Solved

Possible virus or trojan. Need help!

Posted on 2003-10-25
Last Modified: 2013-12-04
My computer's host name has changed from PDC to Y9V703.

I didn't issue this command. And what's even more interesting is that I'm not on a network; I'm on the internet, but that's it. I even have the Windows 2000 Server Certificate Services installed, but right now shut down. I also have DNS Server and IIS Server, but all shut down....

I run ISA Server 2000 as the firewall, and have Symantec Corporate Edition 8.1 as the anti-virus scanner.
I don't see any new ports open, nor does my virus scanner detect any viruses. It's been updated every day, and so are my Windows patches.....

Any ideas?
Question by: nonsence
Accepted Solution by: sunray_2003 (earned 80 total points)
Author Comment by: nonsence
I don't think it can just be spyware, because this is a pretty major change to my system. Banner advertising or keeping track of what web pages I go to is one thing, but changing the host name of a Win2k server is another thing too, lol.
When I right-click on My Computer to check the host name it says PDC, but in the Event Viewer and everything else it says it's changed to Y9V703.
Expert Comment by: sunray_2003
Did you run the spyware scan and are you still seeing the change?

Also check these pop-up blockers:

Pop-up blocker:
---------------
http://home.rochester.rr.com/artcfox/Pop-Down/

http://www.panicware.com/product_psfree.html

http://zdnet.search.com/search?channel=56&cat=279tag=st.zd.sr.srch.zdnet&q=popup+killer

http://12ghosts.com/ghosts/popup.htm

http://www.webwasher.com/client/home/index.html?lang=de_EN

http://www.adsgone.com/download.asp

Google toolbar: toolbar.google.com

Did you scan the entire system for viruses and worms?

Sunray
Author Comment by: nonsence
So far nothing important has come up, just a few cookies and banner ads from Download Accelerator Plus, stuff like that.

I don't really trust my anti-virus right now. I think I'm gonna have to reinstall and hope it doesn't happen again, because I don't have space to make a Ghost image and analyze it later :-(

Expert Comment by: dyerseve
What is the event log message that tells you the name is different?

By the services you are running, it seems you have Windows 2000 Server. Is this your desktop machine? If this is the PDC on a domain, the name cannot be changed without destroying Active Directory, so I'd keep that in mind.
Anyway the event log message(s) would help a great deal.
Author Comment by: nonsence
Every log in the Event Log has changed to the host name Y9V703. Yet everything runs fine, all logins are under the Y9V703 name, same for the security policies; even ISA Server 2000, which I use as the firewall, is fine with the new host name. Which is odd, because typically changing the host name on a well-configured ISA server makes ISA first try to access things from the old host name, and then it defaults to the new host name, which makes it still work. Just when loading the MMC it lags a bit while it finds the proper host name to connect to....but in this case it's fine.
And yes, it is Windows 2000 Server. But it's not a domain controller, nor does it have Active Directory installed. It's just a single machine, no network, nothing; I just run test apps and trial apps, develop programs on it, etc. It's basically my own personal computer though.
The only noticeable error messages I got were, just before the name change, in my System Log:

Source: DCOM
Category: None
Event: 10005
User: Admon
Computer: PDC
DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service NISUM with arguments "-Service" in order to run the server:
{E3871F20-5A83-11D3-AF4F-00600811C705}

Admon is the Administrator account; I just renamed it.
I got about 30 error messages like this, and afterwards the log files would show "Computer: Y9V703" for everything.

Hmmmm, now that I think about it, probably the only big change I made to the system on that day was to uninstall VMware Workstation 4 for Windows. Could that have caused the problem? All the NT services were shut off and turned to manual when I uninstalled VMware. Damn it, I think that might have been it. It's the only thing that makes sense now..... :-( Arrggg!!!!
Assisted Solution by: dyerseve (earned 20 total points)
Do you have Norton Internet Security installed or Norton Personal Firewall?
The NISUM seems to be a NIS service that is not starting...
All the services are set to manual? That's very odd...

Well the first troubleshooting step is always, what changed?
But I can't imagine VMware would do all this damage on its way out; I've installed and uninstalled it a number of times and never had any catastrophic problems like this.

I'm sure you've done a full system scan; if not, try that. Also, NAVCE only updates weekly. If you want the absolute latest definitions, go to www.sarc.com and download the Intelligent Updater and run that on your server if the definitions don't match the definition date on www.sarc.com.

You said the name in the computer identification tab is still PDC, if you click on the "more..." button is the NETBIOS name "Y9V703" ? Is it possible you just never noticed this was the NETBIOS name? Do previous logs have PDC as the computername? Can we pinpoint when it changed?

I'm asking more questions than answering sorry. ;p
Author Comment by: nonsence
Not all services are set to manual, just the VMware ones I wasn't using before I uninstalled it.
I don't have Norton Internet Security or Personal Firewall because this is a server OS.
My anti-virus is set to update every day.
What is the NIS service anyways?
Yes, I can pinpoint EXACTLY when the change happened. I just don't know why it happened. If I look in my log files, everything is logged to PDC, and then the next day everything starts getting logged to Y9V703.
Expert Comment by: dyerseve
About the updates, even if you set NAVCE to update hourly, Symantec only puts weekly definitions on their NAVCE update servers. Read here to find out how to use an ftp script to change that:
http://service1.symantec.com/SUPPORT/ent-security.nsf/pfdocs/2002091816510548?Open&dtype=corp

But that still doesn't resolve your query... Is there a problem with just changing it back and seeing if anything else strange happens?
If you fear an unknown (by symantec) trojan or virus, I would do the following:
Check your services, sort them by "Description" most added services have no description, take note of the names of the services, and perhaps post them here if you are unsure of any of them.
Then run msconfig, click on startup tab, verify that everything there is something that you know is supposed to run at startup.
Run Windows Update, make sure you have all critical updates. The DCOM (Blaster) vulnerability is still one of the better script kiddie tools to break into a system, so just make sure you are patched up.

Then open Task Manager and verify that everything running there is a program you recognize.
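The triage steps dyerseve lists above, written up as an added example (my code, not the thread's or Symantec's): services without a description are listed together with an Authenticode check on their binaries, and the Run keys that msconfig's Startup tab reads are enumerated. It assumes PowerShell 5+ on a current Windows build; Windows 2000 itself has no PowerShell, and the function names are my own.

```powershell
# Added example, not code from the thread: dyerseve's triage steps (services
# without a description, msconfig's Startup tab) as a script, plus an Authenticode
# check so unsigned or missing service binaries stand out.
# Assumes PowerShell 5+ on a current Windows build; Windows 2000 has no PowerShell.

function Get-ServiceBinaryPath {
    # Pull the executable out of Win32_Service.PathName, which is either quoted
    # ("C:\Program Files\x\svc.exe" -Service) or unquoted (C:\WINNT\system32\svchost.exe -k netsvcs).
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+[-/]')[0].Trim()   # unquoted: cut at the first " -" or " /" switch
}

function Get-UndescribedServices {
    # Heuristic from the thread: added services usually carry no description.
    Get-CimInstance Win32_Service | Where-Object {
        [string]::IsNullOrWhiteSpace($_.Description)
    } | ForEach-Object {
        $exe = Get-ServiceBinaryPath $_.PathName
        $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
            (Get-AuthenticodeSignature -LiteralPath $exe).Status   # Valid, NotSigned, HashMismatch, ...
        } else { 'BinaryMissing' }
        [pscustomobject]@{
            Name = $_.Name; StartMode = $_.StartMode; State = $_.State
            Binary = $exe; Signature = $sig
        }
    }
}

function Get-RunKeyEntries {
    # The Run/RunOnce keys the Startup tab lists, for the machine and the current user.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path -Path $k)) { continue }
        $item = Get-Item -Path $k
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $k; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

# Unsigned or missing service binaries sort to the top; review anything you do not recognise.
Get-UndescribedServices | Sort-Object Signature, Name | Format-Table -AutoSize
Get-RunKeyEntries | Format-Table -AutoSize
```

A `Valid` signature on a binary you do not recognise is still worth a look at the publisher; the check only separates the obviously unsigned or missing entries from the rest.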
Author Comment by: nonsence
I am familiar with all the services that are running. I did research a while ago to see what each service does, what ports it uses and if I need it to have internet access. Lots of the ports that the Symantec discovery service uses I block using the firewall. No need for my AV server to look for clients on the internet. Also the Intel PDS service is blocked at the firewall, and lots of others that I have configured.
Now, I just uninstalled the DNS, DHCP and cert services from the computer. No change, but it seems that it's not my host name that's been changed, it's only the NetBIOS name. So that's a plus, but again, the NetBIOS name I originally specified when I installed the operating system was PDC. Why it changed, I still don't know. And why does the Windows Event Viewer use the NetBIOS name instead of the host name? I don't know....lol
But I think I'm gonna just finalize the answer soon. I'll give most marks to sunray_2003, and assistant marks to dyerseve.

Can anyone tell me though how to change the NetBIOS name? When I go to the properties for My Computer, click the Network Identification tab, click Properties, click More, the NetBIOS name is greyed out and I can't change it. Any other way?
Expert Comment by: dyerseve
Change the computername to something else, then change it back, then the NETBIOS name should match.
If that fails, there is probably a way to change it in the registry, let me know.
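The mismatch the thread circles around (My Computer shows PDC, Event Viewer stamps Y9V703) comes from Windows keeping the machine name in several places: the active NetBIOS name, the NetBIOS name that takes effect at the next boot (which is what a rename writes, hence the "change it and change it back" advice above), the TCP/IP host name, and the name stamped on event records. The following is an added example, not code from the thread or from Microsoft, that reads each of them and flags disagreement; it assumes PowerShell 5+ on a current Windows build (Windows 2000 has no PowerShell), and the function names are my own.

```powershell
# Added example, not code from the thread: reads every place Windows records the
# machine name and reports disagreement (PDC vs. Y9V703 in the thread). Assumes
# PowerShell 5+ on a current Windows build; the registry paths are long-standing
# ones, but Windows 2000 itself has no PowerShell. Function names are my own.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-ComputerNameSources {
    $cn  = 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName'
    $tcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    # Names stamped on recent System-log records (what Event Viewer shows), DNS suffix removed.
    $logNames = Get-WinEvent -LogName System -MaxEvents 200 -ErrorAction SilentlyContinue |
        ForEach-Object { ($_.MachineName -split '\.')[0] } | Sort-Object -Unique
    [ordered]@{
        'COMPUTERNAME env var'         = $env:COMPUTERNAME
        'NetBIOS name (active)'        = Get-RegValue "$cn\ActiveComputerName" ComputerName
        'NetBIOS name (next boot)'     = Get-RegValue "$cn\ComputerName" ComputerName   # written by a rename
        'TCP/IP host name (active)'    = Get-RegValue $tcp Hostname
        'TCP/IP host name (next boot)' = Get-RegValue $tcp 'NV Hostname'
        'DNS resolver host name'       = [System.Net.Dns]::GetHostName()
        'System log MachineName'       = ($logNames -join ', ')
    }
}

function Test-ComputerNameConsistency {
    $src = Get-ComputerNameSources
    $src.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value } | Write-Output
    # NetBIOS names are case-insensitive: compare upper-cased, splitting the log-name list.
    $distinct = @($src.Values | Where-Object { $_ } | ForEach-Object { $_ -split ',\s*' } |
        ForEach-Object { $_.ToUpperInvariant() } | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        $msg = ('Name sources disagree: {0}. A pending rename shows up as differing next-boot ' +
                'values; anything else, trace in the event log when the stamped name changed.')
        Write-Warning ($msg -f ($distinct -join ' / '))
        return $false
    }
    Write-Output 'All name sources agree.'
    return $true
}

Test-ComputerNameConsistency
```

Run it from an elevated prompt so the System log and HKLM keys are readable; on a healthy host every row shows the same name.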