Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Windows 2003 Server Datacenter Edition - Fresh Install w/Norton Corporate Antivirus - Can't connect to windows update, antivirus sites.

Posted on 2009-04-09
3
Medium Priority
?
623 Views
Last Modified: 2013-12-06
I have four Dell PowerEdge 2950 Servers with freshly installed Windows 2003 Server R2 Data Center Edition. I have installed Norton Antivirus Corporate edition on the server and updated the virus definition. I missed running Windows update on them and yesterday got an e-mail from our data center that all these four servers appears to be compromised as they are trying to scan the data center dark IP space. I tried the following:

1. Running the netstat -b command shows the following. Nonw of these IP addresss belong to us:

Proto  Local Address          Foreign Address        State           PID
TCP    Serv01:3325            176.117.30.120:microsoft-ds  SYN_SENT        892
Schedule
[svchost.exe]

TCP    Serv01:1206            58-27-213-86.wateen.net:microsoft-ds  ESTABLISHED     4
[System]

TCP    Serv01:1218            193.108.39.51:microsoft-ds  ESTABLISHED     4
[System]

2. Running Hijack this shows following:

Logfile of HijackThis v1.99.1
Scan saved at 3:48:20 PM, on 4/9/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.windowsupdate.com/
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

As of now, I am not able to open microsoft.com, windowsupdate.com, symantec.com, trendmicro.com. I have tried running windows defender, malwarebytes, superantyspyware and nothing suspiscious was found. Please advise.

Thanks.
0
Comment
Question by:nauman_ahmed
3 Comments
 
LVL 3

Expert Comment

by:overdrive79
ID: 24111196
Try removing Symantec and running Avira, at least to get a second opinion on the anti-virus side of things.  


use the netstat -a -b command to get the PID of the offending process.
0
 
LVL 7

Accepted Solution

by:
Vishnu Kiran earned 500 total points
ID: 24111294
Hi Nauman,

It indicates that the system is affected by Conficker infections, for your information there is a variant of the worm that blocks AV programs and Windows Update website.  Please visit the below link and follow the steps to remove the same:


http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_24284551.html?sfQueryTermInfo=1+10+2003+antiviru+can%27t+connect+site+updat+window

Regards,
Vishnu.
0
 
LVL 25

Author Comment

by:nauman_ahmed
ID: 24115377
Thanks Surfer :) It was Conficker worm.
0

Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are many reasons malware will stay around and continue to grow as a business.  The biggest reason is the expanding customer base.  More than 40% of people who are infected with ransomware, pay the ransom.  That makes ransomware a multi-million…
If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Suggested Courses

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question