'Virus Alert!' and task manager disabled

I have a severe virus on an xp laptop.
- Task Manager disabled
- Start>Run disabled
- My Computer disabled
- Regedit disabled
-'Virus Alert!' appears in task bar where system clock should be.
- tries to launch 'player.exe' from user%\application data (i've deleted this file)

so far i have taken the following steps:
- booted up in safe mode
- turned off system restore
- ran ccleaner
- ran adaware
- ran spybot s&d
- ran Malwarebytes' Anti-Malware
- ran Super Anti-Spyware
- browsed folders and registry for related 'xp antivirus' and 'micro antivirus 2008' files
- checked regkey to restore time format tpo hh:mm:ss

this has removed a lot of the spyware but not any of the above symptoms.

grateful for any help as i really dont want to have to rebuild teh machine.


Who is Participating?
Rockstar_NorthAuthor Commented:
still couldnt restore the chnages that the virus had made. the virus is gone but task manager and my computer are disabled. i've had to recreate the users profile. this was a workaround to fix the problem.
I had a similar issue recently that I resolved by running Malwarebytes from www.Malwarebytes.org.
Post a HJT (TrendMicro HijackThis) log (Attach File)
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

would recommend scanning with Malwarebytes' Antimalware:


Download the trial version, update it fully, then click on "Perform a quick scan".  Show results then click on "remove selected". Post the log here.

I would also run Smitfraudfix:


Run option 2 in safe mode.  Post the log.

If you still have problems after that, download and run SDFix:


It would also be a good idea to reset your hosts file:


A Hijackthis log would also be helpful to see what is happening on your pc:


Download the installer, install the program. Check "Do a systyem scan and save a logfile". Post the scan log here
1.This should fix the problem: Click the Start button, and then Run (alternatively startkey+r). Copy and paste "REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f" without the quotations, click OK,

2.This is a trojan that has attacked your system.
You can find the removal instructions here

3.Click Start, Run and type Command
Type the following and then press Enter after typing each one:

copy regedit.exe regedit.com
start regedit.com  [or regedit.com]

Navigate to and select the following key:

Double-click the (Default) value in the right pane.
Delete the current value data, and then type: "%1" %* [with quotes]
(ie., quote-percent-one-quote-space-percent-asterisk.)

Exit the Registry Editor and restart Windows

4.Download .exe File association fix from here:
[To run the .reg files, again you will need to rename regedit.exe to regedit.com and run the REG file using "regedit.com filename.reg" parameter]

NOTE: Once set, update the definition files for your anti-virus software and scan the system for viruses

5.From http://home.earthlink.net/~rmbox/Reticulated/4IE_Only/--ReadMe.txt

Download and right click the following file > Then select Install

Related Microsoft Knowledgebase articles:

You receive an error message when you try to start a program that has an .exe file name extension:
http://support.microsoft.com/?kbid=837334 [New]

You Are Unable to Start a Program with an .exe File Extension:

You Cannot Start Programs (.exe Files) When Your Computer Is Infected with the SirCam Virus:

You have almost the exact problem I had. Part of your problem is that the virus may be gone, but the group policy modifications it left behind (to disable things like My Computer and Task Manager) are still there.

See the solutions to the question posted here:
Check the file attached, it will reapply the policies in your comptuer.
make sure to change the file extension to .inf

You can download this zipfile, extract it, then rightclick on the "VArestorepolicies.inf" and select Install.
That should take care of the disabled task manager, regedit, run, My computer, and etc.

If problem persists, can we look at the MalwareBytes log please?
Hijackthis log as already suggested should also tell us if there are other infections present in the system.

Download Hijackthis:
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.
Paste the log in the "Code Snippet" or "Attach File" window.

I have no objection to you quoting me.  However, if you are going to copy/paste a large chunk of what I wrote (in fact an entire post to someone else' question) it would be polite to acknowledge the quote and attribute it accordingly. Otherwise it looks as if you are the author of what you posted, and that is not correct.

Please do not do this again.  Thanks.

Rockstar_NorthAuthor Commented:
please see my hijack this log attached:

i will try all the above recommendations.

What scanners have you run so far?
There's a vundo there, run combofix.
Please download ComboFix by sUBs:

You must download it to and run it from your Desktop

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Rockstar_NorthAuthor Commented:
sorry guys, how do i apply the VArestorepolicies.inf?

when i run it, it just opens a text file?

how do i run it to reset my reg keys and policies?

>>> when i run it, it just opens a text file?<<<
After you've downloaded the zip file, you rightclick on it and click "extract here"
VArestorepolicies.inf will be created on your desktop, you then rightclick on the VArestorepolicies.inf and click "Install"

OR: you can also rightclick on the zip file and click "Extract Files", a VArestorepolicies folder will be created on the desktop, doubleclick on the folder to open and rightclick on the VArestorepolicies.inf and click "Install" either way works.
Rockstar_NorthAuthor Commented:
If it does what it says then good.
Or you can also use this.
Please download FixPolicies.exe by Bill Castner and save it to your desktop.

Double click on FixPolicies.exe to run it.
Click on Install. It will create a folder named FixPolicies on your desktop.
Open the FixPolicies folder.
Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.  
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.