Windows Server 2000/2003 Thread, AT1.job Scheduled task, in Technical
  1. #1

    AT1.job Scheduled task

    Hi there, I was wondering if anyone could help me.

    We had the Conficker virus when our anti-virus went down for the day. We managed to remove it but now we're having random tasks being created in Scheduled Tasks. We get tasks named AT1 - AT10 that are randomly generated; if we delete them they will be back in a couple of hours.

    I had a look at what the tasks do and they're trying to start rundll32.dll but with a mix of characters at the end such as..

    rundll32.dll edfeee,fdsa

    Any help would be appreciated

    Cheers

    AT1.job AT10.job create automatically scheduled task [Merged] - Kaspersky Lab Forum

  2. #2

    Geoff
    The machines doing this are still infected.

  3. #3

    It's only our admin server that's doing it. We've run the Conficker removal tool, Sophos, Stinger, and the Windows Conficker tool but they're all showing up clean. I tried the KK removal tool just in case it was the Kido virus; it removes the tasks but only for them to come back in a few hours.

  4. #4

    Bump . Any ideas?

  5. #5
    DAZZD88
    You're definitely still Confickered at the moment mate. We're battling Conficker at our place as I type. We're doing it without shutting the network down too... been going about a month, maybe longer.


    Anyway, my advice is to shut down the server and boot it in safe mode > Sophos Conficker removal tool > Reboot into Windows (normal) > Check services and scheduled tasks > Check the Sophos conficker tool log (in the %temp% directory of the user you ran it as) and see what it did > If it couldn't remove the files etc... do it manually and then run the tool again.

  6. #6

    We have also been infected with this recently.
    Can anyone explain to me why, if your machine has been cleaned, patched, Sophos fully up to date (on-access scanner is active for files on read+write), machines are still being infected?
    Surely if you disconnect a machine, clean it up, patch it, enable Sophos and reconnect, this machine should not be reinfected?
    Maybe my clean-up tools are lying to me?

  7. #7
    DAZZD88
    I'm assuming you're on about the patch for the vulnerability mentioned in MS08-067?

    We found that even with patching the virus returns. We don't believe it stops all variants of Conficker but simply removes a mechanism of infection. We have recently locked down all of the firewalls on our workstations to only allow the ports and programs we specify and it seems to have stopped (or slowed to a virtual stop) the spread of the virus through file shares.

    We keep finding machines with partial infections but usually only ones that haven't been fully cleaned and this is simply because our Enterprise Console is acting up (server needs a rebuild).


    If your machines have an inactive on-access scanner, try re-protecting the machine and it may well fail, most likely due to the Computer Browser service not running. For this to run you must have the firewall service running. There are also other services that Conficker stops running such as BITS, error reporting, BIT defender and Automatic Updates (there are more I think but I'm not sure).

    Anyways, to get your machines protected again check the above services, make sure there are TCP ports open in your firewall for Sophos (8192, 8193 and 8194) and the Enterprise Console should squirt Sophos straight onto the machine. Failing that try installing it manually from the CID (central installation directory) on your Sophos server.


    If all that fails then to Google you must go.


    Hope that helps.

  8. #8

    I thought about firewalling the PCs, but wasn't sure what ports should be left open to allow normal operation and block the spread of the virus.

    I use this script currently on startup to help clean PCs + fix broken services - hope it's of some use to others

    Code:
    set server=YOURSERVER
    set share=YOURSHARE
    
    rem Stop the Computer Browser and Server services so the PC can't be reinfected over file sharing while Sophos is off
    sc config browser start= disabled
    net stop browser /y
    sc config lanmanserver start= disabled
    net stop lanmanserver /y
    
    rem Reset the service permissions on BITS and Automatic Updates so they can be configured and started again
    sc sdset bits "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
    sc sdset wuauserv "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
    
    rem Check essential services are set correctly and running
    sc config wuauserv start= auto
    net start "automatic updates"
    sc config bits start= demand
    sc config dhcp start= auto
    net start "dhcp client"
    sc config dnscache start= auto
    net start "dns client"
    sc config eventlog start= auto
    net start "event log"
    sc config audiosrv start= auto
    net start "windows audio"
    sc config w32time start= auto
    net start "windows time"
    sc config lanmanworkstation start= auto
    net start "workstation"
    sc config wscsvc start= auto
    net start wscsvc
    sc config ERSvc start= auto
    net start ERSvc
    
    rem Delete all AT jobs while the Schedule service is still running (AT needs it),
    rem then disable Task Scheduler and remove any leftover job files while we clean up
    AT /Delete /Yes
    sc config schedule start= disabled
    net stop "task scheduler"
    del /q "%windir%\Tasks\AT*.job"
    
    rem Disable AutoPlay on all drive types (the value name is NoDriveTypeAutoRun)
    reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
    
    rem Turn off Sophos on-access scanning so it will let us remove the virus via Symantec's scanner
    sc config savservice start= disabled
    net stop savservice
    
    rem Scan/patch PC for cleanup
    rem KB patch for MS08-067 (installer renamed)
    \\%SERVER%\%SHARE%\con-patch-xp.exe /quiet /norestart
    
    rem MS Malicious Software Removal Tool (quiet/silent mode)
    \\%SERVER%\%SHARE%\mrt-june09.exe /q
    
    rem Symantec Conficker scanner
    \\%SERVER%\%SHARE%\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
    
    rem Turn Sophos back on, re-enable the Browser and Server services, enable Task Scheduler
    sc config savservice start= auto
    net start savservice
    sc config browser start= auto
    net start browser
    sc config lanmanserver start= auto
    net start lanmanserver
    sc config schedule start= auto
    net start schedule
    You can check if Sophos is installed with this too and make it install if you're having problems with your Enterprise Console.
    Code:
    @ECHO OFF
    REM --- Check for an existing installation of Sophos AutoUpdate
    if exist "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" goto _End
    REM --- Deploy to Windows 2000/XP/2003 (the -updp path must point at the same share as Setup.exe;
    REM --- the credentials are stored in clear text here, so use a dedicated least-privilege account)
    \\sophosserver\InterChk\ESXP\Setup.exe -updp "\\sophosserver\InterChk\ESXP" -user "yourdomain\administrator" -pwd "your password" -mng yes
    REM --- End of the script
    :_End
    After this you can do a full Sophos scan to try and catch anything that's missed. This combination has helped me clean things up, but I'm still getting some reinfections.

    You can also roll these scripts out using psexec remotely - however this doesn't always work as some PCs become unreachable over the network, probably due to service termination - mstsc into these machines to install manually.

  9. #9
    DAZZD88
    If you firewall the machines using Windows Firewall and Group Policy it's a piece of cake to add the exceptions into the firewall. See attached pics for enlightenment.

    When adding program exceptions use the %programfiles% variable.

    Depending on how your GPO refresh interval is set then you should have it filtered through to all machines within a couple of hours at most.

  10. #10

    Hi Frazer,

    re: "Can anyone explain to me why, if your machine has been cleaned, patched, Sophos fully up to date (on-access scanner is active for files on read+write), machines are still being infected?"

    Conficker has three ways to get on a machine:
    1) vulnerability
    2) File sharing
    3) USB

    If you have patched, you have stopped no. 1.

    Even with an anti-virus enabled, it can still use no. 1. It needs admin access as it uses C$/admin$ to connect to the machine. An infected machine will try and guess admin passwords, or use the logged-on account. If it has the rights, it will drop the DLL (odd extension) in System32.

    With the AV enabled, it will stop it loading, so the machine won't actually be infected; it will have a malicious file on it and a scheduled task attempting to load it. This is why Task Scheduler should be disabled so it cannot attempt to load.

    The best way to stop it is blocking file sharing access between clients - this stops them being reinfected.

    Or, setup Wireshark (or SMB file sniffer) on a machine that keeps getting the file dropped - this way, you can find out which machine is dropping it. Usually you will find a weak point where a machine has no AV etc.

    Hope that helps.

    Rockin.
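A triage check for the symptom Rockin describes (an AT job whose rundll32 command points at an odd-extension file), added here as an example and not code from the thread or from any of the tools named in it. It assumes the tasks were exported with `schtasks /query /fo csv /v` and that the CSV carries the XP/2003 column names `TaskName` and `Task To Run`; the sample rows are constructed (the AT1 command copies the one quoted in the first post), and the check also rates a rundll32 task that is not AT-named, which goes slightly beyond the thread.

```python
import csv
import io
import re

# Constructed sample of `schtasks /query /fo csv /v` output (column names assumed
# to match Windows XP/2003; the AT1 command copies the one quoted in the thread).
SAMPLE_CSV = (
    '"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time",'
    '"Last Result","Author","Task To Run"\n'
    '"ADMINSRV","AT1","14:00:00, 01/07/2009","","Background only","N/A","0","SYSTEM",'
    '"rundll32.dll edfeee,fdsa"\n'
    '"ADMINSRV","AT2","15:00:00, 01/07/2009","","Background only","N/A","0","SYSTEM",'
    '"rundll32.exe C:\\WINDOWS\\system32\\qpwoei.ndk,abcd"\n'
    '"ADMINSRV","AT3","16:00:00, 01/07/2009","","Background only","N/A","0","SYSTEM",'
    '"rundll32.exe shell32.dll,Control_RunDLL"\n'
    '"ADMINSRV","Nightly Backup","02:00:00, 02/07/2009","","Interactive","N/A","0",'
    '"DOMAIN\\admin","C:\\scripts\\backup.cmd"\n'
)

AT_NAME = re.compile(r"^AT\d+$", re.IGNORECASE)  # jobs created with AT.exe
# rundll32 plus the module it loads: the first argument, up to a comma or whitespace
RUNDLL = re.compile(r'rundll32(?:\.\w+)?\s+"?(?P<module>[^,"\s]+)', re.IGNORECASE)

def classify_task(name: str, command: str) -> str:
    """'likely' = AT job whose rundll32 command loads a module with no .dll extension,
    'review' = only one of those two signs is present, 'ok' = neither."""
    at_job = bool(AT_NAME.match(name.strip()))
    m = RUNDLL.search(command)
    odd_module = m is not None and not m.group("module").lower().endswith(".dll")
    if at_job and odd_module:
        return "likely"
    if at_job or odd_module:
        return "review"
    return "ok"

def triage_schtasks_csv(csv_text: str) -> list:
    """Return (task name, verdict, command) for each task that is not 'ok', so the
    module it points at can be checked in System32 before the task is deleted."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = classify_task(row["TaskName"], row["Task To Run"])
        if verdict != "ok":
            findings.append((row["TaskName"], verdict, row["Task To Run"]))
    return findings

if __name__ == "__main__":
    for name, verdict, cmd in triage_schtasks_csv(SAMPLE_CSV):
        print(f"{verdict:7} {name:16} {cmd}")
```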

  11. #11

    Hi all. I am sertunc. I have a problem with this Conficker. Does anybody know how I can fix this problem?

  12. #12
    DAZZD88
    I think Rockin has summed things up quite nicely in terms of actions you should take. You do need to remember to alter the permissions on the scheduled tasks folder to stop the virus creating tasks to reinfect the machine. To do this you can remove all permissions except (I think) admins, system and Sophos. This should stop tasks being recreated.

  13. #13
    doddsworthy
    What other steps have you taken to stop this Conficker? We have tried Windows updates, Windows Defender, deleting scheduled tasks, everything, but seem to be infected again.

  14. #14

    We currently have Conficker floating about somewhere, not sure where. We followed this:

    Sophos Anti-Virus for Windows 2000+: removing W32/Confick and Mal/Conficker

    In my experience you have to be slow and methodical to remove it. We are just left to find which wireless device has it on.

  15. #15

    Hey guys, we deleted this virus. I used Trend Micro Sysclean pattern no. 439. Now our system is clean.
