Locked Task manager

Discussion in 'Windows Desktop Systems' started by CrashGate3, Jul 29, 2006.

  1. CrashGate3

    CrashGate3 OSNN Junior Addict

    Messages:
    24
    Recently I've been the victim of a trojan which kept opening popups all over the place as well as disabling Explorer's search function and locking the task manager to protect itself.

    I think I've got rid of the trojan (the popups have stopped and it no longer keeps requesting to connect to the net when I'm offline) but the Task Manager is still 'locked by my administrator' and the search function still does nothing.

    Any advice?
     
  2. BouncingSoul

    BouncingSoul Stranger Than Fiction Political User

    Messages:
    1,297
    Location:
    Sioux Falls, SD
    Start > Run > type 'regedit'

    Hive: HKEY_CURRENT_USER
    Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
    Name: DisableTaskMgr
    Type: REG_DWORD
    Value: 1 = enable this key, that is, DISABLE Task Manager
    Value: 0 = disable this key, that is, don't disable (enable) Task Manager

    I've had this issue before with spyware/trojans, this should fix it.
     
  3. CrashGate3

    CrashGate3 OSNN Junior Addict

    Messages:
    24
    :(

    It's got rid of the Run option on my Start menu too.

    I tried it with a command prompt and was told that registry editing is disabled too. :(

    I've just dropped to the Admin account in safe mode and ran regedit from there, but there's no Software\Microsoft\Windows\CurrentVersion\Policies\System key. The path goes up to Software\Microsoft\Windows\CurrentVersion\Policies and then just has an 'Explorer' folder - no System one. Do I just add the System key?
     
    Last edited: Jul 29, 2006
  4. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    If you don't have the run option, you could always do Windows Key + R which will bring up the Run Dialog - that may be worth a shot.

    The SYSTEM key may not be there, it's not on my system either. But it is safe to create.

    Can you post a screenshot of your particular error when trying to access Task manager?
     
  5. CrashGate3

    CrashGate3 OSNN Junior Addict

    Messages:
    24
    [screenshot]

    This is what I get when I Ctrl-Alt-Del.

    I went into the Admin account in safe mode (the only one that will let me at the registry), added a System key to the Policies path and added a new DWORD called DisableTaskMgr and set it to 0.

    Didn't work :(


    [screenshot]

    This is what I get if I try Windows Key + R
     
  6. CrashGate3

    CrashGate3 OSNN Junior Addict

    Messages:
    24
    Blehhh... I think I'll just reformat.
     
  7. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    It sounds as if you have lost administrative access under the account you are normally running.

    Login as the Admin account in Safe Mode or in Windows if you can access it, go to the Control Panel and user accounts. Does it list your normal account as a computer administrator?
     
  8. American Zombie

    American Zombie Moderator Staff Member Political User

    Messages:
    2,931
    Location:
    Seattle
    Task Manager can be restored by downloading then running this file.

    Enable Task Manager

    As for the Run command not being there, you may be able to restore it through Taskbar and Start Menu Properties.

    Right-Click Taskbar > Properties > Start Menu tab > Customize > Advanced

    Another way is to just Right-Click the Start button then select properties.

    Scroll down through the list of "Start menu items" to the "Run command" option then make sure it has a checkmark next to it.
     
  9. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    That file is the same key he already entered and apparently it didn't work for him.

    It seems to me as if he's trapped in some sort of low privilege mode, probably as a standard user.
     
  10. American Zombie

    American Zombie Moderator Staff Member Political User

    Messages:
    2,931
    Location:
    Seattle
    Going into the admin account in safe mode would not work as the keys for current user (HKCU) will be the admin account and not his user account.

    If you do not believe me then go into safe mode and log into the administrator account and see if any software you have installed is listed under HKCU.
     
  11. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    I may have mis-stated my point.

    I understand that HKCU is related only to the logged in user, I was just simply pointing out that he already did that entry which you applied. But, providing the .REG file you applied should allow him to double-click and run under his profile. I have a feeling it will get denied though as it seems he doesn't have access to anything.
     
  12. Shamus MacNoob

    Shamus MacNoob Moderator Political User

    Messages:
    4,199
    Location:
    L'Ile Perrot Quebec
    Looks more like a case of MMC and someone locking down the PC like I do at work.
     
  13. Shamus MacNoob

    Shamus MacNoob Moderator Political User

    Messages:
    4,199
    Location:
    L'Ile Perrot Quebec
    What did you use to get rid of this Trojan? What was it called? I would like to research the Trojan; it sounds like I should know this one by name and the exact way to rid a computer of it. So, seeing as you were able to identify it and remove it, can you share the process? Thanks.
     
  14. CrashGate3

    CrashGate3 OSNN Junior Addict

    Messages:
    24
    Did it manually.

    I used 3DMark 06 to get a list of running processes and found one called Nero7_Keymaker.exe - kind of suspicious as I neither use nor have ever used Nero, one that needed a keygen or otherwise. :laugh:

    I went into the admin account, where the search still worked, and searched for anything with 'Nero' in the name. It found 4 files with Nero7_keymaker in the name - one, the exe in Program Files\Messenger, and 3 others in Windows\Prefetch. Deleted them all and the exe stopped autorunning on startup, the popups stopped immediately and certain programs like Ad-Aware and bizarrely, Notepad, that would close a few seconds after being opened began behaving normally again.

    Unfortunately as you can see, I was left with some fallout - I'm guessing the locked things were due to it messing with the registry rather than anything the exe was doing.

    I reformatted in the end.
     
  15. MYcomputerisscrewed

    MYcomputerisscrewed OSNN One Post Wonder

    Messages:
    4
    Hi, I have the exact same virus - no task manager, no run command etc... I want to do a complete restore of my system, wiping everything, to make sure it's completely gone, but it seems to have deleted this option - when the computer is starting up I can press F1 etc. and see most of the options, but the option to completely wipe my PC has gone - any idea how I can get past the virus to do this?

    Thanks
     
  16. Electronic Punk

    Electronic Punk Administrator Staff Member Political User Folding Team

    Messages:
    18,590
    Location:
    Copenhagen, Denmark
  17. MYcomputerisscrewed

    MYcomputerisscrewed OSNN One Post Wonder

    Messages:
    4
    Hi, I tried to run it - but as with Ad-Aware etc. on my PC it just closed it before it could even start up.
     
  18. MYcomputerisscrewed

    MYcomputerisscrewed OSNN One Post Wonder

    Messages:
    4
    Ah, one sec, I found a link on that site about it - OK, it closes as if it were the CoolWebSearch issue mentioned on that site - I downloaded the fix but it says CWS hasn't been found!
     
  19. MYcomputerisscrewed

    MYcomputerisscrewed OSNN One Post Wonder

    Messages:
    4
    Hey, I managed to get HijackThis to do a scan in safe mode.

    Logfile of HijackThis v1.99.1
    Scan saved at 16:05:11, on 31/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\RossThinkpad\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwcache.sns.york.ac.uk:8080
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qqhxkjl.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
    O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\system32\NILaunch.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [rmalt] C:\Program Files\Messengers\Setup.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
    O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.mmohsix.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/york/support/plugins/ebraryRdr.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146073884455
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A7E71C93-A6C2-4827-87C9-928F8F9346FD}: NameServer = 195.92.195.94
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
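    A triage script for a HijackThis log of the kind posted above, added here as an example; it is not part of the thread and not part of HijackThis itself. It parses a constructed subset of log lines (same shape as the posted log, not a copy of it) and reports the indicators a responder would look at first: an extra executable chained onto the UserInit value (F2), a DisableRegedit policy (O7), Internet Explorer restrictions (O6), trusted-zone additions (O15), and an installer-named binary persisting through a Run key (O4). The O4 rule is a heuristic chosen for this example, not a HijackThis rule; SAMPLE_LOG, the Finding class and the function names are all assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines with the same shape as the log in the
# post above (not a copy of the full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qqhxkjl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [rmalt] C:\Program Files\Messengers\Setup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    section: str   # HijackThis section code such as "F2" or "O7"
    detail: str


ENTRY_RE = re.compile(r"^(?P<section>[FOR]\d+) - (?P<body>.*)$")
EXE_RE = re.compile(r'"?([^"]+?\.exe)', re.IGNORECASE)
# Heuristic chosen for this example: an installer-named binary that autoruns on
# every boot is unusual and worth a look.
GENERIC_INSTALLER_NAMES = {"setup.exe", "install.exe"}


def parse_entries(log_text):
    """Yield (section, body) for each HijackThis entry line, skipping the header."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def userinit_extras(body):
    """Programs chained onto UserInit after the stock userinit.exe entry.

    The stock value ends in a trailing comma, so an empty last element is normal;
    any other non-empty element after userinit.exe is an extra program.
    """
    _, _, value = body.partition("UserInit=")
    parts = [p.strip() for p in value.split(",")]
    return [p for p in parts[1:] if p]


def run_target_basename(body):
    """Lower-cased executable name from an O4 Run entry, or "" if none is found."""
    _, _, rest = body.partition("] ")
    m = EXE_RE.search(rest)
    if not m:
        return ""
    return m.group(1).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return findings, in log order, for the indicators discussed in the thread."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "F2" and "UserInit=" in body:
            for extra in userinit_extras(body):
                findings.append(Finding("high", "F2", f"extra program chained onto UserInit: {extra}"))
        elif section == "O7":
            findings.append(Finding("high", "O7", f"registry editing restricted by policy: {body}"))
        elif section == "O6":
            findings.append(Finding("medium", "O6", "Internet Explorer restrictions policy present"))
        elif section == "O15":
            findings.append(Finding("medium", "O15", f"trusted zone entry: {body.partition(': ')[2]}"))
        elif section == "O4" and run_target_basename(body) in GENERIC_INSTALLER_NAMES:
            findings.append(Finding("medium", "O4", f"installer-named binary set to autorun: {body}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.detail}")
```

    Run on the sample it reports the chained UserInit program, the Setup.exe autorun from the Messengers directory, the IE restrictions, the DisableRegedit policy and both trusted-zone entries, while the Synaptics and ctfmon autoruns and the iPod service pass through untouched. The F2 check is the one to trust most: a second program on the UserInit line runs at every logon before the shell, which is exactly the kind of persistence that keeps re-applying policy lock-downs after they have been undone.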
     
  20. sparky1477

    sparky1477 OSNN One Post Wonder

    Messages:
    2
    OK guys, this one pissed me off so I had to take it out :). Below are instructions that fixed this for me.

    1) Reboot your machine into safe mode.

    2) Since I could not use the Run command, go to C:\WINDOWS\PCHealth\HelpCtr\Binaries and run msconfig. This will allow you to remove the .exe from the registry so that when you reboot it won't run. Also remove the Messengers directory under C:\Program Files (not the Messenger directory).

    3) Once in safe mode go to Control Panel | Administrative Tools | Computer Management. Once there, create a new user and call it whatever you want, give it a password, and make sure to add it to the Administrators group.

    4) Boot your machine normally. Once in Windows go to C:\windows, find regedit.exe, hold down Shift, right-click regedit.exe and select Run as. Choose "The following user" and enter the information for the user you created in safe mode.

    5) This should allow you to run regedit and actually edit the registry.

    6) Go to [HKEY_USERS\S-1-5-21-448539723-790525478-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Policies\]

    The S-1-5-21-448539723-790525478-1801674531-1003 portion will be different on your machine, but the number will be similar in length. There will be a key similar to this for every user on your machine. Once you've found Policies, remove System. Highlight Explorer, in the right pane remove all values except NoDriveTypeAutoRun, and reboot.

    7) Make sure you clean up the registry and remove the nero7_keymaker.exe entries so that it doesn't change your registry back. Using Run and typing msconfig will allow you to change this.

    Questions, comments, or need help? Send me an email.
     
    Last edited: Aug 6, 2006
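    Posts 10, 11 and the procedure above turn on one point: HKCU is the hive of whoever is logged in, so a fix applied from the admin account in safe mode lands in the wrong profile unless the affected profile is addressed through HKEY_USERS\<SID>. The Python below is an added example, not anything posted in the thread, that builds a .reg file clearing the three policy values named in the thread (DisableTaskMgr and DisableRegedit under Policies\System, NoRun under Policies\Explorer) for either HKEY_CURRENT_USER or HKEY_USERS\<SID>. The SID in the usage is the one quoted in the post above; the function names and the SID pattern check are assumptions of this example.

```python
import re

# Policy values the thread reports being set, keyed by the Policies subkey each
# lives in (DisableTaskMgr and DisableRegedit under System, NoRun under Explorer).
POLICY_VALUES = {
    "System": ("DisableTaskMgr", "DisableRegedit"),
    "Explorer": ("NoRun",),
}
POLICIES_PATH = r"Software\Microsoft\Windows\CurrentVersion\Policies"

# A user account SID has the shape S-1-5-21-<three sub-authorities>-<RID>;
# well-known SIDs such as S-1-5-18 (LocalSystem) are deliberately rejected.
USER_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def hive_root(sid=None):
    """Registry root under which the affected user's policy keys are reached.

    HKEY_CURRENT_USER is only right when the .reg file is applied while logged
    in as the affected user. From any other account (the safe-mode admin in the
    thread, for instance) the same keys live under HKEY_USERS\\<SID>.
    """
    if sid is None:
        return "HKEY_CURRENT_USER"
    if not USER_SID_RE.match(sid):
        raise ValueError(f"not a user account SID: {sid!r}")
    return rf"HKEY_USERS\{sid}"


def build_reset_reg(sid=None, delete=False):
    """Return .reg file text that clears the policy values in POLICY_VALUES.

    delete=True writes "Name"=- (remove the value), which is how a machine that
    never had the policy looks; delete=False writes dword:00000000 instead.
    Only the named values are touched, so other values under Explorer, such as
    NoDriveTypeAutoRun, are left alone.
    """
    root = hive_root(sid)
    setting = "-" if delete else "dword:00000000"
    lines = ["Windows Registry Editor Version 5.00", ""]
    for subkey, names in POLICY_VALUES.items():
        lines.append(f"[{root}\\{POLICIES_PATH}\\{subkey}]")
        lines.extend(f'"{name}"={setting}' for name in names)
        lines.append("")
    return "\r\n".join(lines)  # CRLF, the usual line ending for .reg files


if __name__ == "__main__":
    # SID quoted in the post above; substitute the affected profile's own SID.
    print(build_reset_reg("S-1-5-21-448539723-790525478-1801674531-1003", delete=True))
```

    Save the output with a .reg extension and apply it from an account that can still run regedit (the fresh administrator created in the procedure above, for example); with no SID argument the file targets HKEY_CURRENT_USER and must be double-clicked as the affected user, which is the case post 11 describes. Removing the values rather than the System key as a whole keeps any legitimate policy the machine's owner set, and it does nothing about the program that applied the restrictions, so the autorun and UserInit clean-up in the procedure above still has to happen first or the values come straight back.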