According to our security developers, if your server is only running AtoM and you have removed the JndiLookup.class file as recommended on our wiki, then a security scan should not trigger a log4j vulnerability. Is it possible you have other applications that use Java (for example, logging / monitoring applications) installed on the server?
You could try doing a search across the server for other instances of that JndiLookup.class file. I'm not sure how other applications will handle having this file deleted, so if you find a second one from a different application install, I would suggest looking up the recommended mitigation instructions for that application and following those.
If that's not the case then a bit more information would be helpful - what scanning tool are you using, and what exactly is the error being returned? Did you follow our recommended installation instructions, or have you made any changes (and if so, what)? Anything else about this installation or server that you think would help us better understand the context of this issue? Thanks in advance!