Win XP Task Manager opens but instantly closes again

  • ATNO/TW
  • Super Moderator
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA

Post October 9th, 2004, 4:03 pm

Hidden Danger wrote:
P.S. yep, on my own PC with SP2 (the one with a problem is a friend's) it also lists explorer.exe and not .EXE.

By the way I don't know if this is relevant but the install of SP2 on my friend's machine took 24hrs + !!!


*lol -- that's not surprising if he's on dial-up.

I think your idea might do the trick, although I can't recommend it as I have never tried it.
"There's no place like 127.0.0.1 except for ::1."
Alexandria Networks. Leader in IT consulting for associations/non-profits, and small to medium sized businesses around the northern Virginia and Washington D.C. metro area.
  • ATNO/TW
  • Super Moderator
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA

Post October 9th, 2004, 4:10 pm

That's probably not it. I just ran HijackThis in XP and it adds the caps like yours did.

That log is incredibly small. Did you do that in safe mode? If so, try running it in regular Windows and repost if different.
  • Hidden Danger
  • Newbie
  • Joined: Oct 09, 2004
  • Posts: 12
  • Loc: The Moon

Post October 9th, 2004, 4:10 pm

He did the update from an XP SP2 CD-ROM not via a dial-up connection - it probably would have been quicker via dial-up ! (It only took 20 mins on my PC)

Anyway, I tried copying explorer.exe from my pc but this didn't work as the pc would not even boot into windows because of a missing .dll file. Good job I made a backup of the explorer.EXE! I've now restored the original explorer.EXE and it is booting into windows as before with the same problems.

I've also noticed that if you click on search in windows explorer that the following message appears:

"Cannot load library for language 'JScript' Path: 'C:\Program files\Common Files\Symantec shared\script blocking\scrauth.dll' Please contact Kaspersky Lab for the solution"

However, the solution at:

http://www.kaspersky.com/faq?qid=148845452

involves editing the registry, which I can't even get into !
  • Hidden Danger
  • Newbie
  • Joined: Oct 09, 2004
  • Posts: 12
  • Loc: The Moon

Post October 9th, 2004, 4:16 pm

The hijack was run in normal windows not safe mode. I did clean up a bit with hijack earlier though (should have mentioned that earlier, sorry) - I've restored the backup though now with hijack to before I started cleaning up and here is the original log:

Logfile of HijackThis v1.98.2
Scan saved at 00:13:31, on 10/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Temp\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/template ... rol022.cab
  • ATNO/TW
  • Super Moderator
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA

Post October 9th, 2004, 4:37 pm

I see why you nixed what you did, however, at the moment I'm out of ideas. I can't see anything in your current log that's a problem.
  • Hidden Danger
  • Newbie
  • Joined: Oct 09, 2004
  • Posts: 12
  • Loc: The Moon

Post October 9th, 2004, 4:39 pm

ok, thanks for your time anyway. I think I might try and uninstall SP2 and see if that makes any difference.

Cheers
  • ATNO/TW
  • Super Moderator
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA

Post October 9th, 2004, 4:49 pm

Wait a minute. I'm confused. If you have SP2 installed, then why does your log show SP1?

Now I'm even more confused. You say this was the original log:
Quote:
I've restored the backup though now with hijack to before I started cleaning up and here is the original log:


but the date on the first one you posted was 9/10/2004


So which is current?
  • Hidden Danger
  • Newbie
  • Joined: Oct 09, 2004
  • Posts: 12
  • Loc: The Moon

Post October 9th, 2004, 4:55 pm

Good point, looks like the SP2 installation that took over 24hrs really did cause some major problems.

However, I've just finished removing SP2 via add/remove prgrms and the problem remains:

Here's a revised log after the uninstall:

Logfile of HijackThis v1.98.2
Scan saved at 00:53:49, on 10/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.btopenworld.com/searchpane
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/template ... rol022.cab

Off to bed now as it's 1am in England ! C U in the morning...
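
The two HijackThis logs posted above can be compared mechanically rather than by eye. The following is an added example, not part of the original thread: it parses shortened excerpts of both logs and reports which running processes and log items appeared or disappeared, folding case so that explorer.exe and Explorer.EXE count as the same path. The names parse and diff are this example's own.

```python
import re

# Shortened excerpts of the two HijackThis logs posted in this thread.
LOG_BEFORE = r"""Scan saved at 00:13:31, on 10/10/2004
Running processes:
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
"""
LOG_AFTER = r"""Scan saved at 00:53:49, on 10/10/2004
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # item lines: "O4 - ...", "R1 - ..."

def parse(log):
    """Split a log into a set of process paths and a set of (code, text) items."""
    procs, entries, in_procs = set(), set(), False
    for line in log.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False
            # Windows paths are case-insensitive, so fold case before comparing.
            entries.add((m.group(1), m.group(2).casefold()))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.add(line.casefold())
    return procs, entries

def diff(before, after):
    """Report what appeared and what disappeared between two scans."""
    (bp, be), (ap, ae) = parse(before), parse(after)
    return {"procs_added": sorted(ap - bp), "procs_removed": sorted(bp - ap),
            "entries_added": sorted(ae - be), "entries_removed": sorted(be - ae)}

if __name__ == "__main__":
    print(diff(LOG_BEFORE, LOG_AFTER))
```
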
  • Hidden Danger
  • Newbie
  • Joined: Oct 09, 2004
  • Posts: 12
  • Loc: The Moon

Post October 9th, 2004, 4:58 pm

P.S. I've noticed that windows task mgr (which I can open after killing explorer.exe in hijack) shows a process called:

csrss.exe

which hijack does not ???
  • ATNO/TW
  • Super Moderator
  • Joined: May 28, 2003
  • Posts: 23404
  • Loc: Woodbridge VA

Post October 9th, 2004, 5:01 pm

That's an OK file
http://www.liutilities.com/products/win ... ary/csrss/
  • trojanmon
  • Born
  • Joined: Oct 09, 2004
  • Posts: 1

Post October 9th, 2004, 7:49 pm

I'm also having a similar problem, except most antivirus programs also close and hijack this seems to get killed as well. I get a popup for just a few ms and then it goes away each time I run.

Also, I periodically get some popups that say you must click yes to continue.

This is a family member's computer and I've removed a bunch of viruses and adware removed a bunch too. HouseCall scanner won't work because it crashes IE. I'm sure these are all related. Do you think it might be a root kit? Any ideas how to proceed?

TIA.
  • Hidden Danger
  • Newbie
  • Joined: Oct 09, 2004
  • Posts: 12
  • Loc: The Moon

Post October 10th, 2004, 9:03 am

A little progress, I have found that by running regedt32.exe or regedit.exe from c:\i386 I am able to edit the registry. Could this mean that the versions of regedt and regedt32 that are being run by typing a command in at "run" are bogus versions stored elsewhere?

I'm currently perusing the registry now for dodgy entries.
  • Hidden Danger
  • Newbie
  • Joined: Oct 09, 2004
  • Posts: 12
  • Loc: The Moon

Post October 10th, 2004, 9:09 am

More info if it will help: although if I run regedt32.exe and regedit directly from c:\i386 they run fine, if I copy the exact same files (regedt32.exe and regedit.exe) from c:\i386 to the c:\windows folder and run them from c:\windows they just close down straight away??? It's almost as if something is detecting if regedit is being run from c:\windows but not if it is run from c:\i386???? very perplexing.
  • Hidden Danger
  • Newbie
  • Joined: Oct 09, 2004
  • Posts: 12
  • Loc: The Moon

Post October 10th, 2004, 12:45 pm

I've reinstalled XP SP2 and turned on the firewall, upon rebooting the firewall came up with a message about blocking explorer accessing the internet and the problem remains. Also, every time I enable the firewall it disables itself a few seconds later!!

:cry: :cry: :cry:
Any suggestions anyone?
:cry:
  • amadeus
  • Born
  • Joined: Oct 06, 2004
  • Posts: 2

Post October 11th, 2004, 11:48 am

I don't know much, but after trying lots of stuff, I solved my prob by running the house call service of the trend microsystems website. It detected this kind of virus and fixed it for me. You might want to try that.

© 2011 Unmelted, LLC. Ozzu® is a registered trademark of Unmelted, LLC.