trojan.zbot.gen4 virus

hi,  one of my clients have the virus where it copies the folders in a shared directory and renames them with teh .exe extensions.  and hides the actual folders.

Currently, a computer is infected (which we cleaned up via malwarebytes, combofix, etc).
but the server (windows 2003 standard R2) is also infected. Its a domain controller, and has folder redirection for the my documents folder.  

I've ran malwarebytes, and have found trojan.zbot.gen4.  removed traces, but after reboot, it comes back.    looking deeper---i see that certain files pop up momentarily (porn.exe, sexy.exe, autorun.ini, etc) in the admin user profile's (documents and settings\username).  so these files pop up for a bit, then go hidden, and then the exe's get created on shares.   also, MSCONFIG shows the nioul.exe in the startup.

I've contained it for now by running roguekiller and "Killing" the file(cant choose delete as it creates a copy of itself from somewhere else).  

since its a server, cant run combo fix.    any suggestions?
seven45Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David KrollCommented:
Did you remove nioul.exe from the startup?  In the admin user's profile directory, check for any files that are just a bunch of random numbers and/or letters and delete those.  Look for any files or folders that were created in the last several days and determine whether they're legit or not.
0
tailoreddigitalCommented:
0
Joel HarderCommented:
We have had the same virus.  Trend never caught it yesterday and they seemed to think it was a new strain of a similiar virus.  I physically removed the exe's from the server and unhid everything using "attrib -H -S /S /D" and "attrib -H /S /D" from the commandline on each of the shared folders because there were so many directories hidden underneath them.

The biggest problem we've had is Malwarebytes will find the files (when we browse to those directories they are already gone) but when we let it clean and reboot it detects them again in those same directories...  Haven't been able to figure out that behavior unless the exe is only there as long as it takes to run and replicate...
0
Introducing the "443 Security Simplified" Podcast

This new podcast puts you inside the minds of leading white-hat hackers and security researchers. Hosts Marc Laliberte and Corey Nachreiner turn complex security concepts into easily understood and actionable insights on the latest cyber security headlines and trends.

seven45Author Commented:
Yea,  I'm at the same point right now.  I've unhid the folders, and deleted teh exe files along with the autorun, and a mpeg file in the shares.   I also found  a file called "kill.exe" in the c:\documents and settings\username\. directory that i deleted and am using rogue killer to stop the nioul.exe process (that resides in the same directory).  but upon reboot, there seems to be a master file somewhere else that keeps putting back infection.  

What i did do differently for now with some results is after a malwarebytes scan reboot, i logged in using a different domain admin account.  and so far the file/virus seems to be contained-- meaning, it's not popping all over the place-so we have some reprieve.  However, this is not a full solution.  

My question:  can we just disable the main admin account called "administrator" and sign in from now on using the alternate domain admin user account?
0
tailoreddigitalCommented:
Norton Power Eraser didn't work?
0
seven45Author Commented:
it didn't find anything
0
seven45Author Commented:
i ran a microsoft scanner (msert) found on www.microsoft.com/security/scanner/en-us/default.aspx.   it finds the virus and removes it, but on reboot...so far, i've seen that it's still there.   i also see a new virus that it detects but doesn't remove---i think that's the source:

 Found VirTool:JS/Obfuscator.BV (detected suspiciously)

any  ideas on manual removal of this particular virus?
0
seven45Author Commented:
update:  what has helped me so far.  

1. do not use the username profile that was last used when infected.
2. block incoming/outgoing ports on the network firewall--for 8000, 8002, 9004, 7005
3. create gpo to block autorun for all (cd, usb, etc)--apply it at the highest level.
4. download the microsoft scanner (listed in my previous comment).
5. ipconfig /flushdns on all pc's that microsoft scanner infected.  
(I got these tips from microsoft--except number 1--i'm doing that as a precaution).

so far, the scan found and removed, running another scan to see if it stays clean after a reboot.   will keep you guys posted.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
seven45Author Commented:
Although the other comments helped/assisted (therefore, marked as part of the solution), the ultimate fix for it was with the comments i posted above by running the msert.exe and blocking ports, etc.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.