Possible Virus Problem
Posted on 2003-11-17
I have a customer who has a Windows 2000 Server w/SP4 that was originally having a problem with Backup Exec. After rebooting the server, I could get into Backup Exec and I performed a test backup successfully. When their nightly backup runs, it fails (nothing gets backed up). Upon further investigating, I have found the following issues with the server:
1. Can't access the properties of the Local Area Connection; it gives the message "An unexpected error has occurred."
2. In Internet Explorer, if I click on Help, About it does not show what version of IE it is.
3. If I go into Add/Remove programs, it doesn't show anything listed.
4. When I checked the processes that are running, I saw one in particular, WINCFGMAN32.EXE, whose utilization would spike somewhere between 75% and 90%, go to zero, spike again, go to 0, and so on, so the CPU utilization looks like a rollercoaster. I found WINCFGMAN32.EXE in C:\WINNT\SYSTEM32; however, I get zero hits when I search Google, zero hits on Microsoft, and zero hits on Symantec. I tried to end the process but it said "Access denied."
5. Network Monitor won't run, can't find NETMON.EXE.
6. If I click on Start, Find, the search window doesn't open; nothing happens.
7. If I go into Device Manager and double-click on a device, the property window does not appear. If I then try to close Device Manager, I get a message stating that Device Manager can't close until all of the property windows are closed.
8. I can't run Windows Update.
9. Symantec Antivirus Corporate Edition 8.1 real-time protection does not run and if I try to open SAVCE it opens for about 2 seconds then goes away. Sometimes if I'm not quick enough the password prompt for SAVCE will disappear before I've had a chance to type in the whole password.
10. If I go to Microsoft's Knowledge Base and try to select a specific product to search, the product list is blank.
11. The customer has a LAN modem which for the last few days has not been working most of the time. I'm not sure if it's related to the server problems or not. I had previously tried running the virus detection program from Symantec's web site but it never did run.
All users can login fine and access their data and print to the network plotter which prints through the server. I have run the virus removal tools for Blaster, Sobig, Swen and Welchia and each found zero instances of those viruses. I'm figuring it's most likely a virus problem.
If anyone has heard anything about the file WINCFGMAN32.EXE, please let me know. If you have any thoughts, ideas, etc. I would greatly appreciate hearing your input.
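The core question in the post is how to establish what an unknown executable living in the system directory actually is. The script below is an added example, not something from the original post or any of the vendors it mentions; it collects the facts a responder would want before deciding whether a file is hostile: hash, Authenticode signature status, version resource, timestamps, the processes running from it, and the service entries and Run keys that reference it. It assumes a current Windows host with PowerShell 5 or later (PowerShell did not exist when this post was written, so on the Windows 2000 box in question the same facts would have to be gathered with other tools). The file name WINCFGMAN32.EXE and the System32 location come from the post; everything else is an assumption.

```powershell
# Added triage example (not from the original post). Assumes PowerShell 5+.
# $Path defaults to the file named in the post; the directory is the
# modern equivalent of C:\WINNT\SYSTEM32.
param(
    [string]$Path = "$env:SystemRoot\System32\WINCFGMAN32.EXE"
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Host "File not found: $Path"
    return
}

$item = Get-Item -LiteralPath $Path

# 1. Static facts about the file itself. An unsigned binary with an empty
#    version resource sitting in System32 is not proof of malware, but it is
#    the first thing to compare against a known-good copy of the OS.
[pscustomobject]@{
    Path        = $item.FullName
    SizeBytes   = $item.Length
    CreatedUtc  = $item.CreationTimeUtc
    ModifiedUtc = $item.LastWriteTimeUtc
    SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    Signature   = (Get-AuthenticodeSignature -LiteralPath $Path).Status
    Company     = $item.VersionInfo.CompanyName
    Description = $item.VersionInfo.FileDescription
} | Format-List

# 2. Processes whose image is this file. Process.Path is null for some
#    protected processes, so guard against it before comparing.
Get-Process |
    Where-Object { $_.Path -and ($_.Path -ieq $item.FullName) } |
    Select-Object Id, ProcessName, StartTime, Path

# 3. Persistence: services whose command line references the file name.
$escaped = [regex]::Escape($item.Name)
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match $escaped } |
    Select-Object Name, State, StartMode, PathName

# 4. Persistence: the common Run / RunOnce keys.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata
        if ("$($p.Value)" -match $escaped) {
            "{0}\{1} = {2}" -f $key, $p.Name, $p.Value
        }
    }
}
```

Run it from an elevated prompt so the service and HKLM queries succeed. The useful output is the combination: a file with no publisher signature, no version information, a recent creation time, a service or Run entry pointing at it, and a process the operator cannot terminate is a much stronger case than any one of those facts alone, and the SHA-256 gives you something concrete to submit to the antivirus vendor instead of a bare file name.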