Task Manager Blocked

[Kimiteshu]

I am using a vista operating system and i've recently found out that I cannot access my Task Manager. I have tried every way of opening Task Manager that I am aware of but all I get is "Task Manager has been disabled by your administrator".

I have downloaded your Avast anti virus software to see if there are any viruses that are on my system but all i found was false positives such as Track Mania decompression bombs and the Norton anti virus updater. I've found out that other antivirus software clashes with each other on the same system which may be causing these problems. The results of the scan came back with nothing else apart from these two problems but there were some files that couldn't be scanned due to the files being password protected. I'm worried that these files may be infected.

I'm also worried there may be an undetectable exe posing as a system file behind the scenes and I would like some advice on what to do.

Thank you.  

[Lisandro]

A malware behavior... run a full avast scanning.
To correct that:
http://windowsxp.mvps.org/Taskmanager_error.htm or
http://support.microsoft.com/?scid=kb%3Ben-us%3B555480&x=8&y=14 or
http://www.pchell.com/support/taskmanagerdisabled.shtml or
http://www.diskdatarecovery.net/task-manager-has-been-disabled-by-your-administrator (an automated tool)

Are you using avast side-by-side with Norton?

[Kimiteshu]

I have tried most of these solutions and none of them seem to work. The run program cannot find Gpedit.msc and regedit and also been blocked by my administrator. The rest of the solutions are not working also. I removed Norton 360 about a year ago but some files were left on my system such as updater's and system checks. These were still installed when i installed Avast Anti-virus software. Also I have already done a full system scan with Avast and it didn't find anything, just files that cannot be scanned due to password protection.

[Tarq57]

Who is your administrator? Is this a computer used at home?
You should run the Norton Removal Tool (run as administrator) as it could be contributing to or even causing the problem.
Software conflicts can be a pain to investigate.
Or it could indeed be malware related. You might get a better idea after running the tool.
(FYI, the same tool is available at the Symantec site. It's not just someones' answer to remove Norton. It's official.)

[Tarq57]

By the way, a file unable to be scanned because of password protection is not necessarily a threat, (and most often it is OK), the original path/name/location of the file can be seen if the report page is maximized, and the headers moved as required. Often you will see such files in system restore point (System volume information) - normal - the computer has encrypted it. Or in the quarantine of some other applications, such as Spybot. Those examples are common, and nothing to worry about.

[Kimiteshu]

It's a home computer and I am currently set to administrator. I have installed the Norton Remove Tool and have successfully removed Norton from my computer but the problem still remains as I still cannot access Task Manager. Is this being caused by malware then if Norton wasn't behind it?

[DavidR]

Some malware does block some actions to make it harder for you to remove them, so it would be worth trying some other scans.

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should product a log file).

• 1.  MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
• 2. SUPERantispyware On-Demand only in free version.

Don't worry about reported tracking cookies they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.

####
First try this, do a search for Taskmgr.exe (should be in the system32 folder), it is possible that this run command is intercepted but if you copy the file when found and copy it to a temporary location C:\ will do for now and rename it taskmgr1.exe double clicking that would get around any intercept based on the taskmgr.exe.

[Kimiteshu]

I downloaded and installed MalwareBytes anti-virus software and it found several threats which have been successfully removed from my system and I can now access task manager again.

Thank you very much for everyone's help
 

[DavidR]

You're welcome.

However, we asked for the log to be posted as it gives an idea what has been going on in your system, as we may need to suggest other options.

Don't stop short, continue with the other program that was also suggested.

[Lisandro]

Do you have C:\Windows\System32\Taskmgr.exe file?
If you upload it to www.virustotal.com will it return clean?

[Kimiteshu]

Below are my scan results from MalwareBytes Anti-Virus and www.virustotal.com
I will post a log of SUPERAntiSpyware once it's completed the scan.
Would you like a scan log from Avast as well?

MalwareByte Anti-Virus Results

Malwarebytes' Anti-Malware 1.39
Database version: 2451
Windows 6.0.6001 Service Pack 1

17/07/2009 18:06:51
mbam-log-2009-07-17 (18-06-51).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 302994
Time elapsed: 1 hour(s), 32 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{013dfa9d-4a04-4907-b043-46bde4b090e6} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{013dfa9d-4a04-4907-b043-46bde4b090e6} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{013dfa9d-4a04-4907-b043-46bde4b090e6} (Trojan.Banker) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\conquer 2.0\log\5102-5128.exe (Spyware.Banker) -> Quarantined and deleted successfully.
C:\Windows\System32\inform.dat (Malware.Trace) -> Quarantined and deleted successfully.

