August 2, 2016 at 9:14 am
Attached is a SQL Server Agent job that I didn't create, named "vb". I've deleted it but it keeps reappearing after some time.
Does anyone know where it comes from? Your help is greatly appreciated!
August 2, 2016 at 9:21 am
Is it being created by another job or by a stored procedure? Query the command column of msdb.dbo.sysjobsteps, and the definition column of sys.sql_modules in every database, to see whether "vb" is mentioned.
John
August 2, 2016 at 1:54 pm
Thank you for the quick reply!
I've run the below statements in every database and "vb" is not mentioned. It appears that it is not being created by another job or procedure.
The "vb" job was already deleted when I ran the below statements. I will re-run the below statements if/when the "vb" job reappears. Thank you again!
STATEMENTS USED IN EVERY DATABASE (SEE BELOW):
select * from sys.sql_modules
where definition like '%vb%'
select * from msdb.dbo.sysjobsteps
where command like '%vb%'
August 2, 2016 at 5:24 pm
If and when it shows up again, you may want to query msdb..sysjobs as well. That will at least tell you when the job was created and the owner, which might give you some more clues on what is going on with that job. Could help track things down.
Sue
August 3, 2016 at 1:55 pm
Thank you for the reply! I will also execute the below statement if/when the job shows up again. Thanks again!
select * from msdb..sysjobs
August 15, 2016 at 2:50 pm
The SQL Server Agent "vb" job appeared again!
I ran the below queries in every database and the results were the same (screenshot attached):
select * from sys.sql_modules
where definition like '%vb%'
select * from msdb.dbo.sysjobsteps
where command like '%vb%'
select * from msdb..sysjobs
where name like '%vb%'
Also, I opened the job step and it's trying to execute "c:\hexbhao.exe". The file doesn't exist on my PC but I now see "c:\xpbhao.exe" and "c:\zybhao.exe". I've googled the files but found no results to see what's happening.
Your help is greatly appreciated!
August 15, 2016 at 3:10 pm
It must be getting created by some application installed (or possibly even some malware that's installed; the file names don't sound legit).
Try running a server-side trace for a while and see what application recreates the job.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
August 16, 2016 at 3:20 am
Try also searching for the hex version of vb.
select * from sys.sql_modules
where definition like '%7662%'
Most malware I've seen on SQL Server executes a hex version of the code which gets "translated" at execution time, so searching for the string alone is not enough.
In your case, as you are getting a new job created, I would also search for the add job statements (both char and hex versions of it) in sql_modules and in the last executed jobs.
SELECT deqs.last_execution_time AS [Time], dest.text AS [Query], dest.*
FROM sys.dm_exec_query_stats AS deqs
CROSS APPLY sys.dm_exec_sql_text(deqs.sql_handle) AS dest
where dest.text like '%job%'
or dest.text like '%6A6F62%'
or dest.text like '%vb%'
or dest.text like '%7662%'
ORDER BY deqs.last_execution_time DESC
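
The searches suggested across the replies above, combined into one script as an added example (not posted by any participant in the thread): it builds the plain, single-byte hex and UTF-16LE hex forms of a search term and checks them against job steps and module definitions. The names @term and #patterns are illustrative; the hex literals in the thread ('7662', '6A6F62') are the single-byte form only, and a payload stored as nvarchar would appear as the UTF-16LE form instead.

```sql
-- Added example. @term and #patterns are illustrative names, not from the thread.
DECLARE @term varchar(128) = 'sp_add_job';   -- run again with 'vb'

IF OBJECT_ID('tempdb..#patterns') IS NOT NULL DROP TABLE #patterns;
CREATE TABLE #patterns (encoding varchar(20), pattern nvarchar(600));

-- CONVERT style 2 renders binary as hex digits without the 0x prefix.
-- Note: "_" in the plain pattern is a LIKE wildcard, so that match is slightly loose.
INSERT INTO #patterns (encoding, pattern)
VALUES
  ('plain text',    N'%' + @term + N'%'),
  ('hex, 1 byte',   N'%' + CONVERT(varchar(max), CONVERT(varbinary(max), @term), 2) + N'%'),
  ('hex, UTF-16LE', N'%' + CONVERT(varchar(max),
                           CONVERT(varbinary(max), CONVERT(nvarchar(128), @term)), 2) + N'%');

-- 1. Agent job steps: which job matched, who owns it, when it was created.
SELECT p.encoding,
       j.name                  AS job_name,
       SUSER_SNAME(j.owner_sid) AS owner_login,
       j.date_created,
       j.date_modified,
       s.step_id,
       s.subsystem,            -- CmdExec steps run operating system commands
       s.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
JOIN #patterns AS p
  ON s.command COLLATE Latin1_General_CI_AS LIKE p.pattern
ORDER BY j.date_created DESC;

-- 2. Module definitions in the current database (repeat in every database).
--    LEFT JOIN keeps database-level DDL triggers, which are not in sys.objects.
SELECT p.encoding,
       DB_NAME()                       AS database_name,
       m.object_id,
       OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS object_name,
       o.type_desc,
       o.modify_date
FROM sys.sql_modules AS m
LEFT JOIN sys.objects AS o ON o.object_id = m.object_id
JOIN #patterns AS p
  ON m.definition COLLATE Latin1_General_CI_AS LIKE p.pattern;
```

The case-insensitive collation makes the hex patterns match lower-case hex digits as well.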