nauman_ahmed
asked on
Windows 2003 Server Datacenter Edition - Fresh Install w/Norton Corporate Antivirus - Can't connect to windows update, antivirus sites.
I have four Dell PowerEdge 2950 Servers with freshly installed Windows 2003 Server R2 Data Center Edition. I have installed Norton Antivirus Corporate edition on the server and updated the virus definition. I missed running Windows update on them and yesterday got an e-mail from our data center that all these four servers appear to be compromised as they are trying to scan the data center dark IP space. I tried the following:
1. Running the netstat -b command shows the following. None of these IP addresses belong to us:
Proto Local Address Foreign Address State PID
TCP Serv01:3325 176.117.30.120:microsoft-ds SYN_SENT 892
Schedule
[svchost.exe]
TCP Serv01:1206 58-27-213-86.wateen.net:microsoft-ds ESTABLISHED 4
[System]
TCP Serv01:1218 193.108.39.51:microsoft-ds ESTABLISHED 4
[System]
2. Running HijackThis shows the following:
Logfile of HijackThis v1.99.1
Scan saved at 3:48:20 PM, on 4/9/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.windowsupdate.com/
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
As of now, I am not able to open microsoft.com, windowsupdate.com, symantec.com, trendmicro.com. I have tried running Windows Defender, Malwarebytes, SuperAntiSpyware and nothing suspicious was found. Please advise.
Thanks.
ASKER
Thanks Surfer :) It was Conficker worm.
Use the netstat -a -b command to get the PID of the offending process.
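Added example (not from this thread or any of its posters): a small Python parser for the netstat -b output format shown in the question and referred to in the last comment. It flags connections from this host to SMB (microsoft-ds, TCP 445) on addresses outside the private ranges and reports the PID and owning service/module for each, which is the indicator the asker's three lines show. The sample input is the asker's three connections, re-spaced, plus one constructed internal RDP connection that should not be flagged.

```python
import ipaddress
import re

# Sample input: the asker's netstat -b lines (re-spaced) plus one constructed
# internal RDP connection (10.0.0.5) to show what is NOT flagged.
SAMPLE_NETSTAT = """\
  Proto  Local Address  Foreign Address                      State        PID
  TCP    Serv01:3325    176.117.30.120:microsoft-ds          SYN_SENT     892
  Schedule
 [svchost.exe]
  TCP    Serv01:1206    58-27-213-86.wateen.net:microsoft-ds ESTABLISHED  4
 [System]
  TCP    Serv01:1218    193.108.39.51:microsoft-ds           ESTABLISHED  4
 [System]
  TCP    Serv01:3389    10.0.0.5:1044                        ESTABLISHED  1200
 [svchost.exe]
"""

CONN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
MODULE_RE = re.compile(r"^\s*\[(.+)\]\s*$")
SMB_PORTS = {"microsoft-ds", "445"}  # TCP 445, the port Conficker spreads over


def parse_netstat_b(text):
    """Return TCP connections plus the service/module names netstat -b prints beneath each."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append({"local": m.group(1), "foreign": m.group(2),
                          "state": m.group(3), "pid": int(m.group(4)), "modules": []})
        elif conns and line.strip():  # header lines before the first connection are skipped
            mm = MODULE_RE.match(line)
            conns[-1]["modules"].append(mm.group(1) if mm else line.strip())
    return conns


def is_external(host):
    """A resolved DNS name, or an IP outside private/loopback/link-local space, is external."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def find_outbound_smb(text):
    """Return (pid, foreign, state, modules) for each connection to SMB on an external host."""
    return [(c["pid"], c["foreign"], c["state"], c["modules"])
            for c in parse_netstat_b(text)
            if c["foreign"].rpartition(":")[2] in SMB_PORTS
            and is_external(c["foreign"].rpartition(":")[0])]
```

On the asker's output this yields PID 892 (the Schedule service inside svchost.exe) and PID 4 (System, i.e. the kernel's own SMB client), which is where to look before killing anything.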