Strange scheduled tasks on Windows Server 2003
A few days ago, I noticed that our Windows Server 2003 system has strange scheduled tasks. I do not know where they came from or who set them up. I deleted them and they came up again today. They have names such as "At1","At2", "At3" and the status says that they are running.
When I open their properties, the run command looks like rundll32.exe zfypspqu.u,ygxjgq.
What could it be? Does my server have some virus? I did a scan with nod32 and it didn't report anything. I do not have anything unusual set up on this server - it's only running SQLServer 2005 with ReportServer. Two other servers with similar configuration do not have these strange scheduled tasks.
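The indicator in the question (jobs named "AtN", as at.exe names them, that launch rundll32 on a randomly named module) can be triaged across many hosts from the output of schtasks /query /fo csv /v. The Python script below is an added example and is not part of the original post; the column names "TaskName", "Status" and "Task To Run" are assumed from that command's verbose output, and the sample rows are constructed (the first two mirror the command shown in the question).

```python
"""Triage scheduled tasks for the AT-job indicator described in the question.

Input is the CSV that `schtasks /query /fo csv /v` prints (column names
assumed).  Jobs created with at.exe are named "AtN"; the worm described in
the answers used such jobs to run rundll32 on a randomly named module, so
the heuristics below look for exactly that combination.
"""
import csv
import io
import re

# Constructed sample rows: a subset of the verbose schtasks columns.
SAMPLE_SCHTASKS_CSV = """\
"HostName","TaskName","Status","Task To Run","Creator"
"SQLRS01","At1","Running","rundll32.exe zfypspqu.u,ygxjgq","SYSTEM"
"SQLRS01","At2","Running","rundll32.exe zfypspqu.u,ygxjgq","SYSTEM"
"SQLRS01","At3","Ready","C:\\Scripts\\reindex.cmd","Administrator"
"SQLRS01","NightlyBackup","Ready","C:\\Scripts\\backup.cmd","Administrator"
"SQLRS01","IdleTasks","Ready","rundll32.exe advapi32.dll,ProcessIdleTasks","Administrator"
"""

# "At1", "At2", ... is how at.exe names the jobs it creates.
AT_JOB_NAME = re.compile(r"^At\d+$", re.IGNORECASE)
# rundll32 <module>,<entrypoint>, with an optional path in front of rundll32.
RUNDLL32_CALL = re.compile(
    r"^\s*(?:.*\\)?rundll32(?:\.exe)?\s+(?P<module>\S+?),(?P<entry>\S+)",
    re.IGNORECASE,
)


def parse_schtasks_csv(text):
    """Return one dict per task; skips header rows that some schtasks
    builds repeat before every task in verbose mode."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if r.get("TaskName") not in (None, "", "TaskName")]


def triage_task(row):
    """Return a finding dict for a suspicious task, or None if nothing stands out."""
    name = row.get("TaskName", "")
    command = row.get("Task To Run", "")
    reasons = []
    at_named = bool(AT_JOB_NAME.match(name))
    if at_named:
        reasons.append("AT-style job name (created with at.exe, not a named task)")

    rundll_signals = 0
    match = RUNDLL32_CALL.match(command)
    if match:
        module, entry = match.group("module"), match.group("entry")
        basename = module.replace("/", "\\").rsplit("\\", 1)[-1]
        ext = basename.rsplit(".", 1)[1].lower() if "." in basename else ""
        # Legitimate rundll32 targets are .dll files; a one-letter or missing
        # extension on a bare, random-looking name is the pattern in the question.
        if ext != "dll":
            reasons.append("rundll32 module '%s' is not a .dll" % module)
            rundll_signals += 1
        # Exported entry points are conventionally mixed case
        # (ProcessIdleTasks); an all-lowercase letter run looks generated.
        if entry.isalpha() and entry.islower():
            reasons.append("rundll32 entry point '%s' looks randomly generated" % entry)
            rundll_signals += 1

    if not reasons:
        return None
    if at_named and rundll_signals:
        severity = "high"
    elif rundll_signals:
        severity = "medium"
    else:
        severity = "low"
    return {"task": name, "command": command, "status": row.get("Status", ""),
            "severity": severity, "reasons": reasons}


def triage(text):
    """Run triage over a schtasks CSV dump and return the findings, worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in map(triage_task, parse_schtasks_csv(text)) if f]
    return sorted(findings, key=lambda f: (order[f["severity"]], f["task"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_SCHTASKS_CSV):
        print("%-6s %-14s %s" % (f["severity"].upper(), f["task"], f["command"]))
        for r in f["reasons"]:
            print("       - " + r)
```

An "AtN" job on its own only rates "low" (administrators do create AT jobs), and a rundll32 task with a proper .dll and a mixed-case export such as advapi32.dll,ProcessIdleTasks produces no finding; the combination the question shows is what gets flagged "high". Compare the list against the two clean servers mentioned in the question to confirm the baseline.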
That's a Conficker infection.
Basic steps to remove it:
- Run the latest release of Microsoft's Malicious Software Removal Tool.
- Install the KB958644 patch.
If you have multiple systems, make sure you fix them all.
The full Microsoft guide for protecting yourself from Conficker is here.
Good luck, I've had to deal with a Conficker infection at a smallish client, about 30 servers spread throughout 12 sites, it was not fun.
Try to scan, disinfect, and apply the patch to all computers in your network at the same time if possible; I had a bad experience with it (B version, our network has around 300 computers in 3 sites).
http://www.confickerworkinggroup.org
http://www.confickerworkinggroup.org/wiki/pmwiki.php/ENT/Enterprise#toc10
I updated the batch file to apply it via GPO (got it somewhere on the Internet):
@echo off
REM ########################################
REM Version 6 - 10:19pm Pacific Jan 4th, 2009
REM Created by Ckemper and Shainw
REM For disabling infection points and potentially removing Conficker.B malware
REM http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.B
REM #####################################
REM #####################################
REM
REM Modify <domain.com> to your domain name in the script portion below.
REM Rename it to .BAT and drop it in the \\%windir%\sysvol\sysvol\<domain.com>\scriptsfolder (aka, Netlogon share).
REM
REM Please drop the following tools\files in the Netlogon share for this to work
REM
REM Getver.exe - attached with this batch file.
REM SC.EXE - attached with this batch file (can get from a WS2003 or Windows XP system, not native to Windows 2000)
REM REG.exe - attached with this batch file (can get from WS2003 or Windows XP system, not native to Windows 2000)
REM windows-kb890830-v2.6.exe - x86 version of MSRT, available from Microsoft Security Support Engineer
REM windows-kb890830-x64-v2.6.exe - x64 version of MSRT, available from Microsoft Security Support Engineer
REM sleep.exe - for use with the MSRT tool, attached with batch file
REM Hotfix update for Windows 2000, Windows XP and Windows 2003, download all updates listed in http://support.microsoft.com/kb/953252, except
REM the Itanium update as this script does not support Itanium. Place all 3 updates in the Netlogon directory.
REM Security update MS08-038 for Windows Vista and Windows Server 2008 - http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx
REM This vulnerability is not being exploited, however, to disable Autorun properly this needs to be applied as it contains a fix related to
REM autorun, same as the one listed above in KB953252.
REM
REM Place all above in the netlogon directory and edit the <domain.com> values in the script below.
REM
REM Create a Startup Script policy and reference this batch file. This needs to be a Startup Script and not a Logon script, so that the
REM script runs under the machine account.
REM Link the GPO with the Startup Script to the OU and Groups where you want it to apply.
REM
REM We do not recommend you use this on DC's or critical servers, those should be cleaned manually so that the services
REM disabled below do not need to be left disabled for an extended period of time.
REM
REM Also note that you can set both the Server service (lanmanserver) and Task Scheduler server (schedule) to disabled via group policy
REM If that is done, then those items can be remarked out below
REM
REM ###########################################
REM
REM
REM Methods of spread we will be disabling -
REM
REM
REM We will disable the Server service and Task Scheduler service.
REM
REM Why disable the Server service? This is due to Weak Passwords which the malware attempts to exploit.
REM The password change will need to be accomplished via password policy for the domain, resetting any local and domain admin password to a
REM complex password which includes at least 10 characters and contains, alpha-numeric characters and extended characters such as a question
REM mark or exclamation point.
REM
REM Why disable the Task Scheduler service? This is because the malware creates several AT jobs that run every hour to reinfect the system.
REM
REM MS08-067 security update. This security update needs to be applied ASAP via your normal patch management process.
REM http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
REM
REM Why install MS08-067? This is the main attack vector of the malware.
REM
REM Autorun - To block the autorun feature, we must apply a hotfix and set a registry value.
REM
REM Why disable Autorun? This is because the malware drops a binary file called Autorun.inf on all removable drives.
REM
REM
REM For environments that use Windows Update to deploy updates. This section will install MS08-067.
REM You must place the updates that were downloaded from the link above in the Netlogon share and modify <domain.com>
REM to your domain. Also, you must remove the REM**** from in front of the lines; note there is one at the bottom also. Note that the
REM Windows Vista and WS2008 file is the same for both - Windows6.0-KB958644-x86.msu.
REM
if /i %PROCESSOR_ARCHITECTURE% == IA64 goto :End
REM ****IF not exist %windir%\$NtUninstallKB958644$ goto Check
REM ****IF exist %windir%\$NtUninstallKB958644$ goto Clean
REM ****:Check
REM ****IF not exist %windir%\Servicing\Packages\Package_for_KB958644*.* goto Install
REM ****IF exist %windir%\Servicing\Packages\Package_for_KB958644*.* goto Clean
REM ****:Clean
REM
REM Checking if already run successfully
REM
\\<domain.com>\netlogon\sc.exe query wuauserv | find "STOPPED" > nul
if %ErrorLevel% EQU 0 goto INIT
if %ErrorLevel% EQU 1 goto END
:INIT
REM
REM Stopping and Disabling services
REM
\\<domain.com>\netlogon\GETVER.EXE > nul
if %ErrorLevel% EQU 50 goto SC_Stop
if %ErrorLevel% EQU 51 goto SC_Stop
if %ErrorLevel% EQU 52 goto SC_Stop
if %ErrorLevel% EQU 60 goto Vista_2008Server_SC_Stop
:SC_Stop
\\<domain.com>\netlogon\sc.exe stop lanmanserver
\\<domain.com>\netlogon\sc.exe stop schedule
\\<domain.com>\netlogon\sc.exe config lanmanserver start= disabled
\\<domain.com>\netlogon\sc.exe config schedule start= disabled
goto MSRT_RUN
:Vista_2008Server_SC_Stop
\\<domain.com>\netlogon\reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f
goto MSRT_RUN
:MSRT_RUN
REM
REM Running MSRT locally
REM
REM
REM Checking for x86 or x64
REM Make sure to edit the <servername>\<share> in the lines below so the logs can be copied up to a central server if desired.
REM Otherwise the copying of the mrt.log can be remarked out.
REM Notice the copy of the MRT.log up to a central location has <servername>\<share with write perms>. This is on purpose.
REM In most cases, opening a share with everyone write permissions on a DC is not recommended, it is suggested to use a
REM member server or workstation.
REM
if /i %PROCESSOR_ARCHITECTURE% == x86 goto x86
if /i %PROCESSOR_ARCHITECTURE% == AMD64 goto x64
:x86
call \\<domain.com>\netlogon\Sleep.exe 10
Start /wait \\<domain.com>\netlogon\Windows-KB890830-V2.6.exe /q
copy %windir%\debug\mrt.log \\<servername>\<share>\Logs\%computername%_%username%_mrt.log
goto Tasks
:x64
call \\<domain.com>\netlogon\Sleep.exe 10
Start /wait \\<domain.com>\netlogon\windows-kb890830-x64-v2.6.exe /q
copy %windir%\debug\mrt.log \\<servername>\<share>\%computername%_%username%_mrt.log
goto Tasks
REM
REM Deleting all scheduled tasks, we have to do this due to the potential random naming of the scheduled task job.
REM Note, even though we are disabling the Task Scheduler service above, these still need to be removed for when the Task Scheduler service is
REM started up again. The Erase command is available on Windows 2000 and above, so we do not need to make it available on the Netlogon share.
REM
:Tasks
attrib -h %windir%\tasks\*.job
AT /delete /yes
REM old entry -erase %windir%\tasks\*.job /f /q
REM
REM Checking for and installing Autorun hotfix. Turning off Autorun for all drives, the malware can spread via this mechanism.
REM Download all updates listed in http://support.microsoft.com/kb/953252, except the Itanium update as this script does not support Itanium.
REM Download the Windows Vista and Windows Server 2003 update - http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx
REM
IF not exist %windir%\$NtUninstallKB950582$ goto Next
IF exist %windir%\$NtUninstallKB950582$ goto Autorun
:Next
IF not exist %windir%\Servicing\Packages\Package_for_KB950582*.* goto 950582
IF exist %windir%\Servicing\Packages\Package_for_KB950582*.* goto Autorun
:950582
REM
REM Checking OS version for install of KB950582
REM
\\<domain.com>\netlogon\GETVER.EXE > nul
if %ErrorLevel% EQU 50 goto Win2K_950582
if %ErrorLevel% EQU 51 goto WinXP_950582
if %ErrorLevel% EQU 52 goto Win2003_950582
if %ErrorLevel% EQU 60 goto Vista_2008Server_950582
REM
REM WIN2k section
REM
:Win2k_950582
\\<domain.com>\netlogon\Windows2000-KB950582-x86-ENU.EXE /quiet /norestart
goto Autorun
REM
REM WINXP section
REM
:WinXP_950582
if /i %PROCESSOR_ARCHITECTURE% == x86 goto WinXP_950582_x86
if /i %PROCESSOR_ARCHITECTURE% == AMD64 goto WinXP_950582_x64
:WinXP_950582_x86
\\<domain.com>\netlogon\WindowsXP-KB950582-x86-ENU.exe /quiet /norestart
goto Autorun
:WinXP_950582_x64
\\<domain.com>\netlogon\WindowsServer2003.WindowsXP-KB950582-x64-ENU.exe /quiet /norestart
goto Autorun
REM
REM WIN2003 section
REM
:Win2003_950582
if /i %PROCESSOR_ARCHITECTURE% == x86 goto Win2003_950582_x86
if /i %PROCESSOR_ARCHITECTURE% == AMD64 goto Win2003_950582_x64
:Win2003_950582_x86
\\<domain.com>\netlogon\WindowsServer2003-KB950582-x86-ENU.exe /quiet /norestart
goto Autorun
:Win2003_950582_x64
\\<domain.com>\netlogon\WindowsServer2003.WindowsXP-KB950582-x64-ENU.exe /quiet /norestart
goto Autorun
REM
REM Vista_2008 section
REM
:Vista_2008Server_950582
if /i %PROCESSOR_ARCHITECTURE% == x86 goto Vista_2008Server_950582_x86
if /i %PROCESSOR_ARCHITECTURE% == AMD64 goto Vista_2008Server_950582_x64
:Vista_2008Server_950582_x86
wusa.exe \\<domain.com>\netlogon\Windows6.0-KB950582-x86.msu /quiet /norestart
goto Autorun
:Vista_2008Server_950582_x64
wusa.exe \\<domain.com>\netlogon\Windows6.0-KB950582-x64.msu /quiet /norestart
goto Autorun
:Autorun
\\<domain.com>\netlogon\reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
REM
REM Removing Hidden setting
REM
\\<domain.com>\netlogon\reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 0x1 /f
REM
REM Enabling Automatic Updates, Background Intelligent Transfer and Error Reporting services
REM
\\<domain.com>\netlogon\sc.exe config wuauserv start= auto
\\<domain.com>\netlogon\sc.exe config BITS start= auto
\\<domain.com>\netlogon\sc.exe config ERsvc start= auto
REM
REM Restarting
REM
Shutdown.exe /r
REM ****:Install
REM ****\\<domain.com>\netlogon\GETVER.EXE > nul
REM ****if %ErrorLevel% EQU 50 goto Win2K
REM ****if %ErrorLevel% EQU 51 goto WinXP
REM ****if %ErrorLevel% EQU 52 goto Win2003
REM ****if %ErrorLevel% EQU 60 goto Vista_2008Server
REM ****:Win2k
REM ****\\<domain.com>\netlogon\Windows2000-KB958644-x86-ENU.EXE /quiet /forcerestart
REM ****:WinXP
REM ****\\<domain.com>\netlogon\WindowsXP-KB958644-x86-ENU.exe /quiet /forcerestart
REM ****:Win2003
REM ****\\<domain.com>\netlogon\WindowsServer2003-KB958644-x86-ENU.exe /quiet /forcerestart
REM ****:Vista_2008Server
REM ****wusa.exe \\<domain.com>\netlogon\Windows6.0-KB958644-x86.msu /quiet
:End
Exit