Task Manager Blocked

I am using a Vista operating system and I’ve recently found out that I cannot access my Task Manager. I have tried every way of opening Task Manager that I am aware of but all I get is “Task Manager has been disabled by your administrator”.

I have downloaded your Avast anti virus software to see if there are any viruses that are on my system but all I found was false positives such as Track Mania decompression bombs and the Norton anti virus updater. I’ve found out that other antivirus software clashes with each other on the same system, which may be causing these problems. The results of the scan came back with nothing else apart from these two problems, but there were some files that couldn’t be scanned due to the files being password protected. I’m worried that these files may be infected.

I’m also worried there may be an undetectable exe posing as a system file behind the scenes and I would like some advice on what to do.

Thank you. :slight_smile:

A malware behavior… run a full avast scan.
To correct that:
http://windowsxp.mvps.org/Taskmanager_error.htm or
http://support.microsoft.com/?scid=kb%3Ben-us%3B555480&x=8&y=14 or
http://www.pchell.com/support/taskmanagerdisabled.shtml or
http://www.diskdatarecovery.net/task-manager-has-been-disabled-by-your-administrator (an automated tool)

Are you using avast side-by-side with Norton?

I have tried most of these solutions and none of them seem to work. The Run program cannot find Gpedit.msc, and regedit has also been blocked by my administrator. The rest of the solutions are not working either. I removed Norton 360 about a year ago but some files were left on my system, such as updaters and system checks. These were still installed when I installed Avast Anti-virus software. Also I have already done a full system scan with Avast and it didn’t find anything, just files that cannot be scanned due to password protection.

Who is your administrator? Is this a computer used at home?
You should run the Norton Removal Tool (run as administrator) as it could be contributing to or even causing the problem.
Software conflicts can be a pain to investigate.
Or it could indeed be malware related. You might get a better idea after running the tool.
(FYI, the same tool is available at the Symantec site. It’s not just someone’s answer to remove Norton. It’s official.)

By the way, a file unable to be scanned because of password protection is not necessarily a threat (and most often it is OK); the original path/name/location of the file can be seen if the report page is maximized and the headers moved as required. Often you will see such files in system restore points (System Volume Information) - normal - the computer has encrypted them. Or in the quarantine of some other application, such as Spybot. Those examples are common, and nothing to worry about.

It’s a home computer and I am currently set to administrator. I have installed the Norton Remove Tool and have successfully removed Norton from my computer but the problem still remains as I still cannot access Task Manager. Is this being caused by malware then if Norton wasn’t behind it?

Some malware does block some actions to make it harder for you to remove them, so it would be worth trying some other scans.

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them anyway. - See http://en.wikipedia.org/wiki/HTTP_cookie.

First try this: do a search for Taskmgr.exe (it should be in the system32 folder). It is possible that this run command is intercepted, but if you copy the file when found to a temporary location (C:\ will do for now) and rename it taskmgr1.exe, double clicking that would get around any intercept based on the taskmgr.exe name.

I downloaded and installed MalwareBytes anti-virus software and it found several threats which have been successfully removed from my system and I can now access task manager again.

Thank you very much for everyone’s help.
;D ;D

You’re welcome.

However, we asked for the log to be posted as it gives an idea what has been going on in your system, as we may need to suggest other options.

Don’t stop short, continue with the other program that was also suggested.

Do you have C:\Windows\System32\Taskmgr.exe file?
If you upload it to www.virustotal.com will it return clean?

Below are my scan results from MalwareBytes Anti-Virus and www.virustotal.com
I will post a log of SUPERAntiSpyware once it’s completed the scan.
Would you like a scan log from Avast as well?

MalwareByte Anti-Virus Results

Malwarebytes’ Anti-Malware 1.39
Database version: 2451
Windows 6.0.6001 Service Pack 1

17/07/2009 18:06:51
mbam-log-2009-07-17 (18-06-51).txt

Scan type: Full Scan (C:|D:|)
Objects scanned: 302994
Time elapsed: 1 hour(s), 32 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{013dfa9d-4a04-4907-b043-46bde4b090e6} (Trojan.Banker) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{013dfa9d-4a04-4907-b043-46bde4b090e6} (Trojan.Banker) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{013dfa9d-4a04-4907-b043-46bde4b090e6} (Trojan.Banker) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\conquer 2.0\log\5102-5128.exe (Spyware.Banker) → Quarantined and deleted successfully.
C:\Windows\System32\inform.dat (Malware.Trace) → Quarantined and deleted successfully.

www.virustotal.com results

File taskmgr.exe received on 2009.07.18 15:36:32 (UTC)
Antivirus Version Last Update Result
AhnLab-V3 5.0.0.2 2009.07.18 -
AntiVir 7.9.0.220 2009.07.17 -
Antiy-AVL 2.0.3.7 2009.07.17 -
Authentium 5.1.2.4 2009.07.18 -
Avast 4.8.1335.0 2009.07.17 -
AVG 8.5.0.387 2009.07.18 -
BitDefender 7.2 2009.07.18 -
CAT-QuickHeal 10.00 2009.07.17 -
ClamAV 0.94.1 2009.07.18 -
Comodo 1692 2009.07.18 -
DrWeb 5.0.0.12182 2009.07.18 -
eSafe 7.0.17.0 2009.07.16 -
eTrust-Vet 31.6.6623 2009.07.18 -
F-Prot 4.4.4.56 2009.07.17 -
F-Secure 8.0.14470.0 2009.07.18 -
Fortinet 3.120.0.0 2009.07.18 -
GData 19 2009.07.18 -
Ikarus T3.1.1.64.0 2009.07.18 -
Jiangmin 11.0.800 2009.07.18 -
K7AntiVirus 7.10.796 2009.07.18 -
Kaspersky 7.0.0.125 2009.07.18 -
McAfee 5679 2009.07.17 -
McAfee+Artemis 5679 2009.07.17 -
McAfee-GW-Edition 6.8.5 2009.07.18 -
Microsoft 1.4803 2009.07.18 -
NOD32 4256 2009.07.18 -
Norman 6.01.09 2009.07.17 -
nProtect 2009.1.8.0 2009.07.18 -
Panda 10.0.0.14 2009.07.17 -
PCTools 4.4.2.0 2009.07.18 -
Prevx 3.0 2009.07.18 -
Rising 21.38.52.00 2009.07.18 -
Sophos 4.43.0 2009.07.18 -
Sunbelt 3.2.1858.2 2009.07.18 -
Symantec 1.4.4.12 2009.07.18 -
TheHacker 6.3.4.3.370 2009.07.17 -
TrendMicro 8.950.0.1094 2009.07.18 -
VBA32 3.12.10.8 2009.07.17 -
ViRobot 2009.7.17.1841 2009.07.17 -
VirusBuster 4.6.5.0 2009.07.16 -
Additional information
File size: 163840 bytes
MD5…: ef8ae178fae3c5f97e383753eb1df3ba
SHA1…: 3905028a10cf6227d4ef827b64df59283bc31a83
SHA256: db9f21389fd7454a16d68a555d8c573a2e9bb4551f4f1c43cb3791a15348bbd2
ssdeep: 3072:rKgL/cXwFt+miwpeK272MWtwVHu3/JeZj:mgL/6wFt+n7Q+pZ

PEiD…: -
TrID…: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xa31d
timedatestamp…: 0x47918e94 (Sat Jan 19 05:45:56 2008)
machinetype…: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x18b98 0x18c00 6.45 5112828ef8afbb496c098df629049143
.data 0x1a000 0x1c44 0x1a00 0.90 6a1e6ebb59baeac6e98584f8b53e0805
.rsrc 0x1c000 0xbbe8 0xbc00 4.93 f33628dbad91e613ba1596481f04ff72
.reloc 0x28000 0x1894 0x1a00 6.65 be99cca93b2730b82eb7ea73c1d28348

( 14 imports )
> ADVAPI32.dll: RegCloseKey, RegSetValueExW, RegCreateKeyExW, RegQueryValueExW, RegOpenKeyExW, SetTokenInformation, OpenProcessToken, LookupAccountSidW, CreateWellKnownSid, IsValidSid, GetTokenInformation, EnumServicesStatusExW, CloseServiceHandle, QueryServiceConfigW, OpenServiceW, StartServiceW, OpenSCManagerW, ControlService, LookupPrivilegeValueW, AdjustTokenPrivileges, OpenThreadToken
> KERNEL32.dll: LoadLibraryA, InterlockedCompareExchange, FreeLibrary, GetProcAddress, Sleep, GetComputerNameW, SetEvent, lstrcmpW, QueueUserWorkItem, GetThreadTimes, lstrlenA, MultiByteToWideChar, GetTempPathW, IsWow64Process, CreateFileW, HeapAlloc, GetProcessHeap, DuplicateHandle, HeapFree, GetCurrentDirectoryW, GetVersionExW, lstrcmpiW, GetLastError, GetProcessAffinityMask, SetProcessAffinityMask, GetTimeFormatW, GetModuleFileNameW, QueryFullProcessImageNameW, GetExitCodeThread, OpenProcess, GetPriorityClass, ReadProcessMemory, GetTickCount, lstrlenW, CompareStringW, GetNumberFormatW, GetLocaleInfoW, HeapSize, HeapReAlloc, LocalFree, LocalAlloc, FormatMessageW, HeapSetInformation, SetPriorityClass, CreateMutexW, GetCurrentProcessId, ProcessIdToSessionId, DeviceIoControl, SetLastError, GetCurrentThread, FindResourceExW, LoadResource, LockResource, UnhandledExceptionFilter, GetSystemTimeAsFileTime, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, GetStartupInfoW, InterlockedExchange, DelayLoadFailureHook, TerminateProcess, GetCurrentProcess, GetCurrentThreadId, CloseHandle, CreateProcessW, ExpandEnvironmentStringsW, WaitForSingleObject, SetProcessShutdownParameters, CreateThread, CreateEventW, ReleaseMutex
> GDI32.dll: CreateDIBSection, CreatePen, GetStockObject, CreateRectRgn, CreateSolidBrush, GetTextExtentPoint32W, CreateFontIndirectW, GetCharWidth32W, CreateCompatibleBitmap, Rectangle, SetBkMode, SetTextColor, CreateCompatibleDC, DeleteDC, GetCurrentObject, GetObjectW, BitBlt, SelectObject, MoveToEx, LineTo, GetDeviceCaps, DeleteObject
> USER32.dll: SetMenuDefaultItem, EnumWindowStationsW, ShowWindowAsync, SetThreadDesktop, EndTask, GetGuiResources, PostMessageW, CharLowerBuffW, IsDlgButtonChecked, GetWindowTextW, CheckDlgButton, EnableWindow, TrackPopupMenuEx, SetDlgItemTextW, SetScrollInfo, DialogBoxParamW, EndDialog, GetScrollInfo, SetScrollPos, GhostWindowFromHungWindow, HungWindowFromGhostWindow, ReleaseDC, SystemParametersInfoW, GetWindowLongW, SetWindowLongW, CallWindowProcW, DefWindowProcW, LoadCursorW, SetCursor, GetDC, GetWindowTextLengthW, PeekMessageW, GetCursorPos, OpenWindowStationW, GetProcessWindowStation, GetDlgCtrlID, InvalidateRect, UpdateWindow, CreateWindowExW, DrawTextW, FillRect, ChangeWindowMessageFilter, SetProcessDPIAware, SetProcessWindowStation, FindWindowW, GetWindowThreadProcessId, AllowSetForegroundWindow, SendMessageTimeoutW, MessageBoxW, CreateDialogParamW, GetMessageW, TranslateAcceleratorW, IsDialogMessageW, TranslateMessage, DispatchMessageW, IsZoomed, PostQuitMessage, MoveWindow, MessageBeep, DestroyWindow, GetClassLongW, RegisterClassW, CloseWindowStation, EnumDesktopsW, KillTimer, GetMenuItemInfoW, GetDialogBaseUnits, GetDesktopWindow, CascadeWindows, GetLastActivePopup, GetThreadDesktop, GetSystemMetrics, GetSysColor, LoadIconW, SetTimer, EnableMenuItem, GetForegroundWindow, PostThreadMessageW, MonitorFromRect, LoadMenuW, GetSubMenu, RemoveMenu, DestroyMenu, GetKeyState, GetFocus, GetClassNameW, GetNextDlgTabItem, SetFocus, GetParent, MonitorFromPoint, GetMonitorInfoW, LoadAcceleratorsW, OpenIcon, SetForegroundWindow, LoadImageW, DestroyIcon, GetShellWindow, ShowWindow, BeginDeferWindowPos, GetWindowRect, DeferWindowPos, EndDeferWindowPos, IsIconic, BeginPaint, EndPaint, DrawEdge, GetClientRect, SetWindowPos, SetMenu, GetDlgItem, MapWindowPoints, SendMessageW, SetMenuItemInfoW, SetMenuInfo, MsgWaitForMultipleObjects, IsWindow, GetMenu, CheckMenuRadioItem, CheckMenuItem, DeleteMenu, LoadStringW, SetWindowTextW, GetClassInfoW, SwitchToThisWindow, TileWindows, 
OpenDesktopW, CloseDesktop, EnumWindows, GetWindow, IsWindowVisible, InternalGetWindowText, RegisterWindowMessageW, IsHungAppWindow, SetRect
> msvcrt.dll: _controlfp, _except_handler4_common, _terminate@@YAXXZ, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _amsg_exit, _initterm, _wcmdln, exit, _XcptFilter, _exit, _cexit, __wgetmainargs, free, wcsrchr, _wcsdup, _wcsicmp, strrchr, _i64tow_s, memcpy, _ui64tow_s, wcsstr, memmove, _ftol2, _vsnwprintf, memset
> IPHLPAPI.DLL: GetAdaptersAddresses, GetIfEntry2, NhGetInterfaceNameFromDeviceGuid
> COMCTL32.dll: ImageList_SetIconSize, ImageList_Create, ImageList_Remove, -, -, ImageList_ReplaceIcon, -, -, -, -, -, -, -, CreateStatusWindowW, HIMAGELIST_QueryInterface, ImageList_Destroy, -
> SHLWAPI.dll: -, -, PathAppendW, PathRemoveExtensionW, PathAddExtensionW, StrStrW, StrCmpIW, -, StrDupW, -, StrFormatByteSizeW, -, -
> SHELL32.dll: Shell_NotifyIconW, -, CommandLineToArgvW, -, SHParseDisplayName, SHOpenFolderAndSelectItems, -, ShellExecuteExW, ShellAboutW, -, -
> ntdll.dll: NtSetInformationFile, NtOpenProcessToken, NtQueryInformationToken, RtlInitializeCriticalSection, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, NtOpenThread, NtClose, RtlTimeToElapsedTimeFields, NtOpenThreadToken, NtQueryInformationProcess, RtlInitUnicodeString, RtlNtStatusToDosError, NtQuerySystemInformation, WinSqmAddToStream, NtOpenFile
> Secur32.dll: GetUserNameExW
> UxTheme.dll: SetWindowTheme
> wevtapi.dll: EvtSubscribe, EvtClose
> VDMDBG.dll: VDMTerminateTaskWOW, VDMEnumTaskWOWEx

( 0 exports )

PDFiD.: -
RDS…: NSRL Reference Data Set

ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=ef8ae178fae3c5f97e383753eb1df3ba

Seems to be clean… The problem could be on registry.

@ Kimiteshu
Which file did you upload to virustotal ?

Files Infected:
c:\program files\conquer 2.0\log\5102-5128.exe (Spyware.Banker) → Quarantined and deleted successfully.
It would have been nice if we could have sent a sample of this to avast to help improve detections, though that would entail restoring it from the MBAM Quarantine, which I’m loath to do.

C:\Windows\System32\inform.dat (Malware.Trace) → Quarantined and deleted successfully.
This one, as the name implies, is a trace of an infection, as .dat files in their own right aren’t malicious (perhaps why nothing was detected in VT if this is the one you uploaded) but contain data and/or instructions for associated malware. In this case it may be data gathered by something like the Spyware.Banker.

So if you do any on-line banking I would recommend that you change your password (to a strong one) and probably change any other passwords with any security implications.

The registry entries you mentioned in your earlier post were what blocked the Task Manager and other registry tools.

I uploaded Task Manager, sorry I forgot to add the finished status to the log as well.

The log below had the same result as the first time I scanned it with virustotal.

File taskmgr.exe received on 2009.07.18 16:31:40 (UTC)
Current status: finished
Result: 0/41 (0%)

Are there any other scans you would like me to do that can help avast with their research?

I am currently doing a SUPERAntiSpyware and avast scan that can be added on here as well if you wish.

Well, I didn’t think the taskmgr.exe was infected, but blocked/intercepted as I mentioned earlier, which would account for it not being found to be infected by VT.

If you can’t open a clean task manager executable, I think the problem is on the registry.

Try going to Kellys-Corner, downloading number 51 right, and running it.
If no luck, try number 113 left.
Caveat: I’ve not tried these particular fixes, have had no need, but have read good things about the site, and used some other fixes.
These files (or one of them), when run, will add/modify registry entries, which should re-enable the Task Manager.
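For anyone hitting the same symptom later, the MBAM log in this thread shows exactly which values did the blocking: DisableTaskMgr and DisableRegistryTools under HKCU\...\Policies\System, both set to 1. The script below is an added example written for this thread; it is not from Kellys-Corner, Malwarebytes or avast. It audits those two values in both the HKCU and HKLM policy keys and, only when run with the -Remediate switch (a switch the script itself defines), removes any non-zero value it finds. It assumes Windows PowerShell 2.0 or later running from an elevated prompt.

```powershell
# Added example (not code from the forum thread or from any tool it names):
# audit, and optionally clear, the policy values that disable Task Manager
# and the Registry Editor. Run from an elevated PowerShell prompt.
# -Remediate is a switch defined here; without it the script only reports.
param(
    [switch]$Remediate
)

# Both hives can carry this policy; HKCU is where the MBAM log found it.
$policyKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
# The two value names reported as Hijack.TaskManager / Hijack.Regedit.
$valueNames = @('DisableTaskMgr', 'DisableRegistryTools')

foreach ($key in $policyKeys) {
    if (-not (Test-Path -Path $key)) {
        Write-Output "$key : key absent (no policy set here)"
        continue
    }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $valueNames) {
        $prop = $props.PSObject.Properties[$name]
        if ($null -eq $prop) {
            Write-Output "$key\$name : not set"
            continue
        }
        if ($prop.Value -ne 0) {
            # A non-zero value is what produces "disabled by your administrator".
            Write-Warning "$key\$name = $($prop.Value) (tool is blocked)"
            if ($Remediate) {
                Remove-ItemProperty -Path $key -Name $name
                Write-Output "  removed $name from $key"
            }
        } else {
            Write-Output "$key\$name = 0 (not blocking)"
        }
    }
}
```

Two caveats match what happened in the thread. On a home machine with no group policy in play, a non-zero value here that nobody set is an indicator worth investigating rather than just deleting, so run the scans first: malware that is still running will simply write the value back, which is why the poster only regained Task Manager after MBAM removed the infection. On a domain-joined machine the same values can be set legitimately by Group Policy and will be re-applied at the next refresh, so the report-only run is the right first step there.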