Cannot remove Winlogon\taskman backdoor bot


35 replies to this topic

#1 swanseajack61


Posted 20 July 2009 - 01:46 AM

I am having major issues with my laptop. It will only start in safe mode, as when I start it in normal mode Windows Explorer keeps closing itself and shutting down my system so that nothing will run and the screen goes blank.

I have run scans under Malwarebytes and get the backdoor bot message below; it says it has been removed, but I am still getting the problems, and when I run the scan again it reappears. I have tried running AVG, Spybot, Ad-Aware and also Malwarebytes but no joy. I have turned off my system restore but the problem will not go away. I even went into start-up programmes to see if it was something I could remove from there but no joy.

I really need help on this as I have now been trying for over a week with no joy. Thanks in advance.

Here is the message that appears and the name of the infection.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman


#2 golfdude


Posted 20 July 2009 - 07:24 AM

Since you can't boot-up into Normal mode, try to do the following:

Please download ATF Cleaner by Atribune & save it to your desktop.
alternate download link DO NOT use yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under
    Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner
    Options
    , make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Thanks,
Golfdude

America is all about speed. Hot, nasty, badass speed. -Eleanor Roosevelt, 1936
Intel i7-3820, 32 GB DDR3-1600, Intel 330 SSD Boot Drive, WD 3TB Data Drive, Radeon HD7770 GHz Edition, Windows 10 Professional 64 Bit
 


#3 swanseajack61


Posted 20 July 2009 - 12:50 PM

Thanks for trying to help, I really appreciate it. I have posted my log below. I have managed to get onto normal mode to post this, but it seems whatever is infecting my laptop isn't being picked up. As soon as I start using it, it keeps trying to shut down Windows Explorer by saying it is not working and will restart; it also does this for Task Manager and pretty much anything else that tries to run in normal mode. I am praying you can help.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/20/2009 at 06:27 PM

Application Version : 4.26.1006

Core Rules Database Version : 3952
Trace Rules Database Version: 1894

Scan type : Complete Scan
Total Scan Time : 01:04:22

Memory items scanned : 277
Memory threats detected : 0
Registry items scanned : 7001
Registry threats detected : 0
File items scanned : 113019
File threats detected : 6

Adware.Tracking Cookie
C:\Users\daniel\AppData\Roaming\Microsoft\Windows\Cookies\Low\daniel@ads.bleepingcomputer[1].txt
C:\Users\daniel\AppData\Roaming\Microsoft\Windows\Cookies\Low\daniel@ads.lucidmedia[1].txt
C:\Users\daniel\AppData\Roaming\Microsoft\Windows\Cookies\Low\daniel@ads1.ad-driver[1].txt
C:\Users\daniel\AppData\Roaming\Microsoft\Windows\Cookies\Low\daniel@atdmt[1].txt
C:\Users\daniel\AppData\Roaming\Microsoft\Windows\Cookies\Low\daniel@doubleclick[2].txt
C:\Users\daniel\AppData\Roaming\Microsoft\Windows\Cookies\Low\daniel@imrworldwide[2].txt

#4 golfdude


Posted 20 July 2009 - 12:58 PM

Follow these instructions, then post the log:

http://www.malwarebytes.org/forums/index.php?showtopic=12709

Also, download Process Explorer and post the log:
Process Explorer Download Link

Thanks,
Golfdude



#5 golfdude


Posted 20 July 2009 - 01:01 PM

P.S. I encountered similar problems when trying to remove System Security 2009 from a friend's computer. After running Process Explorer I was able to "kill" the process that wasn't allowing me to run Task Manager or MBAM. Post the Process Explorer log and hopefully we can figure out what is going on.

Thanks,
Golfdude



#6 swanseajack61


Posted 20 July 2009 - 01:50 PM


Could this be the problem, rundll32.exe, that seems to open up every time it tries to close a process down? Let me know if you want me to post any more logs. Thanks for this, I really appreciate it.

Process PID CPU Description Company Name
System Idle Process 0 98.46
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 388
csrss.exe 464
wininit.exe 508
services.exe 564
svchost.exe 840
WmiPrvSE.exe 3252
unsecapp.exe 3348
svchost.exe 916
svchost.exe 956
svchost.exe 1092
audiodg.exe 1212
svchost.exe 1124
dwm.exe 6140 Desktop Window Manager Microsoft Corporation
svchost.exe 1140
taskeng.exe 3552
taskeng.exe 5072 Task Scheduler Engine Microsoft Corporation
wuauclt.exe 2396 Windows Update Automatic Updates Microsoft Corporation
taskeng.exe 4288
SLsvc.exe 1248
svchost.exe 1292
svchost.exe 1456
AAWService.exe 1788
spoolsv.exe 1940
svchost.exe 1964
ALaunchSvc.exe 912
AppleMobileDeviceService.exe 1220
avgwdsvc.exe 1384
avgrsx.exe 824
avgnsx.exe 1020
mDNSResponder.exe 1392
eDSService.exe 1424
eLockServ.exe 1644
eNet Service.exe 2032
LSSrvc.exe 1660
MobilityService.exe 1192
svchost.exe 2200
RichVideo.exe 2260
svchost.exe 2328
svchost.exe 2412
WerFault.exe 5912 Windows Problem Reporting Microsoft Corporation
SearchIndexer.exe 2516
SearchProtocolHost.exe 1956
SearchFilterHost.exe 5212
XAudio.exe 2636
plasservice.exe 2660
avgemc.exe 2708
avgcsrvx.exe 2952
eRecoveryService.exe 2756
capuserv.exe 2824
ePowerSvc.exe 2976
SDWinSec.exe 3212
lsass.exe 576
lsm.exe 584
csrss.exe 2232
winlogon.exe 2428
GoogleToolbarNotifier.exe 6040 GoogleToolbarNotifier Google Inc.
procexp[1].exe 4444 1.54 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
ieuser.exe 1704 Internet Explorer Microsoft Corporation
explorer.exe 3724 Windows Explorer Microsoft Corporation
rundll32.exe 4072
rundll32.exe 5908

#7 golfdude


Posted 20 July 2009 - 02:06 PM

We need to run Root Repeal:

Download the following tool and only use as directed!
Download here

Install RootRepeal and select *Files* then scan only.

Posted Image

When the scan has completed there will be a list of files generated. Some will be OK (legitimate files) but some will be related to the rootkit and its hidden payload of files.

Posted Image

You will need to identify which one is the CLB driver, and here's how.

This is not as difficult as it appears because it will be one of the files listed with a .sys extension.

It will also carry one of the following prefixes in its filename, followed by random letters and the .sys extension.

TDSS
Seneka
GAOPDX
UAC
ovfst
kungsf
SKYNET
MSIVX
hjgrui
wzszx
ESQUL
geyekr

*Letters can appear in either upper case or lower case.

**The number of random letters varies, so it could be only a couple or up to 32, which has been seen so far.

***In my screenshot it is the file UACewsflctd.sys that is the rootkit driver.

UAC prefix + random characters (in this case ewsflctd) + .sys extension

Since there is a level of randomization in the file naming protocol there are many computations of how the file will be named and the list will be exhaustive.

But here are some examples so hopefully you can see the pattern forming.

TDSSspax.sys
TDSSServ.sys
GAOPDXserv.sys
gaopdxohocrlokojvgccmieiquramguxlachqk.sys
UACmxegjtve.sys
UACd.sys
Senekarstpqyy.sys
ovfsthxkwpjtxfk.sys
kungsfxwrtceey.sys
SKYNEToyfjtpeo.sys
MSIVXwfjwbpbivasavbfjmtkibegxvnftiqxt.sys
hjgruisaroylnf.sys
wzszxthydgteuirn.sys
ESQULoqkqcemwasjmlqahydcgqxywwvhtxpbx.sys
geyekrhfgdvswdstsak.sys

Once you have identified the CLB driver, use your mouse to highlight it in the RootRepeal window after the *Files* scan.
Next, right mouse click on it and select the *wipe file* option only, then immediately reboot the computer!!!!

You will only need to attack the CLB driver, as the rest, once no longer being protected, are easy pickings for MBAM.

Next install and update MBAM and run a quick scan!

Allow it to delete what it detects and reboot immediately.

Thanks,
Golfdude
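
As an added example that is not part of this thread, here is a read-only PowerShell triage check for the two indicators discussed so far: the Winlogon\taskman registry value that MBAM keeps reporting, and driver file names that fit the prefix-plus-random-letters pattern described above. It only reports; wiping stays with RootRepeal and MBAM as the post describes. Assumptions: the prefix list is the one given in this post, and a clean Windows install has no Winlogon\Taskman value, so any value found there warrants a look.

```powershell
# Added triage example (not from the thread). Read-only: it reports, it does not delete.
# Run from an elevated PowerShell prompt.

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Driver-name prefixes listed in the post above; the rootkit driver is named
# <prefix><1-32 random letters>.sys, in any letter case.
$prefixes = @('TDSS', 'Seneka', 'GAOPDX', 'UAC', 'ovfst', 'kungsf', 'SKYNET', 'MSIVX', 'hjgrui', 'wzszx', 'ESQUL', 'geyekr')
# -match is case-insensitive by default, so one pattern covers both letter cases.
$driverPattern = '^(' + ($prefixes -join '|') + ')[a-z]{1,32}\.sys$'

# 1. The registry value MBAM keeps flagging in the thread.
#    Assumption: this value does not exist on a default install, so its presence alone is notable.
$props = Get-ItemProperty -Path $winlogonKey -ErrorAction SilentlyContinue
if ($props -and $props.PSObject.Properties['Taskman']) {
    Write-Output ("Winlogon\Taskman is set to: " + $props.Taskman)
} else {
    Write-Output 'Winlogon\Taskman is not present (expected on a clean system)'
}

# 2. Driver files whose names fit the prefix + random letters + .sys pattern.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$hits = Get-ChildItem -Path $driverDir -Filter '*.sys' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match $driverPattern }

if ($hits) {
    # Signature status is a second signal: a name match on an unsigned driver deserves a closer look.
    $sigCol = @{ Name = 'Signature'; Expression = { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } }
    $hits | Select-Object Name, Length, CreationTime, $sigCol | Format-Table -AutoSize
} else {
    Write-Output "No driver names matching the pattern under $driverDir"
}
```

A running rootkit can hide its driver from an ordinary directory listing, which is why the post relies on RootRepeal; treat an empty result from this check as inconclusive and a hit as confirmation.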



#8 swanseajack61


Posted 20 July 2009 - 02:40 PM

Hi

It won't let me run the programme; it keeps shutting it down before I get a chance to install it. Is there another programme I could try? Sorry to be a pain.

#9 boopme


Posted 20 July 2009 - 02:44 PM

Did you get Malwarebytes installed??? If so, try Fatdcuk's fix.

Please navigate to the MBAM folder located in the Program Files directory.

Locate MBAM.exe and rename it to winlogon.exe

Once renamed double click on the file to open MBAM and select Quick Scan

At the end of the scan click Remove Selected and then reboot.


Post the scan log. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

#10 swanseajack61


Posted 20 July 2009 - 02:49 PM

Hi, sorry, I am not the best at these things. I can't use the fix as I can't run RootRepeal; it won't let me install it, it keeps shutting it down.

Can you explain what you want me to do in Malwarebytes again?

#11 swanseajack61


Posted 20 July 2009 - 02:51 PM

ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x00429430
Attempt to write to address: 0x00d6f000

That's the error message I get???

#12 golfdude


Posted 20 July 2009 - 03:05 PM

Ignore the fact that the steps are not numeric:
  • Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

    Malwarebytes' Anti-Malware Download Link
  • Once downloaded, close all programs and Windows on your computer, including this one.
  • Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.
  • When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button. If MalwareBytes' prompts you to reboot, please do not do so.
  • MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.


    Posted Image

  • On the Scanner tab, make sure the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for System Security related files.
  • MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.


    Posted Image

  • When the scan is finished a message box will appear as shown in the image below.


    Posted Image

    You should click on the OK button to close the message box and continue with the SystemSecurity removal process.
  • You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
  • A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.


    Posted Image

    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
  • When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
  • You can now exit the MBAM program.
If MalwareBytes will not run:
Rename the MBAM setup to something like "winlogon.bat".
After MBAM installs, go to the 'C' drive, 'Programs', 'Malwarebytes Antimalware', and change MBAM.exe to 'Myspace.bat'. Double click and see if it will run.

Edited by golfdude, 20 July 2009 - 03:11 PM.

Thanks,
Golfdude



#13 swanseajack61


Posted 20 July 2009 - 03:11 PM

Thanks again for the reply. I have been trying Malwarebytes for days in safe mode and when I can boot up as normal, but with no joy, only the message below. Should I run it again, and am I doing something wrong in relation to the settings?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman

#14 golfdude


Posted 20 July 2009 - 03:24 PM

Did you rename the exe file?

Thanks,
Golfdude



#15 swanseajack61


Posted 20 July 2009 - 03:26 PM

To do that, will I have to uninstall it and then resave the exe file?

Cheers (again lol)


