Suddenly cannot open ANY Microsoft related website

ACGPHX
A client recently had a power outage (not sure if it's related) and after a reboot everything was tested and working as it should until someone tried to open www.msn.com. Assuming it was isolated I went to town on that system without any success. Only after I spent 30 minutes trying to fix that workstation did I start getting calls from others in the domain that they too couldn't open Microsoft websites.

Google, Yahoo, and other sites open just fine. But when I attempt to go to MSN, microsoft.com, or Windows Update the browser hangs until I'm given a DNS error. This happens on all systems including the file servers.

Initially I thought it could be the Qwest modem or the Netopia router. I've rebooted both without resolving the issue. I've restarted and flushed the server's DNS without any change. I also restarted the server.

I'm kind of stumped on this one. Any help would be appreciated.
    ThumbsUp2

    Best download, install and run MalwareBytes and Spybot Search and Destroy while in safe mode on each of these systems. They're all infected.

    You may need to do the downloading from another computer off the domain somewhere, then transport to the infected computers. You may even need to rename the downloaded files before attempting to install because some of these critters are smart enough to block installation of certain file names.

    Most of all, disconnect the network cable from each of the computers and get them ALL disinfected before reconnecting any of the cables. The critter you have is network aware and will reinfect any cleaned computer before you get rid of it from a dirty computer.

    ACGPHX

    I'll plug my laptop into the network on Monday and see if I can get to MS sites. If not I'll isolate one of the systems Monday and try out this solution.

    I'm leaning more toward the DNS in the Qwest modem being damaged from the power outage. If my laptop doesn't get to MS (already running Malwarebytes on it) then I know it's the modem. If it does I have 26 systems to visit. I'll keep you posted on how it works out. Thanks!

    OldER Mycroft

    Because less than a second after you plug your laptop into the network, your laptop will become infected (dormantly).

    By the time you notice that your laptop cannot connect to any M$ sites, you'll then have to think of which OTHER computer you can use to download the disinfection needed, AND then add your laptop to the list of machines needing full Safe Mode scans.

    You MUST be downloading the MBAM from an uninfected machine.

    Then you can transfer the renamed MBAM to a similarly uninfected USB thumb drive, then from there to each unconnected (still infected) machine.

    If your laptop does get to a M$ site, and you assume the 26 network machines must have a DNS problem after all, how confident will you be that you have cured the entire problem for the next minutes or hours or days? After all, not all the network stopped connecting to M$ sites all at the same time.

    I advise you download the installer WITHOUT risking infecting the laptop by blindly connecting it to a potentially infected network, just to prove a point. Otherwise you'll have 27 machines to uninfect, not 26.

    ACGPHX

    Thanks for the concern. I'd hardly be worth my pay if I were so reckless.

    My laptop isn't part of that domain. It is uninfected and it has had MalwareBytes installed in it for quite some time (and is up to date).

    Actually ALL the systems did start showing the problem right after the power outage. If it were not that way I wouldn't strongly suspect DNS (be it in the server or the ISP's modem).

    ThumbsUp2

    ... if the power outage had anything at all to do with it, the problem web sites would be random. Electrical charges don't just target MS web sites.

    Where you've already found that it's primarily MS web sites such as Windows Update, etc..., that are affected and you can get to other web sites, THAT is not random. It's on purpose. And, since this is one of the symptoms of several of the nasty critters which abound, you best just assume they're all infected and take precautions to get them off the network while you work on them.

    ACGPHX

    But it could very well be corrupt DNS in the Qwest modem. It wouldn't be the first time.

    Although I can't be on premises over the weekend I can run RDP to all of the workstations. I ran Malwarebytes on 3 workstations and on the fileserver. I know it's pointless if there's a wandering malware on my network, but I figured it would give me some indication until it was reinfected.

    The workstations, all of which had Malwarebytes loaded previously, had no malware on them at all. The fileserver on the other hand had serauth1.dll and serauth2.dll installed (which Malwarebytes quarantined and deleted). I'm rebooting the server now. I'm curious to see if these files return.

    In any event I should know how to plan my Monday morning.

    Dumphrey

    or is it just forwarding DNS from your ISP? Flushing the DNS resolver cache will rid you of any corrupt DNS data. You need to do this on all workstations and your primary DNS server. But I agree with Tu2 that there is a high probability of a virus of some sort.

    ACGPHX

    ..on the network than I already do for a while. The Qwest modem is set up as a bridge. Its only responsibility is to sync up with Qwest's network. The internal DNS for the network runs off of my server. Naturally there is hardware between the Qwest modem and the fileserver.

    The first thing I did was to flush the server DNS. I didn't have access to the client site to reset the Qwest modem until this morning. I was very happy to hear that a node 200 miles away using a cable provider was not having any issues at all.

    It's a never-ending battle. But at least for now the client is up and running with only 30 minutes of downtime. As stated previously I'll keep an even closer eye on things for the next week or two.

    ACGPHX

    Thank you both for your help. I'm sure the information you offered will come in handy at some point and will help many others searching the web.

    As I suspected the trouble was the Qwest modem's DNS. I went to the site, called the remote nodes on the WAN and found they still had access to MSN, Windows Update, and other MS sites. Depending on the site, the ISP they use for the 24/7 VPN connection varies.

    Once I knew they could still surf freely I was even more convinced that this was a DNS issue. I hit reset on the Qwest modem. I connected the modem to my laptop and put in the settings. Less than 15 minutes later everyone was up and accessing the web completely.

    Relieved it wasn't a 20+ hour project (the server alone took 11 hours to scan completely with Malwarebytes). Especially at the beginning of a client's work week.

    Jacky Howe

    as there have been a lot of references to it as being a possible cause.

    How to change the PPPoE MTU size in Windows XP

    http://support.microsoft.com/kb/283165

    ACGPHX

    I saw this too. But I'm curious how the MTU size could have wigged out after a simple power outage? Besides, the servers are Windows 2003 and they do it as well. I'll keep it in my arsenal just in case.

    Incidentally I couldn't download Malwarebytes from CNet or the MalwareBytes website from any workstation or any server earlier.

    I have a strong suspicion that this is the Qwest modem (our ISP).

    Thanks for the pointer. It is appreciated.

    Jacky Howe

    You may have to download MBAM and the updates from another system and copy them via USB.
    Download Malwarebytes Anti-Malware, install it and update it.

    Malwarebytes: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

    If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    mbam-rules: http://malwarebytes.gt500.org/mbam-rules.exe

    With the new strains of virus that have been created you may find it necessary to rename the executable files so that they will work. Rename mbam-setup.exe and then navigate to the install folder and rename mbam.exe. Do not change the file's extension from .exe.

    OldER Mycroft

    Got lightly sneered at.

    http://techrepublic.com.com/5208-1035-0.html?forumID=101&threadID=305518&messageID=3044994

    Y'see the bloke's got a perfect way in, using his 'armoured laptop', apparently....

    Jacky Howe

    LOL

    how did I miss that. We will find out in time what the problem is.

    ACGPHX

    I wasn't trying to come off arrogant or smug in my response. But it just doesn't feel like malware to me when I consider the circumstance. If this were a network wide malware infection any of the malwarebytes scans I ran should have revealed the malware. It was a futile gesture on my part, I admit, but it would pretty much prove that the culprit is Malware even though the systems would certainly be reinfected immediately after I rebooted them. None were infected and the server where I removed the serauth1.dll and serauth2.dll did not become reinfected after I rebooted and rescanned it.

    The MTU is something I saw and considered. But the question here is how did it change to begin with? There was no new service pack applied, hardware added, or browser upgrade? Will I try this? Probably, but after I reset the modem and reload its settings and the problem is still there.

    This is why I keep coming back to my modem. I could be wrong. You could be right. That's why I came here to post. I need alternatives in case my deduction is inaccurate.

    If I came off ungrateful for your suggestion please know that it wasn't intentional.

    My laptop isn't bulletproof, magical, or ironclad but it is well defended with a variety of tools loaded for the specific purpose of troubleshooting. If it gets infected I would be surprised but not alarmed.

    ThumbsUp2

    ... some of these critters can NOT be detected while running scans in normal mode. They're cloaked. They're capable of blocking access to the MS Update web site. They're capable of blocking access to the MalwareBytes web site. They're capable of doing a lot of things you've already described as having happened.

    The only way to get accurate scans is doing so while in Safe Mode (disconnected from the network) and doing lots of different types of scans with various tools. One program will find something and clean it while in Safe Mode, so you reboot to Safe Mode and scan with another tool, which finds something else, reboot to Safe Mode, scan with another, etc..., etc..., etc. You keep scanning with all the tools and rebooting to Safe Mode to scan again until all scans from all tools come up clean in Safe Mode. You then reboot to normal mode and do it all over again.
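
    The thread's two competing explanations, a malware-style override of the local hosts file (ThumbsUp2's point above, and the reason the Malwarebytes site was unreachable) versus a corrupt upstream resolver (ACGPHX's modem theory, settled by asking a node on another ISP), can be separated from one machine with a small triage script. The following is an added example, not code from the thread or from any of its participants; the watch-list and control names are assumptions, and the hosts-file text and resolver answers it checks are constructed (RFC 5737 documentation addresses), so it runs offline. The reference answers in practice come from a known-good resolver on a different network, exactly as the remote node did here.

```python
"""Added triage helper, not code from the thread: when only a handful of
names stop resolving, tell a host-local hosts-file override (the malware
symptom described above) apart from a broken upstream resolver (the modem
DNS suspected in the thread)."""
import ipaddress
import socket

# Assumed watch-list: names the thread reports as failing, plus control
# names that kept working. Adjust to the environment being triaged.
WATCHLIST = ("www.msn.com", "www.microsoft.com", "update.microsoft.com",
             "www.malwarebytes.org")
CONTROLS = ("www.google.com", "www.yahoo.com")


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text; comments and blanks ignored."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first token is not an address, so not a hosts entry
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def hosts_overrides(hosts_map, watchlist=WATCHLIST):
    """Watch-list names pinned in the hosts file. A workstation never needs
    a hosts entry for a vendor update or AV site, so any hit (127.0.0.1,
    0.0.0.0 or a foreign address) deserves a look before touching DNS."""
    return {n: hosts_map[n] for n in watchlist if n in hosts_map}


def resolve_locally(names):
    """Ask this machine's resolver; an empty list means the lookup failed.
    Live helper for a suspect host; the worked data below is constructed."""
    answers = {}
    for n in names:
        try:
            answers[n] = sorted(socket.gethostbyname_ex(n)[2])
        except OSError:
            answers[n] = []
    return answers


def classify(name, local, reference):
    """Compare one name's answers from the local resolver and a known-good
    one on another network (in the thread: a remote node on a different ISP)."""
    l = set(local.get(name, []))
    r = set(reference.get(name, []))
    if not l and not r:
        return "both_fail"
    if not l:
        return "local_fail"
    if not r:
        return "reference_fail"
    return "agree" if l & r else "divergent"


def diagnose(hosts_text, local, reference, watchlist=WATCHLIST, controls=CONTROLS):
    """Return (verdict, details). The hosts file is checked first because an
    override there survives any amount of resolver flushing or modem resets."""
    overrides = hosts_overrides(parse_hosts(hosts_text), watchlist)
    if overrides:
        return "hosts_file_override", overrides
    verdicts = {n: classify(n, local, reference) for n in watchlist + controls}
    watch_fail = [n for n in watchlist if verdicts[n] == "local_fail"]
    watch_div = [n for n in watchlist if verdicts[n] == "divergent"]
    ctrl_ok = [n for n in controls if verdicts[n] == "agree"]
    ctrl_fail = [n for n in controls if verdicts[n] == "local_fail"]
    if ctrl_fail and not ctrl_ok:
        return "resolver_down", verdicts  # everything fails: an outage, not targeting
    if watch_fail and ctrl_ok:
        return "selective_resolver_failure", verdicts  # only the watch-list fails upstream
    if watch_div and ctrl_ok:
        return "watchlist_redirected", verdicts  # differing answers; CDN churn is possible, verify
    return "no_dns_anomaly", verdicts


# Constructed sample data (RFC 5737 documentation addresses, not real records).
SAMPLE_HOSTS = """# constructed hosts file with one malware-style pin
127.0.0.1       localhost
127.0.0.1       update.microsoft.com   # blocks the update site locally
"""
CLEAN_HOSTS = "127.0.0.1 localhost\n"
LOCAL = {n: [] for n in WATCHLIST}  # the symptom: watch-list names fail locally
LOCAL.update({"www.google.com": ["192.0.2.10"], "www.yahoo.com": ["192.0.2.20"]})
REFERENCE = {n: ["198.51.100.%d" % i] for i, n in enumerate(WATCHLIST, 1)}
REFERENCE.update({"www.google.com": ["192.0.2.10"], "www.yahoo.com": ["192.0.2.20"]})

if __name__ == "__main__":
    print(diagnose(SAMPLE_HOSTS, LOCAL, REFERENCE)[0])  # hosts_file_override
    print(diagnose(CLEAN_HOSTS, LOCAL, REFERENCE)[0])   # selective_resolver_failure
```

    The ordering inside `diagnose` is deliberate: a hosts-file pin is host-local and is untouched by `ipconfig /flushdns`, a server cache flush or a modem reset, so it is ruled out first; only then does a "watch-list fails, controls resolve" pattern point upstream, which is the pattern this thread ended with. A "divergent" verdict on its own is weak evidence for CDN-backed names and should be confirmed rather than acted on.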

    Jacky Howe

    an infection from the server it is highly possible that it has infected the workstations. Sounds like you have a job ahead of you.

    maximgamble

    If you go into your router settings, you should find a security section; the Microsoft main URL might be blocked in here. If not, non-Microsoft operating systems like Linux or the Wii System Menu tend to have trouble connecting to Microsoft websites.

    ACGPHX

    I just went to the modem and reset it to the factory defaults and re-entered the settings. I have it all documented so it wasn't much at all to do this. I'll play mother hen on this domain for a while. Hopefully the modem's DNS was the entire matter.

    If not I might be able to buy enough time to get closer to the weekend when it's more convenient for the client to go without their computers.
