IE cannot open any Microsoft or Antivirus websites

spartacus321

Senior member
Aug 29, 2004
645
0
0
Hi all,

Here's my situation. I have a server running 2003 Small Biz Edition. It was freshly installed recently, without any latest updates. Another company ran an Internet line for us, connected it and left it connected over the weekend when they were instructed to leave it disconnected. So the server was basically online without updated AV or updated Windows.

I can access the internet to load pages such as Google, Yahoo etc. without any problems, but if I try to access Windows Update, any Microsoft site, or any antivirus company's website, I immediately get Page Cannot be Displayed.

Same thing with Firefox, the same pages that load in IE work, those that don't in IE don't in Firefox.

I have Symantec Corp. Edition setup but it can't update because it says no Internet Connection is present.

My inclination is that this is a virus of some sort... any ideas?


Moved from Software For Windows to Security.

AnandTech Moderator
mechBgon
 

sswingle

Diamond Member
Mar 2, 2000
7,183
45
91
Definitely virus/spyware. I saw this on a client's system recently. The hosts file was un-altered. Found out that the virus was changing the DNS servers. I fixed it by changing the DNS to a known good server, (or 4.2.2.1). After doing that, Windows Update and AV programs were able to connect again. IIRC, Malwarebytes was able to remove the infection.
 

spartacus321

Senior member
Aug 29, 2004
645
0
0
Thanks for the responses. Will be heading to this client tomorrow and will give the Malwarebytes a shot. Noticed the supported OS's don't list 2003 Server as an option but I will still try it anyways.
 

RebateMonger

Elite Member
Dec 24, 2005
11,588
0
0
SBS 2003 doesn't install Windows Firewall unless you have two NICs. What was in front of the SBS server (router, firewall, etc)? An unconfigured (no port forwarding) home-level router (using NAT) would normally keep things from getting in on their own.

Have you considered that an infection might come from INSIDE the network?
 

spartacus321

Senior member
Aug 29, 2004
645
0
0
Initially the server had only 1 NIC but shortly after someone came in and added a 2nd NIC for internet access, coming thru from a DSL modem.

Previous to this only 1 other computer on the network had Internet access, so I'm guessing that was the entry point.

Don't know if a freshly installed server without updates or antivirus dated Aug. 2008 could contract a virus just by being connected to the net without any surfing being done so I'm guessing it's the other user's PC that caused the problem.

 

RebateMonger

Elite Member
Dec 24, 2005
11,588
0
0
Just in case....I wanted to make it clear that my "two NIC" reference meant running the SBS "Connect to the Internet" Wizard and telling it to make use of two NICs - one for Internet access and the second for Local Area Network access. In this mode, all client PCs connect to the LAN NIC, which acts as the DHCP, DNS, and Default Gateway for all of the client PCs (using a switch attached to the LAN NIC).

When in this mode, SBS 2003 offers the opportunity to turn on Windows Firewall.

If the SBS Server actually has been hit by malware, I'd reformat and re-install SBS. Especially at this point, when applications and lots of AD stuff haven't been installed.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Also, to reiterate what has already been said, throw a router in there if you haven't done so already. While you're at it, confirm that Universal Plug 'n Play (UPnP) and wireless features are disabled on the router, and give the router a strong password for its admin login. If necessary, you can forward ports through the router on an as-needed basis.
 

thegisguy

Senior member
Jan 15, 2008
292
0
0
Ran into the same problem on my brother's computer. Virus changed his DNS server. SuperAntiSpyware took care of it.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Ouch. Nuke all machines and start over. Afterwards change all passwords typed into the machines, and cancel all credit cards used...

Malicious DNS servers are nasty. OpenDNS as a forwarder of a dns server using malwaredomains.com's list of bad domains along with a firewall blocking emergingthreat's bad ip list is a handy setup.
 

RebateMonger

Elite Member
Dec 24, 2005
11,588
0
0
Originally posted by: n0cmonkey
Malicious DNS servers are nasty. OpenDNS as a forwarder of a dns server using malwaredomains.com's list of bad domains along with a firewall blocking emergingthreat's bad ip list is a handy setup.
Yeah, I had a client with a laptop that got hit with, among other things, a DNS redirector. It's not that easy for most people to catch because things MOSTLY work. It was immediately obvious in this case because the laptop was on a Domain and was supposed to be looking at the internal DNS Server for name resolution. That Russian DNS server didn't know anything about the internal office network, so internal name queries all failed.

Fake DNS servers are soooo dangerous. You never know where they are going to direct you. You type in http://bankofamerica.com and it sends you to a fake Russian clone site. You type in http://google.com and it sends you to Google.
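
As an added example (not part of any post in this thread): a Python sketch of the check the replies above describe, listing the DNS servers each adapter is actually using and flagging any that are not the resolvers the network is supposed to use. The `ipconfig /all` text, the addresses and the trusted set are constructed samples, and English-language output is assumed.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not taken from the thread).
SAMPLE = """\
Ethernet adapter LAN:

   Connection-specific DNS Suffix  . : office.local
   IP Address. . . . . . . . . . . . : 192.168.16.2
   DNS Servers . . . . . . . . . . . : 192.168.16.2

Ethernet adapter WAN:

   IP Address. . . . . . . . . . . . : 203.0.113.25
   DNS Servers . . . . . . . . . . . : 198.51.100.77
                                       198.51.100.78
   Lease Obtained. . . . . . . . . . : Monday, January 05, 2009 9:00:00 AM
"""

def dns_servers_by_adapter(text):
    """Return {adapter name: [DNS server, ...]} parsed from `ipconfig /all`."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        # Adapter headers are unindented and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter, in_dns = line.rstrip()[:-1], False
            result[adapter] = []
            continue
        m = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)", line)
        if m and adapter:
            result[adapter].append(m.group(1))
            in_dns = True
        elif in_dns and re.fullmatch(r"\s+[0-9A-Fa-f:.%]+", line):
            # Additional resolvers appear as bare, indented continuation lines.
            result[adapter].append(line.strip())
        else:
            in_dns = False
    return result

def audit(text, trusted):
    """Return (adapter, server) for every configured resolver not in `trusted`."""
    findings = []
    for adapter, servers in dns_servers_by_adapter(text).items():
        for server in servers:
            ipaddress.ip_address(server.split("%")[0])  # ValueError on junk
            if server not in trusted:
                findings.append((adapter, server))
    return findings

if __name__ == "__main__":
    for adapter, server in audit(SAMPLE, trusted={"192.168.16.2"}):
        print(f"{adapter}: unexpected DNS server {server}")
```

On a domain member the trusted set is normally just the internal DNS server, which is why the redirect stood out in the case described above.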
 

insect9

Senior member
Jun 19, 2004
963
0
76
Text

Conficker also makes several configuration changes so that it runs every time Windows starts. Specifically it adds itself as a service and also adds a registry value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It also terminates various services which should be re-enabled and more information is available here. Similarly, Worm:Win32/Conficker.B attempts to terminate any process which has a name which seems to indicate that it is an antivirus program or other security software. It also blocks access to the web sites of many antivirus and security vendors and to Windows Update. This worm takes some additional steps and our encyclopedia entry includes more details.
 

blackangst1

Lifer
Feb 23, 2005
22,914
2,359
126
Originally posted by: dhcloud
Text

Conficker also makes several configuration changes so that it runs every time Windows starts. Specifically it adds itself as a service and also adds a registry value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It also terminates various services which should be re-enabled and more information is available here. Similarly, Worm:Win32/Conficker.B attempts to terminate any process which has a name which seems to indicate that it is an antivirus program or other security software. It also blocks access to the web sites of many antivirus and security vendors and to Windows Update. This worm takes some additional steps and our encyclopedia entry includes more details.

You beat me to it
 