Loss of DNS ability from workstations after a run of MsiInstaller and NtServicePack events.

Posted on 2009-04-21
Last Modified: 2013-12-23
It appears we were hit with something that caused a number of our machines to lose the ability to connect to our domain, resolve external host names and browse the internet. In looking in the Event logs, each of the affected workstations shows a series of MsiInstaller messages in the Application log (Event IDs 11728 and 1019) for each product that had been installed via MsiInstaller and a series of NtServicePack (Event ID 4382) messages in the System log stating that various MS updates have been removed. These two series of events took place at the same time. Following on the heels of these events are a DHCP (Event ID 1003) warning that the IP address cannot be renewed (for our DHCP clients) and also a NETLOGON (Event ID 5719) error that no domain controller is available for this domain. Has anyone seen this before? Is this a virus or malware attack? All the workstations are running XP Pro and all servers are W2K3. Thanks for any help in advance.
Question by:WPAOG-ISD
    Expert Comment by: Zuhir Elgmati

    Author Comment

    Just a clarification on the Event log entries. In actuality very few of the events refer to the removal or uninstallation of actual products. Almost every one refers to a MS patch or update. One machine has 37 KB?????? updates removed.

    Accepted Solution

    Turns out this was actually a full network and remediation scan that ran in reverse. Instead of identifying missing patches and updates and then installing them, this routine rolled back all installed patches and updates that were in our missing check list. In so doing it whacked the TCP/IP stack on all machines affected and also disrupted DHCP, DNS and domain replication on our domain controllers. There is a setting in GFI LANGuard that allows roll backs which we accidentally set. We're still not sure how. The recovery was fairly simple. We used GFI LANGuard to re-push the patches and updates to the workstations. For those we could not access we downloaded all the missing patches to a thumb drive and applied them from there. The servers were another story.
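    A detection pass over exported event logs for the pattern this thread describes (a burst of patch-removal events followed by DHCP and NETLOGON failures on the same host), as an added example that is not code from the thread or from GFI LANGuard. The CSV layout, host names and records are constructed, and the source names "Dhcp" and "NETLOGON" are assumed; the event IDs are the ones the question lists.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs named in the thread: patch/update removal ("rollback") and the
# connectivity symptoms that followed it.
ROLLBACK_IDS = {("System", "NtServicePack", 4382),
                ("Application", "MsiInstaller", 11728),
                ("Application", "MsiInstaller", 1019)}
SYMPTOM_IDS = {("System", "Dhcp", 1003), ("System", "NETLOGON", 5719)}

# Constructed sample export in a hypothetical "host,log,source,event_id,timestamp"
# CSV layout (as a log collector might emit); not data from the thread.
SAMPLE_LOG = """\
WS01,System,NtServicePack,4382,2009-04-20 02:01:10
WS01,Application,MsiInstaller,11728,2009-04-20 02:01:12
WS01,Application,MsiInstaller,1019,2009-04-20 02:01:12
WS01,System,NtServicePack,4382,2009-04-20 02:01:30
WS01,System,NtServicePack,4382,2009-04-20 02:02:05
WS01,System,NtServicePack,4382,2009-04-20 02:03:41
WS01,System,Dhcp,1003,2009-04-20 02:20:00
WS01,System,NETLOGON,5719,2009-04-20 02:21:15
WS02,Application,MsiInstaller,11728,2009-04-20 09:15:00
WS02,System,NETLOGON,5719,2009-04-20 09:40:00
"""

def parse_line(line):
    host, log, source, eid, ts = line.split(",")
    return host, (log, source, int(eid)), datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def find_rollback_storms(text, min_rollbacks=5, window=timedelta(minutes=15)):
    # Returns {host: (removal_count, [symptom event ids seen after the burst])}
    # for hosts with >= min_rollbacks removal events inside one window; a lone
    # uninstall (WS02 above) is normal admin activity and is not reported.
    by_host = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            host, key, ts = parse_line(line.strip())
            by_host[host].append((ts, key))
    hits = {}
    for host, events in by_host.items():
        events.sort()
        rollbacks = [ts for ts, key in events if key in ROLLBACK_IDS]
        for i, start in enumerate(rollbacks):
            n = sum(1 for ts in rollbacks[i:] if ts - start <= window)
            if n >= min_rollbacks:
                last = rollbacks[i + n - 1]
                symptoms = sorted({key[2] for ts, key in events
                                   if key in SYMPTOM_IDS and ts >= last})
                hits[host] = (n, symptoms)
                break
    return hits
```

    Running `find_rollback_storms(SAMPLE_LOG)` flags WS01 only; a host that logs NETLOGON 5719 without a preceding removal burst (WS02) is left for ordinary troubleshooting.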
