My gosh, I thought we were years beyond this. Here is the scenario.
I have a Small Business Server 2011 box, and my customer allowed another vendor to install a copy machine monitor on it. I am not even sure how he managed to infect the box, but what's done is done. I know this box needs to be completely reloaded; however, that is not a possible option at this time.
Here is what I know and what I have done.
Have tried to install MS08-067 and 068 plus MS09-001. I cannot get any version of the files to install. They simply report that they are not applicable to my system.
The virus drops a task called AT1.job in the Windows task folder. The task is created every hour on the hour.
The MRT tool will remove it.
KidoKiller only detects the task that is created and will also remove it.
Malwarebytes would throw up a notification and block the attempt to create the task, but it would also block other services, so it is not a viable solution. I would rather find the source anyway than block it.
A randomly named .dll file is placed in Windows/System.
It has propagated to another Server 2008 box on the network that is joined to the SBS domain. A third server, on the same network, remains clean. Both infected servers are HP ProLiant DL480. I found one blurb on the net about a false positive being generated by HP Data Protection. I do not believe that to be the case here. Ironically, the server that remains clean is a Dell.
I have 18 workstations on the network: 11 running Windows 10, 6 running Windows 7, all 64-bit. There is NO Windows XP, or any other machine I think could be vulnerable, on this network.
All updates and patches have been applied to all servers and workstations.
Port 445 is blocked at my firewall.
USB Autorun is disabled on all my builds by default.
I have a SonicWall, but I am not seeing any traffic that would be cause for alarm.
The ONLY symptoms I see on the network are the task creation and an occasional unexplained reboot. I found the issue while looking for the cause of the restarts. (Since managing the issue manually by running a daily removal, the restarts have subsided.)
I have run the Conficker/Downadup network scan tools and they come up empty. Just to be sure, I have also built a 32-bit machine to run the same tools.
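The following PowerShell triage script is an added example and is not part of the original post. It collects, on one of the affected hosts, the artifacts the post describes: the AT*.job files with their creation times (so the hourly pattern is on record), the scheduler's own view of the tasks, any recently written DLL under System32 that carries no valid Authenticode signature, and any service whose ServiceDll points at an unsigned file, which is how Conficker-family droppers hook themselves into svchost. It assumes an elevated prompt on the SBS 2011 / Server 2008 R2 box, Windows PowerShell 2.0 (the default on that OS, hence the .NET hashing call instead of Get-FileHash), and a 30-day "recent" window; all three are assumptions, not facts from the post.

```powershell
# Added triage example, not code from the original post.
# Assumptions: runs elevated on the affected Server 2008 R2 / SBS 2011 host,
# Windows PowerShell 2.0 or later, infection no older than $lookbackDays.
$lookbackDays = 30
$cutoff    = (Get-Date).AddDays(-$lookbackDays)
$tasksDir  = Join-Path $env:windir 'Tasks'
$system32  = Join-Path $env:windir 'System32'

# SHA-256 via .NET so the script works on PowerShell 2.0 (no Get-FileHash there).
function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
}

# Describe one file: size, timestamps, signature status, hash.
function Describe-File {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    New-Object PSObject -Property @{
        File      = $item.FullName
        Size      = $item.Length
        Created   = $item.CreationTime
        Written   = $item.LastWriteTime
        Signature = $sig.Status
        SHA256    = Get-Sha256 -Path $item.FullName
    }
}

Write-Host "== 1. Legacy AT-style jobs in $tasksDir (creation time shows the hourly cadence) =="
Get-ChildItem -Path $tasksDir -Filter 'AT*.job' -ErrorAction SilentlyContinue |
    Sort-Object CreationTime |
    Select-Object Name, CreationTime, LastWriteTime, Length |
    Format-Table -AutoSize

Write-Host "== 2. Scheduler view (a .job file can be gone while the task definition remains) =="
schtasks.exe /Query /FO LIST /V |
    Select-String -Pattern '^(TaskName|Task To Run|Run As User|Next Run Time|Author):'

Write-Host "== 3. DLLs under System32 written since $cutoff without a valid signature =="
Get-ChildItem -Path $system32 -Filter '*.dll' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    ForEach-Object {
        $d = Describe-File -Path $_.FullName
        if ($d.Signature -ne 'Valid') { $d }
    } |
    Select-Object File, Written, Size, Signature, SHA256 |
    Format-Table -AutoSize

Write-Host "== 4. Services whose ServiceDll is an unsigned file (svchost-hosted droppers) =="
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $svcName = $_.PSChildName
        $params  = Get-ItemProperty -Path "$($_.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue
        if ($params -and $params.ServiceDll) {
            $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
            if (Test-Path -LiteralPath $dll) {
                $d = Describe-File -Path $dll
                if ($d.Signature -ne 'Valid') {
                    New-Object PSObject -Property @{
                        Service = $svcName; ServiceDll = $d.File
                        Signature = $d.Signature; SHA256 = $d.SHA256; Written = $d.Written
                    }
                }
            }
        }
    } |
    Select-Object Service, ServiceDll, Signature, Written, SHA256 |
    Format-Table -AutoSize
```

Run it on both HP boxes and on the clean Dell; the hashes from sections 3 and 4 are what to submit to a scanner or compare across hosts, and a service from section 4 whose DLL name matches the random DLL from section 3 is the persistence mechanism the hourly AT job is re-creating rather than the job itself. Check the ServiceDll hit against the file's creation time before acting on it: legitimate third-party agents (the copier monitor included) can also be unsigned, so the signature check narrows the list but does not by itself convict a file.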