This worked for me when i was infected
Thanks for the link, not sure if it would have fixed my issue, but I did figured it out by doing some more research. I compared two XP regirsties, and noticed the infected had a extra key.
[HKey Local_Machine\...Windows NT\CurrentVersion\Image File Execution Option\taskmgr.exe]
I deleted it, and rebooted, and task manager was back.
Now a new problem, everything seems to be working, I ran HighJack This this just to make sure my Hosts file was not highjacked, and yet, it found many entries in my hosts file. It said there were so many I needed to just delete the hosts file. There were about 50 or more IP's, only two IPS, just repeated multiple times:
18.104.22.168 (6 of these)
22.214.171.124 (Theses were referenced to www.Google.*, had about 50 of theses)
Anyway, went to system32\drivers\etc, and opened the hosts file, I only seen the first 6 that HiJackThis listed, the Google entries were not there. I scrolled all the way down, nothing. I deleted them, saved it, ran highjack again, and it still reported the same thing. So I went back to the hosts file, it was empty, so I'm curious were HiJackThis is finding them. They are definitely there, becuase, I still can not go to Google in IE, it redirects me to one of those www.google.* websites, which are infected websites.
I'm not sure how to fix this, I mean I deleted the hosts file, and yet there still there or somewhere. Could I have multiple hosts file, I mean how does this work?
Edited by Modify, 24 September 2009 - 09:52 AM.