This was an issue I ran into last week on one user's pc.  Tried everything I 
could including comparing the registry of a "good" XP box.  Never did find a 
solution to it.  I set the user up on a spare machine and reformatted the 
infected one.

To: [email protected]
Subject: RE: Can't run TaskManager
From: [email protected]
Date: Tue, 8 Sep 2009 14:04:23 -0500

Thanks!

However, now that I can look at it, that value is indeed the "good" "%1" %*

--
RMc

"Damien Solodow" <[email protected]> wrote on 09/08/2009 01:20:33 PM:

> To see HKEY_CLASSES on a remote machine look under HKLM\Software\Classes
>
> From: [email protected] [mailto:[email protected]]
> Sent: Tuesday, September 08, 2009 2:20 PM
> To: NT System Admin Issues
> Subject: Re: Can't run TaskManager
>
> Interesting, thanks!
>
> HelpDesk is running a full MalwareBytes scan on it anyway.  VIPRE is
> scheduled to run a deep scan as well late tonight.
>
> Other than TASKMGR.EXE returning a "not found", all _appears_ to be
> running correctly.
>
> HKEY_CLASSES will not display on a remote registry connection, so
> we'll need to look at it early WED morning.
> --
> RMc
>
> Jeff Bunting <[email protected]> wrote on 09/08/2009 01:10:15 PM:
>
> > No, I think all is good if that key doesn't exist.  I don't have a
> > "System" subkey under policies on my XP workstation either.
> >
> > This malware did modify the .exe associations in the registry too,
> > but it sounds like you are able to launch other executables OK, your
> > problem could be something else.  Might be worth a look at that key
> > to see if it has been modified though.  The default should be "%1" %*
> >
> > HKEY_CLASSES_ROOT\exefile\shell\open\command
> > "%1" %*
> >
> > Jeff
> >
> > On Tue, Sep 8, 2009 at 12:45 PM, <[email protected]> wrote:
> >
> > Is this registry key hidden?  I can't find anything like this in
> > either HKCU or HKUsers...
> >
> > However, the file "taskman.exe" shows, both in Explorer and from a
> > "dir" command.  However, if in Explorer I double-click the file
> > icon, I get the "file not found" error pop-up.
> >
> > I'm about to do some deeper scans, but perhaps those could be
> > aborted if it were simply a matter of whacking that registry entry.
> >
> > Thanks!
> > --
> > Richard D. McClary
> > Systems Administrator, Information Technology Group
> >
> > ASPCA®
> > 1717 S. Philo Rd, Ste 36
> > Urbana, IL  61802
> >
> > [email protected]
> >
> > P: 217-337-9761
> > C: 217-417-1182
> > F: 217-337-9761
> > www.aspca.org
> >
> > Jeff Bunting <[email protected]> wrote on 09/08/2009 10:59:48 AM:
> >
> > > Richard,
> > >
> > > There was a thread last week about a fake antivirus that disabled
> > > task manager.  It apparently disabled it via a registry key:
> > >
> > > [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
> > > "DisableTaskMgr"
> > >
> > > Jeff
> > >
> > > On Tue, Sep 8, 2009 at 11:42 AM, <[email protected]> wrote:
> > >
> > > I have a desktop machine doing something troubling...
> > >
> > > It's a Dell PWS-380, WinXP-Pro SP2.
> > > In a remote desktop session, I was wanting to see if a specific
> > > process was running, so I right-clicked the task bar and chose
> > > TaskManager.  I got the hour glass icon for about a second, then
> > > nothing - for quite a long time.
> > >
> > > I went to the desk and logged in locally.  Same thing.  I did a
> > > "chkdsk /f" command and rebooted.
> > >
> > > Logging back in (locally) I did see a gray icon for VIPRE
> > > Enterprise.  Its agent version and definitions were current.  I
> > > initiated a deep scan.  (Hopefully, none of this is relevant, but
> > > VIPRE/SBamSvc was the process for which I was originally hunting.)
> > > So far, VIPRE has not detected any malware (yet!).
> > >
> > > I still cannot run Task Manager on this machine - either by
> > > right-clicking the task bar and selecting it, or by Ctrl-Alt-Del and
> > > clicking the Task Manager button.
> > >
> > > SO, I go to the machine and run "taskmgr.exe".  To that I get a
> > > response - the file is not there.
> > >
> > > Any ideas as to what could have whacked that file?  Thanks!
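A read-only check for the registry values named in this thread, as an added example that is not part of the original messages. It reads `DisableTaskMgr` for every loaded user hive and compares the `.exe` association and the `exefile` open command against the `"%1" %*` default, using `HKLM\Software\Classes` and `HKEY_USERS` because `HKEY_CLASSES_ROOT` and `HKCU` are not exposed over a remote registry connection. The `$ComputerName` parameter and the `Get-RegValue` helper are names chosen for this example; it assumes administrative rights and a reachable Remote Registry service on the target.

```powershell
param([string]$ComputerName = $env:COMPUTERNAME)   # assumed parameter name

$ExpectedOpen = '"%1" %*'   # default exefile open command quoted in the thread
$PolicyPath   = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Helper (name is illustrative): return a value, or $null if the key is absent.
function Get-RegValue($Root, [string]$Path, [string]$Name) {
    $key = $Root.OpenSubKey($Path)
    if ($null -eq $key) { return $null }
    try { $key.GetValue($Name) } finally { $key.Close() }
}

$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
$hku  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::Users, $ComputerName)

$findings = @()

# HKCR is a merged view: machine-wide classes plus each user's Software\Classes.
# A per-user override wins, so checking HKLM alone can miss a hijacked handler.
$classRoots = @(@{ Root = $hklm; Path = 'Software\Classes'; Label = 'HKLM' })

foreach ($sid in ($hku.GetSubKeyNames() | Where-Object { $_ -notlike '*_Classes' })) {
    $classRoots += @{ Root = $hku; Path = "$sid\Software\Classes"; Label = "HKU\$sid" }

    # DisableTaskMgr is a per-user policy value; absent or 0 means not disabled.
    $v = Get-RegValue $hku "$sid\$PolicyPath" 'DisableTaskMgr'
    if ($null -ne $v -and $v -ne 0) {
        $findings += 'HKU\{0}\{1}: DisableTaskMgr = {2}' -f $sid, $PolicyPath, $v
    }
}

foreach ($c in $classRoots) {
    # An empty value name reads the key's (Default) value.
    $assoc = Get-RegValue $c.Root "$($c.Path)\.exe" ''
    $open  = Get-RegValue $c.Root "$($c.Path)\exefile\shell\open\command" ''
    if ($assoc -and $assoc -ne 'exefile') {
        $findings += '{0}: .exe is associated with "{1}", not exefile' -f $c.Label, $assoc
    }
    if ($open -and $open -ne $ExpectedOpen) {
        $findings += '{0}: exefile open command is {1}' -f $c.Label, $open
    }
}

if ($findings) { $findings }
else { "No DisableTaskMgr policy or modified .exe handler found on $ComputerName" }
```

Only hives loaded at the time of the check appear under `HKEY_USERS`, so the affected user needs to be logged on (or their `NTUSER.DAT` loaded) for the per-user values to be visible.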