Don’t Overlook Scheduled Tasks / AT when cleaning malware…

One of our clients picked up some sort of infection over the weekend. The sucker was persistent, and after running the usual battery of utilities — RootkitRevealer, SDFix, ComboFix, Stinger running inside a WinXP PE shell — we got rid of the thing.

When I checked the post-infection System Event Viewer log, however, I got an interesting message:

Event Type:Error
Event Source:Schedule
Event Category:None
Event ID:7901
Time:9:00:00 PM
The At46.job command failed to start due to the following error:
The system cannot find the file specified.

Huh? At46.job? I know the machine doesn’t use the AT scheduler… let’s see…

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\administrator\>at
Status ID Day Time Command Line
 1 Each M T W Th F S Su 12:26 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 10 Each M T W Th F S Su 9:00 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 11 Each M T W Th F S Su 10:00 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 12 Each M T W Th F S Su 11:00 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 13 Each M T W Th F S Su 12:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 14 Each M T W Th F S Su 1:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 15 Each M T W Th F S Su 2:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 16 Each M T W Th F S Su 3:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 17 Each M T W Th F S Su 4:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 18 Each M T W Th F S Su 5:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 19 Each M T W Th F S Su 6:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 2 Each M T W Th F S Su 1:00 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 20 Each M T W Th F S Su 7:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 21 Each M T W Th F S Su 8:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
Error 22 Each M T W Th F S Su 9:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe

And so forth, with hourly jobs listed down through job 72. (It kept adding duplicate schedules…)

You can see we got the infection eradicated before 9 PM, because the 9 PM AT job shows an error. 🙂

For those of you who prefer a GUI, you can see the same thing in the Scheduled Tasks pane in Control Panel.

So, don’t overlook the AT scheduler as a place where infection might hide in an effort to replicate itself. This is the first time I’ve seen it there, and it will be a place I look at from here out…
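A small triage script, added here as an example and not part of the original post, that parses the text `at` prints on XP and groups the jobs by command line, so the pattern above (one executable scheduled every hour, with duplicates piling up) jumps out of a long listing. The sample listing inside it is constructed from the post's output with one benign job added for contrast; the file-name heuristic is my own rough assumption and will produce false positives, so treat its output as a list of things to look at, not a verdict.

```python
"""Triage helper for Windows XP `at` scheduler output (added example).

Parses the listing printed by the `at` command, groups jobs by the
command they run, and flags commands that look like the persistence
pattern in the post: the same executable scheduled over and over.
"""
import re
from collections import defaultdict

# Constructed sample: an abbreviated copy of the listing in the post,
# plus one ordinary weekly backup job so the contrast is visible.
SAMPLE_AT_OUTPUT = """\
Status ID   Day                     Time          Command Line
        1   Each M T W Th F S Su    12:26 AM      C:\\WINDOWS\\system32\\Hi3TR1uq.exe
       10   Each M T W Th F S Su    9:00 AM       C:\\WINDOWS\\system32\\Hi3TR1uq.exe
       11   Each M T W Th F S Su    10:00 AM      C:\\WINDOWS\\system32\\Hi3TR1uq.exe
        2   Each M T W Th F S Su    1:00 AM       C:\\WINDOWS\\system32\\Hi3TR1uq.exe
Error  22   Each M T W Th F S Su    9:00 PM       C:\\WINDOWS\\system32\\Hi3TR1uq.exe
        3   Each F                  11:00 PM      C:\\WINDOWS\\system32\\ntbackup.exe
"""

# One job line: optional "Error" status, numeric ID, Each/Next, day list,
# 12-hour time, then the command line. Header and blank lines do not match.
JOB_RE = re.compile(
    r"^(?P<status>Error)?\s*(?P<id>\d+)\s+(?P<kind>Each|Next)\s+"
    r"(?P<days>.+?)\s+(?P<time>\d{1,2}:\d{2} [AP]M)\s+(?P<cmd>.+?)\s*$"
)


def parse_at_output(text):
    """Return a list of job dicts parsed from `at` output."""
    jobs = []
    for line in text.splitlines():
        m = JOB_RE.match(line)
        if not m:
            continue  # header, blank line, or "There are no entries in the list."
        jobs.append({
            "id": int(m["id"]),
            "failed": m["status"] == "Error",
            "kind": m["kind"],
            "days": m["days"].split(),
            "time": m["time"],
            "cmd": m["cmd"],
        })
    return jobs


def summarize(jobs):
    """Group jobs by command line and count how often each is scheduled."""
    by_cmd = defaultdict(list)
    for job in jobs:
        by_cmd[job["cmd"]].append(job)
    summary = {}
    for cmd, group in by_cmd.items():
        summary[cmd] = {
            "count": len(group),
            # "Each" with all seven days listed means it fires every day.
            "daily": sum(1 for j in group if j["kind"] == "Each" and len(j["days"]) == 7),
            "failed": sum(1 for j in group if j["failed"]),
            "ids": sorted(j["id"] for j in group),
        }
    return summary


def suspicious(summary, min_jobs=3):
    """Map command line -> reasons it deserves a closer look (heuristic)."""
    flags = {}
    for cmd, s in summary.items():
        reasons = []
        if s["daily"] >= min_jobs:
            reasons.append(f"{s['daily']} separate every-day jobs for one command")
        # Assumption: generated names mix digits with upper and lower case;
        # legitimate tools rarely do. Expect false positives.
        stem = cmd.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if (any(c.isdigit() for c in stem) and any(c.isupper() for c in stem)
                and any(c.islower() for c in stem)):
            reasons.append("mixed-case alphanumeric file name, typical of generated names")
        if s["failed"]:
            reasons.append(f"{s['failed']} job(s) failed to start (file gone, cf. Event ID 7901)")
        if reasons:
            flags[cmd] = reasons
    return flags


if __name__ == "__main__":
    # Usage: at > jobs.txt on the suspect box, then feed the file in here;
    # the constructed sample stands in for that file.
    for cmd, reasons in suspicious(summarize(parse_at_output(SAMPLE_AT_OUTPUT))).items():
        print(cmd)
        for reason in reasons:
            print("  -", reason)
```

On a real box, `at > jobs.txt` captures the listing; the .job files themselves live under `%windir%\Tasks`, and the failures show up in the System log as Schedule events like the one above, so cross-checking both sources catches a task even after its executable has been removed.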

Fixing Logon Failure errors in XP Home

A client running XP Home today had an issue with a machine running slowly, and in the (ab)normal course of troubleshooting, we came across some errors in the event viewer that caused us to reset the security descriptors back to their defaults… and in doing so, we broke his printer sharing. (Oops!)

For those of you at home, we reset the security back to baseline via the secedit utility — something we carry with us on our USB keys since it doesn’t ship with XP Home:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

Since it’s XP Home, we didn’t have a lot of tools available to us, so we relied upon the Win2k3 Resource Kit tools to help us reset the Guest account so it had access to the local printer:

The remote user was getting the message “Logon failure: the user has not been granted the requested logon type at this computer”.

So we confirmed the guest account was turned on via:

net user guest /active:yes

And then we allowed it to log on from the network. (Case sensitivity rules in effect):

ntrights +r SeNetworkLogonRight -u Guest

And we had to remove the DENY right, since it takes precedence in all transactions:

ntrights -r SeDenyNetworkLogonRight -u Guest

Once we did that, the other computer was able to print again.
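To confirm the two rights without guessing, you can export the local policy with `secedit /export /cfg rights.inf` (it works on XP Home too) and read the `[Privilege Rights]` section of that file. The script below, an added example rather than anything from the original post, parses that section and applies the rule stated above: a matching deny right wins over the allow right. The inf text inside it is constructed to mirror the broken state; the set of principals it treats as covering Guest (the Guest name, the well-known RID 501, and the Everyone and Guests group SIDs) is my assumption for a default XP box, and it does not resolve other group memberships.

```python
"""Check Guest's network logon rights in a secedit export (added example).

`secedit /export /cfg rights.inf` writes the effective local policy as an
INF file; user rights live under [Privilege Rights] as comma-separated
principals, with SIDs prefixed by '*'. This reads that section and reports
whether Guest can log on from the network, honouring deny-over-allow.
"""

# Constructed sample of the relevant section: Everyone (S-1-1-0) is
# allowed network logon, but the machine's Guest account (RID 501) is
# explicitly denied, which is the state the post describes fixing.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeDenyNetworkLogonRight = *S-1-5-21-1234567890-1234567890-1234567890-501
SeInteractiveLogonRight = Guest,*S-1-5-32-544,*S-1-5-32-545
"""

# Assumption: principals that include the local Guest account on a default
# XP box. S-1-1-0 is Everyone, S-1-5-32-546 is the built-in Guests group.
GUEST_PRINCIPALS = {"guest", "guests", "everyone", "s-1-1-0", "s-1-5-32-546"}


def load_inf(path):
    """secedit writes its export as UTF-16 with a BOM; read it that way."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def parse_privilege_rights(inf_text):
    """Return {right name: [principal, ...]} from the [Privilege Rights] section."""
    rights = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Strip the '*' marker that secedit puts in front of SIDs.
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        rights[key.strip()] = principals
    return rights


def covers_guest(principal):
    """True if this principal is Guest or a group assumed to contain Guest."""
    p = principal.lower()
    if p in GUEST_PRINCIPALS:
        return True
    # RID 501 is the well-known relative ID of the built-in Guest account.
    return p.startswith("s-1-5-21-") and p.endswith("-501")


def guest_network_logon(rights):
    """'denied', 'allowed' or 'not granted'; deny takes precedence over allow."""
    allowed = any(covers_guest(p) for p in rights.get("SeNetworkLogonRight", []))
    denied = any(covers_guest(p) for p in rights.get("SeDenyNetworkLogonRight", []))
    if denied:
        return "denied"
    if allowed:
        return "allowed"
    return "not granted"


if __name__ == "__main__":
    # Usage on a real box: rights = parse_privilege_rights(load_inf("rights.inf"))
    rights = parse_privilege_rights(SAMPLE_INF)
    print("Guest network logon:", guest_network_logon(rights))
```

The sample reports `denied` because of the explicit deny entry; drop that entry (which is what `ntrights -r SeDenyNetworkLogonRight -u Guest` does) and the Everyone allow makes it `allowed`, which is the state the printer share needs.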