Scheduled Tasks

November 7, 2006 on 9:29 pm | In Malware analysis | 6 Comments

Originally posted  Jan 14 2005, 08:19 PM

A while ago Bobbi Flekman found that recent LOP versions use the Task Scheduler as an extra way of starting themselves, on top of their usual autostart entries.

The variants that do this can be recognized by their completely random, meaningless SearchBar names
( example: http://www.ffbmcrgzoflssg.com/uVY4pfXrBF4B9Rsh073xVcCkhrcDs5DvBdJ1KbjS7hLALyLQ/rLN23C6NhVXySGN.html )
Usually they register .exe files as a BHO instead of the normal .dll.

After encountering a victim here http://www.geekstogo.com/forum/index.php?showtopic=6609 who could not find the tasks that showed up in the StartUpList, I went looking for another way to list the tasks in the Scheduler.

Which I found at JSI: http://www.jsiinc.com/SUBF/TIP2600/rh2621.htm

That made it easy. All you need is a tiny batch (jt.exe, the Task Scheduler command-line tool from the Windows Resource Kit, has to be in the same folder or on the PATH):

@echo off
rem start from a clean listing file
if exist c:\findlop.txt del c:\findlop.txt
rem jt /se enumerates every job the Task Scheduler knows about
jt /se >>c:\findlop.txt

I uploaded the package for that to http://metallica.geekstogo.com/findlop.zip

Canned speech:

Download and unzip to one folder:
http://metallica.geekstogo.com/findlop.zip

Inside the folder find findlop.bat

Double-click it and it will create the file C:\findlop.txt
Find that file and copy its content into your next post.

Once you have the tasks you can remove them by putting another batch in the same folder (replace the placeholder names with the .job names from the listing):
@echo off
rem jt /sd deletes one job by its .job file name
jt /sd randomlopname123.job
jt /sd randomlopname456.job
jt /sd randomlopname789.job
rem list what is left so the victim can post it
if exist c:\tasks.txt del c:\tasks.txt
jt /se >>c:\tasks.txt

Or tell the victim which ones to delete manually. 🙂
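The same triage done against the output of schtasks, the built-in tool that took over the job of jt.exe on Windows XP and later, as an added example that is not part of the original post. It assumes you have captured `schtasks /query /fo CSV /v` to a file; the CSV embedded below is constructed by hand to imitate that output (invented hostnames, task names and paths, with two rows shaped like the random LOP names quoted above). It goes a little beyond the post by also flagging tasks on two heuristics of mine, not the author's: a task name or executable name with almost no vowels, and an executable that runs out of a user's Application Data folder.

```python
"""Triage Scheduled Tasks for LOP-style persistence (added example).

Assumes a capture of `schtasks /query /fo CSV /v`, the built-in successor
to the post's `jt /se p`, e.g.:  schtasks /query /fo CSV /v > C:\\findlop.csv
"""
import csv
import io
import ntpath
import re

# Constructed sample of `schtasks /query /fo CSV /v` output, cut down to the
# columns read below (real output has many more; DictReader ignores extras).
# Hostnames, task names and paths are invented; the last two rows imitate the
# random LOP names from the post.
SAMPLE_CSV = """\
"HostName","TaskName","Next Run Time","Status","Author","Task To Run","Run As User"
"PC1","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -k -g","SYSTEM"
"PC1","\\GoogleUpdateTaskMachineUA","14:30:00, 1/14/2005","Ready","PC1\\Owner","C:\\Program Files\\Google\\Update\\GoogleUpdate.exe /ua","SYSTEM"
"PC1","\\uVY4pfXrBF4B9Rsh","20:19:00, 1/14/2005","Ready","PC1\\Owner","C:\\Documents and Settings\\Owner\\Application Data\\rLN23C6NhVXySGN\\uVY4pfXrBF4B9Rsh.exe","Owner"
"PC1","\\Gen rlrwuprkzxq","20:19:00, 1/14/2005","Ready","PC1\\Owner","C:\\Program Files\\Ffbmcrgzoflssg\\Ffbmcrgzoflssg.exe","Owner"
"""

VOWELS = set("aeiou")

# Per-user data folders (2000/XP and Vista+ layouts): adware drops there because
# the user can always write to them.
USER_WRITABLE = re.compile(
    r"\\(Documents and Settings|Users)\\[^\\]+\\(Application Data|AppData|Local Settings)\\",
    re.IGNORECASE,
)


def looks_random(name: str) -> bool:
    """Heuristic for generated names like uVY4pfXrBF4B9Rsh or ffbmcrgzoflssg:
    the letters-only view has almost no vowels or a long consonant run.
    Short names are left alone to keep false positives down."""
    letters = "".join(c for c in name.lower() if c.isalpha())
    if len(letters) < 8:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(m) for m in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio < 0.2 or longest_run >= 5


def executable_of(command: str) -> str:
    """Pull the program path out of a 'Task To Run' value, which may carry
    arguments and quotes. Paths with spaces are common, so an unquoted
    command is cut at the first .exe rather than at whitespace."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.exe\b", command, re.IGNORECASE)
    return command[: m.end()] if m else command.split()[0]


def triage(csv_text: str) -> list:
    """Return the suspicious rows with the reasons they were flagged."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        task = row["TaskName"]
        exe = executable_of(row["Task To Run"])
        reasons = []
        if USER_WRITABLE.search(exe):
            reasons.append("runs from a user profile data folder")
        if looks_random(ntpath.basename(task)):
            reasons.append("random-looking task name")
        if looks_random(ntpath.splitext(ntpath.basename(exe))[0]):
            reasons.append("random-looking executable name")
        if reasons:
            findings.append({"task": task, "exe": exe, "reasons": reasons})
    return findings


def removal_commands(findings) -> list:
    """The schtasks equivalent of the post's `jt /sd name.job` lines, emitted
    as text for a human to review rather than executed: a heuristic should
    not delete tasks on its own."""
    return [f'schtasks /delete /tn "{f["task"]}" /f' for f in findings]


if __name__ == "__main__":
    found = triage(SAMPLE_CSV)
    for f in found:
        print(f["task"], "->", f["exe"], "|", "; ".join(f["reasons"]))
    print("\n".join(removal_commands(found)))
```

On a real machine, feed `triage()` the text of the captured CSV file instead of `SAMPLE_CSV`; the built-in Microsoft tasks in the sample pass clean, and the two LOP-shaped rows are flagged, the first on all three checks. The random-name heuristic is deliberately conservative (fewer than 20% vowels, or five consonants in a row, on names of eight or more letters), so expect to read the full listing as well, exactly as the post has the victim post the whole file.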

6 Comments »


  1. Originally posted Mar 28 2005, 07:46 PM

    FBJ pointed out to me that it is possible to get the filenames as well by adding another switch to the jt command line.

    The batch that looks for Scheduled Tasks now looks like:

    @echo off
    if exist c:\findlop.txt del c:\findlop.txt
    jt /se p >>c:\findlop.txt
    notepad.exe c:\findlop.txt

    It can be downloaded here:
    http://castlecops.com/zx/Metallica/findlop.zip
    http://metallica.geekstogo.com/findlop.zip

    Comment by metallica — November 7, 2006 #

  2. Originally posted Apr 22 2006, 07:10 PM

    Another batch. This one can be used to find the complete folder names.
    The example below will work for a lot of Windows installs, but you may have to adapt it in some cases if Windows is not installed on the C partition or if the paths do not fit due to different languages.

    Copy the batch below into Notepad and save it as direxie.bat
    Set Filetype to “All files”

    cd\
    cd C:\Documents and Settings\%UserName%\Application Data
    dir /x > C:\directory.txt
    cd C:\Documents and Settings\All Users\Application Data
    dir /x >> C:\directory.txt
    cd C:\Program Files
    dir /x >> C:\directory.txt
    start notepad C:\directory.txt

    Start the file by double-clicking direxie.bat
    That will open a file called directory.txt. Post the content of that file.

    Comment by metallica — November 7, 2006 #


  5. […] years ago, I wrote a little batch file to find and delete Scheduled Tasks added by an adware variant called LOP. With the introduction of […]

    Pingback by Scheduled Tasks | Malwarebytes Unpacked — March 23, 2015 #

  6. […] years ago, I wrote a little batch file to find and delete Scheduled Tasks added by an adware variant called LOP. With the introduction of […]

    Pingback by Scheduled Tasks - No False Positives - Cybersecurity news, views and scrutiny — May 14, 2021 #
