TechSpot

Task Manager Problems

By Izopyn
Jun 22, 2005
  1. Hey... I've been up all night and day on this~

    I had a few bugs, spies, and ads on my computer yesterday that were preventing me from accessing Task Manager, and constantly opening up the LimeWire P2P program. I zapped everything I could with Norton, AdAware, Spybot and HijackThis in Safe Mode, removed LimeWire, and defragged just to be on the safe side. That fixed the problem~

    I did some research into LimeWire, and found several testimonies from those more computer-savvy than I claiming to have tried and tested LimeWire for any malicious files and found it to be free of them.

    So I redownloaded and installed LW, and now my task manager won't open again. Though, this time, Hijack, Adaware, Spybot and Norton tell me that my computer is clean. Hidden files and file extensions appear, and I've run everything in normal mode and Safe Mode. I've fiddled with msconfig trying all types of startup configurations, and still nothing.

    Does anyone have an insight?

    Thank you~
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Have you tried clicking start, run, and typing taskmgr.exe into the run box and hitting enter?

    If that works, look for any unusual entries in the task manager window under processes.

    Regards Howard :wave: :wave:
     
  3. Izopyn

    Izopyn TS Rookie Topic Starter Posts: 22

    Doesn't work, but I tried AVG and it told me that I have Win32.P2P-Worm.Alcan.a

    How can I fix this?
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    First turn off system restore. This will delete all your restore points, which is where a lot of virii live. That's why AVG won't be able to kill it, because it can't get into system restore.

    Now run your antivirus programme again. See if it finds/kills it this time.

    If it does, reboot your system, and turn system restore back on.

    Regards Howard :grinthumb
     
  5. Vigilante

    Vigilante TechSpot Paladin Posts: 2,120

    howard, you said "virii", is that the official "plural" of virus? lol

    Ya run your AV scan again and post here (if anything is found) the PATH to the file, including the file name. Or just post your scan log, whatever.

    Do you get some type of error when you try to open Task Manager? Like press ctrl-alt-del? Or right-click the Task Bar and select Task Manager. Any popups?

    Otherwise, if Task Manager is just plain "off", there is a registry key to turn it back on:
    Go into the registry (start-run 'regedit'). And follow this:

    Hive: HKEY_CURRENT_USER
    Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
    Name: DisableTaskMgr
    Type: REG_DWORD
    Value: 1 = Enable this key, that is, DISABLE Task Manager
    Value: 0 = Disable this key, that is, don't disable; ENABLE Task Manager

    This is taken from http://www.windowsnetworking.com/kb...ableDisableTaskManagerinWindowsXPHomePro.html

    Good luck.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Having just looked it up in the dictionary, I have to say I'm completely wrong. There is no such word as virii. The correct plural of virus is viruses.

    I therefore will never again use virii to mean viruses. :blush:

    Regards Howard :haha: :haha:
     
  7. Izopyn

    Izopyn TS Rookie Topic Starter Posts: 22

    Well, at least this thread has done some good :)

    I had system restore turned off to begin with :/

    AVG detected "Trojan horse BackDoor.Iroffer.f" as an infected and imbedded object, and was unable to quarantine or delete it.
     
  8. Izopyn

    Izopyn TS Rookie Topic Starter Posts: 22

    Oh, and regarding task manager.

    No message or notice when I ctrl+alt+del, just nothing.

    When I run taskmgr.exe I'm told that another program is using it.
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    To remove the Trojan horse BackDoor.Iroffer.f manually, you need to access the task manager which clearly you cannot do at the moment.

    Go HERE and follow the instructions exactly.

    Once you have done that go HERE for instructions on how to post your Hijackthis log.

    Regards Howard :)
     
  10. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Or copy c:\windows\tskman.exe to another directory, and rename it e.g. tsk.exe;
    double-click that to kill any nasty processes.
     
  11. Vigilante

    Vigilante TechSpot Paladin Posts: 2,120

    I think it's "taskmgr.exe", right? You may also be able to rename it from "EXE" to "COM". That works for regedit I know.

    Download PrcView from this link: http://www.svrops.com/svrops/downloads/zipfiles/PrcView.zip

    That should get you into your processes to remove that junk. If not, use the DOS version "pv" that comes with it to do the job from a command prompt.
     
     
  12. IronDuke

    IronDuke TS Rookie Posts: 1,267

    A little ooops from RBS there. Excusable, as like us he is suffering with the heat.
     
  13. Izopyn

    Izopyn TS Rookie Topic Starter Posts: 22

    I was unable to find a 'tskmgr.exe' in my WINDOWS file, but there was a TASKMAN.exe. I was unable to open it; I tried changing the name to tsk.exe, and was unable to open that as well.

    Had already done what RBS' post (the one HH linked to) said to do, and followed HJT with NAV and AVG, and this time they all found nothing.

    Still, no task manager action is happening :dead:

    I'm pretty sure I'm clean by HJT's account, but I've attached a log anyway.
     

  14. IronDuke

    IronDuke TS Rookie Posts: 1,267

    Vigilante corrected the file to: taskmgr.exe.

    Taskman.exe was put there by either AUTOTROJ-C TROJAN or FORBOT-T WORM

    So turn off system restore and boot into safe mode.

    Assuming AVG is up-to-date run it.
    Then move HiJackThis to somewhere such as C:\HJT. You haven't read the stickies.
    Then post a new HJT.log.

    System restore needs to be turned back on - when all is clean.
     
  15. Izopyn

    Izopyn TS Rookie Topic Starter Posts: 22

    AVG isn't letting me update... It seems to only have settings for dialup.

    I tried downloading the update directly, then just uploading the update into the program, but it didn't recognize the file as a new update.
     
  16. IronDuke

    IronDuke TS Rookie Posts: 1,267

    Go back to safe mode with system restore still turned off. Type taskmgr.exe in the run box (hopefully it is still there). On the Processes tab look for TASKMAN.EXE right click (if it is there) and select End Process. Then in Explorer search for TASKMAN.EXE and delete all references.

    Clear out your Temp files. Try Crap Cleaner. If you don't want to use it, the download page tells where all your temp files are.

    Then we can attach a HJT.log.
     
  17. Izopyn

    Izopyn TS Rookie Topic Starter Posts: 22

    Ok, I did what you said, and TASKMAN is history. Used CC as well, and still no task manager worky.

    Any suggestions on how to get my AVG updated?
     
  18. IronDuke

    IronDuke TS Rookie Posts: 1,267

    You should have a Control Centre running in the system tray. Icon is a square quartered in four colours. Click Update Manager and then click the update button and choose Internet.
    Search for taskmgr.exe in Explorer. It should be in \system32. If it is not, there may well be one under \service pack\I386 which you can copy to the correct location. If not, come back.
     
  19. Vigilante

    Vigilante TechSpot Paladin Posts: 2,120

    Something seems fishy cause if taskmgr was "missing", it would say it was missing. If it was a policy, Windows would say it has been disabled by your administrator. But if simply "nothing" happens when running it, it could be that it is infected or corrupt. Could very well be that when running taskmgr you are running the very same virus you're trying to kill!
    Just a theory.

    I still say download PrcView and run that. It will give you an even MORE detailed view of your processes and let you kill them. The "real" taskmgr most likely needs to be extracted from an XP disk and restored.
     
  20. IronDuke

    IronDuke TS Rookie Posts: 1,267

    Thanks for your intervention Vigilante. I'm not sure if he has actually run taskmgr yet. Watch this space.
     
  21. Izopyn

    Izopyn TS Rookie Topic Starter Posts: 22

    AVG won't connect to the internet... I use DSL, and the settings for the updater appear to work only with dialup?

    I tried rebooting and scanning again... and the worms showed up on AdAware again. I've enclosed the following HJT log, but it doesn't appear (to me) to reveal anything.

    After this, when I tried running taskmgr.exe in Run, it again told me that the program is already running.

    I will download PrcViewer now, but I think it may solve the problem if I can just figure out how to update AVG :hotbounce
     
  22. Izopyn

    Izopyn TS Rookie Topic Starter Posts: 22

    Ran PrcView, and here are the 'suspicious' processes running. (Suspicious = unfamiliar).

    cisvc, claiming to be a MS Corp. "content index service"
    cidaemon, claiming to be a MS Corp. "Indexing Service filter daemon"
    6 scvhosts running, shouldn't there only be 3 or 4?
    windows and symantec updates are both running... this seems odd to me.

    That's all for now, thanks for recommending the program!
     
  23. Izopyn

    Izopyn TS Rookie Topic Starter Posts: 22

    The worm is in a process called winupdates...

    I'm able to use taskmgr after I've killed it in processes, but it reopens itself and I am again unable to open TM... any thoughts?
     
  24. IronDuke

    IronDuke TS Rookie Posts: 1,267

    You should not be running two anti-virus programs; I'd favour AVG.

    Turn system restore off. Restart in safe mode.
    Run HJT and check the following in the box to their left.

    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [sasktelinstall] D:\install\Xtras\OE_Patch.exe
    O4 - HKLM\..\Run: [myNetWatchman] C:\Program Files\myNetWatchman\NWClient.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13.hotmail.msn.com/resources/MsnPUpld.cab
    O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe


    Delete:
    C:\Program Files\winupdates --all files and folders.
    C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe

    Run Crap Cleaner & post new log.

    Turn on system restore if all is clean.
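
An added example, not part of the original thread and not HijackThis's own code: it parses a few of the O4 (Run key) and O23 (service) lines quoted in the post above and reports which autostart entries point at the paths the post says to delete, so the registry and service entries can be fixed along with the files. The function names are hypothetical, and only the line formats shown in that post are handled.

```python
import re

# Lines copied from the HijackThis excerpt in the post above.
HJT_LINES = r"""
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
""".strip().splitlines()

# Paths the post says to delete: one directory and one single file.
REMOVAL_TARGETS = [r"C:\Program Files\winupdates",
                   r"C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe"]

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)

def parse(lines):
    """Return one dict per O4 (Run key) or O23 (service) entry."""
    entries = []
    for line in lines:
        m = O4_RE.match(line) or O23_RE.match(line)
        if not m:
            continue  # other sections (e.g. O16) are skipped here
        rec = m.groupdict()
        rec["section"] = line.split(" ", 1)[0]
        exe = EXE_RE.match(rec["cmd"])  # quoted path, or text up to the first ".exe"
        rec["image"] = (exe.group(1) or exe.group(2)) if exe else rec["cmd"]
        entries.append(rec)
    return entries

def references_target(image, targets):
    """True if image is a target file or lives under a target directory."""
    img = image.lower()
    return any(img == t.lower() or img.startswith(t.lower().rstrip("\\") + "\\")
               for t in targets)

def leftover_autostarts(lines, targets):
    """(section, name, service owner or None) for entries that load a removal target."""
    return [(e["section"], e["name"], e.get("owner")) for e in parse(lines)
            if references_target(e["image"], targets)]

if __name__ == "__main__":
    for row in leftover_autostarts(HJT_LINES, REMOVAL_TARGETS):
        print(row)
```
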
     
  25. Vigilante

    Vigilante TechSpot Paladin Posts: 2,120

    If I might recommend another program to try, it's called "autoruns" and you can get it from sysinternals: http://www.sysinternals.com/Utilities/Autoruns.html

    Check in each tab for your suspicious entries (in safe mode) and remove them there. Or post here first. You can save a log by using the save button, but it's not laid out very well, but post that here if you like. You can also check startups for each user account up in the menu. Note that this program almost literally checks EVERY conceivable startup location. Places in the registry you would never know contain a startup. Far more places than adware progs and hijackthis check. So it's a good prog to run.

    Speaking of user accounts, make sure you run your virus scanner, adware scanners, and HJT in EACH user account, in Safe Mode. As each account can have its own spyware and startups.

    As for your AVG, you might read around this page: http://www.grisoft.com/doc/42/lng/us/tpl/tpl01

    I think you may have a proxy set, or some other connection. Maybe you can change it by this info. Or maybe that will lead you somewhere. They also have instructions to manually update.

    cheers
     
Topic Status:
Not open for further replies.