• Status: Solved
  • Priority: Medium
  • Security: Public

Seems I get Conficker.B but everything works. How to remove it definitively?

Hi everybody.

I know that there are many questions about Conficker already but I need your help anyway please.
Some time ago I noticed on 2 servers (2008 R2) that I had a strange task in "Task Scheduler" called "At1" (from Monday to Sunday at 7.00 am)... after a short search I realized I've got Conficker.

The anomaly is that we didn't notice any issue with the network, Windows Update, the services or daily web use; as a matter of fact the servers are already patched with KB958644.

I ran several tools like Malwarebytes, Stinger, the Conficker removal tool and the Windows Malicious Removal Tool (WMRT) that find "Win32/Conficker.B". In particular WMRT finds and removes it (the task disappears), but when I restart the servers the "At1" task in Task Scheduler comes back.
I ran WMRT through a script on all the clients (about 40) and they "SEEM" to be clean.

So the question is: how can I remove it definitively?

Many thanks in advance

Asked by: SIES di Andrea Barbon

1 Solution
aindelicato commented:
You may not like this answer.. but I would backup your data and rebuild the server.
 
ryan80 commented:
I second the rebuild.
 
Sudeep Sharma (Technical Designer) commented:
Conficker is a smart virus and it brute-forces weak Admin/administrator passwords. Further, if it has taken a system and you try to clean it using the Administrator's credentials, then it has those credentials too.

So changing the password, and isolating the system until it is cleaned and patched, are a few things that you could do.

Further, you may need to find the source of the infection as well. I believe that there is some other system in your network which is creating those tasks on the server. Or it could be some process itself which is creating it.

I would advise using Process Monitor to find the process which is creating those tasks.

For the infected systems on the network, good AV software would be able to find the source easily. I have MSE catching the Conficker-infected systems trying to create the files and processes; not sure what AV you are using for primary protection.
 
SIES di Andrea Barbon (Author) commented:
@aindelicato and @ryan80: Thanks for the replies but I can't rebuild the servers now.

@SSharma: So you suggest taking the servers off the network, changing the admin password and then cleaning the systems?

I think that there is some process itself which is creating it, because I scanned the clients and they "seem" to be clean of Conficker (with a WMRT scan there is nothing strange in the log file)... do you agree with me?

I've already tried Process Monitor, but it shows thousands and thousands of tasks and I don't even know what I'm searching for... do you suggest any filter to decrease the number of tasks?

I'm searching for a "non-invasive" solution because stopping our customer's servers means stopping their business...

Many thanks in advance
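As an added example (not part of this thread), a PowerShell triage script that lists the "AtN" scheduled tasks the asker describes on each host, with the command each one runs, who it runs as and its author, and checks whether KB958644 is installed. It assumes English-locale schtasks output and that you can run schtasks /s and Get-HotFix against the remote hosts; the script file itself is hypothetical.

```powershell
# Added triage script (not from the thread): lists every "AtN" scheduled task
# on the given hosts together with the command it runs, and checks whether
# KB958644 (MS08-067) is installed. Assumes English-locale schtasks output
# and that schtasks /s and Get-HotFix can reach the remote hosts.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

function Get-AtTasks {
    param([string]$Computer)
    # /v gives the verbose CSV that carries "Task To Run" and "Run As User".
    # Tasks created with at.exe show up as "\At1", "\At2", ... hence the
    # optional leading backslash in the pattern.
    $csv = schtasks /query /s $Computer /fo csv /v 2>$null
    if (-not $csv) { return @() }
    $csv | ConvertFrom-Csv |
        Where-Object { $_.TaskName -match '^\\?At\d+$' } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $Computer
                TaskName = $_.TaskName
                Command  = $_.'Task To Run'
                RunAs    = $_.'Run As User'
                NextRun  = $_.'Next Run Time'
                Author   = $_.Author
            }
        }
}

foreach ($c in $ComputerName) {
    $tasks = @(Get-AtTasks -Computer $c)
    if ($tasks.Count -gt 0) {
        Write-Host "[$c] $($tasks.Count) AtN task(s) found:" -ForegroundColor Yellow
        $tasks | Format-Table -AutoSize
    } else {
        Write-Host "[$c] no AtN tasks" -ForegroundColor Green
    }
    # MS08-067 patch check; the asker reports the servers already have it.
    $fix = Get-HotFix -Id KB958644 -ComputerName $c -ErrorAction SilentlyContinue
    Write-Host "[$c] KB958644 installed: $([bool]$fix)"
}
```

The Command and Author columns are the values to feed back into a Process Monitor filter (e.g. the path in "Task To Run"), which narrows the event stream to whatever recreates the task after each reboot.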
 
David Johnson, CD, MVP (Owner) commented:
You are dealing with a rather nasty virus. You will have to do some shutdowns. Does their business run 24/7? Can you do it during the off hours? That, or bring in some hardware, do a P2V into virtual machines and run on your hardware (charging the customer appropriately) while you clean out the infected machines. Hopefully their data is located on a data storage device or on a separate hard drive.

This is the classic "an ounce of prevention prevents a pound of cure".
Microsoft will help you:
If you can't go to http://safety.live.com, contact support at 1-866-PCSafety or 1-866-727-2338. This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada. For support in other countries, visit the Worldwide computer security information page.
http://www.microsoft.com/security/pc-security/conficker.aspx
 
aindelicato commented:
You are putting the customer's business at risk.  If you cannot afford downtime, then I suggest building a new server, then migrating your customer's data to the new clean, secure server.