Conficker Returning on a Server

My gosh I thought we were years beyond this.  Here is the scenario.

I have a Small Business Server 2011 box, and my customer allowed another vendor to install a copy machine monitor on it.  I am not even sure how he managed to infect the box, but what's done is done.  I know this box needs to be completely reloaded, however that is not a possible option at this time.

Here is what I know and what I have done.

Have tried to install MS08-067 and 068 plus MS09-001.  I cannot get any version of the files to install.  They simply report that they are not applicable to my system.

The virus drops a task called AT1.job in the windows task folder.  The task is created every hour on the hour.

The MRT tool will remove it.

KidoKiller only detects the task that is created and will also remove it.

Malwarebytes would throw a notification up and block the attempt to create the task, but would also block other services so not a viable solution.  I would rather find the source anyway rather than block it.

A randomly named .dll file is placed in Windows/System.

It has propagated to another Server 2008 box on the network that is joined to the SBS domain.  A third server on the same network remains clean.  Both infected servers are HP ProLiant DL480.  I found one blurb on the net about a false positive being generated by HP Data Protection.  I do not believe that to be the case here.  Ironically, the server that remains clean is a Dell.

I have 18 workstations on the network.  11 running Windows 10, 6 running Windows 7, all 64 bit.  There is NO Windows XP or what I think could be vulnerable machines on this network.

All updates and patches have been applied to all servers and workstations.

445 is blocked at my firewall.

USB Autorun is disabled on all my builds by default.

I have a SonicWall, but am not seeing any traffic that would be cause for alarm.

The ONLY symptoms I see on the network are the task creation and an occasional unexplained reboot.  I found the issue looking for a cause for the restart.  (since managing the issue manually by running a daily removal, restarts have subsided)

I have run Conficker/Downadup Network scan tools and they come up empty.  Just to be sure, I have just built a 32 bit machine to run the same tools.

Kimputer (IT Manager) commented:
You keep using Windows software to detect and "remove" it. Most viruses are smart enough to let you think they're removed, and just come back the next hour or reboot. That's because the virus already has the upper hand and has more control over the system than the antivirus or other scanner does.
You need to shut down ALL servers and PCs, and scan them all at the same time, WITHOUT starting Windows (use a special antivirus boot CD or USB). The antivirus scanner has the upper hand now (it's the only running process, because the hidden virus only gets started with the Windows system), and will be able to remove the virus. Free versions are Avast (use the Rescuedisk feature, after it's already installed on a CLEAN PC), or download it from AVG (again, do this on a CLEAN PC).
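
A read-only sweep for the two indicators named in the question (the AT1.job file in the Tasks folder and a newly placed DLL), to record which machines show them and when; this is an added example, not part of the original posts. The host names, the look-back window and the inclusion of System32 are assumptions.

```powershell
# Added example: read-only inventory of the indicators described in the question.
# Run from a machine with administrative rights to the targets.
param(
    # Placeholder host names (assumption): replace with the real server and workstation list.
    [string[]]$ComputerName = @('SERVER-A', 'SERVER-B'),
    # How far back to look for newly created DLLs (assumption).
    [int]$DaysBack = 7,
    # The question says "Windows/System"; System32 is included as an assumption.
    [string[]]$DllFolder = @('System', 'System32')
)

$since = (Get-Date).AddDays(-$DaysBack)

$findings = foreach ($computer in $ComputerName) {
    $root = "\\$computer\admin$"   # admin$ is the remote %SystemRoot%
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "${computer}: admin share not reachable, host skipped"
        continue
    }

    # Indicator 1: AT-created job files (AT1.job in the question) in the Tasks folder.
    Get-ChildItem -LiteralPath "$root\Tasks" -Filter 'At*.job' -Force -ErrorAction SilentlyContinue |
        Select-Object @{n='Computer';e={$computer}}, @{n='Indicator';e={'AT job'}},
            FullName, CreationTime, LastWriteTime, Attributes

    # Indicator 2: DLLs created inside the look-back window, hidden and system files included.
    foreach ($folder in $DllFolder) {
        Get-ChildItem -LiteralPath "$root\$folder" -Filter '*.dll' -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $since } |
            Select-Object @{n='Computer';e={$computer}}, @{n='Indicator';e={'Recent DLL'}},
                FullName, CreationTime, LastWriteTime, Attributes
    }
}

# File timestamps can be altered, so an empty result does not prove a host is clean.
$findings | Sort-Object Computer, CreationTime
```

The script only reads file metadata and changes nothing on the targets. Piping the output to `Export-Csv` after each run gives a record of which hosts the task file reappears on.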
