Solved

'Virus Alert!' and task manager disabled

Posted on 2008-10-07
17
1,576 Views
Last Modified: 2013-12-06
I have a severe virus on an xp laptop.
symptoms:
- Task Manager disabled
- Start>Run disabled
- My Computer disabled
- Regedit disabled
-'Virus Alert!' appears in task bar where system clock should be.
- tries to launch 'player.exe' from user%\application data (i've deleted this file)

so far i have taken the following steps:
- booted up in safe mode
- turned off system restore
- ran ccleaner
- ran adaware
- ran spybot s&d
- ran Malwarebytes' Anti-Malware
- ran Super Anti-Spyware
- browsed folders and registry for related 'xp antivirus' and 'micro antivirus 2008' files
- checked regkey to restore time format tpo hh:mm:ss

this has removed a lot of the spyware but not any of the above symptoms.

grateful for any help as i really dont want to have to rebuild teh machine.

cheers

0
Comment
Question by:Rockstar_North
  • 5
  • 4
  • 2
  • +5
17 Comments
 
LVL 5

Expert Comment

by:cpottercpotter
Comment Utility
I had a similar issue recently that I resolved by running Malwarebytes from www.Malwarebytes.org.
0
 
LVL 6

Assisted Solution

by:Grizzly072000
Grizzly072000 earned 40 total points
Comment Utility
Post a HJT (TrendMicro HijackThis) log (Attach File)
0
 
LVL 18

Assisted Solution

by:sk_raja_raja
sk_raja_raja earned 50 total points
Comment Utility
would recommend scanning with Malwarebytes' Antimalware:

http://www.malwarebytes.org/mbam.php

Download the trial version, update it fully, then click on "Perform a quick scan".  Show results then click on "remove selected". Post the log here.

I would also run Smitfraudfix:

http://siri.geekstogo.com/SmitfraudFix.php

Run option 2 in safe mode.  Post the log.

If you still have problems after that, download and run SDFix:

http://www.bleepingcomputer.com/files/sdfix.php

It would also be a good idea to reset your hosts file:

http://www.mvps.org/winhelp2002/hosts.htm

A Hijackthis log would also be helpful to see what is happening on your pc:

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Download the installer, install the program. Check "Do a systyem scan and save a logfile". Post the scan log here
0
 
LVL 18

Expert Comment

by:sk_raja_raja
Comment Utility
1.This should fix the problem: Click the Start button, and then Run (alternatively startkey+r). Copy and paste "REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f" without the quotations, click OK,

2.This is a trojan that has attacked your system.
You can find the removal instructions here
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vicsfram.html

3.Click Start, Run and type Command
Type the following and then press Enter after typing each one:

cd\windows
copy regedit.exe regedit.com
start regedit.com  [or regedit.com]

Navigate to and select the following key:
HKEY_CLASSES_ROOT\exefile\shell\open\command

Double-click the (Default) value in the right pane.
Delete the current value data, and then type: "%1" %* [with quotes]
(ie., quote-percent-one-quote-space-percent-asterisk.)

Exit the Registry Editor and restart Windows

4.Download .exe File association fix from here:
http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip
[To run the .reg files, again you will need to rename regedit.exe to regedit.com and run the REG file using "regedit.com filename.reg" parameter]

NOTE: Once set, update the definition files for your anti-virus software and scan the system for viruses

5.From http://home.earthlink.net/~rmbox/Reticulated/4IE_Only/--ReadMe.txt

Download and right click the following file > Then select Install
http://www.google.co.uk/url?sa=U&start=1&q=http://home.earthlink.net/~rmbox/Reticulated/4IE_Only/FIX-exec.inf&e=9797

Also,
Related Microsoft Knowledgebase articles:

You receive an error message when you try to start a program that has an .exe file name extension:
http://support.microsoft.com/?kbid=837334 [New]

You Are Unable to Start a Program with an .exe File Extension:
http://support.microsoft.com/default.aspx?kbid=310585

You Cannot Start Programs (.exe Files) When Your Computer Is Infected with the SirCam Virus:
http://support.microsoft.com/default.aspx?kbid=311446
http://windowsxp.mvps.org/exefile.htm

0
 
LVL 6

Assisted Solution

by:Grizzly072000
Grizzly072000 earned 40 total points
Comment Utility
0
 
LVL 31

Assisted Solution

by:Frosty555
Frosty555 earned 20 total points
Comment Utility
You have almost the exact problem I had. Part of your problem is that the virus may be gone, but the group policy modifications it left behind (to disable things like My Computer and Task Manager) are still there.

See the solutions to the question posted here:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_23582666.html
0
 
LVL 17

Assisted Solution

by:houssam_ballout
houssam_ballout earned 20 total points
Comment Utility
Check the file attached, it will reapply the policies in your comptuer.
make sure to change the file extension to .inf

policies.txt
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 100 total points
Comment Utility
You can download this zipfile, extract it, then rightclick on the "VArestorepolicies.inf" and select Install.
That should take care of the disabled task manager, regedit, run, My computer, and etc.
http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip

If problem persists, can we look at the MalwareBytes log please?
Hijackthis log as already suggested should also tell us if there are other infections present in the system.

Download Hijackthis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.
Paste the log in the "Code Snippet" or "Attach File" window.
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 23

Expert Comment

by:phototropic
Comment Utility
sk_raja_raja:

I have no objection to you quoting me.  However, if you are going to copy/paste a large chunk of what I wrote (in fact an entire post to someone else' question) it would be polite to acknowledge the quote and attribute it accordingly. Otherwise it looks as if you are the author of what you posted, and that is not correct.

Please do not do this again.  Thanks.

0
 

Author Comment

by:Rockstar_North
Comment Utility
please see my hijack this log attached:

i will try all the above recommendations.


hijackthisnew.log
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 100 total points
Comment Utility
What scanners have you run so far?
There's a vundo there, run combofix.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
0
 

Author Comment

by:Rockstar_North
Comment Utility
sorry guys, how do i apply the VArestorepolicies.inf?

when i run it, it just opens a text file?

how do i run it to reset my reg keys and policies?

cheers
0
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
>>> when i run it, it just opens a text file?<<<
After you've downloaded the zip file, you rightclick on it and click "extract here"
VArestorepolicies.inf will be created on your desktop, you then rightclick on the VArestorepolicies.inf and click "Install"

0
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
OR: you can also rightclick on the zip file and click "Extract Files", a VArestorepolicies folder will be created on the desktop, doubleclick on the folder to open and rightclick on the VArestorepolicies.inf and click "Install" either way works.
0
 

Author Comment

by:Rockstar_North
Comment Utility
0
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
If it does what it says then good.
Or you can also use this.
FixPolicies.exe.
Please download FixPolicies.exe by Bill Castner and save it to your desktop.
http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe

Double click on FixPolicies.exe to run it.
Click on Install. It will create a folder named FixPolicies on your desktop.
Open the FixPolicies folder.
Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.  
0
 

Accepted Solution

by:
Rockstar_North earned 0 total points
Comment Utility
still couldnt restore the chnages that the virus had made. the virus is gone but task manager and my computer are disabled. i've had to recreate the users profile. this was a workaround to fix the problem.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

If you have done a reformat of your hard drive and proceeded to do a successful Windows XP installation, you may notice that a choice between two operating systems when you start up the machine. Here is how to get rid of this: Click Start Clic…
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now