Monday, January 14, 2008

Fix: disabled task manager.

A very famous virus... actually it's not one virus; there are a lot of new computer viruses that do the same thing: DISABLE WINDOWS TASK MANAGER.

Some anti-viruses are only able to remove the virus without fixing this problem; others (also known as anti-spyware) are able to fix it too. Now, how does this happen, how is the infection done, and how can you fix it yourself?

"Disable Windows Task Manager" is not an overridden process; it's an option built into Windows to let administrators prevent limited users from opening the task manager. That's why, if someone is infected with this virus and presses [Alt+Ctrl+Del], Windows pops up a message saying "Task Manager has been disabled by your administrator." !!
Well, let's first discuss how you, as a system administrator, can disable the task manager:
-Open Run
-Type "gpedit.msc"
-Press Enter
-Open User Configuration >> Administrative Templates >> System >> Ctrl+Alt+Del Options
-Open "Remove Task Manager"
-Now you have three options: "Not Configured" and "Disabled" are nearly the same; "Enabled" is what enables the "Remove Task Manager" operation, i.e. disables the task manager!


Now, why does such an option exist in Windows?
It's a very useful option when you're an administrator and don't want to let other users use the task manager as a way to view running processes, close any of them, view other users' sessions, or use many other controls...

Obviously, the configuration mentioned above should exist in the Windows registry, so all we need now is to know exactly where it is and see how we can deal with it to enable/disable the task manager...

-Open the Windows registry [Run, type "regedit", then press Enter]
-Open "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\" (HKCU is HKEY_CURRENT_USER)
-If there isn't a subkey called "System", then you don't have any configured administrative option in the System section... OK, let's open "gpedit.msc" again and set the "Remove Task Manager" option to "Disabled"... after a refresh you'll be able to see the "System" subkey, and it contains a DWORD value called "DisableTaskMgr" whose value is set to "0"...
-Actually, the value "DisableTaskMgr" should not exist at all if "Remove Task Manager" is set to "Not Configured"; if it has a value, then "0" means "Disabled" and "1" means "Enabled".


Now as you can see, all you need to do is play with this value... a virus generally sets it to "1", so removing it or setting it to "0" could be a solution... changing it from "gpedit.msc" could also be a solution...
The problem is when the virus disables "gpedit.msc" and "regedit" by the same method!! [I'll discuss this later; they generally use the same methods...]

The solution could simply be a "reg" script or just a VBScript... it's very easy:
Regscript:
-Open a text file
-Write in it:
Windows Registry Editor Version 5.00
; By Amahdy
; www.amahdy.com
; Setting DisableTaskMgr to 0 corresponds to "Remove Task Manager" = Disabled.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000


-Save the file as "EnableTaskMgr.reg" (be careful: the extension should be ".reg", not ".txt")
-Double-click the file...
-Press "Yes" then "OK", and that's all, you're done!


VBScript:
-Open a text file
-Write in it:
Option Explicit
' By Amahdy www.amahdy.com
' Delete the DisableTaskMgr policy value under HKCU; once it is gone,
' "Remove Task Manager" is back to "Not Configured" and Task Manager opens again.
Dim WSHShell
Set WSHShell = WScript.CreateObject("WScript.Shell")
WSHShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
MsgBox "DONE!"


-Save the file as "EnableTaskMgr.vbs" (be careful: the extension should be ".vbs", not ".txt")
-Double-click the file...
-Wait for the "DONE!" confirmation message... and you're done...


NOTES:
-The first method doesn't let a limited user activate this option, but the second one does...
-I'm assuming you're using it when you're infected with the virus, so unexpected errors, for example because the "System" subkey doesn't exist, aren't my concern here.
-All the previous work is similar with "HKLM" or "HKEY_LOCAL_MACHINE"... many viruses attack both locations too... but this one is the most important.
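As an added example (not code from the original post), the same check and fix in PowerShell, covering both the HKCU and HKLM locations the notes above mention. It reports whether the "System" policy subkey exists, what "DisableTaskMgr" is set to, and with -Fix removes the value, exactly as the VBScript does. It also looks at "DisableRegistryTools", the neighbouring value in the same key that blocks regedit (the post says regedit gets disabled by the same method but does not name the value; that name is my addition, not the post's).

```powershell
# Added example: audit and optionally clear the Task Manager / regedit
# policy values in both the per-user and machine-wide policy keys.
# HKLM changes need an elevated prompt.
param([switch]$Fix)

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
# DisableTaskMgr is the value the post discusses; DisableRegistryTools is
# the sibling value (same key) that blocks regedit.
$valueNames = @('DisableTaskMgr', 'DisableRegistryTools')

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) {
        # No "System" subkey at all: nothing is configured here.
        Write-Output "$key : subkey absent (not configured)"
        continue
    }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $valueNames) {
        $val = $props.$name
        if ($null -eq $val) {
            Write-Output "$key\$name : not set"
        } elseif ($val -eq 0) {
            Write-Output "$key\$name : 0 (policy Disabled, tool available)"
        } else {
            Write-Output "$key\$name : $val (policy Enabled, tool BLOCKED)"
            if ($Fix) {
                # Removing the value returns the policy to "Not Configured".
                Remove-ItemProperty -Path $key -Name $name -ErrorAction Stop
                Write-Output "  -> removed $name"
            }
        }
    }
}
```

Run it once without -Fix to see the state, then with -Fix to clear the block; running the check again a minute later tells you whether the malware is re-applying the value on a timer, which is the case the post warns about where you have to end the process before it ends you.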

I have started with the task manager because it's the most important tool for killing the virus process... after that you can repair everything quietly... I believe the task manager is really the most important thing; you just need to open it. The virus may be timed to disable the task manager, but once you open it the virus can't do anything, unless it's also timed to end the task manager process, so do it quickly and end the virus process before it ends you! Finally, the worst case is a virus which removes the task manager altogether... I'll discuss solutions for this later!

This method can help fix virus problems without the need to install anti-viruses or any extra fixing tool that scans the PC and makes it hang, etc... I'll try to discuss many of those methods here: the handy fixing methods ;-)