Win XP Task Manager opens but instantly closes again

Hi,
I'm having a problem with Task Manager in Windows XP. It was fine until a few days ago and now, when I open it (ctrl Alt Delete), it opens for a split second then immediately closes.

Can anyone suggest why this is happening and how I can fix it?


Thanks

C

Don't know but my comp is also playing up and its not just the task manger that is not working but when I had gone in to DOS to see what programs are running (In case I saw any viruses) this also closes on the open command after a couple of seconds

Most likely Spyware or a Virus.

You should do a complete Virus Scan. If you currently have you own anti-virus program, you should update the definitions and scan.

If you don't have any virus protection, go here:
http://housecall.trendmicro.com/

Next, you should scan for spyware. A good program is Adaware.
http://www.lavasoftusa.com/software/adaware/

Follow the instructions after installing:
Launch adaware and update the definitions:

1) Go to settings (gear at the top), Tweak, Scanning Engine: Make sure 'Unload recognized process during scanning' is checked.
2) Under Cleaning Engine, make sure 'Let Windows remove files in use after next reboot' is checked. Click Proceed. Click Start
3) Use Custom Scanning Options. Make sure 'Activate in-depth scan' is checked.
4) Click Customize, Click Select Drives + Folders, Check the drive on which your OS is installed. Click Proceed, Click Next.
5) After Scanning has completed, Right-click in the found objects area, select all, click Next, click OK and let it remove all items.
6) Reboot.

Next, download hijack this, run it, click scan, save log, and post the log here.
https://ssl.perfora.net/tools.radiospla ... ckThis.exe

It see this forum

Windows XP Task Manager starts and instantly teminates

cerio -- some people spent a lot of time giving help and answers in this thread:

http://www.ozzu.com/mswindows-forum/windows-task-manager-starts-and-instantly-teminates-t30390.html

Please read it first and see if any of that helps you.

Sorry about that lads (and ladies) that was the forum I was suppose to print the link for. However, after being in there I have all the virus software avg, spybout, ad-ware 6, spyhunter2 etc. and I can't find the problem. The task manger is still disappearing as is DOS and hijeckthis does not seem to what to kick-in either? It seem to start but then closes. I am just about to restart in safe mode I will post and results.

Right,

once in safe mode I ran hijectthis and the log is as follows

Logfile of HijackThis v1.98.2
Scan saved at 14:52:17, on 12/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Virus software\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meshcomputers.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\Run: [D4F181E3] C:\WINDOWS\System32\tvvothbzu.exe
O4 - HKLM\..\Run: [Microsoft Update] wssvrs.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\wpras.exe

O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [restrictanonymous]

O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\7.tmp.exe

O4 - HKLM\..\Run: [Outlook Express Config] bbkzh.exe
O4 - HKLM\..\Run: [Outlook Express] znoov.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\urslwne.exe
O4 - HKLM\..\Run: [blah service] smnp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [Microsoft Update] wssvrs.exe
O4 - HKLM\..\RunServices: [4212CFD1] C:\WINDOWS\System32\tvvothbzu.exe

O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [EnableDCOM] N
O4 - HKLM\..\RunServices: [MSN Messenger] jdkmety.exe
O4 - HKLM\..\RunServices: [Outlook Express Config] bbkzh.exe
O4 - HKLM\..\RunServices: [Outlook Express] znoov.exe
O4 - HKLM\..\RunServices: [blah service] smnp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe

O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll

O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O16 - DPF: {315D1BD2-0165-48AE-9F91-9CC271704FBA} (LRNPrint Class) - file://E:\Webfiles\LRN Viewer\HTML\lrniehlp.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

Any ideas would be greatly appreciated

thanks

Let's start by getting rid of the W32/Rbot-BV worm:
http://www.sophos.com/virusinfo/analyses/w32rbotbv.html

Make sure system restore is disabled.

While in safe mode go to c:\Windows\System32
Delete WSSVRS.EXE

Go to regedit.
Delete the following keys

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = wssvrs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update = wssvrs.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = wssvrs.exe

I'll type up a few more instructions to get rid of another worm here in a second. You might as well wait for that before you do the above so you can get rid of both of them at the same time.

The other worm I see is WORM_SPYBOT.BR

http://www.trendmicro.com/vinfo/virusen ... BR&VSect=T

While in safe mode go to
C:\Windows\System32\
delete SCRGRD.EXE.EXE

In regedit delete the following keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
Microsoft Restore = “scrgrd.exe”
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices
Microsoft Restore = “scrgrd.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
Microsoft Restore = “scrgrd.exe”

Rerun Hijackthis and check these and "fix"

O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [EnableDCOM] N
O4 - HKLM\..\RunServices: [MSN Messenger] jdkmety.exe
O4 - HKLM\..\RunServices: [Outlook Express Config] bbkzh.exe
O4 - HKLM\..\RunServices: [Outlook Express] znoov.exe
O4 - HKLM\..\RunServices: [blah service] smnp.exe


That should get you far enough along to where you can run your other spyware removal tools without these creeping back in. They should have caught them the first time around, but give it a go around again. Do all of this in safe mode with system restore off.

