Posted on 2013-01-31
Hi, one of my clients has the virus where it copies the folders in a shared directory and renames them with the .exe extension, and hides the actual folders.
Currently, a computer is infected (which we cleaned up via Malwarebytes, ComboFix, etc.).
But the server (Windows 2003 Standard R2) is also infected. It's a domain controller, and has folder redirection for the My Documents folder.
I've run Malwarebytes, and have found Trojan.Zbot.Gen4. Removed traces, but after reboot, it comes back. Looking deeper, I see that certain files pop up momentarily (porn.exe, sexy.exe, autorun.ini, etc.) in the admin user profile (Documents and Settings\username). So these files pop up for a bit, then go hidden, and then the .exe files get created on shares. Also, MSCONFIG shows nioul.exe in the startup.
I've contained it for now by running RogueKiller and "killing" the file (can't choose delete as it creates a copy of itself from somewhere else).
Since it's a server, I can't run ComboFix. Any suggestions?
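A defender-side check for the folder/.exe pattern described in this post, as an added example that is not part of the original thread or of any tool it names; it is written for PowerShell 2.0 so it can run on a Server 2003 box, and the share path is an assumed placeholder.

```powershell
# Added example, not from the original post or from any of the tools it names.
# Reports hidden folders that have a same-named "<folder>.exe" beside them, the
# pattern described above. Written for PowerShell 2.0 (no -Directory switch,
# no Get-FileHash) so it runs on Server 2003. $SharePath is an assumed placeholder.
param([string]$SharePath = '\\FILESERVER\Redirected$')  # placeholder share path

$sha = [System.Security.Cryptography.SHA256]::Create()
function Get-Sha256Hex([string]$path) {
    $stream = [System.IO.File]::OpenRead($path)
    try     { return ([BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

$hidden = [System.IO.FileAttributes]::Hidden
# -Force is required: without it Get-ChildItem skips the hidden directories we want.
$findings = @(Get-ChildItem -Path $SharePath -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and (($_.Attributes -band $hidden) -eq $hidden) } |
    ForEach-Object {
        $dir  = $_
        $twin = Join-Path $dir.Parent.FullName ($dir.Name + '.exe')
        if (Test-Path -LiteralPath $twin -PathType Leaf) {
            $exe = Get-Item -LiteralPath $twin -Force
            New-Object PSObject -Property @{
                HiddenFolder = $dir.FullName
                ImpostorExe  = $exe.FullName
                SizeBytes    = $exe.Length
                Created      = $exe.CreationTime
                Sha256       = Get-Sha256Hex $exe.FullName
            }
        }
    })

# One dropper copied everywhere shows up as many paths sharing a single hash;
# that hash is what to submit to the AV vendor and put on a block list.
$findings | Group-Object Sha256 | Sort-Object Count -Descending |
    ForEach-Object { "{0} copies of hash {1}" -f $_.Count, $_.Name }

$report = Join-Path $env:TEMP 'folder-impostors.csv'
$findings | Sort-Object ImpostorExe | Export-Csv -NoTypeInformation -Path $report
"Wrote $($findings.Count) findings to $report"
```

Run it read-only first and review the CSV before deleting anything, since the same name-plus-hidden-sibling shape could in rare cases be a legitimate installer next to its own hidden data folder.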