johnbowden asked:

pc has virus - shutting down dhcp service on server

Hi there, I have a pc on a network that was infected with something - virus or spyware on it. What this system is doing is shutting down the DHCP service on the server. When I check the IP of the workstation, it shows 10.10.11.2 for an IP address, subnet 255.255.255.252, dhcp server 10.10.11.1. Our network IP scheme is 192.168.0.xxx.

I've cleaned it and the virus scanners found the following and removed them:
Trojan.vundo
Trojan.dropper

After removing the viruses and doing another scan with MalwareBytes and AVG, the system was showing clean.
I also ran "netsh int ip reset resetlog.txt", which set the IP info back to the way that it is supposed to be.

During this time, the server DHCP service shut down again with the same message. I have since formatted the pc. Obviously, I didn't find the issue on the pc, but I would still like to know what might have been causing this. I can't find any information from anyone else with a similar problem.

Thanks
ShareefHuddle:

It sounds like the PC had a ghost DHCP server set up on it. Too late to run some tests :(

akahan:
What do you mean by, "What this system is doing is shutting down the DHCP service on the server"?

If the DHCP service on the server were shut down, and this system were still trying to get an address through DHCP, it wouldn't get one in the 10.10.X.X range; it would be in the 169.X.X.X range.

Maybe you could explain a little more clearly what you think is going on, and why you think that this machine is shutting down the DHCP service on the server (rather than, for example, the server itself being infected with something).

johnbowden (asker):
This is one of the lines in the error log.

1st log entry
The DHCP/BINL service on this computer running Windows Server 2003 for Small Business Server has encountered another server on this network with  IP Address, 10.10.11.1, belonging to the domain: .

2nd log entry
The DHCP/BINL service on this computer is shutting down.  See the previous event log messages for reasons.

When I was going through the registry on the pc, I saved the following:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{C6F00191-0EA5-4458-B753-70A2CC685AD2}\Parameters\Tcpip]
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DhcpIPAddress"="10.10.11.2"
"DhcpSubnetMask"="255.255.255.252"
"DhcpServer"="10.10.11.1"
"Lease"=dword:00000078
"LeaseObtainedTime"=dword:4cead26e
"T1"=dword:4cead2aa
"T2"=dword:4cead2d7
"LeaseTerminatesTime"=dword:4cead2e6
"DhcpSubnetMaskOpt"=hex(7):32,00,35,00,35,00,2e,00,32,00,35,00,35,00,2e,00,32,\
  00,35,00,35,00,2e,00,32,00,35,00,32,00,00,00,00,00
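
The two event messages and the registry export in this post carry enough to reconstruct what the workstation was told. The following Python is an added example (not code from the thread or from any poster): it decodes the hex(7) REG_MULTI_SZ values and dword lease times from the export, checks the lease against the 192.168.0.0/24 scheme the question gives, and pulls the peer-server address out of the DHCP/BINL event text. The allowlist address 192.168.0.1 and the 600-second "short lease" threshold are assumptions; the registry values and event messages are the ones posted above.

```python
"""Added example, not code from the thread: decode the DHCP client registry
values and the DHCP/BINL event text quoted above and flag rogue-DHCP indicators.
The expected scheme 192.168.0.0/24 is from the question; the allowlist is assumed."""
import ipaddress
import re

# Registry values exactly as posted in the thread (key path omitted).
REG_EXPORT = r'''
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"DefaultGateway"=hex(7):00,00
"DhcpIPAddress"="10.10.11.2"
"DhcpSubnetMask"="255.255.255.252"
"DhcpServer"="10.10.11.1"
"Lease"=dword:00000078
"LeaseObtainedTime"=dword:4cead26e
"T1"=dword:4cead2aa
"T2"=dword:4cead2d7
"LeaseTerminatesTime"=dword:4cead2e6
"DhcpSubnetMaskOpt"=hex(7):32,00,35,00,35,00,2e,00,32,00,35,00,35,00,2e,00,32,\
  00,35,00,35,00,2e,00,32,00,35,00,32,00,00,00,00,00
'''

# The two event messages quoted by the asker.
EVENT_MESSAGES = [
    "The DHCP/BINL service on this computer running Windows Server 2003 for "
    "Small Business Server has encountered another server on this network "
    "with  IP Address, 10.10.11.1, belonging to the domain: .",
    "The DHCP/BINL service on this computer is shutting down.  "
    "See the previous event log messages for reasons.",
]

# Assumed allowlist: the SBS server's own address on the 192.168.0.x scheme.
AUTHORISED_DHCP_SERVERS = {"192.168.0.1"}

ROGUE_RE = re.compile(
    r"encountered another server on this network with\s+IP Address,\s*([\d.]+)")


def parse_reg_values(text):
    """Parse "name"=value lines: quoted strings, dword: (hex) and hex(7):
    REG_MULTI_SZ (UTF-16LE, NUL-separated, double-NUL terminated).
    A trailing backslash continues a value on the next line."""
    joined = re.sub(r"\\\r?\n\s*", "", text)
    values = {}
    for line in joined.splitlines():
        m = re.match(r'"([^"]+)"=(.*)', line.strip())
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith("dword:"):
            values[name] = int(raw[6:], 16)
        elif raw.startswith("hex(7):"):
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            values[name] = [s for s in data.decode("utf-16-le").split("\x00") if s]
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            values[name] = raw[1:-1]
    return values


def assess_lease(values, expected_net="192.168.0.0/24"):
    """Return lease facts and a list of indicators that the lease did not come
    from the network's legitimate DHCP server."""
    net = ipaddress.ip_network(expected_net)
    server = ipaddress.ip_address(values["DhcpServer"])
    client = ipaddress.ip_address(values["DhcpIPAddress"])
    prefixlen = ipaddress.ip_network(f"0.0.0.0/{values['DhcpSubnetMask']}").prefixlen
    obtained, lease = values["LeaseObtainedTime"], values["Lease"]
    findings = []
    if server not in net:
        findings.append(f"DHCP server {server} is outside {net}")
    if client not in net:
        findings.append(f"leased address {client} is outside {net}")
    if prefixlen >= 30:
        findings.append(f"/{prefixlen} mask leaves room only for client and server")
    if lease < 600:  # threshold is an assumption; normal leases run hours or days
        findings.append(f"lease of {lease}s is far shorter than a normal lease")
    return {
        "prefixlen": prefixlen,
        "lease_seconds": lease,
        "lease_consistent": values["LeaseTerminatesTime"] - obtained == lease,
        # renewal points as a fraction of the lease; RFC 2131 defaults are 0.5 and 0.875
        "t1_fraction": (values["T1"] - obtained) / lease,
        "t2_fraction": (values["T2"] - obtained) / lease,
        "findings": findings,
    }


def rogue_servers_from_events(messages, authorised=AUTHORISED_DHCP_SERVERS):
    """Pull peer-server IPs from DHCP/BINL 'another server' messages, drop the
    authorised ones, and report whether a shutdown message followed."""
    rogues = []
    for msg in messages:
        m = ROGUE_RE.search(msg)
        if m and m.group(1) not in authorised:
            rogues.append(m.group(1))
    return rogues, any("is shutting down" in msg for msg in messages)
```

Calling `assess_lease(parse_reg_values(REG_EXPORT))` yields four indicators: the server and the leased address both sit outside 192.168.0.0/24, the /30 mask leaves exactly two hosts (the workstation and whatever it thinks its server is), and the lease is 120 seconds, with T1 and T2 landing on the standard 50% and 87.5% renewal points, so the values describe a real DHCP exchange rather than corrupted registry data. `rogue_servers_from_events(EVENT_MESSAGES)` returns 10.10.11.1 and a shutdown flag. That shutdown is the Windows DHCP server's rogue-server detection: in an Active Directory domain it stops itself when it sees another DHCP server that is not authorised in the directory, which is why the first message shows an empty "belonging to the domain" field and the second one announces the stop.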
On the formerly infected machine, do
Start / Run / services.msc

This will bring up the services window.

Find the service called "EnableDHCP".
Right click on it, and select Properties.  Under "startup type," select "disabled".  Press the "Apply" button.
Then, under "Service Status," press the Stop button.

Reboot machine, see if problem is fixed.

Since you rebuilt the PC, are you having the issue anymore? If not, then I would have to say that it had a DHCP server on it.
ASKER CERTIFIED SOLUTION
BizTekConnection