possible virus or trojan. need help!

Posted on 2003-10-25
Medium Priority
Last Modified: 2013-12-04
my computer host name has changed from PDC to Y9V703

i didn't issue this command. and what's even more interesting is that i'm not on a network, i'm on the internet, but that's it. i even have the windows 2000 server certificate service installed. but right now shut down. also have dns server and iis server but all shut down....

i run isa server 2000 as the firewall, and have symantec corp edition 8.1 as the anti virus scanner.
i don't see any new ports open, nor does my virus scanner detect any viruses. it's been updated every day, and so are my windows patches.....

any ideas?
Question by: nonsence
LVL 49

Accepted Solution

sunray_2003 earned 320 total points
ID: 9622103

Author Comment

ID: 9622250
i don't think it can just be spyware. cus this is a pretty major change to my system. banner advertising or keeping track of what web pages i go to is one thing. but changing the host name of a win2k server is another thing too lol
when i right click on my computer to check the host name it says pdc, but in the event viewer and everything else, it says it's changed to Y9V703
LVL 49

Expert Comment

ID: 9622992
Did you run the spyware scan and are you still seeing the change?

Also check these pop-up blockers

Google toolbar: toolbar.google.com

Did you scan the entire system for viruses and worms?

Author Comment

ID: 9632158
so far nothing important has come up. just a few cookies and banner ads from download accelerator plus. stuff like that

i don't really trust my anti virus right now. i think i'm gonna have to reinstall and hope it doesn't happen again. cus i don't have space to do a ghost image and analyze it later :-(


Expert Comment

ID: 9636835
What is the event log message that tells you the name is different?

By the services you are running, it seems you have Windows 2000 Server, is this your desktop machine? If this is the PDC on a domain, the name cannot be changed without destroying Active Directory, so I'd keep that in mind.
Anyway the event log message(s) would help a great deal.

Author Comment

ID: 9637264
every log in the event log has changed to the host name Y9V703. yet everything runs fine, all logins are under the Y9V703 name, same for the security policies, even ISA Server 2000 which i use as the firewall is fine with the new host name. which is odd, because typically changing the host name on a well configured isa server makes isa first try to access things from the old host name, and then it defaults to the new host name, which makes it still work. just when loading the mmc it lags a bit while it finds the proper host name to connect to....but in this case it's fine.
and yes it is windows 2000 server. but it's not a domain controller nor does it have active directory installed. it's just a single machine, no network, nothing, i just run test apps and trial apps, develop programs on it, etc. it's basically my own personal computer though.
the only noticeable error messages i got were, just before the name change in my System Log

Source: DCOM
Category: None
Event: 10005
User: Admon
Computer: PDC
DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service NISUM with arguments "-Service" in order to run the server:

Admon, is the Administrator account. i just renamed it.
i got about 30 error messages like this. and afterwards the log files would show "Computer: Y9V703" for everything.

hmmmm, now that i think about it. probably the only big change i made to the system on that day was to uninstall vmware workstation 4 for windows. could that have caused the problem? all the nt services were shut off and turned to manual when i uninstalled vmware. damn it, i think that might have been it. it's the only thing that makes sense now..... :-( arrggg!!!!

Assisted Solution

dyerseve earned 80 total points
ID: 9637517
Do you have Norton Internet Security installed or Norton Personal Firewall?
The NISUM seems to be a NIS service that is not starting...
All the services are set to manual? That's very odd...

Well the first troubleshooting step is always, what changed?
But I can't imagine VMWare would do all this damage on its way out, I've installed and uninstalled it a number of times, never had any catastrophic problems like this.

I'm sure you've done a full system scan, if not try that. Also, NAVCE only updates weekly, if you want the absolute latest definitions go to: www.sarc.com and download the intelligent updater and run that on your server if the definitions don't match the definition date on www.sarc.com

You said the name in the computer identification tab is still PDC, if you click on the "more..." button is the NETBIOS name "Y9V703" ? Is it possible you just never noticed this was the NETBIOS name? Do previous logs have PDC as the computername? Can we pinpoint when it changed?

I'm asking more questions than answering sorry. ;p

Author Comment

ID: 9639810
not all services are set to manual. just the vmware ones i wasn't using before i uninstalled it.
i don't have norton internet security or personal firewall because this is a server os.
my anti virus is set to update everyday.
what is the nis service anyways?
yes i can pinpoint EXACTLY when the change happened. i just don't know why it happened. if i look in my log files, everything is logged to PDC, and then the next day. everything starts getting logged to Y9V703.

Expert Comment

ID: 9641455
About the updates, even if you set NAVCE to update hourly, Symantec only puts weekly definitions on their NAVCE update servers. Read here to find out how to use an ftp script to change that:

But that still doesn't resolve your query... Is there a problem with just changing it back and seeing if anything else strange happens?
If you fear an unknown (by symantec) trojan or virus, I would do the following:
Check your services, sort them by "Description"; most added services have no description. Take note of the names of the services, and perhaps post them here if you are unsure of any of them.
Then run msconfig, click on startup tab, verify that everything there is something that you know is supposed to run at startup.
Run windowsupdates, make sure you have all critical updates. The DCOM (blaster) vulnerability is still one of the better script kiddie tools to break into a system, so just make sure you are patched up.

Then open Task Manager and verify that everything running there is a program you recognize.
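The four-step checklist above (unknown services, startup entries, patch level, running processes), as an added PowerShell example that is not from this thread. It assumes a current Windows host with PowerShell 5.1 or later (the Windows 2000 box in the thread has no PowerShell); the "binary outside the Windows and Program Files trees" heuristic is my addition, not the expert's suggestion.

```powershell
# Added example, not from the thread: the expert's triage checklist as PowerShell.
# Assumes PowerShell 5.1+ on a current Windows host. The "unexpected location"
# heuristic is mine; a service with no description AND a binary outside these
# roots deserves a closer look, but either trait alone is only a hint.
$expectedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Get-SuspectService {
    # Step 1: services with no description or with a binary outside the usual roots.
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        # PathName is either "C:\path with spaces\x.exe" -args or C:\path\x.exe -args
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
               else { ($svc.PathName -split ' ')[0] }
        $reasons = @()
        if ([string]::IsNullOrWhiteSpace($svc.Description)) { $reasons += 'no description' }
        if ($exe -and -not ($expectedRoots | Where-Object { $exe -like "$_\*" })) {
            $reasons += 'binary outside Windows/Program Files'
        }
        if ($reasons) {
            [pscustomobject]@{
                Name = $svc.Name; State = $svc.State; StartMode = $svc.StartMode
                Binary = $exe; Reason = ($reasons -join '; ')
            }
        }
    }
}

function Get-StartupEntry {
    # Step 2: the msconfig "Startup" tab, with the Run key / folder each entry lives in.
    Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User
}

function Get-UnexpectedProcess {
    # Step 4: Task Manager view, narrowed to processes running from outside the roots.
    Get-Process | Where-Object { $_.Path } | Where-Object {
        $p = $_.Path
        -not ($expectedRoots | Where-Object { $p -like "$_\*" })
    } | Select-Object Name, Id, Path
}

# Step 3: patch state. A long gap since the newest hotfix is the thing to notice.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, InstalledOn | Format-Table -AutoSize

Get-SuspectService    | Format-Table -AutoSize
Get-StartupEntry      | Format-Table -AutoSize
Get-UnexpectedProcess | Format-Table -AutoSize
```

Run it from an elevated prompt so every service path and process path is readable; anything listed by Get-SuspectService is a name to research, not a verdict.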

Author Comment

ID: 9641746
i am familiar with all the services that are running. i did research a while ago to see what each service does, what ports it uses and if i need it to have internet access. lots of the ports that the symantec discovery service uses i block using the firewall. no need for my av server to look for clients on the internet. also the intel pds service is blocked at the firewall, and lots of others that i have configured.
now, i just uninstalled the dns, dhcp and cert services from the computer. no change, but it seems that it's not my host name that's been changed, it's only the netbios name. so that's a plus, but again, the netbios name i originally specified when i installed the operating system was PDC. why it changed, i still don't know. and why does the windows event viewer use the netbios name instead of the host name, i don't know....lol
but i think i'm gonna just finalize the answer soon. i'll give most marks to sunray_2003, and assistant marks to dyerseve.

can anyone tell me though how to change the netbios name? when i go to the properties for my computer, click the network identification tab, click properties, click more, the netbios name is greyed out and i can't change it. any other way?

Expert Comment

ID: 9641792
Change the computername to something else, then change it back, then the NETBIOS name should match.
If that fails, there is probably a way to change it in the registry, let me know.
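The situation the last few comments describe (TCP/IP hostname still PDC, NetBIOS name Y9V703, every event written under the new name from one day onward), as an added PowerShell example that is not from this thread. It reads the registry values where Windows keeps each name, reports whether they agree, and walks the System log newest to oldest to find the boundary where the recorded machine name changes, which is how you would pinpoint the change the way the poster did. It assumes a current Windows host with PowerShell 5.1 or later.

```powershell
# Added example, not from the thread. Assumes PowerShell 5.1+ on a current Windows host.
function Get-ComputerNameView {
    # Where Windows keeps "the computer name". Active vs pending NetBIOS names differ
    # only between a rename and the next reboot; the TCP/IP hostname is separate, which
    # is why the GUI can still say PDC while the event log says Y9V703.
    $cn  = 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName'
    $tcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $names = [ordered]@{
        ActiveNetBiosName  = (Get-ItemProperty "$cn\ActiveComputerName").ComputerName
        PendingNetBiosName = (Get-ItemProperty "$cn\ComputerName").ComputerName
        TcpipHostname      = (Get-ItemProperty $tcp).Hostname
        TcpipNVHostname    = (Get-ItemProperty $tcp).'NV Hostname'
    }
    # Names are case-insensitive, so compare them upper-cased; consistent means all four agree.
    $distinct = @($names.Values | ForEach-Object { "$_".ToUpper() } | Select-Object -Unique)
    $names['Consistent']          = ($distinct.Count -eq 1)
    $names['EventLogMachineName'] = (Get-WinEvent -LogName System -MaxEvents 1).MachineName
    [pscustomobject]$names
}

function Find-MachineNameChange {
    param([string]$LogName = 'System', [int]$MaxEvents = 20000)
    # Get-WinEvent returns newest first. Walk back until the MachineName recorded on an
    # event differs from the one on the newest event; that boundary is the rename.
    $newest = $null
    $prev   = $null
    foreach ($e in Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents) {
        if ($null -eq $newest) { $newest = $e.MachineName }
        if ($e.MachineName -ne $newest) {
            return [pscustomobject]@{
                NewName                = $newest
                OldName                = $e.MachineName
                LastEventUnderOldName  = $e.TimeCreated
                FirstEventUnderNewName = $prev.TimeCreated
            }
        }
        $prev = $e
    }
    return $null   # no change within the events examined; raise -MaxEvents or try another log
}

Get-ComputerNameView   | Format-List
Find-MachineNameChange | Format-List
```

If the event log has been cleared since the rename, Find-MachineNameChange returns nothing and the registry view is all you have left to go on.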
