?
Solved

trojan.zbot.gen4 virus

Posted on 2013-01-31
9
Medium Priority
?
849 Views
Last Modified: 2013-03-24
hi,  one of my clients have the virus where it copies the folders in a shared directory and renames them with teh .exe extensions.  and hides the actual folders.

Currently, a computer is infected (which we cleaned up via malwarebytes, combofix, etc).
but the server (windows 2003 standard R2) is also infected. Its a domain controller, and has folder redirection for the my documents folder.  

I've ran malwarebytes, and have found trojan.zbot.gen4.  removed traces, but after reboot, it comes back.    looking deeper---i see that certain files pop up momentarily (porn.exe, sexy.exe, autorun.ini, etc) in the admin user profile's (documents and settings\username).  so these files pop up for a bit, then go hidden, and then the exe's get created on shares.   also, MSCONFIG shows the nioul.exe in the startup.

I've contained it for now by running roguekiller and "Killing" the file(cant choose delete as it creates a copy of itself from somewhere else).  

since its a server, cant run combo fix.    any suggestions?
0
Comment
Question by:seven45
9 Comments
 
LVL 11

Expert Comment

by:David Kroll
ID: 38840671
Did you remove nioul.exe from the startup?  In the admin user's profile directory, check for any files that are just a bunch of random numbers and/or letters and delete those.  Look for any files or folders that were created in the last several days and determine whether they're legit or not.
0
 
LVL 23

Assisted Solution

by:tailoreddigital
tailoreddigital earned 1000 total points
ID: 38840712
0
 
LVL 1

Assisted Solution

by:Joel Harder
Joel Harder earned 1000 total points
ID: 38841197
We have had the same virus.  Trend never caught it yesterday and they seemed to think it was a new strain of a similiar virus.  I physically removed the exe's from the server and unhid everything using "attrib -H -S /S /D" and "attrib -H /S /D" from the commandline on each of the shared folders because there were so many directories hidden underneath them.

The biggest problem we've had is Malwarebytes will find the files (when we browse to those directories they are already gone) but when we let it clean and reboot it detects them again in those same directories...  Haven't been able to figure out that behavior unless the exe is only there as long as it takes to run and replicate...
0
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

 

Author Comment

by:seven45
ID: 38841791
Yea,  I'm at the same point right now.  I've unhid the folders, and deleted teh exe files along with the autorun, and a mpeg file in the shares.   I also found  a file called "kill.exe" in the c:\documents and settings\username\. directory that i deleted and am using rogue killer to stop the nioul.exe process (that resides in the same directory).  but upon reboot, there seems to be a master file somewhere else that keeps putting back infection.  

What i did do differently for now with some results is after a malwarebytes scan reboot, i logged in using a different domain admin account.  and so far the file/virus seems to be contained-- meaning, it's not popping all over the place-so we have some reprieve.  However, this is not a full solution.  

My question:  can we just disable the main admin account called "administrator" and sign in from now on using the alternate domain admin user account?
0
 
LVL 23

Expert Comment

by:tailoreddigital
ID: 38841938
Norton Power Eraser didn't work?
0
 

Author Comment

by:seven45
ID: 38841943
it didn't find anything
0
 

Assisted Solution

by:seven45
seven45 earned 0 total points
ID: 38846715
i ran a microsoft scanner (msert) found on www.microsoft.com/security/scanner/en-us/default.aspx.   it finds the virus and removes it, but on reboot...so far, i've seen that it's still there.   i also see a new virus that it detects but doesn't remove---i think that's the source:

 Found VirTool:JS/Obfuscator.BV (detected suspiciously)

any  ideas on manual removal of this particular virus?
0
 

Accepted Solution

by:
seven45 earned 0 total points
ID: 38848085
update:  what has helped me so far.  

1. do not use the username profile that was last used when infected.
2. block incoming/outgoing ports on the network firewall--for 8000, 8002, 9004, 7005
3. create gpo to block autorun for all (cd, usb, etc)--apply it at the highest level.
4. download the microsoft scanner (listed in my previous comment).
5. ipconfig /flushdns on all pc's that microsoft scanner infected.  
(I got these tips from microsoft--except number 1--i'm doing that as a precaution).

so far, the scan found and removed, running another scan to see if it stays clean after a reboot.   will keep you guys posted.
0
 

Author Closing Comment

by:seven45
ID: 39015244
Although the other comments helped/assisted (therefore, marked as part of the solution), the ultimate fix for it was with the comments i posted above by running the msert.exe and blocking ports, etc.
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware - Defeated! Client opened the wrong email and was attacked by Ransomware. I was able to use file recovery utilities to find shadow copies of the encrypted files and make a complete recovery.
Your business may be under attack from a silent enemy that is hard to detect. It works stealthily in the shadows to access and exploit your critical business information, sensitive confidential data and intellectual property, for commercial gain. T…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Suggested Courses

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question