Task Manager Problems

Status
Not open for further replies.

Izopyn

Hey... I've been up all night and day on this~

I had a few bugs, spies, and ads on my computer yesterday that were preventing me from accessing Task Manager, and constantly opening up the LimeWire P2P program. I zapped everything I could with Norton, AdAware, Spybot and HijackThis in Safe Mode, removed LimeWire, and defragged just to be on the safe side. That fixed the problem~

I did some research into LimeWire, and found several testimonies from people more computer-savvy than I claiming to have tried and tested LimeWire for any malicious files and found it to be free of them.

So I redownloaded and installed LW, and now my task manager won't open again. Though, this time, HijackThis, AdAware, Spybot and Norton tell me that my computer is clean. Hidden files and file extensions appear, and I've run everything in normal mode and Safe Mode. I've fiddled with msconfig trying all types of startup configurations, and still nothing.

Does anyone have an insight?

Thank you~
 
Hello and welcome to Techspot.

Have you tried clicking Start, Run, typing taskmgr.exe into the Run box and hitting Enter?

If that works, look for any unusual entries in the Task Manager window under Processes.

Regards Howard :wave: :wave:
 
Doesn't work, but I tried AVG and it told me that I have Win32.P2P-Worm.Alcan.a

How can I fix this?
 
First turn off system restore. This will delete all your restore points, which is where a lot of virii live. That's why AVG won't be able to kill it, because it can't get into system restore.

Now run your antivirus programme again. See if it finds/kills it this time.

If it does, reboot your system, and turn system restore back on.

Regards Howard :grinthumb
 
howard, you said "virii", is that the official "plural" of virus? lol

Ya run your AV scan again and post here (if anything is found) the PATH to the file, including the file name. Or just post your scan log, whatever.

Do you get some type of error when you try to open Task Manager? Like press ctrl-alt-del? Or right-click the Task Bar and select Task Manager. Any popups?

Otherwise, if Task Manager is just plain "off", there is a registry key to turn it back on:
Go into the registry (start-run 'regedit'). And follow this:

Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
Name: DisableTaskMgr
Type: REG_DWORD
Value: 1 = Enable this key, that is, DISABLE Task Manager
Value: 0 = Disable this key, that is, don't disable; ENABLE Task Manager

This taken from http://www.windowsnetworking.com/kb...ableDisableTaskManagerinWindowsXPHomePro.html

Good luck.
 
howard, you said "virii", is that the official "plural" of virus? lol

Having just looked it up in the dictionary, I have to say I'm completely wrong. There is no such word as virii. The correct plural of virus is viruses.

I therefore will never again use virii to mean viruses. :blush:

Regards Howard :haha: :haha:
 
Well, at least this thread has done some good :)

I had system restore turned off to begin with :/

AVG detected "Trojan horse BackDoor.Iroffer.f" as an infected and imbedded object, and was unable to quarantine or delete it.
 
Oh, and regarding task manager.

No message or notice when I ctrl+alt+del, just nothing.

When I run taskmgr.exe I'm told that another program is using it.
 
To remove the Trojan horse BackDoor.Iroffer.f manually, you need to access the task manager which clearly you cannot do at the moment.

Go HERE and follow the instructions exactly.

Once you have done that go HERE for instructions on how to post your Hijackthis log.

Regards Howard :)
 
I was unable to find a 'tskmgr.exe' in my WINDOWS file, but there was a TASKMAN.exe. I was unable to open it; I tried changing the name to tsk.exe, and was unable to open that as well.

Had already done what RBS' post (the one HH linked to) said to do, and followed HJT with NAV and AVG, and this time they all found nothing.

Still, no task manager action is happening :dead:

I'm pretty sure I'm clean by HJT's account, but I've attached a log anyway.
 

Attachments

  • hijackthis.txt
    6.6 KB · Views: 13
Vigilante corrected the file to: taskmgr.exe.

Taskman.exe was put there by either AUTOTROJ-C TROJAN or FORBOT-T WORM

So turn off system restore and boot into safe mode.

Assuming AVG is up-to-date run it.
Then move HiJackThis to somewhere such as C:\HJT. You haven't read the stickies.
Then post a new HJT.log.

System restore needs to be turned back on - when all is clean.
 
AVG isn't letting me update... It seems to only have settings for dialup.

I tried downloading the update directly, then just uploading the update into the program, but it didn't recognize the file as a new update.
 
Go back to safe mode with system restore still turned off. Type taskmgr.exe in the run box (hopefully it is still there). On the Processes tab look for TASKMAN.EXE, right click it (if it is there) and select End Process. Then in Explorer search for TASKMAN.EXE and delete all references.

Clear out your Temp files. Try Crap Cleaner. If you don't want to use it, the download page tells where all your temp files are.

Then we can attach a HJT.log.
 
Ok, I did what you said, and TASKMAN is history. Used CC as well, and still no task manager worky.

Any suggestions on how to get my AVG updated?
 
You should have a Control Centre running in the system tray. Icon is a square quartered in four colours. Click Update Manager and then click the update button and choose Internet.
Search for taskmgr.exe in Explorer. It should be in \system32. If it is not, there may well be one under \service pack\I386 which you can copy to the correct location. If not, come back.
 
Something seems fishy cause if taskmgr was "missing", it would say it was missing. If it was a policy, Windows would say it has been disabled by your administrator. But if simply "nothing" happens when running it, it could be that it is infected or corrupt. Could very well be that when running taskmgr you are running the very same virus you're trying to kill!
Just a theory.

I still say download PrcView and run that. It will give you an even MORE detailed view of your processes and let you kill them. The "real" taskmgr most likely needs to be extracted from an XP disk and restored.
 
AVG won't connect to the internet... I use DSL, and the settings for the updater appear to work only with dialup?

I tried rebooting and scanning again... and the worms showed up on AdAware again. I've enclosed the following HJT log, but it doesn't appear (to me) to reveal anything.

After this, when I tried running taskmgr.exe in Run, it again told me that the program is already running.

I will download PrcViewer now, but I think it may solve the problem if I can just figure out how to update AVG :hotbounce
 
Ran PrcView, and here are the 'suspicious' processes running. (Suspicious = unfamiliar).

cisvc, claiming to be a MS Corp. "content index service"
cidaemon, claiming to be a MS Corp. "Indexing Service filter daemon"
6 scvhosts running, shouldn't there only be 3 or 4?
windows and symantec updates are both running... this seems odd to me.

That's all for now, thanks for recommending the program!
 
The worm is in a process called winupdates...

I'm able to use taskmgr after I've killed it in processes, but it reopens itself and I am again unable to open TM... any thoughts?
 
You should not be running two anti-virus programs; I'd favour AVG.

Turn system restore off. Restart in safe mode.
Run HJT and check the following in the box to their left.

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [sasktelinstall] D:\install\Xtras\OE_Patch.exe
O4 - HKLM\..\Run: [myNetWatchman] C:\Program Files\myNetWatchman\NWClient.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13.hotmail.msn.com/resources/MsnPUpld.cab
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe


Delete:
C:\Program Files\winupdates --all files and folders.
C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe

Run Crap Cleaner & post new log.

Turn on system restore if all is clean.
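
An added example, not part of the original thread and not HijackThis's own code: a small Python triage over the O4 (Run key) and O23 (service) entries quoted in the post above. The sample lines are copied from that post; the file-name prefixes and the system32 rule are assumptions for illustration, and a hit means "look at this by hand", not "malicious".

```python
import re

# Sample input: four lines copied from the HijackThis entries quoted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
"""

ENTRY = re.compile(r"^(O4|O23) - (.+)$")
# Path up to the first ".exe"; handles quoted paths and unquoted paths with spaces.
EXE = re.compile(r'"?([A-Za-z]:\\.+?\.exe)\b', re.IGNORECASE)
# Assumption: prefixes that make a file name look like a Windows component.
OS_LIKE = re.compile(r"^(win|nt|svc|sys|task)", re.IGNORECASE)
SYSTEM_DIR = "c:\\windows\\system32\\"


def parse(log):
    """Yield (section, label, exe_path, raw) for each O4 or O23 line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        exe = EXE.search(line)
        if not (m and exe):
            continue
        section, rest = m.groups()
        if section == "O4":
            label = rest[rest.index("[") + 1 : rest.index("]")]
        else:
            label = rest.split("Service:")[1].split(" - ")[0].strip()
        yield section, label, exe.group(1), rest


def triage(log):
    """Return {label: [reasons]} for entries that deserve a manual look."""
    findings = {}
    for section, label, path, raw in parse(log):
        reasons = []
        name = path.rsplit("\\", 1)[-1]
        if OS_LIKE.match(name) and not path.lower().startswith(SYSTEM_DIR):
            reasons.append("OS-like file name outside system32")
        if section == "O23" and "Unknown owner" in raw:
            reasons.append("service binary without owner information")
        if reasons:
            findings[label] = reasons
    return findings


if __name__ == "__main__":
    for label, reasons in triage(SAMPLE_LOG).items():
        print(label, "->", "; ".join(reasons))
```

On the sample it singles out the same two items the post says to delete: the winupdates Run entry and the NTBOOTMGR service pointing at ntuser.exe.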
 
If I might recommend another program to try, it's called "autoruns" and you can get it from sysinternals: http://www.sysinternals.com/Utilities/Autoruns.html

Check in each tab for your suspicious entries (in safe mode) and remove them there. Or post here first. You can save a log by using the save button, but it's not laid out very well, but post that here if you like. You can also check startups for each user account up in the menu. Note that this program almost literally checks EVERY conceivable startup location. Places in the registry you would never know contain a startup. Far more places than adware progs and hijackthis check. So it's a good prog to run.

Speaking of user accounts, make sure you run your virus scanner, adware scanners, and HJT in EACH user account, in Safe Mode. As each account can have its own spyware and startups.

As for your AVG, you might read around this page: http://www.grisoft.com/doc/42/lng/us/tpl/tpl01

I think you may have a proxy set, or some other connection. Maybe you can change it by this info. Or maybe that will lead you somewhere. They also have instructions to manually update.

cheers
 