Strange scheduled tasks on Windows Server 2003

malwarewindows-server-2003

A few days ago, I noticed that our Windows Server 2003 system has strange scheduled tasks. I do not know where they came from or who set them up. I deleted them and they came up again today. They have names such as "At1","At2", "At3" and the status says that they are running.

When I open their properties, the run command looks like rundll32.exe zfypspqu.u,ygxjgq.

What it could be? Does my server have some virus? I did a scan with nod32 and it didn't report anything. I do not have anything unusual set up on this server – it's only running SQLServer 2005 with ReportServer. Two other servers with similar configuration do not have these strange scheduled tasks.

Best Answer

That's a Conficker infection.

Basic steps to remove it:

Run the latest release of Microsoft's Malicous Software Removal Tool.
Install the KB958644 patch.

If you have multiple systems, make sure you fix them all.

The full Microsoft guide for protecting yourself from Conficker is here.

Good luck, I've had to deal with a Conficker infection at a smallish client, about 30 servers spread throughout 12 sites, it was not fun.

Related Solutions

Windows Scheduled Task Reporting

Schtasks is your friend for this - AT is old and does not (SFAIK) comprehend tasks creates with schtasks. Unfortunately, the Win32_ScheduledTask WMI object is based on AT, otherwise it would be perfect for this.

Unfortunately, neither AT nor schtasks report on the user that the job runs as. There's probably a COM object somewhere that lets you get at that; maybe you could ask on stackoverflow?

If you want to script it you would probably do something like this:

$servers = 'server1','server2','server3'
$allTasks = @()
$servers | %{ 
    $data = schtasks /query /S $_ /fo list
    # Data looks like this:
    # <blank line> 
    # HostName:      [SERVER]
    # TaskName:      [TASK NAME]
    # Next Run Time: 12:00:00 PM, 5/9/2009
    # Status:        [BLANK or SOME ERROR]
    foreach ($line in $data){
        $blob=""|select Host, Task, Next, Status
        [void]$foreach.MoveNext(); $l = $foreach.Current.length;
        $blob.Host = $foreach.current.substring(15, $l-15)
        [void]$foreach.MoveNext(); $l = $foreach.Current.length;
        $blob.Task = $foreach.current.substring(15, $l-15)
        [void]$foreach.MoveNext(); $l = $foreach.Current.length;
        $blob.Next = $foreach.current.substring(15, $l-15)
        [void]$foreach.MoveNext(); $l = $foreach.Current.length;
        $blob.Status = $foreach.current.substring(15, $l-15)
        $allTasks += $blob
    }
}
$allTasks|format-table

This has become an evil code essay - it would be easier to use the /FO csv option to dump to a text file the use import-csv to get the data back into PS, but that way you lose the server name. So instead you get to show off a bit and do custom object creation and hacking around with the foreach enumerator. Calling MoveNext moves you to the next item in the list, so you skip the first empty line of output and then take each of the next 4 lines and make them into something useful.

Windows scheduled task fails to complete with error code 0xc000013a

Troubleshooting scheduled scripts:

If you haven't already, check the Scheduled Tasks log file, in the GUI under Advanced > View Log. Search the file for "***" to find the most recent entries, and you may see a little extra error info.
Define a log file to capture output, and send both standard out and standard error there. Change any echo OFF to echo ON to be sure you're not supressing any error messages.
For example, if your script is called ftp.data.cmd then your scheduled task might look like this,

cmd /c ftp.data.cmd >> ftp.data.log 2>&1
Is the script hanging? Maybe the task scheduler is killing the script (hence the CTRL+C error code) after some specified period of time. Add some of these at strategic points in your scipt,

echo %DATE% %TIME%
Are you sure the account running the script has permissions / access to everything in the script?
If you can't get any joy, run this command and post the output here, maybe we can start with the scheduling,

schtasks /query /v /fo LIST /s YOURSERVER

Best Answer

Related Solutions

Windows Scheduled Task Reporting

Windows scheduled task fails to complete with error code 0xc000013a

Related Topic