Solved

Windows 2003 Server Datacenter Edition - Fresh Install w/Norton Corporate Antivirus - Can't connect to windows update, antivirus sites.

Posted on 2009-04-09
3
602 Views
Last Modified: 2013-12-06
I have four Dell PowerEdge 2950 Servers with freshly installed Windows 2003 Server R2 Data Center Edition. I have installed Norton Antivirus Corporate edition on the server and updated the virus definition. I missed running Windows update on them and yesterday got an e-mail from our data center that all these four servers appears to be compromised as they are trying to scan the data center dark IP space. I tried the following:

1. Running the netstat -b command shows the following. Nonw of these IP addresss belong to us:

Proto  Local Address          Foreign Address        State           PID
TCP    Serv01:3325            176.117.30.120:microsoft-ds  SYN_SENT        892
Schedule
[svchost.exe]

TCP    Serv01:1206            58-27-213-86.wateen.net:microsoft-ds  ESTABLISHED     4
[System]

TCP    Serv01:1218            193.108.39.51:microsoft-ds  ESTABLISHED     4
[System]

2. Running Hijack this shows following:

Logfile of HijackThis v1.99.1
Scan saved at 3:48:20 PM, on 4/9/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.windowsupdate.com/
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

As of now, I am not able to open microsoft.com, windowsupdate.com, symantec.com, trendmicro.com. I have tried running windows defender, malwarebytes, superantyspyware and nothing suspiscious was found. Please advise.

Thanks.
0
Comment
Question by:nauman_ahmed
3 Comments
 
LVL 3

Expert Comment

by:overdrive79
ID: 24111196
Try removing Symantec and running Avira, at least to get a second opinion on the anti-virus side of things.  


use the netstat -a -b command to get the PID of the offending process.
0
 
LVL 7

Accepted Solution

by:
Vishnu Kiran,ITIL,HDI SCM,CAPM earned 125 total points
ID: 24111294
Hi Nauman,

It indicates that the system is affected by Conficker infections, for your information there is a variant of the worm that blocks AV programs and Windows Update website.  Please visit the below link and follow the steps to remove the same:


http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_24284551.html?sfQueryTermInfo=1+10+2003+antiviru+can%27t+connect+site+updat+window

Regards,
Vishnu.
0
 
LVL 25

Author Comment

by:nauman_ahmed
ID: 24115377
Thanks Surfer :) It was Conficker worm.
0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Remove and unencrypt files and folders infected with Crypto virus 20 146
Full list of ransomwares to date 6 127
vMware vShield Endpoint 6.0 4 83
Computer has been hijacked? 13 89
To Remove Security Suite for Windows Malware from a Windows XP Machine:  Restart computer in Safe Mode (to do this see http://tinyurl.com/me78p) Login as Administrator Go to My Computer /Tools/ Folder Options/ View/  check mark the selectio…
I recently had to create a utility which aim is to update McAfee's Virusscan and that had to be launched from a command line. I thought I’d share my experience with you. Why is it useful to be able to update an Antivirus from the command line?…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question