Locked Task manager

CrashGate3

OSNN Junior Addict
Joined
20 Mar 2006
Messages
24
Recently I've been the victim of a trojan which kept opening popups all over the place as well as disabling Explorer's search function and locking the task manager to protect itself.

I think I've got rid of the trojan (the popups have stopped and it no longer keeps requesting to connect to the net when I'm offline) but the Task manager is still 'locked by my administrator' and the search function still does nothing.

Any advice?
 
Start > Run > type 'regedit'

Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
Name: DisableTaskMgr
Type: REG_DWORD
Value: 1 = enable this key, that is, DISABLE Task Manager
Value: 0 = disable this key, that is, don't disable (enable) Task Manager

I've had this issue before with spyware/trojans, this should fix it.
 
:(

It's got rid of the run option on my start menu too.

I tried it with a command prompt and was told that registry editing is disabled too. :(

I've just dropped to the Admin account in safe mode and ran regedit from there, but there's no Software\Microsoft\Windows\CurrentVersion\Policies\System key. The path goes up to Software\Microsoft\Windows\CurrentVersion\Policies and then just has an 'explorer' folder - no System one. Do I just add the System key?
 
If you don't have the run option, you could always do Windows Key + R which will bring up the Run Dialog - that may be worth a shot.

The SYSTEM key may not be there, it's not on my system either. But it is safe to create.

Can you post a screenshot of your particular error when trying to access Task manager?
 
[Screenshot: taskmanml3.gif]


This is what I get when I Ctrl-Alt-Del.

I went into the Admin account in safe mode (the only one that will let me at the registry), added a System key to the Policies path and added a new DWORD called DisableTaskMgr and set it to 0.

Didn't work :(


[Screenshot: restrictao4.gif]


This is what I get if I try Windows Key + R
 
It sounds as if you have lost administrative access under the account you are normally running.

Login as the Admin account in Safe Mode or in Windows if you can access it, go to the Control Panel and user accounts. Does it list your normal account as a computer administrator?
 
Task Manager can be restored by downloading then running this file.

Enable Task Manager

As far as the Run command not being you may be able to restore it through Taskbar and Start Menu Properties.

Right-Click Taskbar > Properties > Start Menu tab > Customize > Advanced

Another way is to just Right-Click the Start button then select properties.

Scroll down through the list of "Start menu items" to the "Run command" option then make sure it has a checkmark next to it.
 
That file is the same key he already entered and apparently it didn't work for him.

It seems to me as if he's trapped in some sort of low privilege mode, probably as a standard user.
 
Going into the admin account in safe mode would not work as the keys for current user (HKCU) will be the admin account and not his user account.

If you do not believe me then go into safe mode and log into the administrator account and see if any software you have installed is listed under HKCU.
 
I may have mis-stated my point.

I understand that HKCU is related only to the logged in user, I was just simply pointing out that he already did that entry which you applied. But, providing the .REG file you applied should allow him to double-click and run under his profile. I have a feeling it will get denied though as it seems he doesn't have access to anything.
 
Looks more like a case of MMC and someone locking down the PC like I do at work.
 
Recently I've been the victim of a trojan which kept opening popups all over the place as well as disabling Explorer's search function and locking the task manager to protect itself.

I think I've got rid of the trojan (the popups have stopped and it no longer keeps requesting to connect to the net when I'm offline) but the Task manager is still 'locked by my administrator' and the search function still does nothing.

Any advice?

What did you use to get rid of this Trojan? What was it called ... I would like to research the Trojan sounds like I should know this one by name and the exact way to rid a computer of it, so seeing as you were able to identify it and remove can you share the process .. thanks.
 
Did it manually.

I used 3DMark 06 to get a list of running processes and found one called Nero7_Keymaker.exe - kind of suspicious as I neither use nor have ever used Nero, one that needed a keygen or otherwise.

I went into the admin account, where the search still worked, and searched for anything with 'Nero' in the name. It found 4 files with Nero7_keymaker in the name - one, the exe in Program Files\Messenger, and 3 others in Windows\Prefetch. Deleted them all and the exe stopped autorunning on startup, the popups stopped immediately and certain programs like Ad-Aware and bizarrely, Notepad, that would close a few seconds after being opened began behaving normally again.

Unfortunately as you can see, I was left with some fallout - I'm guessing the locked things were due to it messing with the registry rather than anything the exe was doing.

I reformatted in the end.
 
Hi, I have the exact same virus - no task manager, no run command etc... I want to do a complete restore of my system wiping everything to make sure it's completely gone but it seems to have deleted this option - when the computer is starting up I can press F1 etc and see most of the options but the option to completely wipe my PC has gone - any idea how I can get past the virus to do this?

Thanks
 
Hi, I tried to run it - but as with Ad-Aware etc on my PC it just closed it before it could even start up.
 
Ah, one sec, I found a link on that site about it - ok, it closes as if it were the CoolWebSearch issue mentioned on that site - I downloaded the fix but it says CWS hasn't been found!
 
Hey, I managed to get HijackThis to do a scan in safe mode

Logfile of HijackThis v1.99.1
Scan saved at 16:05:11, on 31/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\RossThinkpad\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwcache.sns.york.ac.uk:8080
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qqhxkjl.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\system32\NILaunch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [rmalt] C:\Program Files\Messengers\Setup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/york/support/plugins/ebraryRdr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146073884455
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7E71C93-A6C2-4827-87C9-928F8F9346FD}: NameServer = 195.92.195.94
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
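The log above carries the indicators that match the lockdown described in this thread: the F2 UserInit line has a second executable appended after userinit.exe (Winlogon runs every comma-separated entry there), the O7 line is the regedit policy restriction, O6 is an Internet Explorer restrictions policy, and several O15 trusted-zone entries point at adware domains. The following script is an added example, not HijackThis code or anything posted in the thread: it parses HijackThis v1.99-style lines and flags those sections, using a constructed excerpt of the log above as input. The section codes and line layouts are HijackThis's own; the severity labels and the WATCH_LIST substrings (taken from the file and directory names this thread identified) are this script's conventions.

```python
"""Flag the policy-lockdown and persistence indicators in a HijackThis log."""
import re
from dataclasses import dataclass

# Constructed excerpt of the log posted in this thread, trimmed to the lines that matter.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,qqhxkjl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [rmalt] C:\Program Files\Messengers\Setup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7E71C93-A6C2-4827-87C9-928F8F9346FD}: NameServer = 195.92.195.94
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Case-insensitive substrings of Run-key targets this thread tied to the infection.
WATCH_LIST = ("nero7_keymaker", "\\messengers\\")

LINE_RE = re.compile(r"^([FOR]\d+) - (.*)$")


@dataclass
class Finding:
    severity: str   # "high" = lockdown or persistence; "review" = check by hand
    section: str    # HijackThis section code, e.g. "O7"
    reason: str
    line: str


def triage(log_text, watch_list=WATCH_LIST):
    """Return the suspicious lines of a HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "F2" and "UserInit=" in body:
            # Winlogon starts every entry in this list; only userinit.exe belongs here.
            entries = [e.strip() for e in body.split("UserInit=", 1)[1].split(",") if e.strip()]
            extra = [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]
            if extra:
                findings.append(Finding("high", section, f"extra Userinit entries: {extra}", raw))
        elif section == "O4":
            # "[name] target" -> compare the target path against the watch list
            target = body.split("]", 1)[-1].strip().strip('"').lower()
            hits = [w for w in watch_list if w.lower() in target]
            if hits:
                findings.append(Finding("high", section, f"Run entry matches watch list {hits}", raw))
        elif section == "O6":
            findings.append(Finding("high", section, "Internet Explorer restrictions policy present", raw))
        elif section == "O7":
            findings.append(Finding("high", section, "Windows policy restriction: " + body.split(", ", 1)[-1], raw))
        elif section == "O15":
            findings.append(Finding("review", section, "trusted-zone entry: " + body.split(": ", 1)[-1], raw))
        elif section == "O17":
            findings.append(Finding("review", section, "DNS server set by hand: " + body.split("= ", 1)[-1], raw))
    return findings


def count_by_severity(findings):
    """Summary counts, e.g. {'high': 4, 'review': 3}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}")
    print(count_by_severity(triage(SAMPLE_LOG)))
```

The O15 and O17 lines are only marked for review: a trusted-zone entry or a static DNS server can be legitimate, but in a log from a machine with the O7 policy restriction present they are worth checking against what the user actually configured.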
 
Ok guys, this one pissed me off so I had to take it out :). Below are instructions that fixed this for me.

1) Reboot your machine into safe mode

2) Since I could not use the run command go to C:\WINDOWS\PCHealth\HelpCtr\Binaries and run msconfig, this will allow you to remove the .exe from the registry so that when you reboot it won't run, also remove the Messengers directory under C:\Program Files (not the messenger directory)

3) Once in safe mode go to Control Panel | Administrative Tools | Computer Management | once there create a new user and call it whatever you want, give it a password, and make sure to add it to the Administrators group.

4) Boot your machine normally, once in windows go to C:\windows, find regedit.exe, hold down shift and right click regedit.exe and select Run as. Choose The Following User and enter the information for the user you created in safe mode.

5) This should allow you to run regedit and actually edit the registry.

6) Go to [HKEY_USERS\S-1-5-21-448539723-790525478-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Policies\]

The S-1-5-21-448539723-790525478-1801674531-1003 portion will be different on your machine but the number will be similar in length. There will be a key similar to this for every user on your machine. Once you found policies remove system. Highlight explorer, in the right pane remove all keys except NoDriveTypeAutoRun and reboot.

7) Make sure you clean up the registry and remove the nero7_keymaker.exe entries so that it doesn't change your registry back. Using Run and typing msconfig will allow you to change this.

Questions or comments or need help send me an email.
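The thread's fix comes down to deleting a handful of per-user policy values, either in the affected account's own HKEY_CURRENT_USER or, from an administrator account, under that account's SID in HKEY_USERS. The script below is an added example, not code from the thread: it audits those values, reports which ones are set to a restricting value, and deletes them only when asked. POLICY_ROOT and the value names (DisableTaskMgr, DisableRegistryTools, NoRun, NoFind) are the documented Windows policy locations; the "non-zero means restricted" rule, the KEEP set, and the hypothetical file name fix_policies.py are this script's own. read_policies() and remove_values() need Windows (the winreg module); plan_cleanup() is pure logic and runs anywhere.

```python
"""Audit, and optionally clear, the per-user policy values that lock Task Manager,
Regedit, Run and Search. Added example; usage: python fix_policies.py [--apply] [SID]"""
import sys

POLICY_ROOT = r"Software\Microsoft\Windows\CurrentVersion\Policies"

# Policy values (relative to POLICY_ROOT) that, when non-zero, disable the tools
# the thread lost: Task Manager, registry tools, the Run box and Start-menu Search.
LOCKDOWN_VALUES = {
    "System": ("DisableTaskMgr", "DisableRegistryTools"),
    "Explorer": ("NoRun", "NoFind"),
}
# Left alone even if present: it controls AutoRun, not user access, which is also
# why the post above keeps it.
KEEP = {("Explorer", "NoDriveTypeAutoRun")}


def plan_cleanup(current):
    """current maps (subkey, value_name) -> data as read from a Policies key.
    Returns the sorted (subkey, value_name) pairs set to a restricting value.
    Values already 0 are harmless and are left alone."""
    to_remove = []
    for (subkey, name), data in sorted(current.items()):
        if (subkey, name) in KEEP:
            continue
        if name in LOCKDOWN_VALUES.get(subkey, ()) and data not in (0, None):
            to_remove.append((subkey, name))
    return to_remove


def _root(user_path):
    # user_path is "" for HKEY_CURRENT_USER, or a SID such as S-1-5-21-...-1003
    # when hive is HKEY_USERS (another user's loaded hive).
    return (user_path + "\\" if user_path else "") + POLICY_ROOT


def read_policies(hive, user_path=""):
    """Read the lockdown values under <hive>\\<user_path>\\Policies. Windows only."""
    import winreg
    found = {}
    for subkey, names in LOCKDOWN_VALUES.items():
        try:
            key = winreg.OpenKey(hive, _root(user_path) + "\\" + subkey)
        except FileNotFoundError:
            continue  # the System subkey is normally absent on a clean home PC
        with key:
            for name in names:
                try:
                    data, _ = winreg.QueryValueEx(key, name)
                except FileNotFoundError:
                    continue
                found[(subkey, name)] = data
    return found


def remove_values(hive, pairs, user_path=""):
    """Delete the given (subkey, value_name) pairs. Windows only; writing to
    HKEY_USERS\\<SID> for another account needs an administrator token."""
    import winreg
    for subkey, name in pairs:
        with winreg.OpenKey(hive, _root(user_path) + "\\" + subkey, 0,
                            winreg.KEY_SET_VALUE) as key:
            winreg.DeleteValue(key, name)


if __name__ == "__main__":
    import winreg
    apply = "--apply" in sys.argv
    sids = [a for a in sys.argv[1:] if a.startswith("S-1-5-")]
    hive, path = (winreg.HKEY_USERS, sids[0]) if sids else (winreg.HKEY_CURRENT_USER, "")
    plan = plan_cleanup(read_policies(hive, path))
    for subkey, name in plan:
        print(f"{'removing' if apply else 'would remove'} {POLICY_ROOT}\\{subkey}\\{name}")
    if apply:
        remove_values(hive, plan, path)
```

Two caveats a practitioner would check before applying: if the values are being written by Group Policy on a domain-joined machine they will simply come back at the next policy refresh, and if the malware's own persistence (the Run entry and the Userinit addition seen in the HijackThis log) is still in place it will re-set them on the next logon, which is why the post above removes the keymaker entries first.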
 