Seems I get Conficker.B but everything works. How to remove it definitively?

Posted on 2012-08-16
Last Modified: 2013-11-22
Hi everybody.

I know that there are many questions about Conficker already but I need your help anyway please.
Some time ago I noticed on 2 servers (2008 R2) that I had a strange task in "Task Scheduler" called "At1" (from Monday to Sunday at 7.00 am)... after a short search I realized I've got Conficker.

The anomaly is that we didn't notice any issue with the network, Windows Update, the services or daily web use; as a matter of fact the servers are already patched with KB958644.

I ran several tools like Malwarebytes, Stinger, Conficker removal tool and Windows malicious removal tool (WMRT) that find "Win32/Conficker.B". WMRT especially finds and removes it (the task disappears), but when I restart the servers the "At1" task in Task Scheduler comes back.
I ran WMRT through a script on all the clients (about 40) and it "SEEMS" they are clean.

So the question is: how can I remove it definitively?

Many thanks in advance
Question by:SIES di Andrea Barbon
    LVL 12

    Expert Comment

    You may not like this answer.. but I would backup your data and rebuild the server.
    LVL 12

    Expert Comment

    I second the rebuild.
    LVL 29

    Expert Comment

    by:Sudeep Sharma
    Conficker is a smart virus and it brute-forces weak Admin/administrator passwords. Further, if it has taken a system and you try to clean it using the Administrator's credentials, then it has those credentials too.

    So changing the password, and isolating the system unless cleaned and patched are the few things that you could do.

    Further, you may need to find the source of the infection as well. I believe that there is some other system in your network which is creating those tasks on the server. Or it could be some process itself which is creating it.

    I would advise to use Process Monitor to find the process which is creating those tasks.

    For the infected system on the network a good AV software would be able to find the source easily. I have MSE catching the Conficker infected systems trying to create the files and processes, not sure what AV you are using for primary protection.

    Author Comment

    by:SIES di Andrea Barbon
    @aindelicato and @ryan80: Thanks for the replies but I can't rebuild the servers now.

    @SSharma: So you suggest to take off the servers from the network, change the admin password and then clean the systems?

    I think that there is some process itself which is creating it, because I scanned the clients and they "seem" to be clean of Conficker (with a scan of MWRT, nothing strange in the log file). Do you agree with me?

    I've already tried Process Monitor, but it shows thousands and thousands of tasks and I don't even know what I'm searching for. Can you suggest any filter to decrease the number of tasks?

    I'm searching for a "non-invasive" solution because stopping the servers of our customer means stopping their business...

    Many thanks in advance
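
One way to narrow a Process Monitor capture to the events that matter here, as an added example that is not part of the original thread: save the capture as CSV and keep only successful creations and writes of "AtN" job files, grouped by writing process. It assumes Procmon's default CSV columns and the two job locations named in the comments; the sample rows are constructed.

```python
import csv
import io
import re
from collections import Counter

# Assumption: AT-style jobs live at \Windows\Tasks\AtN.job and, on Task
# Scheduler 2.0 systems, also at \Windows\System32\Tasks\AtN.
AT_JOB = re.compile(r"\\Windows\\(?:System32\\)?Tasks\\At\d+(?:\.job)?$", re.I)
WRITE_OPS = {"CreateFile", "WriteFile"}

def at_job_writers(procmon_csv):
    """Count successful create/write events on AtN job files per (process, PID, path)."""
    # A CSV export may start with a UTF-8 BOM, which would corrupt the first header.
    text = procmon_csv.lstrip("\ufeff \r\n")
    hits = Counter()
    for row in csv.DictReader(io.StringIO(text)):
        op, path = row.get("Operation", ""), row.get("Path", "")
        if op not in WRITE_OPS or row.get("Result") != "SUCCESS":
            continue
        if not AT_JOB.search(path):
            continue
        # CreateFile is also logged for plain opens; keep only real creations.
        if op == "CreateFile" and "OpenResult: Created" not in (row.get("Detail") or ""):
            continue
        hits[(row["Process Name"], row["PID"], path)] += 1
    return hits

# Constructed sample rows (not from a real capture).
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"7:00:01.1000000 AM","svchost.exe","912","CreateFile","C:\Windows\Tasks\At1.job","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"7:00:01.1000500 AM","svchost.exe","912","WriteFile","C:\Windows\Tasks\At1.job","SUCCESS","Offset: 0, Length: 318"
"7:00:02.0000000 AM","mmc.exe","3020","CreateFile","C:\Windows\Tasks\At1.job","SUCCESS","Desired Access: Read Attributes, Disposition: Open, OpenResult: Opened"
"7:00:03.0000000 AM","explorer.exe","1500","WriteFile","C:\Users\admin\notes.txt","SUCCESS","Offset: 0, Length: 10"
"7:00:04.0000000 AM","svchost.exe","912","CreateFile","C:\Windows\System32\Tasks\At1","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"'''

if __name__ == "__main__":
    for (proc, pid, path), n in at_job_writers(SAMPLE).most_common():
        print(f"{proc} (PID {pid}) wrote {path}: {n} event(s)")
```

The PID in the result can then be matched against the running services and processes on the server to see which component recreated the job after the reboot.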
    LVL 77

    Accepted Solution

    You are dealing with a rather nasty virus. You will have to do some shutdowns. Does their business run 24/7? Can you do it during the off hours? That, or bring in some hardware, do a P2V into virtual machines and run on your hardware (charging the customer appropriately) while you clean out the infected machines. Hopefully their data is located in a data storage device or on a separate hard drive.

    This is the classic "an ounce of prevention prevents a pound of cure".
    Microsoft will help you
    If you can't go to, contact support at 1-866-PCSafety or 1-866-727-2338. This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada. For support in other countries, visit the Worldwide computer security information page.
    LVL 12

    Expert Comment

    You are putting the customer's business at risk.  If you cannot afford downtime, then I suggest building a new server, then migrating your customer's data to the new clean, secure server.
