Windows 2003 Server "Task Manager has been disabled by your administrator"

I have a Windows 2003 server I am using as an FTP server and I think someone hacked it. I am getting the error message "Task Manager has been disabled by your administrator" when I try to run taskmgr. I checked the policy manager and it has not been disabled. I ran Symantec and Ad-Aware, but nothing significant. I have attached my HijackThis log file to see if you guys might be able to see what I am missing. Is there a service not running or corrupt?

Thanks, Scott...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:34 PM, on 11/17/2008
Platform: Windows 2003  (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPNRA.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\drivers\wuaclt.exe
C:\WINDOWS\system32\drivers\btwdins.exe
C:\Program Files\Gene6 FTP Server\G6FTPTray.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Gene6 FTP Server\G6FTPSERVER.EXE
C:\Program Files\Gene6 FTP Server\G6FTPAdmin.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\svchost.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [wuaclt.exe] C:\WINDOWS\system32\drivers\wuaclt.exe
O4 - HKLM\..\Run: [btwdins.exe] C:\WINDOWS\system32\drivers\btwdins.exe
O4 - HKLM\..\Run: [svchost.exe] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [G6FTP Server Tray Monitor] "C:\Program Files\Gene6 FTP Server\G6FTPTray.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1226677434171
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BBK.local
O17 - HKLM\Software\..\Telephony: DomainName = BBK.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{89CE6803-0A37-4551-9C7B-85BD0146FC8C}: NameServer = 10.51.58.30
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BBK.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BBK.local
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Gene6 FTP Server (G6FTPServer) - Gene6 - C:\Program Files\Gene6 FTP Server\G6FTPSERVER.EXE
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
 
--
End of file - 4970 bytes
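
Added example, not part of the original post: a small Python triage pass over HijackThis output that flags the kinds of lines a responder would check first in a log like the one above. The heuristics (expected folders for core Windows binaries, executables under system32\drivers, a Shell value with extra content, Disable* policy values) are assumptions chosen for illustration, and the sample lines are copied from the posted log.

```python
import ntpath
import re

# Assumption: Windows is installed in C:\WINDOWS, as in the log on this page.
SYS32 = r"c:\windows\system32"
EXPECTED_DIR = {name: SYS32 for name in (
    "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)

def triage(log_text):
    """Return (reason, line) pairs for HijackThis lines worth a closer look."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        if line.startswith("F2 - ") and "Shell=" in line:
            # Winlogon's Shell value should name Explorer.exe and nothing else.
            if line.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                findings.append(("shell value has extra content", line))
        elif line.startswith("O7 - ") and re.search(r"Disable\w+=1", line):
            findings.append(("policy restriction set", line))
        else:
            for path in EXE_PATH.findall(line):
                folder, name = ntpath.split(path.lower())
                if name in EXPECTED_DIR and folder != EXPECTED_DIR[name]:
                    findings.append(("system binary name in wrong folder", line))
                elif folder == SYS32 + r"\drivers":
                    # Heuristic: this folder normally holds .sys drivers.
                    findings.append((".exe in the drivers folder", line))
    return findings

# Lines copied from the log posted above.
SAMPLE = r"""
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\drivers\wuaclt.exe
F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\svchost.exe
O4 - HKLM\..\Run: [btwdins.exe] C:\WINDOWS\system32\drivers\btwdins.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Gene6 FTP Server (G6FTPServer) - Gene6 - C:\Program Files\Gene6 FTP Server\G6FTPSERVER.EXE
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE):
        print(f"[{reason}] {line}")
```

A flagged line is a lead for manual verification (file hash, signature, timestamps), not a verdict.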


smuthAsked:

dfxdeimosCommented:
There are multiple levels that this could have been disabled at. You should use the RSoP wizard to see where the policy is being applied.

Related Microsoft KB Article:

http://support.microsoft.com/kb/555480
0
smuthAuthor Commented:
I had already done the first one and when I try to open regedit I get the same error, "Task Manager has been disabled by your administrator". I cannot even change the time on the clock. I think this is a virus.
0
dfxdeimosCommented:
Can you open the Resultant Set of Policy Snap-In?
0
smuthAuthor Commented:
Not sure what that is
0
dfxdeimosCommented:
0
smuthAuthor Commented:
Maybe you could step me through this a little. I am assuming I need the snap-in for this server. I downloaded the GPMC.msi on this server and installed it. I am in GP Manager now.
0
smuthAuthor Commented:
I figured it out. When I try to get to anything in the RSoP I receive the following error a bunch of times:
mmc.gif
0
smuthAuthor Commented:
So this all started when I went to run SP2 on this box and I got the error that the ftp.exe file was running and needed to be shut down to proceed. I tried to run taskmgr to close it after stopping the process did not work. That is when I realized there was a problem. We are using Gene6 FTP Server.
0
dfxdeimosCommented:
Wow, this is very odd indeed. Do you have a valid backup of this server?
0
smuthAuthor Commented:
Not too much to back up. I could just save the ftp server profile in the data folder and wipe it and start over, but I would like to make sure a virus is not causing this.

Did you see the line "O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1" in the log file? Do you know the run command to enable this?
0
dfxdeimosCommented:
You could use the REG.exe command to try to modify that key from the command line:

http://www.petri.co.il/reg_command_in_windows_xp.htm

NOTE: This should work the same on 2003 as in XP.
0
itgroup1Commented:
Did you try running Malwarebytes? It is a great product and will find a virus if there is one there. The only reason I bring this up is because we had a very similar issue and it was some malware/virus and we got it cleaned up.
/sf
0
smuthAuthor Commented:
I just tried that one and it found a few things, but I am still having the problem after rebooting.
0

itgroup1Commented:
Sorry to hear that!
If I think of anything else I certainly will give you a holler!
/SF
0