'Virus Alert!' and task manager disabled

I have a severe virus on an xp laptop.
symptoms:
- Task Manager disabled
- Start>Run disabled
- My Computer disabled
- Regedit disabled
-'Virus Alert!' appears in task bar where system clock should be.
- tries to launch 'player.exe' from user%\application data (i've deleted this file)

so far i have taken the following steps:
- booted up in safe mode
- turned off system restore
- ran ccleaner
- ran adaware
- ran spybot s&d
- ran Malwarebytes' Anti-Malware
- ran Super Anti-Spyware
- browsed folders and registry for related 'xp antivirus' and 'micro antivirus 2008' files
- checked regkey to restore time format tpo hh:mm:ss

this has removed a lot of the spyware but not any of the above symptoms.

grateful for any help as i really dont want to have to rebuild teh machine.

cheers

Rockstar_NorthAsked:
Who is Participating?
 
Rockstar_NorthConnect With a Mentor Author Commented:
still couldnt restore the chnages that the virus had made. the virus is gone but task manager and my computer are disabled. i've had to recreate the users profile. this was a workaround to fix the problem.
0
 
cpottercpotterCommented:
I had a similar issue recently that I resolved by running Malwarebytes from www.Malwarebytes.org.
0
 
Grizzly072000Connect With a Mentor Commented:
Post a HJT (TrendMicro HijackThis) log (Attach File)
0
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

 
sk_raja_rajaConnect With a Mentor Commented:
would recommend scanning with Malwarebytes' Antimalware:

http://www.malwarebytes.org/mbam.php

Download the trial version, update it fully, then click on "Perform a quick scan".  Show results then click on "remove selected". Post the log here.

I would also run Smitfraudfix:

http://siri.geekstogo.com/SmitfraudFix.php

Run option 2 in safe mode.  Post the log.

If you still have problems after that, download and run SDFix:

http://www.bleepingcomputer.com/files/sdfix.php

It would also be a good idea to reset your hosts file:

http://www.mvps.org/winhelp2002/hosts.htm

A Hijackthis log would also be helpful to see what is happening on your pc:

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Download the installer, install the program. Check "Do a systyem scan and save a logfile". Post the scan log here
0
 
sk_raja_rajaCommented:
1.This should fix the problem: Click the Start button, and then Run (alternatively startkey+r). Copy and paste "REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f" without the quotations, click OK,

2.This is a trojan that has attacked your system.
You can find the removal instructions here
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vicsfram.html

3.Click Start, Run and type Command
Type the following and then press Enter after typing each one:

cd\windows
copy regedit.exe regedit.com
start regedit.com  [or regedit.com]

Navigate to and select the following key:
HKEY_CLASSES_ROOT\exefile\shell\open\command

Double-click the (Default) value in the right pane.
Delete the current value data, and then type: "%1" %* [with quotes]
(ie., quote-percent-one-quote-space-percent-asterisk.)

Exit the Registry Editor and restart Windows

4.Download .exe File association fix from here:
http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip
[To run the .reg files, again you will need to rename regedit.exe to regedit.com and run the REG file using "regedit.com filename.reg" parameter]

NOTE: Once set, update the definition files for your anti-virus software and scan the system for viruses

5.From http://home.earthlink.net/~rmbox/Reticulated/4IE_Only/--ReadMe.txt

Download and right click the following file > Then select Install
http://www.google.co.uk/url?sa=U&start=1&q=http://home.earthlink.net/~rmbox/Reticulated/4IE_Only/FIX-exec.inf&e=9797

Also,
Related Microsoft Knowledgebase articles:

You receive an error message when you try to start a program that has an .exe file name extension:
http://support.microsoft.com/?kbid=837334 [New]

You Are Unable to Start a Program with an .exe File Extension:
http://support.microsoft.com/default.aspx?kbid=310585

You Cannot Start Programs (.exe Files) When Your Computer Is Infected with the SirCam Virus:
http://support.microsoft.com/default.aspx?kbid=311446
http://windowsxp.mvps.org/exefile.htm

0
 
Grizzly072000Connect With a Mentor Commented:
0
 
Frosty555Connect With a Mentor Commented:
You have almost the exact problem I had. Part of your problem is that the virus may be gone, but the group policy modifications it left behind (to disable things like My Computer and Task Manager) are still there.

See the solutions to the question posted here:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_23582666.html
0
 
houssam_balloutConnect With a Mentor Commented:
Check the file attached, it will reapply the policies in your comptuer.
make sure to change the file extension to .inf

policies.txt
0
 
rpggamergirlConnect With a Mentor Commented:
You can download this zipfile, extract it, then rightclick on the "VArestorepolicies.inf" and select Install.
That should take care of the disabled task manager, regedit, run, My computer, and etc.
http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip

If problem persists, can we look at the MalwareBytes log please?
Hijackthis log as already suggested should also tell us if there are other infections present in the system.

Download Hijackthis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download 
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.
Paste the log in the "Code Snippet" or "Attach File" window.
0
 
phototropicCommented:
sk_raja_raja:

I have no objection to you quoting me.  However, if you are going to copy/paste a large chunk of what I wrote (in fact an entire post to someone else' question) it would be polite to acknowledge the quote and attribute it accordingly. Otherwise it looks as if you are the author of what you posted, and that is not correct.

Please do not do this again.  Thanks.

0
 
Rockstar_NorthAuthor Commented:
please see my hijack this log attached:

i will try all the above recommendations.


hijackthisnew.log
0
 
rpggamergirlConnect With a Mentor Commented:
What scanners have you run so far?
There's a vundo there, run combofix.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
0
 
Rockstar_NorthAuthor Commented:
sorry guys, how do i apply the VArestorepolicies.inf?

when i run it, it just opens a text file?

how do i run it to reset my reg keys and policies?

cheers
0
 
rpggamergirlCommented:
>>> when i run it, it just opens a text file?<<<
After you've downloaded the zip file, you rightclick on it and click "extract here"
VArestorepolicies.inf will be created on your desktop, you then rightclick on the VArestorepolicies.inf and click "Install"

0
 
rpggamergirlCommented:
OR: you can also rightclick on the zip file and click "Extract Files", a VArestorepolicies folder will be created on the desktop, doubleclick on the folder to open and rightclick on the VArestorepolicies.inf and click "Install" either way works.
0
 
Rockstar_NorthAuthor Commented:
0
 
rpggamergirlCommented:
If it does what it says then good.
Or you can also use this.
FixPolicies.exe.
Please download FixPolicies.exe by Bill Castner and save it to your desktop.
http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe

Double click on FixPolicies.exe to run it.
Click on Install. It will create a folder named FixPolicies on your desktop.
Open the FixPolicies folder.
Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.  
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.