Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Windows 2003 Server Datacenter Edition - Fresh Install w/Norton Corporate Antivirus - Can't connect to windows update, antivirus sites.

Posted on 2009-04-09
3
Medium Priority
?
619 Views
Last Modified: 2013-12-06
I have four Dell PowerEdge 2950 Servers with freshly installed Windows 2003 Server R2 Data Center Edition. I have installed Norton Antivirus Corporate edition on the server and updated the virus definition. I missed running Windows update on them and yesterday got an e-mail from our data center that all these four servers appears to be compromised as they are trying to scan the data center dark IP space. I tried the following:

1. Running the netstat -b command shows the following. Nonw of these IP addresss belong to us:

Proto  Local Address          Foreign Address        State           PID
TCP    Serv01:3325            176.117.30.120:microsoft-ds  SYN_SENT        892
Schedule
[svchost.exe]

TCP    Serv01:1206            58-27-213-86.wateen.net:microsoft-ds  ESTABLISHED     4
[System]

TCP    Serv01:1218            193.108.39.51:microsoft-ds  ESTABLISHED     4
[System]

2. Running Hijack this shows following:

Logfile of HijackThis v1.99.1
Scan saved at 3:48:20 PM, on 4/9/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.windowsupdate.com/
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

As of now, I am not able to open microsoft.com, windowsupdate.com, symantec.com, trendmicro.com. I have tried running windows defender, malwarebytes, superantyspyware and nothing suspiscious was found. Please advise.

Thanks.
0
Comment
Question by:nauman_ahmed
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 3

Expert Comment

by:overdrive79
ID: 24111196
Try removing Symantec and running Avira, at least to get a second opinion on the anti-virus side of things.  


use the netstat -a -b command to get the PID of the offending process.
0
 
LVL 7

Accepted Solution

by:
Vishnu Kiran earned 500 total points
ID: 24111294
Hi Nauman,

It indicates that the system is affected by Conficker infections, for your information there is a variant of the worm that blocks AV programs and Windows Update website.  Please visit the below link and follow the steps to remove the same:


http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_24284551.html?sfQueryTermInfo=1+10+2003+antiviru+can%27t+connect+site+updat+window

Regards,
Vishnu.
0
 
LVL 25

Author Comment

by:nauman_ahmed
ID: 24115377
Thanks Surfer :) It was Conficker worm.
0

Featured Post

Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For those of you actively in the Malware fightling business, we now have available an amazing new tool in the malware wars (first recommended to me by rpggamergirl (http://www.experts-exchange.com/M_3598771.html), the Zone Advisor for the Virus and …
Operating system developers such as Microsoft (https://www.microsoft.com) and Apple have made incredible strides in virus protection over the past decade. Operating systems come packaged with built in defensive tools such as virus protection and a f…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question