JimBob59

False Positive: Winlogon#Taskman key value = 0000 ?


I've been using SAS only for a short time but have run perhaps 20 or so daily scans.

I always check for updates first.

Yesterday in addition to the typical cookies, I had one other entry:

Malware.Trace

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon#Taskman

but there is no entry after it....

I went into the registry and opened the Taskman key and when looking at it in normal mode it appears blank.

When I edit in binary it shows as: "0000 "

What's going on here?

Thoughts appreciated!


Hi JimBob,

I have exactly the same problem:

Malware.Trace HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon#Taskman

With no other details of this 'infection' shown.

I also have the same registry entry.

I use 3 other 'AntiMalware' scanners on my PC and the Logs are clean.

Windows XP SP3.

I am puzzled too and would greatly appreciate any ideas.


I've got nut'n as yet....

If I understand correctly the "Taskman" key allows the Winlogon process to load an additional task manager type program which may be required for special situations. Typically there is none.

I think if there is none specified usually the key does not exist at all.

So the fact that our systems have this key installed (even with apparently a zero value) may be why SAS is pushing the alarm button.

I'm not sure if we should panic or not :unsure:



I have the same, not having run SAS in a couple of weeks. Avast finds nothing, Malwarebytes finds nothing and neither does ESET online scan. I do not know if my situation is slightly different to you two but I go to the address .....Winlogon/ and I do not find any taskman key in there. But if I run SAS it will find it. Ask to clean and reboot and back it is. But I do not know what this is. I am hoping for a new update that will not show this problem :)

Correction. I have the identical problem as I did find now the taskman key with a value of 0000

Edited by peterg2


Hi,

I have not tried this yet but here is another person - today too - who has the same problem and supposedly he was able to have his problem fixed. Here

is the link. Forget about the amazonaws.com part of his topic. Go to the first post.

http://forums.majorgeeks.com/showthread.php?p=1565215

Peter:

Interesting ... that guy does not say one way or the other if there was actually a key value in his Taskman key from what I read. Did I miss it?



You did not miss anything. I ran combofix now and it quarantined about 4 files, three of which I *know* as fact are clean. It also quarantined tcpip.reg which I am looking through now. I still am no wiser as to what has happened. Yes, I re-ran Superantispyware and I was "clean" but I do not know if I had malware to begin with. So I reverted back and am looking for a fix.


My situation has got worse.

I found 2 lines of strange squares and Symbols in the MSCONFIG startup list relating to the Registry Entry: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows: One is RUN / One is LOAD.

I've also lost all my 'Restore points', and now my 'Internet Connection' has vanished. [I'm having to use a different PC to post this].

I must have more wrong with my machine than the 'Winlogon#Taskman' problem. I'm going to Format and do a fresh installation of my software.

Thank you both for the info and suggestions, I hope you get things sorted.


Sorry to hear about it Presario2. I too am thinking of wiping the drive and reinstalling although I supposedly have cleaned out whatever that malware.trace....#taskman was with combofix. The first time I ran combofix I did not like what it was doing as clearly some files were completely benign but were quarantined. I then ran Gmer thinking there was maybe a rootkit but nothing was found. I then waited until the next day for the updated combofix and this time no files were quarantined and I had no problems with internet connectivity (the previous combofix scan quarantined tcpip.reg). Seemingly everything is all clear now, be it with Avast, Mbam, SAS, eset online scan. However, I still would like to know what exactly this is or was.


It appears it was indeed a false positive.

I updated with the latest SAS signatures this morning and re-ran the scan and Taskman was not mentioned in the results window - just some tracking cookies.

I checked my registry just to be sure nothing else had modified the key and the key was still there with the same 0000 value ... but is no longer being flagged.


JimBob59,

Thanks very much. Greatly appreciated. In my case however I do not have the Taskman entry Value 0000 anymore. This must have been taken out with the last combofix run. However, this whole business made me think as to why I, and perhaps you two had this entry. I had a look on my C drive and I do see that in June I did briefly download and install Sysinternals Suite which includes Process Explorer which is an alternative Taskmanager. I think this might have been the cause of my having this entry. I quote from this pdf link:

http://preview.tinyurl.com/2v3p6fp

Beneath the WinLogon key (listed previously) is a value named TaskMan that might be of interest to investigators because it allows the user to choose an application to replace the Task Manager. This value doesn't exist by default but can be added. In fact, installing Process Explorer from SysInternals allows you to choose Process Explorer to replace the usual Task Manager. If the TaskMan value exists beneath the WinLogon key, you should consider this "suspicious" under most normal circumstances and investigate the application listed in the data thoroughly.

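The check the quoted forensics text recommends (does the TaskMan value exist at all, what command line does its data hold, and is that program legitimate) is easy to script. The PowerShell below is an added example written for this thread; it is not code from SuperAntiSpyware, Sysinternals or the quoted book. It assumes Windows PowerShell 5.1 or later run from an elevated prompt, is read-only, and covers the three value names the thread mentions: Winlogon\Taskman, and the HKCU ...\Windows Run and Load values from Presario2's post. A missing value is reported as the default state; an empty value is reported as the "present but launches nothing" state both posters saw (in regedit's binary editor an empty string shows only the offset column and, at most, its two-byte terminator); a populated value is resolved to a file whose size, timestamp, Authenticode signer and SHA-256 are printed so the target can be vetted rather than guessed at.

```powershell
# Added example (not part of the thread): read-only triage of the Winlogon
# "Taskman" value that SAS flagged, plus the HKCU ...\Windows "Run"/"Load"
# values mentioned later in the thread. Assumes Windows PowerShell 5.1 or
# later running elevated; it writes nothing to the registry.

$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Taskman' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'Run'     },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'Load'    }
)

function Get-RawRegistryValue {
    param([string]$Path, [string]$Name)
    # Get-ItemProperty hides the value kind and coerces the data, so open the
    # key itself and read the kind plus the unexpanded data.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) { return $null }                                 # key absent
    if ($key.GetValueNames() -notcontains $Name) { return $null }   # value absent (the default state)
    $opts = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    [pscustomobject]@{
        Path = $Path
        Name = $Name
        Kind = $key.GetValueKind($Name)
        Data = $key.GetValue($Name, $null, $opts)
    }
}

function Resolve-CommandImage {
    param([string]$CommandLine)
    # Pull the executable out of a command line: honour a quoted path, otherwise
    # take the first whitespace-delimited token, then expand %VAR% references.
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $image = if ($end -gt 1) { $cmd.Substring(1, $end - 1) } else { $cmd.TrimStart('"') }
    } else {
        $image = ($cmd -split '\s+')[0]
    }
    if (-not [IO.Path]::IsPathRooted($image)) {
        # Bare name: resolve through PATH the way the loader would.
        $found = Get-Command -Name $image -CommandType Application -ErrorAction SilentlyContinue
        if ($found) { $image = @($found)[0].Source }
    }
    return $image
}

foreach ($c in $checks) {
    $v = Get-RawRegistryValue -Path $c.Path -Name $c.Name
    $label = "$($c.Path)\$($c.Name)"
    if (-not $v) {
        Write-Output "$label : not present (the default)"
        continue
    }
    Write-Output "$label : present, kind=$($v.Kind)"

    # Empty data is what the thread describes ("0000" in regedit's binary
    # editor): the value exists but names no program, so nothing is launched.
    $text = if ($v.Kind -eq 'Binary') { '' } else { [string]$v.Data }
    if ([string]::IsNullOrWhiteSpace($text)) {
        $len = if ($v.Kind -eq 'Binary') { ([byte[]]$v.Data).Length } else { $text.Length }
        Write-Output "  data is empty (length $len): nothing launches, but the value is non-default"
        continue
    }
    Write-Output "  data   : $text"

    # Run/Load under ...\Windows historically hold comma-separated command lines;
    # check each one. Taskman holds a single command line.
    foreach ($cmdline in ($text -split ',' | Where-Object { $_.Trim() })) {
        $image = Resolve-CommandImage -CommandLine $cmdline
        if (-not (Test-Path -LiteralPath $image -PathType Leaf)) {
            Write-Output "  target missing on disk: $image (dangling reference)"
            continue
        }
        $file = Get-Item -LiteralPath $image
        $sig  = Get-AuthenticodeSignature -FilePath $image
        $hash = (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash
        Write-Output "  target : $image"
        Write-Output "  size   : $($file.Length) bytes, modified $($file.LastWriteTimeUtc.ToString('u'))"
        Write-Output "  signer : $($sig.SignerCertificate.Subject) [$($sig.Status)]"
        Write-Output "  sha256 : $hash"
    }
}
```

Save it as a .ps1 and run it from an elevated prompt; for the case in this thread the Taskman line would read "present, kind=String" followed by "data is empty", which is exactly the condition the scanner flagged: a non-default value that points at nothing. A Taskman line that instead names a file is the case the quoted text says to investigate, and the signer and hash lines give you what you need to do that.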


Peter:

Oh for crying out loud....

That's where I picked it up then ..........

I use the SysInternals PE program ...

Sheezzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
