alamoudis asked:
XP Help, privileges taken away. virus...corruption???

Hello, I restarted my computer today, and it was all messed up.

I couldn't use the run command; when I tried it said: "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator"

The Start menu has a black bar on the left of it, and the Shutdown & Logoff buttons are missing. Also, when I try to enter any drive letter in the Address bar of My Computer it says "Access to the resource "d:" has been disallowed."

I don't know what happened. It's a shared computer and had not been restarted for 5-6 days. I don't know if someone downloaded a virus or rootkit or something, or an important file was corrupted on the hard disk (an ongoing problem since shipping it).

Any suggestions on how to fix this?  Questions??

Thanks.

ScreenShot:  http://www.gfoto.com/UserPicPopup.asp?pid=3575353&alid=50293&uid=A05E1CA8E91B49B6AE6CFAA4929488BE

SOLUTION
r-k
YES, it could be a virus. Don't you have AV software? You should NEVER run a computer exposed to the internet without using some AV software; I recommend McAfee. But for a brief test, you can go to housecall.trendmicro.com/
You have to be using IE for this, and it will want to install an ActiveX control; that is the only way an online scanner can do it. After that, if there is no resident AV program, install McAfee.

However, once you get beyond the viruses, it sounds like (1) you are logging in without ADMIN rights, which would explain the restrictions you are facing, or (2) someone has got to your system, changed the background and limited your use. Suspect kids with this; they love to change the desktop interface. If that is not the case then do this --

Log out as the current user, log back in as Administrator, and give the PW if any (usually none). If the desktop has changed, then maybe someone last logged in as NOT you, hence a different desktop.
SunshineVK

Has your laptop recently been connected to a domain? If yes, the domain group policies may be causing this problem.
What happens in safe mode?
If the PC boots normally and the run command works, go into msconfig and disable all startups. Go into Services, click on "Hide all Microsoft services" and then disable all. Reboot.
Any change?
A software restriction policy has been applied on your PC.

Try restoring it to some previous point using msconfig.exe

If you can log in as administrator, then use secpol.msc to disable the software restriction policy on the local computer.

If it's added to a domain, then it can be a domain policy instead of a local policy.

But this sure sounds like a software restriction policy.
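The message quoted in the question ("This operation has been cancelled due to restrictions in effect on this computer") is the text Explorer shows when one of its own policy restrictions is set, so alongside the Software Restriction Policy check in secpol.msc it is worth inspecting the `Policies\Explorer` key in both hives. The script below is an added example for this thread, not something any of the posters ran: it reads a regedit export (the `.reg` excerpt is constructed, not the asker's registry) and decodes the documented Explorer policy values `NoRun`, `NoClose`, `NoLogOff`, `NoDrives`, `NoViewOnDrive`, `NoFolderOptions` and `NoControlPanel`. The symptom wording per value, and the mapping to the symptoms reported in this thread (no Run, no Shut Down/Log Off, drives disallowed), are my reading of those values.

```python
"""Decode Explorer policy restrictions from a regedit (.reg) export.

Added example for this thread; the registry excerpt below is constructed and
is not the asker's registry. The value names are Microsoft's documented
Explorer policy values; the symptom text is ours.
"""
import re

# Explorer policy values that produce the symptoms described in the question.
RESTRICTIONS = {
    "NoRun": "Run removed from the Start menu; Explorer answers with the "
             "'operation has been cancelled due to restrictions' dialog",
    "NoClose": "Shut Down button removed from the Start menu",
    "NoLogOff": "Log Off button removed from the Start menu",
    "NoDrives": "drives hidden in My Computer (bitmask, bit 0 = A:)",
    "NoViewOnDrive": "drive contents blocked, 'Access to the resource ... has "
                     "been disallowed' (bitmask, bit 0 = A:)",
    "NoFolderOptions": "Tools > Folder Options removed from Explorer",
    "NoControlPanel": "Control Panel blocked",
}
BITMASK_VALUES = {"NoDrives", "NoViewOnDrive"}
POLICY_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\policies\explorer"

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed .reg excerpt (regedit writes real exports as UTF-16; this is plain text).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoClose"=dword:00000001
"NoLogOff"=dword:00000001
"NoViewOnDrive"=dword:0000000c
"NoDrives"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"""


def parse_reg(reg_text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg text."""
    keys, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = DWORD_RE.match(line)
        if value_match and current is not None:
            keys[current][value_match.group(1)] = int(value_match.group(2), 16)
    return keys


def drives_from_mask(mask):
    """Expand a NoDrives/NoViewOnDrive bitmask into drive letters (bit 0 = A:)."""
    return [chr(ord("A") + bit) for bit in range(26) if (mask >> bit) & 1]


def active_restrictions(reg_text):
    """List (hive, value_name, raw_value, symptom) for every non-zero restriction."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if not key.lower().endswith(POLICY_KEY_SUFFIX):
            continue  # unrelated key, e.g. Explorer\Advanced
        hive = key.split("\\", 1)[0]  # HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE
        for name, value in values.items():
            if name not in RESTRICTIONS or value == 0:
                continue
            symptom = RESTRICTIONS[name]
            if name in BITMASK_VALUES:
                symptom += " for " + ", ".join(d + ":" for d in drives_from_mask(value))
            findings.append((hive, name, value, symptom))
    return findings


if __name__ == "__main__":
    for hive, name, value, symptom in active_restrictions(SAMPLE_REG):
        print(f"{hive}\\...\\Policies\\Explorer\\{name} = {value:#x}: {symptom}")
```

Export the key with regedit (or `reg export`) from an account that still has access, run the script on the export, and clear the reported values as Administrator; if they come back, either the malware autostart is re-writing them (see the F2 entries discussed later in the thread) or a local or domain Group Policy is re-applying them, in which case the policy itself has to be changed, as the domain remark above says.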
jimmymcp02
See the following solution

https://www.experts-exchange.com/questions/20861378/This-operation-has-been-cancelled-due-to-restrictions-in-effect-on-this-computer.html

You should boot in safe mode and run Spybot and scan your PC for viruses. Also, if you could run HijackThis, that could tell us more about what type of malware you have.
I had this problem. This is a virus: it looks like a folder but it's an exe. It will then infect the whole system; you will find in almost every directory a sub-directory with the same name (i.e. if you had a Games folder you will find a Games folder inside it; actually it's not a folder, it's the exe of the virus). The only solution is a clean fresh install; the antivirus will not restore your settings but it will remove the virus. So the solution is a clean install, and an antivirus install directly after the install. To test whether you are infected or not, go to Tools > Folder Options; if it's there you are not infected.
alamoudis (ASKER)

This is the log; it seems bad. How do I fix it?


Logfile of HijackThis v1.99.1
Scan saved at 3:06:34 AM, on 5/30/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
D:\xero\SysX\SYSTRAYX.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 6.0 ME\Distillr\acrotray.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.00\WlanCU.exe
D:\xero\AutoHotkey\AutoHotkey.exe
D:\Program Files\ExplorerPlus\Nxdlghlp.exe
D:\xero\tor\Privoxy\privoxy.exe
D:\Program Files\eMu\emule.exe
D:\xero\Ethereal\ethereal.exe
D:\xero\Ethereal\ethereal.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\PowerArchiver\POWERARC.EXE
C:\DOCUME~1\Mish\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.saudi.net.sa:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0.249; http://localhost:9000
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\config\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\config\svchost.exe
O1 - Hosts: 203.186.128.56 lloydstsb.co.uk
O1 - Hosts: 203.186.128.56 online.lloydstsb.co.uk
O1 - Hosts: 203.186.128.56 www.lloydstsb.co.uk
O1 - Hosts: 203.186.128.56 www.lloydstsb.com
O1 - Hosts: 203.186.128.56 www.lloydstsb.com
O1 - Hosts: 203.186.128.56 personal.barclays.co.uk
O1 - Hosts: 203.186.128.56 barclays.co.uk
O1 - Hosts: 203.186.128.56 ibank.barclays.co.uk
O1 - Hosts: 203.186.128.56 www.barclays.co.uk
O1 - Hosts: 203.186.128.56 www.nwolb.com
O1 - Hosts: 203.186.128.56 nwolb.com
O1 - Hosts: 203.186.128.56 hsbc.co.uk
O1 - Hosts: 203.186.128.56 www.hsbc.co.uk
O1 - Hosts: 203.186.128.56 abbey.com
O1 - Hosts: 203.186.128.56 www.abbey.com
O1 - Hosts: 203.186.128.56 www.abbey.co.uk
O1 - Hosts: 203.186.128.56 abbey.co.uk
O1 - Hosts: 203.186.128.56 cahoot.com
O1 - Hosts: 203.186.128.56 www.cahoot.com
O1 - Hosts: 203.186.128.56 www.cahoot.co.uk
O1 - Hosts: 203.186.128.56 cahoot.co.uk
O1 - Hosts: 203.186.128.56 www.co-operativebank.co.uk
O1 - Hosts: 203.186.128.56 co-operativebank.co.uk
O1 - Hosts: 203.186.128.56 www.co-operativebank.com
O1 - Hosts: 203.186.128.56 co-operativebank.com
O1 - Hosts: 203.186.128.56 welcome2.co-operativebankonline.co.uk
O1 - Hosts: 203.186.128.56 welcome6.co-operativebankonline.co.uk
O1 - Hosts: 203.186.128.56 welcome8.co-operativebankonline.co.uk
O1 - Hosts: 203.186.128.56 welcome10.co-operativebankonline.co.uk
O1 - Hosts: 203.186.128.56 www.smile.co.uk
O1 - Hosts: 203.186.128.56 smile.co.uk
O1 - Hosts: 203.186.128.56 www.cajamar.es
O1 - Hosts: 203.186.128.56 cajamar.es
O1 - Hosts: 203.186.128.56 www.cajamar.com
O1 - Hosts: 203.186.128.56 cajamar.com
O1 - Hosts: 203.186.128.56 www.unicaja.es
O1 - Hosts: 203.186.128.56 unicaja.es
O1 - Hosts: 203.186.128.56 www.unicaja.com
O1 - Hosts: 203.186.128.56 unicaja.com
O1 - Hosts: 203.186.128.56 www.caixagalicia.es
O1 - Hosts: 203.186.128.56 caixagalicia.es
O1 - Hosts: 203.186.128.56 www.caixagalicia.com
O1 - Hosts: 203.186.128.56 caixagalicia.com
O1 - Hosts: 203.186.128.56 activa.caixagalicia.es
O1 - Hosts: 203.186.128.56 www.caixapenedes.es
O1 - Hosts: 203.186.128.56 caixapenedes.es
O1 - Hosts: 203.186.128.56 www.caixapenedes.com
O1 - Hosts: 203.186.128.56 caixapenedes.com
O1 - Hosts: 203.186.128.56 bancae.caixapenedes.com
O1 - Hosts: 203.186.128.56 www.caixasabadell.es
O1 - Hosts: 203.186.128.56 caixasabadell.es
O1 - Hosts: 203.186.128.56 www.caixasabadell.net
O1 - Hosts: 203.186.128.56 caixasabadell.net
O1 - Hosts: 203.186.128.56 www.cajamadrid.es
O1 - Hosts: 203.186.128.56 cajamadrid.es
O1 - Hosts: 203.186.128.56 www.cajamadrid.com
O1 - Hosts: 203.186.128.56 cajamadrid.com
O1 - Hosts: 203.186.128.56 oi.cajamadrid.es
O1 - Hosts: 203.186.128.56 www.ccm.es
O1 - Hosts: 203.186.128.56 ccm.es
O1 - Hosts: 203.186.128.56 www.haspa.de
O1 - Hosts: 203.186.128.56 haspa.de
O1 - Hosts: 203.186.128.56 ssl2.haspa.de
O1 - Hosts: 203.186.128.56 www.dresdner-bank.de
O1 - Hosts: 203.186.128.56 dresdner-bank.de
O1 - Hosts: 203.186.128.56 www.dresdner-privat.de
O1 - Hosts: 203.186.128.56 postbank.de
O1 - Hosts: 203.186.128.56 www.postbank.de
O1 - Hosts: 203.186.128.56 banking.postbank.de
O1 - Hosts: 203.186.128.56 www.sparda-b.de
O1 - Hosts: 203.186.128.56 sparda-b.de
O1 - Hosts: 203.186.128.56 www.bankingonline.de
O1 - Hosts: 203.186.128.56 www.raiffeisenbank-erding.de
O1 - Hosts: 203.186.128.56 raiffeisenbank-erding.de
O1 - Hosts: 203.186.128.56 www.vr-networld-ebanking.de
O1 - Hosts: 203.186.128.56 vr-networld-ebanking.de
O1 - Hosts: 203.186.128.56 www.bnhof.de
O1 - Hosts: 203.186.128.56 bnhof.de
O1 - Hosts: 203.186.128.56 www.deutsche-bank.de
O1 - Hosts: 203.186.128.56 deutsche-bank.de
O1 - Hosts: 203.186.128.56 meine.deutsche-bank.de
O1 - Hosts: 203.186.128.56 www.citibank.de
O1 - Hosts: 203.186.128.56 citibank.de
O1 - Hosts: 203.186.128.56 www.dkb.de
O1 - Hosts: 203.186.128.56 dkb.de
O1 - Hosts: 203.186.128.56 www.sparkasse-regensburg.de
O1 - Hosts: 203.186.128.56 sparkasse-regensburg.de
O1 - Hosts: 203.186.128.56 www.berliner-bank.de
O1 - Hosts: 203.186.128.56 berliner-bank.de
O1 - Hosts: 203.186.128.56 www.berliner-sparkasse.de
O1 - Hosts: 203.186.128.56 berliner-sparkasse.de
O1 - Hosts: 203.186.128.56 www.wellsfargo.com
O1 - Hosts: 203.186.128.56 wellsfargo.com
O1 - Hosts: 203.186.128.56 www.bankofamerica.com
O1 - Hosts: 203.186.128.56 bankofamerica.com
O1 - Hosts: 203.186.128.56 www.usbank.com
O1 - Hosts: 203.186.128.56 usbank.com
O1 - Hosts: 203.186.128.56 www.bankone.com
O1 - Hosts: 203.186.128.56 bankone.com
O1 - Hosts: 203.186.128.56 www.citibank.com
O1 - Hosts: 203.186.128.56 citibank.com
O2 - BHO: CBHOBJObj Object - {8A406068-D45C-40B9-A096-38AC717FB608} - C:\WINDOWS\BHOBJ.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0 ME\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\RunOnce: [SYSTRAYX] D:\xero\SysX\RUNSTX.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: AutoHotkey.lnk = D:\xero\AutoHotkey\AutoHotkey.exe
O4 - Startup: Dialog Tracker.lnk = D:\Program Files\ExplorerPlus\Nxdlghlp.exe
O4 - Startup: Privoxy.lnk = D:\xero\tor\Privoxy\privoxy.exe
O4 - Startup: sysdll32.LNK = D:\xero\SysX\SysTrayX.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0 ME\Distillr\acrotray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.00\WlanCU.exe
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 1.5 - C:\Program Files\Sony\Image Converter 1.5\menu.htm
O8 - Extra context menu item: Transfer with Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: iSiloX Clipper - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - d:\xero\iSilo\iSiloX\iSiloXIE.dll (HKCU)
O9 - Extra 'Tools' menuitem: iSiloX Clipper... - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - d:\xero\iSilo\iSiloX\iSiloXIE.dll (HKCU)
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.gfoto.com/ImageUploader3.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Windows Configuration Backup Service (CfgBackupSvc) - Unknown owner - C:\WINDOWS\config\svchost.exe (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\xero\PalmVNC\WinVNC\WinVNC.exe" -service (file missing)
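The log above already holds the four signatures a defender should pick out: two F2 entries appending `C:\WINDOWS\config\svchost.exe` to the Shell= and UserInit= logon values, one address (203.186.128.56) collecting roughly a hundred bank hostnames in the hosts file (a pharming setup that sends online-banking logins to a host the attacker controls), an `svchost.exe` living outside System32, and services whose binaries are reported missing. The Python script below is an added example for this thread, not HijackThis and not code from any poster: it encodes those checks as functions and runs them over a short excerpt of the posted log (hostnames and paths are copied from the log above; the excerpt itself and the `ad.example.test` loopback line are constructed). The threshold of three hostnames per address is an assumed heuristic.

```python
"""Triage helpers for a HijackThis-style log.

Added example for this thread; it is not HijackThis and not the asker's code.
The excerpt below copies hostnames and paths from the posted log, but the
selection and the loopback line are constructed.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\config\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\config\svchost.exe
O1 - Hosts: 203.186.128.56 lloydstsb.co.uk
O1 - Hosts: 203.186.128.56 www.barclays.co.uk
O1 - Hosts: 203.186.128.56 www.hsbc.co.uk
O1 - Hosts: 203.186.128.56 www.deutsche-bank.de
O1 - Hosts: 203.186.128.56 www.wellsfargo.com
O1 - Hosts: 127.0.0.1 ad.example.test
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Windows Configuration Backup Service (CfgBackupSvc) - Unknown owner - C:\WINDOWS\config\svchost.exe (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe (file missing)
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
F2_RE = re.compile(r"^F2 - REG:system\.ini:\s+(Shell|UserInit)=(.*)$", re.IGNORECASE)
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?)(\s+\(file missing\))?$")
SVCHOST_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s,"]*?svchost\.exe', re.IGNORECASE)

# The only binary Windows itself places in each of these two logon values.
EXPECTED_BINARY = {"shell": "explorer.exe", "userinit": "userinit.exe"}


def hosts_by_ip(log_text):
    """Group O1 hosts-file entries by the address they resolve to."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            by_ip[m.group(1)].append(m.group(2))
    return dict(by_ip)


def hosts_hijack(log_text, threshold=3):
    """Non-loopback addresses capturing `threshold` or more hostnames.

    Loopback entries are how ad-blocking hosts files work; one remote address
    collecting many bank domains is the pharming pattern in the posted log.
    """
    hits = []
    for ip, names in hosts_by_ip(log_text).items():
        if ip.startswith("127.") or ip in ("0.0.0.0", "::1"):
            continue
        if len(names) >= threshold:
            hits.append((ip, sorted(names)))
    return hits


def shell_userinit_extras(log_text):
    """Binaries in Shell= / UserInit= other than explorer.exe / userinit.exe.

    Anything appended there runs at every logon before the desktop appears.
    """
    findings = []
    for line in log_text.splitlines():
        m = F2_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        tokens = [t for t in re.split(r"[,\s]+", value) if t]
        extras = [t for t in tokens
                  if t.lower().rsplit("\\", 1)[-1] != EXPECTED_BINARY[key.lower()]]
        if extras:
            findings.append((key, extras))
    return findings


def missing_service_binaries(log_text):
    """(description, path) for services whose binary is '(file missing)'."""
    return [(m.group(1), m.group(3))
            for m in map(O23_RE.match, log_text.splitlines()) if m and m.group(4)]


def svchost_outside_system32(log_text):
    """Every svchost.exe path in the log whose directory is not System32.

    The genuine service host lives only there; any other location is a lookalike.
    """
    odd = set()
    for path in SVCHOST_PATH_RE.findall(log_text):
        parent = path.rsplit("\\", 1)[0].lower()
        if not parent.endswith("\\system32"):
            odd.add(path)
    return sorted(odd)


def triage(log_text):
    """Run all four checks and return a dict of findings."""
    return {
        "hosts_hijack": hosts_hijack(log_text),
        "shell_userinit": shell_userinit_extras(log_text),
        "missing_services": missing_service_binaries(log_text),
        "rogue_svchost": svchost_outside_system32(log_text),
    }


if __name__ == "__main__":
    for check, findings in triage(SAMPLE_LOG).items():
        print(check)
        for item in findings:
            print("   ", item)
```

Run against the full log pasted above, the script would flag the same items the later replies tell the asker to fix: both F2 lines, the whole 203.186.128.56 block, `C:\WINDOWS\config\svchost.exe`, and the `hwclock`, `MSmedia`, `CfgBackupSvc` and `wuapi` services. The hosts block is also the reason to treat every online-banking password used from this machine as exposed, whatever is decided about cleaning versus formatting.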

Hi,

Run Hijackthis and put a check next to these entries and click "Fix Checked":
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\config\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\config\svchost.exe
O1 - Hosts: 203.186.128.56 lloydstsb.co.uk
O1 - Hosts: 203.186.128.56 online.lloydstsb.co.uk
O1 - Hosts: 203.186.128.56 www.lloydstsb.co.uk
O1 - Hosts: 203.186.128.56 www.lloydstsb.com
O1 - Hosts: 203.186.128.56 www.lloydstsb.com
O1 - Hosts: 203.186.128.56 personal.barclays.co.uk
O1 - Hosts: 203.186.128.56 barclays.co.uk
O1 - Hosts: 203.186.128.56 ibank.barclays.co.uk
O1 - Hosts: 203.186.128.56 www.barclays.co.uk
O1 - Hosts: 203.186.128.56 www.nwolb.com
O1 - Hosts: 203.186.128.56 nwolb.com
O1 - Hosts: 203.186.128.56 hsbc.co.uk
O1 - Hosts: 203.186.128.56 www.hsbc.co.uk
O1 - Hosts: 203.186.128.56 abbey.com
O1 - Hosts: 203.186.128.56 www.abbey.com
O1 - Hosts: 203.186.128.56 www.abbey.co.uk
O1 - Hosts: 203.186.128.56 abbey.co.uk
O1 - Hosts: 203.186.128.56 cahoot.com
O1 - Hosts: 203.186.128.56 www.cahoot.com
O1 - Hosts: 203.186.128.56 www.cahoot.co.uk
O1 - Hosts: 203.186.128.56 cahoot.co.uk
O1 - Hosts: 203.186.128.56 www.co-operativebank.co.uk
O1 - Hosts: 203.186.128.56 co-operativebank.co.uk
O1 - Hosts: 203.186.128.56 www.co-operativebank.com
O1 - Hosts: 203.186.128.56 co-operativebank.com
O1 - Hosts: 203.186.128.56 welcome2.co-operativebankonline.co.uk
O1 - Hosts: 203.186.128.56 welcome6.co-operativebankonline.co.uk
O1 - Hosts: 203.186.128.56 welcome8.co-operativebankonline.co.uk
O1 - Hosts: 203.186.128.56 welcome10.co-operativebankonline.co.uk
O1 - Hosts: 203.186.128.56 www.smile.co.uk
O1 - Hosts: 203.186.128.56 smile.co.uk
O1 - Hosts: 203.186.128.56 www.cajamar.es
O1 - Hosts: 203.186.128.56 cajamar.es
O1 - Hosts: 203.186.128.56 www.cajamar.com
O1 - Hosts: 203.186.128.56 cajamar.com
O1 - Hosts: 203.186.128.56 www.unicaja.es
O1 - Hosts: 203.186.128.56 unicaja.es
O1 - Hosts: 203.186.128.56 www.unicaja.com
O1 - Hosts: 203.186.128.56 unicaja.com
O1 - Hosts: 203.186.128.56 www.caixagalicia.es
O1 - Hosts: 203.186.128.56 caixagalicia.es
O1 - Hosts: 203.186.128.56 www.caixagalicia.com
O1 - Hosts: 203.186.128.56 caixagalicia.com
O1 - Hosts: 203.186.128.56 activa.caixagalicia.es
O1 - Hosts: 203.186.128.56 www.caixapenedes.es
O1 - Hosts: 203.186.128.56 caixapenedes.es
O1 - Hosts: 203.186.128.56 www.caixapenedes.com
O1 - Hosts: 203.186.128.56 caixapenedes.com
O1 - Hosts: 203.186.128.56 bancae.caixapenedes.com
O1 - Hosts: 203.186.128.56 www.caixasabadell.es
O1 - Hosts: 203.186.128.56 caixasabadell.es
O1 - Hosts: 203.186.128.56 www.caixasabadell.net
O1 - Hosts: 203.186.128.56 caixasabadell.net
O1 - Hosts: 203.186.128.56 www.cajamadrid.es
O1 - Hosts: 203.186.128.56 cajamadrid.es
O1 - Hosts: 203.186.128.56 www.cajamadrid.com
O1 - Hosts: 203.186.128.56 cajamadrid.com
O1 - Hosts: 203.186.128.56 oi.cajamadrid.es
O1 - Hosts: 203.186.128.56 www.ccm.es
O1 - Hosts: 203.186.128.56 ccm.es
O1 - Hosts: 203.186.128.56 www.haspa.de
O1 - Hosts: 203.186.128.56 haspa.de
O1 - Hosts: 203.186.128.56 ssl2.haspa.de
O1 - Hosts: 203.186.128.56 www.dresdner-bank.de
O1 - Hosts: 203.186.128.56 dresdner-bank.de
O1 - Hosts: 203.186.128.56 www.dresdner-privat.de
O1 - Hosts: 203.186.128.56 postbank.de
O1 - Hosts: 203.186.128.56 www.postbank.de
O1 - Hosts: 203.186.128.56 banking.postbank.de
O1 - Hosts: 203.186.128.56 www.sparda-b.de
O1 - Hosts: 203.186.128.56 sparda-b.de
O1 - Hosts: 203.186.128.56 www.bankingonline.de
O1 - Hosts: 203.186.128.56 www.raiffeisenbank-erding.de
O1 - Hosts: 203.186.128.56 raiffeisenbank-erding.de
O1 - Hosts: 203.186.128.56 www.vr-networld-ebanking.de
O1 - Hosts: 203.186.128.56 vr-networld-ebanking.de
O1 - Hosts: 203.186.128.56 www.bnhof.de
O1 - Hosts: 203.186.128.56 bnhof.de
O1 - Hosts: 203.186.128.56 www.deutsche-bank.de
O1 - Hosts: 203.186.128.56 deutsche-bank.de
O1 - Hosts: 203.186.128.56 meine.deutsche-bank.de
O1 - Hosts: 203.186.128.56 www.citibank.de
O1 - Hosts: 203.186.128.56 citibank.de
O1 - Hosts: 203.186.128.56 www.dkb.de
O1 - Hosts: 203.186.128.56 dkb.de
O1 - Hosts: 203.186.128.56 www.sparkasse-regensburg.de
O1 - Hosts: 203.186.128.56 sparkasse-regensburg.de
O1 - Hosts: 203.186.128.56 www.berliner-bank.de
O1 - Hosts: 203.186.128.56 berliner-bank.de
O1 - Hosts: 203.186.128.56 www.berliner-sparkasse.de
O1 - Hosts: 203.186.128.56 berliner-sparkasse.de
O1 - Hosts: 203.186.128.56 www.wellsfargo.com
O1 - Hosts: 203.186.128.56 wellsfargo.com
O1 - Hosts: 203.186.128.56 www.bankofamerica.com
O1 - Hosts: 203.186.128.56 bankofamerica.com
O1 - Hosts: 203.186.128.56 www.usbank.com
O1 - Hosts: 203.186.128.56 usbank.com
O1 - Hosts: 203.186.128.56 www.bankone.com
O1 - Hosts: 203.186.128.56 bankone.com
O1 - Hosts: 203.186.128.56 www.citibank.com
O1 - Hosts: 203.186.128.56 citibank.com
O2 - BHO: CBHOBJObj Object - {8A406068-D45C-40B9-A096-38AC717FB608} - C:\WINDOWS\BHOBJ.dll
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
O23 - Service: Windows Configuration Backup Service (CfgBackupSvc) - Unknown owner - C:\WINDOWS\config\svchost.exe (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\xero\PalmVNC\WinVNC\WinVNC.exe" -service (file missing)

Some of those entries will come back after you fix them with HijackThis, unless you run some tools as well.
I think you're better off formatting your system. I don't know how much your system is compromised; it looks like a RAT (Remote Access Trojan).
SOLUTION
You have a lot of nasties there like qoologic etc.
Let us know whether you want to clean your pc or format, we'll then help you clean it up.
I would prefer to clean it up, but will format if necessary. Just tell me what to do and I will do it.

A couple of questions:

1. Is Ad-Aware Pro & AVG Free sufficient for scanning?

2. Will I be able to restore my rights? (fix the start menu/use run/address bar)

3. Can I safely format my C:/ without erasing my D:/ partition? If not I will need to burn a lot of DVDs!

4. Would reinstalling XP fix anything?

5. If I had not been running the administrator account full time, would this have been prevented?

Thanks for helping.
ASKER CERTIFIED SOLUTION
Sorry, rpggamergirl, I must correct a couple of details:

(3) Can I safely format my C:/ without erasing my D:/ partition? If not I will need to do burn alot of dvds!

Yes, you can format C: without affecting the other partitions. But be very careful not to delete the partitions, which will definitely destroy D: as well.

(4) Would reinstalling XP fix anything?

 This is a "maybe" answer. If you reinstall XP to a new folder (e.g. c:\win instead of c:\windows) it will fix the virus in the sense that it will install a completely new Registry. You will have to reinstall all applications etc. Also, before doing something like this, backup all important files off the C: drive, esp. those within the "Documents and Settings" tree.

Finally, before reinstalling XP, make sure you did not encrypt any of your own files on the C: drive. It is impossible to recover them later unless things are done in the right order.
r-k.
Okay, I don't have personal experience on that one :) I have 2 drives but not partitioned, so I was wrong in assuming. Thanks for the info :)
"If not I will need to do burn alot of dvds!"

I just noticed this comment. If you don't have a backup of your important files I would suggest making that a top priority. Disks can, and often do, fail or get erased for no apparent reason. Burning DVDs every now and then is trivial compared to the hassle of losing important files.
I'm not sure if this has been mentioned somewhere else in the topic, but I'm just wondering if your System Restore is turned on and working properly.

If so, it would be quicker to roll back to a date a week or so ago, before your PC was infected.

Start > All Programs > Accessories > System Tools > System Restore
and pick a date to roll back.
NOTE: Bear in mind that any programs you've installed and any updates, drivers you've installed after the chosen restore point would need to be reinstalled.
Ok, unfortunately System Restore was turned off. Is there a way to run services.msc without the Run menu? As I don't have access to it anymore (restrictions). Maybe if I run the tools you mentioned I'll get it back? I've been kind of busy lately, plus I think I'll back up before anything else just to be safe. It might take a day or two but I'll keep you posted. Thanks again
You can try to get there from My Computer, then
C:\WINNT\SYSTEM32: look for services and double-click it.

Just out of curiosity. you are doing all this troubleshooting from Safe Mode right?
You can run the Services control panel from:

 Start -> Control Panel -> Admin Tools -> Services
Ok, I did what you said, did I miss anything?

http://hijackthis.de/logfiles/fcd49cf40dfa264db7f232d5c0db1b28.html

So what do I do next? Any idea how to turn off these restrictions so I can use Run, etc.?

Thanks Guys
>>I couldn't use the run command, when I tried it said: "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator"<<

The Run window will open, right? It's when you type "cmd" that the command prompt does not open, is that right?
How about when you run "regedit", does the command prompt open?
If not, then look in your system32 folder for these files and delete them if present:
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\regedit.com



Fix this entry please:
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\config\svchost.exe  

Make sure these files are deleted:
C:\WINDOWS\config\svchost.exe
C:\WINDOWS\System32\hwclock.exe
C:\WINDOWS\MSmedia.exe


Also run these tools (they give you logs which you can post for us to look at):
1. Please download Silent Runners.
http://www.silentrunners.org/Silent%20Runners.vbs
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop, copy that entire log and upload it: go to http://www.rafb.net/paste/ and paste your log,
then at the bottom left corner click "paste"
Copy the address/url and post it here:

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

2. Download and save blacklight to your desktop.
http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, accept the agreement, click Scan > Next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.

3. Rootkit Revealer:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to its own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Post the log here.
To minimize the RKR log being polluted with legitimate data, run RootkitRevealer on an idle system.
No, I can't use Run, if you check the screenshot up top you will see what I mean.   I downloaded the tools, but do I run them in safe mode or normal boot?
Formatted and started fresh.  Thanks
I didn't get the notification that you had replied.

Sorry we failed to help you.

Formatting and starting afresh is good.

Thanks!