
windows/task stuff

Hi,

I have an infected system (XP); it won't let me launch any tool: as soon as I go to the folder that contains the cleaning tools, it shuts the folder.
I tried some online scanners, but they weren't much help: one sees the system as clean, another keeps cleaning a virus from it, and one reports a long list of locked objects, which are partly the same as those in the ComboFix log (I could run it once, after which the folder keeps shutting).

My question is: can I delete all the stuff in the windows/tasks folder? Most of them have the .job extension.

Or maybe you can think of some other solution.

System restore is off, and I can't work in safe mode.

Thank you
2 Solutions
 
DrDamnit commented:
Hello keneso,

You're going to need to boot up with BartPE and run a command-line virus scanner. You can also kill stuff that is starting up, from BartPE, by doing a remote edit of the registry. Once you get that done, you'll need to start up in safe mode and run SmitFraudFix.

Regards,

DrDamnit

keneso (author) commented:
Thank you.

Unfortunately, as I said, I can't work in safe mode, and the PC doesn't have a CD drive; would I be able to use a pen drive with BartPE?

Anyway, can I delete the task folder stuff?


DrDamnit commented:
BartPE on USB: http://www.911cd.net/forums/index.php?showtopic=10806

Have you tried bootcfg to boot into safe mode? Something like: bootcfg /raw "/safeboot:network" /id 1
 
DrDamnit commented:
Yes, with BartPE and/or safe mode (if the command line gets you to the point where you can boot up in safe mode) you'll be able to delete the task folder stuff.
 
qz8dsw commented:
Can you upload the ComboFix log to ee-stuff.com? (Type in the full path and filename of the log yourself instead of browsing.)
Or, if that does not work, try this: click on Start, then Run, and type in cmd.exe.
Hopefully a command prompt will open up.
Then type in the following command, followed by Enter:
copy <full path and filename of combofix.log> c:\fred.txt

Hopefully now you'll have a file fred.txt in C:\ which you should be able to view/upload.

Terry

rpggamergirl commented:
Yes, you can delete any suspicious tasks or jobs in the windows\tasks folder.
A lot of infections nowadays put files or jobs in the windows\tasks folder.
You can delete them manually, with a batch file, or with a ComboFix CFScript. Do you have a ComboFix log?
If so, then just show us the ComboFix log by uploading it at EE-Stuff.com or at any hosting site.

rpggamergirl commented:
We can also look at the tasks in that folder by running the command below:
-----------------------------------------------------------------------------------------------

rem list every entry in the Tasks folder, hidden ones included (/a, not "/a h")
dir %Windir%\tasks /a > files.txt
notepad files.txt

-----------------------------------------------------------------------------------------------

* Open Notepad, then copy and paste the text between the lines into it.
* Save this as findjobs.bat, choosing to save it as *all files, and place it on your desktop.
* Double-click findjobs.bat and post the content of the txt file you get in your next reply.

keneso (author) commented:
I've deleted all the task .job stuff, save this one
2004-10-01 05:40:32 C:\WINDOWS\Tasks\1-Click Maintenance.job
from the ComboFix log.

But I can't delete
c:\windows\system32\ctfkpjkq.exe

The Kaspersky and Panda logs are older than the ComboFix one.

Like I said, I can't boot in safe mode: the PC is a "Dialogue Flybook", and when hitting F8 it prompts to hit F9 and takes me to the recovery panel, which doesn't have the safe mode option, just the repair system, which would restore the system to its original status, with loss of data.

keneso (author) commented:
Oooops I forgot the link to the logs
http://www.internetetc.it/ee_stuff/mauro/

rpggamergirl commented:
Those jobs are still showing in Kaspersky's log; are you sure they are gone, or did you delete them after the Kaspersky scan?

c:\windows\system32\ctfkpjkq.exe
So you've deleted all those bad jobs, but the above file won't go?

You can use ComboFix to delete it using a CFScript.
Open Notepad and copy/paste the text inside the lines below into it.
---------------------------------------------------------------------------------------

File::
c:\windows\system32\ctfkpjkq.exe

---------------------------------------------------------------------------------------
Save this as CFScript.txt in the same location as ComboFix.exe,
then drag CFScript.txt onto ComboFix.exe.

This will start ComboFix again. Follow the prompts. After the reboot (in case it asks to reboot),



About the registry entry below: I would suggest removing it, meaning deleting the "explorer.exe" subkey under Image File Execution Options.
When or if a scanner removes or deletes the value of "Debugger", which is this file --> c:\windows\system32\kbiseeqf.ver,
you will lose your explorer.exe.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
Debugger="c:\windows\system32\kbiseeqf.ver"

Please do not delete the value of the Debugger without deleting the registry entry first.


rpggamergirl commented:
Can we look at a HijackThis log as well, please?

Also run this tool; let's see what it comes up with.
Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back



Or: download and install AVG Anti-Spyware, also free.
http://free.grisoft.com/doc/download-free-anti-spyware/us/frt/0

rpggamergirl commented:
Never mind SDFix, forgot you can't run in safe mode.

keneso (author) commented:
>>Those jobs are still showing in Kaspersky's log, are you sure they are gone or did you delete them after Kaspersky scan?

Yes, I deleted them after the Kaspersky scan.

I am doing the ComboFix stuff you suggested right now; I'll report back.

keneso (author) commented:
OK, I did the ComboFix stuff, and the new log again shows lots of .job files in windows\tasks, but when I go there, there are only two: the maintenance one and one that, by looking at the properties, seems related to ComboFix. It's this:
C:\windows\tasks\At1 - C:\windows\system32\cmd.exe

There is no key like
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]

>>Please do not delete the value of the Debugger without deleting the registry entry first.

Shall I delete this anyway?
Debugger="c:\windows\system32\kbiseeqf.ver"

I can't run HijackThis; as with the other tools, save ComboFix, when I try to launch it, it closes the folder, or the browser, as it did when I tried to go to HijackThis' site as well.

keneso (author) commented:
OK, I updated
http://www.internetetc.it/ee_stuff/mauro/
with the new logs: HijackThis and ComboFix 02.

keneso (author) commented:
It seems like this

File::
c:\windows\system32\ctfkpjkq.exe

worked: the ctfkpjkq.exe is not there, and besides HijackThis I could run another couple of apps.

I'll get back Monday.

qz8dsw commented:
Open a command prompt (click on Start, then Run, type in cmd.exe and hit Enter).
Type in the following (each line followed by Enter):
%systemdrive%
cd \windows\tasks
dir /ah
Does that show you a lot of .job files?
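Both listings above (rpggamergirl's findjobs.bat and qz8dsw's dir /ah) show the job names, which is the real tell here, but not what each job runs. The script below is an added example, not part of this thread and not ComboFix code: it parses the .job files themselves (the 68-byte fixed header followed by the length-prefixed UTF-16 strings and 48-byte triggers of the XP job format), applies a few triage heuristics, and prints a ComboFix "File::" section of the same form used in this thread for the jobs it flags. It can be pointed at a copy of the Tasks folder taken from the drive under BartPE. The sample .job bytes are constructed inside the script; TRUSTED_DIRS, the random-name heuristic and the Tasks path written into the CFScript are assumptions to adjust.

```python
"""Offline triage of Windows XP Task Scheduler .job files (MS-TSCH 2.4 layout).
Added example for this thread, not code from the thread or from ComboFix.  The
.job bytes below are constructed in-code (SAMPLES); TRUSTED_DIRS, the job-name
heuristic and the default Tasks path in to_cfscript are assumptions to tune."""
import glob, os, re, struct, sys, uuid

FIXED_LEN, TRIGGER_LEN = 68, 48     # fixed header size, size of one trigger
TRIGGER_TYPES = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE",
                 4: "MONTHLYDOW", 5: "ON_IDLE", 6: "AT_SYSTEMSTART", 7: "AT_LOGON"}
# Assumption: directories that legitimate scheduled jobs normally run from.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

def _ustr(data, off):
    """Length-prefixed UTF-16LE string; the length counts chars incl. the NUL."""
    (nchars,) = struct.unpack_from("<H", data, off)
    off += 2
    if nchars == 0:                       # length 0 => no string bytes follow
        return "", off
    end = off + nchars * 2
    return data[off:end].decode("utf-16-le").rstrip("\x00"), end

def parse_job(data):
    """Return what the job runs, with what, from where, and its triggers."""
    if len(data) < FIXED_LEN:
        raise ValueError("too short for a .job file")
    app_off, trig_off = struct.unpack_from("<HH", data, 20)   # header offsets
    job, off = {"uuid": str(uuid.UUID(bytes_le=data[4:20]))}, app_off
    for name in ("app", "params", "workdir", "author", "comment"):
        job[name], off = _ustr(data, off)
    (ntrig,) = struct.unpack_from("<H", data, trig_off)
    job["triggers"] = []
    for i in range(ntrig):
        base = trig_off + 2 + i * TRIGGER_LEN
        interval, _flags, ttype = struct.unpack_from("<III", data, base + 24)
        job["triggers"].append((TRIGGER_TYPES.get(ttype, "UNKNOWN"), interval))
    return job

def triage(job_filename, job):
    """Heuristic reasons a job deserves a look before the folder is wiped."""
    reasons = []
    stem = os.path.splitext(os.path.basename(job_filename))[0]
    if re.fullmatch(r"[a-z]{3,8}", stem):            # adahfed.job, bmc.job ...
        reasons.append("random-looking job name")
    if not job["app"].lower().startswith(TRUSTED_DIRS):
        reasons.append("runs from untrusted directory: " + job["app"])
    if re.search(r"\.(exe|bat|cmd|vbs|js|scr)\b", job["params"], re.I):
        reasons.append("parameters launch a second program: " + job["params"])
    if not job["author"]:
        reasons.append("no author recorded")
    return reasons

def to_cfscript(job_names, tasks_dir="C:\\WINDOWS\\Tasks"):
    """ComboFix 'File::' section for the jobs you decide to remove."""
    return "File::\n" + "".join("%s\\%s\n" % (tasks_dir, n) for n in job_names)

def build_job(app, params="", workdir="", author="", ttype=1, interval=0):
    """Encoder used only to construct SAMPLES (the inverse of parse_job)."""
    def ustr(s):
        return struct.pack("<H", len(s) + 1) + (s + "\x00").encode("utf-16-le") if s else b"\x00\x00"
    var = struct.pack("<H", 0)                        # running instance count
    var += ustr(app) + ustr(params) + ustr(workdir) + ustr(author) + ustr("")
    var += struct.pack("<HH", 0, 0)                   # user data, reserved data
    trig_off = FIXED_LEN + len(var)                   # trigger count goes here
    var += struct.pack("<H", 1) + struct.pack("<10H4I6H", TRIGGER_LEN, 0, 2007, 1, 1,
                       0, 0, 0, 0, 0, 0, interval, 0, ttype, 0, 0, 0, 0, 0, 0)
    fixed = struct.pack("<HH", 0x0500, 1) + uuid.uuid4().bytes_le
    fixed += struct.pack("<6H5I", FIXED_LEN + 2, trig_off, 0, 0, 0, 0, 0x20, 0, 0, 0, 0)
    return fixed + bytes(16) + var                    # 16 zero bytes: LastRunTime

# Constructed SAMPLES, named as they would appear in the Tasks folder.
SAMPLES = {
    "1-Click Maintenance.job": build_job("C:\\Program Files\\ExampleTune\\OneClick.exe",
                                         "/silent", "C:\\Program Files\\ExampleTune", "Administrator"),
    "adahfed.job": build_job("C:\\WINDOWS\\system32\\ctfkpjkq.exe", interval=60),
    "At1.job": build_job("C:\\WINDOWS\\system32\\cmd.exe", author="Administrator", ttype=0),
}

def scan(files):
    """files: {job name: bytes} -> {job name: (parsed fields, triage reasons)}."""
    out = {}
    for name, data in files.items():
        job = parse_job(data)
        out[name] = (job, triage(name, job))
    return out

def scan_directory(path):
    """Read real .job files, e.g. from the infected drive mounted under BartPE."""
    paths = glob.glob(os.path.join(path, "*.job"))
    return scan({os.path.basename(p): open(p, "rb").read() for p in paths})

if __name__ == "__main__":
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLES)
    for name, (job, reasons) in sorted(results.items()):
        print("%-25s %s %s" % (name, job["app"], job["triggers"]))
        for r in reasons:
            print("    ! " + r)
    print(to_cfscript(n for n, (_, r) in sorted(results.items()) if r))
```

Run it with the path of a copy of the Tasks folder as its only argument, or with no argument to see the built-in samples. Note that adahfed.job is flagged on its name and missing author alone: its target lives in system32, so an allowlist of directories by itself would have passed it, which is why the job name and the fields inside the file both matter.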
 
rpggamergirl commented:
>>>Shall I delete this anyway?
Debugger="c:\windows\system32\kbiseeqf.ver"<<<

No, I wouldn't suggest deleting that file without deleting the registry entry; there's a big chance your Explorer will not load.
The ComboFix 02 log is not showing the Image File Execution Options\explorer.exe entry, so just leave it for now.

Let's use ComboFix to delete those bad tasks.
Delete the old CFScript.txt that you already have on your desktop, or just replace it with this new one.

Open Notepad and copy/paste the text inside the lines below into it.
--------------------------------------------------------------------
File::
C:\WINDOWS\Tasks\adahfed.job
C:\WINDOWS\Tasks\aonxkdkl.job
C:\WINDOWS\Tasks\arz.job
C:\WINDOWS\Tasks\baybsgjz.job
C:\WINDOWS\Tasks\bdpu.job
C:\WINDOWS\Tasks\beah.job
C:\WINDOWS\Tasks\bfmctuc.job
C:\WINDOWS\Tasks\bmc.job
C:\WINDOWS\Tasks\bno.job
C:\WINDOWS\Tasks\bntrrq.job
C:\WINDOWS\Tasks\boixrwdu.job
C:\WINDOWS\Tasks\bon.job
C:\WINDOWS\Tasks\burzev.job
C:\WINDOWS\Tasks\bvul.job
C:\WINDOWS\Tasks\cbk.job
C:\WINDOWS\Tasks\cgb.job
C:\WINDOWS\Tasks\chd.job
C:\WINDOWS\Tasks\cpfvyss.job
C:\WINDOWS\Tasks\cpnl.job
C:\WINDOWS\Tasks\cqv.job
C:\WINDOWS\Tasks\crmkdu.job
C:\WINDOWS\Tasks\dapr.job
C:\WINDOWS\Tasks\dbltkqlb.job
C:\WINDOWS\Tasks\ddljksdu.job
C:\WINDOWS\Tasks\dfvgb.job
C:\WINDOWS\Tasks\dgvkpcft.job
C:\WINDOWS\Tasks\dmaeuqz.job
C:\WINDOWS\Tasks\dme.job
C:\WINDOWS\Tasks\dnxqjnze.job
C:\WINDOWS\Tasks\dqdoatjk.job
C:\WINDOWS\Tasks\drn.job
C:\WINDOWS\Tasks\eahbxvel.job
C:\WINDOWS\Tasks\eddezqn.job
C:\WINDOWS\Tasks\eiit.job
C:\WINDOWS\Tasks\emjhpe.job
C:\WINDOWS\Tasks\enhxics.job
C:\WINDOWS\Tasks\epjrp.job
C:\WINDOWS\Tasks\epws.job
C:\WINDOWS\Tasks\eth.job
C:\WINDOWS\Tasks\fadztdhu.job
C:\WINDOWS\Tasks\fcw.job
C:\WINDOWS\Tasks\fgztqp.job
C:\WINDOWS\Tasks\fiuc.job
C:\WINDOWS\Tasks\fvztxqzj.job
C:\WINDOWS\Tasks\fwmjml.job
C:\WINDOWS\Tasks\fzfuzwg.job
C:\WINDOWS\Tasks\gdqayt.job
C:\WINDOWS\Tasks\ghjlmmig.job
C:\WINDOWS\Tasks\gibumgcu.job
C:\WINDOWS\Tasks\gshk.job
C:\WINDOWS\Tasks\gtcxjp.job
C:\WINDOWS\Tasks\guwouw.job
C:\WINDOWS\Tasks\haccsa.job
C:\WINDOWS\Tasks\hdphn.job
C:\WINDOWS\Tasks\hek.job
C:\WINDOWS\Tasks\hganeudw.job
C:\WINDOWS\Tasks\hlji.job
C:\WINDOWS\Tasks\hoahd.job
C:\WINDOWS\Tasks\hrcv.job
C:\WINDOWS\Tasks\hwdsuvkg.job
C:\WINDOWS\Tasks\hyjd.job
C:\WINDOWS\Tasks\ifbqgwc.job
C:\WINDOWS\Tasks\ikastvr.job
C:\WINDOWS\Tasks\ikfliv.job
C:\WINDOWS\Tasks\inazxt.job
C:\WINDOWS\Tasks\irdrecw.job
C:\WINDOWS\Tasks\iyeoiap.job
C:\WINDOWS\Tasks\jdagoym.job
C:\WINDOWS\Tasks\jjz.job
C:\WINDOWS\Tasks\jlft.job
C:\WINDOWS\Tasks\jmktn.job
C:\WINDOWS\Tasks\jpztls.job
C:\WINDOWS\Tasks\jujs.job
C:\WINDOWS\Tasks\jwha.job
C:\WINDOWS\Tasks\jza.job
C:\WINDOWS\Tasks\klqpur.job
C:\WINDOWS\Tasks\kncnsi.job
C:\WINDOWS\Tasks\lcvwjv.job
C:\WINDOWS\Tasks\les.job
C:\WINDOWS\Tasks\lesxw.job
C:\WINDOWS\Tasks\lht.job
C:\WINDOWS\Tasks\lhtxbhbv.job
C:\WINDOWS\Tasks\llyl.job
C:\WINDOWS\Tasks\lnqjk.job
C:\WINDOWS\Tasks\lnrmoqzz.job
C:\WINDOWS\Tasks\lqcsrfwy.job
C:\WINDOWS\Tasks\lqucv.job
C:\WINDOWS\Tasks\lwwaq.job
C:\WINDOWS\Tasks\mhh.job
C:\WINDOWS\Tasks\mjgbrpk.job
C:\WINDOWS\Tasks\mkeok.job
C:\WINDOWS\Tasks\mkjzxkui.job
C:\WINDOWS\Tasks\mmscxyw.job
C:\WINDOWS\Tasks\mswwpv.job
C:\WINDOWS\Tasks\mycas.job
C:\WINDOWS\Tasks\ndepmn.job
C:\WINDOWS\Tasks\nfimjjs.job
C:\WINDOWS\Tasks\nfsix.job
C:\WINDOWS\Tasks\ngtptgpt.job
C:\WINDOWS\Tasks\njp.job
C:\WINDOWS\Tasks\nmud.job
C:\WINDOWS\Tasks\nndt.job
C:\WINDOWS\Tasks\nopys.job
C:\WINDOWS\Tasks\now.job
C:\WINDOWS\Tasks\nqbrmvmx.job
C:\WINDOWS\Tasks\nrwzct.job
C:\WINDOWS\Tasks\nszchcjy.job
C:\WINDOWS\Tasks\ntuvpw.job
C:\WINDOWS\Tasks\nuyar.job
C:\WINDOWS\Tasks\nvv.job
C:\WINDOWS\Tasks\nxggf.job
C:\WINDOWS\Tasks\oagbop.job
C:\WINDOWS\Tasks\ockt.job
C:\WINDOWS\Tasks\odusjgd.job
C:\WINDOWS\Tasks\ojlrozw.job
C:\WINDOWS\Tasks\olpecnx.job
C:\WINDOWS\Tasks\omh.job
C:\WINDOWS\Tasks\ospucsfy.job
C:\WINDOWS\Tasks\pdwe.job
C:\WINDOWS\Tasks\pgeszf.job
C:\WINDOWS\Tasks\pgxvuw.job
C:\WINDOWS\Tasks\phyqr.job
C:\WINDOWS\Tasks\pjsmq.job
C:\WINDOWS\Tasks\pma.job
C:\WINDOWS\Tasks\pnbbofdc.job
C:\WINDOWS\Tasks\poui.job
C:\WINDOWS\Tasks\poynlc.job
C:\WINDOWS\Tasks\pqqpfir.job
C:\WINDOWS\Tasks\pzclyjql.job
C:\WINDOWS\Tasks\qak.job
C:\WINDOWS\Tasks\qbtd.job
C:\WINDOWS\Tasks\qeg.job
C:\WINDOWS\Tasks\qeinhuv.job
C:\WINDOWS\Tasks\qkza.job
C:\WINDOWS\Tasks\qnikg.job
C:\WINDOWS\Tasks\qtvj.job
C:\WINDOWS\Tasks\ramnro.job
C:\WINDOWS\Tasks\rccpai.job
C:\WINDOWS\Tasks\rlfus.job
C:\WINDOWS\Tasks\rlznjud.job
C:\WINDOWS\Tasks\rmcg.job
C:\WINDOWS\Tasks\rmgzn.job
C:\WINDOWS\Tasks\rrhcectp.job
C:\WINDOWS\Tasks\rsa.job
C:\WINDOWS\Tasks\rugsd.job
C:\WINDOWS\Tasks\runefn.job
C:\WINDOWS\Tasks\sbnsc.job
C:\WINDOWS\Tasks\scj.job
C:\WINDOWS\Tasks\snstx.job
C:\WINDOWS\Tasks\ssbwojvg.job
C:\WINDOWS\Tasks\taxunc.job
C:\WINDOWS\Tasks\tcqbxjab.job
C:\WINDOWS\Tasks\tfbyy.job
C:\WINDOWS\Tasks\tfjhlvn.job
C:\WINDOWS\Tasks\tjgve.job
C:\WINDOWS\Tasks\tvbgozz.job
C:\WINDOWS\Tasks\two.job
C:\WINDOWS\Tasks\uajdmjn.job
C:\WINDOWS\Tasks\unuf.job
C:\WINDOWS\Tasks\uqfghqtf.job
C:\WINDOWS\Tasks\uqhrei.job
C:\WINDOWS\Tasks\usa.job
C:\WINDOWS\Tasks\uvgcxxye.job
C:\WINDOWS\Tasks\uxrb.job
C:\WINDOWS\Tasks\vixru.job
C:\WINDOWS\Tasks\vjavtfs.job
C:\WINDOWS\Tasks\vlyuscp.job
C:\WINDOWS\Tasks\voeqek.job
C:\WINDOWS\Tasks\vssy.job
C:\WINDOWS\Tasks\vuwmppdl.job
C:\WINDOWS\Tasks\vxrrw.job
C:\WINDOWS\Tasks\waqz.job
C:\WINDOWS\Tasks\wdx.job
C:\WINDOWS\Tasks\wey.job
C:\WINDOWS\Tasks\wflcqv.job
C:\WINDOWS\Tasks\wvdlko.job
C:\WINDOWS\Tasks\wvhya.job
C:\WINDOWS\Tasks\wxwu.job
C:\WINDOWS\Tasks\xelahm.job
C:\WINDOWS\Tasks\xnbxhs.job
C:\WINDOWS\Tasks\xqq.job
C:\WINDOWS\Tasks\xxkzcg.job
C:\WINDOWS\Tasks\xzmu.job
C:\WINDOWS\Tasks\ycecc.job
C:\WINDOWS\Tasks\ycrgudj.job
C:\WINDOWS\Tasks\ydta.job
C:\WINDOWS\Tasks\yfb.job
C:\WINDOWS\Tasks\yfjfpgd.job
C:\WINDOWS\Tasks\yteotk.job
C:\WINDOWS\Tasks\yzmluu.job
C:\WINDOWS\Tasks\zex.job
C:\WINDOWS\Tasks\zgbls.job
C:\WINDOWS\Tasks\zorfjtb.job
C:\WINDOWS\Tasks\ztisf.job
C:\WINDOWS\Tasks\zzyoevh.job
--------------------------------------------------------------------
Save this as CFScript.txt in the same location as ComboFix.exe,
then drag CFScript.txt onto ComboFix.exe.

This will start ComboFix again. Follow the prompts. After the reboot (in case it asks to reboot), please upload the result.




About the registry entry below: did you set up your external drive/USB/thumb drive to autorun the command of this file --> "setup.exe"? Do you know what that file is?

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32af14e2-b386-11db-9865-81ed23c290cd}]
AutoRun\command- E:\setup.exe


Can you work in safe mode yet?
If so, try running SDFix and MSN Cleaner; let's check what they find.
1.  Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back


2.  Download MsnCleaner_eng.zip but don't use it yet.
http://www.forospyware.com/Msncleaner/MsnCleaner_eng.zip

Now reboot into Safe Mode
Double-click MsnCleaner_eng.exe to run it.
Click the Analyze button.
A report will be created once the scan finishes.
If it finds an infection, click the Deleted button.
Now, please reboot back to normal mode.
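The two registry entries rpggamergirl points at in this thread, the Image File Execution Options "Debugger" value for explorer.exe in her earlier comment and the MountPoints2 AutoRun command for E:\setup.exe just above, can both be reviewed offline from a .reg export of the relevant hives rather than by hand in regedit. The script below is an added example, not from this thread or from any tool it names: it parses a .reg export (regedit or "reg export"), reports IFEO Debugger values that do not point at a known debugger and AutoRun commands under MountPoints2, and writes a .reg that deletes those subkeys, which is the order rpggamergirl recommends (remove the key first, only then the file it names). KNOWN_DEBUGGERS is an assumption, and SAMPLE_REG is constructed from the paths quoted in the thread.

```python
"""Offline review of a registry export for the two persistence entries quoted in
this thread: an Image File Execution Options "Debugger" hijack of explorer.exe
and a MountPoints2 AutoRun command for a removable drive.

Added example for this thread, not code from the thread or from any tool it
names.  It works on a .reg text export (regedit, or "reg export"), so it can be
run against a copy taken from the infected drive.  KNOWN_DEBUGGERS is an
assumption, and SAMPLE_REG is constructed here from the paths the thread quotes.
"""
import sys

IFEO = ("hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\"
        "image file execution options\\")
MOUNTPOINTS = "\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\"
# Assumption: programs a legitimate IFEO Debugger value might point at.
KNOWN_DEBUGGERS = ("ntsd.exe", "windbg.exe", "vsjitdebugger.exe", "drwtsn32.exe")


def load_reg(path):
    """Read a .reg file; regedit writes UTF-16LE with a BOM, older tools ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")


def parse_reg(text):
    """Parse a .reg export into {key path: {value name: data}}.
    Key paths keep their case; string data is unescaped, dword/hex kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')   # "@" is the default value
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_ifeo_hijacks(keys):
    """(image name, debugger) for IFEO Debugger values not naming a known debugger."""
    hits = []
    for key, values in keys.items():
        if not key.lower().startswith(IFEO):
            continue
        dbg = next((d for n, d in values.items() if n.lower() == "debugger"), None)
        if dbg is None:
            continue
        exe = (dbg.split() or [""])[0].strip('"').lower().rsplit("\\", 1)[-1]
        if exe not in KNOWN_DEBUGGERS:
            hits.append((key[len(IFEO):], dbg))
    return hits


def find_autorun_commands(keys):
    """(key, command) for MountPoints2\\{volume}\\Shell\\AutoRun\\command defaults."""
    return [(key, values["@"]) for key, values in keys.items()
            if MOUNTPOINTS in key.lower()
            and key.lower().endswith("\\shell\\autorun\\command") and "@" in values]


def removal_reg(ifeo_hits, autorun_hits):
    """A .reg that deletes the offending keys ([-KEY] removes a key).
    Remove the IFEO subkey first: once it is gone, deleting the fake debugger
    file no longer leaves explorer.exe redirected to a program that does not exist."""
    ifeo_key = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
                "Image File Execution Options\\")
    lines = ["Windows Registry Editor Version 5.00", ""]
    lines += ["[-%s%s]" % (ifeo_key, image) for image, _ in ifeo_hits]
    lines += ["[-%s]" % key for key, _ in autorun_hits]
    return "\n".join(lines) + "\n"


# Constructed SAMPLE export using the entries quoted in this thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="c:\\windows\\system32\\kbiseeqf.ver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"GlobalFlag"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{32af14e2-b386-11db-9865-81ed23c290cd}\Shell\AutoRun\command]
@="E:\\setup.exe"
"""


def review(text):
    """Return (IFEO hijacks, AutoRun commands) found in a .reg export."""
    keys = parse_reg(text)
    return find_ifeo_hijacks(keys), find_autorun_commands(keys)


if __name__ == "__main__":
    ifeo, autorun = review(load_reg(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG)
    for image, dbg in ifeo:
        print("IFEO hijack: %s -> %s" % (image, dbg))
    for key, cmd in autorun:
        print("AutoRun command: %s -> %s" % (key, cmd))
    print(removal_reg(ifeo, autorun))
```

Export the two hives first (for example "reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options ifeo.reg" and the HKCU MountPoints2 key), then run the script on each export. Merge the generated .reg, and only then delete the file the Debugger value named; in the opposite order explorer.exe stays redirected to a missing program, which is the failure rpggamergirl warns about.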
 
keneso (author) commented:
>>qz8dsw

It did show a few; I tried del whatever.job, but it would say "file not found".

I did rpggamergirl's suggestion again with ComboFix, and now the system appears to be clean; I got and installed Kaspersky AV.

Thank you all for the time and effort; rpggamergirl gets the goodies.

rpggamergirl commented:
Glad to know the problem has been resolved.

Thanks!
Question has a verified solution.
