AT1.job Scheduled task

[Haux]

Hi there, I was wondering if anyone could help me.

We had the Conficker virus when our anti-virus went down for the day. We managed to remove it but now we're having random task's being created in Scheduled tasks. We get task's named AT1 - AT10 that are randomly generated, if we delete them they will be back in a couple of hours.

I had a look at what the task's do and there trying to start rundll32.dll but with a mix of characters at the end such as..

rundll32.dll edfeee,fdsa

Any help would be appreicated

Cheers

AT1.job AT10.job create automatically scheduled task [Merged] - Kaspersky Lab Forum

[Geoff]

The machines doing this are still infected.

[Haux]

It's only our admin server thats doing it. We've run the Conficker removal tool, Sophos, Stinger, and Windows Coficker tool but there all showing up clean. I tried the KK removal tool just encase it was the Kido virus, it removes the Task's but only for them to come back in a few hours.

[Haux]

Bump . Any ideas?

[DAZZD88]

You're definitely still Confickered at the moment mate. We're battling Conficker at our place as I type. We're doing it without shutting the network down too....been going about a month maybe longer.


Anyway, my advice is to shut down the server and boot it in safe mode > Sophos Conficker removal tool > Reboot into Windows (normal) > Check services and scheduled tasks > Check the Sophos conficker tool log (in the %temp% directory of the user you ran it as) and see what it did > If it couldn't remove the files etc... do it manually and then run the tool again.

[Frazer]

We have also been infected with this recently.
Can anyone explain to me why, if your machine has been cleaned, patched, sophos fully up to date (on-active scanner is active for files on read+write) are machines still being infected?
Surely if you disconnect a machine, clean it up, patch it, enable sophos, reconnect this machine should not be reinfected?
Maybe my clean up tools are lying to me?

[DAZZD88]

I'm assuming your on about the patch for the vulnerability mentioned in MS08-067?

We found that even with patching the virus returns. We don't believe it stops all variants of Conficker but simply removes a mechanism of infection. We have recently locked down all of the firewalls on our workstations to only allow the ports and programs we specify and it seems to have stopped (or slowed to a virtual stop) the spread of the virus through file shares.

We keep finding machines with partial infections but usually only ones that haven't been fully cleaned and this is simply because our Enterprise Console is acting up (server needs a rebuild).


If your machines have an inactive on-access scanner try re-protecting the machine and it may well fail, most likely due to the computer browser services not running. For this to run you must have the firewall service running. There are also other services that Conficker stops running such as BITS, error reporting, BIT defender and Automatic Updates (there are more I think but I'm not sure).

Anyways, to get your machines protected again check the above services, make sure there are TCP ports open in your firewall for Sophos (8192, 8193 and 8194) and the Enterprise Console should squirt Sophos straight onto the machine. Failing that try installing it manually from the CID (central installation directory) on your Sophos server.


If all that fails then to Google you must go.


Hope that helps.

[Frazer]

I thought about firewalling the pcs, but wasnt sure what ports should be left open to allow normal operation and block the spread of the virus.

I use this script currently on startup to help clean pcs + fix broken services - hope its of some use to others

Code:

set server=YOURSERVER
set share=YOURSHARE

rem Stop Server service so that infection doesnt happen while we turn off sophos
sc config browser start= disabled
net stop browser /y
sc config lanmanserver start= disabled
net stop lanmanserver /y

rem Fix Windows update services
sc sdset bits "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
sc sdset wuauserv "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"

rem Check Essential Services are set correctly and running
sc config wuauserv start= auto
net start "automatic updates"
sc config bits start= demand
sc config dhcp start= auto
net start "dhcp client"
sc config dnscache start= auto
net start "dns client"
sc config eventlog start= auto
net start "event log"
sc config audiosrv start= auto
net start "windows audio"
sc config w32time start= auto
net start "windows time"
sc config lanmanworkstation start= auto
net start "workstation"
sc config wscsvc start= auto
net start wscsvc
sc config ERSvc start= auto
net start ERSvc

