Registry Editor and Task Manager disabled

Guest

I also have been struggling with the "Registry Editor disabled by System
Administrator" and "Task Manager disabled by System Administrator" issue.
I have run many anti-virus and spy-ware removal programs suggested here
several times, including running them in "Safe Mode". I have also followed
the suggested procedures or programs for editing my Registry via some other
method to restore the value to "0" which enables the Registry Editor and
Task Manager from the "1" that has been placed in the "value", to no avail
as well.

The only program that seems to catch this problem is Ad-Aware SE Personal
(or Ad-Aware 6.0) which consistently finds this object even after I have
just removed it with that program. Upon a consecutive run of the Ad-Aware,
those objects continue to be consistently found again and again.

Here is a description of what Ad-Aware is finding:

Vendor:Windows
Category:Vulnerability
Object Type:RegData
Size:4 Byte
Object:HKEY_USERS:S-1-5-21-507921405-436374069-1708537768-1004\software\microsoft\windows\currentversion\policies\system"DisableRegistryTools"()
Location:...\software\microsoft\windows\currentversion\policies\system
"DisableRegistryTools" ()
Last Activity:11-17-2004
Risk Level:Low
TAC index:3
Comment:possible unintended lockout from Registry Editor (Regedit access
disabled)
Description:General Windows Security Issue. Your system security may be
compromised. The specifics of the possible compromised item are listed in the
comments section.


Vendor:Windows
Category:Vulnerability
Object Type:RegData
Size:4 Byte
Object:HKEY_USERS:S-1-5-21-507921405-436374069-1708537768-1004\software\microsoft\windows\currentversion\policies\system"DisableTaskMgr"()
Location:...\software\microsoft\windows\currentversion\policies\system
"DisableTaskMgr" ()
Last Activity:11-17-2004
Risk Level:Low
TAC index:3
Comment:possible unintended lockout from Task Manager (Task manager access
disabled)
Description:General Windows Security Issue. Your system security may be
compromised. The specifics of the possible compromised item are listed in the
comments section.

I am running WindowsXP Home Edition, Service Pack 2 (SP2). I even tried to
un-install SP2 and re-install it again to no
avail.

HELP!!!
 
Doug Knox MS-MVP

Are you in a Domain or corporate environment? If so, then they can enforce policies like these, even if you don't want them to. If not, then you are infected with some type of virus/malware that is reinforcing these settings. In addition to AdAware, check out SpyBot Search and Destroy, www.safer-networking.org. Also ensure that your AV software is up to date, and scan your system in Safe Mode.
 
Guest

Doug Knox,

I am not in a Domain nor a corporate environment. This is a home
computer, thus the WindowsXP Home Edition :). I have run Ad-Aware SE Personal
and Ad-Aware 6.0 several times a day, always checking for an update on each
execution, hoping they would have a new list which would permanently delete
whatever I am infected with. I have followed the same procedure using SpyBot
Search and Destroy, also checking daily for new update list, as well as
several other anti-virus (Nortons, McAfee, MicroTrend, etc) and other spy bot
removal programs. Still no success. Any other suggestions?

Thanks,

spongebobiwan
 
Guest

As a P.S. to my last post, I have in fact executed the attempt to remove the
infection in Safe Mode.
 
Doug Knox MS-MVP

Something that is being executed on your system is doing this. Windows XP Home does not support Group Policies, so these restrictions are not being enforced from there. Take a close look at what's being loaded at Startup. You can use MSCONFIG, or for a more readable presentation, see www.dougknox.com, Win XP Utilities, Startup Programs Tracker.
 
Guest

Further Update:

Upon re-running MicroTrend's Housecall via internet connection, the
following 2 objects were found and listed as possible virus:
C:\windows\system32\tapi32init.ext
C:\windows\intranet32.exe
However, Housecall could not remove the items as it said they were "in use".

I then re-started my computer in Safe Mode to look for those files, but they
could not be found, even in DOS mode. I could not run MicroTrends Housecall
in Safe Mode, as it requires an internet connection. Also, I can say that I
can get into Registry Editor and Task Manager in Safe Mode, however the
objects previously mentioned as found by Ad-Aware SE Personal where the
registry values were changed from a "0" to a "1" could not be found using
Registry Editor in Safe Mode.

Next suggestion?

spongebobiwan
 
Guest

SUCCESS!!!!

The following procedure removed the found possible virus as previously
posted, and restored function of both Registry Editor, and Task Manager:

Re-started my computer in Safe Mode with Networking

Started up Internet Explorer

Went to http://housecall.trendmicro.com/

Ran Housecall and found the previously listed files
(C:\windows\system32\tapi32init.exe and C:\windows\intranet32.exe)

Deleted those two files

Re-started Windows in Standard Mode

Ran the regtools.vbs program posted on this newsgroup to enable Registry
Editor (re-start of computer is necessary to enable Registry Editor)

Re-started computer

Executed Registry Editor (Start - run - regedit - okay) to open up Registry
Editor

In Registry Editor - went to HK_USERS,
S-1-5-20-507921405-436374069-17085537768-1004, Software, Microsoft, Windows,
CurrentVersion, Policies, System

Edited the Value of "Disable TaskMgr" from "1" to "0" to return enabling of
Task Manager


This procedure returned my ability to use both Registry Editor and Task
Manager and removed the virus or spyware that was disabling it. I hope this
helps others with this problem.

spongebobiwan
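
The registry check described in this thread, as an added example that is not part of the original posts: it reads `DisableRegistryTools` and `DisableTaskMgr` under `Policies\System` for every loaded user hive rather than the single SID shown above, optionally writes `0` back, and lists the Run startup entries to review. It assumes a Windows system with PowerShell available (not present by default on Windows XP) and an elevated prompt; the script name is hypothetical.

```powershell
# Added example (hypothetical script name: Check-ToolLockout.ps1). Run from an elevated prompt.
# Reports DisableRegistryTools / DisableTaskMgr for each loaded user hive; -Reset writes 0 back.
param([switch]$Reset)

$policySub = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$runSub    = 'Software\Microsoft\Windows\CurrentVersion\Run'
$names     = 'DisableRegistryTools', 'DisableTaskMgr'

# HKEY_USERS has no built-in drive, so use provider-qualified paths.
# Keep only real account SIDs (S-1-5-21-...), skipping the *_Classes hives.
$sids = @(Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { $_.PSChildName })

foreach ($sid in $sids) {
    $policyPath = "Registry::HKEY_USERS\$sid\$policySub"
    $key = Get-Item -Path $policyPath -ErrorAction SilentlyContinue
    if (-not $key) { continue }                      # no policy key: nothing is restricted

    foreach ($name in $names) {
        $value = $key.GetValue($name)                # $null when the value does not exist
        if ($null -eq $value -or $value -eq 0) { continue }
        "{0}: {1} = {2} (tool disabled)" -f $sid, $name, $value
        if ($Reset) {
            Set-ItemProperty -Path $policyPath -Name $name -Value 0 -Type DWord
            "{0}: {1} reset to 0" -f $sid, $name
        }
    }
}

# The values come back if something started at logon rewrites them, so list the
# Run entries for the machine and for each user and review anything unfamiliar.
$runPaths = @("Registry::HKEY_LOCAL_MACHINE\$runSub") +
            @($sids | ForEach-Object { "Registry::HKEY_USERS\$_\$runSub" })
foreach ($path in $runPaths) {
    $run = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $run) { continue }
    foreach ($entry in $run.GetValueNames()) {
        "{0}: {1} -> {2}" -f $path, $entry, $run.GetValue($entry)
    }
}
```

If a value reported here returns after a reset and a reboot, the process rewriting it is still starting at logon, which is the situation described earlier in the thread.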
 
Malke

spongebobiwan said:
Further Update:

Upon re-running MicroTrend's Housecall via internet connection, the
following 2 objects were found and listed as possible virus:
C:\windows\system32\tapi32init.ext
C:\windows\intranet32.exe
However, Housecall could not remove the items as it said they were "in
use".

I then re-started my computer in Safe Mode to look for those files, but
they could not be found, even in DOS mode. I could not run MicroTrends
Housecall in Safe Mode, as it requires an internet connection. Also, I can
say that I can get into Registry Editor and Task Manager in Safe Mode,
however the objects previously mentioned as found by Ad-Aware SE
Personal where the registry values were changed from a "0" to a "1"
could not be found using Registry Editor in Safe Mode.

Next suggestion?

Try running TrendMicro's Sysclean in Safe Mode, as follows:

TrendMicro's Sysclean is an extensive antivirus tool which has the
advantage of not needing to be installed. It requires two parts - the
scanning engine and the virus pattern files.

1. Create a new folder on your Desktop or the C: drive named something
useful like "Sysclean".
2. Go here and download the two parts of the program to that folder:

http://www.trendmicro.com/download/dcs.asp - Sysclean
http://www.trendmicro.com/download/pattern.asp - virus pattern files

The pattern files will be zipped - extract them with your unzipper (like
WinZip) or if you have XP, you can just open the folder. You need to
put the extracted files in the Sysclean folder you made.

3. Restart your computer in Safe Mode. Get into Safe Mode by repeatedly
tapping the F8 key as the computer is starting up to get to the proper
menu.
4. Go to the Sysclean folder you made and double-click on sysclean.com.
Start the scan. After the scan is finished, look at the log. You may
need to make a note of where any viruses were found if they were not
able to be removed so you can manually delete them.

Make sure you've enabled the ability to see all hidden files and
protected operating system files as well as extensions.

Malke
 
