Solved

windows/task stuff

Posted on 2007-11-23
20
403 Views
Last Modified: 2010-04-02
Hi,

I have an infected system (xp), it won't let me launch any tool, as soon as I go to the folder which contains the cleaning tools, it shuts the folder.
I tried some online scanners, but not much help, one sees the system clean, another keeps cleaning it from a virus, and one reports a long list of locked objects, which are partly the same as the combofix log (I could run it once, after which the folder keeps shutting).

My question is can I delete all the stuff in the windows/tasks folder? Most of them are .job extension

Or if you can think of some solution.

System restore is off, and I can't work in safe mode.

Thank you
0
Question by:keneso
20 Comments
 
LVL 32

Expert Comment

by:DrDamnit
ID: 20340018
Hello keneso,

You're going to need to boot up with BartPE, and run a command line virus scanner. You can also kill stuff that is starting up from BartPE by doing a remote edit of the registry. Once you get that done, you'll need to start up in safe mode and run smitfraudfix.

Regards,

DrDamnit
0
 
LVL 7

Author Comment

by:keneso
ID: 20340087
Thank you.

Unfortunately, as I said, I can't work in safe mode, and the PC doesn't have a CD drive. Would I be able to use a pen drive with BartPE?

Anyway, can I delete the task folder stuff?

0
 
LVL 32

Expert Comment

by:DrDamnit
ID: 20340151
BartPE on USB: http://www.911cd.net/forums/index.php?showtopic=10806

Have you tried bootcfg to boot in safe mode? Something like: bootcfg /raw /safeboot:network /id 1
0
 
LVL 32

Expert Comment

by:DrDamnit
ID: 20340156
Yes, with BartPE and / or safemode (if the command line will get you to be able to boot up in safe mode) you'll be able to delete the task folder stuff.
0
 
LVL 15

Expert Comment

by:qz8dsw
ID: 20340413
Can you upload the combofix log to ee-stuff.com (type in the full path and filename to the log yourself instead of browsing)?
Or, if that does not work, try this: click on Start, then Run, and type in cmd.exe.
Hopefully a command prompt will open up.
Then type in the following command followed by an Enter:
copy <full path and filename of combofix.log> c:\fred.txt

Hopefully now you'll have a file fred.txt in C:\ which you should be able to view/upload

Terry
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20340581
Yes, you can delete any suspicious tasks or jobs in the windows\tasks folder.
A lot of infections nowadays have files or jobs in the windows\tasks folder.
You can delete them manually, using a batch file, or using Combofix CFScript. Do you have a combofix log?
If so, then just show us the combofix log by uploading the log at EE-Stuff.com or at any hosting site.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20340596
We can also look at the tasks in that folder by running this command below:
-----------------------------------------------------------------------------------------------

dir %Windir%\tasks /a h > files.txt
notepad files.txt

-----------------------------------------------------------------------------------------------

* Open notepad, then copy and paste the text between the lines into it.
* Save this as findjobs.bat, choose to save it as *all files, and place it on your desktop.
* Double-click on findjobs.bat and post the content of the text file you get in your next reply.
0
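The findjobs.bat listing above only shows file names. A responder usually also wants to know what each .job actually launches, whether it is hidden, and when it last ran, since a folder full of random-looking names is exactly what keneso describes. The following Python is an added example, not code from the thread or from ComboFix: it decodes the .job file format as documented in Microsoft's MS-TSCH specification (68-byte FIXDLEN_DATA header, counted UTF-16LE strings, 48-byte trigger records) and applies a few cheap triage heuristics. The sample .job files are constructed in the script itself; the maintenance program path is a placeholder, while the At1 and bvul names mirror entries quoted later in the thread.

```python
"""Parse Windows XP Task Scheduler .job files (what a listing of %Windir%\\Tasks
shows) and report what each task runs.  Layout follows the MS-TSCH .JOB format:
a 68-byte FIXDLEN_DATA header, then counted UTF-16LE strings and 48-byte
trigger records.  All sample files here are constructed, not from the thread."""
import glob
import os
import struct
import uuid

HEADER_LEN = 68                   # FIXDLEN_DATA
TRIGGER_LEN = 48                  # one TRIGGER record
TASK_FLAG_HIDDEN = 0x00000200     # TASK_FLAG_HIDDEN from mstask.h
TRIGGER_TYPES = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE",
                 4: "MONTHLYDOW", 5: "ON_IDLE", 6: "AT_SYSTEMSTART", 7: "AT_LOGON"}


def _read_string(buf, pos):
    """Counted string: 16-bit character count (NUL included), then UTF-16LE text."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    if count == 0:
        return "", pos
    return buf[pos:pos + 2 * count].decode("utf-16-le").rstrip("\x00"), pos + 2 * count


def parse_job(buf):
    """Decode one .job file into the fields a responder cares about."""
    if len(buf) < HEADER_LEN + 2:
        raise ValueError("truncated .job header")
    app_off, trig_off = struct.unpack_from("<HH", buf, 20)   # offsets into the variable part
    flags = struct.unpack_from("<I", buf, 48)[0]
    y, mo, _dow, d, h, mi, s, _ms = struct.unpack_from("<8H", buf, 52)  # last run, SYSTEMTIME
    pos = app_off
    app, pos = _read_string(buf, pos)
    params, pos = _read_string(buf, pos)
    workdir, pos = _read_string(buf, pos)
    author, pos = _read_string(buf, pos)
    comment, pos = _read_string(buf, pos)
    (ntrig,) = struct.unpack_from("<H", buf, trig_off)
    triggers = []
    for i in range(ntrig):                                   # trigger type sits at +32 in each record
        ttype = struct.unpack_from("<I", buf, trig_off + 2 + i * TRIGGER_LEN + 32)[0]
        triggers.append(TRIGGER_TYPES.get(ttype, "UNKNOWN(%d)" % ttype))
    return {"uuid": str(uuid.UUID(bytes_le=bytes(buf[4:20]))), "app": app, "params": params,
            "workdir": workdir, "author": author, "comment": comment, "triggers": triggers,
            "hidden": bool(flags & TASK_FLAG_HIDDEN),
            "last_run": "%04d-%02d-%02d %02d:%02d:%02d" % (y, mo, d, h, mi, s) if y else "never"}


def triage(job):
    """Cheap heuristics to rank the listing; anything flagged deserves a closer look."""
    reasons = []
    if job["hidden"]:
        reasons.append("hidden task")
    if job["app"].lower().endswith("\\cmd.exe"):
        reasons.append("runs cmd.exe " + job["params"])
    if not job["author"] and not job["comment"]:
        reasons.append("no author or comment")
    return reasons


def scan_tasks_folder(folder):
    """Parse every .job in a folder such as C:\\WINDOWS\\Tasks -> {name: (job, reasons)}."""
    report = {}
    for path in glob.glob(os.path.join(folder, "*.job")):
        with open(path, "rb") as fh:
            job = parse_job(fh.read())
        report[os.path.basename(path)] = (job, triage(job))
    return report


def _string(text):
    """Encode a counted UTF-16LE string (only used to build the constructed samples)."""
    if not text:
        return struct.pack("<H", 0)
    return struct.pack("<H", len(text) + 1) + (text + "\x00").encode("utf-16-le")


def build_job(app, params="", author="", comment="", flags=0, trigger_type=7):
    """Assemble a minimal, well-formed .job file for the constructed samples."""
    body = struct.pack("<H", 0)                         # running instance count
    app_off = HEADER_LEN + len(body)
    body += _string(app) + _string(params) + _string("") + _string(author) + _string(comment)
    body += struct.pack("<HH", 0, 0)                    # empty user data and reserved data
    trig_off = HEADER_LEN + len(body)
    trigger = struct.pack("<10H4I", TRIGGER_LEN, 0, 2007, 11, 23, 0, 0, 0, 0, 0,
                          0, 0, 0, trigger_type) + b"\x00" * 12
    body += struct.pack("<H", 1) + trigger              # one trigger
    header = struct.pack("<HH", 0x0500, 1) + uuid.uuid4().bytes_le
    header += struct.pack("<6H5I", app_off, trig_off, 0, 0, 0, 0, 0x20, 0, 0, 0, flags)
    header += struct.pack("<8H", 2007, 11, 5, 23, 9, 30, 0, 0)   # last run 2007-11-23 09:30:00
    return header + body


SAMPLES = {   # constructed; the maintenance path is a placeholder, the other two mirror the thread
    "1-Click Maintenance.job": build_job(r"C:\Program Files\Example Maintenance\maint.exe",
                                         "/silent", author="vendor", comment="placeholder task"),
    "At1.job": build_job(r"C:\WINDOWS\system32\cmd.exe", "/c echo constructed"),
    "bvul.job": build_job(r"C:\WINDOWS\system32\ctfkpjkq.exe", flags=TASK_FLAG_HIDDEN),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        job = parse_job(raw)
        print("%-26s %s %s" % (name, job["app"], job["params"]))
        print("    hidden=%s last_run=%s triggers=%s flagged=%s"
              % (job["hidden"], job["last_run"], job["triggers"], triage(job) or "-"))
```

On a real machine, call scan_tasks_folder(r"C:\WINDOWS\Tasks") and sort by the reasons list; a task that is hidden, authorless and points at an executable with a random name in system32 is the pattern this thread is cleaning up. The heuristics are deliberately simple and are meant to prioritise, not to decide.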
 
LVL 7

Author Comment

by:keneso
ID: 20342297
I've deleted all the task .job stuff, save this one
2004-10-01 05:40:32 C:\WINDOWS\Tasks\1-Click Maintenance.job
from the combofix log.

But I can't delete the
c:\windows\system32\ctfkpjkq.exe

The Kaspersky and Panda logs are older than the combofix one.

Like I said, I can't boot in safe mode: the PC is a "dialogue flybook", and when hitting F8 it prompts to hit F9 and takes me to the recovery panel, which doesn't have the safe mode option, just the repair system, which would restore the system to original status, with loss of data.
0
 
LVL 7

Author Comment

by:keneso
ID: 20342393
Oooops I forgot the link to the logs
http://www.internetetc.it/ee_stuff/mauro/
0
 
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 400 total points
ID: 20342640
Those jobs are still showing in Kaspersky's log, are you sure they are gone or did you delete them after Kaspersky scan?

c:\windows\system32\ctfkpjkq.exe
So you've deleted all those bad jobs, but the above file won't go?

You can use Combofix to delete it using CFScript.
Open notepad and copy/paste the text inside the lines below into it
---------------------------------------------------------------------------------------

File::
c:\windows\system32\ctfkpjkq.exe

---------------------------------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe
then drag CFScript.txt into ComboFix.exe

This will start ComboFix again. Follow the prompts. After reboot, (in case it asks to reboot)



This registry entry below, I would suggest removing it, meaning deleting the "explorer.exe" subkey under Image File Execution Options.
When or if a scanner removes or deletes the value of the "Debugger", which is this file --> c:\windows\system32\kbiseeqf.ver,
you will lose your explorer.exe.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
Debugger="c:\windows\system32\kbiseeqf.ver"

Please do not delete the value of the Debugger without deleting the registry entry first.

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20342646
Can we look at a hijackthis log as well please?

Also run this tool, let's see what it comes up with.
Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back



OR:, download and install AVG Antispyware, also free.
http://free.grisoft.com/doc/download-free-anti-spyware/us/frt/0
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20342649
Never mind SDFix, forgot you can't run in safe mode.
0
 
LVL 7

Author Comment

by:keneso
ID: 20342966
>>Those jobs are still showing in Kaspersky's log, are you sure they are gone or did you delete them after Kaspersky scan?

Yes I deleted them after the kaspersky scan.

I am doing the combofix stuff you suggested right now, I'll report back.
0
 
LVL 7

Author Comment

by:keneso
ID: 20343019
Ok, I did the combofix stuff, and the new log again shows lots of .job files in windows\tasks, but when I go there, there are only two: the maintenance one, and one that, by looking in the properties, seems related to combofix. It's this:
C:\windows\tasks\At1 - C:\windows\system32\cmd.exe

There is no key like
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]

>>Please do not delete the value of the Debugger without deleting the registry entry first.

Shall I delete this anyway?
Debugger="c:\windows\system32\kbiseeqf.ver"

Can't run hijackthis: like other tools, save combofix, when I try to launch it, it closes the folder, or the browser, as happened when I tried to go to hijackthis' site as well.
0
 
LVL 7

Author Comment

by:keneso
ID: 20343098
Ok, I updated
http://www.internetetc.it/ee_stuff/mauro/
with the new logs: hijackthis, and combofix 02
0
 
LVL 7

Author Comment

by:keneso
ID: 20343368
It seems like this

File::
c:\windows\system32\ctfkpjkq.exe

worked: the ctfkpjkq.exe is not there, and I could run, besides hijackthis, another couple of apps.

I'll get back monday.
0
 
LVL 15

Expert Comment

by:qz8dsw
ID: 20343534
Open a command prompt (Click on start, then run and type in cmd.exe then hit enter)
Type in the following (each line followed by an enter)
%systemdrive%
cd \windows\tasks
dir /ah
Does that show you a lot of .job files?
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 400 total points
ID: 20344305
>>>Shall I delete this anyway?
Debugger="c:\windows\system32\kbiseeqf.ver"<<<

No, I wouldn't suggest deleting that file without deleting the registry entry; there is a big chance that your explorer will not load.
Combofix 02 log is not showing the Image File Execution Options\explorer.exe entry, so just leave it for now.

Let's use Combofix to delete those bad tasks.
Delete the old CFScript.txt that you already have on your desktop, or just replace it with this new one.

Open notepad and copy/paste the text inside the lines below into it.
--------------------------------------------------------------------
File::
C:\WINDOWS\Tasks\adahfed.job
C:\WINDOWS\Tasks\aonxkdkl.job
C:\WINDOWS\Tasks\arz.job
C:\WINDOWS\Tasks\baybsgjz.job
C:\WINDOWS\Tasks\bdpu.job
C:\WINDOWS\Tasks\beah.job
C:\WINDOWS\Tasks\bfmctuc.job
C:\WINDOWS\Tasks\bmc.job
C:\WINDOWS\Tasks\bno.job
C:\WINDOWS\Tasks\bntrrq.job
C:\WINDOWS\Tasks\boixrwdu.job
C:\WINDOWS\Tasks\bon.job
C:\WINDOWS\Tasks\burzev.job
C:\WINDOWS\Tasks\bvul.job
C:\WINDOWS\Tasks\cbk.job
C:\WINDOWS\Tasks\cgb.job
C:\WINDOWS\Tasks\chd.job
C:\WINDOWS\Tasks\cpfvyss.job
C:\WINDOWS\Tasks\cpnl.job
C:\WINDOWS\Tasks\cqv.job
C:\WINDOWS\Tasks\crmkdu.job
C:\WINDOWS\Tasks\dapr.job
C:\WINDOWS\Tasks\dbltkqlb.job
C:\WINDOWS\Tasks\ddljksdu.job
C:\WINDOWS\Tasks\dfvgb.job
C:\WINDOWS\Tasks\dgvkpcft.job
C:\WINDOWS\Tasks\dmaeuqz.job
C:\WINDOWS\Tasks\dme.job
C:\WINDOWS\Tasks\dnxqjnze.job
C:\WINDOWS\Tasks\dqdoatjk.job
C:\WINDOWS\Tasks\drn.job
C:\WINDOWS\Tasks\eahbxvel.job
C:\WINDOWS\Tasks\eddezqn.job
C:\WINDOWS\Tasks\eiit.job
C:\WINDOWS\Tasks\emjhpe.job
C:\WINDOWS\Tasks\enhxics.job
C:\WINDOWS\Tasks\epjrp.job
C:\WINDOWS\Tasks\epws.job
C:\WINDOWS\Tasks\eth.job
C:\WINDOWS\Tasks\fadztdhu.job
C:\WINDOWS\Tasks\fcw.job
C:\WINDOWS\Tasks\fgztqp.job
C:\WINDOWS\Tasks\fiuc.job
C:\WINDOWS\Tasks\fvztxqzj.job
C:\WINDOWS\Tasks\fwmjml.job
C:\WINDOWS\Tasks\fzfuzwg.job
C:\WINDOWS\Tasks\gdqayt.job
C:\WINDOWS\Tasks\ghjlmmig.job
C:\WINDOWS\Tasks\gibumgcu.job
C:\WINDOWS\Tasks\gshk.job
C:\WINDOWS\Tasks\gtcxjp.job
C:\WINDOWS\Tasks\guwouw.job
C:\WINDOWS\Tasks\haccsa.job
C:\WINDOWS\Tasks\hdphn.job
C:\WINDOWS\Tasks\hek.job
C:\WINDOWS\Tasks\hganeudw.job
C:\WINDOWS\Tasks\hlji.job
C:\WINDOWS\Tasks\hoahd.job
C:\WINDOWS\Tasks\hrcv.job
C:\WINDOWS\Tasks\hwdsuvkg.job
C:\WINDOWS\Tasks\hyjd.job
C:\WINDOWS\Tasks\ifbqgwc.job
C:\WINDOWS\Tasks\ikastvr.job
C:\WINDOWS\Tasks\ikfliv.job
C:\WINDOWS\Tasks\inazxt.job
C:\WINDOWS\Tasks\irdrecw.job
C:\WINDOWS\Tasks\iyeoiap.job
C:\WINDOWS\Tasks\jdagoym.job
C:\WINDOWS\Tasks\jjz.job
C:\WINDOWS\Tasks\jlft.job
C:\WINDOWS\Tasks\jmktn.job
C:\WINDOWS\Tasks\jpztls.job
C:\WINDOWS\Tasks\jujs.job
C:\WINDOWS\Tasks\jwha.job
C:\WINDOWS\Tasks\jza.job
C:\WINDOWS\Tasks\klqpur.job
C:\WINDOWS\Tasks\kncnsi.job
C:\WINDOWS\Tasks\lcvwjv.job
C:\WINDOWS\Tasks\les.job
C:\WINDOWS\Tasks\lesxw.job
C:\WINDOWS\Tasks\lht.job
C:\WINDOWS\Tasks\lhtxbhbv.job
C:\WINDOWS\Tasks\llyl.job
C:\WINDOWS\Tasks\lnqjk.job
C:\WINDOWS\Tasks\lnrmoqzz.job
C:\WINDOWS\Tasks\lqcsrfwy.job
C:\WINDOWS\Tasks\lqucv.job
C:\WINDOWS\Tasks\lwwaq.job
C:\WINDOWS\Tasks\mhh.job
C:\WINDOWS\Tasks\mjgbrpk.job
C:\WINDOWS\Tasks\mkeok.job
C:\WINDOWS\Tasks\mkjzxkui.job
C:\WINDOWS\Tasks\mmscxyw.job
C:\WINDOWS\Tasks\mswwpv.job
C:\WINDOWS\Tasks\mycas.job
C:\WINDOWS\Tasks\ndepmn.job
C:\WINDOWS\Tasks\nfimjjs.job
C:\WINDOWS\Tasks\nfsix.job
C:\WINDOWS\Tasks\ngtptgpt.job
C:\WINDOWS\Tasks\njp.job
C:\WINDOWS\Tasks\nmud.job
C:\WINDOWS\Tasks\nndt.job
C:\WINDOWS\Tasks\nopys.job
C:\WINDOWS\Tasks\now.job
C:\WINDOWS\Tasks\nqbrmvmx.job
C:\WINDOWS\Tasks\nrwzct.job
C:\WINDOWS\Tasks\nszchcjy.job
C:\WINDOWS\Tasks\ntuvpw.job
C:\WINDOWS\Tasks\nuyar.job
C:\WINDOWS\Tasks\nvv.job
C:\WINDOWS\Tasks\nxggf.job
C:\WINDOWS\Tasks\oagbop.job
C:\WINDOWS\Tasks\ockt.job
C:\WINDOWS\Tasks\odusjgd.job
C:\WINDOWS\Tasks\ojlrozw.job
C:\WINDOWS\Tasks\olpecnx.job
C:\WINDOWS\Tasks\omh.job
C:\WINDOWS\Tasks\ospucsfy.job
C:\WINDOWS\Tasks\pdwe.job
C:\WINDOWS\Tasks\pgeszf.job
C:\WINDOWS\Tasks\pgxvuw.job
C:\WINDOWS\Tasks\phyqr.job
C:\WINDOWS\Tasks\pjsmq.job
C:\WINDOWS\Tasks\pma.job
C:\WINDOWS\Tasks\pnbbofdc.job
C:\WINDOWS\Tasks\poui.job
C:\WINDOWS\Tasks\poynlc.job
C:\WINDOWS\Tasks\pqqpfir.job
C:\WINDOWS\Tasks\pzclyjql.job
C:\WINDOWS\Tasks\qak.job
C:\WINDOWS\Tasks\qbtd.job
C:\WINDOWS\Tasks\qeg.job
C:\WINDOWS\Tasks\qeinhuv.job
C:\WINDOWS\Tasks\qkza.job
C:\WINDOWS\Tasks\qnikg.job
C:\WINDOWS\Tasks\qtvj.job
C:\WINDOWS\Tasks\ramnro.job
C:\WINDOWS\Tasks\rccpai.job
C:\WINDOWS\Tasks\rlfus.job
C:\WINDOWS\Tasks\rlznjud.job
C:\WINDOWS\Tasks\rmcg.job
C:\WINDOWS\Tasks\rmgzn.job
C:\WINDOWS\Tasks\rrhcectp.job
C:\WINDOWS\Tasks\rsa.job
C:\WINDOWS\Tasks\rugsd.job
C:\WINDOWS\Tasks\runefn.job
C:\WINDOWS\Tasks\sbnsc.job
C:\WINDOWS\Tasks\scj.job
C:\WINDOWS\Tasks\snstx.job
C:\WINDOWS\Tasks\ssbwojvg.job
C:\WINDOWS\Tasks\taxunc.job
C:\WINDOWS\Tasks\tcqbxjab.job
C:\WINDOWS\Tasks\tfbyy.job
C:\WINDOWS\Tasks\tfjhlvn.job
C:\WINDOWS\Tasks\tjgve.job
C:\WINDOWS\Tasks\tvbgozz.job
C:\WINDOWS\Tasks\two.job
C:\WINDOWS\Tasks\uajdmjn.job
C:\WINDOWS\Tasks\unuf.job
C:\WINDOWS\Tasks\uqfghqtf.job
C:\WINDOWS\Tasks\uqhrei.job
C:\WINDOWS\Tasks\usa.job
C:\WINDOWS\Tasks\uvgcxxye.job
C:\WINDOWS\Tasks\uxrb.job
C:\WINDOWS\Tasks\vixru.job
C:\WINDOWS\Tasks\vjavtfs.job
C:\WINDOWS\Tasks\vlyuscp.job
C:\WINDOWS\Tasks\voeqek.job
C:\WINDOWS\Tasks\vssy.job
C:\WINDOWS\Tasks\vuwmppdl.job
C:\WINDOWS\Tasks\vxrrw.job
C:\WINDOWS\Tasks\waqz.job
C:\WINDOWS\Tasks\wdx.job
C:\WINDOWS\Tasks\wey.job
C:\WINDOWS\Tasks\wflcqv.job
C:\WINDOWS\Tasks\wvdlko.job
C:\WINDOWS\Tasks\wvhya.job
C:\WINDOWS\Tasks\wxwu.job
C:\WINDOWS\Tasks\xelahm.job
C:\WINDOWS\Tasks\xnbxhs.job
C:\WINDOWS\Tasks\xqq.job
C:\WINDOWS\Tasks\xxkzcg.job
C:\WINDOWS\Tasks\xzmu.job
C:\WINDOWS\Tasks\ycecc.job
C:\WINDOWS\Tasks\ycrgudj.job
C:\WINDOWS\Tasks\ydta.job
C:\WINDOWS\Tasks\yfb.job
C:\WINDOWS\Tasks\yfjfpgd.job
C:\WINDOWS\Tasks\yteotk.job
C:\WINDOWS\Tasks\yzmluu.job
C:\WINDOWS\Tasks\zex.job
C:\WINDOWS\Tasks\zgbls.job
C:\WINDOWS\Tasks\zorfjtb.job
C:\WINDOWS\Tasks\ztisf.job
C:\WINDOWS\Tasks\zzyoevh.job
--------------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe
drag CFScript into ComboFix.exe

This will start ComboFix again. Follow the prompts. After reboot (in case it asks to reboot), upload the result please.




About this registry entry below. Did you set up your external drive/USB/Thumb drive to autorun command of this file -->"setup.exe"? Do you know what that file is?

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32af14e2-b386-11db-9865-81ed23c290cd}]
AutoRun\command- E:\setup.exe


Can you work in safe mode yet?
If so try running SDFix and MSN Cleaner, let's check what they find.
1.  Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back


2.  Download MsnCleaner_eng.zip but don't use it yet.
http://www.forospyware.com/Msncleaner/MsnCleaner_eng.zip

Now reboot into Safe Mode
Double-click MsnCleaner_eng.exe to run it.
Click the Analyze button.
A report will be created once you finish the scan.
If it finds an infection, click the Deleted button.
Now, please reboot back to normal mode.
0
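Two registry locations come up in this thread: the Image File Execution Options "Debugger" value under explorer.exe in the accepted solution, and the MountPoints2 AutoRun command quoted just above. Both are worth checking on any infected XP box, and the check is easy to automate once the keys are exported from regedit. The Python below is an added example, not code from the thread or from ComboFix or HijackThis. It parses a .reg export and flags the two patterns. The sample export is constructed; it reuses the key names and values quoted in the thread, and writes the MountPoints2 entry with its real Shell\AutoRun\command subkey path, which the ComboFix log abbreviates as "AutoRun\command-". For an IFEO Debugger value, Windows starts the named "debugger" with the real program's command line appended, so if that file disappears but the value stays, the real program never starts; that is the point rpggamergirl makes about deleting the subkey first, and the finding's suggested action repeats it.

```python
"""Audit a regedit .reg export for two persistence points discussed in the
thread: an Image File Execution Options "Debugger" value (Windows launches the
named program in place of the real one, passing it the real command line) and
a MountPoints2 AutoRun command (what a removable drive's autorun.inf told
Explorer to run).  SAMPLE_REG is constructed from the values quoted in the thread."""
import re

IFEO = "\\image file execution options\\"
MOUNTPOINTS2 = "\\explorer\\mountpoints2\\"

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="c:\\windows\\system32\\kbiseeqf.ver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{32af14e2-b386-11db-9865-81ed23c290cd}\Shell\AutoRun\command]
@="E:\\setup.exe"
'''


def parse_reg(text):
    """Return (key, value_name, data) tuples; quoted string data is unescaped."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (line.startswith('"') or line.startswith("@")) and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])   # \\ -> \ and \" -> "
            entries.append((key, name, data))
    return entries


def audit(entries):
    """Flag IFEO Debugger values and MountPoints2 AutoRun commands."""
    findings = []
    for key, name, data in entries:
        k = key.lower()
        if IFEO in k and name.lower() == "debugger":
            program = key.rsplit("\\", 1)[-1]
            findings.append({"type": "ifeo-debugger", "key": key, "program": program, "runs": data,
                             "action": "remove the whole IFEO\\%s subkey; deleting only the file it "
                                       "points to leaves %s unable to start" % (program, program)})
        elif MOUNTPOINTS2 in k and k.endswith("\\shell\\autorun\\command") and name == "(Default)":
            findings.append({"type": "mountpoints2-autorun", "key": key, "runs": data,
                             "action": "confirm the removable drive legitimately ships this autorun "
                                       "program; otherwise delete the subkey and scan the drive"})
    return findings


def audit_reg_file(path):
    """regedit writes exports as UTF-16 with a BOM; the 'utf-16' codec consumes the BOM."""
    with open(path, encoding="utf-16") as fh:
        return audit(parse_reg(fh.read()))


if __name__ == "__main__":
    for f in audit(parse_reg(SAMPLE_REG)):
        print("[%s] %s" % (f["type"], f["key"]))
        print("    runs:   %s" % f["runs"])
        print("    action: %s" % f["action"])
```

Export the two hives with regedit (or reg export from a BartPE command line, as DrDamnit suggests for a machine that will not boot normally), then run audit_reg_file() on the result. A Debugger value is not automatically malicious; development tools register one for crash handling, so the "runs" path is what to judge.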
 
LVL 7

Author Comment

by:keneso
ID: 20357469
>>qz8dsw

It did show a few, I tried del whatever.job, but would say file not found.

I did rpggamergirl's suggestion again with the combofix, and now the system appears to be clean, got and installed kaspersky av.

Thank you all for the time, and efforts, rpggamergirl gets the goodies.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20363443
Glad to know the problem has been resolved.

Thanks!
0
