What is this Task Scheduler entry?

July 22, 2014 at 01:54:44
Specs: Win 7
I found this entry in Task Scheduler:

{25553AF8-504C-41E8-BCCF-17854140FA3F}

It has no description.
The trigger is just "When the task is created or modified".

I didn't find anything about it with Google. Any idea what it is?

-- Jeff, in Minneapolis




#1
July 22, 2014 at 04:19:09
"I didn't find anything about it with Google"
Good to see you are having a go Jeff, I checked as well.
When Googling doesn't find anything, it is time to become suspicious & change the key words in the search.

Malware loves Windows Task Scheduler
http://www.infoworld.com/t/malware/...

Now need to get some clues, many, many directions to try, my instinct guides me to these tools to try first.

Step 1: Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
To run Unhide, simply download it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop, and then double-click on the Unhide icon. The program will open a black box and start making the files on your fixed disks visible again. Please note that this program will not unhide removable drives like flash cards and USB drives, as the FakeHDD rogues do not target these types of drives. Once it has finished, the program will display a Windows alert stating that your files have been restored. You should then reboot your computer for all of the settings to go into effect.
When Unhide is complete, it will create a logfile on the Windows Desktop called Unhide.txt.
Copy & Paste the contents of the log in your next post please. Let me know if it doesn't produce a log.

Step 2: Reboot.

Step 3: Run Defogger & then Combofix.
http://majorgeeks.com/Defogger_d708...
http://www.bleepingcomputer.com/dow...
Please download DeFogger and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Once downloaded, double-click on the DeFogger icon to start the tool.
Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.
This program can enable and disable CD emulation, often required in removing difficult malware. Some CD Emulation programs use a hidden driver that may be seen as a rootkit or that will interfere with the proper operation of the anti-rootkit scanner.
Download ComboFix onto your Desktop & then run it. If your default download location is not the Desktop, drag it out of its location onto the Desktop. Copy & Paste the contents of the log in your next post please. ComboFix's log should be located at C:\COMBOFIX.TXT.
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
http://www.winhelp.us/index.php/gen...
Manually restoring the Internet connection
http://www.bleepingcomputer.com/com...
There are circumstances where ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD), so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual.

If you think it's frozen, look at the computer clock.
If it's running, Combofix is still working.
NOTE: Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

**Please Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your Desktop.
Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

message edited by Johnw



#2
July 23, 2014 at 00:29:32
John,

Thanks for your extensive reply!

I read the first link, "Malware loves Windows Task Scheduler".
Good info.

After reading the second link, on Unhide.exe, I wonder if that is
the page you meant to link. As the author says, far down the page
in the comments, "As for unhiding files, the only time you ever want
to use this program is if you were infected with the FakeHDD rogue."
and "For these infections, you should completely remov[e] the virus
and unhide should be the last thing you run." Clearly this is not my
situation. My shortcuts did not go missing, alerts are not popping
up, and the only "system optimization program" I've ever run is
CCleaner.

While checking in Task Scheduler again to grab a bit of info that I
didn't include in my first post (the fact that the last time the entry in
question is listed as having run was last October), I discovered
something I missed before: What the entry does. It starts a copy
of Foxit Reader located inside a folder which was in turn inside my
Temp folder, but no longer exists, and probably hasn't existed since
the day I installed Foxit Reader last October.

I'll read the rest of your post, and maybe follow more of the links,
but it looks like this specific Task Scheduler entry is innocuous and
I will delete it. Sure would have been nice if it had been given a
name and description, though.

-- Jeff, in Minneapolis
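The check a practitioner would run at this point, as an added example that is not part of the thread and not taken from any of the tools Johnw links: a PowerShell script for Windows 7 that walks every scheduled task through the Schedule.Service COM object (available on Windows 7 with PowerShell 2.0, no ScheduledTasks module needed) and prints, for each task, the traits that made Jeff's entry look odd. The heuristics it flags (a GUID-shaped name, an empty description, a "when the task is created or modified" trigger, a "Start a program" action whose target sits under a Temp or AppData folder, and a target that no longer exists on disk) are my assumptions drawn from Jeff's description, not a detection rule from the page, and the folder-name regex is likewise an assumption.

```powershell
# Added example, not from the original thread. Enumerates all scheduled tasks
# via the Schedule.Service COM object and reports the traits that made the
# GUID-named task above suspicious. The flags are heuristics (assumptions),
# not a verdict: a task matching all of them can still be a leftover installer
# task, as Jeff's turned out to be.

$TASK_TRIGGER_REGISTRATION = 7   # trigger "When the task is created or modified"
$TASK_ACTION_EXEC          = 0   # action  "Start a program"

# Walk the task folder tree; GetTasks(1) includes hidden tasks.
function Get-AllTasks($folder) {
    foreach ($task in $folder.GetTasks(1)) { $task }
    foreach ($sub in $folder.GetFolders(0)) { Get-AllTasks $sub }
}

$service = New-Object -ComObject Schedule.Service
$service.Connect()   # local machine, current credentials

foreach ($task in Get-AllTasks $service.GetFolder('\')) {
    $def   = $task.Definition
    $flags = @()

    if ($task.Name -match '^\{[0-9A-Fa-f-]{36}\}$') { $flags += 'GUID name' }
    if (-not $def.RegistrationInfo.Description)     { $flags += 'no description' }

    foreach ($trigger in $def.Triggers) {
        if ($trigger.Type -eq $TASK_TRIGGER_REGISTRATION) { $flags += 'runs on registration' }
    }

    foreach ($action in $def.Actions) {
        if ($action.Type -ne $TASK_ACTION_EXEC) { continue }
        # Expand %TEMP%-style variables so the existence check is meaningful.
        $exe = [Environment]::ExpandEnvironmentVariables($action.Path).Trim('"')
        # Assumed heuristic: legitimate persistent tasks rarely run from Temp/AppData.
        if ($exe -match '\\(Temp|AppData)\\')   { $flags += "runs from Temp/AppData: $exe" }
        if (-not (Test-Path -LiteralPath $exe)) { $flags += "target missing: $exe" }
    }

    if ($flags.Count -gt 0) {
        '{0}  last run: {1}' -f $task.Path, $task.LastRunTime
        '    ' + ($flags -join '; ')
        # Keep the full definition as evidence before deleting anything:
        # $def.XmlText | Out-File ("$env:USERPROFILE\Desktop\" + $task.Name + '.xml')
    }
}
```

Run it from an elevated PowerShell prompt so that tasks in every folder, including those registered by SYSTEM or other users, are readable. If Jeff's description is accurate, his entry would come back with all five flags, which is exactly the output that tells you to look at the action path and last run time rather than delete the task blind; saving the XML first (the commented-out line) preserves the definition for later review.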



#3
July 23, 2014 at 00:54:19
"but it looks like this specific Task Scheduler entry is innocuous and
I will delete it. Sure would have been nice if it had been given a
name and description, though"

I prefer to leave no stone unturned, this should give us that info.

Download Farbar Recovery Scan Tool and save it to your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run.
The first time the tool is run, it also makes another log (Addition.txt). Upload the logs to a site of your choosing & give us the link please.

message edited by Johnw




#4
July 23, 2014 at 01:33:05
"For these infections, you should completely remov[e] the virus
and unhide should be the last thing you run."

Thanks for that, my head had completely got mixed up with that tool & not for the first time either.

message edited by Johnw


