Scheduled Tasks
November 7, 2006 at 9:29 pm | In Malware analysis | 6 Comments
Originally posted Jan 14 2005, 08:19 PM
A while ago Bobbi Flekman found that recent LOP versions use the Task Scheduler to add to the burden.
The variants that do this can be recognized by the completely random, nonsensical names of their SearchBars
(example: http://www.ffbmcrgzoflssg.com/uVY4pfXrBF4B9Rsh073xVcCkhrcDs5DvBdJ1KbjS7hLALyLQ/rLN23C6NhVXySGN.html )
Usually they will have .exe files as a BHO as opposed to the normal .dll.
After encountering a victim here http://www.geekstogo.com/forum/index.php?showtopic=6609 who could not find the Tasks that showed up in the StartUpList, I went looking for another way to list the tasks in the Scheduler.
I found one at JSI: http://www.jsiinc.com/SUBF/TIP2600/rh2621.htm
That made it easy. All you need is a tiny batch file:
@echo off
rem remove the listing from a previous run
if exist c:\tasks.txt del c:\tasks.txt
rem jt /se enumerates every job known to the Task Scheduler
jt /se >>c:\tasks.txt
I uploaded the package for that to http://metallica.geekstogo.com/findlop.zip
Canned speech:
Download and unzip to one folder:
http://metallica.geekstogo.com/findlop.zip
Inside the folder, find findlop.bat.
Double-click it and it will create the file C:\findlop.txt.
Find that file and copy the content into your next post.
Once you have the tasks, you can remove them by putting another batch in the same folder:
@echo off
rem replace the placeholder names with the .job names from the listing
jt /sd randomlopname123.job
jt /sd randomlopname456.job
jt /sd randomlopname789.job
rem list the remaining tasks so the removal can be verified
if exist c:\tasks.txt del c:\tasks.txt
jt /se >>c:\tasks.txt
Or tell the victim which ones to delete manually. 🙂
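A defender's aid for the "random name" tell described above, as an added example that is not part of the original post or of the findlop package: it scores .job file names (the names jt /sd deletes) and lists the ones worth checking first. The Tasks folder path C:\Windows\Tasks, the heuristic thresholds and the sample names are assumptions.

```python
# Added example (not the post's or findlop's code): flag .job files whose
# names look machine-generated, the tell the post gives for LOP's tasks.
# C:\Windows\Tasks as the .job folder is an assumption (XP-era location).
import math
import re
from pathlib import Path

VOWELS = set("aeiouy")

def shannon_entropy(text: str) -> float:
    """Bits per character of the string's own character distribution."""
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def longest_consonant_run(text: str) -> int:
    run = best = 0
    for ch in text:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def looks_random(job_name: str) -> bool:
    """Vowel-starved or high-entropy names are flagged; short ones are not."""
    stem = re.sub(r"\.job$", "", job_name, flags=re.I).lower()
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 8:  # too short to judge; check by hand
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return (longest_consonant_run(stem) >= 5
            or vowel_ratio < 0.2
            or (shannon_entropy(stem) > 3.5 and vowel_ratio < 0.3))

def flag_random_names(names) -> list:
    """Sorted subset of task names that should be reviewed first."""
    return sorted(n for n in names if looks_random(n))

def scan_task_dir(task_dir=r"C:\Windows\Tasks") -> list:
    """Scan a Tasks folder; [] when it is absent (e.g. not on Windows)."""
    folder = Path(task_dir)
    if not folder.is_dir():
        return []
    return flag_random_names(p.name for p in folder.glob("*.job"))

if __name__ == "__main__":
    # Constructed sample: two names in the style of the post's URL, two ordinary tasks.
    sample = ["uVY4pfXrBF4B9Rsh.job", "rLN23C6NhVXySGN.job",
              "Symantec NetDetect.job", "AppleSoftwareUpdate.job"]
    print(flag_random_names(sample), scan_task_dir())
```

A flagged name is a lead, not a verdict: confirm what the task runs before deleting it with jt /sd.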
6 Comments »
Originally posted Mar 28 2005, 07:46 PM
FBJ pointed out to me that it is possible to get the filenames as well by adding another switch to the jt command line.
The batch that looks for Scheduled Tasks now looks like:
@echo off
if exist c:\findlop.txt del c:\findlop.txt
jt /se p >>c:\findlop.txt
notepad.exe c:\findlop.txt
It can be downloaded here:
http://castlecops.com/zx/Metallica/findlop.zip
http://metallica.geekstogo.com/findlop.zip
Comment by metallica — November 7, 2006 #
Originally posted Apr 22 2006, 07:10 PM
Another batch. This one can be used to find the complete folder names.
The example below will work for a lot of Windows installs, but you may have to adapt it in some cases if Windows is not installed on the C partition or if the paths do not fit due to different languages.
Copy the part in bold below into notepad and save it as direxie.bat
Set Filetype to “All files”
cd\
cd C:\Documents and Settings\%UserName%\Application Data
dir /x > C:\directory.txt
cd C:\Documents and Settings\All Users\Application Data
dir /x >> C:\directory.txt
cd C:\Program Files
dir /x >> C:\directory.txt
start notepad C:\directory.txt
Start the file by double-clicking direxie.bat
That will open a file called directory.txt. Post the content of that file.
Comment by metallica — November 7, 2006 #
[…] years ago, I wrote a little batch file to find and delete Scheduled Tasks added by an adware variant called LOP. With the introduction of […]
Pingback by Scheduled Tasks | Malwarebytes Unpacked — March 23, 2015 #
[…] years ago, I wrote a little batch file to find and delete Scheduled Tasks added by an adware variant called LOP. With the introduction of […]
Pingback by Scheduled Tasks - No False Positives - Cybersecurity news, views and scrutiny — May 14, 2021 #