Another way to task manager please

***Nokia*** · March 22nd, 2006, 12:50 AM

I remember from my windows 98 days that there was a something config that would pull up a box like task manager, and on one of the tabs, there was startup processes

You can just go to your system information in 98 then > tools > System Configuration.

This has been removed from 2000 and later though so you just run msconfig from the run prompt and select the startup tab.

Typing "taskmagr" does work from the run prompt in XP home.

or right click on the task bar and the third option from the bottom is task manager
or, open a command prompt and type taskmgr
or, browse to C:/Windows/System32/taskman
or, Create a notepad document, then type taskmgr.exe then save it as ????.bat. Double click it and taskmanager should open.
or, type C:\windows\system32\taskmgr.exe in to the address bar of Internet Explorer.
or, try CTL SFT ESC instead of CTL ALT DEL.

or, if it has been disabled for some reason, copy the following in to the run prompt:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

This adds a key to the registry that enables task manager (if you are allowed to change the registry that is)

If you have been restricted from editing the registry, try pasting the following in to the run prompt:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

Again, it may or may not work depending on how locked down the box is and the method used to disable access to the registry.

Or if you have absolutly no rights to do pretty much anything, try the following:

Right-click the Start button and choose Open. Double-click Programs, then double-click Startup. Choose Start, Search, For Files or Folder, type taskmgr.exe in the top box, enter your start-up drive in the 'Look in' box (for most people it will be c:\), and click Search Now. When you see the Task Manager program file listed in the Search Results window, right-drag it to your open Startup folder. When you release the mouse button, choose Create Shortcut(s) Here. Now right-click the new shortcut and choose Properties. Select the Shortcut tab and choose Minimized from the Run drop-down list. Click OK. To keep Task Manager out of your way when you don't need it, double-click the shortcut to launch it, and in the menu bar at the top of the Task Manager window, choose Options, Hide When Minimized.

Task Manager will now start invisibly, but you'll be able to open its window anytime by double-clicking the CPU-usage icon in the system tray.

Or, if that does not work open the schedule a task wizard from the system tools folder > add a scheduled task > if taskmgr in not in the list browse to the taskmgr in the Windows/system32 folder or if access to the Windows folder has been disabled just type the path in > then select "start when pc boots up"! - this should by-pass any restrictions (providing scheduled tasks has not been disabled)

If you cant open it after trying all of the above..........fond a big hammer and take your frustration out on the box!!!

**rapier57** · March 22nd, 2006, 02:05 AM

From your first post, it sounds like the system may have a dialer infection, or a hijacker. In any case, it will take you hours to get a prompt that you can work with. It is just best to bounce the sucker (power off and on, do not throw out window) and take it into SAFE MODE! (as our buddy nihil suggested, and you will need local admin access for this). Make sure one of the first things you do is turn off System Restore. Then, proceed with the normal system cleaning operations (Hijackthis, spyware scans, AV scans, etc).

Once you are all cleaned up, don't forget to turn System Restore back on.

**JonnyFrond** · March 22nd, 2006, 02:13 AM

Well my geekable frocktoids, I am halfway through my problem now, and so far I would love to give Dalek some love, for his little startup program, brilliant, but I have been told that too much love can me dangerous, and Nokia for just being Nokia, and generally being a phone that works. Since microsoft stole all the OS help files and stuck them in the oh so helpfull Help center, the generally curious, but not curious enough to really be that bothered, just can't get to learn anything these days.

Update though, I have finally found a way to get into safe mode, as that was my problem I couldn't get to it. Done all so called scans, just doing more windows updates, and a couple of online Virusl scans, and I shall be posting a hijack this log in the morning I guess.

Over and out

Frurk Snoidal

***Nokia*** · March 22nd, 2006, 02:53 AM

Oh, kinda skipped a few posts back there, thought you where still wondering how to open the task manager up!

O well!

**JonnyFrond** · March 22nd, 2006, 11:45 AM

Ok, we're getting somewhere, this pc is now useable, there was about 20 things on start up, 5 of them were different internet connections all conflicting with each other.

I have 2 things left now, and they are "ntoskrnl.exe" is corrupt, I found this, but wanted to know if it is easy, or is it likely to take me 2 steps back.

And a hijack this log.

