  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1310

XP Help, privileges taken away. virus...corruption???

Hello, I restarted my computer today, and it was all messed up.

I couldn't use the run command, when I tried it said: "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator"

The Start menu has a black bar on the left of it, and the Shutdown & Logoff buttons are missing. Also when I try to enter any drive letter in the Address bar of My Computer it says "Access to the resource "d:" has been disallowed."

I don't know what happened. It's a shared computer and had not been restarted for 5-6 days. I don't know if someone downloaded a virus, or rootkit or something, or an important file was corrupted on the hard disk (ongoing problem since shipping it).

Any suggestions on how to fix this? Questions?

Thanks.

ScreenShot:  http://www.gfoto.com/UserPicPopup.asp?pid=3575353&alid=50293&uid=A05E1CA8E91B49B6AE6CFAA4929488BE

Asked: alamoudis

3 Solutions

r-k Commented:
Can you try the following:

Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.

This will help determine whether there is malware or some other reason.

Is this XP Pro or Home?
scrathcyboy Commented:
YES it could be a virus. Don't you have AV software? You should NEVER run a computer exposed to the internet without using some AV software; I recommend McAfee. But for a brief test, you can go to -- housecall.trendmicro.com/
You have to be using IE for this, and it will want to install an ActiveX control; that is the only way an online scanner can do it. After that, if no resident AV program, install McAfee.

However, once you get beyond the viruses, it sounds like (1) you are logging in without ADMIN rights, that would explain the restrictions you are facing. (2) someone has got to your system and changed the background, and limited your use. Suspect kids with this, they love to change the desktop interface. If that is not the case then do this --

Log out as current user, log back in as Administrator, and give the PW if any (usually none). If the desktop has changed, then maybe someone last logged in as NOT you, hence a different desktop.
SunshineVK Commented:
Has your laptop recently been connected to a domain? If yes, the domain group policies may be causing this problem.
phototropic Commented:
What happens in safe mode?
If the pc boots normally and the run command works, go into msconfig and disable all startups. Go into services, click on "hide all Microsoft services" and then disable all. Reboot.
Any change?
prashsax Commented:
Software restriction policy has been applied on your pc.

Try restoring it to some previous point using msconfig.exe

If you can login as administrator, then use secpol.msc to disable the software restriction policy on local computer.

If it's added to a domain, then it can be a domain policy instead of local policy.

But, this sure sounds like software restriction policy.
jimmymcp02 Commented:
See the following solution

http://www.experts-exchange.com/Web/Browser_Issues/Q_20861378.html

You should boot into safe mode and run Spybot and scan your pc for viruses. Also, if you could run HijackThis, that could tell us more about what type of malware you have.
abkrino Commented:
I had this problem. This is a virus: it looks like a folder but it's an exe. It will then infect the whole system; you will find in almost every directory a sub directory with the same name (i.e. if you had a Games folder you will find a Games folder inside it; actually it's not, it's the exe of the virus). The only solution is a clean fresh install (the antivirus will not restore your settings but it will remove the virus). So the solution is a clean install and an antivirus install directly after the install. To test if you are infected or not, go to Tools > Folder Options; if it's there you are not infected.
alamoudis Author Commented:
This is the log, seems bad. How do I fix it?


Logfile of HijackThis v1.99.1
Scan saved at 3:06:34 AM, on 5/30/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
D:\xero\SysX\SYSTRAYX.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 6.0 ME\Distillr\acrotray.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.00\WlanCU.exe
D:\xero\AutoHotkey\AutoHotkey.exe
D:\Program Files\ExplorerPlus\Nxdlghlp.exe
D:\xero\tor\Privoxy\privoxy.exe
D:\Program Files\eMu\emule.exe
D:\xero\Ethereal\ethereal.exe
D:\xero\Ethereal\ethereal.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\PowerArchiver\POWERARC.EXE
C:\DOCUME~1\Mish\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.saudi.net.sa:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0.249; http://localhost:9000
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\config\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\config\svchost.exe
O1 - Hosts: 203.186.128.56 lloydstsb.co.uk
O1 - Hosts: 203.186.128.56 online.lloydstsb.co.uk
O1 - Hosts: 203.186.128.56 www.lloydstsb.co.uk
O1 - Hosts: 203.186.128.56 www.lloydstsb.com
O1 - Hosts: 203.186.128.56 www.lloydstsb.com
O1 - Hosts: 203.186.128.56 personal.barclays.co.uk
O1 - Hosts: 203.186.128.56 barclays.co.uk
O1 - Hosts: 203.186.128.56 ibank.barclays.co.uk
O1 - Hosts: 203.186.128.56 www.barclays.co.uk
O1 - Hosts: 203.186.128.56 www.nwolb.com
O1 - Hosts: 203.186.128.56 nwolb.com
O1 - Hosts: 203.186.128.56 hsbc.co.uk
O1 - Hosts: 203.186.128.56 www.hsbc.co.uk
O1 - Hosts: 203.186.128.56 abbey.com
O1 - Hosts: 203.186.128.56 www.abbey.com
O1 - Hosts: 203.186.128.56 www.abbey.co.uk
O1 - Hosts: 203.186.128.56 abbey.co.uk
O1 - Hosts: 203.186.128.56 cahoot.com
O1 - Hosts: 203.186.128.56 www.cahoot.com
O1 - Hosts: 203.186.128.56 www.cahoot.co.uk
O1 - Hosts: 203.186.128.56 cahoot.co.uk
O1 - Hosts: 203.186.128.56 www.co-operativebank.co.uk
O1 - Hosts: 203.186.128.56 co-operativebank.co.uk
O1 - Hosts: 203.186.128.56 www.co-operativebank.com
O1 - Hosts: 203.186.128.56 co-operativebank.com
O1 - Hosts: 203.186.128.56 welcome2.co-operativebankonline.co.uk
O1 - Hosts: 203.186.128.56 welcome6.co-operativebankonline.co.uk
O1 - Hosts: 203.186.128.56 welcome8.co-operativebankonline.co.uk
O1 - Hosts: 203.186.128.56 welcome10.co-operativebankonline.co.uk
O1 - Hosts: 203.186.128.56 www.smile.co.uk
O1 - Hosts: 203.186.128.56 smile.co.uk
O1 - Hosts: 203.186.128.56 www.cajamar.es
O1 - Hosts: 203.186.128.56 cajamar.es
O1 - Hosts: 203.186.128.56 www.cajamar.com
O1 - Hosts: 203.186.128.56 cajamar.com
O1 - Hosts: 203.186.128.56 www.unicaja.es
O1 - Hosts: 203.186.128.56 unicaja.es
O1 - Hosts: 203.186.128.56 www.unicaja.com
O1 - Hosts: 203.186.128.56 unicaja.com
O1 - Hosts: 203.186.128.56 www.caixagalicia.es
O1 - Hosts: 203.186.128.56 caixagalicia.es
O1 - Hosts: 203.186.128.56 www.caixagalicia.com
O1 - Hosts: 203.186.128.56 caixagalicia.com
O1 - Hosts: 203.186.128.56 activa.caixagalicia.es
O1 - Hosts: 203.186.128.56 www.caixapenedes.es
O1 - Hosts: 203.186.128.56 caixapenedes.es
O1 - Hosts: 203.186.128.56 www.caixapenedes.com
O1 - Hosts: 203.186.128.56 caixapenedes.com
O1 - Hosts: 203.186.128.56 bancae.caixapenedes.com
O1 - Hosts: 203.186.128.56 www.caixasabadell.es
O1 - Hosts: 203.186.128.56 caixasabadell.es
O1 - Hosts: 203.186.128.56 www.caixasabadell.net
O1 - Hosts: 203.186.128.56 caixasabadell.net
O1 - Hosts: 203.186.128.56 www.cajamadrid.es
O1 - Hosts: 203.186.128.56 cajamadrid.es
O1 - Hosts: 203.186.128.56 www.cajamadrid.com
O1 - Hosts: 203.186.128.56 cajamadrid.com
O1 - Hosts: 203.186.128.56 oi.cajamadrid.es
O1 - Hosts: 203.186.128.56 www.ccm.es
O1 - Hosts: 203.186.128.56 ccm.es
O1 - Hosts: 203.186.128.56 www.haspa.de
O1 - Hosts: 203.186.128.56 haspa.de
O1 - Hosts: 203.186.128.56 ssl2.haspa.de
O1 - Hosts: 203.186.128.56 www.dresdner-bank.de
O1 - Hosts: 203.186.128.56 dresdner-bank.de
O1 - Hosts: 203.186.128.56 www.dresdner-privat.de
O1 - Hosts: 203.186.128.56 postbank.de
O1 - Hosts: 203.186.128.56 www.postbank.de
O1 - Hosts: 203.186.128.56 banking.postbank.de
O1 - Hosts: 203.186.128.56 www.sparda-b.de
O1 - Hosts: 203.186.128.56 sparda-b.de
O1 - Hosts: 203.186.128.56 www.bankingonline.de
O1 - Hosts: 203.186.128.56 www.raiffeisenbank-erding.de
O1 - Hosts: 203.186.128.56 raiffeisenbank-erding.de
O1 - Hosts: 203.186.128.56 www.vr-networld-ebanking.de
O1 - Hosts: 203.186.128.56 vr-networld-ebanking.de
O1 - Hosts: 203.186.128.56 www.bnhof.de
O1 - Hosts: 203.186.128.56 bnhof.de
O1 - Hosts: 203.186.128.56 www.deutsche-bank.de
O1 - Hosts: 203.186.128.56 deutsche-bank.de
O1 - Hosts: 203.186.128.56 meine.deutsche-bank.de
O1 - Hosts: 203.186.128.56 www.citibank.de
O1 - Hosts: 203.186.128.56 citibank.de
O1 - Hosts: 203.186.128.56 www.dkb.de
O1 - Hosts: 203.186.128.56 dkb.de
O1 - Hosts: 203.186.128.56 www.sparkasse-regensburg.de
O1 - Hosts: 203.186.128.56 sparkasse-regensburg.de
O1 - Hosts: 203.186.128.56 www.berliner-bank.de
O1 - Hosts: 203.186.128.56 berliner-bank.de
O1 - Hosts: 203.186.128.56 www.berliner-sparkasse.de
O1 - Hosts: 203.186.128.56 berliner-sparkasse.de
O1 - Hosts: 203.186.128.56 www.wellsfargo.com
O1 - Hosts: 203.186.128.56 wellsfargo.com
O1 - Hosts: 203.186.128.56 www.bankofamerica.com
O1 - Hosts: 203.186.128.56 bankofamerica.com
O1 - Hosts: 203.186.128.56 www.usbank.com
O1 - Hosts: 203.186.128.56 usbank.com
O1 - Hosts: 203.186.128.56 www.bankone.com
O1 - Hosts: 203.186.128.56 bankone.com
O1 - Hosts: 203.186.128.56 www.citibank.com
O1 - Hosts: 203.186.128.56 citibank.com
O2 - BHO: CBHOBJObj Object - {8A406068-D45C-40B9-A096-38AC717FB608} - C:\WINDOWS\BHOBJ.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\RunOnce: [SYSTRAYX] D:\xero\SysX\RUNSTX.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: AutoHotkey.lnk = D:\xero\AutoHotkey\AutoHotkey.exe
O4 - Startup: Dialog Tracker.lnk = D:\Program Files\ExplorerPlus\Nxdlghlp.exe
O4 - Startup: Privoxy.lnk = D:\xero\tor\Privoxy\privoxy.exe
O4 - Startup: sysdll32.LNK = D:\xero\SysX\SysTrayX.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0 ME\Distillr\acrotray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.00\WlanCU.exe
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 1.5 - C:\Program Files\Sony\Image Converter 1.5\menu.htm
O8 - Extra context menu item: Transfer with Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: iSiloX Clipper - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - d:\xero\iSilo\iSiloX\iSiloXIE.dll (HKCU)
O9 - Extra 'Tools' menuitem: iSiloX Clipper... - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - d:\xero\iSilo\iSiloX\iSiloXIE.dll (HKCU)
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.gfoto.com/ImageUploader3.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Windows Configuration Backup Service (CfgBackupSvc) - Unknown owner - C:\WINDOWS\config\svchost.exe (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\xero\PalmVNC\WinVNC\WinVNC.exe" -service (file missing)

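The log above shows the three indicators the replies go on to act on: extra executables appended to the Shell and UserInit values, a block of bank hostnames all pointing at one external IP in the hosts file, and services whose binaries are missing or are named like system processes but live outside System32. The following Python script is an added example (not part of the thread and not HijackThis code) that triages a HijackThis-style log for exactly those three patterns; the sample input is a few lines copied from the log above plus one constructed loopback hosts entry to show what is not flagged. It assumes the XP defaults Shell=Explorer.exe and UserInit=C:\WINDOWS\System32\userinit.exe, with Windows installed under C:\WINDOWS.

```python
"""Triage a HijackThis-style log for the indicators discussed in this thread."""
import re
from collections import defaultdict

# Sample input: lines copied from the log posted above, plus one constructed
# loopback hosts entry (ad.doubleclick.net) that a legitimate ad blocker would add.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\config\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\config\svchost.exe
O1 - Hosts: 203.186.128.56 lloydstsb.co.uk
O1 - Hosts: 203.186.128.56 www.barclays.co.uk
O1 - Hosts: 203.186.128.56 www.wellsfargo.com
O1 - Hosts: 203.186.128.56 citibank.com
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Windows Configuration Backup Service (CfgBackupSvc) - Unknown owner - C:\WINDOWS\config\svchost.exe (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\xero\PalmVNC\WinVNC\WinVNC.exe" -service (file missing)
"""

# Assumed XP defaults: anything beyond these values is a logon-time launch hook.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
SYSTEM32_DIR = "c:\\windows\\system32\\"          # assumed Windows directory

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}          # sinkhole targets, not redirects
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "csrss.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
EXE_RE = re.compile(r'([^"]*?)([^\\"]+\.exe)', re.IGNORECASE)   # (directory, basename)
SHORT_NAME_RE = re.compile(r"\(([^()]+)\)\s*$")                  # "(CfgBackupSvc)" -> short name


def check_shell_values(lines):
    """Return (key, program) for every Shell/UserInit entry that is not the default."""
    findings = []
    for line in lines:
        m = F2_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        # Shell is space-separated; UserInit is comma-separated (a trailing comma is normal).
        raw = value.split(" ") if key == "Shell" else value.rstrip(",").split(",")
        parts = [p.strip() for p in raw if p.strip()]
        expected = EXPECTED_SHELL if key == "Shell" else EXPECTED_USERINIT
        if not parts or parts[0].lower() != expected:
            findings.append((key, parts[0] if parts else ""))
        for extra in parts[1:]:          # the appended programs are the hooks
            findings.append((key, extra))
    return findings


def check_hosts(lines):
    """Group O1 hosts entries by target IP, keeping only non-loopback (real redirect) targets."""
    redirects = defaultdict(list)
    for line in lines:
        m = O1_RE.match(line.strip())
        if m and m.group(1) not in LOOPBACK:
            redirects[m.group(1)].append(m.group(2))
    return dict(redirects)


def check_services(lines):
    """Flag O23 services whose binary is missing or masquerades as a system process outside System32."""
    findings = []
    for line in lines:
        m = O23_RE.match(line.strip())
        if not m:
            continue
        name, owner, path = m.groups()
        reasons = []
        if path.endswith("(file missing)"):
            reasons.append("binary missing on disk")
            path = path[: -len("(file missing)")].rstrip()
        exe_match = EXE_RE.search(path)
        directory = exe_match.group(1).lower() if exe_match else ""
        exe = exe_match.group(2).lower() if exe_match else ""
        if exe in SYSTEM_NAMES and not directory.startswith(SYSTEM32_DIR):
            reasons.append(f"{exe} outside System32")
        if reasons and owner.lower() == "unknown owner":
            reasons.append("no vendor in binary version info")
        if reasons:
            short = SHORT_NAME_RE.search(name)
            findings.append((short.group(1) if short else name, reasons))
    return findings


def triage(log_text):
    """Run all three checks over a log and return the findings by category."""
    lines = log_text.splitlines()
    return {
        "shell_hooks": check_shell_values(lines),
        "hosts_redirects": check_hosts(lines),
        "services": check_services(lines),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, program in result["shell_hooks"]:
        print(f"[{key}] launches at logon: {program}")
    for ip, hosts in result["hosts_redirects"].items():
        print(f"[Hosts] {len(hosts)} names redirected to {ip}: {', '.join(hosts)}")
    for svc, reasons in result["services"]:
        print(f"[Service] {svc}: {'; '.join(reasons)}")
```

On the posted log the hosts check reports over a hundred banking names all resolving to 203.186.128.56, which is the pharming signature that makes this a credential-theft infection rather than just a nuisance; the Shell/UserInit findings point at the persistence mechanism (C:\WINDOWS\config\svchost.exe), which is why the later replies have the owner fix those two F2 entries and delete that file. Note that the Shell check splits on spaces, so a default Shell value containing a path with spaces would need quoting first.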
rpggamergirl Commented:
Hi,

Run Hijackthis and put a check next to these entries and click "Fix Checked":
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\config\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\config\svchost.exe
O1 - Hosts: 203.186.128.56 lloydstsb.co.uk
O1 - Hosts: 203.186.128.56 online.lloydstsb.co.uk
O1 - Hosts: 203.186.128.56 www.lloydstsb.co.uk
O1 - Hosts: 203.186.128.56 www.lloydstsb.com
O1 - Hosts: 203.186.128.56 www.lloydstsb.com
O1 - Hosts: 203.186.128.56 personal.barclays.co.uk
O1 - Hosts: 203.186.128.56 barclays.co.uk
O1 - Hosts: 203.186.128.56 ibank.barclays.co.uk
O1 - Hosts: 203.186.128.56 www.barclays.co.uk
O1 - Hosts: 203.186.128.56 www.nwolb.com
O1 - Hosts: 203.186.128.56 nwolb.com
O1 - Hosts: 203.186.128.56 hsbc.co.uk
O1 - Hosts: 203.186.128.56 www.hsbc.co.uk
O1 - Hosts: 203.186.128.56 abbey.com
O1 - Hosts: 203.186.128.56 www.abbey.com
O1 - Hosts: 203.186.128.56 www.abbey.co.uk
O1 - Hosts: 203.186.128.56 abbey.co.uk
O1 - Hosts: 203.186.128.56 cahoot.com
O1 - Hosts: 203.186.128.56 www.cahoot.com
O1 - Hosts: 203.186.128.56 www.cahoot.co.uk
O1 - Hosts: 203.186.128.56 cahoot.co.uk
O1 - Hosts: 203.186.128.56 www.co-operativebank.co.uk
O1 - Hosts: 203.186.128.56 co-operativebank.co.uk
O1 - Hosts: 203.186.128.56 www.co-operativebank.com
O1 - Hosts: 203.186.128.56 co-operativebank.com
O1 - Hosts: 203.186.128.56 welcome2.co-operativebankonline.co.uk
O1 - Hosts: 203.186.128.56 welcome6.co-operativebankonline.co.uk
O1 - Hosts: 203.186.128.56 welcome8.co-operativebankonline.co.uk
O1 - Hosts: 203.186.128.56 welcome10.co-operativebankonline.co.uk
O1 - Hosts: 203.186.128.56 www.smile.co.uk
O1 - Hosts: 203.186.128.56 smile.co.uk
O1 - Hosts: 203.186.128.56 www.cajamar.es
O1 - Hosts: 203.186.128.56 cajamar.es
O1 - Hosts: 203.186.128.56 www.cajamar.com
O1 - Hosts: 203.186.128.56 cajamar.com
O1 - Hosts: 203.186.128.56 www.unicaja.es
O1 - Hosts: 203.186.128.56 unicaja.es
O1 - Hosts: 203.186.128.56 www.unicaja.com
O1 - Hosts: 203.186.128.56 unicaja.com
O1 - Hosts: 203.186.128.56 www.caixagalicia.es
O1 - Hosts: 203.186.128.56 caixagalicia.es
O1 - Hosts: 203.186.128.56 www.caixagalicia.com
O1 - Hosts: 203.186.128.56 caixagalicia.com
O1 - Hosts: 203.186.128.56 activa.caixagalicia.es
O1 - Hosts: 203.186.128.56 www.caixapenedes.es
O1 - Hosts: 203.186.128.56 caixapenedes.es
O1 - Hosts: 203.186.128.56 www.caixapenedes.com
O1 - Hosts: 203.186.128.56 caixapenedes.com
O1 - Hosts: 203.186.128.56 bancae.caixapenedes.com
O1 - Hosts: 203.186.128.56 www.caixasabadell.es
O1 - Hosts: 203.186.128.56 caixasabadell.es
O1 - Hosts: 203.186.128.56 www.caixasabadell.net
O1 - Hosts: 203.186.128.56 caixasabadell.net
O1 - Hosts: 203.186.128.56 www.cajamadrid.es
O1 - Hosts: 203.186.128.56 cajamadrid.es
O1 - Hosts: 203.186.128.56 www.cajamadrid.com
O1 - Hosts: 203.186.128.56 cajamadrid.com
O1 - Hosts: 203.186.128.56 oi.cajamadrid.es
O1 - Hosts: 203.186.128.56 www.ccm.es
O1 - Hosts: 203.186.128.56 ccm.es
O1 - Hosts: 203.186.128.56 www.haspa.de
O1 - Hosts: 203.186.128.56 haspa.de
O1 - Hosts: 203.186.128.56 ssl2.haspa.de
O1 - Hosts: 203.186.128.56 www.dresdner-bank.de
O1 - Hosts: 203.186.128.56 dresdner-bank.de
O1 - Hosts: 203.186.128.56 www.dresdner-privat.de
O1 - Hosts: 203.186.128.56 postbank.de
O1 - Hosts: 203.186.128.56 www.postbank.de
O1 - Hosts: 203.186.128.56 banking.postbank.de
O1 - Hosts: 203.186.128.56 www.sparda-b.de
O1 - Hosts: 203.186.128.56 sparda-b.de
O1 - Hosts: 203.186.128.56 www.bankingonline.de
O1 - Hosts: 203.186.128.56 www.raiffeisenbank-erding.de
O1 - Hosts: 203.186.128.56 raiffeisenbank-erding.de
O1 - Hosts: 203.186.128.56 www.vr-networld-ebanking.de
O1 - Hosts: 203.186.128.56 vr-networld-ebanking.de
O1 - Hosts: 203.186.128.56 www.bnhof.de
O1 - Hosts: 203.186.128.56 bnhof.de
O1 - Hosts: 203.186.128.56 www.deutsche-bank.de
O1 - Hosts: 203.186.128.56 deutsche-bank.de
O1 - Hosts: 203.186.128.56 meine.deutsche-bank.de
O1 - Hosts: 203.186.128.56 www.citibank.de
O1 - Hosts: 203.186.128.56 citibank.de
O1 - Hosts: 203.186.128.56 www.dkb.de
O1 - Hosts: 203.186.128.56 dkb.de
O1 - Hosts: 203.186.128.56 www.sparkasse-regensburg.de
O1 - Hosts: 203.186.128.56 sparkasse-regensburg.de
O1 - Hosts: 203.186.128.56 www.berliner-bank.de
O1 - Hosts: 203.186.128.56 berliner-bank.de
O1 - Hosts: 203.186.128.56 www.berliner-sparkasse.de
O1 - Hosts: 203.186.128.56 berliner-sparkasse.de
O1 - Hosts: 203.186.128.56 www.wellsfargo.com
O1 - Hosts: 203.186.128.56 wellsfargo.com
O1 - Hosts: 203.186.128.56 www.bankofamerica.com
O1 - Hosts: 203.186.128.56 bankofamerica.com
O1 - Hosts: 203.186.128.56 www.usbank.com
O1 - Hosts: 203.186.128.56 usbank.com
O1 - Hosts: 203.186.128.56 www.bankone.com
O1 - Hosts: 203.186.128.56 bankone.com
O1 - Hosts: 203.186.128.56 www.citibank.com
O1 - Hosts: 203.186.128.56 citibank.com
O2 - BHO: CBHOBJObj Object - {8A406068-D45C-40B9-A096-38AC717FB608} - C:\WINDOWS\BHOBJ.dll
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
O23 - Service: Windows Configuration Backup Service (CfgBackupSvc) - Unknown owner - C:\WINDOWS\config\svchost.exe (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\xero\PalmVNC\WinVNC\WinVNC.exe" -service (file missing)

Some of those entries will come back after you fix them with HijackThis, unless you run some tools as well.
I think you're better off formatting your system. I don't know how much your system is compromised; it looks like a RAT (Remote Access Trojan).
jimmymcp02 Commented:
You have been infected. You should remove the following thread: Nxdlghlp.exe

also see this article
fgiebar.dll
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453077947
You should perform a deep virus scan and also perform a spyware scan to remove all those pests. Once you have removed all the spyware please re-run HijackThis and post back.
rpggamergirl Commented:
You have a lot of nasties there like qoologic etc.
Let us know whether you want to clean your pc or format, we'll then help you clean it up.
alamoudis Author Commented:
I would prefer to clean it up, but will format if necessary. Just tell me what to do and I will do it.

A couple of questions:

1. Is Ad-Aware Pro & AVG Free sufficient for scanning?

2. Will I be able to restore my rights? (fix the start menu/use run/address bar)

3. Can I safely format my C:/ without erasing my D:/ partition? If not I will need to burn a lot of DVDs!

4. Would reinstalling XP fix anything?

5. If I had not been running the administrator account full time, would this have been prevented?

Thanks for helping.
rpggamergirl Commented:
1. Is Ad-Aware Pro & AVG Free sufficient for scanning?
Yes, they are a fairly good spyware scanner and antivirus scanner, but they can't remove special malware infections.

2. Will I be able to restore my rights? (fix the start menu/use run/address bar)
You should be if and when you get rid of the viruses.

3. Can I safely format my C:/ without erasing my D:/ partition? If not I will need to burn a lot of DVDs!
Formatting will erase all partitions in that drive.

4. Would reinstalling XP fix anything?
Reinstalling XP will not fix the viruses in your system; it might fix some system files that were corrupted by the virus but it will not remove the virus.

5. If I had not been running the administrator account full time, would this have been prevented?
Well, not necessarily; even if you were on a limited account viruses can still get through because of vulnerabilities etc., but if you were not running the administrator account it would be safer against malware which can just install themselves.



Let's try and fix your system.
Fix those entries in hijackthis that I mentioned earlier.


Go to START > RUN > type in;

services.msc

In the next window, look on the right hand side for these services:
Automatic Update Service
Windows Configuration Backup Service
Hardware Clock Driver
MicroSoft Media Tools

Double click on each and STOP the service
In the drop down menu, change the startup type to "Disabled"


Open Hijackthis > Open Misc Tools Section > Open" Delete an NT Service"
In the new window, copy and paste or type each of the following in bold into the Open field and hit OK

Automatic Update
CfgBackupSvc
hwclock
MicroSoft Media Tools


Delete this file:
C:\WINDOWS\config\svchost.exe

Also make sure these files are really gone:
C:\WINDOWS\System32\wuapi.exe
C:\WINDOWS\System32\hwclock.exe
C:\WINDOWS\MSmedia.exe


1. Download and install the free version of Ewido anti-malware.
http://www.ewido.net/en/download/
Update first then scan in safe mode.


2. Please download ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


3. Download Hoster to your desktop.
http://www.funkytoad.com/download/hoster.zip
Press the "Restore Original Hosts"  button and then press the OK button.


Reboot.
Run Hijackthis log again and paste the log to either these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.
r-k Commented:
Sorry, rpggamergirl, I must correct a couple of details:

(3) Can I safely format my C:/ without erasing my D:/ partition? If not I will need to burn a lot of DVDs!

Yes, you can format C: without affecting the other partitions. But be very careful not to delete the partitions, which will definitely destroy D: as well.

(4) Would reinstalling XP fix anything?

 This is a "maybe" answer. If you reinstall XP to a new folder (e.g. c:\win instead of c:\windows) it will fix the virus in the sense that it will install a completely new Registry. You will have to reinstall all applications etc. Also, before doing something like this, backup all important files off the C: drive, esp. those within the "Documents and Settings" tree.

Finally, before reinstalling XP, make sure you did not encrypt any of your own files on the C: drive. It is impossible to recover them later unless things are done in the right order.
rpggamergirl Commented:
r-k.
Okay, I don't have a personal experience on that one, :) I have 2 drives but not partitioned, so I was wrong in assuming, thanks for the info :)
r-k Commented:
"If not I will need to do burn alot of dvds!"

I just noticed this comment. If you don't have a backup of your important files I would suggest making that a top priority. Disks can, and often do, fail or get erased for no apparent reason. Burning DVDs every now and then is trivial compared to the hassle of losing important files.
rpggamergirl Commented:
I'm not sure if this has been mentioned somewhere else in the topic, but I'm just wondering if your System Restore Console is turned on and working properly.

If so, it would be quicker to roll back to a date like a week or so ago before your pc was infected.

Start > All Programs > Accessories > System Tools > System Restore
and pick a date to roll back.
NOTE: Bear in mind that any programs you've installed and any updates, drivers you've installed after the chosen restore point would need to be reinstalled.
alamoudis Author Commented:
Ok, unfortunately System Restore was turned off. Is there a way to run services.msc without the Run menu? As I don't have access to it anymore (restrictions). Maybe if I run the tools you mentioned I'll get it back? I've been kind of busy lately, plus I think I'll back up before anything else just to be safe. It might take a day or two but I'll keep you posted. Thanks again
jimmymcp02 Commented:
You can try to get there from My Computer, then
C:\WINNT\SYSTEM32, look for services and double click.

Just out of curiosity. you are doing all this troubleshooting from Safe Mode right?
r-k Commented:
You can run the Services control panel from:

 Start -> Control Panel -> Admin Tools -> Services
alamoudis Author Commented:
Ok, I did what you said, did I miss anything?

http://hijackthis.de/logfiles/fcd49cf40dfa264db7f232d5c0db1b28.html

So what do I do next? Any idea how to turn off these restrictions so I can use Run, etc..?

Thanks Guys
rpggamergirl Commented:
>>I couldn't use the run command, when I tried it said: "This operation has been cancelled due to restrictions in effect on this computer. Please contact your sytem administrator"<<

The Run window will open, right? It's when you type "cmd" that the command prompt does not open, is that right?
How about when you run "regedit", does the command prompt open?
If not, then look in your system32 folder for these files and delete them if present:
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\regedit.com



Fix this entry please:
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\config\svchost.exe  

Make sure these files are deleted:
C:\WINDOWS\config\svchost.exe
C:\WINDOWS\System32\hwclock.exe
C:\WINDOWS\MSmedia.exe


Also run these tools:(they give you logs which you can post for us to look at)
1. Please download Silent Runners.
http://www.silentrunners.org/Silent%20Runners.vbs
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and upload the logfile created, go here and paste your log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

2. Download and save blacklight to your desktop.
http://www.f-secure.com/blacklight/try.shtml
Doubleclick blbeta.exe, accept the agreement, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.

3. Rootkit Revealer:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to its own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Post the log here.
In order to minimize RKR log being polluted with legit data run RootkitRevealer on an idle system.
alamoudis Author Commented:
No, I can't use Run, if you check the screenshot up top you will see what I mean.   I downloaded the tools, but do I run them in safe mode or normal boot?
alamoudis Author Commented:
Formatted and started fresh.  Thanks
rpggamergirl Commented:
I didn't get the notification that you had replied.

Sorry we failed to help you.

Formatting and starting afresh is good.

Thanks!