Seems I have Conficker.B but everything works. How do I remove it definitively?

Posted on 2012-08-16
Medium Priority
Last Modified: 2013-11-22
Hi everybody.

I know that there are many questions about Conficker already but I need your help anyway please.
Some time ago I noticed on 2 servers (2008 R2) that I had a strange task in "Task Scheduler" called "At1" (running Monday to Sunday at 7.00 am)... after a short search I realized I had Conficker.

The anomaly is that we didn't notice any issue with the network, Windows Update, the services or daily web use; as a matter of fact the servers are already patched with KB958644.

I ran several tools like Malwarebytes, Stinger, the Conficker removal tool and the Windows Malicious Software Removal Tool (WMRT), which find "Win32/Conficker.B". In particular WMRT finds and removes it (the task disappears), but when I restart the servers the "At1" task in Task Scheduler comes back.
I ran WMRT through a script on all the clients (about 40) and they "SEEM" to be clean.

So the question is: how can I remove it definitively??

Many thanks in advance
Question by: SIES di Andrea Barbon
LVL 12

Expert Comment

ID: 38300941
You may not like this answer... but I would back up your data and rebuild the server.
LVL 12

Expert Comment

ID: 38301208
I second the rebuild.
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 38301627
Conficker is a smart virus and it brute-forces weak Admin/administrator passwords. Further, if it has taken a system and you try to clean it using the Administrator's credentials, then it has those credentials too.

So changing the password, and isolating the system until it is cleaned and patched, are a few things that you could do.

Further, you may need to find the source of the infection as well. I believe that there is some other system in your network which is creating those tasks on the server, or it could be some process itself which is creating it.

I would advise using Process Monitor to find the process which is creating those tasks.

For the infected systems on the network, good AV software would be able to find the source easily. I have MSE catching Conficker-infected systems trying to create the files and processes; not sure what AV you are using for primary protection.

Author Comment

by: SIES di Andrea Barbon
ID: 38303754
@aindelicato and @ryan80: Thanks for the replies, but I can't rebuild the servers now.

@SSharma: So you suggest taking the servers off the network, changing the admin password and then cleaning the systems?

I think that there is some process itself which is creating it, because I scanned the clients and they "seem" to be clean of Conficker (with a WMRT scan, nothing strange in the log file)... do you agree with me?

I've already tried Process Monitor, but it shows thousands and thousands of tasks and I don't know what I'm searching for... do you suggest any filter to decrease the number of tasks?

I'm searching for a "non-invasive" solution, because stopping our customer's servers means stopping their business...

Many thanks in advance
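Sudeep's Process Monitor suggestion above and the follow-up asking which filter to use both come down to one triage question: which account or process keeps re-registering the "At1" job, and from where. The PowerShell script below is an added example written for this thread; it is not code posted by any participant and not a Microsoft tool. It assumes (labelled as assumptions) that it runs in an elevated PowerShell session on the affected Windows Server 2008 R2 host, that the Task Scheduler operational log is enabled (event 106, "Task registered"), and that Security auditing for "Other Object Access Events" is on so that event 4698 ("A scheduled task was created") is recorded. The task name pattern `At<n>` is taken from the question; everything else is constructed. It enumerates the AT-style jobs through the Schedule.Service COM interface (locale-independent, unlike parsing `schtasks` output), lists the `.job` files the classic AT service writes under `%SystemRoot%\Tasks`, pulls the registration events that name an `At` task, and for each registration lists network (type 3) logons in the surrounding minutes, since an account logging on over the network at the moment the task appears points at the machine doing the creating.

```powershell
# Added example for this thread (not from any poster): triage who/what keeps registering
# the "At1" job on a Windows Server 2008 R2 host.
# Assumptions: elevated PowerShell on the affected server; Task Scheduler operational log
# enabled (event 106); Security auditing of "Other Object Access Events" on (event 4698).

function Get-AtJobInventory {
    # Schedule.Service is the Task Scheduler 2.0 COM API; its property names do not
    # depend on the OS display language, unlike the column headers of schtasks /fo CSV.
    $svc = New-Object -ComObject 'Schedule.Service'
    $svc.Connect()                                   # local machine
    foreach ($task in $svc.GetFolder('\').GetTasks(1)) {   # 1 = TASK_ENUM_HIDDEN
        if ($task.Name -notmatch '^At\d+$') { continue }   # pattern from the question
        $actions = @(foreach ($a in $task.Definition.Actions) {
            "$($a.Path) $($a.Arguments)".Trim()        # Path/Arguments exist for Exec actions
        })
        New-Object PSObject -Property @{
            Name    = $task.Name
            RunAs   = $task.Definition.Principal.UserId
            Action  = ($actions -join ' ; ')
            LastRun = $task.LastRunTime
            NextRun = $task.NextRunTime
        } | Select-Object Name, RunAs, Action, LastRun, NextRun
    }
}

function Get-AtJobFiles {
    # Classic AT jobs are persisted as At<n>.job under %SystemRoot%\Tasks; the write
    # time is the window to search in the event logs.
    Get-ChildItem -Path (Join-Path $env:SystemRoot 'Tasks') -Filter 'At*.job' -ErrorAction SilentlyContinue |
        Select-Object Name, CreationTime, LastWriteTime, Length
}

function Get-AtJobRegistrations {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $queries = @(
        @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106;  StartTime = $since },
        @{ LogName = 'Security';                                    Id = 4698; StartTime = $since }
    )
    # -ErrorAction SilentlyContinue swallows the "No events were found" error.
    $events = foreach ($q in $queries) { Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue }
    $events |
        Where-Object { $_.Message -match '\\At\d+' } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LogName,
            @{ Name = 'Task';    Expression = { [regex]::Match($_.Message, '\\At\d+').Value } },
            @{ Name = 'Account'; Expression = {
                # 4698 carries "Account Name:"; 106 carries User "DOMAIN\name"
                $m = [regex]::Match($_.Message, 'Account Name:\s*(\S+)|User "([^"]+)"')
                if ($m.Groups[1].Value) { $m.Groups[1].Value } else { $m.Groups[2].Value } } }
}

function Get-NetworkLogonsNear {
    # Network (type 3) logons in the minutes around a task registration; the source
    # address is the host that authenticated, i.e. the likely creator of the job.
    param([datetime]$Time, [int]$Minutes = 5)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4624
        StartTime = $Time.AddMinutes(-$Minutes); EndTime = $Time.AddMinutes($Minutes) } |
        Where-Object { $_.Message -match 'Logon Type:\s+3' } |
        Select-Object TimeCreated,
            @{ Name = 'Account'; Expression = {
                # 4624 lists two "Account Name:" fields; the second is the new logon
                $all = [regex]::Matches($_.Message, 'Account Name:\s*(\S+)')
                $all[$all.Count - 1].Groups[1].Value } },
            @{ Name = 'Source';  Expression = {
                [regex]::Match($_.Message, 'Source Network Address:\s*(\S+)').Groups[1].Value } }
}

# Usage: inventory, on-disk job files, registrations, and the logons around each one.
Get-AtJobInventory | Format-Table -AutoSize
Get-AtJobFiles      | Format-Table -AutoSize
$regs = Get-AtJobRegistrations -Days 14
$regs | Format-Table -AutoSize
foreach ($r in $regs) {
    "--- network logons around $($r.TimeCreated) ($($r.Task) by $($r.Account))"
    Get-NetworkLogonsNear -Time $r.TimeCreated | Format-Table -AutoSize
}
```

If you still want to watch it live in Process Monitor, the filter that cuts the noise down is `Path` `contains` `\Tasks\At` with `Operation` `is` `CreateFile`, since the job lands as a `.job` file in that folder. When the only writer shown is `svchost.exe` hosting the Schedule service, the job is being registered through the scheduler interface rather than by a local program writing the file, which is the case where the account in event 106/4698 and the nearby type 3 logons are the more useful lead.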
LVL 84

Accepted Solution

David Johnson, CD, MVP earned 2000 total points
ID: 38304119
You are dealing with a rather nasty virus. You will have to do some shutdowns. Does their business run 24/7? Can you do it during the off hours? That, or bring in some hardware, do a P2V into virtual machines and run on your hardware (charging the customer appropriately) while you clean out the infected machines. Hopefully their data is located on a data storage device or on a separate hard drive.

This is the classic "an ounce of prevention is worth a pound of cure".
Microsoft will help you:
If you can't go to http://safety.live.com, contact support at 1-866-PCSafety or 1-866-727-2338. This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada. For support in other countries, visit the Worldwide computer security information page.
LVL 12

Expert Comment

ID: 38305104
You are putting the customer's business at risk. If you cannot afford downtime, then I suggest building a new server and then migrating your customer's data to the new, clean, secure server.
