?
Solved

trojan.zbot.gen4 virus

Posted on 2013-01-31
9
Medium Priority
?
844 Views
Last Modified: 2013-03-24
hi,  one of my clients have the virus where it copies the folders in a shared directory and renames them with teh .exe extensions.  and hides the actual folders.

Currently, a computer is infected (which we cleaned up via malwarebytes, combofix, etc).
but the server (windows 2003 standard R2) is also infected. Its a domain controller, and has folder redirection for the my documents folder.  

I've ran malwarebytes, and have found trojan.zbot.gen4.  removed traces, but after reboot, it comes back.    looking deeper---i see that certain files pop up momentarily (porn.exe, sexy.exe, autorun.ini, etc) in the admin user profile's (documents and settings\username).  so these files pop up for a bit, then go hidden, and then the exe's get created on shares.   also, MSCONFIG shows the nioul.exe in the startup.

I've contained it for now by running roguekiller and "Killing" the file(cant choose delete as it creates a copy of itself from somewhere else).  

since its a server, cant run combo fix.    any suggestions?
0
Comment
Question by:seven45
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 11

Expert Comment

by:David Kroll
ID: 38840671
Did you remove nioul.exe from the startup?  In the admin user's profile directory, check for any files that are just a bunch of random numbers and/or letters and delete those.  Look for any files or folders that were created in the last several days and determine whether they're legit or not.
0
 
LVL 23

Assisted Solution

by:tailoreddigital
tailoreddigital earned 1000 total points
ID: 38840712
0
 
LVL 1

Assisted Solution

by:Joel Harder
Joel Harder earned 1000 total points
ID: 38841197
We have had the same virus.  Trend never caught it yesterday and they seemed to think it was a new strain of a similiar virus.  I physically removed the exe's from the server and unhid everything using "attrib -H -S /S /D" and "attrib -H /S /D" from the commandline on each of the shared folders because there were so many directories hidden underneath them.

The biggest problem we've had is Malwarebytes will find the files (when we browse to those directories they are already gone) but when we let it clean and reboot it detects them again in those same directories...  Haven't been able to figure out that behavior unless the exe is only there as long as it takes to run and replicate...
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:seven45
ID: 38841791
Yea,  I'm at the same point right now.  I've unhid the folders, and deleted teh exe files along with the autorun, and a mpeg file in the shares.   I also found  a file called "kill.exe" in the c:\documents and settings\username\. directory that i deleted and am using rogue killer to stop the nioul.exe process (that resides in the same directory).  but upon reboot, there seems to be a master file somewhere else that keeps putting back infection.  

What i did do differently for now with some results is after a malwarebytes scan reboot, i logged in using a different domain admin account.  and so far the file/virus seems to be contained-- meaning, it's not popping all over the place-so we have some reprieve.  However, this is not a full solution.  

My question:  can we just disable the main admin account called "administrator" and sign in from now on using the alternate domain admin user account?
0
 
LVL 23

Expert Comment

by:tailoreddigital
ID: 38841938
Norton Power Eraser didn't work?
0
 

Author Comment

by:seven45
ID: 38841943
it didn't find anything
0
 

Assisted Solution

by:seven45
seven45 earned 0 total points
ID: 38846715
i ran a microsoft scanner (msert) found on www.microsoft.com/security/scanner/en-us/default.aspx.   it finds the virus and removes it, but on reboot...so far, i've seen that it's still there.   i also see a new virus that it detects but doesn't remove---i think that's the source:

 Found VirTool:JS/Obfuscator.BV (detected suspiciously)

any  ideas on manual removal of this particular virus?
0
 

Accepted Solution

by:
seven45 earned 0 total points
ID: 38848085
update:  what has helped me so far.  

1. do not use the username profile that was last used when infected.
2. block incoming/outgoing ports on the network firewall--for 8000, 8002, 9004, 7005
3. create gpo to block autorun for all (cd, usb, etc)--apply it at the highest level.
4. download the microsoft scanner (listed in my previous comment).
5. ipconfig /flushdns on all pc's that microsoft scanner infected.  
(I got these tips from microsoft--except number 1--i'm doing that as a precaution).

so far, the scan found and removed, running another scan to see if it stays clean after a reboot.   will keep you guys posted.
0
 

Author Closing Comment

by:seven45
ID: 39015244
Although the other comments helped/assisted (therefore, marked as part of the solution), the ultimate fix for it was with the comments i posted above by running the msert.exe and blocking ports, etc.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

These are on the increase and getting more common these days. Users who use the Google search engine may complain of having their search redirected to unwanted sites, regardless of what browser is used. This happens when the system is infected with…
Sub-Titled: “My Way” (with apologies to Francis Albert Sinatra) Let me start by stating emphatically that I am one of those Experts who prefer doing things “My Way”. It’s kind of a no-brainer. “The following procedure works for me, so here is …
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question