About Jesse H. Expertise I have been working with Windows XP since it was released. I know a lot of shortcuts; some are specific to Windows XP and some work with previous versions of Windows, too. I am working in the Windows registry almost on a daily basis, so I can help with configurations, too.
Experience I have worked with Windows XP since it was released. Before it was released, I worked with Windows 2000 and Windows NT.
Expert: Jesse H. Date: 5/16/2005 Subject: Task manager has been disabled
Question -
Hi Jesse, when I press Ctrl/Alt/Del on my keyboard to close non-responsive programs I get an error message saying "YOUR TASK MANAGER HAS BEEN DISABLED BY YOUR ADMINISTRATOR". This is a family PC and only me and my family go on it. I am not sure why this has started doing this or indeed how to fix it. Any help on repairing or fixing this problem would be greatly beneficial to me. I am operating on XP and have been doing so for about 4 months now, having spent about 4 years with Windows 98. I am in no way a PC wiz, so if you are able to help please don't give me too much jargon; I may not understand everything you refer to, although I do know my way round a little. Many thanks, Robert
Answer -
Hi, Robert!
You can correct this error by using the Group Policy Editor for Windows XP. Use the following steps:
========
1. Click Start, Run, type gpedit.msc and click OK.
2. Double-click the Remove Task Manager option from the Group Policy menu.
You can then disable or set the policy to Not Configured. Disabling or setting this policy to Not Configured should solve the problem.
========
I do not know exactly why this would have turned off for you. You may want to check your system for viruses and worms because some of them may disable the Task Manager to prevent you from stopping them. I'm not sure that you have a virus or a worm, I just find it peculiar that the Task Manager was suddenly disabled.
Let me know if you need anything else.
Sincerely,
Jesse
Jesse, thanks for your prompt reply. I have gone to Run and entered gpedit.msc; however, when I click on OK I get an error message saying that it could not be found. I retyped it several times and still my PC couldn't find it. Any thoughts?
Robert.
Answer -
Hi, Robert!
I apologize, I did not realize that gpedit.msc was not available with Windows XP Home Edition.
Instead of typing "gpedit.msc" into the Run dialog box, type "REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f". Nothing else needs to be done once you have typed this command and hit enter. This will make the same changes as gpedit, just more directly.
I did test this command on my machine and it worked, but I have Windows XP Professional, not Home Edition. If it doesn't work still, let me know.
Sincerely,
Jesse
Jesse, thanks again for your prompt reply. I have copied and pasted your instruction to type into my Run command and it appears to accept it. However, when I try Ctrl/Alt/Del I am still getting the same result: "Task manager has been disabled by your administrator". I tried going in through the steps you mentioned and when I got to SYSTEM there is nowhere else to go; "v DisableTaskMgr /t REG_DWORD /d 0 /f" does not appear. I am not sure if that's because I have Home Edition or not, but it's not there.
Robert.
Answer -
Hi, Robert!
When you say that you "tried going in through the steps [I] mentioned", what does that mean? What steps are you talking about?
It could be that the command failed and you didn't know it because the window popped up and went away too quickly. To figure out if the command is being taken, type "cmd" into the Run dialog box. In the window that pops up, type the REG command again. You should get a message that reads, "The operation completed successfully".
Sincerely,
Jesse
Jesse, sorry I didn't make myself quite clear. When I said I went through the steps I meant I went to "start-run-HKCU-Software-Microsoft-Windows-CurrentVersion-Policies-System -v DisableTaskMgr -t REG_DWORD /d 0 /f" by using my mouse and clicking open each folder in turn. When I got to System there was nothing else in the folder. That is what I meant when I said I had gone through the steps; sorry for the confusion.
However, I have also now tried what you suggested and typed cmd in the Run box, then copied and pasted the REG command as you suggested. It did say the operation had been completed successfully, but on trying Ctrl/Alt/Del I still get the same message. I'm sorry this seems to be causing a problem.
Robert.
Answer -
Hi, Robert!
Sorry that I did not get back to you yesterday. Type "cmd" into the Run dialog box, like you did last time. However, this time type "REG query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" in the window that pops up. Send me the output from this command.
If you could send this to me today before 6 PM Eastern Time, that would be great. I am going on vacation starting tomorrow and I will not be back until December 30.
Sincerely,
Jesse
Jesse, many thanks for your return. I did as you asked and written below is the response after typing what you said I should and pressing Enter.
There is no urgency for this to be repaired, so if you don't get to reply to me until after your break that isn't a problem. I appreciate your help whenever it comes. Thanks
Robert
Answer -
Hi, Robert!
One last test before I make a final conclusion on this one. Type "cmd" into the Run dialog again. This time, type in the "REG add" command immediately followed by the "REG query" command. The most important part is that the "REG add" command has a 0 (zero) after the /d option. The "REG query" command should return the DisableTaskMgr value set to 0x0, not 0x1.
After you have run both of those commands, type a third command that reads, "REG query HKLM\Software\Microsoft\Windows\CurrentVersion\Run". Please send the output from all three commands.
I suspect this test will fail (i.e. you will get back a 0x1, not a 0x0 from the original "REG query" command), but I do need to make sure before I have you go down the next path.
Sincerely,
Jesse
Jesse, I did as you asked and the responses are: after the first one, "operation completed successfully".
Second one was the same as before.
This all means nothing to me, but I am sure you know what it all means. As you said, I got back my 0x1 for Task Manager though.
Robert.
Answer -
Hi, Robert!
I apologize that it took me a few days after my vacation to get back to this one. I have been searching and I cannot find, from the information you have provided, any proof that you have a virus/spyware running on your system. However, I cannot think of anything else that would be disabling the Task Manager after you enable it.
So, I would like to get more detailed information from you. The easiest way to do this is to use a free utility called HijackThis!. You can download this utility from "http://computercops.biz/downloads-file-328.html". All you need to do is unzip this file into a directory of your choosing and then run the HijackThis.exe file. When you do this, go to the Misc Tools tab and check both checkboxes in the StartupList section. Then, click on the Back button and then click on the Scan button. When the scan is finished, the Scan button will change to a Save Log button; click on the Save Log button. Save the log to a directory and then copy and paste the information to me.
Let me know if you have any troubles getting the log file.
Sincerely,
Jesse
Jesse, hope you had a nice vacation. Many thanks for getting back to me. I did as you requested above. However, I couldn't find the Misc Tools tab or StartupList section. It seemed to go right to a scan log file, so I scanned and saved that. I have copied and posted it below. I hope it's what you require. If not, please let me know.
Many thanks.
Robert
Logfile of HijackThis v1.99.0
Scan saved at 20:11:01, on 05/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Answer -
I found it, I found it, I found it! It took a little while, but the HijackThis output showed me what I needed to know. If you look in the output towards the top, you will find a line that reads, "C:\WINDOWS\EXPIORER.EXE". This was intended to look like explorer.exe, so I knew that it couldn't be good. When I did a search on this, I knew I found what was ailing your machine. I knew because one of the symptoms mentioned was a disabled Task Manager.
Your computer is infected with the trojan horse named Magic PS. You can get some information on Magic PS (including information on how to remove it) at "http://pcprotectdotcom.com/modules.php?name=News&file=article&sid=4&mode=&order=0&thold=0".
The removal appears to be fairly easy, but I am afraid that the consequences of this trojan horse are a little bit more severe. Since this trojan horse was first placed on your machine, every time you have logged into Yahoo Messenger, a PM has been sent to an attacker with your user id and password included. This means that the attacker has had access to your account for the past couple weeks, at least. I truly hope that you use Yahoo Messenger in a more recreational sense, as opposed to a business or private sense.
Unless you happened to sign up for Yahoo Paydirect before you got Magic PS, then I believe your current Yahoo account is lost and you will have to create a new one. The article above discusses this, too.
I guess this is a sort of good news/bad news scenario, but at least you know what is wrong and how to fix it. Also, the article above will tell you how to prevent it from happening again.
Let me know if this helps.
Sincerely,
Jesse
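The two checks that carried this thread, the "REG query" of the DisableTaskMgr policy value that Jesse asked for earlier and the look-alike file name he spotted in the HijackThis output above, can be automated. The script below is an added example written for this page; it is not part of the original exchange, nor code from HijackThis, Spybot or any other tool mentioned. It works on text only (pasted `reg query` output and HijackThis process/autostart lines), so it runs offline on any platform. The `reg query` output and HijackThis lines embedded in it are constructed for the example, not the real logs from Robert's machine, and the list of "known good" binary names is an assumption chosen for illustration.

```python
"""Triage helper for a "Task Manager has been disabled" case.

Reads `reg query` output and HijackThis-style lines as text, reports the
DisableTaskMgr policy in both hives, and flags executables whose names
imitate a legitimate Windows or Messenger binary (e.g. EXPIORER.EXE with
a capital I in place of the l in explorer.exe).
"""
import re
from collections import defaultdict

# Assumed list of legitimate binaries that malware likes to name itself after.
KNOWN_GOOD = {
    "explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
    "winlogon.exe", "services.exe", "spoolsv.exe", "msnmsgr.exe",
}

# Characters routinely swapped to fool the eye: I/1/| for l, 0 for o.
HOMOGLYPHS = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})

POLICY_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System",
)

# Value lines in `reg query` output are indented: name, type, data.
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")
# A drive-letter path ending in .exe (spaces allowed, as in C:\Program Files\...).
EXE_RE = re.compile(r"[A-Za-z]:\\.+?\.exe\b", re.IGNORECASE)


def parse_reg_query(text):
    """Turn `reg query` output into {key_path_lower: {value_name: (type, data)}}."""
    keys, current = defaultdict(dict), None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip().lower()
            keys[current]  # register the key even if it has no values
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m["name"].strip()] = (m["type"], m["data"].strip())
    return dict(keys)


def task_manager_policy(keys):
    """DisableTaskMgr per policy hive: 1 = disabled, 0 = enabled, None = value absent."""
    report = {}
    for path in POLICY_KEYS:
        values = keys.get(path.lower(), {})
        entry = next((v for k, v in values.items() if k.lower() == "disabletaskmgr"), None)
        report[path] = int(entry[1], 16) if entry else None
    return report


def lookalike_of(filename):
    """Return the legitimate name that `filename` imitates, or None."""
    name = filename.lower()
    if name in KNOWN_GOOD:
        return None
    for good in KNOWN_GOOD:
        if name.translate(HOMOGLYPHS) == good.translate(HOMOGLYPHS):
            return good  # expiorer.exe -> explorer.exe
        if len(name) == len(good) and sum(a != b for a, b in zip(name, good)) == 1:
            return good  # one-character change, e.g. msnmsgq.exe -> msnmsgr.exe
    return None


def suspicious_executables(*texts):
    """Scan any number of text blobs for paths whose file name imitates a known binary."""
    hits = []
    for text in texts:
        for path in EXE_RE.findall(text):
            good = lookalike_of(path.rsplit("\\", 1)[-1])
            if good and (path, good) not in hits:
                hits.append((path, good))
    return hits


# --- Constructed sample input (not real output from the thread) ---
REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Windows Explorer    REG_SZ    C:\WINDOWS\EXPIORER.EXE
"""

HIJACKTHIS_LINES = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\EXPIORER.EXE
C:\WINDOWS\msnmsgq.exe
C:\AntiSpyware\HijackThis.exe
O4 - HKCU\..\Run: [MSN Messenger] C:\WINDOWS\msnmsgq.exe
"""

if __name__ == "__main__":
    for path, state in task_manager_policy(parse_reg_query(REG_QUERY_OUTPUT)).items():
        print(f"{path}\n    DisableTaskMgr = {state}")
    for path, good in suspicious_executables(REG_QUERY_OUTPUT, HIJACKTHIS_LINES):
        print(f"SUSPICIOUS {path}  (looks like {good})")
```

Run it as-is to see the constructed sample triaged, or paste real `reg query` and HijackThis output into the two strings. The point it makes beyond the thread: query both HKCU and HKLM, since a policy in either hive disables Task Manager, and compare autostart file names against the genuine binaries character by character, because a capital I and a lowercase l are indistinguishable in many fonts and a human reading a log will skip right past them.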
Jesse, many thanks for this information. From reading the articles on it, it does appear I have this trojan. The good thing is my Yahoo account is still active and I do not use Yahoo for anything other than Yahoo chat and a few e-mails for Yahoo groups and sending cards to friends, etc. Unfortunately things do not seem to be as easy as they should be. I went to the site and read up on how to remove and prevent it. One of the first things it asks you to do is open the Run box and run gpedit.msc. I have tried this but I get an error message saying that Windows couldn't find the file on my computer. Hence I couldn't continue with the deletion or removal. I am not PC literate enough to find the file or extensions of it elsewhere, if it indeed can be found. I am very sorry this is causing you this much trouble. But your help is REALLY appreciated, and I am learning along the way also.
P.S. Do you suggest everyone in the family with a Yahoo account changes their passwords when this is eventually sorted?
many thanks. Robert.
Answer -
Hi, Robert!
If you go back up to the top of this note, you will find that my first suggestion to you was to use gpedit.msc, but I didn't realize that it was not available on the Home Edition of XP. I suspect that the person who wrote the article also didn't know that or assumed that everyone was running the Professional edition.
Anyway, if you go back and take a look at my second note I sent to you (if the e-mails you get are like the ones I get, you should have a history of all the notes we have sent back and forth just above this message), it will give you an alternative to using gpedit.msc.
Also, don't worry about this issue being any trouble to me, it hasn't been. In fact, I've learned a few things myself. I hadn't tried the HijackThis utility before and now I think I will have to install it on my grandparents' computer because they have been having computer issues for a few months. I keep going over there to fix it, but it keeps coming back, maybe that output will prove useful.
Sincerely,
Jesse
Jesse, hi. Me again. I managed to do what you said above and I have been and done what it said on the site you sent me to. I followed the steps and searched for "magic w" and also under regedit searched for all files with "sender exe" in the name. Unfortunately I found no reference to either file or folder in any search I did. I did download Spybot and have run it a few times. I uninstalled Messenger and also reinstalled that and changed my password. Guess what? I still haven't solved the problem. I still keep getting the error message I had before. I'm not sure what else to do or where to look for these files, or indeed if this Magic trojan has been deleted or made inert.
Robert.
Answer -
Hi, Robert!
Have you killed the Magic PS process that is running on your machine? It sounds like that might be the part you are missing. If you have, then perhaps the problem is that there is more than one Magic PS process running on your machine. Go through the list from step 1 on the website I sent you and kill any process that matches those names. Since Task Manager is disabled, you will need to use the Term product that the article briefly mentions. You can download it from "http://www.nesoft.org/terminator/term.exe".
Also, when doing the search for "magic_w", make sure to include the "_" between the "magic" and "w".
Let me know what happens.
Sincerely,
Jesse
Jesse, sorry I have not replied; I never got your response. I just checked today and it got sent. I have redone what you asked me to do. I still cannot find any magic_w file or sender.exe on my PC. I have run Spybot on several occasions and it seems to get stuck right at the end. Not sure why. I also had a private message from some Yahoo user telling me my system had been hacked, as in the section "HOW CAN I TELL IF I HAVE MAGIC PS" from the support web site you sent me. I immediately changed my password. I have done another HijackThis log file and copied it below. EXPIORER is still there. I am not sure if this will give you any information or not, but I thought it may save time if you needed it.
Thanks. Robert.
P.S. I have also looked at some problems people are having and are using hijack this to help them on www.techguy.org. This may help you in future problems.
Logfile of HijackThis v1.99.0
Scan saved at 20:34:19, on 31/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Answer -
When I went back and took a look at the web site, I didn't find a step that had you deleting the "C:\WINDOWS\EXPIORER.EXE" file. So, after you kill the "C:\WINDOWS\EXPIORER.EXE" process using the Term product I mentioned in my previous e-mail, go in and delete the "C:\WINDOWS\EXPIORER.EXE" file (be careful to not delete the "C:\WINDOWS\EXPLORER.EXE" file). Also, make sure that you are searching the registry for "sender.exe", not "sender exe". Let me know if this helps.
Sincerely,
Jesse
Jesse, thanks for the quick response. I killed expiorer with the Terminator program. I have also found and deleted two files named expiorer.exe; both were in a folder called PREFETCH. I have searched again for files in the registry called sender.exe and also used the search facility on my PC, still no luck there. I restarted my PC and Terminator, and the expiorer program was again running. I suppose it is in a startup program somewhere. I deleted it again and restarted my PC again: still the same results, I am afraid......... Robert.
Answer -
Hi, Robert!
I've been trying to find some different instructions for the manual removal of this trojan, but I cannot find any such instructions. However, I did find a utility that claims to remove Magic-PS. The only problem is that Magic-PS has evolved and this removal utility is only good against Magic-PS v1.5 and below. You can find out what version you have by taking a look at the section labeled "Ok How Can I Tell If I Got Magic PS" on the web page I sent you a while ago.
Even if you find out that you have a higher version of Magic-PS, I think you should still try this removal utility, just in case it works. You can get the utility at "http://pcprotectdotcom.com/modules.php?name=Downloads&d_op=getit&lid=1#dl". Let me know what happens.
Sincerely,
Jesse
Jesse, thanks again for your reply. I cannot get the download you talk of above because I am not a registered user of the site. I registered today to try and get it but it wouldn't let me in; perhaps it takes a day or so for new accounts to be active. I will try again tomorrow. However, in the meantime I have managed to do a couple of things. I ran Terminator and deleted the expiorer file. I then went back to near the start of this long string of e-mails where you told me to
type "REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f". Nothing else needs to be done once you have typed this command and hit enter.
I then tried Task Manager and it worked; it was back. I restarted my machine but unfortunately the expiorer file had returned, so I did the same again with the same results: I can get Task Manager, but only after following the two steps to delete expiorer and then enable my Task Manager as outlined by yourself. Although there is still the problem somewhere within my PC, even if I can't find it (I ran a search again for expiorer with no results), at least it is some progress, I suppose, from what we have had. I shall try to download the fix tomorrow and let you know what happens from that. If you think there is any more I can do from what I have told you above then please let me know.
Many thanks.
Robert.
Answer -
Hi, Robert!
That is a little odd because I just joined that website this morning, too. I was able to get immediate access, but maybe I was just on at the right time.
I got an idea. Try searching for "magic_w" again, but this time, put "magic_w" in the Containing Text field. I think, since you are using XP Home Edition, your search window (Start -> Search) looks a little different than mine, but play around with the different options until you find a Containing Text field. Make sure it searched the entire disk drive and don't put anything in any of the other fields. Let me know what you find.
Sincerely,
Jesse
Jesse, I managed to join the site and downloaded the anti-MPS program. I unzipped it as instructed, but when I tried to run the program I get an error message which reads: "component "comdlg32.ocx" or one of its dependencies is not correctly registered: a file is missing or invalid." I tried this several times but with no luck. I have also done a search for magic_w and came up with a couple of things where I had copied and saved conversations into a Word document; I ignored these, but it came back with another reference. I tried to find it on my PC but couldn't. Perhaps I wasn't looking right. It means little to me really, but I am sure you understand it; here's what it said: C:\documents and settings\all users\application\data\spybot-search&destroy\backups. I hope this helps.
Robert.
Answer -
Hi, Robert!
Go to "http://windowsxp.mvps.org/comdlg32.htm" for instructions on how to get around the error message you are receiving. If you get the same or a similar error message after following the steps on that web page, then go to "http://support.microsoft.com/kb/q192461/" and install the VBRun60.exe package from that web site.
It sounds like SpyBot has information about the Magic-PS trojan, perhaps it can detect earlier versions, but not the one you have. By the way, the path you supplied is a little wrong; within the "All Users" directory, there is another directory named "Application Data", not just "Application". Either way, I don't think you should delete that file.
I am going to hope that the removal utility works. If it doesn't then I think I will be trying to get in contact with the person who wrote the article and see if they have any ideas.
Sincerely,
Jesse
Jesse, I have done as you said and downloaded both programs you asked me to. I am still getting the error message. I can still use Terminator to delete the expiorer file and then I type "REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f" into the Run box, which does enable my Task Manager again. This little program is a pain. I am also trying to get this sorted myself; I have also searched for more information about this on the net, but I can't seem to get any other information than you seem to have passed on to me. Sorry, not sure where we go from here.
Robert
Answer -
Hi, Robert!
I have sent a private message to the person who wrote the article we have been referencing. I asked him for any help he may be willing and able to give. One thing that I do need to know is what version of the trojan you have. You can find this out by looking in your message archive and finding the messages that are being sent by the trojan. Let me know and I will pass that information along. I'll let you know what I get back.
Sincerely,
Jesse
Jesse, I am very sorry, but I deleted the messages when I found out it was those that were causing me the problems. I will await to hear from you. As I have said before, no rush. Thanks.
Robert.
Answer -
Hi, Robert!
Sorry that I haven't gotten back to you in a long time, I hope all is well with you. I have been waiting to get a response from the forum I posted to. I finally heard back from them, but now they want a fresh HijackThis log. Please send me a new HijackThis log and then I will pass it along to them. They have promised to answer ASAP this time.
Sincerely,
Jesse
Jesse, thanks for getting back to me. I have just done a HijackThis log and copied and pasted it below for you. As you can see, the expiorer.exe is still there. Many thanks, Robert.
Logfile of HijackThis v1.99.0
Scan saved at 19:02:51, on 13/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Answer -
Okay, I have some more news from the people helping me out with this one. The following is what they sent to me:
===========
Hello
While offline with all browsers and folders closed >
In Control Panel, Add/Remove Programs, uninstall these programs
(if present) in this order; always restart the PC if an uninstaller prompts you to.
'Search Toolbar'
'WebSearch Toolbar'
'WebSearch Tools',
'Search Assistant'
And as the last step >> 'Win-Tools Easy Installer'.
It will say an internet connection is needed; it's not.
At that prompt click "No", then at another prompt click "No", then it will want to restart the PC; click OK and Windows will restart. If not, restart it yourself.
Empty your temps, and with Internet Options > Temporary Internet Files,
"Delete Files" and [X] offline content.
Delete these now-empty folders if still there.
C:\Program Files\Toolbar
C:\Program Files\Common Files\WinTools
==========================
Next:
Download, install and update Ad-Aware SE ver 1.5.
Is it SpyBot 1.3 you have? If not, replace it.
Tutorial - The home of Spybot-S&D!: http://www.safer-networking.org/en/tutorial/index.html
================================
After that, and once you have restarted the PC > Quote:
C:\DOCUME~1\Rob\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
You're running HijackThis from a temp folder and it still hasn't been unzipped; neither is a good idea.
Create a new folder, for instance C:\AntiSpyware
Download the exe from here to that new folder. http://www.merijn.org/files/HijackThis.exe
This is necessary to ensure you have backups should anything go wrong.
Make and post a new log.
===========
Let me know if you have any questions or concerns regarding these steps.
Sincerely,
Jesse
Jesse hi, thanks for the info.
I started to follow the steps you sent and just got stumped. I do not appear to have the
"Search toolbar"
"Websearch toolbar"
or "Websearch tools".
I do have "Search Assistant". However, when I try to remove it, it says I need an internet connection. When I click Continue, my PC locks up and I have to restart it.
I have not attempted to follow any more of the instructions before I contacted you about what I should do.
I can also tell you that I do have "Win-Tools Easy Installer" when I get to that part.
I also checked a couple of other things.
The ad-aware version I have is 6.0 do I have to uninstall it and get an earlier version?
I have Spybot version 1.3
I also have Spyware blaster version 3.2 installed
Answer -
Hi, Robert!
When it asks about an internet connection, click No, not Continue; they are a little tricky about it.
Hi Jesse, I had a few issues doing what you said; there was only "Connect or Cancel" for the internet connection thing for Search Assistant. However, I scoured my PC and found a file called "salm" which contained the said file, so I deleted it and was then able to remove it from Add/Remove Programs. I followed all the other steps and just did a HijackThis log again. Please find this below; hope it helps. Many thanks.
Robert.
Logfile of HijackThis v1.99.1
Scan saved at 23:35:59, on 20/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Answer -
===============
Start HijackThis and place a check next to these items,
Close all browser windows and shut down all other programs that show in the taskbar (even folders). [We do not mean stop the programs in the tray area near the clock.]
====================================
Hit fix checked and close Hijackthis.
Restart your PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
C:\Program Files\asdfe57 - delete folder
Go submit these to here > http://virusscan.jotti.org/
C:\WINDOWS\msnmsgq.exe
C:\WINDOWS\EXPIORER.EXE
Important
Delete the contents of all your temp folders, as in: open C:\ then >
C:\documents and settings\(all your PC users)\local settings\temp
Note: Some systems have Temporary Internet Files, Application Data and History in that temp; if so, leave them and delete all other folders and files inside that temp.
Delete the contents of the C:\windows\temp folder.
Empty the Recycle Bin.
Clear Internet Explorer's cache:
1. In Control Panel, open Internet Options.
2. Click the General tab, and then under Temporary Internet files, click Delete Files.
3. In the Delete Files dialog box, click to select the Delete all offline content check box.
4. Wait for the hourglass to disappear.
5. Click OK.
In Control Panel > Java, click Delete Temp Files.
Post a fresh log please and the results of the Jotti scan.
===============
Let me know if you have any questions about this information.
Sincerely,
Jesse
Jesse, hi. I have not been able to get back to you before now. It kept telling me you were maxed out, so I couldn't send you a reply before today.
I am not sure if you would find it easier to contact me direct. If you do, my e-mail is >
r.fogg@dsl.pipex.com
I have found EXPIORER.EXE by visiting my son's settings and searching WINDOWS in there. But when I try to find it to submit it to Jotti I can't seem to find it by browsing. Perhaps I am looking in the wrong place. I have also found and deleted this EXPIORER.EXE from my son's settings.
I have 4 users on this PC, one each for me, my wife and the children. I also went through the other users and TASK MANAGER is highlighted in bold as if it can be accessed on 2 accounts but not on mine or one of the others. When I tried to open Task Manager on the users where it showed accessible, I saw just a quick flash of it on my screen and then it disappeared. Not sure if this has anything to do with what we are trying to do or not. Just thought I would let you know.
PLEASE FIND BELOW THE JOTTI RESULTS AND THE HIJACKTHIS LOG AS REQUESTED.
ROBERT.
Answer -
Sometimes Windows and its search will not know a file exists. So, what you should do next is to download an application named Pocket Killbox version 2.0.0.175. This application is used to, among other things, delete files on a reboot of your machine.
You can download the application from one of these locations: