Windows XP Task Manager starts and instantly terminates

  • TDP1954x
  • Newbie
  • Newbie
  • TDP1954x
  • Posts: 11

Post 3+ Months Ago

All of a sudden, it seems, Task Manager will not stay running. I Ctrl/Alt/Del, it starts and instantly terminates. Anyone know why?
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Found this:
http://www.mcse.ms/message899814.html


Google:
Task Manager Closes

Good Luck
  • TDP1954x
  • Newbie
  • Newbie
  • TDP1954x
  • Posts: 11

Post 3+ Months Ago

Ran NAV, AdAware, Spybot. Found no viruses. Still have problem.
???
  • KnightHawk
  • Born
  • Born
  • KnightHawk
  • Posts: 4
  • Loc: Alwayes Here

Post 3+ Months Ago

I'm quite sure that you have a "worm or spam" that makes your Task Manager stop. No antivirus can detect it. Try this:

"SPYBOT": you can find it at download.com, it's freeware. Maybe it can help. If not, try to go to "msconfig", then the "Startup" tab, and disable unknown files that start with unknown letters.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Can you run regedit? or does that terminate also?

If so, my best guess is what's included in the link JrzyCrim provided above

Probably W32.Spybot.Worm
http://securityresponse.symantec.com/av ... .worm.html

You might also check the replies here (scroll down to see):
http://www.experts-exchange.com/Applica ... 77095.html
  • TDP1954x
  • Newbie
  • Newbie
  • TDP1954x
  • Posts: 11

Post 3+ Months Ago

Installed and ran Spybot and Ad-Aware.
Still Task Manager flashes and terminates.
Also REGEDIT does the same.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Search through the links provided carefully. If you are still having trouble download Hijack This

Run it, click scan, save your log and post it here. Don't fix anything yet. Just post your log and we'll see what's going on...
  • SimonTemplar
  • Novice
  • Novice
  • User avatar
  • Posts: 21

Post 3+ Months Ago

Dude, I have seen this before, but it is a worm over there in your system.
Unfortunately the only solution was to reinstall the system. I did everything I know, which took like 5 hours, and the same problem was still there.
  • TDP1954x
  • Newbie
  • Newbie
  • TDP1954x
  • Posts: 11

Post 3+ Months Ago

I have run hijack. What do I look for?
And yes, REGEDIT does the same thing.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

JrzyCrim wrote:
Run it, click scan, save your log and post it here. Don't fix anything yet. Just post your log and we'll see what's going on...
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

You can post your hijackthis log here. We'll help if possible.
  • TDP1954x
  • Newbie
  • Newbie
  • TDP1954x
  • Posts: 11

Post 3+ Months Ago

Logfile of HijackThis v1.98.2
Scan saved at 9:18:54 PM, on 9/1/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\OHWNBEIU.EXE
C:\QUICKENW\QAGENT.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\KMaestro\KMaestro.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Tom Palmer\My Documents\Download\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AOL Instent Messenger] OHWNBEIU.EXE
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\RunOnce: [AOL Instent Messenger] OHWNBEIU.EXE
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ScanButton 2.1.lnk = C:\Program Files\ScanButton 2.1\ScanButton.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

I don't see anything that needs to be fixed. Your log looks clean to me.


Try the online virus scan here and see if it turns up anything:

http://housecall.trendmicro.com/

In the meantime, I'll see if I can turn up any other causes for your problem.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Man -- that looks pretty darn clean to me.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Given the fact that you apparently use AIM, there is a possibility of this:

http://reviews.cnet.com/5208-6132-0.htm ... eID=372092

Although I don't see any evidence of it in your log file. Also checked several variants (under Symantec's name)
http://reviews.cnet.com/5208-6132-0.htm ... eID=372092

Looks like you have the same problem as the first link, but I don't see in your log where it might be.

Have you tried MSCONFIG and does it close too, like others are having problems with?
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Those sneaky bastards. I think this is the problem: OHWNBEIU.EXE

Kill that process: Enter this in start > Run:

TASKKILL /F /IM OHWNBEIU.EXE


Run Hijack this again, scan and fix these entries:

O4 - HKLM\..\Run: [AOL Instent Messenger] OHWNBEIU.EXE
O4 - HKCU\..\RunOnce: [AOL Instent Messenger] OHWNBEIU.EXE

Go to your system32 directory and delete OHWNBEIU.EXE.


Looking through some other logs on the web I saw various programs masquerading as AOL Instant Messenger. That certainly is an odd name for a file.
  • Foxy
  • Guru
  • Guru
  • User avatar
  • Posts: 1038
  • Loc: places..

Post 3+ Months Ago

What about this

Quote:
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe


that looks suspicious..
"Pop up"
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Foxy wrote:
What about this

Quote:
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe


that looks suspicious..
"Pop up"


That's actually a program used to control pop-ups:
http://www.liutilities.com/products/win ... ary/dpps2/

I think JrzyCrim has it though. I was wondering about that file, and just assumed it to be part of AIM. I couldn't find anything on the net about it, period. I'm pretty positive Jim's solution will fix it.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

I glanced over that file the first time. It caught my attention but not enough to really pursue it as a problem. Going over the log again, I noticed it does have an odd filename. The fact that I couldn't find anything about it either increased my suspicion, so I did a Google search for "O4 - HKLM\..\Run: [AOL Instent Messenger]". There were some posted logs that contained similar entries that needed to be removed:

O4 - HKLM\..\Run: [AOL Instent Messenger] DBDUCTIF.EXE and
O4 - HKCU\..\RunOnce: [AOL Instent Messenger] EEPBIUNJ.EXE for example.

I don't believe AIM places any files in system32; at least not executables. I could be wrong though.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Makes sense. I tried the same search, but used the whole key for the search. No wonder I didn't find anything.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

OMG are we blind or what? Look at the spelling in the regkey:

Quote:
[AOL Instent Messenger]


Since when is "Instant" spelled "Instent"? *lmao
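The tells the posters converge on in this thread (an autostart entry that is only a bare file name, a label one letter off a real product name, the same label under both Run and RunOnce), written as a triage pass over O4 lines from the posted log. This is an added example, not part of the original thread; `KNOWN_LABELS`, the 0.9 similarity threshold and the heuristics themselves are this example's assumptions.

```python
import re
from difflib import SequenceMatcher

# O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AOL Instent Messenger] OHWNBEIU.EXE
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKCU\..\RunOnce: [AOL Instent Messenger] OHWNBEIU.EXE
"""

# Assumption: product names a lookalike label might imitate (extend as needed).
KNOWN_LABELS = ["AOL Instant Messenger", "Windows Messenger", "Norton AntiVirus"]
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

def parse_o4(log):
    """Yield (hive, key, label, command) for each registry autostart line."""
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m.groups()

def lookalike_of(label):
    """Return the known name this label nearly (but not exactly) matches, else None."""
    for known in KNOWN_LABELS:
        ratio = SequenceMatcher(None, label.lower(), known.lower()).ratio()
        if label.lower() != known.lower() and ratio >= 0.9:
            return known
    return None

def triage(log):
    """Return {label: [reasons]} for autostart entries worth a closer look."""
    entries = list(parse_o4(log))
    findings = {}
    for hive, key, label, cmd in entries:
        reasons = findings.setdefault(label, set())
        if "\\" not in cmd:
            reasons.add("command is a bare file name with no directory")
        known = lookalike_of(label)
        if known:
            reasons.add(f"label is a near-miss of '{known}'")
        places = {(h, k) for h, k, l, _ in entries if l == label}
        if len(places) > 1:
            reasons.add(f"same label registered in {len(places)} autostart keys")
    return {l: sorted(r) for l, r in findings.items() if r}
```

On the sample lines only the `[AOL Instent Messenger]` label is returned, with all three reasons attached; the Quicken and Pop-Up Stopper entries pass.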
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

!!! I didn't even notice that. Geez, that should have been a dead give away.

*hangs head in shame* :lol:
  • Foxy
  • Guru
  • Guru
  • User avatar
  • Posts: 1038
  • Loc: places..

Post 3+ Months Ago

Lazy AOL can't spell correctly :P


eh, good to know..
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Heehee... I didn't see it either until I saw them all grouped together in Jim's prior post. Then I'm like, "what's up with that"?
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

For the benefit of TDP1954x I'm posting the removal instructions (modified) again. In case he missed my first post.
----------------------------------------

I think this is the problem: OHWNBEIU.EXE

Kill that process: Enter this in start > Run:

TASKKILL /F /IM OHWNBEIU.EXE


Run Hijack this again, scan and fix these entries:

O4 - HKLM\..\Run: [AOL Instent Messenger] OHWNBEIU.EXE
O4 - HKCU\..\RunOnce: [AOL Instent Messenger] OHWNBEIU.EXE

Go to your system32 directory and delete OHWNBEIU.EXE.

If you can't delete that file or can't find it, try entering these commands from a command prompt:
Code:
attrib -r -h -s %systemroot%\system32\OHWNBEIU.EXE
del %systemroot%\system32\OHWNBEIU.EXE


See if you can launch task manager and regedit. Reboot and try task manager and regedit again. Do another scan with Hijack this and post the new log. Just to be safe...


In my search for a solution, I did run across a nice little program called Process Explorer.
http://www.sysinternals.com/ntw2k/freew ... cexp.shtml

It's more detailed than Task Manager and it's free.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Try running MSCONFIG as well. This appears to be affected also. It appears to me that what this trojan is doing is attempting to block any means you have of killing its processes.
  • TDP1954x
  • Newbie
  • Newbie
  • TDP1954x
  • Posts: 11

Post 3+ Months Ago

Ran virus check, found no viruses.
  • JrzyCrim
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 2062

Post 3+ Months Ago

Okay. Try following the instructions in my last post and see if that takes care of the problem.
  • LAbrego
  • brego from LA
  • Web Master
  • User avatar
  • Posts: 2854

Post 3+ Months Ago

ATNO/TW wrote:
OMG are we blind or what? Look at the spelling in the regkey:

Quote:
[AOL Instent Messenger]


Since when is "Instant" spelled "Instent"? *lmao


LOL, I saw that at the first glance at Jim's post, but I never thought you didn't notice. In fact, I thought you were telling TDP1954x to fix it because you saw the spelling, not the name of the file!! LOL
  • TDP1954x
  • Newbie
  • Newbie
  • TDP1954x
  • Posts: 11

Post 3+ Months Ago

Yes, MSCONFIG does the same thing. Looks like my fate is sealed. Probably have to reload the OS.
Post Information

  • Total Posts in this topic: 132 posts

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.