delete specific scheduled task

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • delete specific scheduled task

    Is there a way to delete a specific scheduled task looping through the whole domain? We currently have a worm in our environment that creates scheduled tasks starting with "at" and need to delete them out.

    Apparently WMI needs the specific JobID to delete the task...anyone know another way to get the name and delete the task through a script?

  • #2
    Re: delete specific scheduled task

    Use this Batch
    Code:
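    @echo off
    REM Delete every AT job on this machine and log the rest of each row (schedule and command).
    REM Note: find /i /v "ID" drops the header row, and also any job row that contains "id".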
    
    For /f "tokens=1,*" %%t in (
       'AT.exe ^| find /i /v "ID" ^| find /v "------------"'
       ) Do (
       AT.exe %%t /Delete
       echo.%date% %computername% %%u >>"c:\logAT.txt"
    )
    Or, command line:
    Code:
    @for /f "tokens=1,*" %t in ('AT.exe ^| find /i /v "ID" ^| find /v "------------"') do @(AT.exe %t /delete) & @(echo.%date% %computername% %u)>>"c:\logAT.txt"
    You must run it during computer start up, because normal users are not allowed to run AT.exe.

    Note: it will delete ALL and only scheduled tasks that were added with the AT scheduler or Win32_ScheduledJob ("job names" starting with "at"##).


    \Rems
    Last edited by Rems; 14th March 2009, 18:10.

    This posting is provided "AS IS" with no warranties, and confers no rights.

    __________________

    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts



    • #3
      Re: delete specific scheduled task

      Thanks for the quick reply Rems, we are sorta in a jam.

      Is there a way to do a wildcard search so I can only delete the tasks with "job names" starting with "at"?

      That is our problem...because we don't want to delete everything that was created...just match the string for the job names that the worm has made.

      I'm not sure if running this as a startup script will work too...but will work for just plain users.



      • #4
        Re: delete specific scheduled task

        Sorry, I see what you mean now, the worm is only using the AT command...so nothing else will get affected.

        Any way to run this remotely, against say the whole domain?



        • #5
          Re: delete specific scheduled task

          Put this sample in a loop. You'll have to add code that finds all computer objects in the domain.


          Code:
          '# start loop
          
          strComputer = "."   '<-- replace with the actual name of each computer
          
          '# connect to the computer
          Set objWMIService = GetObject("winmgmts:" _
              & "{impersonationLevel=impersonate}!\\"_
              & strComputer & "\root\cimv2")
          
          '# find all AT tasks
          Set colScheduledJobs = objWMIService.ExecQuery _
              ("Select * from Win32_ScheduledJob")
          
          '# Delete them all
          For Each objJob in colScheduledJobs
          
             objJob.Delete()
          
          Next
          \Rems



          • #6
            Re: delete specific scheduled task

            Thanks! I kept banging my head over this...I was actually trying it that way...but I only saw to use a specific job ID!!! Once again, I owe you. Thank you for your help as always.



            • #7
              Re: delete specific scheduled task

              Rems - Here is what I have so far...It is running extremely slow. Do you know how to speed it up at all? I think it's mostly running slow when it hits machines that are not on, or don't exist anymore.

              Code:
              'OU to query
              Delete_Tasks "Computers"
              
              Sub Delete_Tasks(sOU)
              
               On Error Resume Next
              
               Set objRootDSE = GetObject("LDAP://rootDSE")
               strDNSDomain = objRootDSE.Get("defaultNamingContext")
              
               'Start the ADO connection
               Set objCommand = CreateObject("ADODB.Command")
               Set objConnection = CreateObject("ADODB.Connection")
               objConnection.Provider = "ADsDSOObject"
               objConnection.Open "Active Directory Provider"
               objCommand.ActiveConnection = objConnection
              
               'Set the ADO connection query strings
               StartNode = strDNSDomain
               SearchScope = "subtree"
              
               FilterString = "(&(sAMAccountType=805306369)(name=*WAY*))"
              
               Attributes = "adspath"
              
               'Create the LDAP-Query
               LDAPQuery = "<LDAP://OU=" & sOU & "," & StartNode & ">;" & FilterString & ";" _
                          	& Attributes & ";" & SearchScope
              
               objCommand.CommandText = LDAPQuery
               objCommand.Properties("Page Size") = 100
               objCommand.Properties("Timeout") = 30
               objCommand.Properties("Cache Results") = False
              
               Set objRecordSet = objCommand.Execute
              
               If NOT objRecordSet.eof Then
                objRecordSet.MoveFirst
                 While Not objRecordset.EOF
                  Set objRecord = GetObject(objRecordSet.Fields("AdsPath").Value)
                  strComputer = objRecord.CN
                  'Reset the error state so one unreachable machine does not skip all the rest
                  Err.Clear
                  Set objWMIService = GetObject("winmgmts:" _
                      & "{impersonationLevel=impersonate}!\\" _
                      & strComputer & "\root\cimv2")
                  If Err.Number = 0 Then
                      Set colScheduledJobs = objWMIService.ExecQuery _
                          ("Select * from Win32_ScheduledJob")

                      For Each objJob in colScheduledJobs
                          objJob.Delete()
                      Next
                  Else
                      'move to next machine
                  End If
                  objRecordSet.MoveNext
                Wend
               End If
              End Sub
              
              msgbox "Done!"
              WScript.Quit



              • #8
                Re: delete specific scheduled task

                Do a Ping test before connecting to check if the computer is connectable
                see: Function IsConnectible by R. Mueller

                sample
                Code:
                DIM objShell : Set objShell = CreateObject("WScript.Shell")
                
                ' loop
                strComputer = "localhost" '<-- computernames here
                
                If (IsPingable(strComputer) = True) then
                
                  ' you can make the connection
                
                End If
                 
                
                Function IsPingable(ByVal strHost)
                  If Trim(strHost) <> "" Then
                     strCommand = "Ping.exe -n 3 -w 750 " & strHost
                     Set objExecObject = objShell.Exec _
                        ("%comspec% /c title " & strHost _
                        & chr(38) & strCommand)
                     Do While Not objExecObject.StdOut.AtEndOfStream
                        strText = objExecObject.StdOut.ReadLine()
                        If Instr(strText, "TTL=") > 0 _
                          Then IsPingable = True : Exit Do
                     Loop
                     If IsPingable = True then
                        With GetObject("winmgmts:root\cimv2")
                           For Each objProcess in .ExecQuery _
                              ("SELECT commandline FROM Win32_Process" _
                              & " WHERE Name = 'ping.exe'",,48)
                              If objProcess.commandline = strCommand _
                                Then objProcess.Terminate() : Exit For
                           Next
                        End With
                     End If
                  End If
                  If (not IsPingable = True) Then IsPingable = False
                End Function
                \Rems



                • #9
                  Re: delete specific scheduled task

                  Works perfectly. Thanks. Here is the final script and what I have been using on my OUs. I added logging into the script so we know which machines are infected, and also changed it to 1 ping instead of 3 to make it faster:

                  Code:
                  'OU to query
                  Delete_Tasks "test"
                  
                  Sub Delete_Tasks(sOU)
                  
                   On Error Resume Next
                  
                   strLogFile = "C:\log.txt"
                   Set objFSO = CreateObject("Scripting.FileSystemObject")
                   'Open for appending (8) and create the log file if it does not exist yet
                   Set objFile = objFSO.OpenTextFile(strLogFile, 8, True)
                  
                   Set objRootDSE = GetObject("LDAP://rootDSE")
                   strDNSDomain = objRootDSE.Get("defaultNamingContext")
                  
                   'Start the ADO connection
                   Set objCommand = CreateObject("ADODB.Command")
                   Set objConnection = CreateObject("ADODB.Connection")
                   objConnection.Provider = "ADsDSOObject"
                   objConnection.Open "Active Directory Provider"
                   objCommand.ActiveConnection = objConnection
                  
                   'Set the ADO connection query strings
                   StartNode = strDNSDomain
                   SearchScope = "subtree"
                  
                   FilterString = "(&(sAMAccountType=805306369)(name=*))"
                  
                   Attributes = "adspath"
                  
                   'Create the LDAP-Query
                   LDAPQuery = "<LDAP://OU=" & sOU & "," & StartNode & ">;" & FilterString & ";" _
                              	& Attributes & ";" & SearchScope
                  
                   objCommand.CommandText = LDAPQuery
                   objCommand.Properties("Page Size") = 100
                   objCommand.Properties("Timeout") = 30
                   objCommand.Properties("Cache Results") = False
                  
                   Set objRecordSet = objCommand.Execute
                  
                   If NOT objRecordSet.eof Then
                    objRecordSet.MoveFirst
                     While Not objRecordset.EOF
                      	Set objRecord = GetObject(objRecordSet.Fields("AdsPath").Value)
                  	strComputer = objRecord.CN
                      If (IsPingable(strComputer) = True) then
                          'Reset state so a failed connection cannot reuse the previous machine's WMI object
                          Set objWMIService = Nothing
                          Err.Clear
                          Set objWMIService = GetObject("winmgmts:" _
                              & "{impersonationLevel=impersonate}!\\" _
                              & strComputer & "\root\cimv2")

                          If Err.Number = 0 Then
                              Set colScheduledJobs = objWMIService.ExecQuery _
                                  ("Select * from Win32_ScheduledJob")

                              For Each objJob in colScheduledJobs
                                  objJob.Delete()
                                  objFile.WriteLine Now & vbTab & "Deleted Tasks From: " & strComputer
                              Next
                          End If
                      End If
                      	objRecordSet.MoveNext
                    Wend
                   End If
                  objFile.Close
                  End Sub
                  
                  Function IsPingable(ByVal strHost)
                    If Trim(strHost) <> "" Then
                       strCommand = "Ping.exe -n 1 -w 750 " & strHost
                       Set objShell = CreateObject("WScript.Shell")
                       Set objExecObject = objShell.Exec _
                          ("%comspec% /c title " & strHost _
                          & chr(38) & strCommand)
                       Do While Not objExecObject.StdOut.AtEndOfStream
                          strText = objExecObject.StdOut.ReadLine()
                          If Instr(strText, "TTL=") > 0 _
                            Then IsPingable = True : Exit Do
                       Loop
                       If IsPingable = True then
                          With GetObject("winmgmts:root\cimv2")
                             For Each objProcess in .ExecQuery _
                                ("SELECT commandline FROM Win32_Process" _
                                & " WHERE Name = 'ping.exe'",,48)
                                If objProcess.commandline = strCommand _
                                  Then objProcess.Terminate() : Exit For
                             Next
                          End With
                       End If
                    End If
                    If (not IsPingable = True) Then IsPingable = False
                  End Function
                  
                  msgbox "Done!"
                  WScript.Quit

                  Comment
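
Post #3 asks how to remove only the worm's jobs, while the scripts in this thread delete every AT job and log only the host name. The VBScript below is an added example, not code from any poster here: it records each Win32_ScheduledJob entry (JobId and Command) as evidence and deletes only jobs whose command matches a pattern. `CleanAtJobs`, `IsReachable`, `DRY_RUN`, `LOG_PATH` and `SUSPECT_PATTERN` are assumed names, and the pattern is a placeholder to replace with the command string observed in your own environment.

```vbscript
' Added example, not from the thread. Names and paths below are assumptions.
Option Explicit
Const DRY_RUN = True          ' True = log only; set False to actually delete
Const LOG_PATH = "C:\at_jobs.tsv"                      ' hypothetical log file
Const SUSPECT_PATTERN = "REPLACE_WITH_WORM_COMMAND_REGEX"   ' placeholder

WScript.Echo CleanAtJobs("localhost")   ' call once per computer name in the loop
' Reachability via Win32_PingStatus instead of shelling out to ping.exe
Function IsReachable(strHost)
    Dim objPing
    IsReachable = False
    For Each objPing In GetObject("winmgmts:\\.\root\cimv2").ExecQuery( _
        "SELECT StatusCode FROM Win32_PingStatus WHERE Address='" _
        & Replace(strHost, "'", "") & "' AND Timeout=750")
        If Not IsNull(objPing.StatusCode) Then
            If objPing.StatusCode = 0 Then IsReachable = True
        End If
    Next
End Function

Function CleanAtJobs(strComputer)
    Dim objWMI, objJob, objRe, objLog, strAction, nSeen, nHit
    nSeen = 0 : nHit = 0
    If Not IsReachable(strComputer) Then
        CleanAtJobs = strComputer & ": unreachable" : Exit Function
    End If
    On Error Resume Next      ' only around the remote connection
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
        & strComputer & "\root\cimv2")
    If Err.Number <> 0 Then
        CleanAtJobs = strComputer & ": WMI error 0x" & Hex(Err.Number) : Exit Function
    End If
    On Error GoTo 0
    Set objRe = New RegExp
    objRe.Pattern = SUSPECT_PATTERN : objRe.IgnoreCase = True
    Set objLog = CreateObject("Scripting.FileSystemObject").OpenTextFile(LOG_PATH, 8, True)
    For Each objJob In objWMI.ExecQuery("SELECT * FROM Win32_ScheduledJob")
        nSeen = nSeen + 1 : strAction = "kept"
        If objRe.Test(objJob.Command) Then
            nHit = nHit + 1 : strAction = "would delete"
            If Not DRY_RUN Then objJob.Delete() : strAction = "deleted"
        End If
        ' Evidence row: time, host, job id, action taken, full command line
        objLog.WriteLine Now & vbTab & strComputer & vbTab & objJob.JobId _
            & vbTab & strAction & vbTab & objJob.Command
    Next
    objLog.Close
    CleanAtJobs = strComputer & ": " & nSeen & " AT job(s), " & nHit & " matched"
End Function
```

Run it with `cscript` in dry-run mode first and review the log before setting `DRY_RUN` to False.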


                  • #10
                    Re: delete specific scheduled task

                    I don't know if this helps, but I found this Kaspersky Net-Worm.Win32.Kido remover to do the job very quickly.
                    It removes the scheduled jobs immediately.

                    It has commandline switches so you can deploy it via GPO.

                    http://support.kaspersky.com/faq/?qid=208279973
                    Last edited by emagin; 11th April 2009, 06:21.



                    • #11
                      Re: delete specific scheduled task - Net-Worm.Win32.Kido (aka: Conficker, Downadup)

                      I have also found out the following.
                      These issues are all caused by the Conficker worm.
                      Removing the scheduled tasks is not enough.

                      If you run above exe you need to use switches:
                      -j -t -a -x -z -y

                      -z will restore critical services that get turned off by the worm:
                      • Background Intelligent Transfer Service (BITS)
                      • Windows Automatic Update Service (wuauserv)
                      • Error Reporting Service (ERSvc/WerSvc)



                      • #12
                        Re: delete specific scheduled task

                        You may also try to install the latest Microsoft Malicious Software Removal Tool, March 2009.



                        • #13
                          Re: delete specific scheduled task

                          Thanks.

                          There are different variants of the Conficker worm that do different things. All these methods work and help aid in the removal of the worm...but the best thing to do is make sure all your machines are patched with the latest MS updates.

                          WSUS is a great tool for this if you are the net/sys admin in your company.

                          The best description of the worm I have found yet so far is here: http://mtc.sri.com/Conficker/

                          and the Conficker C Analysis

                          You can read about the latest variant that was updated on April 8th on F-Secure. We should probably start a new thread, possibly on the General Security forum if we want to continue talking about Conficker. Thanks!
