Blocked because of virus

I am having this issue here. My server cannot go into the internet and mails cannot send out to external email. However, external email can come into my server.

I launch Internet Explorer and this is what I receive (see attached). I did a full system scan using SUPERAntiSpyware and Symantec Endpoint v 11. Nothing found. Reset my IE settings but to no avail.

I cannot ping to any external site, e.g. Google, Yahoo, etc.

machine: windows server 2008 OS
Application running: Exchange 2010
xmlmagician Commented:
can you ping IP addresses directly
like which the BBC
Are you able to ping the default gateway as well as access the internal shares?

Thank you.
moombaz (Author) Commented:
I can ping my default LAN gateway. I am able to access all LAN files.

However, I cannot ping to my WAN gateway and I cannot ping to any websites.
James (Senior Cloud Infrastructure Engineer) Commented:
Another thing, check the host file to see if it has been edited in any way - C:\windows\system32\drivers\etc\hosts - open this with notepad.

Also, check the internet connection settings - when your browser is open go to > tools > internet options > connections > lan settings > and see if your browser is going through a proxy; if so, untick use proxy server.

These are symptoms that are caused by viruses.
The two applications listed here are both safe to use on Server 2008. You can retrieve them from any clean workstation/server and save them to USB stick or CD.
(Use the "Save As" function to rename the downloaded files - BEFORE - they touch your system. Some variants of malware recognize some anti-malware files and will corrupt them if you use the regular download.)

Your first step should be to clean out all of the Temp/Junk files picked up by your browser.

Download, install, and run
CCleaner (

Download, install, and run
Malwarebytes (MBAM) (
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

When finished with MBAM, post the log that is generated and let us look at it for you.
moombaz (Author) Commented:
There are no suspicious processes running.

Host file is not tampered.

Proxy setting is not enabled because we are not running any proxy server.
I assume that you have checked that firewall ports for the Exchange server are open?
moombaz (Author) Commented:
Yes.. the firewall ports are open.

I did this:

For the network configuration for the exchange server, I changed the settings to automatically detect settings.
Launch Internet Explorer and I can browse the internet. Internet settings all as per normal.

As soon as I changed back to the static IP for my Exchange, internet cannot be used again.

What is this?
And your DNS is working as well?
Sudeep Sharma (Technical Designer) Commented:
>>As soon as I changed back to the static IP for my Exchange, internet cannot be used again.

The static IP that you are using, is that a Public IP address? Since on LAN you would receive an IP address which would be either Class A or Class C IP address and your Internet would be working because you would be going through your Gateway/Firewall.

When you changed the IP address to Static did you change the DNS as well?
When you use DHCP, what DNS server do you get? Use the ipconfig command on the command prompt to know this.

moombaz (Author) Commented:
My default IP configuration is

static ip:
DNS: is a forwarder. My whole domain is configured this way. My server is not set directly to configure to my ISP DNS server.

I changed my configuration to

static IP: and it works. The server can now go into the internet.

What can be the problem? I've checked my firewall and the policy rule states all hosts are allowed to pass through to go to the internet. Changing IP address doesn't make any sense to get the server/PC to have access to the internet when anybody else can also go into the internet within the same subnet.
moombaz (Author) Commented:
My DNS is working very fine.
moombaz (Author) Commented:
Dear experts,

I've found out the cause of this. My firewall is specifically blocking my specific IP address (exchange server): because there was an Intrusion to the system thus they're blocking that IP to route out to the internet.
Thanks a lot.
I would have thought that my comment ID:35016348 kind of answered the question, if not pointed in the right direction. If you feel that it was no help, it is okay.
@moombaz, did you check the security log on Symantec to see what type of virus intrusion this was? Finding this information is important as you never once mentioned that it was confirmed to be a (fill in the ____) virus nor cleaned.

I would also suggest checking your event log for tampering and if you have not scanned with a boot watch rootkit scanner I would suggest you run a scan with MBAM. There is already a link posted by younghv. Finding out the cause of why you're receiving this block is the main reason why I am suggesting these to you. So please give us these results as we would like to see a smile on your face and not a burst blood vein.
moombaz (Author) Commented:
It wasn't really the port mapping or port forwarding issue but indeed it's the IP address that is blocked by the firewall. Blocked as in once my firewall detects that there is a virus being sent out from a host (as for now it is from my exchange server) it literally puts the IP address in its banned list, not allowing it to flow out to the internet.


Symantec did not detect any virus. It was my firewall that detected it, then did not allow it to pass. Here are the virus details:

File      Facebook
Checksum      N/A
Quarantine Skip      No skip
Virus      W32/Agent.3367!tr
URL      N/A
Carrier End Point      N/A
User      N/A
Group      N/A
Detection Type      Virus
Any chance your firewall was a Fortinet? I'm getting the exact same screen and am trying to find the source.
I had the same thing happen to me, I changed my IP address and the problem was resolved.
I do have a Fortinet firewall and I couldn't find anything from firewall logs.
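
The checks suggested across this thread (hosts file, browser proxy, gateway and external ping, DNS), gathered into one PowerShell script to localize where outbound traffic stops. This is an added example, not something posted by any participant; it assumes PowerShell 2.0 or later, and `$ExternalIp` and `$ExternalName` are placeholder values to replace.

```powershell
# Added triage example (not from the thread). Uses only cmdlets available in PowerShell 2.0.
# $ExternalIp / $ExternalName are placeholders: set them to an address and name you expect to reach.
param(
    [string]$ExternalIp   = '192.0.2.1',     # placeholder (documentation range), replace before use
    [string]$ExternalName = 'example.com'    # placeholder name for the DNS check
)

$report = @{}

# 1. Hosts file: list every active (non-blank, non-comment) entry for review.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$report.HostsEntries = @(Get-Content $hostsPath |
    Where-Object { $_.Trim() -ne '' -and $_.Trim() -notmatch '^#' })

# 2. Per-user proxy: the IE "LAN settings" dialog stores its state in these values.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$report.ProxyEnabled = [bool]$inet.ProxyEnable
$report.ProxyServer  = $inet.ProxyServer

# 3. Addressing: static vs DHCP, local IP, gateway and DNS servers per enabled adapter.
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
$report.Adapters = $nics |
    Select-Object Description, DHCPEnabled, IPAddress, DefaultIPGateway, DNSServerSearchOrder

# 4. Reachability: LAN gateway first, then an external address by IP (no DNS involved).
$gateways = @($nics | ForEach-Object { $_.DefaultIPGateway } | Where-Object { $_ })
$report.GatewayReachable  = [bool]($gateways | Where-Object { Test-Connection $_ -Count 2 -Quiet })
$report.ExternalReachable = Test-Connection $ExternalIp -Count 2 -Quiet

# 5. DNS resolution, tested separately from reachability.
try   { $report.DnsResolves = @([System.Net.Dns]::GetHostAddresses($ExternalName)).Count -gt 0 }
catch { $report.DnsResolves = $false }

# Gateway and DNS fine but nothing external answers: the pattern this thread ended on,
# where the perimeter firewall had banned the server's source IP.
if ($report.GatewayReachable -and $report.DnsResolves -and -not $report.ExternalReachable) {
    $report.Hint = 'Egress stops beyond the LAN gateway: check the perimeter firewall for a block or ban on this source IP.'
}
$report
```

Running it once with the static address and once with a DHCP address shows whether the failure follows the IP address rather than the machine's own settings.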