ATNO/TW

Excellent Advise put to good use. Comp is working well. The only problem was that I had to do it for ever user on the computer which was a real pain but can't be helped. The only reason I mention it is if any one else is having the same problem. Anyway, thanks again for the advise.

Hey guys i am having same problem with task manager,reg edit and msconfig. I am posting my hijackthis also.Any help will be appreciated.I am off to work so I will check the forum later this evening. Thanks

Logfile of HijackThis v1.97.7
Scan saved at 11:15:44 AM, on 9/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Protector Plus\PPAVMon.exe
C:\Program Files\Protector Plus\PPServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\icemgr.exe
C:\WINDOWS\System32\CSSRS.EXE
C:\WINDOWS\SYSCFG16.EXE
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7A60A650-7737-5241-77F7-D8C1EC8EBCF0} - C:\WINDOWS\Lpaqmkxk.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Search - {C6122C8E-5963-D4C9-AF60-9AF6DD4EBAC4} - C:\WINDOWS\Lpaqmkxk.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Winsock2 driver] CSSRS.EXE
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] icemgr.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] icemgr.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] icemgr.exe
O4 - HKCU\..\RunOnce: [Winsock2 driver] CSSRS.EXE
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] icemgr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Royal Vegas Poker (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-5.9.3.38 ... assets.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8853E9D-2756-4137-A186-A723A4323909}: NameServer = 205.188.146.146

First of all, turn off system restore.

//Edit, in case you are not sure how to turn off system restore:

For Windows XP

Log on an administrative account.
Right-click the My Computer icon on the desktop and click Properties.
Click the System Restore tab.
Select Turn off System Restore.
Click Apply > Yes > OK.
Continue with the scan/clean process. Files under the _Restore folder can now be deleted.
Re-enable System Restore by clearing Turn off System Restore.

----------------
First worm, Backdoor.Win32.Wisdoor.19968:

1- Reboot to safe mode. (You can reboot to safe mode by pressing F8. on startup)

2. Using Windows Explorer, uncheck "Hide file extensions for known file types". - [Tools] -> [Folder Options...] -> [View] -> click "Hide file extensions for known file types", also uncheck "Hide protected operating system files", click Yes to confirm and click ok.

3. Confirm if "SYSCFG16.EXE" is executing and terminate the process. [Window Task Manager] -> [Process]

- Example execution of Window Task Manager: In the Windows 95/98/ME system, press "CTRL+ALT+DELETE" and in the Windows NT/2000/XP system, press "CTRL+SHIFT+ESC".

4. Find out the following file in the window folder and delete it.

- SYSCFG16.EXE (File size : 19,968 bytes, File attribute : Hide)

5. After selecting [Start] -> [Run], type "regedit". (Registry editor is executed.)

6. Search for the value in the following path with the registry editor and delete it.

- HKEY_LOCAL_MACHINE\
Software\
Microsoft\
Windows\
CurrentVersion\
Run

- Name : Windows System Configuration
- Data : (Windows folder)\SYSCFG16.EXE

7. Close the registry editor.

8. Reboot the system.

//You have McAffee antivirus, I strongly recommend you to get the last virus definition from Mcafee.

//Rescan with hijack this and post you log again.

Second one, WORM_AGOBOT.FX

1- Again, start in safe mode
2- Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
3- In the left panel, find the following key:
- HKEY_LOCAL_MACHINE\
Software\
Microsoft\
Windows\
CurrentVersion\
Run

4- In the right panel, locate and delete the entry:

WinFX = "cssrs.exe"
Display Drivers = "cssrs.exe"

5- In the left panel, find the following key:
- HKEY_LOCAL_MACHINE\
Software\
Microsoft\
Windows\
CurrentVersion\
RunServices

6- In the right panel, locate and delete the entry:
WinFX = "cssrs.exe"
Display Drivers = "cssrs.exe"

7- Again in the left panel, locate and delete the following:
HKEY_LOCAL_MACHINE\
System\
CurrentControlSet\
Services\
Driver

8- Close Registry Editor and restart your system
9- Go to C:\WINDOWS\System32\ and delete this file CSSRS.EXE

Note: Check your spelling very well when you delete this file, it is CSSRS.exe NOT CSRSS.exe, this last one is in fact a system file

Not sure about this ones, I will research on them, if no one came with some information:

O2 - BHO: (no name) - {7A60A650-7737-5241-77F7-D8C1EC8EBCF0} - C:\WINDOWS\Lpaqmkxk.dll
O3 - Toolbar: Search - {C6122C8E-5963-D4C9-AF60-9AF6DD4EBAC4} - C:\WINDOWS\Lpaqmkxk.dll

O4 - HKLM\..\Run: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] icemgr.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] icemgr.exe