seven45
asked on
trojan.zbot.gen4 virus
hi, one of my clients have the virus where it copies the folders in a shared directory and renames them with teh .exe extensions. and hides the actual folders.
Currently, a computer is infected (which we cleaned up via malwarebytes, combofix, etc).
but the server (windows 2003 standard R2) is also infected. Its a domain controller, and has folder redirection for the my documents folder.
I've ran malwarebytes, and have found trojan.zbot.gen4. removed traces, but after reboot, it comes back. looking deeper---i see that certain files pop up momentarily (porn.exe, sexy.exe, autorun.ini, etc) in the admin user profile's (documents and settings\username). so these files pop up for a bit, then go hidden, and then the exe's get created on shares. also, MSCONFIG shows the nioul.exe in the startup.
I've contained it for now by running roguekiller and "Killing" the file(cant choose delete as it creates a copy of itself from somewhere else).
since its a server, cant run combo fix. any suggestions?
Currently, a computer is infected (which we cleaned up via malwarebytes, combofix, etc).
but the server (windows 2003 standard R2) is also infected. Its a domain controller, and has folder redirection for the my documents folder.
I've ran malwarebytes, and have found trojan.zbot.gen4. removed traces, but after reboot, it comes back. looking deeper---i see that certain files pop up momentarily (porn.exe, sexy.exe, autorun.ini, etc) in the admin user profile's (documents and settings\username). so these files pop up for a bit, then go hidden, and then the exe's get created on shares. also, MSCONFIG shows the nioul.exe in the startup.
I've contained it for now by running roguekiller and "Killing" the file(cant choose delete as it creates a copy of itself from somewhere else).
since its a server, cant run combo fix. any suggestions?
David Kroll
Did you remove nioul.exe from the startup? In the admin user's profile directory, check for any files that are just a bunch of random numbers and/or letters and delete those. Look for any files or folders that were created in the last several days and determine whether they're legit or not.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Yea, I'm at the same point right now. I've unhid the folders, and deleted teh exe files along with the autorun, and a mpeg file in the shares. I also found a file called "kill.exe" in the c:\documents and settings\username\. directory that i deleted and am using rogue killer to stop the nioul.exe process (that resides in the same directory). but upon reboot, there seems to be a master file somewhere else that keeps putting back infection.
What i did do differently for now with some results is after a malwarebytes scan reboot, i logged in using a different domain admin account. and so far the file/virus seems to be contained-- meaning, it's not popping all over the place-so we have some reprieve. However, this is not a full solution.
My question: can we just disable the main admin account called "administrator" and sign in from now on using the alternate domain admin user account?
What i did do differently for now with some results is after a malwarebytes scan reboot, i logged in using a different domain admin account. and so far the file/virus seems to be contained-- meaning, it's not popping all over the place-so we have some reprieve. However, this is not a full solution.
My question: can we just disable the main admin account called "administrator" and sign in from now on using the alternate domain admin user account?
Norton Power Eraser didn't work?
ASKER
it didn't find anything
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Although the other comments helped/assisted (therefore, marked as part of the solution), the ultimate fix for it was with the comments i posted above by running the msert.exe and blocking ports, etc.