After Trojan virus from Windows 2000 server, want to see what data was accessed

Posted on 2004-11-03
Last Modified: 2010-04-14

Just finished removing a trojan virus from a Windows 2000 server on our network; it was sending out 40 Mbs to the Internet.

My question is how do I find out what data was being sent, where it was being sent to and what user was used to do this. Other than re-enabling the virus and using a sniffer to track it, what are some options to explore?

The previous Admin did not enable logging for the Event Viewer.

Question by:twhite25

    Expert Comment

    by:Asta Cu
    Many virus scan providers, such as McAfee and others, have a process where you can send a safely ZIPped file to them for analysis and advice.  McAfee has the Avant and I've used this process; they've been helpful, and it helps add fixes for future definition file updates.  I'd sure be reluctant to re-initiate anything directly.  Might scan the system for some log files related to the process used to find/remove it.  Which program and version is installed?

    Author Comment

    Virus scan software is Symantec Corporate Edition version 8.1; the virus, from what I can determine, is the RBOT.RY WORM.

    Accepted Solution

    Checked McAfee site; wonder if it's related here... was cited in one of their Regional Virus maps as a potential variant.

    Expert Comment

    by:Asta Cu
    Sorry that I could not provide you with "A" level results which you not only deserve to get, but we all strive to deliver.  Can I help you further here to obtain your goal?

