
It seems I have Conficker.B but everything works. How do I remove it definitively?

Hi everybody.

I know that there are many questions about Conficker already but I need your help anyway please.
A while ago I noticed on 2 servers (2008 R2) that I had a strange task in "Task Scheduler" called "At1" (from Monday to Sunday at 7.00 am)... after a short search I realized I had Conficker.

The anomaly is that we didn't notice any issue with the network, Windows Update, the services or daily web use; as a matter of fact the servers are already patched with KB958644.

I ran several tools like Malwarebytes, Stinger, the Conficker removal tool and the Windows Malicious Software Removal Tool (WMRT), which find "Win32/Conficker.B". In particular WMRT finds and removes it (the task disappears), but when I restart the servers the "At1" task in Task Scheduler comes back.
I ran WMRT through a script on all the clients (about 40) and they "SEEM" to be clean.

So the question is: how can I remove it definitively?

Many thanks in advance

You may not like this answer.. but I would backup your data and rebuild the server.

I second the rebuild.
Sudeep Sharma, Technical Designer

Conficker is a smart virus and it brute-forces weak Admin/administrator passwords. Further, if it has taken a system and you try to clean it using the Administrator's credentials, then it has those credentials too.

So changing the password, and isolating the system until it is cleaned and patched, are a few things that you could do.

Further, you may need to find the source of the infection as well. I believe that there is some other system in your network which is creating those tasks on the server. Or it could be some process itself which is creating it.

I would advise using Process Monitor to find the process which is creating those tasks.

For the infected systems on the network, a good AV software would be able to find the source easily. I have MSE catching Conficker-infected systems trying to create the files and processes; not sure what AV you are using for primary protection.

@aindelicato and @ryan80: Thanks for the replies, but I can't rebuild the servers now.

@SSharma: So you suggest taking the servers off the network, changing the admin password and then cleaning the systems?

I think that there is some process itself which is creating it, because I scanned the clients and they "seem" to be clean of Conficker (with a scan of WMRT, nothing strange in the log file)... do you agree with me?

I've already tried Process Monitor, but it shows thousands and thousands of tasks and I don't even know what I'm searching for... do you suggest any filter to decrease the number of tasks?

I'm searching for a "non-invasive" solution because stopping our customer's servers means stopping their business...

Many thanks in advance
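A defender-side inventory of the symptom this thread describes, added here as an example by the editor; it is not code posted by anyone in the thread. It lists every scheduled task whose name matches the legacy AT pattern (At1, At2, ...), shows what each one runs and who created it, records the last-write time of the task's on-disk definition so the reappearance can be correlated with a Process Monitor capture, and confirms whether KB958644 is installed. It assumes a Windows Server 2008 R2 box with schtasks.exe (so it does not rely on Get-ScheduledTask, which only exists from Server 2012 onward), the default task store under C:\Windows\System32\Tasks, and an elevated PowerShell prompt.

```powershell
# Added example (editor's own, not from the thread). Inventories At* scheduled
# tasks and checks for KB958644 on Windows Server 2008 R2 / PowerShell 2.0+.
# Assumptions: schtasks.exe is present (it ships with Windows) and the task
# store is at the default location %windir%\System32\Tasks.

function Get-AtJobs {
    # schtasks /V emits verbose CSV; the header line can be repeated once per
    # task folder, so rows whose TaskName is literally 'TaskName' are dropped.
    $tasks = schtasks /Query /FO CSV /V | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' }

    # Legacy AT jobs show up as \At1, \At2, ... in the root of the task store.
    $atJobs = $tasks | Where-Object { $_.TaskName -match '^\\?At\d+$' }

    foreach ($job in @($atJobs)) {
        $name = $job.TaskName.TrimStart('\')
        $file = Join-Path $env:windir ("System32\Tasks\" + $name)
        $written = if (Test-Path $file) { (Get-Item $file).LastWriteTime } else { 'n/a' }

        New-Object PSObject -Property @{
            TaskName    = $job.TaskName
            TaskToRun   = $job.'Task To Run'        # command the task launches
            RunAsUser   = $job.'Run As User'
            Author      = $job.Author
            Schedule    = $job.'Schedule Type'
            StartTime   = $job.'Start Time'
            State       = $job.'Scheduled Task State'
            DefinitionWrittenAt = $written          # when the XML on disk last changed
        }
    }
}

function Test-KB958644 {
    # Get-HotFix exposes HotFixID / InstalledOn on 2008 R2.
    $kb = Get-HotFix | Where-Object { $_.HotFixID -eq 'KB958644' }
    if ($kb) { "KB958644 installed on $($kb.InstalledOn)" } else { 'KB958644 NOT found' }
}

# Run the checks and keep a copy of the evidence next to the script.
$found = @(Get-AtJobs)
if ($found.Count -eq 0) {
    Write-Host 'No At* scheduled tasks present.'
} else {
    Write-Host "Found $($found.Count) At* task(s):"
    $found | Format-List TaskName, TaskToRun, RunAsUser, Author, Schedule, StartTime, State, DefinitionWrittenAt
    $found | Export-Csv -NoTypeInformation -Path (Join-Path $PWD 'at-tasks.csv')
}
Write-Host (Test-KB958644)
```

Because the task returns after a reboot, run this once right after startup and note the DefinitionWrittenAt value: the process that recreated the task must have written that XML file at that moment, so in Process Monitor a filter of "Path contains \System32\Tasks" with Operation set to CreateFile or WriteFile, limited to that time window, narrows the thousands of events down to the writer the replies above are asking you to find. The "Task To Run" column tells you what the task itself launches, which is the second thing to hand to the AV vendor or to compare across the two servers.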
Simple Geek from the '70s, Distinguished Expert 2019

You are dealing with a rather nasty virus. You will have to do some shutdowns. Does their business run 24/7? Can you do it during the off hours? That, or bring in some hardware, do a P2V into virtual machines and run on your hardware (charging the customer appropriately) while you clean out the infected machines. Hopefully their data is located on a data storage device or on a separate hard drive.

This is the classic "an ounce of prevention prevents a pound of cure".
Microsoft will help you
If you can't go to http://safety.live.com, contact support at 1-866-PCSafety or 1-866-727-2338. This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada. For support in other countries, visit the Worldwide computer security information page.
You are putting the customer's business at risk. If you cannot afford downtime, then I suggest building a new server and migrating your customer's data to the new, clean, secure server.
