
problem with Task Manager and cash

Discussion in 'Malware and Virus Removal Archive' started by engms, 2006/08/15.

  1. 2006/08/15
    engms

    engms Inactive Thread Starter

    Joined:
    2006/08/15
    Messages:
    1
    Likes Received:
    0
    hi all
    am new here
    anyone said welcome!!

    I have a strange problem
    sometimes when I close any program (Word - Notepad - UltraEdit - Outlook or any other)
    it closes without a problem but it is still shown in the Task Manager as a running process
    and I have to end it manually from Task Manager

    also, if I closed Notepad for example and I need it again, I try to open it
    but nothing works, it doesn't start; I have to go to Task Manager and close the old running Notepad process and run the program again, then it starts correctly
    does anyone have an explanation??
     
  2. 2006/08/16
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello engms and welcome to the Board :)

    I assume that in your problem with Task Manager and cash you meant crash.

    Do you get a blue screen or any error messages from the system?

    Go to the Control Panel via the Start menu, then Performance and maintenance (if you're using XP view).

    Then Administrative Tools, then Computer Management.

    On the left you will see Event Viewer. Expand that (click on the plus sign).

    Then click on System. See if there are any errors being logged by the system when the problem occurs.

    Right clicking on a line and then clicking on Properties will give you a window with more info concerning that line. You'll see in the top section, right below the down arrow, a text graphic symbol. Clicking on that will place the error info text into your clipboard (memory). Bring up Notepad, right click and paste; that will transfer it to Notepad. You can then paste the text into your next post here.

    Regards - Charles
     


  4. 2006/08/16
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
  5. 2006/09/15
    roy66

    roy66 Well-Known Member

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    "Task Manager has been disabled by your Administrator" is what I get.
    I am the only one using this PC and have no idea why this has come up.
    I have tried Welshjim's fix, which is only good as long as I don't reboot.
    I would like to get to the source of the problem and fix it there.

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7000
    Date: 9/15/2006
    Time: 8:41:06 PM
    User: N/A
    Computer: HOME-NV1B5UCVNT
    Description:
    The Application Layer Gateway Service service failed to start due to the following error:
    The service did not respond to the start or control request in a timely fashion.
    ----------------------------------------------------------------------------------------------------
    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7009
    Date: 9/15/2006
    Time: 8:41:06 PM
    User: N/A
    Computer: HOME-NV1B5UCVNT
    Description:
    Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
     
    Last edited: 2006/09/15
  6. 2006/09/17
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Roy,

    I don't think the Application Layer Gateway Service error has anything to do with the problem with TM.

    But to test that, go into the Services page of XP and if Application Layer Gateway Service is set to manual, set it to Automatic and see if that eliminates the error.

    Regards - Charles
     
  7. 2006/09/17
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
  8. 2006/09/23
    roy66

    roy66 Well-Known Member

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    I still haven't won the battle on this one
     
  9. 2006/09/23
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Roy,

    Picking up on Bill's idea, post a HJT log and we'll take a look at it.

    Download HijackThis from here: http://radiosplace.com/

    Regards - Charles
     
  10. 2006/09/23
    roy66

    roy66 Well-Known Member

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Logfile of HijackThis v1.99.1
    Scan saved at 7:55:34 AM, on 9/24/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\BAxBEx\bxOE\bxOEPluginAR.exe
    C:\Program Files\Prevx1\PXConsole.exe
    C:\Program Files\Advanced WindowsCare V2\Awc.exe
    C:\Program Files\Picasa\PicasaMediaDetector.exe
    C:\Program Files\AutoSizer\AutoSizer.exe
    C:\Program Files\ALPass\ALPass.EXE
    C:\Program Files\Plaxo\2.10.0.32\PlaxoHelper.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    C:\Program Files\MiniMind\MiniMind.exe
    C:\Program Files\Avast4\aswUpdSv.exe
    C:\Program Files\Avast4\ashServ.exe
    C:\WINDOWS\system32\LxrSII1s.exe
    C:\Program Files\Prevx1\PXAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Avast4\ashMaiSv.exe
    C:\Program Files\Avast4\ashWebSv.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\SiteAdvisor\SiteAdv.exe
    C:\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: ALPassHelper Class - {00533B73-E574-46E9-B06A-FDF4592E67CB} - C:\WINDOWS\system32\ApsHelper08.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\saIE.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\saIE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [bxAutoZipOE] C:\Program Files\Common Files\BAxBEx\bxOE\bxOEPluginAR.exe
    O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe "
    O4 - HKLM\..\Run: [Advanced WindowsCare] "C:\Program Files\Advanced WindowsCare V2\Awc.exe" /startup
    O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels8.exe
    O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe "
    O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
    O4 - HKCU\..\Run: [ALPass] C:\Program Files\ALPass\ALPass.EXE /minimized
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.10.0.32\PlaxoHelper.exe -a
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - Startup: avast! Antivirus.lnk = C:\Program Files\Avast4\ashAvast.exe
    O4 - Startup: MiniMinder.lnk = C:\Program Files\MiniMind\MiniMind.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: ALPass - {572E3910-4764-4E88-8929-176B2B192FF7} - C:\Program Files\ALPass\ALPass.exe
    O9 - Extra 'Tools' menuitem: ALPass - {572E3910-4764-4E88-8929-176B2B192FF7} - C:\Program Files\ALPass\ALPass.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
    O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150404694250
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  11. 2006/09/24
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Roy,

    First, I don't see anything malicious running and we can pretty much rule that out. Others may see something that I don't though.

    I do see these two entries:

    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)

    O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)

    The missing file condition I don't think should be there. Don't fix them with HJT - they are both Services and I don't know what the effect would be. I did find the Avast forum http://forum.avast.com/ - you should ask there. I can't find a forum for Prevx, but it does have a Support page. It may turn out not to be significant, or may need a reinstall.

    Troubleshooting the TM problem:

    Do this - fix the problem with the script from Kellys that Jim linked to, which you write is temporary until the next boot. When you boot after the fix, boot into Safe Mode. If the fix sticks, then that would indicate that it's one of the apps that's doing this. In that case, I would suggest shutting down all the startup items, and restarting with no apps running. Then after that, start up each separately. Start with the "heavy hitters" - Avast, ZA, Prevx - each has Services running, so you have to disable the service entries for each one and then re-enable the Service to start it up again. But you can't rule anything out; almost all apps/printer/mouse processes write to the Registry.

    You may want to use Autoruns to disable the startups with, easier and more comprehensive than msconfig http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

    If TM still gives you a problem in Safe Mode, then there is something broken in Windows.

    You can start with using sfc scannow http://www.helpwithwindows.com/WindowsXP/howto-24.html and if no joy, a Windows repair http://www.michaelstevenstech.com/XPrepairinstall.htm

    Or another suggestion is to try a Reg cleaner http://www.hoverdesk.net/freeware.htm

    Be careful with it, make manual System Restore points before making any changes and if presented with a lot of "fixes", do a little at a time - don't fix tens or hundreds of entries at a time :rolleyes:

    Regards - Charles
     
  12. 2006/09/24
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Roy,

    Turns out I missed something nasty, thanks to TeMerc for catching it.

    This line
    O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels8.exe

    Fix that line in HJT and then delete kernels8.exe - try to delete it in Safe Mode. If the file still won't delete - Use Move On Boot, download from here:
    http://www.snapfiles.com/get/moveonboot.html to delete it. It will add a new item to your right click Context Menu, target that file with Move on Boot, and then reboot.

    Then, scan with Ewido:

    The following is TeMerc's instructions on scanning with Ewido:

    1. Repost another HJT log afterwards.

      I'm moving this thread to the malware removal section.

      Regards - Charles
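
The kind of check that would surface the line caught above, as an added example that is not part of the original posts: a small Python triage pass over HijackThis O4 and O23 lines. The function name `triage` and the three heuristics are assumptions chosen for illustration; a flag means "look at this by hand", not a verdict. The sample lines are copied from the log posted earlier in this thread.

```python
import re

# Sample input: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels8.exe
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

# O4 registry autostart line: hive, key name, value name, command line.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Executable sitting directly in system32 (no vendor subdirectory).
SYSTEM32_RE = re.compile(
    r'^"?[A-Za-z]:\\WINDOWS\\system32\\[^\\"]+\.exe', re.IGNORECASE)


def triage(log_text):
    """Return (line, reasons) pairs for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        m = O4_RE.match(line)
        if m:
            # Heuristic 1 (assumption): autostart registered under RunServices*.
            if m.group("key").lower().startswith("runservices"):
                reasons.append("autostart via RunServices key")
            # Heuristic 2 (assumption): autostart image directly in system32.
            if SYSTEM32_RE.match(m.group("cmd")):
                reasons.append("autostart image directly in system32")
        elif line.startswith("O23 - ") and line.endswith("(file missing)"):
            # Heuristic 3: HijackThis itself reports the service image missing.
            reasons.append("service image path reported missing")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print("; ".join(reasons), "->", line)
```
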
     
  13. 2006/09/24
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
    The following registry key is changed:

    - [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    New value:
    - DisableTaskMgr = 1

    Which would explain why Task Manager does not work.

    Your problem is discussed here:
    http://www.avira.com/en/threats/section/fulldetails/id_vir/2525/tr_dldr.tibs.hh.html

    You might want to supplement Ewido with an Antivirus scan, as nominally this is a virus/trojan and not spyware. Consider doing two on-line scans (I would do Kaspersky and Trend Micro): http://windowsxp.mvps.org/Scanners.htm
     
  14. 2006/09/25
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    That line is becoming more and more blurred with each passing day. Especially as so many spywares are labeled trojans more than viruses.
     
  15. 2006/09/26
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
  16. 2006/10/02
    roy66

    roy66 Well-Known Member

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Charles,
    Thanks for taking time out to help me with this issue. Sorry for the delay, but I have only just gotten around to following your suggestion.
    I loaded the "script", tried it and it worked. I then booted into Safe Mode and it worked OK.
    I rebooted the PC and the Task Manager is functioning OK now.

    Thanks for your helpful advice.

    Roy66
     
