WinLogon#taskman & amazonaws.com in TCP/UDP connections

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by akronohio, Dec 5, 2010.

  1. akronohio

    akronohio Private E-2

    I'm finding a malware trace (HKLM/software/microsoft/windowsNT/currentversion/WinLogon#taskman)
    and I have noticed "amazonaws.com" in TCP/UDP connections.

    What I have done so far.....
    Before finding this site:
    Created a new (fresh) admin account
    Ran my normal virus protection NOD32 (no virus found)
    Ran various programs: NORMAN, Housecall, Bitdefender, Panda, Spybot, HitmanPro, SpywareBlaster, Superantispyware, Malwarebytes.

    I found a strange "scheduled task" --set to run on every bootup, every 1 hours--I deleted the task, then deleted the directory referenced --googleupdate.exe

    Rebooted, rescanned everything, still finding all the same problems....


    AFTER finding this site, I followed directions:
    removed/updated java
    emptied quarantined
    emptied recycle bin
    ccleaner
    msconfig=normal
    (I don't have any disc emulators)
    Superantispyware (found winlogon#taskman)
    malwarebytes (nothing found)
    combofix
    rootrepeal
    mgtools

    Note: I do a lot of remote control to work, and a lot website work, so you WILL see:
    apache running
    hamachi
    teamviewer
    vnc
    dropbox
    cron
    talkswitch

    using "NETSTAT -a" I noticed an open TCP/UDP connection to --> amazonaws.com. I don't have a clue what that is all about...

    All logs attached in zipfile....

    I am having the exact same problems on my laptop, but we will face that another day.

    I accidentally started to run MGtools.bat a second time (at the very end) and stopped it... if this messed up the log files, I can rerun it and post the log again...


    Thanks for any assistance....
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is from Google Update service which you still have installed.

    Why? You need to run the scans from the original account you were having a problem with.

    You have too many Admin accounts on this PC now. I suggest that you remove all but one. You currently have the below
    Code:
    Users on this computer:
    Is Admin? | Username
    ------------------
       Yes    | Administrator
       Yes    | backuplogin
       Yes    | Cobian
       Yes    | fresh admin
       Yes    | Kel
       Yes    | test
     
    I'm not seeing any malware in your logs. I just see a bunch of locked registry keys that are not normally locked so I suggest that you do the below.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

    After clicking Fix, exit HJT.



    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Dec 5, 2010
  3. akronohio

    akronohio Private E-2

    WOW, Thanks for that SUPERFAST response....

    I did as you requested....
    I deleted some (not all) of the admin accounts
    Administrator must be a system account, it's not under accounts
    Cobian is needed for my backup program
    Kel account is ME (didn't delete, that's my main login)
    For some reason I like to have a backuplogin admin account, in case I get locked out

    but I did delete freshadmin and test..... I guess I could get rid of backuplogin and use the cobian if I'm ever locked out.... sure, I will go back and delete backuplogin also....

    Someone once told me, if you have a virus, create a new admin account and do all the virus hunting from that new, fresh, admin account... I guess that was not accurate information (or necessary) - - I'm back to logging in using my normal account now....


    Anyways,

    WOW, the Malware Trace at
    hklm/software/microsoft/current version/winlogon#taskman
    is NOW GONE ! Yea!!!!!
    (according to superantispyware)

    Files requested are attached.....

    NOW - - - I have the same malware trace on my laptop,
    I assume I can NOT just do the exact same "fix" that you gave me, but
    instead should go through all steps again, and post a new posting with
    my new "laptop" logs, is that correct ?

    Thanks again !!!
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Depends on the situation and infection. Some infections will not even let you create another user account. And if you create a new account from an already infected account, you will in many cases just be creating a new account with the same infection. It would be better just to have a restricted user account on the PC and change the permission on it when necessary to run scans requiring admin privies, or you could also just make use of the Run As Admin feature.

    It would be best to run the cleaning procedure and start a new thread for your laptop and make sure that you indicate it is a second PC.

    Your logs are basically clean, but one left over driver from Google Update still did not get removed like it should have. Let's try again. Make sure that you shutdown NOD32, Spybot's Teatimer or any other running protection before you continue.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)

    After clicking Fix, exit HJT.


    And just to be redundant, open a command prompt window by clicking Start, Run, and enter cmd and click OK. If the window opens type each of the below commands in. Follow each by the enter key. Note there are spaces after the sc and after the stop and after the delete.

    sc stop gupdate
    sc delete gupdate


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. akronohio

    akronohio Private E-2

    Strange Entry has returned in msconfig---
    hkcu\software\microsoft\windowsnt\currentversion\windows:run
    hkcu\software\microsoft\windowsnt\currentversion\windows:Load
    the entry is just a bunch of weird boxes (see jpg attached)

    I ran analyse (HJT) and it would NOT remove O6/restrictions
    and it would NOT remove O23/google update

    I'm gonna reboot right now, try again, then upload the mglogs


    (see attached jpg)
     

    Attached Files:

  6. akronohio

    akronohio Private E-2

    Okay, I'm back from a reboot....
    Both HJT items are gone.... Restrictions and Googleupdate

    Still have the strange startup characters in the msconfig startup

    SuperAntiSpyware is showing the same MalwareTrace that started this whole thing is back (see jpg)

    ARGH !!!
     

    Attached Files:

  7. akronohio

    akronohio Private E-2

    I ran various online spyware and virus checkers.....
    I even tried in SAFE mode....
    EVERYTHING says all is clear, but
    I still have BOTH problems shown in the JPGs in the following two posts....

    The "#taskman"
    and
    the "weird characters in msconfig startup"

    I will wait for further instructions.....
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to complete the rest of my last fix and attach the new log requested. In fact, first rerun GetLogs.bat today so that we have a more recent log which shows the current status of your PC from today.
     
  9. akronohio

    akronohio Private E-2

    I'm terribly sorry for not following directions correctly, I will pay closer attention.....

    I have added winpatrol which keeps popping up saying something is being added to my startup win.ini

    still having problems

    here is my MGLogs.zip file....

    (I will be going out of town tomorrow, actually about 24 hours from now, and will be gone 'till Monday, if you don't hear back from me)

    again - THANKS THANKS THANKS
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You already
    You should not be installing or running anything we do not ask you to run. WinPatrol could get in the way of any cleanup steps including the fixing of registry keys like I previously asked you to fix with analyse.exe. However, exactly what in win.ini is it saying is being added?

    Uninstall or completely shutdown WinPatrol right now. Also shutdown NOD32. Also you must disable Spybot's Teatimer as requested in the READ & RUN ME. See this: How to disable Spybot's TeaTimer

    Then continue.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\Kel\Desktop\msconfig.exe /auto
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} -
    O16 - DPF: {7D2FB79E-E58C-4DB5-A36F-AC1C73967F4D} -
    O16 - DPF: {B2DCBF69-EF93-4252-BBC7-BD870EBD9EDE} -

    After clicking Fix, exit HJT.

    Your PC is not in Normal Startup mode. You need to run MSconfig and select normal startup. Then reboot your PC.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  11. akronohio

    akronohio Private E-2

    Followed directions....
    uninstalled winpatrol, shut down nod32 scanning, turned off teatimer
    registry entry "fixme.reg" added successfully
    removed entries from analyze.exe HJT
    rebooted for normal mode
    ran getlogs, see attached


    Before uninstalling winpatrol, I did NOT get another popup with the "winpatrol is stopping installation of win.ini autorun", so I don't know exactly what the screen said, but I took a snapshot of the "history" screen (see attached screenshot)

    You asked how things are working now.....

    I ran msconfig to look at the startup items, and I still see the strange startup characters that appear to be the virus. (see attached screenshot)
    I slid the screen over to see the entire line (not on screen shot) and it says
    HKCU\software\microsoft\windows NT\currentversion\Windows:Run
    for the "location"

    I ran superantispyware, where I usually see the hklm/software/microsoft/windowsnt/currentversion/winlogon#taskman and
    superantispyware did not find any problems.....

    Question:

    Can I turn NOD32 on so that I can feel safer while working on my computer (I have some work that I need to get done and need to check my email also).
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you take these snapshots before running GetLogs.bat or after running GetLogs.bat

    Yes, you can re-enable NOD. It only needs to be disabled while running scans or fixes.

    Also let's run one more registry patch.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Do you still see the entry in MSConfig or is it gone now?
     
    Last edited: Dec 8, 2010
  13. akronohio

    akronohio Private E-2

    It was after....

    I will take another one right now....

    This was taken at 5:36pm

    Now there are two...

    I slid the screen to the right to see the "location"
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's what I thought because in the logs, those registry entries were clean.

    Yes because the first one I had you fix with the first registry patch, was changed again. You have something running that is modifying these keys and it just takes a little while for them to get changed after a reboot.

    Run the below registry patch and quickly check MSconfig afterwards and those should not show if the patch was merged in okay. Then reboot your PC into safe mode and keep checking MSconfig periodically to see if those entries reappear in safe mode.



    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.
     
  15. akronohio

    akronohio Private E-2

    Patch worked...
    Did patch, checked msconfig, bad things were gone.
    IMMEDIATELY rebooted into SAFE MODE
    Checked msconfig
    bad things were still gone
    closed msconfig, waited 5 minutes, started msconfig again, still all good, closed msconfig, waited 5 minutes, started msconfig again, still all good, closed msconfig, waited 5 minutes, started msconfig again, still all good

    Tested for nearly 20 minutes in safe mode.
    Rebooted into normal mode (so that I could have internet access again, and get to this web site and post this reply)

    during the boot up process, as QUICKLY as I could, I checked msconfig (while still booting) and BOTH weird lines were back again...

    I did nothing but come here and post this reply
    (I did not rerun fixme.reg)
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So it seems that something you load in normal mode, but not in safe mode, is the problem.

    Let's try using MSconfig for its intended debugging purpose. Run MSconfig, and disable all of the below startups which I will list by registry key names. You should be able to easily find them and disable them.
    Then run the last fixME.reg patch again which should remove the problem items in the "load" and "run" keys. Then immediately reboot your PC into normal boot mode again but keeping all of those items disabled via MSconfig, which will warn you at startup that you are in selective start mode. Just ignore this message. See if/when those lines return.
     
  17. akronohio

    akronohio Private E-2

    Ohhhhh Myyyyyyy

    It's ONE of those disabled things !!!

    The bad lines have NOT returned...
    I've been powered up for about 5 minutes, and still all is okay !!

    Something in that list is a naughty program......

    What next? Turn them on one at a time?
    Manually start each one until I see the problem?
    Oh, I'm excited, we are getting close....
    Breathe...Breathe...Breathe...Breathe...

    Okay, I'm calm now.... I won't do ANYTHING 'till you tell me.....
    What's next.....

    p.s. Each time I re-check msconfig, I completely close it, and restart msconfig. That's correct, right ?
     
  18. akronohio

    akronohio Private E-2

    I looked over the list
    (I didn't do anything)

    but, if this helps, ,,
    I got a new video camera,
    it came with free software,
    Software came from ARC-Soft,
    the problem started shortly after that...
    maybe a coincidence (sp?)

    Just thought I would pass that along to you...
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Or try the powers of two approach to zero in faster. (i.e., keep cutting the list in half until you get the problem back and then work on whichever ones were last enabled to zero in more). But remember you have to reboot each time to see the effects.

    Yes.
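    An added example, not part of this thread or of MajorGeeks' tools: instead of reopening MSConfig by hand after each reboot while bisecting the startup list, this PowerShell script reads the three values the thread has been tracking and logs the moment one of them changes. It assumes the MSConfig locations "Windows:Run" and "Windows:Load" are the Run and Load values under HKCU\...\Windows NT\CurrentVersion\Windows, and that SUPERAntiSpyware's "WinLogon#taskman" trace is the Taskman value under HKLM\...\Winlogon (both assumptions, not stated in the thread).

```powershell
# Added example (not from the thread): watch the autostart values discussed above
# and report when something rewrites them after boot. Read-only; it changes nothing.
param([int]$IntervalSeconds = 30, [int]$Minutes = 20)

# Assumption: these are the registry locations behind the MSConfig/SAS entries in the thread.
$watch = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'Run'     },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'Load'    },
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Taskman' }
)

function Get-AutostartValue([string]$Key, [string]$Name) {
    # $null means the value does not exist, which is the clean state for all three.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.$Name
}

function Test-Printable([string]$Value) {
    # MSConfig showed the entry as "weird boxes": bytes outside printable ASCII render that way.
    return $Value -notmatch '[^\x20-\x7E]'
}

function Format-Value($Value) {
    if ($null -eq $Value) { return '<not set>' }
    if (Test-Printable $Value) { return "'$Value'" }
    return "<non-printable data, $($Value.Length) chars>"
}

function Show-Snapshot {
    foreach ($w in $watch) {
        $v = Get-AutostartValue $w.Key $w.Name
        $label = "$($w.Key)\$($w.Name)"
        if ($null -eq $v)          { Write-Output "[ok]      $label is not set" }
        elseif (Test-Printable $v) { Write-Output "[review]  $label = $(Format-Value $v)" }
        else                       { Write-Output "[suspect] $label = $(Format-Value $v)" }
    }
}

# Record the state right after logon, then poll until the deadline.
$last = @{}
foreach ($w in $watch) { $last["$($w.Key)\$($w.Name)"] = Get-AutostartValue $w.Key $w.Name }
Write-Output "$(Get-Date -Format 'HH:mm:ss') initial state:"
Show-Snapshot

$deadline = (Get-Date).AddMinutes($Minutes)
while ((Get-Date) -lt $deadline) {
    Start-Sleep -Seconds $IntervalSeconds
    foreach ($w in $watch) {
        $label = "$($w.Key)\$($w.Name)"
        $now = Get-AutostartValue $w.Key $w.Name
        if ($now -ne $last[$label]) {
            # The timestamp tells you how long after boot the rewrite happens; pair it with
            # which MSConfig items were enabled for that boot to narrow the list faster.
            Write-Output "$(Get-Date -Format 'HH:mm:ss') CHANGED $label"
            Write-Output "    was: $(Format-Value $last[$label])"
            Write-Output "    now: $(Format-Value $now)"
            $last[$label] = $now
        }
    }
}
Write-Output "$(Get-Date -Format 'HH:mm:ss') final state:"
Show-Snapshot
```

    Run it immediately after each reboot during the bisection (for example `.\watch-autostart.ps1 -Minutes 10`); a "CHANGED" line within the window means one of the startup items enabled for that boot is the one rewriting the keys.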
     
  20. akronohio

    akronohio Private E-2

    WOW !

    "Malwarebytes Anti-Malware (reboot)"="\"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe\" /runcleanupscript"

    So, now what? Completely uninstall Malwarebytes via control panel ?

    EVERYTHING else is turned back on....

    Turn Malwarebytes on - problem occurs
    Turn Malwarebytes off - problem goes away

    Did it 3 times - on - off - on - off - on - off - to be sure....

    WOW, how did that happen? Breathe--Breathe--Breathe--Breathe--I'm excited!

    Now What ?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Malwarebytes does not put anything in those registry keys that I know of. I do not see them on any PC I have ever used it on and also not in the thousands of posts put in this forum each month. Is this the free version of Malwarebytes?
     
  22. akronohio

    akronohio Private E-2

    Yes, it is the free version of malware bytes....
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay well we don't need that startup item anyway so let's try something. First run MSConfig and put your PC back to normal startup mode so that everything runs.

    Now run the below fixME2.reg patch.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now reboot your PC. Are those entries gone now and do they stay gone?
     
  24. akronohio

    akronohio Private E-2

    Put msconfig back to normal
    ran the fixme2.reg
    registry loaded okay, no errors

    System booted, NO PROBLEMS found....
    No weird things in startup
    Everything is turned on
    MSConfig is in normal mode

    All appears good.....

    Now what?
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  26. akronohio

    akronohio Private E-2

    The computer still seems to be behaving..... THANKS !

    I am getting ready to go out of town until next Monday,
    and I do not want to rush the "clean up process", so I
    am going to finish packing for my trip, and let the cleanup
    wait until early next week.... I hope that is okay....

    I WILL drop you a note (unless this thread gets locked)
    and let you know when I have completed the cleanup.

    Again, Thanks so much for everything, and for all of your time.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
     
  28. akronohio

    akronohio Private E-2

    I was finally able to do the "clean up" on my system (I got home late Monday, then we had a terrible snow storm in Ohio, ech!)

    Anyway, I did all the clean up and everything seems GREAT !

    Thanks again for everything !
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
