Solved

trojan.zbot.gen4 virus

Posted on 2013-01-31
9
828 Views
Last Modified: 2013-03-24
hi,  one of my clients have the virus where it copies the folders in a shared directory and renames them with teh .exe extensions.  and hides the actual folders.

Currently, a computer is infected (which we cleaned up via malwarebytes, combofix, etc).
but the server (windows 2003 standard R2) is also infected. Its a domain controller, and has folder redirection for the my documents folder.  

I've ran malwarebytes, and have found trojan.zbot.gen4.  removed traces, but after reboot, it comes back.    looking deeper---i see that certain files pop up momentarily (porn.exe, sexy.exe, autorun.ini, etc) in the admin user profile's (documents and settings\username).  so these files pop up for a bit, then go hidden, and then the exe's get created on shares.   also, MSCONFIG shows the nioul.exe in the startup.

I've contained it for now by running roguekiller and "Killing" the file(cant choose delete as it creates a copy of itself from somewhere else).  

since its a server, cant run combo fix.    any suggestions?
0
Comment
Question by:seven45
9 Comments
 
LVL 11

Expert Comment

by:David Kroll
Comment Utility
Did you remove nioul.exe from the startup?  In the admin user's profile directory, check for any files that are just a bunch of random numbers and/or letters and delete those.  Look for any files or folders that were created in the last several days and determine whether they're legit or not.
0
 
LVL 23

Assisted Solution

by:tailoreddigital
tailoreddigital earned 250 total points
Comment Utility
0
 
LVL 1

Assisted Solution

by:Joel Harder
Joel Harder earned 250 total points
Comment Utility
We have had the same virus.  Trend never caught it yesterday and they seemed to think it was a new strain of a similiar virus.  I physically removed the exe's from the server and unhid everything using "attrib -H -S /S /D" and "attrib -H /S /D" from the commandline on each of the shared folders because there were so many directories hidden underneath them.

The biggest problem we've had is Malwarebytes will find the files (when we browse to those directories they are already gone) but when we let it clean and reboot it detects them again in those same directories...  Haven't been able to figure out that behavior unless the exe is only there as long as it takes to run and replicate...
0
 

Author Comment

by:seven45
Comment Utility
Yea,  I'm at the same point right now.  I've unhid the folders, and deleted teh exe files along with the autorun, and a mpeg file in the shares.   I also found  a file called "kill.exe" in the c:\documents and settings\username\. directory that i deleted and am using rogue killer to stop the nioul.exe process (that resides in the same directory).  but upon reboot, there seems to be a master file somewhere else that keeps putting back infection.  

What i did do differently for now with some results is after a malwarebytes scan reboot, i logged in using a different domain admin account.  and so far the file/virus seems to be contained-- meaning, it's not popping all over the place-so we have some reprieve.  However, this is not a full solution.  

My question:  can we just disable the main admin account called "administrator" and sign in from now on using the alternate domain admin user account?
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 23

Expert Comment

by:tailoreddigital
Comment Utility
Norton Power Eraser didn't work?
0
 

Author Comment

by:seven45
Comment Utility
it didn't find anything
0
 

Assisted Solution

by:seven45
seven45 earned 0 total points
Comment Utility
i ran a microsoft scanner (msert) found on www.microsoft.com/security/scanner/en-us/default.aspx.   it finds the virus and removes it, but on reboot...so far, i've seen that it's still there.   i also see a new virus that it detects but doesn't remove---i think that's the source:

 Found VirTool:JS/Obfuscator.BV (detected suspiciously)

any  ideas on manual removal of this particular virus?
0
 

Accepted Solution

by:
seven45 earned 0 total points
Comment Utility
update:  what has helped me so far.  

1. do not use the username profile that was last used when infected.
2. block incoming/outgoing ports on the network firewall--for 8000, 8002, 9004, 7005
3. create gpo to block autorun for all (cd, usb, etc)--apply it at the highest level.
4. download the microsoft scanner (listed in my previous comment).
5. ipconfig /flushdns on all pc's that microsoft scanner infected.  
(I got these tips from microsoft--except number 1--i'm doing that as a precaution).

so far, the scan found and removed, running another scan to see if it stays clean after a reboot.   will keep you guys posted.
0
 

Author Closing Comment

by:seven45
Comment Utility
Although the other comments helped/assisted (therefore, marked as part of the solution), the ultimate fix for it was with the comments i posted above by running the msert.exe and blocking ports, etc.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Malware seems to be getting smarter and smarter. If you are having trouble being able to launch your malware removal tools such as (and recommended): MalwareBytes, HiJackThis, ComboFix, etc. you can try some of the workarounds listed below. 1. Ma…
Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now