Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

The Case of the Hidden Scheduled Tasks

Posted by William Diaz on July 9, 2010


This case provided a good opportunity to use Sysinternals' Autoruns to detect and remove some malware that had found its way onto one of our workstations. Some unknown process on this workstation was going out to the Internet at the same time every hour and attempting to download a suspicious executable named Zl0.exe and drop it in the user's local temp folder, which by default is C:\Documents and Settings\username\Local Settings\TEMP\ on Windows XP (we actually redirect this to a custom folder).

We knew this because our virus protection had been configured to stop all unknown exe files from writing to or starting from this location. The attempt to download the file was stopped by the host intrusion detection, but the process responsible for trying to download it went undetected.

Before starting, I verified that Zl0.exe was, in fact, malware by searching for it on the Internet. A quick scan of the system's running processes with Process Explorer didn't reveal anything out of the ordinary. Since the download was taking place each hour, I assumed a Windows Task Scheduler job was involved. The Task Scheduler is actually a service hosted within svchost.exe, along with many other services, so killing the process was not really practical. From the malware's point of view, another advantage of relying on the Task Scheduler is that the suspicious process is started by a legitimate process, runs, attempts to do what it wants to do, and stops, so by the time you go to investigate with process monitoring utilities, it is no longer there to be detected.

To confirm my suspicion, I opened the Task Scheduler. However, there were no abnormal scheduled jobs, even after selecting View Hidden Tasks from the Advanced menu:


To investigate further, I ran Autoruns on the workstation. Think of Autoruns as everything you want from Msconfig but that Msconfig lacks. Msconfig only shows you what is set to start from a few common Windows locations: HKCU Run, HKLM Run, Startup, and Common Startup:

By comparison, Autoruns displays a complete list of all startup items from all locations.

From within Autoruns, I started a search using CTRL+F, looking for Zl0.exe. I found a hit (along with its companion, mas.exe) and, indeed, it was sitting right inside the Task Scheduler as a {GUID}.job, hidden from the normal Task Scheduler GUI.

Normally, when using Autoruns to troubleshoot suspicious processes, it is best to disable entries by unchecking them before actually deleting them, so they can be re-enabled if they turn out to be valid. In this case, however, I had no doubt this was our offender, so I deleted both of the jobs. For good measure, I examined all the entries in Autoruns and found nothing else abnormal.

After deleting the items, I wanted to make sure the registry was clean of any references to the two exes above. Normally, if an item is present at startup, you look in the Run key under HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER. But these locations were already covered by Msconfig and Autoruns, and nothing abnormal was there. Oddly enough, however, a manual search of the registry under HKEY_USERS\S-1-5-21… (the SID of the logged-on user) turned up some more references to the exes above (and some other strings pointing to other malware):


Since HKEY_CURRENT_USER can be thought of as a pointer to the logged-on user's profile under HKU, I should have seen these same registry values there. I would have liked to examine this in more detail, but the demands of workstation security took precedence.
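The two checks this case came down to, a .job file on disk that the Task Scheduler GUI never showed and Run-key references sitting under HKU\<SID> rather than HKCU, can be scripted. This is an added example, not code from the original post: it assumes an XP-era host where jobs live as %windir%\Tasks\*.job (the `schtasks` and `Get-ChildItem` calls are real; the indicator names default to the two from this post), and it only inspects the Run and RunOnce keys of each loaded user hive.

```powershell
# Added example (not from the original post). Run elevated on an XP-era host
# where scheduled jobs are stored as %windir%\Tasks\*.job.
param(
    [string[]]$Indicators = @('Zl0.exe', 'mas.exe')   # names from the post
)

# Task names the scheduler reports (first CSV column, no header).
$reported = @()
foreach ($line in (schtasks /query /fo csv /nh 2>$null)) {
    $name = ($line -split ',')[0].Trim('"')
    if ($name) { $reported += [IO.Path]::GetFileNameWithoutExtension($name) }
}

# Compare on-disk jobs against that list. .job files hold the command line as
# UTF-16LE strings, so decoding the raw bytes as Unicode lets us grep them.
$taskDir = Join-Path $env:windir 'Tasks'
foreach ($job in (Get-ChildItem -Path $taskDir -Filter '*.job' -Force)) {
    $text = [Text.Encoding]::Unicode.GetString([IO.File]::ReadAllBytes($job.FullName))
    $hits = @($Indicators | Where-Object { $text -match [regex]::Escape($_) })
    $listed = $reported -contains $job.BaseName
    if (-not $listed -or $hits.Count -gt 0) {
        New-Object PSObject -Property @{
            Job              = $job.Name
            ListedBySchtasks = $listed      # $false = present on disk, not reported
            Indicators       = ($hits -join ', ')
        }
    }
}

# Per-user Run keys under HKEY_USERS. HKCU is only a view of the logged-on user's
# hive, so walking HKU\<SID> covers every loaded profile, not just the current one.
$runKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
           'Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($hive in (Get-ChildItem 'Registry::HKEY_USERS' | Where-Object { $_.PSChildName -like 'S-1-5-21-*' })) {
    foreach ($sub in $runKeys) {
        $path = "Registry::HKEY_USERS\$($hive.PSChildName)\$sub"
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }       # skip PowerShell's own note properties
            foreach ($ind in $Indicators) {
                if ("$($p.Value)" -match [regex]::Escape($ind)) {
                    Write-Output ("{0}\{1} : {2} = {3}" -f $hive.PSChildName, $sub, $p.Name, $p.Value)
                }
            }
        }
    }
}
```

A job that shows up with ListedBySchtasks = False, or any Run-key value naming one of the indicators, is the kind of entry Autoruns surfaced here and is worth disabling before deleting, as the post recommends.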