rem disable task scheduler while we clean up
sc config schedule start= disabled
net stop "task scheduler"
AT /Delete /Yes

rem Disabling "AutoPlay"
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAuto /t REG_DWORD /d 0xff /f

rem Turn off sophos on-access scanning so it will let us remove the virus via symantecs scanner
sc config savservice start= disabled
net stop savservice

rem Scan/patch PC for cleanup
rem KB
\\%SERVER%\%SHARE%\con-patch-xp.exe /quiet /norestart

rem MS malicious software removal tool (quite/silent mode)
\\%SERVER%\%SHARE%\mrt-june09.exe /q

rem Symantec conficker scanner
\\%SERVER%\%SHARE%\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt


rem Turn on Sohpos, renable Server service, enable task scheduler
sc config savservice start= auto
net start savservice
sc config browser start= auto
net start browser
sc config lanmanserver start= auto
net start lanmanserver
sc config schedule start= auto
net start schedule

You can check if sophos is installed with this too and make it install if your having problems with your enterprise console.

Code:

@ECHO OFF
REM --- Check for an existing installation of Sophos AutoUpdate
if exist "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" goto _End
REM --- Deploy to Windows 2000/XP/2003
\\sophosserver\InterChk\ESXP\Setup.exe -updp "\\sohposserver\InterChk\ESXP" -user "yourdomain\administrator" -pwd "your password" -mng yes
REM --- End of the script
:_End

After this you can do a full sophos scan to try and catch anything thats missed. This combination has helped me clean things up, but im still getting some reinfections.

You can also roll these scripts out using psexec remotely - however this dosent always work as some pcs become unreachable over the network, probably due to service termination - mstsc into this machines to install manually.

[DAZZD88]

If you firewall the machines using Windows Firewall and Group Policy it's a piece of cake to add the exceptions into the firewall. See attached pics for enlightenment.

When adding program exceptions use the %programfiles% variable.

Depending on how your GPO refresh interval is set then you should have it filtered through to all machines within a couple of hours at most.

[rockin]

Hi Frazer,

re: "Can anyone explain to me why, if your machine has been cleaned, patched, sophos fully up to date (on-active scanner is active for files on read+write) are machines still being infected?"

Conficker has three ways to get on a machine
1) vulnerability
2) File sharing
3) USB

If you have patched, you have stopped no 1.

Even with an anti-virus enabled, it can still use no 1. It needs admin access as it uses C$/admin$ to connect to machine. An infected machine will try and guess admin passwords, or use the logged on account. If it has the rights, it will drop the DLL (odd extension) in System32.

With the AV enabled, it will stop it loading so wont actually be infected, it will have a malicious file on it and a scheduled task attempting to load it. This is why Task Scheduler should be disabled so it cannot attempt to load.

The best way to stop it is blocking file sharing access between clients - this stops them being reinfected.

Or, setup Wireshark (or SMB file sniffer) on a machine that keeps getting the file dropped - this way, you can find out which machine is dropping it. Usually you will find a weak point where a machine has no AV etc.

Hope that helps.

Rockin.

[sertunc]

Hi mans.I am sertunc.I have a problem thıs confıcker . Anybody know how can ı fix thıs problem

[DAZZD88]

I think Rockin has summed things up quite nicely in terms of actions you should take. You do need to remember to alter the permissions on the scheduled tasks folder to stop the virus creating tasks to reinfect the machine. To fo this you can remove all permissions except (I think) admins, system and sophos. This should stop tasks being recreated.

[doddsworthy]

what other steps have you taken to stop this conficker because we have tried. windows updates, Windows Defender. Deleting scheduled tasks everything but seem to be infected again

[notalot]

We currently have Conficker floating about somewhere not sure where. We followed this

Sophos Anti-Virus for Windows 2000+: removing W32/Confick and Mal/Conficker

In my experience you have to be slow and methodical to remove it. We are just left to find which wireless device has it on.

[sertunc]

Hey gays we deleted thıs virus ı ı used trendt mıcro sys-clean pattenrn no:439.now our system clean