nauman_ahmed asked:
Windows 2003 Server Datacenter Edition - Fresh Install w/Norton Corporate Antivirus - Can't connect to windows update, antivirus sites.

I have four Dell PowerEdge 2950 servers with freshly installed Windows 2003 Server R2 Datacenter Edition. I have installed Norton AntiVirus Corporate Edition on the servers and updated the virus definitions. I missed running Windows Update on them, and yesterday got an e-mail from our data center that all four servers appear to be compromised, as they are trying to scan the data center's dark IP space. I tried the following:

1. Running the netstat -b command shows the following. None of these IP addresses belong to us:

Proto  Local Address          Foreign Address        State           PID
TCP    Serv01:3325            176.117.30.120:microsoft-ds  SYN_SENT        892
Schedule
[svchost.exe]

TCP    Serv01:1206            58-27-213-86.wateen.net:microsoft-ds  ESTABLISHED     4
[System]

TCP    Serv01:1218            193.108.39.51:microsoft-ds  ESTABLISHED     4
[System]

2. Running HijackThis shows the following:

Logfile of HijackThis v1.99.1
Scan saved at 3:48:20 PM, on 4/9/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.windowsupdate.com/
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

As of now, I am not able to open microsoft.com, windowsupdate.com, symantec.com, or trendmicro.com. I have tried running Windows Defender, Malwarebytes and SuperAntiSpyware, and nothing suspicious was found. Please advise.

Thanks.
overdrive79 replied:

Try removing Symantec and running Avira, at least to get a second opinion on the anti-virus side of things.

Use the netstat -a -b command to get the PID of the offending process.
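The netstat -b output quoted in the question already contains the answer to "which process": each connection row is followed by the service name(s) and the [module] that owns the socket, so the SYN_SENT to port 445 (microsoft-ds) on a public address belongs to PID 892, an svchost.exe hosting the Schedule service, while the ESTABLISHED rows belong to PID 4 (System). The script below is an added example, not code from the thread or from either poster: it parses that multi-line netstat -a -b format, flags outbound TCP sessions to port 445 on hosts outside the local networks, and groups them by owning PID and module. The sample output is constructed from the rows in the question plus one invented inbound RDP row that must not be flagged; the internal-suffix list and the service-name-to-port map are assumptions.

```python
"""Triage helper for 'netstat -a -b' output on Windows Server 2003.

Added example, not part of the original thread. Parses the connection row /
service-name line(s) / [module.exe] line layout that netstat -b prints, and
reports outbound SMB (port 445) sessions to hosts outside our networks.
"""
import ipaddress
from collections import defaultdict

# netstat prints service names instead of well-known ports; only the ones
# relevant to SMB/NetBIOS/RPC triage are mapped here (assumption).
SERVICE_PORTS = {"microsoft-ds": 445, "netbios-ssn": 139, "epmap": 135}
SMB_PORT = 445
ACTIVE_STATES = {"SYN_SENT", "ESTABLISHED"}
# Hostname suffixes we treat as "ours" when netstat shows a name, not an IP (assumption).
INTERNAL_SUFFIXES = (".corp.example",)

# Constructed sample: the three rows quoted in the question plus one made-up
# inbound RDP session from a private address, which must not be flagged.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    Serv01:3325            176.117.30.120:microsoft-ds  SYN_SENT        892
  Schedule
 [svchost.exe]

  TCP    Serv01:1206            58-27-213-86.wateen.net:microsoft-ds  ESTABLISHED     4
 [System]

  TCP    Serv01:1218            193.108.39.51:microsoft-ds  ESTABLISHED     4
 [System]

  TCP    Serv01:3389            10.0.0.5:1053          ESTABLISHED     1208
 [svchost.exe]
"""


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port number); port may be a service name."""
    host, _, port = endpoint.rpartition(":")
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS.get(port)


def parse_netstat_b(text):
    """Return one dict per connection row, with the owning service(s) and module attached."""
    rows = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] in ("TCP", "UDP") and parts[-1].isdigit():
            fhost, fport = split_endpoint(parts[2])
            current = {
                "proto": parts[0], "local": parts[1],
                "foreign_host": fhost, "foreign_port": fport,
                "state": parts[3] if len(parts) == 5 else "",  # UDP rows have no state
                "pid": int(parts[-1]), "services": [], "module": "",
            }
            rows.append(current)
        elif current is not None and not line.startswith("Proto"):
            # Lines between connection rows describe the owner of the previous row.
            if line.startswith("[") and line.endswith("]"):
                current["module"] = line[1:-1]
            else:
                current["services"].append(line)
    return rows


def is_internal(host, internal_suffixes=()):
    """True for RFC 1918 / loopback / link-local IPs or names carrying an internal suffix."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a resolved hostname such as 58-27-213-86.wateen.net
        return any(host.lower().endswith(s.lower()) for s in internal_suffixes)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def outbound_smb_to_external(rows, internal_suffixes=()):
    """Select active TCP sessions whose foreign end is port 445 on a host that is not ours."""
    return [r for r in rows
            if r["proto"] == "TCP" and r["foreign_port"] == SMB_PORT
            and r["state"] in ACTIVE_STATES
            and not is_internal(r["foreign_host"], internal_suffixes)]


def group_by_owner(hits):
    """Map (pid, module, services) -> foreign hosts so the offending process stands out."""
    owners = defaultdict(list)
    for r in hits:
        owners[(r["pid"], r["module"], tuple(r["services"]))].append(r["foreign_host"])
    return dict(owners)


if __name__ == "__main__":
    rows = parse_netstat_b(SAMPLE_NETSTAT)
    hits = outbound_smb_to_external(rows, INTERNAL_SUFFIXES)
    for (pid, module, services), hosts in group_by_owner(hits).items():
        print(f"PID {pid:<5} {module:<12} {' '.join(services) or '-':<10} -> {', '.join(hosts)}")
```

On a live box, feed it the saved output of netstat -a -b (redirect to a file and read it in). A PID 4 / System owner is the kernel SMB redirector and only tells you a session exists; the user-mode owner of the SYN_SENT row (here svchost.exe hosting Schedule) is the process to pull apart with the next step, for example tasklist /svc and the service's binary path.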
ASKER CERTIFIED SOLUTION
Vishnu Kiran
nauman_ahmed (asker) replied:

Thanks Surfer :) It was Conficker worm.