windows 2003 server "Task Manager has been disabled by your administrator"

I have a Windows 2003 server I am using as an ftp server and I think someone hacked it. I am getting the error message "Task Manager has been disabled by your administrator" when I try to run taskmgr. I checked the policy manager and it has not been disabled. I ran symantec and adaware, but nothing significant. I have attached my hijackthis log file to see if you guys might be able to see what I am missing. Is there a service not running or corrupt?

Thanks, Scott...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:34 PM, on 11/17/2008
Platform: Windows 2003  (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPNRA.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\drivers\wuaclt.exe
C:\WINDOWS\system32\drivers\btwdins.exe
C:\Program Files\Gene6 FTP Server\G6FTPTray.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Gene6 FTP Server\G6FTPSERVER.EXE
C:\Program Files\Gene6 FTP Server\G6FTPAdmin.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\svchost.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [wuaclt.exe] C:\WINDOWS\system32\drivers\wuaclt.exe
O4 - HKLM\..\Run: [btwdins.exe] C:\WINDOWS\system32\drivers\btwdins.exe
O4 - HKLM\..\Run: [svchost.exe] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [G6FTP Server Tray Monitor] "C:\Program Files\Gene6 FTP Server\G6FTPTray.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1226677434171
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BBK.local
O17 - HKLM\Software\..\Telephony: DomainName = BBK.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{89CE6803-0A37-4551-9C7B-85BD0146FC8C}: NameServer = 10.51.58.30
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BBK.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BBK.local
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Gene6 FTP Server (G6FTPServer) - Gene6 - C:\Program Files\Gene6 FTP Server\G6FTPSERVER.EXE
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
 
--
End of file - 4970 bytes

 
dfxdeimos commented:
There are multiple levels that this could have been disabled at. You should use the RSoP wizard to see where the policy is being applied.

Related Microsoft KB Article:

http://support.microsoft.com/kb/555480
 
smuth (author) commented:
I had already done the first one and when I try to open regedit I get the same error, "Task Manager has been disabled by your administrator". I cannot even change the time on the clock. I think this is a virus.
 
dfxdeimos commented:
Can you open the Resultant Set of Policy Snap-In?
 
smuth (author) commented:
Not sure what that is.
 
dfxdeimos commented:
 
smuth (author) commented:
Maybe you could step me through this a little. I am assuming I need the snap-in for this server. I downloaded the GPMC.msi on this server and installed it. I am in GP Manager now.
 
smuth (author) commented:
I figured it out. When I try to get to anything in the RSoP, I receive the following error a bunch of times:
mmc.gif
 
smuth (author) commented:
So this all started when I went to run SP2 on this box and I got the error that the ftp.exe file was running and needed to be shut down to proceed. I tried to run taskmgr to close it after stopping the process did not work. That is when I realized there was a problem. We are using Gene6 FTP Server.
 
dfxdeimos commented:
Wow, this is very odd indeed. Do you have a valid backup of this server?
 
smuth (author) commented:
Not too much to back up. I could just save the ftp server profile in the data folder and wipe it and start over, but I would like to make sure a virus is not causing this.

Did you see the line "O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1" in the log file? Do you know the run command to enable this?
 
dfxdeimos commented:
You could use the REG.exe command to try to modify that key from the command line:

http://www.petri.co.il/reg_command_in_windows_xp.htm

NOTE: This should work the same on 2003 as in XP.
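An added triage script for the approach suggested in this answer (it is not code from the thread or from any product mentioned in it): it queries the two policy values behind the "disabled by your administrator" message with reg.exe, dumps the Winlogon Shell value and Run keys that the HijackThis log lists, and asks gpresult whether a GPO is the one setting them. It assumes the O7 label "DisableRegedit" in the log refers to the DisableRegistryTools value, and that reg.exe and gpresult.exe are available, as they are on Windows 2003.

```batch
@echo off
REM Added triage script (not from the thread). Run from an Administrator
REM cmd prompt on the affected server. Pass /fix to remove the two
REM restrictions from the current user's hive after reviewing the output.

set USERPOL=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
set MACHPOL=HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

echo === Policy values (1 means the restriction is active) ===
for %%K in ("%USERPOL%" "%MACHPOL%") do (
    for %%V in (DisableTaskMgr DisableRegistryTools) do (
        reg query %%K /v %%V 2>nul | find /i "%%V"
    )
)

echo === Winlogon Shell value (a clean system shows only Explorer.exe) ===
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell

echo === Autostart entries (compare against the HijackThis O4 lines) ===
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run

echo === Group Policy settings that push these values, if any ===
gpresult /scope user /v | findstr /i "DisableTaskMgr DisableRegistryTools"

if /i "%1"=="/fix" (
    echo Removing the restrictions from the user hive...
    reg delete "%USERPOL%" /v DisableTaskMgr /f
    reg delete "%USERPOL%" /v DisableRegistryTools /f
)
```

If gpresult reports no GPO yet the values exist, something local wrote them; if they come back after a reboot, whatever the Run keys and Shell value start is re-applying them and is the thing to look at before cleaning the registry again.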
 
itgroup1 commented:
Did you try running Malwarebytes? It is a great product and will find a virus if there is one there. The only reason I bring this up is because we had a very similar issue and it was some malware/virus and we got it cleaned up.
/sf
 
smuth (author) commented:
I just tried that one and it found a few things, but I am still having the problem after rebooting.
 
itgroup1 commented:
Sorry to hear that!
If I think of anything else I certainly will give you a holler!
/SF