Super stubborn virus/worm problem, possibly W32/Rbot-II

Posted on 2004-09-13
Medium Priority
Last Modified: 2011-10-03
We've been fighting a major virus problem for several days now.  

The closest thing we have found that matches our symptoms is a virus found on Sophos called W32/Rbot-II,

Unfortunately, we have been unsuccessful in our attempts to remove this (if it is truly the problem) virus/worm.

Here are the details on our problem:

Windows 2000 Server with Exchange 2003
McAfee Groupshield and Netshield running with latest engine and DAT
All Microsoft critical updates have been installed.

1) IPC$, ADMIN$ shares disappear.  When re-shared they disappear after about 2 minutes.

2) Exploring network resources (network neighborhood) causes the error "Server not configured for transactions" for all computers on the network.

3) HTTP traffic on our LAN degrades after about 5 minutes.  First style sheets are lost, then entire pages.  HOWEVER, Google and MSNSearch will continue to work and no they are not cached pages.  In fact, all things Google are available via HTTP.

4) Upon disconnecting the server's network cable, HTTP access is immediately restored to the entire LAN.  Plug it back in and traffic stops after about 5 minutes or so.

5) The program "Sygate.exe" is found in the following registry keys:

    Whenever these keys are deleted they are restored after about 30 seconds.  This happens without closing the registry editor.  ALSO, there is no file by the name "sygate.exe" on the server, nor have we ever installed a Sygate firewall.

6)  After some time, McAfee NetShield will be disabled.  Groupshield is unaffected.

7)  Does not appear to be related to our Exchange 2003 software.  We have disabled all services related to Exchange, plugged the network cable back into the jack and after about 5 minutes the LAN begins to lose HTTP access.  Shares still disappear.
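Symptom 5 above (Run-key values naming an executable that no normal search can find, and that come back seconds after being deleted) is the kind of thing an autorun audit catches before anyone notices shares vanishing. The script below is an added example and is not from the poster or from any product named in the thread: it parses a registry export in regedit's own "Export" format, pulls every value under a key ending in `\Run`, and flags entries whose executable is either absent from a disk listing or lives under Recycler or a Temp folder. The registry text, the value names and the disk listing are constructed sample data; the `VsTskMgr` entry is only there to show a benign entry passing.

```python
"""Audit Run-key autorun entries from a .reg export (added example).

Flags values whose executable cannot be found on disk, or which run from a
folder a legitimate autorun would not use.  All sample data is constructed.
"""
import re
from dataclasses import dataclass

# Constructed export in regedit "Windows Registry Editor Version 5.00" layout.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VsTskMgr"="C:\\Program Files\\Network Associates\\VirusScan\\VsTskMgr.exe"
"Sygate Personal Firewall"="sygate.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="\"C:\\RECYCLER\\winupdate.exe\" -s"
'''

# Constructed listing of files actually present on disk (case-insensitive).
SAMPLE_DISK_FILES = {
    r"c:\program files\network associates\virusscan\vstskmgr.exe",
    r"c:\recycler\winupdate.exe",
}

# Folders from which a legitimate autorun entry would not normally run.
SUSPICIOUS_DIRS = ("\\recycler\\", "\\temp\\", "\\temporary internet files\\")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')
EXE_RE = re.compile(r"(.*?\.(?:exe|com|bat|scr))(?:\s|$)", re.IGNORECASE)


@dataclass
class AutorunEntry:
    key: str
    name: str
    command: str


@dataclass
class Finding:
    entry: AutorunEntry
    reason: str


def _unescape(value):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_run_keys(reg_text):
    """Return every string value found under a key whose name ends in \\Run."""
    entries, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        val_match = VALUE_RE.match(line)
        if val_match and current_key and current_key.lower().endswith("\\run"):
            entries.append(AutorunEntry(current_key, val_match.group(1),
                                        _unescape(val_match.group(2))))
    return entries


def executable_of(command):
    """Extract the program path from a command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    exe_match = EXE_RE.match(command)
    if exe_match:
        return exe_match.group(1)
    return command.split()[0] if command else ""


def audit_autoruns(reg_text, disk_files):
    """Cross-check each autorun executable against what is really on disk."""
    disk = {p.lower() for p in disk_files}
    findings = []
    for entry in parse_run_keys(reg_text):
        exe = executable_of(entry.command).lower()
        if "\\" in exe:
            candidates = [exe] if exe in disk else []
        else:  # bare name: look for any file on disk with that basename
            candidates = [p for p in disk if p.rsplit("\\", 1)[-1] == exe]
        if not candidates:
            findings.append(Finding(entry, f"{exe!r} not found on disk"))
            continue
        for path in candidates:
            if any(d in path for d in SUSPICIOUS_DIRS):
                findings.append(Finding(entry, f"runs from suspicious location {path!r}"))
    return findings


if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_REG_EXPORT, SAMPLE_DISK_FILES):
        print(f"[{f.entry.key}] {f.entry.name}: {f.reason}")
```

On a real system you would feed it `regedit /e` output for the Run keys and a `dir /s /a` listing taken with hidden and system files included; a bare name such as `sygate.exe` with no file of that name anywhere on the listing is exactly the "key refers to nothing we can see" situation the question describes, and a match that resolves into the Recycler is the other half of the story.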

Corrective steps that have failed:

1)  Virus scanners:  We've run nearly everyone you can think of in both normal and safe modes.  We've disabled services for NetShield before running other software.  Scanners we have run include Sophos, Panda, Symantec, AVG both online versions and downloaded trial versions.

2)  Worm Removal Tools:  Have run numerous removal tools with no success.

3)  At one point, Panda's online scanner found the virus GAOBOT.GEN and removed it from three files.  This corrected the problem UNTIL we rebooted the server.  The problem came right back and Panda can no longer find GAOBOT.

4) Adaware does not remove it.

5) From time to time, scanners have found GAOBOT, NETSKY and some others I don't remember the names of.

6) Workstations are periodically probed for the LSASS exploit vulnerability.  Also, the I/Frame vulnerability has been tested by something trying to access the server.  These two problems were caught and stopped by Panda's network based virus software.

So, there you have it.  It's a tough one.  Been through all manner of Experts Exchange posts and what feels like 10,000 different scanning sessions and it's still there.  

HELP!  Relieve this burden from me all ye Experts so wise.  

Save me from a total system rebuild (though by now we would have been better off had we done that).

Question by:chowpok
LVL 38

Expert Comment

ID: 12051127
1. Make sure that your virus definition file is up-to-date.

2. Disable System Restore , then scan all files

3. Following the instructions to delete the value from the registry:

also have a look at "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder":

LVL 12

Expert Comment

ID: 12052832
When you are attempting to remove this,
you should disconnect all your computers from the Internet, and from each other -
physically: make sure your network cable is unplugged.
Go through removal procedures on each computer, probably in safe mode.
If the workstations on your network are running Win XP - disable XP's built-in Firewall
and install a third party firewall (Sygate, ZoneAlarm, Agnitum Outpost, are free) -
XP's built-in firewall is virtually useless at dealing with outbound traffic.
Install a firewall on your workstations no matter what OS they're running.
As yuzh noted above: disable system restore - and make sure
the option to show all files and folders is enabled.
Download and run a2 Anti-Trojan (it's free), update it before you run it:
(it has an option to "destroy" files, which I've had some success with).
Make sure after you have performed removal procedures that you clean out ALL
temp files:
# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
  <=This will delete all your cached internet content including cookies.
  This is recommended and strongly suggested!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
Also, make sure you empty your "Recycle Bin".
When you're searching a computer for suspicious files, make sure you pay attention to prefetch, dllcache, and
all temp folders - some of these things like to hide in these places - but, search the entire computer.
Let us know.

Good luck!

Expert Comment

ID: 12061827
Try using Avast anti-virus; it's free, powerful, customizable and requires low resources. I've used it for years and up to now no virus problems; I check my PC with Norton, no problems.
Author Comment

ID: 12343109
Sorry for the delay in getting back to all of you on this.

Splitting the points is fine with me.  You guys did give it a good try and I appreciate your help.  In fact, cleaning out temp files and such recommended by rossfingal may have eliminated some other problems we were having.  But ultimately, we tracked down the problem discussed here ourselves:

The file is called "SYGATE.EXE".  It cloaks itself as a protected operating system file.  To find it we had to uncheck "Hide protected operating system files" under Windows Explorer/Tools/Options/View, then perform a search starting at C: and include all sub-folders.  We found it located in the folder C:\Recycler.

Getting rid of this thing was a tremendous pain in the bootocks, a point of pride for its creator I'm sure.  Deleting the registry entries mentioned in my original posting (point 5 above) for Sygate did not correct it.  You could actually watch the virus re-write the entries that we had just deleted moments before from the registry.  

No virus scanner we tried ever detected it, including AVAST recommended above.  We tried just about every scanner on the market.

After deleting the file and its attendant registry entries, the system stopped DOS'ing our network and all network shares were restored.  We are now back in business, but at a somewhat compromised state.

After fixing the Sygate problem, we then downloaded and ran the "Microsoft Baseline Security Analyzer 1.2.1".  It found all manner of holes that the normal Windows Update doesn't find.  Apparently, the virus has a facility to fool Windows Update into thinking that certain critical patches have already been installed.

We changed from McAfee NetShield to Symantec Corporate Edition (for our entire network) since NetShield let this stuff through in the first place.  Each day Symantec finds and deletes numerous copies of Netsky variants B, C, D, P and an occasional Beagle.J and W with a MyDoom.M every so often.  All of these are found in the C:\WINNT\TEMP folder.  And yes, we have run all the Symantec worm removal tools in both safe and normal modes and these things still show up.

Now, we're just waiting for a good day to totally wipe this system and start over.

Again, thanks for all of your help.  Hopefully, this will help someone else out there who may run across the same problem.
LVL 38

Expert Comment

ID: 12343712
I think it should be PAQ and refund.



PS: Symantec Antivirus Corporate Edition 8.x can handle the virus.
LVL 12

Accepted Solution

rossfingal earned 2000 total points
ID: 12345782

I agree with yuzh.


Author Comment

ID: 12347203
That's a big 10-4 there good buddies!


Author Comment

ID: 12348713
Just to clarify:  No scanner we tried removed the Sygate.exe virus, including Symantec Corporate 9.  We could only find it manually.  

We did not try Symantec version 8.x.

Expert Comment

ID: 12691971
We have the same issue and are having trouble deleting the files winupdate.exe and sygate.exe in the c:\windows\system32 folder. Even in safe mode we cannot set the attributes to -h (after finding them as system OS files) so we can delete them. Every time we remove all entries from the registry they reappear within minutes.

How do you delete these files?

As of today, Symantec don't have anything on sygate.exe


Author Comment

ID: 12692074
My guess is that you may not be finding all instances of the virus(es).  Our Sygate.exe was hiding out in the Recycler.  

Make sure that you search for the suspect files starting at the root of C and the root of any other logical drives you have on the system.  

Also, IT IS CRITICAL that you have the following settings applied to Windows Explorer before you start searching -- Under Tools/Folder Options/View:

   - Select "Show hidden files and folders"
   - UNSELECT "Hide protected operating system files"

These settings will allow you to see everything once you start searching.

You may also need to stop the process for Sygate.exe before the system will permit deletion.

NOTE:  We never changed any file attributes.  Once we set Windows Explorer properly, the stinking varmint finally revealed itself.

The moment we deleted Sygate from the Recycler folder, the registry stopped being re-written and all was well.  There was much rejoicing!

Hope you will be able to rejoice soon too.

Good Luck!
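The hunt described in the comment above (show hidden files, unhide protected operating system files, then search from the root of every drive) can be done from a script that never consults Explorer's filters at all. The walker below is an added example, not the poster's procedure or any vendor tool: it walks a tree with `os.walk`, which lists hidden and system files regardless of Explorer settings, and reports any file whose name is on a suspect list or that is an executable sitting in a Recycler or Temp folder. On Windows it also records whether the file carries both the HIDDEN and SYSTEM attributes, which is what Explorer's "protected operating system file" filter keys on. The directory tree built by `build_sample_tree()` is constructed sample data; the file names come from the thread.

```python
"""Walk a drive for executables hiding where Explorer would not show them.

Added example, not from the original thread.  The sample tree is constructed.
"""
import os
import stat
import tempfile
from dataclasses import dataclass

EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".bat", ".pif")
# Folder names where an executable has no business living (from the thread).
ODD_DIRS = ("recycler", "recycled", "temp", "temporary internet files")


@dataclass
class Hit:
    path: str          # relative to the scanned root, forward slashes
    reason: str
    hidden_system: bool


def _is_hidden_system(path):
    """True when the file has both HIDDEN and SYSTEM set (Windows only;
    always False elsewhere because those attributes do not exist)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    mask = (getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
            | getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0))
    return mask != 0 and attrs & mask == mask


def hunt(root, suspect_names=()):
    """Return sorted hits for suspect names and executables in odd folders."""
    suspects = {n.lower() for n in suspect_names}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = [p.lower() for p in rel_dir.split(os.sep)]
        odd = next((p for p in parts if p in ODD_DIRS), None)
        for name in filenames:
            lower = name.lower()
            reasons = []
            if lower in suspects:
                reasons.append("name matches known suspect")
            if odd and lower.endswith(EXECUTABLE_SUFFIXES):
                reasons.append(f"executable inside '{odd}' folder")
            if reasons:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append(Hit(rel, "; ".join(reasons), _is_hidden_system(full)))
    return sorted(hits, key=lambda h: h.path)


def build_sample_tree():
    """Create a constructed mini 'C:' layout in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="hunt_demo_")
    layout = {
        "WINNT/system32/notepad.exe": b"MZ benign",
        "WINNT/TEMP/winupdate.exe": b"MZ suspect",
        "RECYCLER/sygate.exe": b"MZ suspect",
        "Documents/readme.txt": b"nothing to see",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for hit in hunt(demo_root, suspect_names=["sygate.exe", "winupdate.exe"]):
        flag = " [hidden+system]" if hit.hidden_system else ""
        print(f"{hit.path}: {hit.reason}{flag}")
```

Run it against `C:\` (and every other logical drive, as the comment says) with the suspect list set to the names you already know; the point of the odd-folder rule is to surface copies you do not yet know the names of, since an executable in the Recycler or a Temp folder deserves a look whatever it is called.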

Expert Comment

ID: 12692920
Thanks for that...worked well and was able to delete the file sygate.exe etc. Removed all entries from the registry, temp folders and recycle bin

Then also ran the Cleanup v312 program as advised and rebooted. Within about 15 mins, sygate was back. FYI...

1. we are installing XP critical updates and latest patches PRE sp2.
2. critical updates on Win2000 with sp4.
3. At the firewall we have blocked 135, 4444 and 888 inbound and outbound...any others you suggest?

Do you think that because there are some infected computers on the network they attempt to re-infect when they detect the PC is back online?

Should we inspect and deal with every computer offline (unplugged from the network)?

Would changing passwords on all computers stop this thing?

I know these are a lot of questions....just wanting to get a precise handle on how you dealt with this problem?



Author Comment

ID: 12693182
I guess it could spread over the network, though we did not experience this problem.  On the other hand, I think you are wise to isolate any machine from the network you think might be infected.  

Make sure you run the Microsoft Baseline Security Analyzer on your server.  It's a super-duper Windows Update that runs locally on your machine instead of over the internet.  You'll find it here:

Some of these viruses fool Windows Update into thinking you have installed patches when in fact you have not.  They're very sneaky.  The Security Analyzer is not fooled.  We discovered numerous patches that were NOT installed, despite the fact that WE RAN Windows Update more times than I care to count.

So, the next steps I would take are:

1.  Download the Security Analyzer.
2.  Disconnect your server from the network.  We pulled the cable (made an "air gap") on ours just to make sure.
3.  Get rid of Sygate.exe again.
4.  Wait a few minutes and see if it comes back.  If it does, keep looking for it.  It's still on your local system somewhere.  You can rule out infection from another machine because the server is disconnected.  
5.  Run the Security Analyzer and patch as indicated.  Of course, to get the patches you're going to need to connect to the Internet.  Would be best if you could do this without other, possibly infected, machines on your network muddying up the waters.  

Once you've got the server cleaned up, you can use the Security Analyzer to scan other machines on your network.  It's very handy.