[Kimiteshu]

www.virustotal.com results

File taskmgr.exe received on 2009.07.18 15:36:32 (UTC)
Antivirus   Version   Last Update   Result
AhnLab-V3   5.0.0.2   2009.07.18   -
AntiVir   7.9.0.220   2009.07.17   -
Antiy-AVL   2.0.3.7   2009.07.17   -
Authentium   5.1.2.4   2009.07.18   -
Avast   4.8.1335.0   2009.07.17   -
AVG   8.5.0.387   2009.07.18   -
BitDefender   7.2   2009.07.18   -
CAT-QuickHeal   10.00   2009.07.17   -
ClamAV   0.94.1   2009.07.18   -
Comodo   1692   2009.07.18   -
DrWeb   5.0.0.12182   2009.07.18   -
eSafe   7.0.17.0   2009.07.16   -
eTrust-Vet   31.6.6623   2009.07.18   -
F-Prot   4.4.4.56   2009.07.17   -
F-Secure   8.0.14470.0   2009.07.18   -
Fortinet   3.120.0.0   2009.07.18   -
GData   19   2009.07.18   -
Ikarus   T3.1.1.64.0   2009.07.18   -
Jiangmin   11.0.800   2009.07.18   -
K7AntiVirus   7.10.796   2009.07.18   -
Kaspersky   7.0.0.125   2009.07.18   -
McAfee   5679   2009.07.17   -
McAfee+Artemis   5679   2009.07.17   -
McAfee-GW-Edition   6.8.5   2009.07.18   -
Microsoft   1.4803   2009.07.18   -
NOD32   4256   2009.07.18   -
Norman   6.01.09   2009.07.17   -
nProtect   2009.1.8.0   2009.07.18   -
Panda   10.0.0.14   2009.07.17   -
PCTools   4.4.2.0   2009.07.18   -
Prevx   3.0   2009.07.18   -
Rising   21.38.52.00   2009.07.18   -
Sophos   4.43.0   2009.07.18   -
Sunbelt   3.2.1858.2   2009.07.18   -
Symantec   1.4.4.12   2009.07.18   -
TheHacker   6.3.4.3.370   2009.07.17   -
TrendMicro   8.950.0.1094   2009.07.18   -
VBA32   3.12.10.8   2009.07.17   -
ViRobot   2009.7.17.1841   2009.07.17   -
VirusBuster   4.6.5.0   2009.07.16   -
Additional information
File size: 163840 bytes
MD5...: ef8ae178fae3c5f97e383753eb1df3ba
SHA1..: 3905028a10cf6227d4ef827b64df59283bc31a83
SHA256: db9f21389fd7454a16d68a555d8c573a2e9bb4551f4f1c43cb3791a15348bbd2
ssdeep: 3072:rKgL/cXwFt+miwpeK272MWtwVHu3/JeZj:mgL/6wFt+n7Q+pZ<br>
PEiD..: -
TrID..: File type identification<br>Win32 Executable Generic (42.3%)<br>Win32 Dynamic Link Library (generic) (37.6%)<br>Generic Win/DOS Executable (9.9%)<br>DOS Executable Generic (9.9%)<br>Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0xa31d<br>timedatestamp.....: 0x47918e94 (Sat Jan 19 05:45:56 2008)<br>machinetype.......: 0x14c (I386)<br><br>( 4 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x18b98 0x18c00 6.45 5112828ef8afbb496c098df629049143<br>.data 0x1a000 0x1c44 0x1a00 0.90 6a1e6ebb59baeac6e98584f8b53e0805<br>.rsrc 0x1c000 0xbbe8 0xbc00 4.93 f33628dbad91e613ba1596481f04ff72<br>.reloc 0x28000 0x1894 0x1a00 6.65 be99cca93b2730b82eb7ea73c1d28348<br><br>( 14 imports ) <br>&gt; ADVAPI32.dll: RegCloseKey, RegSetValueExW, RegCreateKeyExW, RegQueryValueExW, RegOpenKeyExW, SetTokenInformation, OpenProcessToken, LookupAccountSidW, CreateWellKnownSid, IsValidSid, GetTokenInformation, EnumServicesStatusExW, CloseServiceHandle, QueryServiceConfigW, OpenServiceW, StartServiceW, OpenSCManagerW, ControlService, LookupPrivilegeValueW, AdjustTokenPrivileges, OpenThreadToken<br>&gt; KERNEL32.dll: