Conficker Returning on a Server

Lanopy
My gosh I thought we were years beyond this.  Here is the scenario.

I have a Small Business Server 2011 box, and my customer allowed another vendor to install a copy machine monitor on it.  I am not even sure how he managed to infect the box, but what's done is done.  I know this box needs to be completely reloaded, however that is not a possible option at this time.

Here is what I know and what I have done.

Have tried to install MS08-067 and 068 plus MS09-001.  I cannot get any version of the files to install.  They simply report that they are not applicable to my system.

The virus drops a task called AT1.job in the windows task folder.  The task is created every hour on the hour.

The MRT tool will remove it.

KidoKiller only detects the task that is created and will also remove it.

Malwarebytes would throw a notification up and block the attempt to create the task, but would also block other services, so not a viable solution.  I would rather find the source anyway rather than block it.

A randomly named .dll file is placed in Windows/System

It has propagated to another Server 2008 box on the network that is joined to the SBS domain.  A third server, on the same network, remains clean.  Both infected servers are HP ProLiant DL480.  I found one blurb on the net about a false positive being generated by HP Data Protection.  I do not believe that to be the case here.  Ironically, the server that remains clean is a Dell.

I have 18 workstations on the network.  11 running Windows 10, 6 running Windows 7, all 64 bit.  There is NO Windows XP or what I think could be vulnerable machines on this network.

All updates and patches have been applied to all servers and workstations.

445 is blocked at my firewall

USB Autorun is disabled on all my builds by default.

I have a SonicWall, but am not seeing any traffic that would be cause for alarm.

The ONLY symptoms I see on the network are the task creation and an occasional unexplained reboot.  I found the issue looking for a cause for the restart.  (since managing the issue manually by running a daily removal, restarts have subsided)

I have run Conficker/Downadup Network scan tools and they come up empty.  Just to be sure, I have just built a 32 bit machine to run the same tools.
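The symptoms listed above (an AT1.job that reappears hourly in the Tasks folder, a randomly named DLL dropped under System32) are the kind of thing that is easier to pin down with a repeatable host triage than with another on-demand scan. The script below is an added example, not code from the original poster or from any of the tools named in the question. It assumes PowerShell 2.0 or later on Windows Server 2008 R2 (the base of SBS 2011), an elevated session, the default Tasks and System32 locations, and a 7-day window for "recent" file changes; the report path and the day window are assumptions you can change. The third check, walking the netsvcs svchost group and resolving each service's ServiceDll, is a general persistence check for DLL-hosted services and is not something the post itself mentions. On the MS08-067 point: that fix shipped for Windows 2000 through Server 2008, and Server 2008 R2 already contains it, which is why the installer reports it as not applicable rather than because something is wrong with the box.

```powershell
# Added triage script (not from the original post). Assumptions: PowerShell 2.0+
# on Server 2008 R2 / SBS 2011, run elevated; default Tasks/System32 paths;
# $Days and $ReportPath are arbitrary choices for this example.
param(
    [int]$Days = 7,
    [string]$ReportPath = "$env:TEMP\conficker-triage.txt"
)

$cutoff = (Get-Date).AddDays(-$Days)
$lines  = @()

# 1. AT-style jobs: the post reports AT1.job being recreated every hour.
$tasksDir = Join-Path $env:windir 'Tasks'
$lines += "== .job files in $tasksDir =="
Get-ChildItem -Path $tasksDir -Filter '*.job' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lines += ('{0}  created={1}  modified={2}' -f $_.Name, $_.CreationTime, $_.LastWriteTime)
    }

# schtasks.exe lists tasks on 2008 R2, where Get-ScheduledTask does not exist.
# CSV rows look like "\At1","Next Run Time","Status".
$lines += '== schtasks /query entries named \At<n> =='
$atJobs = @(schtasks.exe /query /fo csv /nh 2>$null | Where-Object { $_ -match '^"\\At\d+"' })
if ($atJobs.Count -gt 0) { $lines += $atJobs }

# 2. DLLs in System32 written within the window that lack a valid Authenticode
#    signature. Catalog-signed OS files show as NotSigned on older PowerShell,
#    so the recency filter does most of the work here; treat hits as leads.
$sys32 = Join-Path $env:windir 'System32'
$lines += "== unsigned DLLs in $sys32 modified since $cutoff =="
Get-ChildItem -Path $sys32 -Filter '*.dll' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            $lines += ('{0}  modified={1}  sig={2}' -f $_.FullName, $_.LastWriteTime, $sig.Status)
        }
    }

# 3. Services in the netsvcs svchost group and the DLL each one loads.
#    A service whose ServiceDll is a recently written, unsigned file in
#    System32 is worth pulling apart before the next hourly task fires.
$svcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$netsvcs = (Get-ItemProperty -Path $svcHostKey).netsvcs
$lines += '== netsvcs group members and their ServiceDll =='
foreach ($svc in $netsvcs) {
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
    $dll = $null
    if (Test-Path $params) {
        $dll = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).ServiceDll
    }
    if ($dll) {
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        $status = if (Test-Path $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'MISSING' }
        $lines += ('{0}  dll={1}  sig={2}' -f $svc, $dll, $status)
    } else {
        $lines += ('{0}  dll=(none)' -f $svc)
    }
}

$lines | Out-File -FilePath $ReportPath -Encoding UTF8
$lines
```

Run it on each of the three servers (the two that show the task and the one that does not) and diff the reports; the entries present only on the infected pair, in particular any netsvcs member whose ServiceDll points at a recently written, unsigned file, are the place to look for what is recreating AT1.job. Since the post notes the task comes back on the hour, running the script a few minutes before and after the hour also tells you whether the creator is a resident service or something launched by the task itself.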
Commented:
You keep using Windows software to detect and "remove" it. Most viruses are smart enough to let you think it's removed, and it just comes back the next hour or reboot. That's because the virus already has the upper hand and has more control over the system than the antivirus or other scanner does.
You need to shut down ALL servers and PCs, and scan them all at the same time, WITHOUT starting Windows (use a special antivirus boot CD or USB). The antivirus scanner has the upper hand now (it's the only running process, because the hidden virus only gets started with the Windows system), and will be able to remove the virus. Free versions are Avast (use the Rescue Disk feature, after it's already installed on a CLEAN PC), or download it from AVG http://www.avg.com/ww-en/download.prd-arl (again, do this on a CLEAN PC).
