A reader writes: "I think I have a virus. I get an error when I try to access the Task Manager and Registry Editor. When I try to click on any of my drives, I receive another error, and when I use the right mouse click, there is a command on the menu that reads "if freedom is outlawed, then only oulaws have freedom" and a second command that reads "just a game" ..."

Answer: This sounds similar to what many are referring to as the Freedom or Outlaw worm. It may also be known as W32/Frawrm-A or W32/Outlaw-A (both Sophos) or W32.Vediance (Symantec). There may be a couple of worms that match the "Freedom worm" description, so the steps described here try to account for both. Either worm disables access to Task Manager and Registry Editor; one variant also disables access to the Command Shell and the Folder Options menu and tries to delete MP3 files found on the infected system.

Removing the Freedom worm

First, you'll want to regain access to Task Manager and Registry Editor and get any other disabled system tools working again. The easiest way to do so is by using the free "Remove Restrictions Tool" from Sergiwa.com. Simply download the tool, run it, and select the items you need re-enabled.

Next, make sure you have file extension viewing and viewing of hidden and system files enabled. Alternatively, you can use the Windows 'Search Files and Folders' feature to locate the files. Either way, you will want to delete the files listed below. Make SURE you use the EXACT name provided to avoid deleting a similarly named but legitimate file.

<Drive Letter>\recycler\systems.com (note the plural, systems and not system, and that it's a .com file and not .exe)
<Drive Letter>\autorun.inf
<System Folder>\taskmger.com (note taskmger and not taskmgr, and a .com file and not .exe)

<Drive Letter> is the drive letter of the affected drive. You will need to look on all drives (including USB/thumb/MP3 drives) for the files systems.com and autorun.inf and delete them. The taskmger.com file should only be on the local drive (usually C:) in the <System Folder>. By default on Windows XP, this folder is C:\Windows\System32\. Again, pay very close attention to the spelling of these files and only delete those that have the EXACT name provided above.

After the files have been deleted and access to system utilities has been restored, you will need to correct one more Registry key (otherwise you will keep getting an error when Windows starts up). If you are experienced with editing the Registry, browse to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and make sure the Shell and Userinit values contain only the following data:

"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

If you are not well-versed in editing the Registry, then copy and paste the lines between the **** below (but not the asterisks themselves) into a Notepad file and save that file as winlogon.reg. (Make sure it has a .reg extension and not a .txt extension.)

****************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
***************************************

Now double-click the saved winlogon.reg file and the necessary change to the Registry will be made.
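As an added example that is not part of the original answer, the following PowerShell script audits the indicators described above on a current Windows system: it compares the two Winlogon values against their expected data and looks for the three exact file names on every drive, reporting what it finds without deleting anything. It assumes the system folder and the drive letters are discovered at run time, and that the expected Userinit path lives under the current %SystemRoot% rather than a hard-coded C:\WINDOWS.

```powershell
# Added audit script (not from the original article). Reports only; nothing is deleted.

# 1. Winlogon Shell / Userinit check (values and expected data from the article).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = 'Explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"   # assumes SystemRoot is the Windows folder
}

$props = Get-ItemProperty -Path $winlogon
foreach ($name in $expected.Keys) {
    $actual = $props.$name
    if ($actual -ne $expected[$name]) {   # -ne is case-insensitive in PowerShell
        Write-Warning ("Winlogon {0} is '{1}'; expected '{2}'" -f $name, $actual, $expected[$name])
    } else {
        Write-Output ("Winlogon {0} OK: {1}" -f $name, $actual)
    }
}

# 2. Exact file names from the article. taskmger.com is only expected in the system folder;
#    systems.com and autorun.inf are checked at the root of every file-system drive.
$systemDir  = [Environment]::GetFolderPath('System')
$indicators = @("$systemDir\taskmger.com")
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root                     # e.g. C:\  (includes the trailing backslash)
    $indicators += "${root}autorun.inf"
    $indicators += "${root}recycler\systems.com"
}

$hits = 0
foreach ($path in $indicators) {
    # -LiteralPath avoids wildcard expansion; hidden/system files still match.
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force
        Write-Warning ("Found {0} ({1} bytes, attributes: {2})" -f $item.FullName, $item.Length, $item.Attributes)
        $hits++
    }
}
Write-Output ("{0} indicator file(s) found across {1} checked path(s)." -f $hits, $indicators.Count)
```

A legitimate autorun.inf can exist on some media, so review each reported file's name and contents before deleting it.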