Solved

task manager and reg edit is disabled

Posted on 2010-08-24
Last Modified: 2012-05-10
Hello,
We have a windows 2003 server with SQL 2005.
The task manager and the reg edit are disabled for administrator. Is this an indication of a virus?
We have Trend micro installed but the client will not start.
Is it possible to clean the server if infected or it is too late?

If this is a virus...we have SQL 2005 databases on this server. What is the probability that the data is infected?
Would it be safe to rebuild the server and restore the SQL data back?
The SQL databases store data for a web client application (ClearQuest); would that application be affected by the virus?

Thanks for any help you can provide.
Question by:SiemensSEN
11 Comments
 
LVL 11

Accepted Solution

by:
CynepMeH earned 668 total points
ID: 33510940
Talk to your domain admins if it is a member of a domain. This is most likely a GPO that's applied to the system. You can run GPRESULT and RSOP.MSC to see what applied to your system.
 
LVL 11

Expert Comment

by:CynepMeH
ID: 33510955
To clarify - GPO is a GROUP POLICY OBJECT, a security feature that administrators often use to lock down the system. The Registry Editing and Task manager tools may have been disabled by administrative policy.
 
LVL 1

Assisted Solution

by:KungFuGu
KungFuGu earned 668 total points
ID: 33510960
It may be worth trying something as simple as Malwarebytes. It certainly doesn't hurt to run that in addition to Trend Micro. Try installing and running that and see if it restores any of your functionality.

It may be safe to rebuild the server. If nothing else you could perform a dump and scan on the new installation/server before restoring it.
 
LVL 11

Expert Comment

by:yarwell
ID: 33510969
The task manager and the reg edit are disabled for administrator. Is this an indication of a virus?
We have Trend micro installed but the client will not start.


looks like a trojan or virus to me.

Run prevxcsi.com lightweight cloud-based scanner on it for starters. Or a bootable CD based virus checker if you can take it off line. You should be able to clean it up.

If it's a standard windows malware problem your data will be fine, it will just have messed with system settings to protect itself and the friends it will be downloading.
 
LVL 3

Expert Comment

by:Shaun
ID: 33510990
It could be a possible virus attack

Try running FixBlast on the machine from this link
http://www.symantec.com/security_response/writeup.jsp?docid=2003-081119-5051-99 
located down under.

We cannot confirm data loss, till we figure out what virus it is...

Is there any Anti-Virus on this machine? have you tried scanning?
 
LVL 1

Expert Comment

by:KungFuGu
ID: 33511398
It would be helpful to clarify your comment please - Are you getting a message that says it is disabled or are you unable to open it?

If you are getting a message that says it is disabled by your administrator you will need to edit your group policy. Follow the instructions here for that  http://support.microsoft.com/kb/555480

If you are unable to open it but receive no messages, log in as another network user with administrative rights, and run a malware removal program such as malwarebytes.
 

Expert Comment

by:Emerex
ID: 33511807
I would suggest running RKILL then scan for viruses or spyware using the scanner of your choice.

If a virus\spyware disabled taskmgr \ regedit rkill will re-enable and kill known running virus\spyware processes.

rkill - http://www.bleepingcomputer.com/forums/topic308364.html


 

Author Comment

by:SiemensSEN
ID: 33512957
Thanks for your answers.

We checked the domain policies, and there were no new policies applied that block Task Manager or regedit.
I was also able to connect to the registry remotely from another server on the domain; no issues with that.

So we think this is a virus.
We have two SQL servers involved in this problem.
We do have TrendMicro in one of the SQL servers but did not have it on the second server. We do SQL transaction log shipping, so we are wondering if that is how the virus got propagated.
The TrendMicro on the 1st server is disabled, and when we tried to enable it, it hung.
We cannot install TrendMicro on the 2nd server...it blue screens.

Our servers are behind a firewall so we can't run scans from the internet.

Our plan is to rebuild the server.
Copy the DB data to an isolated machine that has TrendMicro and run the virus scan on the data.
But my next question is: would TrendMicro detect viruses on the SQL DB files?

Is there a difference if the scan is run when the data is already restored in the SQL server (recover the whole machine from backup including DB data),
or is it better to isolate the DB backup files, run the scan on them, and restore the data to SQL?
 
LVL 3

Expert Comment

by:Shaun
ID: 33518444
 
LVL 3

Assisted Solution

by:fireline1082
fireline1082 earned 664 total points
ID: 33519075
Hi SiemensSEN,

Usually, disabling both Task Manager and regedit is a high indication of a virus, but don't panic, you can fix this issue. The virus changes a specific registry value which disables access to both Task Manager and regedit. To enable them back, copy the below code to Notepad, save it as a .vbs script and then execute the file on the infected machine.

Code:
**************************** copy the below only without the stars ******************
' Keep going if a value is already absent, so the script works when only one of the two exists
On Error Resume Next
Set WshShell = WScript.CreateObject("WScript.Shell")
' Per-user policy value that blocks regedit
WshShell.RegDelete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools"
' Per-user policy value that blocks Task Manager
WshShell.RegDelete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr"
***********************

The two values mentioned above are usually created by most viruses, so this script will delete these registry values, which will enable back access to both Task Manager and regedit.

For cleaning up the virus: if the AV couldn't detect the virus and the PC was infected, that means the AV is not able to identify this malware, so it will not clean it, but there are a few steps that you can do to clean the virus manually.

For myself, I am using Process Explorer (download from Microsoft), which is like Task Manager but even better, and check for any running process with a malicious name or whose company name is not from a known vendor, and kill it (you may need to browse to the file location and also delete it). Then I am using a tool called HijackThis (use Google to get it), which will show you any malicious registry entries added to your system; then select and fix those (be careful when you are doing this; if you are not sure, don't do it. If you are not sure, run HijackThis, select do scan and save log, then provide the logs here so we can have a look).

Then disable System Restore on the machine from System Properties > System Restore (Turn off System Restore on all drives).
Finally do a full scan using your AV software (Trend Micro).


Alternatively to the manual steps above, you can use the Kaspersky free scan tool (from Kaspersky) or McAfee Stinger (from McAfee), which can be run on the system and do a full system scan.

Please let me know if this helps or if you need further clarification, as I am writing to you in a hurry while I am at work.

Regards
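The answers above disagree on whether the lockdown comes from Group Policy or from malware; both write the same two policy values, and the VBScript only touches the per-user hive. The following PowerShell, added here as an example and not code from anyone in this thread, reads both values in HKCU and HKLM, decodes what each data value means, and optionally removes them (with -WhatIf support). It assumes PowerShell 3 or later on the machine being examined.

```powershell
# Added example (not from the thread): audit the two policy values the
# answers discuss, in both the per-user and per-machine hive.
function Get-ToolLockdownState {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remove)   # -Remove clears any value found; -WhatIf previews

    $relPath = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\$relPath"
        foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
            # Missing key or value simply yields $null rather than an error
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            $data = if ($null -ne $item) { $item.$name } else { $null }

            # 1 blocks the tool; for DisableRegistryTools, 2 also blocks 'regedit /s'
            $meaning = if ($null -eq $data) { 'not set' }
                       elseif ($data -eq 0) { 'explicitly allowed' }
                       elseif ($data -eq 1) { 'blocked' }
                       elseif ($data -eq 2 -and $name -eq 'DisableRegistryTools') { 'blocked, silent mode too' }
                       else { "unexpected data: $data" }

            $removed = $false
            if ($Remove -and $null -ne $data -and
                $PSCmdlet.ShouldProcess("$key\$name", 'Remove policy value')) {
                Remove-ItemProperty -Path $key -Name $name -ErrorAction Stop
                $removed = $true
            }

            [pscustomobject]@{
                Hive = $hive; Value = $name; Data = $data
                Meaning = $meaning; Removed = $removed
            }
        }
    }
}

# Report only; add -Remove (or -Remove -WhatIf) to clear the values that are set.
Get-ToolLockdownState | Format-Table -AutoSize
```

Compare the output with the gpresult report suggested earlier: a value that is set here but has no matching "Prevent access to registry editing tools" or "Remove Task Manager" setting in the resultant policy was written outside Group Policy processing (a local script, a manual edit, or malware). If a cleared value reappears within minutes, a running process is re-applying it, which is the case the rkill suggestion addresses.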
 

Author Comment

by:SiemensSEN
ID: 33581524
Thanks to everyone who replied.
We did rebuild the servers from scratch and restored the databases from backup, after we ran a virus scan on them.