task manager and reg edit is disabled (Solved)

Posted on 2010-08-24. Last Modified: 2012-05-10
Hello,
We have a Windows 2003 server with SQL 2005.
The Task Manager and the reg edit are disabled for administrator. Is this an indication of a virus?
We have Trend Micro installed, but the client will not start.
Is it possible to clean the server if it is infected, or is it too late?

If this is a virus... we have SQL 2005 databases on this server. What is the probability that the data is infected?
Would it be safe to rebuild the server and restore the SQL data back?
The SQL databases store data for a web client application (ClearQuest); would that application be affected by the virus?

Thanks for any help you can provide.
Question by: SiemensSEN

11 Comments
 
Accepted Solution by CynepMeH (LVL 11, earned 167 total points):
Talk to your domain admins if it is a member of a domain. This is most likely a GPO that's applied to the system. You can run GPRESULT and RSOP.MSC to see what applied to your system.

Expert Comment by CynepMeH (LVL 11):
To clarify: GPO is a GROUP POLICY OBJECT, a security feature that administrators often use to lock down the system. The Registry Editing and Task Manager tools may have been disabled by administrative policy.

Assisted Solution by KungFuGu (LVL 1, earned 167 total points):
It may be worth trying something as simple as Malwarebytes. It certainly doesn't hurt to run that in addition to Trend Micro. Try installing and running that and see if it restores any of your functionality.

It may be safe to rebuild the server. If nothing else, you could perform a dump and scan on the new installation/server before restoring it.

Expert Comment by yarwell (LVL 11):
"The task manager and the reg edit are disabled for administrator. Is this an indication of a virus? We have Trend micro installed but the client will not start."

Looks like a trojan or virus to me.

Run the prevxcsi.com lightweight cloud-based scanner on it for starters, or a bootable CD-based virus checker if you can take it offline. You should be able to clean it up.

If it's a standard Windows malware problem, your data will be fine; it will just have messed with system settings to protect itself and the friends it will be downloading.

Expert Comment by Shaun (LVL 3):
It could be a possible virus attack.

Try running FixBlast on the machine, from this link (the download is located further down the page):
http://www.symantec.com/security_response/writeup.jsp?docid=2003-081119-5051-99

We cannot confirm data loss until we figure out what virus it is.

Is there any anti-virus on this machine? Have you tried scanning?
 
Expert Comment by KungFuGu (LVL 1):
It would be helpful if you could clarify your comment, please: are you getting a message that says it is disabled, or are you unable to open it?

If you are getting a message that says it is disabled by your administrator, you will need to edit your group policy. Follow the instructions here for that: http://support.microsoft.com/kb/555480

If you are unable to open it but receive no messages, log in as another network user with administrative rights and run a malware removal program such as Malwarebytes.

Expert Comment by Emerex:
I would suggest running RKILL, then scanning for viruses or spyware using the scanner of your choice.

If a virus/spyware disabled taskmgr/regedit, rkill will re-enable them and kill known running virus/spyware processes.

rkill - http://www.bleepingcomputer.com/forums/topic308364.html

Author Comment by SiemensSEN:
Thanks for your answers.

We checked the domain policies, and there were no new policies applied that block Task Manager or the reg edit.
I was also able to connect to the registry remotely from another server on the domain; no issues with that.

So we think this is a virus.
We have two SQL servers involved in this problem.
We do have TrendMicro on one of the SQL servers but did not have it on the second server. We do SQL transaction log shipping, so we are wondering if that is how the virus got propagated.
The TrendMicro on the 1st server is disabled, and when we tried to enable it, it hung.
We cannot install TrendMicro on the 2nd server... it blue screens.

Our servers are behind a firewall, so we can't run scans from the internet.

Our plan is to rebuild the server:
Copy the DB data to an isolated machine that has TrendMicro and run the virus scan on the data.
But my next question is: would TrendMicro detect viruses in the SQL DB files?

Is there a difference if the scan is run when the data is already restored in the SQL server (recover the whole machine from backup, including DB data),
or is it better to isolate the DB backup files, run a scan on them, and then restore the data to SQL?

Assisted Solution by fireline1082 (LVL 3, earned 166 total points):
Hi SiemensSEN,

Usually, having both Task Manager and regedit disabled is a strong indication of a virus, but don't panic, you can fix this issue. The virus changes specific registry entries which disable access to both Task Manager and regedit. To enable them again, copy the code below into Notepad, save it as a .vbs script and then execute the file on the infected machine.

Code:
**************************** copy the below only without the stars ******************
' Keep going if a value is already absent (RegDelete raises an error otherwise)
on error resume next
' The Windows Script Host shell object provides registry access
Set WshShell = Wscript.CreateObject("Wscript.Shell")
' Remove the per-user policy value that blocks regedit
WshShell.RegDelete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools"
' Remove the per-user policy value that blocks Task Manager
WshShell.RegDelete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr"
***********************

The two keys mentioned above are usually created by most viruses, so this script will delete these registry entries, which will restore access to both Task Manager and Regedit.

For cleaning up the virus: if the AV couldn't detect the virus and the PC was infected, that means the AV is not able to identify this malware and so will not clean it, but there are a few steps you can take to clean the virus manually.

For myself, I use Process Explorer (download from Microsoft), which is like Task Manager but even better, and check for any running process with a malicious name, or whose company name is not from a known vendor, and kill it (you may need to browse to the file location and also delete it). Then I use a tool called HijackThis (use Google to get it), which will show you any malicious registry entries added to your system; then select and fix them. (Be careful when you are doing this; if you are not sure, don't do it. If you are not sure, run HijackThis, select "do scan and save log", and provide the log here so we can have a look.)

Then disable System Restore on the machine from System Properties > System Restore (Turn off System Restore on all drives).
Finally, do a full scan using your AV software (Trend Micro).

Alternatively to the manual steps above, you can use the Kaspersky free scan tool (from Kaspersky) or McAfee Stinger (from McAfee), which can be run on the system to do a full system scan.

Please let me know if this helps or if you need further clarification, as I am writing to you in a hurry while I am at work.

Regards
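Added here as an example, not code from fireline1082 or anyone else in the thread: a read-only PowerShell check of the two policy values the .vbs above deletes, in both the per-user and the machine hive, together with the GPRESULT cross-check CynepMeH suggested for telling a policy-applied lockdown from one written locally. The function name is my own; the registry paths and value names are the ones from the script.

```powershell
# Added example, not code from the thread: report the state of the two policy values
# (paths and names as in the .vbs above) in both hives, without changing anything.
# Function name is hypothetical.
function Get-ToolLockdownState {
    $valueNames = 'DisableTaskMgr', 'DisableRegistryTools'
    $paths = @(
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    foreach ($path in $paths) {
        # Get-ItemProperty fails on a missing key, so guard with Test-Path first
        $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
        foreach ($name in $valueNames) {
            # PSObject.Properties[...] returns $null when the value is not present
            $data = if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { $null }
            [pscustomobject]@{
                Hive   = $path.Split(':')[0]
                Value  = $name
                Data   = $data
                # 1 blocks the tool; for DisableRegistryTools, 2 also blocks silent regedit /s imports
                Locked = ($null -ne $data -and $data -ne 0)
            }
        }
    }
}

$state = Get-ToolLockdownState
$state | Format-Table -AutoSize

# Group Policy writes these same values to the per-user key, so their presence alone does not
# tell GPO and malware apart. If "Remove Task Manager" / "Prevent access to registry editing
# tools" appear in the applied user settings of
#   gpresult /scope user /v
# the lockdown is policy; if the values are present but no such policy is applied, something
# wrote them locally, which is the situation the thread describes.
if ($state | Where-Object Locked) {
    Write-Output 'Lockdown values present: compare against gpresult /scope user /v before deleting them.'
}
```

Run it in the context of the locked-out account, since the HKCU rows reflect whichever user's hive is loaded.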
 

Author Comment by SiemensSEN:
Thanks to everyone who replied.
We did rebuild the servers from scratch and restored the databases from backup, after we ran a virus scan on them.