Conficker uses scheduled tasks to run periodically looking for new infectable computers.
A friend asked me to take a look at their laptop last night, which I haven't had the time to yet, but I'm positive this is the same thing they have. Thanks for pointing out the batch file on the root of C: Jason From: John Aldrich [mailto:[email protected]] Sent: Friday, December 04, 2009 8:39 AM To: NT System Admin Issues Subject: New virus trick I was at a seminar yesterday put on by Sunbelt and during a break I had a chance to talk to one of the presenters and told him of a recent malware incident I'd cleaned up. He'd never heard of such a trick before so I thought I'd bring it to y'all's attention so you can be on the lookout for it. Basically it was the same old malware that's been going around with the Antivirus Pro sort of stuff, but the twist was that even using Malware Bytes we were not able to get rid of it. After I was poking around a bit, (I don't recall why I was looking at the root of C:, but I was) I noticed a batch file in the root of the C: drive that, when I opened it and looked at it, it created a bunch of scheduled tasks to re-download the malware/adware. I wised up and deleted that file, then went into the Scheduled Tasks and deleted all the malware-created scheduled tasks. Then I was able to successfully clean the stuff out! What really got us was that Malware Bytes would clean it, then say it needed to reboot to finish, and then as soon as we came back, the fake antivirus was right back there. What I believe it was doing was re-downloading itself from the internet each time we cleaned it. So, anyway, if you guys ever have a problem like this, it wouldn't hurt to check the scheduled tasks! [cid:[email protected]][cid:[email protected]] ------------------------------------------------------------------------------------------ The pages accompanying this email transmission contain information from MJMC, Inc., which is confidential and/or privileged. The information is to be for the use of the individual or entity named on this cover sheet. If you are not the intended recipient, you are hereby notified that any disclosure, dissemination, distribution, or copying of this communication is strictly prohibited. If you received this transmission in error, please immediately notify us by telephone so that we can arrange for the retrieval of the original document. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
<<inline: image001.jpg>>
<<inline: image002.jpg>>
