
Conficker Returning on a Server

Last Modified: 2016-11-23
My gosh I thought we were years beyond this.  Here is the scenario.

I have a Small Business Server 2011 box, and my customer allowed another vendor to install a copy machine monitor on it.  I am not even sure how he managed to infect the box, but what's done is done.  I know this box needs to be completely reloaded, however that is not a possible option at this time.

Here is what I know and what I have done.

Have tried to install MS08-067 and 068 plus MS09-001.  I cannot get any version of the files to install.  They simply report that they are not applicable to my system.

The virus drops a task called AT1.job in the windows task folder.  The task is created every hour on the hour.

The MRT tool will remove it.

KidoKiller only detects the task that is created and will also remove it.

Malware Bytes would throw a notification up and block the attempt to create the task, but would also block other services so not a viable solution.  I would rather find the source anyway rather than block it.

A randomly named .dll file is placed in Windows/System

It has propagated to another Server 2008 box on the network that is joined to the SBS domain.  A third server, on the same network, remains clean.  Both infected servers are HP ProLiant DL480.  I found one blurb on the net about a false positive being generated by HP Data Protection.  I do not believe that to be the case here.  Ironically, the server that remains clean is a Dell.

I have 18 workstations on the network.  11 running Windows 10, 6 running Windows 7, all 64 bit.  There are NO Windows XP machines, or any other machines I think could be vulnerable, on this network.

All updates and patches have been applied to all servers and workstations.

445 is blocked at my firewall

USB Autorun is disabled on all my builds by default.

I have a Sonic Wall, but am not seeing any traffic that would be cause for alarm.

The ONLY symptoms I see on the network are the task creation and an occasional unexplained reboot.  I found the issue looking for a cause for the restart.  (Since managing the issue manually by running a daily removal, restarts have subsided.)

I have run Conficker/Downadup Network scan tools and they come up empty.  Just to be sure, I have just built a 32 bit machine to run the same tools.
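A triage script for the two host indicators this question describes (an AT*.job recreated hourly in the Windows Tasks folder, and a randomly named .dll dropped under the Windows directory), added here as an example; it is not code from the original post nor from MRT, KidoKiller or any other tool named above. It assumes an elevated PowerShell on the affected server; the folder paths and the 7-day look-back window are assumptions that can be overridden.

```powershell
# Added triage script; not the original poster's code or any vendor tool.
# Assumptions: elevated PowerShell on the affected server; the folders below
# are the locations the question refers to (System32 added as an assumption).
param(
    [string]  $TaskDir      = (Join-Path $env:windir 'Tasks'),
    [string[]]$DllDirs      = @((Join-Path $env:windir 'System'),
                                (Join-Path $env:windir 'System32')),
    [int]     $LookbackDays = 7
)

Write-Host "== Legacy AT jobs in $TaskDir =="
$jobs = Get-ChildItem -Path $TaskDir -Filter 'AT*.job' -ErrorAction SilentlyContinue
if (-not $jobs) { Write-Host 'none found' }
foreach ($job in $jobs) {
    # A creation time stamped at minute :00 matches the "every hour on the
    # hour" pattern the question reports; keep it for the incident timeline.
    $onTheHour = ($job.CreationTime.Minute -eq 0)
    # Ask Task Scheduler what the job would run. Legacy AT jobs are exposed
    # in the root folder under their .job base name (e.g. 'At1').
    $cmd = '<not readable via Task Scheduler>'
    try {
        $svc = New-Object -ComObject 'Schedule.Service'
        $svc.Connect()
        $task = $svc.GetFolder('\').GetTask($job.BaseName)
        $cmd = ($task.Definition.Actions |
                ForEach-Object { "$($_.Path) $($_.Arguments)" }) -join '; '
    } catch { }
    '{0}  created={1:u}  onTheHour={2}  runs: {3}' -f `
        $job.Name, $job.CreationTime, $onTheHour, $cmd
}

Write-Host "== DLLs created within $LookbackDays days (signature status shown) =="
$cutoff = (Get-Date).AddDays(-$LookbackDays)
foreach ($dir in $DllDirs) {
    Get-ChildItem -Path $dir -Filter '*.dll' -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff } |
        ForEach-Object {
            # Creation time is the primary filter. Signature status is only a
            # hint: catalog-signed OS files can report NotSigned on older
            # hosts, so a NotSigned result alone does not mean malware.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            '{0}  created={1:u}  size={2}  sig={3}' -f `
                $_.FullName, $_.CreationTime, $_.Length, $sig.Status
        }
}
```

Run it on both infected servers and on the clean Dell; any AT*.job or recently created DLL that appears only on the infected pair is the file to submit for analysis before the hourly re-creation is traced to its source.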