Task Manager Disabled By administrator

[mondrawy]

I have a PC that has its task manager & registry editor disabled, I'm not quite sure what caused it, most probable reason is spyware but I have my PC well protected.

Anyhow, I can't seem to be able to unlock the task manager again. Whatever it is that caused this has also disabled registry editing. I've tried running scripts that re-open the registry but its quickly closed again, which led me to believe that something is running on the PC ensuring that the registry remains closed.

Spyware and antivirus scans didn't work, so I tried using Hijack this to isolate the problem and finally found the culprit. It turned out to be a file masquerading as REGSVR running out of C:\windows. When I kill this process I can re-open the registry editor and from there open up the task manager.

Now the problem is, this file keeps running every time I restart windows. I've tried every trick I can think off to stop it but I can't seem to get anything to work. Its not listed under msconfig's startup. Its not listed in the Registry editor under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or any of the users. My attempts at deleting the file or corrupting it don't seem to be doing any good, everytime I restart the PC this malicious file reappears and runs itself, shutting down the registry and task manager. Its not being picked up by updated spyware or antivirus scans (different programs) and there is little left I haven't tried.

Any ideas how to get rid of it ?

[TimW]

Read and run first - Malware section
http://forums.majorgeeks.com/showthread.php?t=35407

[mondrawy]

thats wierd, I remember replying some time earlier. Looks like my post didn't get posted. Anyways, I didn't exactly follow this list but I ran my own comparable set of diagnostics with several of the same applications and I couldn't find anything funny, ALL start up keys have no Regsvr.exe in them or anything else out of the ordinary. I've exhausted all the tests I can think off, perhaps you have some specific test in mind ?

[TimW]

There was a system glitch on Sunday so posts that day got deleted ....so to carry on ...try this:
To reinstall the Microsoft Task Manager:

NOTE: You must be logged on as Administrator or as a member of the Administrators group in order to perform this procedure.

1. Click Start , click Run , and then type the following command:

%systemroot%\inf

NOTE : There are no spaces at all in the preceding command line.

2. Click OK to open the INF folder.
3. Locate the file mstask.inf

Right-click the file, and then click Install . This will reinstall the files that Search needs to proceed normally.

You will be asked to place your windows XP cd rom in the drive.

[Mada_Milty]

Are we certain that a computer administrator hasn't applied group policies to restrict access to the task manager? This is the ONLY time I've seen the symptoms you describe.

Is this computer part of a domain? If so, it may have inherited this restriction from the domain controller. You'll have to talk to the network administrator if this is the case.

Otherwise, it should be a policy defined on the local computer. Here's how we can check:

1. Hit windows key + r (or click Start --> Run)
2. Type 'gpedit.msc' (without the quotes)
3. Hit enter (or click 'OK')

The group policy editor will now launch. I'm willing to bet that there is a setting in here (ie, "Restrict Access to Task Manager") that has been enabled.

Even better, please see this link on how to enable/disable task manager

[TimW]

regsvr
regsvr.exe
Added by the WEBMONEY-G TROJAN! .
Would suggest a bitscan.

[hopperdave2000]

Boot in safe mode. Run regedit. Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System and look for DisableTaskMgr in the right-hand pane. It's probably set to a value of 1, and it should be set to 0 (zero). Right click on it, choose the appropriate option to change the value to 0, and exit regedit and reboot.

hopperdave2000

[tmiller67]

I had this problem a while back and tried all of the things suggested here and more with no luck. System restore was the only thing that fixed it for me after cleaning out the trojan.

[mondrawy]

I'm the system administrator and I didn't disable the task manager.

Quote:

1. Hit windows key + r (or click Start --> Run)
2. Type 'gpedit.msc' (without the quotes)
3. Hit enter (or click 'OK')

Group policy editor is disabled because registry editing is disabled, the editor runs but has very little policies that can be changed (I'm assuming those are the policies that don't require registry).

Booting in safe mode or killing regsvr.exe to open the registry works and indeed the task manager is disabled in the registry, after fixing it and rebooting, my changes are apparently undone. Regsvr.exe runs again on startup and I'm assuming it shuts down regedit and the task manager as well.

I've ran several anti-(you name it) programs and they all came out blank. I suppose I'll try bitscan as well but I doubt it'll catch anything.

Also, I had system restore disabled so I can't restore to anything prior to the problem (which has existed for quite some time anyways)

[hopperdave2000]

Try regedit in safe mode or try a 3rd party regedit. Several good free ones are available right here at majorgeeks...

hopperdave2000

[®ViPeR®]

Quote:

Originally Posted by tmiller67

I had this problem a while back and tried all of the things suggested here and more with no luck. System restore was the only thing that fixed it for me after cleaning out the trojan.

Same here how ever there is a article in the microsoft help section about this they say its as a result of an incompatibility with sp2 and previously installed security patches but the fail to mention which ones and as usual the problem runs much deper than they suspect the long and the short of it is the only thing i found that fixed it was back up all my needed files email addies etc etc etc and reinstall

[mondrawy]

Quote:

Originally Posted by hopperdave2000

Try regedit in safe mode or try a 3rd party regedit. Several good free ones are available right here at majorgeeks...

In safe mode the registry and task manager are enabled, but I can't find anything that calls regsvr on startup whatsoever. I've even done a complete search through the registry for regsvr.exe and nothing came up. All other "tools" have come up clean as well.

Looks like I might have to reinstall, which is a very drastic measure but I seem to have run out of options here

[TimW]

Ever run the bitscan?

[mondrawy]

Quote:

Originally Posted by TimW

Ever run the bitscan?

Unfortunatly I didn't try that earlier, I thought since all the tests I've tried and all the applications I've installed failed to detect the problem that some online scan would probably fail too. But I was sorely mistaken, FINALLY the damn thing was identified as trojan.PSW.Agent.B and was subsequently removed, there doesn't seem to be much information online about this trojan though. But from what I gather it apparently stashes another copy of regsvr.exe in 'c:\program files' as well as what appears to be a master file with a different name in c:\windows\system32. Those files seem to have returned again after a restart though. But I could probably give it another try while shutting off system restore again (i turned it back on after losing hope).

[TimW]

Now do the read and run first sticky in the malware section ....