April 27th, 2007, 01:05 PM
#1 (Ultimate Member)
Join Date: Oct 2001 Location: Reno, NV
Posts: 1,598
Help Needed identifying Virus or Trojan
Hello,
I have a system that I am working on. It is a Windows 2000 server with SP4 and it has been infected by something.
Symptoms.... upon booting the computer and having it disconnected from the network, the computer runs fine but there is a rogue process in the task manager. It is a six-alphanumeric .exe file, but it changes every time the computer is restarted. Also, when doing a search, the file shows up in the temp directory on the C: drive. Once the computer is plugged into the network, after about 5 minutes or so it becomes slow and eventually locks up and only a hard reboot gets it back.
The computer does have the Trend Micro antivirus enterprise software on it but it can't find anything when doing a scan with updated virus definitions. I have also run Ad-Aware, Spybot and HijackThis but they did not get rid of it. I have been able to do some research but I just can't pinpoint which virus or trojan it is. I believe very strongly that it is taking advantage of a DCOM vulnerability in Windows 2000 that has gone unpatched.
So, has anyone run into these symptoms before and know what virus this is?
Oh, one more thing. The file in the temp folder that is created has an icon that looks like a Scottish terrier.
Thanks for any help.
__________________
"Life moves pretty fast, if you don't stop to look around once in a while, you could miss it." -FB
April 27th, 2007, 02:15 PM
#2 (Ultimate Member)
Join Date: Oct 2001 Location: Texas
Posts: 1,102
Quote:
Oh, one more thing. The file in the temp folder that is created has an icon that looks like a Scottish terrier.
Do you have WinPatrol on this computer? http://answers.google.com/answers/threadview?id=568868
Quote:
- WinPatrol
"WinPatrol uses a heuristic approach to detecting attacks
and violations of your computing environment. Traditional
security programs scan your hard drive searching for
previously identified threats. WinPatrol takes a snapshot
of your critical system resources and alerts you to any
changes that may occur without your knowledge." http://www.winpatrol.com/
This program loads with Windows and sits in the system
tray, offering many features. The most noticeable are
when Scotty, the Scottish Terrier, barks to alert you
that a new program has been added to the Windows Startup
sequence, either in the registry or the Startup Folder.
Since one of the ways that viruses multiply themselves
is to add an entry to Windows Startup, this is a very
valuable program. You can immediately deny any program
from placing a startup entry.
You can also use the program by double-clicking on the
tray icon. Scotty will bark in response, and you'll
have access to several tabs of options, including
viewing Startup Programs, Active Tasks, IE Helpers,
Cookies, and much, much more.
Scotty can also be set to monitor any changes made to
your HOSTS file. Much more on this later.
April 27th, 2007, 03:05 PM
#3 (Ultimate Member)
Join Date: Oct 2001 Location: Reno, NV
Posts: 1,598
No, WinPatrol is not loaded on the computer.
Thanks for the reply.
April 27th, 2007, 03:58 PM
#4 (Mean Moderator)
Join Date: Oct 2001 Location: N of Music City, USA
Posts: 7,791
You may need to try another scanner like McAfee Stinger since your software may have been disabled by the virus.
You might also want to try Spy Sweeper.
Make sure 'System Restore' is disabled before running either of these. Hell, I'd just turn it off for good really.
__________________
This signature intentionally left blank.
April 28th, 2007, 03:07 AM
#5 (Ultimate Member)
Join Date: Oct 2001 Location: Reno, NV
Posts: 1,598
Thanks for the replies. I found out that the little file I was worried about is actually part of the TrendMicro antivirus app. But it seems the problems I was having have gone away. I ran Wireshark for a bit and saw that the server was trying to get to a website. After doing some research I found out that it was a trojan and how to get rid of it. The trojan was a process called w2symtec.exe. So, all is well.
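The two findings in this thread (post #1: a six-character random .exe name running from a temp directory; post #5: that file turned out to belong to the antivirus product, while the real problem was a differently named process making outbound web connections) are a good illustration of why a host triage heuristic needs both a scoring side and an allowlist side. The script below is an added example written for this thread; it is not code from any of the posters or from Trend Micro, WinPatrol, Wireshark or any other tool named above. The process snapshot, publisher names, paths and remote endpoints are all constructed (documentation-range IP addresses), and the shape of a row (pid, image name, full path, signing publisher, outbound endpoints) is an assumption about what you would assemble from a task list, a signature check and a netstat-style connection listing.

```python
"""Host triage heuristic over a constructed process snapshot.

Added illustration for the thread above; not code from the thread's posters
or from any vendor tool. Every row in SNAPSHOT is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Six alphanumeric characters followed by .exe: the naming pattern post #1 describes.
RANDOM_NAME = re.compile(r"^[a-z0-9]{6}\.exe$", re.IGNORECASE)

# Publishers whose Authenticode-signed images are trusted on this host (constructed list).
TRUSTED_PUBLISHERS = {"Microsoft Corporation", "ExampleAV Inc. (constructed)"}


@dataclass
class Proc:
    pid: int
    name: str
    path: str
    publisher: str        # "" when the image is unsigned (assumed field)
    remote: List[str]     # outbound "ip:port" endpoints owned by this pid (assumed field)


def runs_from_temp(path: str) -> bool:
    """True when a directory component of the image path is named temp or tmp."""
    parts = path.lower().replace("/", "\\").split("\\")
    return any(p in ("temp", "tmp") for p in parts[:-1])


def score(proc: Proc) -> Tuple[int, List[str]]:
    """Weighted indicators; none of them is conclusive on its own."""
    points, reasons = 0, []
    if RANDOM_NAME.match(proc.name):
        points += 2
        reasons.append("six-character random image name")
    if runs_from_temp(proc.path):
        points += 2
        reasons.append("image runs from a temp directory")
    if not proc.publisher:
        points += 1
        reasons.append("image is unsigned")
    if proc.remote:
        points += 1
        reasons.append(f"{len(proc.remote)} outbound connection(s): {', '.join(proc.remote)}")
    return points, reasons


def verdict(proc: Proc) -> Tuple[str, List[str]]:
    """Allowlist first (post #5's false positive), then threshold the score."""
    points, reasons = score(proc)
    if proc.publisher in TRUSTED_PUBLISHERS:
        return "allowlisted", reasons + [f"signed by trusted publisher {proc.publisher}"]
    if points >= 3:
        return "suspicious", reasons
    if points > 0:
        return "review", reasons
    return "clean", reasons


def triage(procs: List[Proc]) -> Dict[int, str]:
    """Map pid -> verdict for a whole snapshot."""
    return {p.pid: verdict(p)[0] for p in procs}


# Constructed snapshot. Paths, publishers and endpoints are illustrative only;
# w2symtec.exe is the name from post #5, its path here is an assumption.
SNAPSHOT = [
    Proc(1204, "ab3k9z.exe", r"C:\Temp\ab3k9z.exe", "ExampleAV Inc. (constructed)", []),
    Proc(1880, "w2symtec.exe", r"C:\WINNT\system32\w2symtec.exe", "", ["203.0.113.10:80"]),
    Proc(1020, "svchost.exe", r"C:\WINNT\system32\svchost.exe", "Microsoft Corporation", ["192.0.2.5:445"]),
    Proc(2312, "q7m2xp.exe", r"C:\WINNT\Temp\q7m2xp.exe", "", ["198.51.100.7:80"]),
]

if __name__ == "__main__":
    for p in SNAPSHOT:
        v, why = verdict(p)
        print(f"pid {p.pid:>5} {p.name:<14} {v:<11} " + "; ".join(why))
```

Run as-is it prints one line per process. The random-named temp file from a trusted publisher comes out "allowlisted", which is exactly the case post #5 ran into; the unsigned process with an outbound connection lands in "review" rather than "suspicious", because a name heuristic cannot convict it and, as in the thread, the packet capture is what settles it. Adjust the weights and the publisher list to the host you are looking at; the point is that the two checks are separate and the allowlist is consulted before the score.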
October 3rd, 2008, 09:50 PM
#6 (Junior Member)
Join Date: Oct 2008
Posts: 1
Help
I have that on several of my servers, I have done an extensive search on w2symtec.exe and could not find any info on how to fix it.
Can you please post a little more info on how you fixed it?