

task manager and reg edit is disabled

Posted on 2010-08-24
Medium Priority
Last Modified: 2012-05-10
We have a windows 2003 server with SQL 2005.
The task manager and the reg edit are disabled for administrator. Is this an indication of a virus?
We have Trend micro installed but the client will not start.
Is it possible to clean the server if infected or it is too late?

If this is a virus...we have SQL 2005 databases on this server. What is the probability that the data is infected?
Would it be safe to rebuild the server and restore the SQL data back?
The SQL databases store data for a web client application (ClearQuest); would that application be affected by the virus?

Thanks for any help you can provide.
Question by: SiemensSEN

Accepted Solution

CynepMeH earned 668 total points
ID: 33510940
Talk to your domain admins if it is a member of a domain. This is most likely a GPO that's applied to the system. You can run GPRESULT and RSOP.MSC to see what applied to your system.

Expert Comment

ID: 33510955
To clarify - GPO is a GROUP POLICY OBJECT, a security feature that administrators often use to lock down the system. The Registry Editing and Task manager tools may have been disabled by administrative policy.

Assisted Solution

KungFuGu earned 668 total points
ID: 33510960
It may be worth trying something as simple as Malwarebytes. It certainly doesn't hurt to run that in addition to Trend Micro. Try installing and running that and see if it restores any of your functionality.

It may be safe to rebuild the server. If nothing else you could perform a dump and scan on the new installation/server before restoring it.

Expert Comment

ID: 33510969
The task manager and the reg edit are disabled for administrator. Is this an indication of a virus?
We have Trend micro installed but the client will not start.

Looks like a trojan or virus to me.

Run prevxcsi.com lightweight cloud-based scanner on it for starters. Or a bootable CD based virus checker if you can take it off line. You should be able to clean it up.

If it's a standard windows malware problem your data will be fine, it will just have messed with system settings to protect itself and the friends it will be downloading.

Expert Comment

ID: 33510990
It could be a possible virus attack.

Try running FixBlast on the machine from this link
located down under.

We cannot confirm data loss until we figure out what virus it is...

Is there any Anti-Virus on this machine? Have you tried scanning?

Expert Comment

ID: 33511398
It would be helpful to clarify your comment please - Are you getting a message that says it is disabled or are you unable to open it?

If you are getting a message that says it is disabled by your administrator you will need to edit your group policy. Follow the instructions here for that: http://support.microsoft.com/kb/555480

If you are unable to open it but receive no messages, log in as another network user with administrative rights, and run a malware removal program such as malwarebytes.

Expert Comment

ID: 33511807
I would suggest running RKILL then scan for viruses or spyware using the scanner of your choice.

If a virus/spyware disabled taskmgr/regedit, rkill will re-enable them and kill known running virus/spyware processes.

rkill - http://www.bleepingcomputer.com/forums/topic308364.html


Author Comment

ID: 33512957
Thanks for your answers.

We checked the domain policies, and there were no new policies applied that block task manager or the reg edit.
I was also able to connect to the registry remotely from another server on the domain; no issues with that.

So we think this is a virus.
We have two SQL servers involved in this problem.
We do have TrendMicro on one of the SQL servers but did not have it on the second server. We do SQL transaction log shipping, so we are wondering if that is how the virus got propagated.
The TrendMicro on the 1st server is disabled, and when we tried to enable it, it hung.
We cannot install TrendMicro on the 2nd server...it blue screens.

Our servers are behind a firewall so we can't run scans from the internet.

Our plan is to rebuild the server.
Copy the DB data to an isolated machine that has TrendMicro and run the virus scan on the data.
But my next question is: would TrendMicro detect viruses in the SQL DB files?

Is there a difference if the scan is run when the data is already restored in the SQL server (recover the whole machine from backup including DB data),
or is it better to isolate the DB backup files, run a scan on them, and then restore the data to SQL?

Expert Comment

ID: 33518444

Assisted Solution

fireline1082 earned 664 total points
ID: 33519075
Hi SiemensSEN,

Usually, disabling both Task Manager and regedit is a strong indication of a virus, but don't panic, you can fix this issue. The virus changes a specific registry setting which disables access to both Task Manager and regedit. To enable them back, copy the code below to Notepad, save it as a .vbs script, and then execute the file on the infected machine.

**************************** copy the below only without the stars ******************
' Keep going if a value is already absent (RegDelete raises an error then)
on error resume next
Set WshShell = Wscript.CreateObject("Wscript.Shell")
' Remove the per-user policy value that blocks regedit
WshShell.RegDelete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools"
' Remove the per-user policy value that blocks Task Manager
WshShell.RegDelete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr"


The two values mentioned above are usually created by most viruses, so this script deletes these registry values, which will restore access to both Task Manager and Regedit.

For cleaning up the virus: if the AV couldn't detect the virus and the PC was infected anyway, that means the AV is not able to identify this malware and so will not clean it, but there are a few steps you can take to clean the virus manually.

Myself, I use Process Explorer (download from Microsoft), which is like Task Manager but even better, and check for any running process with a malicious name or whose company name is not from a known vendor, and kill it (you may need to browse to the file location and also delete it). Then I use a tool called HijackThis (use Google to get it), which will show you any malicious registry entries added to your system; then select and fix those (be careful when you are doing this; if you are not sure, don't do it. If you are not sure, run HijackThis, select "Do a system scan and save a logfile", and provide the logs here so we can have a look).

Then disable System Restore on the machine from System Properties > System Restore (Turn off System Restore on all drives).
Finally do a full scan using your AV software (Trend Micro).

Alternatively to the manual steps above, you can use the Kaspersky free scan tool (from Kaspersky) or McAfee Stinger (from McAfee), which can be run on the system to do a full system scan.

Please let me know if this helps or if you need further clarification, as I am writing to you in a hurry while I am at work.
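As an added triage example (not code from this thread or its posters), the PowerShell script below checks the same two policy values the VBS script above deletes, reports what is set, and clears them only when run with -Remove. It assumes an elevated PowerShell session on the affected server and additionally looks under HKLM, which the thread does not mention; if a value reappears after a policy refresh, a GPO is setting it, which is what the accepted answer's GPRESULT/RSOP.MSC check confirms.

```powershell
# Added example, not from the thread: report and optionally clear the policy
# values that block Task Manager and Regedit. Run elevated; pass -Remove to
# delete them. Checking HKLM as well is this example's addition.
param([switch]$Remove)

$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$valueNames = @('DisableRegistryTools', 'DisableTaskMgr')

foreach ($path in $policyPaths) {
    if (-not (Test-Path $path)) {
        Write-Output "$path : key absent (nothing set here)"
        continue
    }
    foreach ($name in $valueNames) {
        # SilentlyContinue returns $null when the value does not exist
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            Write-Output "$path\$name : not set"
            continue
        }
        $value = $item.$name
        Write-Output "$path\$name = $value  (non-zero means the tool is blocked)"
        if ($Remove -and $value -ne 0) {
            Remove-ItemProperty -Path $path -Name $name
            Write-Output "  removed $name; run 'gpupdate /force' and re-check: if it returns, a GPO sets it (see gpresult /r)"
        }
    }
}
```

Run it once without -Remove to record the current state before changing anything; a value that is set with no matching GPO in the GPRESULT output supports the malware explanation rather than the policy one.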


Author Comment

ID: 33581524
Thanks to everyone who replied.
We did rebuild the servers from scratch and restored the databases from backup, after we ran a virus scan on them.