Logfile of HijackThis v1.99.1
Scan saved at 10:33:08, on 22/03/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
C:\WINDOWS\System32\CePMTray.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iesearch.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.netscape.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CeEKey.exe] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPadNF\TPTray.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/game...ts/y/ot0_x.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...up1.0.0.15.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1138189999820
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

This laptop is purely used fo the internet, messenger and itunes, and not much else. We are on BTinternet as our service provider. b

Thanks guys, you have got me out of some doo doo

Doo Doo FrooDoo

***brokencrow*** · March 22nd, 2006, 12:32 PM

Your Toshiba laptop sounds like a real booger. The HJT log looks pretty clean. You could delete this one, but it's not problematic at this point:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...fo/bt_side.html

You having issues with MSN Messenger?

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

Personally, I'd run an online AV check (I prefer Panda's scan) just to make sure. HJT doesn't deal with the new 'rogues' out there, like vcodec and spyaxe, as well, so it's not as definitive as it once was.

Ugh, ntoskrnl.exe error? Sounds like Windows is corrupted. What kind of problems are you still having? Specific error messages?

***dalek*** · March 22nd, 2006, 01:25 PM

Jonno

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com

O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com

O14 - 'Reset Web Settings' hijack
What it looks like:

O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com

What to do:
If the URL is not the provider of your computer or your ISP, have HijackThis fix it.

HJT Tutorial

I would allow HJT to fix these.....

**JonnyFrond** · March 22nd, 2006, 01:25 PM

Yup, it's a booger for sure, but then it is the ideal computer to learn on, cos if it can't be fixed it can go in the bin. I was considering doing a OS reinstall, as I have XP, though I don't have any of the drivers for this laptopl and don't know where to get them. Is there a way to grab them off the laptop, put them on a disc and then put them back on after the install?

As for the ntoskrnl.exe On the boot up it always goes to the Windows advanced options menu where you choose to boot up normally or go to safe mode. Pick Start windows normally - windows xp home edition - Then this message:

Windows could not start because the following file is missing or corrupt:
<Windows root>\system32\ntoskrnl.exe.
Please re-install a copy of the above file.

As I say, I can get passed it, but if it is easy to do, I would like to, as I am being a proud father at the moment, and the people in the house are polishing my ego.

J

p F;o)>

***dalek*** · March 22nd, 2006, 01:32 PM

ntoskrnl.exe

Could very well be a result of this W32/BOLZANO.L

This is a Windows 95/98 and NT virus that infects PE EXE files. It is a polymorphic, per-process resident and direct-action infector. The virus is encrypted in the host file and will be decrypted by a small decryptor consisting of random opcodes. The direct-action infection is fast: when an infected file is run, the virus goes through all the PE files in the various directories for infecting them.

The decrypted virus body contains strings of Windows API functions and directories used by the virus:

CreateFileMappingA, CreateThread, DeleteFileA, DosDateTimeToFileTime, FindClose, FindFirstFileA, FindNextFileA, GetCurrentDirectoryA, GetDriveTypeA, GetFileSize, GetLocalTime, GetTickCount, FileTimeToDosDateTime, MapViewOfFile, SetFileAttributesA, SetFileTime, UnmapViewOfFile, _llseek, _lopen, _lread, _lclose, _lwrite

C:\NTLDR
C:\WINNT\system32\ntoskrnl.exe
C:\WINNT\system32\MSV1_0.dll
\WINDOWS\Cookies\*.*
\WINNT\Cookies\*.*

If the administrative privileges are present, W32/Bolzano.l modifies NTOSKRNL.EXE and NTLDR.EXE in order to preserve these rights in some future sessions. With this trick it would be then possible for the virus to infect any file on an NTFS volume even only with Guest rights. The AVERT however did not try to produce this behaviour.

W32/Bolzano.l deletes the files in the Cookies sub-directory.

The a, b, c, h and i variants of this virus are simple PE appending virus and are not crypted.

The d variant does not replicate well and is nearly intended.

W32/Bolzano.e, f, g and l patch multiple CALL's in the host's code to point at the virus body instead of modifying the PE executeable's entry point.

The variants e, f, g and l are polymorphic viruses.

Source

Recommend a couple of online scans.....

***dalek*** · March 22nd, 2006, 01:43 PM

This is legitimate....

O18 Extra protocols and protocol hijackers
Field Value
Header Protocol
CLSID {828030A1-22C1-4009-854F-8E305202313F}
Name msnim
Path/File msgrapp.dll (often incorrectly listed by HijackThis as missing)
Status L
Description MSN Messenger 7.5
Viewed 4873 times since Jul 8 2005, 2200 Hours UTC-4.

STATUS KEY:

"L" - Legitimate
"O" - Open to Debate
"X" - Malware/Bad
"?" - Unknown

castlecops

Thread: Another way to task manager please

Thread Tools

Display

Posting Permissions