Solved

Task Scheduler service stops and auto configures itself to disabled

Posted on 2011-03-13
Last Modified: 2012-05-11
Windows Server 2003 SP2. I have a batch file configured to shut down all the PCs on the LAN every night at 10.30. Lately, I come in in the morning and they are all still running. When I interrogated the server, I found that the Task Scheduler service has stopped and is set to disabled. Obviously, I then set it back to started and automatic but every day at some stage it resets itself back to stopped and disabled. Weird what? I'm thinking virus but not sure really how to tackle this. I have Symantec Client Security running and it reports that the Conficker virus is active but every time it encounters it, it manages to delete it successfully. I have also scanned with the W32.Downadup removal tool from Symantec but it doesn't find it. It's the same file that is identified every time (nowfeee.wi) in the system32 folder but I can never find the file. It's a bit of a phantom.
0
Question by:Paulduberry
15 Comments
 
LVL 12

Expert Comment

by:jmlamb
ID: 35124683
The Task Scheduler service must be running and properly configured to run tasks. If you had stopped scheduled tasks manually from the Scheduled Tasks window, the service stops and does not initialize the next time you start the computer. If the service is not configured to log on as the local system account, it may not start.

To check the settings for the service:

1. Click Start, click Control Panel, and then double-click Administrative Tools.
2. Click Computer Management.
3. Expand Services and Applications, and then click Services.
4. Right-click the Task Scheduler service, and then click Properties.
5. On the General tab, make sure that the startup type is set to automatic, and that the service status is Started. If the service is not running, click Start.
6. On the Log On tab, make sure that the local system account is selected, and that the Allow service to interact with desktop check box has a check mark.
7. Click OK, and then quit Computer Management.

http://support.microsoft.com/kb/308558
0
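A command-line counterpart to the check above, as an added example that is not part of the original thread: a batch watcher that records each change in the Task Scheduler service's start type or state, so the moment it flips to disabled can be matched against the antivirus detection log. The service name `Schedule` is the Task Scheduler's built-in name; the log path and the 60-second polling interval are assumptions.

```bat
@echo off
rem Added example, not from the thread: log every change in the start type
rem or state of the Task Scheduler service (service name "Schedule").
rem Assumptions: the log path below and the 60-second polling interval.
setlocal
set LOG=C:\schedule-watch.log
set LAST=

:loop
set STARTTYPE=unknown
set STATE=unknown

rem "sc qc" prints e.g.    START_TYPE         : 4   DISABLED
for /f "tokens=4" %%A in ('sc qc Schedule ^| findstr /c:"START_TYPE"') do set STARTTYPE=%%A

rem "sc query" prints e.g. STATE              : 1  STOPPED
for /f "tokens=4" %%A in ('sc query Schedule ^| findstr /c:"STATE"') do set STATE=%%A

rem Write a line only when something changed, so the log stays short and
rem each entry marks the window in which the change happened.
if not "%STARTTYPE% %STATE%"=="%LAST%" (
    >>"%LOG%" echo %DATE% %TIME% start_type=%STARTTYPE% state=%STATE%
)
set LAST=%STARTTYPE% %STATE%

rem Wait about 60 seconds; ping is used because it is present on every
rem Windows release, including Server 2003.
ping -n 61 127.0.0.1 >nul
goto loop
```

The script only observes. Restoring the service by hand remains `sc config Schedule start= auto` (the space after `start=` is required) followed by `sc start Schedule`.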
 
LVL 44

Assisted Solution

by:Davis McCarn
Davis McCarn earned 1600 total points
ID: 35128104
That guy is probably all over your network and, once it got in, has hidden its root process so Symantec can't see it.
According to this the Malicious Software Removal Tool can get it; but, read the article: http://support.microsoft.com/kb/962007
0
 

Author Comment

by:Paulduberry
ID: 35188283
DavisMcCarn, I read the KB from MS and went through it all step-by-step. According to the KB, the Malicious Software Removal Tool is automatically downloaded from Windows Update. If that is the case, then there is nothing to do except hope that it finds and removes the bug. At least, that's my understanding of it. It clearly isn't doing its job. I have followed the other steps in the article also, including the manual removal procedure, but it hasn't made any difference.
0
 

Author Comment

by:Paulduberry
ID: 35188349
jmlamb,

My post states that I have to manually start the task scheduler service every day despite the fact it is configured to start automatically. The other settings are configured also as mentioned in your post.
0
 
LVL 71

Assisted Solution

by:Qlemo
Qlemo earned 400 total points
ID: 35188409
MRT might be downloaded automatically, but if there is suspicion, always start Windows Update manually. Some Updates only come optionally. I would not trust in MRT to be downloaded.

Nevertheless, it seems not to help. The usual recommendation made by the Virus and Malicious Tools Experts is to use MBAM (http://www.malwarebytes.org/mbam.php) and ComboFix (http://www.bleepingcomputer.com/download/anti-virus/combofix). The latter is a very sophisticated tool, and should only be used with extreme care (regarding applying changes) - the analysis can be run without concerns. I would start with MBAM, and see if that helps.
0
 
LVL 44

Accepted Solution

by:
Davis McCarn earned 1600 total points
ID: 35188911
If the MRT was downloaded and run, the most recent copy will be in your C:\Windows\System32 folder as MRT.EXE and the most recent version is from 3/10/2011. I often check for it as it lets me know the last time a system got it (meaning, if they thought they got infected in March but the last MRT is from December, that lets me know something happened in January).
You should specifically download and run the MRT manually.
0
 

Author Comment

by:Paulduberry
ID: 35189163
I attempted to download and run MRT manually but couldn't find any option to do so. Would you be able to send me a link please?
0
 

Author Comment

by:Paulduberry
ID: 35191238
Never mind. I found MRT.exe in the system32 folder as described. Thanks. It's dated 9-3-2011. I am currently scanning.
0
 

Author Comment

by:Paulduberry
ID: 35191434
Question, Is it advisable to run ComboFix on Windows Server 2003 considering this computer is central to our organization and has a lot of critical data that needs to be available 24-7?
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 35191606
That's one of many reasons I suggested using MBAM first. ComboFix will isolate the server machine, and the author does not "support" it running on a server. Most probably there will be no issue, but if, then it is severe. I don't know if I would take the risk.
0
 

Author Comment

by:Paulduberry
ID: 35193656
MRT didn't find any bugs. Running MBAM now.
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 35194185
When I asked for advice regarding your case, a much more versed Expert than me advised against using ComboFix on Servers and 64bit OS. Sorry I mentioned it, but I forgot you are talking about a Server when I did.

Let's hope MBAM finds something.
0
 
LVL 44

Expert Comment

by:Davis McCarn
ID: 35194271
0
 

Author Comment

by:Paulduberry
ID: 35202824
DavisMcCarn, Running that download at the moment. This is my last hope. I'll close the ticket tomorrow regardless of the outcome.
0
 

Author Closing Comment

by:Paulduberry
ID: 35208817
Guys, I still have the problem. I will probably have to wipe the server to make this bugger disappear but thanks anyway to all who contributed.
0
