Hello Everybody, We have one ms sql db server clustered on a windows server 2003 r2 x64 Enterprise Edition. We have been facing an unusuall issue where the registry and task manager seems to be unaccessable. Whenever we try to access both of them it say that it has been disabled by the administrator. When i tried googling the same it asked me to do some changes in the local gpedit.msc which did not help at all. Hence I downloaded process explorer from sysinternal to check and found an unusuall entry in the process explorer window. Please find the screenshot for the same. Also the process explorer window is closing automatically. Request you to please find me a solution. Waiting for your kind reply. Regards, Amit Khamkar.

Looks like a Virus infection to me at first glance. Make sure AV definitions are updated on the server and run a full system scan. Also, update latest windows patches applicable. You might as well want to install Malwarebytes Antimalware and scan the server to know if the server is infected.I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

HI, I am sorry and I know it sounds crazy but we do not have an AV engine on the server. Its a live production server hence cant reboot it! Thanks! Regards, Amit Khamkar.

Hi amit, Its a well known Virus/Worm. Kindly update your antivirus definitions and rum a full scan of your system. As Santhosh suggested use Malwarebytes to remove the virus.Regards, Rafic If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

HI, I am sorry and I know it sound crazy but we do not have an AV engine on the server. Its a live production server hance cant reboot it! Thanks! Regards, Amit Khamkar. I am afraid, without the help of any security applications, you can fix the issues described in your post !I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

There used to be a free tool called RRT ( Restriction Removal Tool ) which was capable of fixing issues like removing restrictions imposed by virus from Task Manager and registry. I am not sure, if its still available for free. Use your favorite search engine and search for it. if use RRT, you don't have to reboot your server as far as I remember.I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

Yes, I do agree with Santhosh and Rafic. It is a confiker virus, it will create the schedule tasks like At1 At2 At3 etc., when you check in process explorer you will see the running tasks rundll32.exe Take the action to clean it. Thanks

Well, you all were right and I was able to see a task scheduled in the task scheduler with name A1 and A2. Also that I was able to open regedit and task manager through elevated command prompt. But when I tried killing the process, but it regenerates itself, how I dont really know. The solutions you asked me to apply did not really help. Is there any other way out. Thankyou!Regards, Amit Khamkar.

Well, you all were right and I was able to see a task scheduled in the task scheduler with name A1 and A2. Also that I was able to open regedit and task manager through elevated command prompt. But when I tried killing the process, but it regenerates itself, how I dont really know. The solutions you asked me to apply did not really help. Is there any other way out. Thankyou! Regards, Amit Khamkar. As far as I know, there is no way to eliminate viruses from operating system manually until and unless you know in and out of that OS and its registry settings or if you know how virus/malware works and attacks OS files and spreads across network. Is there a reason why you cant install AV or any other security application on the server in question ? By NOT installing AV on server, you might be risking your network !!!I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

you can try this link http://www.ozzu.com/windows-tutorials/tutorial-task-manager-regedit-etc-won-open-part-t44857-30.html

Hi, Sorry! But it did not help either. Thanks.Regards, Amit Khamkar.

Hi Amit, Thank you for the post. You could use Image File Execution Options registry key to stop the process running. I assume the process name virusA.exe, create the same registry key virusA.exe in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Then create new new string with the name Debugger and value C:\WINDOWS\system32\cmd.exe. Now if virusA.exe is run by system, the cmd.exe will be launched instead. http://www.osix.net/modules/article/?id=781 You could also download Microsoft Safety Scanner tool to scan your system. http://www.microsoft.com/security/scanner/en-us/default.aspx If there are more inquiries on this issue, please feel free to let us know. RegardsRick Tan TechNet Community Support

Hi Amit, Thank you for the post. You could use Image File Execution Options registry key to stop the process running. I assume the process name virusA.exe, create the same registry key virusA.exe in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Then create new new string with the name Debugger and value C:\WINDOWS\system32\cmd.exe. Now if virusA.exe is run by system, the cmd.exe will be launched instead. http://www.osix.net/modules/article/?id=781 You could also download Microsoft Safety Scanner tool to scan your system. http://www.microsoft.com/security/scanner/en-us/default.aspx If there are more inquiries on this issue, please feel free to let us know. RegardsRick Tan TechNet Community Support

Hi, We have finally installed an av engine from microsoft and have the virus cleaned from the server entirely. The only thing that remains is that we are still not able to access taskmgr from run and from the task bar. Waiting for reply. Regards, Amit Khamkar.

Try suggestions from following links How To Enable Windows Task Manager When Disabled By a Virus http://www.addictivetips.com/windows-tips/how-to-enable-windows-task-manager-when-disabled-by-a-virus/ How to remove virus that disables task manager http://mtsandeep.hubpages.com/hub/how-to-remove-virus-that-disables-task-manager Regedit and Task manager disabled by virus http://forum.soft32.com/windows/Regedit-Task-manager-disabled-virus-ftopict380168.html I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....

Try suggestions from following links How To Enable Windows Task Manager When Disabled By a Virus http://www.addictivetips.com/windows-tips/how-to-enable-windows-task-manager-when-disabled-by-a-virus/ How to remove virus that disables task manager http://mtsandeep.hubpages.com/hub/how-to-remove-virus-that-disables-task-manager Regedit and Task manager disabled by virus http://forum.soft32.com/windows/Regedit-Task-manager-disabled-virus-ftopict380168.html I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. - .... .- -. -.- ... --..-- ... .- -. - --- ... ....