LoadLibraryA, InterlockedCompareExchange, FreeLibrary, GetProcAddress, Sleep, GetComputerNameW, SetEvent, lstrcmpW, QueueUserWorkItem, GetThreadTimes, lstrlenA, MultiByteToWideChar, GetTempPathW, IsWow64Process, CreateFileW, HeapAlloc, GetProcessHeap, DuplicateHandle, HeapFree, GetCurrentDirectoryW, GetVersionExW, lstrcmpiW, GetLastError, GetProcessAffinityMask, SetProcessAffinityMask, GetTimeFormatW, GetModuleFileNameW, QueryFullProcessImageNameW, GetExitCodeThread, OpenProcess, GetPriorityClass, ReadProcessMemory, GetTickCount, lstrlenW, CompareStringW, GetNumberFormatW, GetLocaleInfoW, HeapSize, HeapReAlloc, LocalFree, LocalAlloc, FormatMessageW, HeapSetInformation, SetPriorityClass, CreateMutexW, GetCurrentProcessId, ProcessIdToSessionId, DeviceIoControl, SetLastError, GetCurrentThread, FindResourceExW, LoadResource, LockResource, UnhandledExceptionFilter, GetSystemTimeAsFileTime, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, GetStartupInfoW, InterlockedExchange, DelayLoadFailureHook, TerminateProcess, GetCurrentProcess, GetCurrentThreadId, CloseHandle, CreateProcessW, ExpandEnvironmentStringsW, WaitForSingleObject, SetProcessShutdownParameters, CreateThread, CreateEventW, ReleaseMutex<br>&gt; GDI32.dll: CreateDIBSection, CreatePen, GetStockObject, CreateRectRgn, CreateSolidBrush, GetTextExtentPoint32W, CreateFontIndirectW, GetCharWidth32W, CreateCompatibleBitmap, Rectangle, SetBkMode, SetTextColor, CreateCompatibleDC, DeleteDC, GetCurrentObject, GetObjectW, BitBlt, SelectObject, MoveToEx, LineTo, GetDeviceCaps, DeleteObject<br>&gt; USER32.dll: SetMenuDefaultItem, EnumWindowStationsW, ShowWindowAsync, SetThreadDesktop, EndTask, GetGuiResources, PostMessageW, CharLowerBuffW, IsDlgButtonChecked, GetWindowTextW, CheckDlgButton, EnableWindow, TrackPopupMenuEx, SetDlgItemTextW, SetScrollInfo, DialogBoxParamW, EndDialog, GetScrollInfo, SetScrollPos, GhostWindowFromHungWindow, HungWindowFromGhostWindow, ReleaseDC, SystemParametersInfoW, GetWindowLongW, SetWindowLongW, CallWindowProcW, DefWindowProcW, LoadCursorW, SetCursor, GetDC, GetWindowTextLengthW, PeekMessageW, GetCursorPos, OpenWindowStationW, GetProcessWindowStation, GetDlgCtrlID, InvalidateRect, UpdateWindow, CreateWindowExW, DrawTextW, FillRect, ChangeWindowMessageFilter, SetProcessDPIAware, SetProcessWindowStation, FindWindowW, GetWindowThreadProcessId, AllowSetForegroundWindow, SendMessageTimeoutW, MessageBoxW, CreateDialogParamW, GetMessageW, TranslateAcceleratorW, IsDialogMessageW, TranslateMessage, DispatchMessageW, IsZoomed, PostQuitMessage, MoveWindow, MessageBeep, DestroyWindow, GetClassLongW, RegisterClassW, CloseWindowStation, EnumDesktopsW, KillTimer, GetMenuItemInfoW, GetDialogBaseUnits, GetDesktopWindow, CascadeWindows, GetLastActivePopup, GetThreadDesktop, GetSystemMetrics, GetSysColor, LoadIconW, SetTimer, EnableMenuItem, GetForegroundWindow, PostThreadMessageW, MonitorFromRect, LoadMenuW, GetSubMenu, RemoveMenu, DestroyMenu, GetKeyState, GetFocus, GetClassNameW, GetNextDlgTabItem, SetFocus, GetParent, MonitorFromPoint, GetMonitorInfoW, LoadAcceleratorsW, OpenIcon, SetForegroundWindow, LoadImageW, DestroyIcon, GetShellWindow, ShowWindow, BeginDeferWindowPos, GetWindowRect, DeferWindowPos, EndDeferWindowPos, IsIconic, BeginPaint, EndPaint, DrawEdge, GetClientRect, SetWindowPos, SetMenu, GetDlgItem, MapWindowPoints, SendMessageW, SetMenuItemInfoW, SetMenuInfo, MsgWaitForMultipleObjects, IsWindow, GetMenu, CheckMenuRadioItem, CheckMenuItem, DeleteMenu, LoadStringW, SetWindowTextW, GetClassInfoW, SwitchToThisWindow, TileWindows, OpenDesktopW, CloseDesktop, EnumWindows, GetWindow, IsWindowVisible, InternalGetWindowText, RegisterWindowMessageW, IsHungAppWindow, SetRect<br>&gt; msvcrt.dll: _controlfp, _except_handler4_common, _terminate@@YAXXZ, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _amsg_exit, _initterm, _wcmdln, exit, _XcptFilter, _exit, _cexit, __wgetmainargs, free, wcsrchr, _wcsdup, _wcsicmp, strrchr, _i64tow_s, memcpy, _ui64tow_s, wcsstr, memmove, _ftol2, _vsnwprintf, memset<br>&gt; IPHLPAPI.DLL: GetAdaptersAddresses, GetIfEntry2, NhGetInterfaceNameFromDeviceGuid<br>&gt; COMCTL32.dll: ImageList_SetIconSize, ImageList_Create, ImageList_Remove, -, -, ImageList_ReplaceIcon, -, -, -, -, -, -, -, CreateStatusWindowW, HIMAGELIST_QueryInterface, ImageList_Destroy, -<br>&gt; SHLWAPI.dll: -, -, PathAppendW, PathRemoveExtensionW, PathAddExtensionW, StrStrW, StrCmpIW, -, StrDupW, -, StrFormatByteSizeW, -, -<br>&gt; SHELL32.dll: Shell_NotifyIconW, -, CommandLineToArgvW, -, SHParseDisplayName, SHOpenFolderAndSelectItems, -, ShellExecuteExW, ShellAboutW, -, -<br>&gt; ntdll.dll: NtSetInformationFile, NtOpenProcessToken, NtQueryInformationToken, RtlInitializeCriticalSection, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, NtOpenThread, NtClose, RtlTimeToElapsedTimeFields, NtOpenThreadToken, NtQueryInformationProcess, RtlInitUnicodeString, RtlNtStatusToDosError, NtQuerySystemInformation, WinSqmAddToStream, NtOpenFile<br>&gt; Secur32.dll: GetUserNameExW<br>&gt; UxTheme.dll: SetWindowTheme<br>&gt; wevtapi.dll: EvtSubscribe, EvtClose<br>&gt; VDMDBG.dll: VDMTerminateTaskWOW, VDMEnumTaskWOWEx<br><br>( 0 exports ) <br>
PDFiD.: -
RDS...: NSRL Reference Data Set<br>-
ThreatExpert info: &lt;a href='http://www.threatexpert.com/report.aspx?md5=ef8ae178fae3c5f97e383753eb1df3ba' target='_blank'&gt;http://www.threatexpert.com/report.aspx?md5=ef8ae178fae3c5f97e383753eb1df3ba&lt;/a&gt;

[Lisandro]

Seems to be clean... The problem could be on registry.

[DavidR]

@ Kimiteshu
Which file did you upload to virustotal ?

Files Infected:
c:\program files\conquer 2.0\log\5102-5128.exe (Spyware.Banker) -> Quarantined and deleted successfully.
It would have been nice if we could have sent a sample of this to avast to help improve detections, though that would entail restoring it from the MBAM Quarantine, which I'm loath to do.

C:\Windows\System32\inform.dat (Malware.Trace) -> Quarantined and deleted successfully.
This one as the name implies is a trace of an infection as .dat files in their own right aren't malicious (perhaps why nothing was detected in VT if this is the one you uploaded), but contain data and or instructions for associated malware. In this case it may be data gathered by something like the spyware.banker.

So If you do any on-line banking I would recommend that you change your password (to a strong one) an probably change any other passwords with any security implications.

The registry entries as you mentioned in your earlier post was what blocked the Task Manager and other registry tools.

[Kimiteshu]

I uploaded Task Manager, sorry I forgot to add the finished status to the log as well.

The log below had the same result as the first time I scanned it with virustotal.

File taskmgr.exe received on 2009.07.18 16:31:40 (UTC)
Current status: finished
Result: 0/41 (0%)