Solved

pc has virus - shutting down dhcp service on server

Posted on 2010-11-23
6
833 Views
Last Modified: 2013-11-22
Hi there, I have a pc on a network that was infected with something - virus or spyware on it. What this system is doing is shutting down the DHCP service on the server. When I check the IP of the workstation, it shows 10.10.11.2 for an IP address, subnet 255.255.255.252, dhcp server 10.10.11.1. Our network IP scheme is 192.168.0.xxx.

I've cleaned it, and the virus scanners found the following and removed them:
Trojan.vundo
Trojan.dropper

After removing the viruses and doing another scan with MalwareBytes and AVG, the system was showing clean.
I also ran "netsh int ip reset resetlog.txt" which set the IP info back to the way that it is supposed to be

During this time, the server DHCP service shut down again with the same message. I have since formatted the pc. Obviously, I didn't find the issue on the pc, but I would still like to know what might have been causing this. I can't find any information from anyone else with a similar problem.

Thanks
0
Question by:johnbowden
6 Comments
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 34198846
It sounds like the PC had a ghost DHCP server setup on it. Too late to run some test :(
0
 
LVL 26

Expert Comment

by:akahan
ID: 34198873
What do you mean by, "What this system is doing is shutting down the DHCP service on the server"?

If the DHCP service on the server were shut down, and this system were still trying to get an address through DHCP, it wouldn't get one in the 10.10.X.X range, it would be in the 269.X.X.X range.

Maybe you could explain a little more clearly what you think is going on, and why you think that this machine is shutting down the DHCP service on the server (rather than, for example, the server itself being infected with something.)

0
 

Author Comment

by:johnbowden
ID: 34198989
This is one of the lines in the error log.

1st log entry
The DHCP/BINL service on this computer running Windows Server 2003 for Small Business Server has encountered another server on this network with  IP Address, 10.10.11.1, belonging to the domain: .

2nd log entry
The DHCP/BINL service on this computer is shutting down.  See the previous event log messages for reasons.

when I was going through the registry on the pc, I saved the following;
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{C6F00191-0EA5-4458-B753-70A2CC685AD2}\Parameters\Tcpip]
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DhcpIPAddress"="10.10.11.2"
"DhcpSubnetMask"="255.255.255.252"
"DhcpServer"="10.10.11.1"
"Lease"=dword:00000078
"LeaseObtainedTime"=dword:4cead26e
"T1"=dword:4cead2aa
"T2"=dword:4cead2d7
"LeaseTerminatesTime"=dword:4cead2e6
"DhcpSubnetMaskOpt"=hex(7):32,00,35,00,35,00,2e,00,32,00,35,00,35,00,2e,00,32,\
  00,35,00,35,00,2e,00,32,00,35,00,32,00,00,00,00,00
0
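The registry export and the two event-log lines above contain everything needed to see why the server reacted the way it did. The following script is an added example, not code from the thread or from any of its participants: it decodes the .reg values (hex(7) is REG_MULTI_SZ, UTF-16-LE strings separated by NULs; dword lease times are interpreted here, as an assumption, as seconds since the Unix epoch), pulls the competing server's address out of the DHCP/BINL event text, and flags what a defender would notice: the lease came from a server outside the poster's 192.168.0.0/24 scheme, it is a /30 with room for only the client and the server, and it lasts 120 seconds. The expected LAN range and the threshold values are assumptions for illustration.

```python
"""Decode the DHCP-client registry values and the SBS 2003 DHCP/BINL event
text quoted in the thread and report the indicators of a rogue DHCP lease."""
import ipaddress
import re
from datetime import datetime, timezone

# Assumption: the poster's stated scheme is 192.168.0.xxx.
EXPECTED_LAN = ipaddress.ip_network("192.168.0.0/24")

# Constructed copy of the registry export as quoted in the thread.
REG_FRAGMENT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{C6F00191-0EA5-4458-B753-70A2CC685AD2}\Parameters\Tcpip]
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DhcpIPAddress"="10.10.11.2"
"DhcpSubnetMask"="255.255.255.252"
"DhcpServer"="10.10.11.1"
"Lease"=dword:00000078
"LeaseObtainedTime"=dword:4cead26e
"T1"=dword:4cead2aa
"T2"=dword:4cead2d7
"LeaseTerminatesTime"=dword:4cead2e6
"DhcpSubnetMaskOpt"=hex(7):32,00,35,00,35,00,2e,00,32,00,35,00,35,00,2e,00,32,\
  00,35,00,35,00,2e,00,32,00,35,00,32,00,00,00,00,00
'''

# Constructed copy of the two event-log entries as quoted in the thread.
EVENT_LOG = [
    "The DHCP/BINL service on this computer running Windows Server 2003 for Small "
    "Business Server has encountered another server on this network with  IP Address, "
    "10.10.11.1, belonging to the domain: .",
    "The DHCP/BINL service on this computer is shutting down.  See the previous event "
    "log messages for reasons.",
]


def _decode_hex7(payload):
    """hex(7) is REG_MULTI_SZ: comma-separated bytes of NUL-separated UTF-16-LE strings."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def parse_reg_fragment(text):
    """Parse the value lines of a .reg export into a dict (dword -> int, hex(7) -> list, "str" -> str)."""
    # Re-join .reg continuation lines: a trailing backslash, then an indented next line.
    text = re.sub(r"\\\r?\n\s*", "", text)
    values = {}
    for line in text.splitlines():
        m = re.match(r'^"([^"]+)"=(.*)$', line.strip())
        if not m:
            continue
        name, val = m.groups()
        if val.startswith("dword:"):
            values[name] = int(val[len("dword:"):], 16)
        elif val.startswith("hex(7):"):
            values[name] = _decode_hex7(val[len("hex(7):"):])
        elif val.startswith('"') and val.endswith('"'):
            values[name] = val[1:-1]
    return values


def lease_summary(values):
    """Obtained time (UTC) and the T1 / T2 / expiry offsets in seconds from it."""
    obtained = values["LeaseObtainedTime"]  # assumption: seconds since the Unix epoch
    return {
        "obtained_utc": datetime.fromtimestamp(obtained, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "lease_seconds": values["Lease"],
        "t1_offset": values["T1"] - obtained,
        "t2_offset": values["T2"] - obtained,
        "expiry_offset": values["LeaseTerminatesTime"] - obtained,
    }


def rogue_server_from_events(lines):
    """Extract the competing server's address from DHCP/BINL 'encountered another server' events."""
    pat = re.compile(r"encountered another server on this network with\s+IP Address,\s*(\d+\.\d+\.\d+\.\d+)")
    found = []
    for line in lines:
        m = pat.search(line)
        if m:
            found.append(ipaddress.ip_address(m.group(1)))
    return found


def findings(values, event_lines, expected=EXPECTED_LAN):
    """Indicators that the client's lease did not come from the legitimate server."""
    out = []
    server = ipaddress.ip_address(values["DhcpServer"])
    if server not in expected:
        out.append(f"client leased from {server}, outside expected {expected}")
    net = ipaddress.ip_network(f"{values['DhcpIPAddress']}/{values['DhcpSubnetMask']}", strict=False)
    if net.prefixlen >= 30:
        out.append(f"lease subnet {net} is a /{net.prefixlen}: room only for client and server")
    if values["Lease"] < 3600:  # assumed threshold; real leases are hours or days
        out.append(f"lease length {values['Lease']} s is far shorter than a normal lease")
    for ev in rogue_server_from_events(event_lines):
        if ev not in expected:
            out.append(f"server event names competing DHCP server {ev}, outside {expected}")
    return out


if __name__ == "__main__":
    vals = parse_reg_fragment(REG_FRAGMENT)
    print(lease_summary(vals))
    for f in findings(vals, EVENT_LOG):
        print("!", f)
```

The T1 and T2 offsets (60 s and 105 s of a 120 s lease) are the usual 50% and 87.5% renewal points, so the lease is well-formed; it is the source, the subnet size and the lifetime that mark it as not coming from the SBS server. The same parser applies to any exported Tcpip interface key, so it can be run over exports from other workstations to check which server each one leased from.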
 
LVL 26

Expert Comment

by:akahan
ID: 34199240
On the formerly infected machine, do
Start / Run /services.msc

This will bring up the services window.

Find the service called "EnableDHCP".
Right click on it, and select Properties.  Under "startup type," select "disabled".  Press the "Apply" button.
Then, under "Service Status," press the Stop button.

Reboot machine, see if problem is fixed.

0
 
LVL 8

Expert Comment

by:ShareefHuddle
ID: 34199333
Since you rebuilt the PC are you having the issue anymore? If not then I would have to say that it had a DHCP server on it.
0
 

Accepted Solution

by: BizTekConnection earned 125 total points
ID: 34200647
I don't think there is any way to determine what the Vundo trojan pulled down to that box that was running as a DHCP server.  SBS2003 will disable its DHCP server service if it sees another DHCP server on the same physical network as it, so that explains why the SBS kept shutting down its DHCP server when it saw the DHCP on the infected machine.  Since you formatted the infected machine as a solution, without some kind of backup to load and scrutinize I think this is best chalked up to "SBS2003 behaving normally when seeing another DHCP server, and a wicked trojan introducing another DHCP server to the mix."
0
