Task Manager and regedit are disabled

Hello,
We have a Windows 2003 server with SQL 2005.
The Task Manager and regedit are disabled for Administrator. Is this an indication of a virus?
We have Trend micro installed but the client will not start.
Is it possible to clean the server if infected or it is too late?

If this is a virus...we have SQL 2005 databases on this server. What is the probability that the data is infected?
Would it be safe to rebuild the server and restore the SQL data back?
The SQL databases store data for a web client application (ClearQuest); would that application be affected by the virus?

Thanks for any help you can provide.

SiemensSEN asked:

CynepMeH commented:
Talk to your domain admins if it is a member of a domain. This is most likely a GPO that's applied to the system. You can run GPRESULT and RSOP.MSC to see what applied to your system.

CynepMeH commented:
To clarify - GPO is a GROUP POLICY OBJECT, a security feature that administrators often use to lock down the system. The Registry Editing and Task manager tools may have been disabled by administrative policy.

KungFuGu commented:
It may be worth trying something as simple as Malwarebytes. It certainly doesn't hurt to run that in addition to Trend Micro. Try installing and running that and see if it restores any of your functionality.

It may be safe to rebuild the server. If nothing else you could perform a dump and scan on the new installation/server before restoring it.

yarwell commented:
The task manager and the reg edit are disabled for administrator. Is this an indication of a virus?
We have Trend micro installed but the client will not start.

Looks like a trojan or virus to me.

Run prevxcsi.com lightweight cloud-based scanner on it for starters. Or a bootable CD based virus checker if you can take it off line. You should be able to clean it up.

If it's a standard windows malware problem your data will be fine, it will just have messed with system settings to protect itself and the friends it will be downloading.

Shaun commented:
It could be a possible virus attack

Try running FixBlast on the machine from this link
http://www.symantec.com/security_response/writeup.jsp?docid=2003-081119-5051-99 
located down under.

We cannot confirm data loss until we figure out what virus it is...

Is there any Anti-Virus on this machine? have you tried scanning?

KungFuGu commented:
It would be helpful to clarify your comment please: are you getting a message that says it is disabled, or are you unable to open it?

If you are getting a message that says it is disabled by your administrator, you will need to edit your group policy. Follow the instructions here for that: http://support.microsoft.com/kb/555480

If you are unable to open it but receive no messages, log in as another network user with administrative rights, and run a malware removal program such as malwarebytes.

Emerex commented:
I would suggest running RKILL then scan for viruses or spyware using the scanner of your choice.

If a virus/spyware disabled taskmgr/regedit, rkill will re-enable them and kill known running virus/spyware processes.

rkill - http://www.bleepingcomputer.com/forums/topic308364.html

SiemensSEN (author) commented:
Thanks for your answers.

We checked the domain policies, and there were no new policies applied that block Task Manager or regedit.
I was also able to connect to the registry remotely from another server on the domain; no issues with that.

So we think this is a virus.
We have two SQL servers involved in this problem.
We do have Trend Micro on one of the SQL servers but did not have it on the second server. We do SQL transaction log shipping, so we are wondering if that is how the virus got propagated.
The Trend Micro on the 1st server is disabled, and when we try to enable it, it hangs.
We cannot install Trend Micro on the 2nd server... it blue screens.

Our servers are behind a firewall, so we can't run scans from the internet.

Our plan is to rebuild the server.
Copy the DB data to an isolated machine that has Trend Micro and run the virus scan on the data.
But my next question is: would Trend Micro detect viruses in the SQL DB files?

Is there a difference if the scan is run when the data is already restored in the SQL server (recover the whole machine from backup including DB data),
or is it better to isolate the DB backup files, run the scan on them, and restore the data to SQL?

fireline1082 commented:
Hi SiemensSEN,

Usually, disabling both Task Manager and regedit is a strong indication of a virus, but don't panic, you can fix this issue. The virus changes a specific registry value which disables access to both Task Manager and regedit. To enable them back, copy the code below to Notepad, save it as a .vbs script, and then execute the file on the infected machine.

Code:

' Ignore errors such as a value that does not exist, so both deletes are attempted
On Error Resume Next
Set WshShell = WScript.CreateObject("WScript.Shell")

' 1 in either of these values hides regedit / Task Manager for the current user;
' deleting them restores the tools (the malware itself is not removed by this)
WshShell.RegDelete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools"
WshShell.RegDelete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr"

WScript.Echo "Policy values removed; log off and back on if the tools are still blocked."

The two values mentioned above are usually created by most viruses, so this script will delete these registry entries, which will enable back access to both Task Manager and regedit.

For cleaning up the virus: if the AV couldn't detect the virus and the PC was infected, that means the AV is not able to identify this malware, so it will not clean it, but there are a few steps that you can do to clean the virus manually.

For myself, I am using Process Explorer (download from Microsoft), which is like Task Manager but even better, and check for any running process with a malicious name or whose company name is not from a known vendor and kill it (you may need to browse to the file location and also delete it). Then I am using a tool called HijackThis (use Google to get it), which will show you any malicious registry entries added to your system; then select and fix them (be careful when you are doing this; if you are not sure, don't do it. If you are not sure, run HijackThis, select "Do a system scan and save a logfile", then provide the logs here so we can have a look).

Then disable System Restore on the machine from System Properties > System Restore (turn off System Restore on all drives).
Finally, do a full scan using your AV software (Trend Micro).


Alternatively to the manual steps above, you can use the Kaspersky free scan tool (from Kaspersky) or McAfee Stinger (from McAfee), which can be run on the system to do a full system scan.

Please let me know if this helps or if you need further clarification, as I am writing to you in a hurry while I am at work.

Regards
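The thread hinges on telling CynepMeH's case (a GPO set these values) apart from fireline1082's case (malware set them). The following PowerShell triage script is an added example, not code from any poster; it reads the same two policy values in both the user and machine hives and checks whether `gpresult /v` reports them as applied policy. Function names are my own.

```powershell
# Added triage script: report the DisableRegistryTools / DisableTaskMgr policy
# values and whether Group Policy accounts for them, before any cleanup.
$valueNames  = 'DisableRegistryTools', 'DisableTaskMgr'
$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

function Get-ToolLockdownState {
    # One record per (hive, value); Value 1 = tool disabled, 0 or $null = allowed.
    foreach ($path in $policyPaths) {
        foreach ($name in $valueNames) {
            $data = $null
            if (Test-Path $path) {
                $data = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{ Path = $path; Name = $name; Value = $data }
        }
    }
}

function Test-SetByGroupPolicy {
    # gpresult /v lists registry-based Administrative Template settings by
    # value name; a value absent from the report was not set by an applied GPO.
    $report = & gpresult.exe /v 2>$null
    foreach ($name in $valueNames) {
        [pscustomobject]@{
            Name         = $name
            ReportedByGP = [bool]($report | Select-String -SimpleMatch $name)
        }
    }
}

$state = Get-ToolLockdownState
$state | Format-Table -AutoSize
$gp = Test-SetByGroupPolicy
$gp | Format-Table -AutoSize

# Value = 1 with no matching GPO entry is the situation this thread describes:
# local tampering, not an administrator's policy. Deleting the value (as the
# .vbs above does) restores the tool but does not remove whatever set it.
foreach ($s in $state | Where-Object { $_.Value -eq 1 }) {
    $fromGp = ($gp | Where-Object { $_.Name -eq $s.Name }).ReportedByGP
    Write-Output ("{0}\{1} = 1 ; reported by Group Policy: {2}" -f $s.Path, $s.Name, $fromGp)
}
```

Run it from an elevated PowerShell session as the affected user; a value that flips back to 1 shortly after removal is a running process re-setting it, which is what the scan steps above are meant to find.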

SiemensSEN (author) commented:
Thanks to everyone who replied.
We did rebuild the servers from scratch and restored the databases from backup, after we ran a virus scan on them.