24th June 2009, 02:44 PM #1
AT1.job Scheduled task
Hi there, I was wondering if anyone could help me.
We had the Conficker virus when our anti-virus went down for the day. We managed to remove it but now we're having random tasks being created in Scheduled Tasks. We get tasks named AT1 - AT10 that are randomly generated; if we delete them they will be back in a couple of hours.
I had a look at what the tasks do and they're trying to start rundll32.dll but with a mix of characters at the end such as...
Any help would be appreciated.
AT1.job AT10.job create automatically scheduled task [Merged] - Kaspersky Lab Forum
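Added example (not from this thread or from any of the tools mentioned in it): a small Python script that reads the CSV produced by `schtasks /query /fo CSV /v` and flags AT jobs of the kind described above, i.e. an `AT<n>` task whose command is rundll32 loading a file from System32 that does not have a normal DLL extension. The header row is looked up by column name, so only the "TaskName" and "Task To Run" columns need to be present. The rows in `SAMPLE_CSV` are constructed for this example (a subset of the real columns, with a made-up file name), not output from an infected machine.

```python
"""Flag scheduled tasks that look like Conficker's AT<n> rundll32 loaders.

Added example, not from the forum thread.  Input is the CSV that
`schtasks /query /fo CSV /v` writes; columns are found by header name.
SAMPLE_CSV is constructed for this example.
"""
import csv
import io
import ntpath
import re

# Task names like "AT1" or "\AT10" (newer schtasks versions prefix a backslash).
AT_NAME = re.compile(r"^\\?AT\d+$", re.IGNORECASE)
# rundll32[.exe] ["]<path>[",entrypoint]  -> capture the path argument
RUNDLL_CALL = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\",]+)", re.IGNORECASE)
# Extensions rundll32 would normally be asked to load.
BENIGN_EXT = {".dll", ".cpl"}

# Constructed sample: subset of `schtasks /query /fo CSV /v` columns.
SAMPLE_CSV = """"HostName","TaskName","Next Run Time","Status","Task To Run","Run As User"
"ADMINSRV","AT1","10:00:00, 24/06/2009","","rundll32.exe C:\\WINDOWS\\system32\\kqzxwdf.ujv,ywhxqs","SYSTEM"
"ADMINSRV","AT2","11:00:00, 24/06/2009","","rundll32.exe C:\\WINDOWS\\system32\\kqzxwdf.ujv,ywhxqs","SYSTEM"
"ADMINSRV","Backup","02:00:00, 25/06/2009","","C:\\Scripts\\backup.cmd","DOMAIN\\backup"
"ADMINSRV","AT3","12:00:00, 24/06/2009","","C:\\Scripts\\defrag.cmd","SYSTEM"
"""


def suspicious_reason(task_name, task_to_run):
    """Return a short reason if the task looks like a Conficker loader, else None."""
    if not AT_NAME.match(task_name.strip()):
        return None  # not an AT job; out of scope for this check
    match = RUNDLL_CALL.search(task_to_run)
    if not match:
        return None  # AT job that is not a rundll32 call; leave for manual review
    target = match.group(1).strip()
    ext = ntpath.splitext(target)[1].lower()
    if "\\system32\\" in target.lower() and ext not in BENIGN_EXT:
        return "AT job loads a non-DLL file from System32 via rundll32"
    return "AT job runs rundll32 (review the target)"


def scan_schtasks_csv(text):
    """Parse schtasks CSV text; return [(task_name, task_to_run, reason), ...]."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        name = row.get("TaskName", "")
        cmd = row.get("Task To Run", "")
        reason = suspicious_reason(name, cmd)
        if reason:
            hits.append((name, cmd, reason))
    return hits


if __name__ == "__main__":
    # On a real box: schtasks /query /fo CSV /v > tasks.csv, then feed that file in.
    for name, cmd, reason in scan_schtasks_csv(SAMPLE_CSV):
        print(f"{name:8} {reason}\n         {cmd}")
```

On the sample data only AT1 and AT2 are reported; the legitimate Backup task and the AT3 job that runs a plain script are left alone. The check deliberately keys on the file extension rather than the random name, because the name changes between infections while the "rundll32 against something in System32 that is not a .dll" pattern does not.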
24th June 2009, 02:45 PM #2
The machines doing this are still infected.
24th June 2009, 02:50 PM #3
It's only our admin server that's doing it. We've run the Conficker removal tool, Sophos, Stinger, and the Windows Conficker tool but they're all showing up clean. I tried the KK removal tool just in case it was the Kido virus; it removes the tasks but only for them to come back in a few hours.
25th June 2009, 09:30 AM #4
Bump. Any ideas?
26th June 2009, 10:34 AM #5
You're definitely still Confickered at the moment mate. We're battling Conficker at our place as I type. We're doing it without shutting the network down too... been going about a month, maybe longer.
Anyway, my advice is to shut down the server and boot it in safe mode > Sophos Conficker removal tool > Reboot into Windows (normal) > Check services and scheduled tasks > Check the Sophos conficker tool log (in the %temp% directory of the user you ran it as) and see what it did > If it couldn't remove the files etc... do it manually and then run the tool again.
7th July 2009, 10:28 AM #6
We have also been infected with this recently.
Can anyone explain to me why, if your machine has been cleaned, patched, Sophos fully up to date (on-access scanner is active for files on read+write), machines are still being infected?
Surely if you disconnect a machine, clean it up, patch it, enable sophos, reconnect this machine should not be reinfected?
Maybe my clean up tools are lying to me?
7th July 2009, 10:56 AM #7
I'm assuming you're on about the patch for the vulnerability mentioned in MS08-067?
We found that even with patching the virus returns. We don't believe it stops all variants of Conficker but simply removes a mechanism of infection. We have recently locked down all of the firewalls on our workstations to only allow the ports and programs we specify and it seems to have stopped (or slowed to a virtual stop) the spread of the virus through file shares.
We keep finding machines with partial infections but usually only ones that haven't been fully cleaned and this is simply because our Enterprise Console is acting up (server needs a rebuild).
If your machines have an inactive on-access scanner, try re-protecting the machine; it may well fail, most likely due to the Computer Browser service not running. For this to run you must have the firewall service running. There are also other services that Conficker stops running such as BITS, Error Reporting, BIT defender and Automatic Updates (there are more I think but I'm not sure).
Anyways, to get your machines protected again, check the above services, make sure there are TCP ports open in your firewall for Sophos (8192, 8193 and 8194) and the Enterprise Console should squirt Sophos straight onto the machine. Failing that, try installing it manually from the CID (central installation directory) on your Sophos server.
If all that fails then to Google you must go.
Hope that helps.
7th July 2009, 12:39 PM #8
I thought about firewalling the PCs, but wasn't sure what ports should be left open to allow normal operation and block the spread of the virus.
I use this script currently on startup to help clean PCs + fix broken services - hope it's of some use to others.
You can check if Sophos is installed with this too and make it install if you're having problems with your Enterprise Console.
rem Stop the Computer Browser and Server services so the box cannot be reinfected over file shares while Sophos is turned off
sc config browser start= disabled
net stop browser /y
sc config lanmanserver start= disabled
net stop lanmanserver /y
rem Fix Windows Update services (Conficker rewrites the service security descriptors; restore the defaults)
sc sdset bits "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
sc sdset wuauserv "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
rem Check essential services are set correctly and running
sc config wuauserv start= auto
net start "automatic updates"
sc config bits start= demand
sc config dhcp start= auto
net start "dhcp client"
sc config dnscache start= auto
net start "dns client"
sc config eventlog start= auto
net start "event log"
sc config audiosrv start= auto
net start "windows audio"
sc config w32time start= auto
net start "windows time"
sc config lanmanworkstation start= auto
net start "workstation"
sc config wscsvc start= auto
net start wscsvc
sc config ERSvc start= auto
net start ERSvc
rem Disable Task Scheduler while we clean up, then delete every AT job
sc config schedule start= disabled
net stop "task scheduler"
AT /Delete /Yes
rem Disable AutoPlay for all drive types (value name is NoDriveTypeAutoRun)
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
rem Turn off Sophos on-access scanning so it will let us remove the virus via Symantec's scanner
sc config savservice start= disabled
net stop savservice
rem Scan/patch PC for cleanup (MS08-067 patch, quiet, no reboot)
\\%SERVER%\%SHARE%\con-patch-xp.exe /quiet /norestart
rem MS Malicious Software Removal Tool (quiet/silent mode)
rem Symantec Conficker scanner, logging to a per-machine file on C:
\\%SERVER%\%SHARE%\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
rem Turn Sophos back on, re-enable the Browser and Server services, and re-enable Task Scheduler
sc config savservice start= auto
net start savservice
sc config browser start= auto
net start browser
sc config lanmanserver start= auto
net start lanmanserver
sc config schedule start= auto
net start schedule
After this you can do a full Sophos scan to try and catch anything that's missed. This combination has helped me clean things up, but I'm still getting some reinfections.
REM --- Check for an existing installation of Sophos AutoUpdate; skip the install if it is already there
if exist "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" goto _End
REM --- Deploy to Windows 2000/XP/2003 from the CID share (fill in your own server, domain account and password)
\\sophosserver\InterChk\ESXP\Setup.exe -updp "\\sophosserver\InterChk\ESXP" -user "yourdomain\administrator" -pwd "your password" -mng yes
:_End
REM --- End of the script
You can also roll these scripts out using psexec remotely - however this doesn't always work as some PCs become unreachable over the network, probably due to service termination - mstsc into these machines to install manually.
7th July 2009, 12:58 PM #9
If you firewall the machines using Windows Firewall and Group Policy it's a piece of cake to add the exceptions into the firewall. See attached pics for enlightenment.
When adding program exceptions use the %programfiles% variable.
Depending on how your GPO refresh interval is set then you should have it filtered through to all machines within a couple of hours at most.
19th July 2009, 02:43 PM #10
re: "Can anyone explain to me why, if your machine has been cleaned, patched, Sophos fully up to date (on-access scanner is active for files on read+write), machines are still being infected?"
Conficker has three ways to get on a machine
2) File sharing
If you have patched, you have stopped no 1.
Even with an anti-virus enabled, it can still use no 1. It needs admin access as it uses C$/admin$ to connect to the machine. An infected machine will try and guess admin passwords, or use the logged on account. If it has the rights, it will drop the DLL (odd extension) in System32.
With the AV enabled, it will stop it loading, so the machine won't actually be infected; it will have a malicious file on it and a scheduled task attempting to load it. This is why Task Scheduler should be disabled so it cannot attempt to load.
The best way to stop it is blocking file sharing access between clients - this stops them being reinfected.
Or, setup Wireshark (or SMB file sniffer) on a machine that keeps getting the file dropped - this way, you can find out which machine is dropping it. Usually you will find a weak point where a machine has no AV etc.
Hope that helps.
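Added example (not from this thread): the post above suggests sniffing SMB on the machine that keeps receiving the file to find out which host is dropping it. The Python below does the summarising step once a capture has been exported to a tab-separated text file with a source IP, an SMB command and a file name column, for instance with `tshark -r drop.pcap -Y smb -T fields -e frame.time -e ip.src -e ip.dst -e smb.cmd -e smb.file` (the field names and the textual command names in the sample are assumptions about the export, not something the post states). It counts, per source host, create/write operations into System32 for files that are not normal DLLs, which is the drop pattern the post describes. `SAMPLE_EXPORT` is constructed for this example.

```python
"""Rank SMB client hosts by suspicious writes into System32 on the sniffed machine.

Added example, not from the forum thread.  Input: a tab-separated export
of an SMB capture with columns time, ip.src, ip.dst, cmd, file
(column names and command spellings are assumptions about the export).
SAMPLE_EXPORT is constructed for this example.
"""
import collections
import csv
import io
import ntpath

# SMB1 operations that create or write a file (as named in the constructed export).
WRITE_CMDS = {"nt create andx", "write andx", "write"}
BENIGN_EXT = {".dll", ".cpl"}

# Constructed sample export: one host (10.1.2.15) drops an odd-extension
# file into system32 twice an hour; another host does ordinary share work.
SAMPLE_EXPORT = """time\tip.src\tip.dst\tcmd\tfile
10:01:02\t10.1.2.15\t10.1.2.40\tTree Connect AndX\t\\\\10.1.2.40\\ADMIN$
10:01:02\t10.1.2.15\t10.1.2.40\tNT Create AndX\t\\system32\\kqzxwdf.ujv
10:01:03\t10.1.2.15\t10.1.2.40\tWrite AndX\t\\system32\\kqzxwdf.ujv
10:05:44\t10.1.2.7\t10.1.2.40\tNT Create AndX\t\\Reports\\q2.xls
10:05:45\t10.1.2.7\t10.1.2.40\tWrite AndX\t\\Reports\\q2.xls
11:01:02\t10.1.2.15\t10.1.2.40\tNT Create AndX\t\\system32\\kqzxwdf.ujv
11:01:03\t10.1.2.15\t10.1.2.40\tWrite AndX\t\\system32\\kqzxwdf.ujv
"""


def is_suspicious_drop(cmd, path):
    """True for a create/write of a non-DLL file under a system32 directory."""
    if cmd.strip().lower() not in WRITE_CMDS:
        return False
    lowered = path.lower()
    if "\\system32\\" not in lowered:
        return False
    return ntpath.splitext(lowered)[1] not in BENIGN_EXT


def find_droppers(export_text):
    """Return [(src_ip, drop_count, [dropped paths...]), ...], busiest host first."""
    counts = collections.Counter()
    files = collections.defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text), delimiter="\t"):
        if is_suspicious_drop(row["cmd"], row["file"]):
            src = row["ip.src"]
            counts[src] += 1
            files[src].add(row["file"])
    return [(src, n, sorted(files[src])) for src, n in counts.most_common()]


if __name__ == "__main__":
    # Real use: export the capture taken on the machine that keeps getting the file,
    # then feed the text file in instead of SAMPLE_EXPORT.
    for src, n, paths in find_droppers(SAMPLE_EXPORT):
        print(f"{src:15} {n:3} suspicious writes: {', '.join(paths)}")
```

The host at the top of the list is the one to isolate and clean; on the sample data that is 10.1.2.15 with four operations against the same odd-extension file, while the host writing spreadsheets to a normal share is not reported at all.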
12th September 2009, 12:42 PM #11
Hi, I am sertunc. I have a problem with this Conficker. Anybody know how I can fix this problem?
14th September 2009, 09:25 AM #12
I think Rockin has summed things up quite nicely in terms of actions you should take. You do need to remember to alter the permissions on the scheduled tasks folder to stop the virus creating tasks to reinfect the machine. To do this you can remove all permissions except (I think) admins, system and Sophos. This should stop tasks being recreated.
7th October 2009, 03:59 PM #13
What other steps have you taken to stop this Conficker? Because we have tried Windows updates, Windows Defender, deleting scheduled tasks, everything, but we seem to be infected again.
7th October 2009, 04:28 PM #14
We currently have Conficker floating about somewhere not sure where. We followed this
Sophos Anti-Virus for Windows 2000+: removing W32/Confick and Mal/Conficker
In my experience you have to be slow and methodical to remove it. We are just left to find which wireless device has it on.