Task Manager Disabled By administrator

Discussion in 'Software' started by mondrawy, Oct 6, 2006.

  1. mondrawy

    mondrawy Private E-2

    I have a PC that has its task manager & registry editor disabled, I'm not quite sure what caused it, most probable reason is spyware but I have my PC well protected.

    Anyhow, I can't seem to be able to unlock the task manager again. Whatever it is that caused this has also disabled registry editing. I've tried running scripts that re-open the registry but it's quickly closed again, which led me to believe that something is running on the PC ensuring that the registry remains closed.

    Spyware and antivirus scans didn't work, so I tried using HijackThis to isolate the problem and finally found the culprit. It turned out to be a file masquerading as REGSVR running out of C:\windows. When I kill this process I can re-open the registry editor and from there open up the task manager.

    Now the problem is, this file keeps running every time I restart Windows. I've tried every trick I can think of to stop it but I can't seem to get anything to work. It's not listed under msconfig's startup. It's not listed in the Registry editor under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or any of the users. My attempts at deleting the file or corrupting it don't seem to be doing any good; every time I restart the PC this malicious file reappears and runs itself, shutting down the registry and task manager. It's not being picked up by updated spyware or antivirus scans (different programs) and there is little left I haven't tried.

    Any ideas how to get rid of it?
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. mondrawy

    mondrawy Private E-2

    That's weird, I remember replying some time earlier. Looks like my post didn't get posted. Anyways, I didn't exactly follow this list but I ran my own comparable set of diagnostics with several of the same applications and I couldn't find anything funny. ALL startup keys have no Regsvr.exe in them or anything else out of the ordinary. I've exhausted all the tests I can think of. Perhaps you have some specific test in mind?
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There was a system glitch on Sunday so posts that day got deleted... so to carry on... try this:
    To reinstall the Microsoft Task Manager:

    NOTE: You must be logged on as Administrator or as a member of the Administrators group in order to perform this procedure.

    1. Click Start, click Run, and then type the following command:

    %systemroot%\inf

    NOTE: There are no spaces at all in the preceding command line.

    2. Click OK to open the INF folder.
    3. Locate the file mstask.inf

    Right-click the file, and then click Install. This will reinstall the files that Search needs to proceed normally.

    You will be asked to place your Windows XP CD-ROM in the drive.
     
  5. Mada_Milty

    Mada_Milty MajorGeek

    Are we certain that a computer administrator hasn't applied group policies to restrict access to the task manager? This is the ONLY time I've seen the symptoms you describe.

    Is this computer part of a domain? If so, it may have inherited this restriction from the domain controller. You'll have to talk to the network administrator if this is the case.

    Otherwise, it should be a policy defined on the local computer. Here's how we can check:

    1. Hit windows key + r (or click Start --> Run)
    2. Type 'gpedit.msc' (without the quotes)
    3. Hit enter (or click 'OK')

    The group policy editor will now launch. I'm willing to bet that there is a setting in here (i.e., "Restrict Access to Task Manager") that has been enabled.

    Even better, please see this link on how to enable/disable task manager
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    regsvr
    regsvr.exe
    Added by the WEBMONEY-G TROJAN!
    Would suggest a bitscan.
     
  7. hopperdave2000

    hopperdave2000 MajorGeek

    Boot in safe mode. Run regedit. Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System and look for DisableTaskMgr in the right-hand pane. It's probably set to a value of 1, and it should be set to 0 (zero). Right click on it, choose the appropriate option to change the value to 0, and exit regedit and reboot.

    hopperdave2000
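
The registry check described in the post above, extended to a few more autostart locations than the Run key mentioned in the thread, as an added example that is not part of any poster's reply. It assumes PowerShell is available on the affected machine and only reads the registry; the DisableRegistryTools value and the extra key paths are standard Windows locations that the thread itself does not name.

```powershell
# Added example: read-only audit, nothing is modified.

# 1. Policy values that disable Task Manager and registry editing.
$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
$policyValues = 'DisableTaskMgr', 'DisableRegistryTools'

foreach ($path in $policyPaths) {
    $key = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    foreach ($name in $policyValues) {
        # A value of 1 means the restriction is on; 0 or "not set" means off.
        $data = if ($key -and $null -ne $key.$name) { $key.$name } else { '(not set)' }
        [pscustomobject]@{ Key = $path; Value = $name; Data = $data }
    }
}

# 2. Autostart locations beyond ...\CurrentVersion\Run that can launch a
#    program at logon. The file name is the one reported in the thread.
$pattern = 'regsvr\.exe'
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',  # Shell, Userinit
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'    # Load, Run
)

foreach ($path in $autostartKeys) {
    $item = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $item) { continue }           # key absent on this system
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($data -match $pattern) {
            [pscustomobject]@{ Key = $path; Value = $name; Data = $data }
        }
    }
}
```

No output from the second loop means none of these keys reference the file name, which matches what the original poster reports later in the thread; it does not rule out other launch mechanisms.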
     
  8. tmiller67

    tmiller67 Private E-2

    I had this problem a while back and tried all of the things suggested here and more with no luck. System restore was the only thing that fixed it for me after cleaning out the trojan.
     
  9. mondrawy

    mondrawy Private E-2

    I'm the system administrator and I didn't disable the task manager.

    Group policy editor is disabled because registry editing is disabled; the editor runs but has very few policies that can be changed (I'm assuming those are the policies that don't require registry).

    Booting in safe mode or killing regsvr.exe to open the registry works and indeed the task manager is disabled in the registry. After fixing it and rebooting, my changes are apparently undone. Regsvr.exe runs again on startup and I'm assuming it shuts down regedit and the task manager as well.

    I've run several anti-(you name it) programs and they all came out blank. I suppose I'll try bitscan as well but I doubt it'll catch anything.

    Also, I had system restore disabled so I can't restore to anything prior to the problem (which has existed for quite some time anyways).
     
  10. hopperdave2000

    hopperdave2000 MajorGeek

    Try regedit in safe mode or try a 3rd party regedit. Several good free ones are available right here at majorgeeks...

    hopperdave2000 :)
     
  11. ®ViPeR®

    ®ViPeR® Private E-2

    Same here. However, there is an article in the Microsoft help section about this. They say it's a result of an incompatibility with SP2 and previously installed security patches, but they fail to mention which ones, and as usual the problem runs much deeper than they suspect. The long and the short of it is the only thing I found that fixed it was to back up all my needed files, email addies, etc. and reinstall.
     
  12. mondrawy

    mondrawy Private E-2

    In safe mode the registry and task manager are enabled, but I can't find anything that calls regsvr on startup whatsoever. I've even done a complete search through the registry for regsvr.exe and nothing came up. All other "tools" have come up clean as well.

    Looks like I might have to reinstall, which is a very drastic measure, but I seem to have run out of options here.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ever run the bitscan?
     
  14. mondrawy

    mondrawy Private E-2

    Unfortunately I didn't try that earlier. I thought since all the tests I've tried and all the applications I've installed failed to detect the problem that some online scan would probably fail too. But I was sorely mistaken. FINALLY the damn thing was identified as trojan.PSW.Agent.B and was subsequently removed. There doesn't seem to be much information online about this trojan though. But from what I gather it apparently stashes another copy of regsvr.exe in 'c:\program files' as well as what appears to be a master file with a different name in c:\windows\system32. Those files seem to have returned again after a restart though. But I could probably give it another try while shutting off system restore again (I turned it back on after losing hope).
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now do the read and run first sticky in the malware section ....:)
     
