trojan.zbot.gen4 virus

hi,  one of my clients have the virus where it copies the folders in a shared directory and renames them with teh .exe extensions.  and hides the actual folders.

Currently, a computer is infected (which we cleaned up via malwarebytes, combofix, etc).
but the server (windows 2003 standard R2) is also infected. Its a domain controller, and has folder redirection for the my documents folder.  

I've ran malwarebytes, and have found trojan.zbot.gen4.  removed traces, but after reboot, it comes back.    looking deeper---i see that certain files pop up momentarily (porn.exe, sexy.exe, autorun.ini, etc) in the admin user profile's (documents and settings\username).  so these files pop up for a bit, then go hidden, and then the exe's get created on shares.   also, MSCONFIG shows the nioul.exe in the startup.

I've contained it for now by running roguekiller and "Killing" the file(cant choose delete as it creates a copy of itself from somewhere else).  

since its a server, cant run combo fix.    any suggestions?
Who is Participating?
seven45Connect With a Mentor Author Commented:
update:  what has helped me so far.  

1. do not use the username profile that was last used when infected.
2. block incoming/outgoing ports on the network firewall--for 8000, 8002, 9004, 7005
3. create gpo to block autorun for all (cd, usb, etc)--apply it at the highest level.
4. download the microsoft scanner (listed in my previous comment).
5. ipconfig /flushdns on all pc's that microsoft scanner infected.  
(I got these tips from microsoft--except number 1--i'm doing that as a precaution).

so far, the scan found and removed, running another scan to see if it stays clean after a reboot.   will keep you guys posted.
David KrollCommented:
Did you remove nioul.exe from the startup?  In the admin user's profile directory, check for any files that are just a bunch of random numbers and/or letters and delete those.  Look for any files or folders that were created in the last several days and determine whether they're legit or not.
tailoreddigitalConnect With a Mentor Commented:
WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

Joel HarderConnect With a Mentor Commented:
We have had the same virus.  Trend never caught it yesterday and they seemed to think it was a new strain of a similiar virus.  I physically removed the exe's from the server and unhid everything using "attrib -H -S /S /D" and "attrib -H /S /D" from the commandline on each of the shared folders because there were so many directories hidden underneath them.

The biggest problem we've had is Malwarebytes will find the files (when we browse to those directories they are already gone) but when we let it clean and reboot it detects them again in those same directories...  Haven't been able to figure out that behavior unless the exe is only there as long as it takes to run and replicate...
seven45Author Commented:
Yea,  I'm at the same point right now.  I've unhid the folders, and deleted teh exe files along with the autorun, and a mpeg file in the shares.   I also found  a file called "kill.exe" in the c:\documents and settings\username\. directory that i deleted and am using rogue killer to stop the nioul.exe process (that resides in the same directory).  but upon reboot, there seems to be a master file somewhere else that keeps putting back infection.  

What i did do differently for now with some results is after a malwarebytes scan reboot, i logged in using a different domain admin account.  and so far the file/virus seems to be contained-- meaning, it's not popping all over the place-so we have some reprieve.  However, this is not a full solution.  

My question:  can we just disable the main admin account called "administrator" and sign in from now on using the alternate domain admin user account?
Norton Power Eraser didn't work?
seven45Author Commented:
it didn't find anything
seven45Connect With a Mentor Author Commented:
i ran a microsoft scanner (msert) found on   it finds the virus and removes it, but on far, i've seen that it's still there.   i also see a new virus that it detects but doesn't remove---i think that's the source:

 Found VirTool:JS/Obfuscator.BV (detected suspiciously)

any  ideas on manual removal of this particular virus?
seven45Author Commented:
Although the other comments helped/assisted (therefore, marked as part of the solution), the ultimate fix for it was with the comments i posted above by running the msert.exe and blocking ports, etc.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.