Windows 2000 viruses and security

  1. #1
    Registered User
    Join Date
    Sep 2001
    Location
    south of sanity
    Posts
    473

    Windows 2000 viruses and security

    A bit of a strange problem this one, we have an old fileserver running Windows 2000 Server at the office, however the software we need has been written to run with IE6 (yeah I know it's a bad idea) so we can't upgrade it or install any service packs.

    Now this machine has become infected and I need to find some form of security for it - Symantec AV detects and cleans the viruses but they instantly return. Two files called msudp32.exe and ms18_word.exe are the infected ones, there are probably more.

    I've tried malware scanners and fix tools but these things just keep coming back through the security holes in the software. I wanted to install a firewall on it but Comodo and ZoneAlarm only offer XP/Vista versions.

    Any suggestions would be appreciated (formatting is not an option and we can't upgrade it either as our antiquated software will not function).
    Last edited by buksida; August 3rd, 2009 at 03:17 AM.

  2. #2
    Registered User Niclo Iste's Avatar
    Join Date
    Oct 2007
    Location
    Pgh, PA
    Posts
    2,051
    From what I'm reading this is a Trojan downloader that is part of malware. My first questions are: Have you installed, updated, and run Malwarebytes? My second would be: have you tried Combofix? The only other thing I could possibly think of is trying Trend Micro's Sysclean. Just remember to do the cleaning in safe mode.
    One Script to rule them all.
    One Script to find them.
    One Script to bring them all,
    and clean up after itself.

  3. #3
    Registered User slgrieb's Avatar
    Join Date
    Feb 2003
    Posts
    4,103
    I'd schedule some down time for the machine so you can connect the drive to a machine running a full set of removal tools and scan it from there.

  4. #4
    Registered User Niclo Iste's Avatar
    Join Date
    Oct 2007
    Location
    Pgh, PA
    Posts
    2,051
    Since slgrieb suggested the slaving of it and scanning I'd agree. My first inclination was that too but I thought I was being too rash.
    One Script to rule them all.
    One Script to find them.
    One Script to bring them all,
    and clean up after itself.

  5. #5
    Registered User geoscomp's Avatar
    Join Date
    Apr 2002
    Location
    Minnesota
    Posts
    2,340
    After you get it clean, you can get an archived version of ZoneAlarm that will work with W2K here:
    http://www.oldapps.com/zonealarm.php
    Computer Rescue Service

    "those who do not remember history are condemned to repeat it."

  6. #6
    Registered User
    Join Date
    Sep 2001
    Location
    south of sanity
    Posts
    473
    Thanks for the replies. I've tried Malwarebytes but it crashed on install. I've run Housecall from Trend Micro and it cleans it but the following day they're all back again, specifically this msudp32.exe. Combofix told me the OS was incompatible.

    Not a bad idea to pop the disk out and scan in a clean machine too.

    Thanks for the ZA link, I'll install that once it's clean and hope it keeps them out.
    Last edited by buksida; August 4th, 2009 at 12:44 AM.

  7. #7
    Registered User
    Join Date
    Sep 2001
    Location
    south of sanity
    Posts
    473
    Quick update on this as it managed to infect our entire network of XP machines (barring a couple). Symantec AV is a waste of space as it failed to prevent or clean this infection, however Malwarebytes did the trick. It's just a shame there isn't a W2K version.

    My only choice is to pull the disk out but I can't shut the machine down until the weekend - in the meantime it continues to get hammered by these little bast@#$ds, the latest being msconfigs.exe and sexpants.exe.

  8. #8
    Registered User
    Join Date
    Sep 2001
    Location
    south of sanity
    Posts
    473
    The saga continues, all else failed so I set up a temporary backup file server and IIS for them to use and proceeded to take the hard disk out of the primary server today.

    Problem: it's a SCSI disk so I can't simply pop it into another machine for a scan.

    I have updated to the latest service pack for 2K (4) and installed ZoneAlarm 6.5 but yet they come (ZA does tell me what's going on now though).

    Any further suggestions on cleaning this badboy greatly appreciated.

    Edit: Update - Malwarebytes finally managed to install and clean out most of the crap, ZA blocked the nasties from accessing the net also, a few scans and re-boots and it seems to be clean for now. The problem now is the trojan has filled the C drive up and I don't know where it's put the files or what they are. Is there any way to find out or is there any handy file utility I can run on it to show me files added by date or files by size instead of the traditional tree view?
    Last edited by buksida; August 7th, 2009 at 04:15 AM.
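
Added example, not part of the original thread: one way to answer the closing question in post #8, listing files by date and size instead of browsing the tree. It assumes a Python 3 interpreter on whichever machine can read the volume; `scan_tree` and `report` are names chosen here, and the output is a list of candidates to review, not a malware verdict.

```python
import os
import time
from collections import defaultdict


def scan_tree(root, since_epoch):
    """Collect files under root created or modified at/after since_epoch.

    Returns (files, dir_totals): files is a list of (size, newest_time, path)
    sorted largest first; dir_totals maps a directory to the bytes of
    matching files directly inside it.
    """
    files = []
    dir_totals = defaultdict(int)
    # os.walk silently skips directories it cannot list
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # locked, vanished or access denied
            # On Windows st_ctime is the creation time (on Unix it is the
            # inode change time), so a dropped file with a back-dated
            # modification time still shows up.
            newest = max(st.st_mtime, st.st_ctime)
            if newest >= since_epoch:
                files.append((st.st_size, newest, path))
                dir_totals[dirpath] += st.st_size
    files.sort(reverse=True)
    return files, dict(dir_totals)


def report(root, days=14, top=20):
    """Text report: heaviest directories, then largest recent files."""
    files, totals = scan_tree(root, time.time() - days * 86400)
    lines = ["Directories by bytes in files changed in the last %d days:" % days]
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    lines += ["%12d  %s" % (size, d) for d, size in ranked[:top]]
    lines.append("Largest recent files:")
    for size, when, path in files[:top]:
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(when))
        lines.append("%12d  %s  %s" % (size, stamp, path))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("C:\\", days=14))  # constructed default: the whole C: volume
```

Directories that dominate the first list and were not touched by any known install or backup job are the ones to inspect first.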
