possible virus or trojan. need help!

my computer host name has changed from PDC to Y9V703

i didn't issue this command. and what's even more interesting is that i'm not on a network, i'm on the internet, but that's it. i even have the windows 2000 server certificate service installed, but right now shut down. also have dns server and iis server but all shut down....

i run isa server 2000 as the firewall, and have symantec corp edition 8.1 as the anti virus scanner.
i don't see any new ports open, nor does my virus scanner detect any viruses. it's been updated every day, and so are my windows patches.....

any ideas?
i don't think it can just be spyware. cus this is a pretty major change to my system. banner advertising or keeping track of what web pages i go to is one thing. but changing the host name of a win2k server is another thing too lol
when i right click on my computer to check the host name it says pdc, but in the event viewer and everything else it says it's changed to Y9V703
Did you run the spyware scan and are you still seeing the change?

Also check these pop-up blockers:

Google toolbar: toolbar.google.com

Did you scan the entire system for viruses and worms?

so far nothing important has come up. just a few cookies and banner ads from download accelerator plus. stuff like that

i don't really trust my anti virus right now. i think i'm gonna have to reinstall and hope it doesn't happen again. cus i don't have space to do a ghost image and analyze it later :-(

What is the event log message that tells you the name is different?

By the services you are running, it seems you have Windows 2000 Server, is this your desktop machine? If this is the PDC on a domain, the name cannot be changed without destroying Active Directory, so I'd keep that in mind.
Anyway the event log message(s) would help a great deal.


every log in the event log has changed to the host name Y9V703. yet everything runs fine, all logins are under the Y9V703 name, same for the security policies, even ISA Server 2000 which i use as the firewall is fine with the new host name. which is odd, because typically changing the host name on a well configured isa server makes isa first try to access things from the old host name, and then it defaults to the new host name, which makes it still work. just when loading the mmc it lags a bit while it finds the proper host name to connect to....but in this case it's fine.
and yes it is windows 2000 server. but it's not a domain controller nor does it have active directory installed. it's just a single machine, no network, nothing, i just run test apps and trial apps, develop programs on it, etc. it's basically my own personal computer though.
the only noticeable error messages i got, just before the name change, were in my System Log:

Source: DCOM
Category: None
Event: 10005
User: Admon
Computer: PDC
DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service NISUM with arguments "-Service" in order to run the server:

Admon, is the Administrator account. i just renamed it.
i got about 30 error messages like this. and afterwards the log files would show "Computer: Y9V703" for everything.

hmmmm, now that i think about it. probably the only big change i made to the system on that day was to uninstall vmware workstation 4 for windows. could that have caused the problem? all the nt services were shut off and turned to manual when i uninstalled vmware. damn it, i think that might have been it. it's the only thing that makes sense now..... :-( arrggg!!!!
Do you have Norton Internet Security installed or Norton Personal Firewall?
The NISUM seems to be a NIS service that is not starting...
All the services are set to manual? That's very odd...

Well the first troubleshooting step is always, what changed?
But I can't imagine VMWare would do all this damage on its way out, I've installed and uninstalled it a number of times, never had any catastrophic problems like this.

I'm sure you've done a full system scan, if not try that. Also, NAVCE only updates weekly, if you want the absolute latest definitions go to: www.sarc.com and download the intelligent updater and run that on your server if the definitions don't match the definition date on www.sarc.com

You said the name in the computer identification tab is still PDC, if you click on the "more..." button is the NETBIOS name "Y9V703" ? Is it possible you just never noticed this was the NETBIOS name? Do previous logs have PDC as the computername? Can we pinpoint when it changed?

I'm asking more questions than answering sorry. ;p


not all services are set to manual. just the vmware ones i wasn't using before i uninstalled it.
i don't have norton internet security or personal firewall because this is a server os.
my anti virus is set to update everyday.
what is the nis service anyways?
yes i can pinpoint EXACTLY when the change happened. i just don't know why it happened. if i look in my log files, everything is logged to PDC, and then the next day. everything starts getting logged to Y9V703.
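One way to pinpoint that switch from an event log text export, as an added example (not code from the thread): it parses records in the "Field: value" layout shown in the DCOM entry above, finds the first record whose Computer field is no longer the expected name, and tallies which (Source, Event) pairs were logged before it. The record layout and the sample records are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the "Field: value" layout of an event viewer text
# export, one blank line between records (assumed format, not a real export).
SAMPLE_EXPORT = """\
Source: DCOM
Category: None
Event: 10005
User: Admon
Computer: PDC
Description: DCOM got error attempting to start the service NISUM.

Source: DCOM
Category: None
Event: 10005
User: Admon
Computer: PDC
Description: DCOM got error attempting to start the service NISUM.

Source: Security
Category: Logon/Logoff
Event: 528
User: Admon
Computer: Y9V703
Description: Successful Logon.
"""

def parse_records(text):
    """Split the export into dicts; a record is a block of 'Field: value' lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            # Only the first colon separates field from value (values may contain colons).
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def find_name_change(records, expected):
    """Return (index of first record whose Computer differs from expected,
    Counter of (Source, Event) seen before it); index is None if no change."""
    seen = Counter()
    for i, rec in enumerate(records):
        if rec.get("Computer", "").upper() != expected.upper():
            return i, seen
        seen[(rec.get("Source"), rec.get("Event"))] += 1
    return None, seen
```

Run it over a real export of the System and Security logs with `expected="PDC"` and the first index returned is the record where the NetBIOS name flipped; the counter shows what (here, the DCOM 10005 errors) immediately preceded it.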

About the updates, even if you set NAVCE to update hourly, Symantec only puts weekly definitions on their NAVCE update servers. Read here to find out how to use an ftp script to change that:

But that still doesn't resolve your query... Is there a problem with just changing it back and seeing if anything else strange happens?
If you fear an unknown (by symantec) trojan or virus, I would do the following:
Check your services, sort them by "Description" most added services have no description, take note of the names of the services, and perhaps post them here if you are unsure of any of them.
Then run msconfig, click on startup tab, verify that everything there is something that you know is supposed to run at startup.
Run Windows Update, make sure you have all critical updates. The DCOM (blaster) vulnerability is still one of the better script kiddie tools to break into a system, so just make sure you are patched up.

Then open Task Manager and verify that everything running there is a program you recognize.


i am familiar with all the services that are running. i did research a while ago to see what each service does, what ports it uses and if i need it to have internet access. lots of the ports that the symantec discovery service uses i block using the firewall. no need for my av server to look for clients on the internet. also the intel pds service is blocked at the firewall, and lots of others that i have configured.
now, i just uninstalled the dns, dhcp and cert services from the computer. no change, but it seems that it's not my host name that's been changed it only the netbios name. so that's a plus, but again, the netbios name i originally specified when i installed the operating system was PDC. why it changed, i still don't know. and why does the windows event viewer use the netbios name instead of the host name, i don't know....lol
but i think i'm gonna just finalize the answer soon. i'll give most marks to sunray_2003, and assistant marks to dyerseve.

can anyone tell me though how to change the netbios name? when i go to the properties for my computer, click the network identification tab, click properties, click more, the netbios name is greyed out and i can't change it. any other way?

Change the computername to something else, then change it back, then the NETBIOS name should match.
If that fails, there is probably a way to change it in the registry, let me know.
