We've been fighting a major virus problem for several days now.
The closest thing we have found that matches our symptoms is a virus found on Sophos called W32/Rbot-II, http://www.sophos.com/virusinfo/analyses/w32rbotii.html
Unfortunately, we have been unsuccessful in our attempts to remove this (if it is truly the problem) virus/worm.
Here are the details on our problem:
Windows 2000 Server with Exchange 2003
McAfee Groupshield and Netshield running with latest engine and DAT
All Microsoft critical updates have been installed.
1) IPC$, ADMIN$ shares disappear. When re-shared they disappear after about 2 minutes.
2) Exploring network resources (network neighborhood) causes the error "Server not configured for transactions" for all computers on the network.
3) HTTP traffic on our LAN degrades after about 5 minutes. First style sheets are lost, then entire pages. HOWEVER, Google and MSNSearch will continue to work and no they are not cached pages. In fact, all things Google are available via HTTP.
4) Upon disconnecting the server's network cable, HTTP access is immediately restored to the entire LAN. Plug it back in and traffic stops after about 5 minutes or so.
5) The program "Sygate.exe" is found in the following registry keys:
Whenever these keys are deleted they are restored after about 30 seconds. This happens without closing the registry editor. ALSO, there is no file by the name "sygate.exe" on the server, nor have we ever installed a Sygate firewall.
6) After some time, McAfee NetShield will be disabled. Groupshield is unaffected.
7) Does not appear to be related to our Exchange 2003 software. We have disabled all services related to Exchange, plugged the network cable back into the jack and after about 5 minutes the LAN begins to lose HTTP access. Shares still disappear.
Corrective steps that have failed:
1) Virus scanners: We've run nearly every one you can think of in both normal and safe modes. We've disabled services for NetShield before running other software. Scanners we have run include Sophos, Panda, Symantec, AVG both online versions and downloaded trial versions.
2) Worm Removal Tools: Have run numerous removal tools with no success.
3) At one point, Panda's online scanner found the virus GAOBOT.GEN and removed it from three files. This corrected the problem UNTIL we rebooted the server. The problem came right back and Panda can no longer find GAOBOT.
4) Adaware does not remove it.
5) From time to time, scanners have found GAOBOT, NETSKY and some others I don't remember the names of.
6) Workstations are periodically probed for the LSASS exploit vulnerability. Also, the I/Frame vulnerability has been tested by something trying to access the server. These two problems were caught and stopped by Panda's network based virus software.
So, there you have it. It's a tough one. Been through all manner of Experts Exchange posts and what feels like 10,000 different scanning sessions and it's still there.
HELP! Relieve this burden from me all ye Experts so wise.
Save me from a total system rebuild (though by now we would have been better off had we done that).
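The registry symptom in point 5 (an autorun value naming an executable that is not on disk, and that comes back within seconds of being deleted) is the most useful thing in the post for a defender to check methodically rather than by hand. As an added example, not from the original post or from any product named in it, the script below parses a `regedit /e` export of an autorun key, flags values whose executable cannot be found on disk, and reports which values an administrator deleted that are present again in a later export. The key path, value names and file paths in the embedded sample are constructed for illustration; the `exists` parameter defaults to a real file check and can be swapped for a stub when testing off the affected machine.

```python
"""Added example (not from the original post): find orphaned autorun entries
in a .reg export and detect values that reappear after deletion."""
import os
import re

# Constructed sample of what `regedit /e run.reg <key>` might export.
# The key path, the "Sygate Personal Firewall" value name and both file paths
# are assumptions made for this example, not values from the original post.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sygate Personal Firewall"="C:\\WINNT\\system32\\sygate.exe"
"McAfee"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Return (key, value_name, data) for every string value in a .reg export."""
    entries = []
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            # .reg files escape embedded quotes and backslashes; undo that.
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            entries.append((key, m.group("name"), data))
    return entries


def image_path(data):
    """Extract the executable path from an autorun command line."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted: take everything up to the first ".exe", else the first token.
    m = re.match(r'(.+?\.exe)(\s|$)', data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]


def orphaned_autoruns(text, exists=os.path.exists):
    """Autorun values whose executable is missing from disk (the symptom in point 5)."""
    return [(key, name, image_path(data))
            for key, name, data in parse_reg_export(text)
            if not exists(image_path(data))]


def restored_values(export_after_delete, deleted):
    """Given (key, name) pairs the admin deleted and an export taken ~30 s later,
    return those that are present again, which points to a watchdog process."""
    present = {(key, name) for key, name, _ in parse_reg_export(export_after_delete)}
    return sorted(present & set(deleted))


if __name__ == "__main__":
    for key, name, path in orphaned_autoruns(SAMPLE_REG_EXPORT):
        print(f"orphaned autorun: [{key}] {name!r} -> {path} (file not found)")
```

On the affected server the workflow would be: export the Run keys with `regedit /e`, run the script against the export, delete the flagged values, export again after half a minute and feed both the deleted list and the new export to `restored_values`. A value that comes back with no file on disk behind it tells you the restoring process is running from somewhere other than the path it advertises, which is the next thing to track down.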