One of our customers has a Windows 2008 Terminal Server which was infected by someone opening an attachment in Outlook. About 2 hours later, they noticed some files were corrupt, so after I investigated, I found the 2 running EXE files. Both are located in the user's profile directory.
cakaqdecyszi.exe (I think this is Cutwail)
volcizgizxyr.exe (I think this is Zbot)
Also, the registry key is now:
I backed up that key and actually imported it into a clean user, but there is no sign of the unlock page. I did a backup, and now I logged back into the user with the virus. I'm running Process Monitor, but I don't see it encrypting more files. It just keeps trying to make HTTP and SMTP connections.
What's my next step? Do I just leave the bad user logged on until it shows me the unlock screen? Can someone PM the 0338 unlock program so I can run that from the clean user?