task manager and reg edit is disabled

Posted on 2010-08-24
Last Modified: 2012-05-10
We have a windows 2003 server with SQL 2005.
The task manager and the reg edit are disabled for administrator. Is this an indication of a virus?
We have Trend micro installed but the client will not start.
Is it possible to clean the server if infected or it is too late?

If this is a virus...we have SQL 2005 databases on this server. What is the probability that the data is infected?
Should it be safe to rebuild the server and restore the SQL data back.
The SQL databases store data for a web client application (ClearQuest); would that application be affected by the virus?

Thanks for any help you can provide.
Question by:SiemensSEN
Accepted Solution

CynepMeH earned 167 total points
ID: 33510940
Talk to your domain admins if it is a member of a domain. This is most likely a GPO that's applied to the system. You can run GPRESULT and RSOP.MSC to see what applied to your system.
Expert Comment

ID: 33510955
To clarify - GPO is a GROUP POLICY OBJECT, a security feature that administrators often use to lock down the system. The Registry Editing and Task manager tools may have been disabled by administrative policy.

Assisted Solution

KungFuGu earned 167 total points
ID: 33510960
It may be worth trying something as simple as Malwarebytes. It certainly doesn't hurt to run that in addition to Trend Micro. Try installing and running that and see if it restores any of your functionality.

It may be safe to rebuild the server. If nothing else you could perform a dump and scan on the new installation/server before restoring it.

Expert Comment

ID: 33510969
The task manager and the reg edit are disabled for administrator. Is this an indication of a virus?
We have Trend micro installed but the client will not start.

Looks like a trojan or virus to me.

Run a lightweight cloud-based scanner on it for starters, or a bootable CD-based virus checker if you can take it offline. You should be able to clean it up.

If it's a standard windows malware problem your data will be fine, it will just have messed with system settings to protect itself and the friends it will be downloading.

Expert Comment

ID: 33510990
It could be a possible virus attack

Try running FixBlast on the machine from this link 
located down under.

We cannot confirm data loss until we figure out what virus it is...

Is there any Anti-Virus on this machine? have you tried scanning?

Expert Comment

ID: 33511398
It would be helpful to clarify your comment please - Are you getting a message that says it is disabled or are you unable to open it?

If you are getting a message that says it is disabled by your administrator you will need to edit your group policy. Follow the instructions here for that

If you are unable to open it but receive no messages, log in as another network user with administrative rights, and run a malware removal program such as malwarebytes.

Expert Comment

ID: 33511807
I would suggest running RKILL then scan for viruses or spyware using the scanner of your choice.

If a virus\spyware disabled taskmgr \ regedit rkill will re-enable and kill known running virus\spyware processes.

rkill -


Author Comment

ID: 33512957
Thanks for your answers.

We checked the domain policies, and there were no new policies applied that block Task Manager or regedit.
I was also able to connect to the registry remotely from another server on the domain; no issues with that.

So we think this is a virus.
We have two SQL servers involved in this problem.
We do have TrendMicro in one of the SQL servers but did not have it on the second server. We do SQL transaction log shipping, so we are wondering if that is how the virus got propagated.
The TrendMicro on the 1st server is disabled, and when we try to enable it, it hangs.
We cannot install TrendMicro on the 2nd; it blue screens.

Our servers are behind a firewall, so we can't run scans from the internet.

Our plan is to rebuild the server.
Copy the DB data to an isolated machine that has TrendMicro and run the virus scan on the data.
But my next question is: would TrendMicro detect viruses in the SQL DB files?

Is there a difference if the scan is run when the data is already restored in the SQL server (recover the whole machine from backup including DB data)
or is it better to isolate the db backup files, run scan on them, and restore the data to SQL?
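An added example for the rebuild-and-restore step discussed above; it is not code from the original thread or from any vendor mentioned in it. A file-level antivirus scan of .mdf/.ldf/.bak files only looks at the bytes on disk; it says nothing about what the restored instance will execute. This script connects to the rebuilt SQL Server 2005 instance with Windows authentication and lists the server-side places where something could persist across a restore: xp_cmdshell, startup procedures in master, server-level triggers, SQL Agent job steps that run OS commands, and linked servers. The instance name is an assumption; replace it with the rebuilt server's name.

```powershell
# Added example, not from the original thread. Lists persistence points on a freshly
# rebuilt SQL Server 2005 instance after the databases have been restored. Needs the
# SQL Server catalog views (2005+) and a Windows login with sysadmin/VIEW SERVER STATE.
$instance = 'localhost'   # ASSUMPTION: name of the rebuilt instance; change to match

$checks = @{
    'xp_cmdshell enabled'   = "SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell' AND value_in_use = 1"
    'startup procedures'    = "SELECT name FROM sys.procedures WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1"
    'server-level triggers' = "SELECT name FROM sys.server_triggers"
    'Agent OS-command steps'= "SELECT j.name, s.command FROM msdb.dbo.sysjobs j JOIN msdb.dbo.sysjobsteps s ON j.job_id = s.job_id WHERE s.subsystem IN ('CmdExec', 'PowerShell')"
    'linked servers'        = "SELECT name, data_source FROM sys.servers WHERE is_linked = 1"
}

# Startup procedures live in master, so that is the database we connect to.
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$instance;Integrated Security=SSPI;Database=master")
$conn.Open()
try {
    foreach ($label in $checks.Keys) {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $checks[$label]
        $reader = $cmd.ExecuteReader()
        $rows = @()
        while ($reader.Read()) {
            # Join every column of the row into one printable line
            $rows += (0..($reader.FieldCount - 1) | ForEach-Object { $reader.GetValue($_) }) -join ' | '
        }
        $reader.Close()
        if ($rows.Count -eq 0) {
            Write-Host "[ok]    $label : none"
        } else {
            # A hit is not proof of compromise; every row here should be explainable by an admin.
            Write-Host "[check] $label :"
            $rows | ForEach-Object { Write-Host "        $_" }
        }
    }
} finally {
    $conn.Close()
}
```

Run it once on the clean rebuild before restoring anything (every check should report none), and again after the restore; anything that appears only after the restore came in with the backups or with the post-restore configuration, and needs to be explained before the server goes back into service. This checks the instance, not the data itself; a modified application table would not show up here.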

Assisted Solution

fireline1082 earned 166 total points
ID: 33519075
Hi SiemensSEN,

Usually, having both Task Manager and regedit disabled is a strong indication of a virus, but don't panic; you can fix this issue. The virus changes a specific registry value which disables access to both Task Manager and regedit. To enable them again, copy the code below to Notepad, save it as a .vbs script and then execute the file on the infected machine.

**************************** copy the below only without the stars ******************
' Keep going if a value is already absent (RegDelete raises an error otherwise)
on error resume next
' WScript.Shell gives scripts read/write access to the registry
Set WshShell = Wscript.CreateObject("Wscript.Shell")
' Per-user policy value that blocks regedit
WshShell.RegDelete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools"
' Per-user policy value that blocks Task Manager
WshShell.RegDelete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr"


The two keys mentioned above are usually created by most viruses, so this script will delete these registry entries, which will restore access to both Task Manager and Regedit.

To clean up the virus: if the AV couldn't detect the virus and the PC was infected, that means the AV is not able to identify this malware and so will not clean it, but there are a few steps you can take to clean the virus manually.

Myself, I use Process Explorer (download from Microsoft), which is like Task Manager but even better, and check for any running process with a malicious name or whose company name is not from a known vendor, and kill it (you may need to browse to the file location and also delete the file). Then I use a tool called HijackThis (use Google to get it), which will show you any malicious registry entries added to your system; then select and fix them. (Be careful when you are doing this; if you are not sure, don't do it. If you are not sure, run HijackThis, select "do scan and save log" and provide the logs here so we can have a look.)

Then disable System Restore on the machine from System Properties > System Restore (turn off System Restore on all drives).
Finally do a full scan using your AV software (Trend Micro).

Alternatively to the manual steps above, you can use the Kaspersky free scan tool (from Kaspersky) or McAfee Stinger (from McAfee), which can be run on the system to do a full system scan.

Please let me know if this helps or if you need further clarification, as I am writing to you in a hurry while I am at work.
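An added PowerShell example covering two things from this thread: the "is it Group Policy or is it malware?" question from the accepted solution (GPRESULT) and the re-enable plus manual process review described in the post above. It is not code from the thread or from any product named here. Part 1 reads the DisableTaskMgr and DisableRegistryTools values in both the per-user (HKCU) and machine-wide (HKLM) Policies\System keys (the VBScript above only touches HKCU), removes them when run with -Remediate, and then asks gpresult /v for each scope whether an applied GPO defines them. Part 2 lists running processes whose image is unsigned or not signed by a vendor you expect, which is the Process Explorer check done from a script. Assumptions: PowerShell 2.0 or later is installed on the host (Server 2003 did not ship it), the shell is elevated, and the $expectedSigners list is adjusted for the box.

```powershell
# Added example, not from the original thread. Triage for hidden Task Manager/regedit.
# Usage:  .\triage.ps1            (audit only)
#         .\triage.ps1 -Remediate (also delete the policy values that are set)
param([switch]$Remediate)

$valueNames = 'DisableTaskMgr', 'DisableRegistryTools'
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   # per-user: user GPO, or malware running as this user
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   # machine-wide: computer GPO, or malware running as SYSTEM/admin
)

# --- Part 1: the policy values, in both hives ------------------------------
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $valueNames) {
        $value = $props.$name
        if ($null -eq $value) { continue }
        Write-Host ("{0}\{1} = {2}" -f $key, $name, $value)
        if ($Remediate -and $value -ne 0) {
            Remove-ItemProperty -Path $key -Name $name
            Write-Host "    removed"
        }
    }
}

# gpresult /v prints each applied Administrative Template setting with its registry
# KeyName and ValueName. If our value names appear, the lockdown is policy: deleting
# the value only lasts until the next refresh, and the fix belongs to the domain admins.
$pattern = $valueNames -join '|'
foreach ($scope in 'user', 'computer') {
    $hits = gpresult /scope $scope /v 2>&1 | Select-String -Pattern $pattern
    if ($hits) {
        Write-Host "Defined by $scope Group Policy:"
        $hits | ForEach-Object { Write-Host "    $($_.Line.Trim())" }
    } else {
        Write-Host "No applied $scope GPO defines these values"
    }
}

# --- Part 2: running processes not signed by an expected vendor ------------
# ASSUMPTION: the vendors whose signed binaries belong on this server. Anything else
# (including unsigned images) is listed for a human to review, not auto-killed.
$expectedSigners = 'Microsoft', 'Trend Micro'

Get-Process | ForEach-Object {
    $proc = $_
    $path = $proc.Path                      # $null for processes we cannot open
    if (-not $path) { return }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $trusted = ($sig.Status -eq 'Valid') -and ($expectedSigners | Where-Object { $signer -like "*$_*" })
    if (-not $trusted) {
        New-Object PSObject -Property @{
            Name    = $proc.ProcessName
            PID     = $proc.Id
            Company = $proc.Company         # from the file's version resource; trivially forgeable
            Status  = $sig.Status
            Signer  = $signer
            Path    = $path
        }
    }
} | Format-Table Name, PID, Company, Status, Signer, Path -AutoSize
```

Two caveats when reading the output. First, if the values were present and you removed them, run gpupdate /force and re-run the audit: a value that comes back was put there by policy, one that stays gone was set by something else. Second, many Windows system binaries are catalog-signed rather than carrying an embedded Authenticode signature, so they can show as NotSigned here; judge those by their path (under %SystemRoot%\system32 versus a temp, profile or web-content directory) rather than by the status alone, and treat the Company column as a hint, not evidence.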


Author Comment

ID: 33581524
Thanks to everyone who replied.
We did rebuild the servers from scratch and restored the databases from backup after we ran a virus scan on them.
