Solved

Windows 2003 Server unable to resolve any DNS queries after spyware disinfect

Posted on 2013-01-29
Last Modified: 2013-02-09
Hello,

I have a Windows 2003 server that has been infected with a DNS hijack malware.  We removed it (ACTION ALERT malware which had a dll hooked into the registry somewhere called pgdns8.dll).  After removing the DLL and MALWARE hook, DNS no longer resolves ANYTHING.  

Does anyone know how to verify that the name resolution side of TCP/IP is linked correctly in the registry?  This seems like something that was intentionally fouled to redirect search engine results etc., and now that we removed it, it's not resolving the most BASIC item, even hosts file entries.

I have tried "netsh ip int reset log.txt" and "netsh winsock reset" or whatever the winsock command was, and it got me to where the server booted and saw Active Directory (it's a DC running its own DNS, and DNS is listening on the correct IP, AND other workstations can use the DNS server if I connect to it manually, just NOT the TCP/IP stack of the local server).

Ideas?
Question by: jkeegan123
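The question asks how to verify that the name-resolution side of TCP/IP is still linked correctly in the registry after a hijacker DLL has been pulled out. The script below is an added example, not code from this thread or from any of its participants. It assumes Windows PowerShell running elevated on the affected server, and it reads the standard Winsock2 catalog keys (NameSpace_Catalog5 and Protocol_Catalog9 under Services\WinSock2\Parameters) and the Tcpip\Parameters DNS settings; the value names are the ones Windows uses, while the function names and the MISSING/SUSPECT/UNSIGNED labels are mine.

```powershell
# Added example, not code from the thread. Audits the registry keys that Windows
# name resolution depends on: the Winsock2 namespace and protocol catalogs and the
# TCP/IP DNS client settings. Run from an elevated Windows PowerShell prompt.
$ErrorActionPreference = 'Stop'
$system32 = [Environment]::ExpandEnvironmentVariables('%SystemRoot%\System32').ToLower()
$winsock  = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'

# Hypothetical helper (my name): classify one provider DLL path taken from a catalog entry.
function Test-ProviderDll([string]$RawPath) {
    $path = [Environment]::ExpandEnvironmentVariables($RawPath)
    if (-not (Test-Path -LiteralPath $path)) {
        # A catalog entry whose DLL no longer exists: the usual result of deleting a
        # hijacker DLL by hand while leaving its Winsock registration behind.
        return "MISSING  $path"
    }
    $full = (Resolve-Path -LiteralPath $path).Path
    if (-not $full.ToLower().StartsWith($system32)) { return "SUSPECT  $full (outside System32)" }
    $sig = Get-AuthenticodeSignature -FilePath $full
    if ($sig.Status -ne 'Valid') { return "UNSIGNED $full ($($sig.Status))" }
    return "ok       $full"
}

# Hypothetical helper (my name): Num_Catalog_Entries must equal the number of
# Catalog_Entries subkeys; a catalog edited by hand often gets this wrong.
function Test-CatalogCount([string]$Catalog) {
    $declared = (Get-ItemProperty "$winsock\$Catalog").Num_Catalog_Entries
    $actual   = @(Get-ChildItem "$winsock\$Catalog\Catalog_Entries").Count
    if ($declared -ne $actual) { "MISMATCH $Catalog declares $declared entries, found $actual" }
    else { "ok       $Catalog has $actual entries" }
}

'--- Name space providers (NameSpace_Catalog5): where DNS lookups get hooked ---'
Test-CatalogCount 'NameSpace_Catalog5'
Get-ChildItem "$winsock\NameSpace_Catalog5\Catalog_Entries" | ForEach-Object {
    $e = Get-ItemProperty $_.PSPath
    '{0,-28} enabled={1} {2}' -f $e.DisplayString, $e.Enabled, (Test-ProviderDll $e.LibraryPath)
}

'--- Protocol providers (Protocol_Catalog9): base providers and LSPs ---'
Test-CatalogCount 'Protocol_Catalog9'
Get-ChildItem "$winsock\Protocol_Catalog9\Catalog_Entries" | ForEach-Object {
    # The DLL path is the leading NUL-terminated ANSI string of the PackedCatalogItem blob.
    $blob = (Get-ItemProperty $_.PSPath).PackedCatalogItem
    $dll  = [Text.Encoding]::ASCII.GetString($blob, 0, [Array]::IndexOf($blob, [byte]0))
    '{0,-28} {1}' -f $_.PSChildName, (Test-ProviderDll $dll)
}

'--- TCP/IP DNS client settings ---'
$tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
"hosts file directory (DataBasePath): $($tcpip.DataBasePath)"
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces' | ForEach-Object {
    $i = Get-ItemProperty $_.PSPath
    if ($i.NameServer -or $i.DhcpNameServer) {
        '{0}  NameServer={1}  DhcpNameServer={2}' -f $_.PSChildName, $i.NameServer, $i.DhcpNameServer
    }
}
```

Read the output as follows: a namespace or protocol entry reported MISSING, or a count MISMATCH, means the catalog still references a provider that is gone, and every lookup that is routed through that entry will fail before the hosts file or a DNS server is ever consulted; a SUSPECT or UNSIGNED entry is a provider worth checking before trusting the box. On Windows 2003 SP1 and later, "netsh winsock reset" rebuilds both catalogs from scratch, so a clean result from this script after the reset narrows the problem to the DNS client settings or to something outside Winsock.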
 
Expert Comment by Netflo (ID: 38833409)
Hi,

Please try the following:

1. Ensure you have a full backup of your server, in case you break your own server.
2. Perform an SFC /SCANNOW and have the Windows 2003 CD handy in the drive.
3. Perform a repair of your OS. Plan this out of hours, in case you need to restore the whole server.

Let me know how you get along.
Author Comment by jkeegan123 (ID: 38833476)
Scannow didn't work either. We're doing a swing migration to a temp DC and then a reinstallation of SBS on the existing hardware and a forklift reinstall of the Exchange DB... Much cleaner than restore from backup, since the backup files were still infected. Jeff Middleton at sbsmigration.com lays out the process extremely well.
Accepted Solution by jkeegan123 (ID: 38851739)
Solution ended up being an OS reload. We were unable to get TCP/IP to communicate with DNS after removal of the spyware... reinstalling the spyware was the only thing that was able to get DNS resolution to resume, even with Microsoft PSS on the line.

Reloading the OS using a SWING migration as a placeholder for Active Directory during the disaster recovery made the restore a LOT easier... a new install of SBS, promote off of an existing DC, reinstall SBS, restore the Exchange DB and data, and NOT restore the registry, AD, etc. from the backup, which would result in the restoration of some of the issues that the server originally had.
Author Closing Comment by jkeegan123 (ID: 38870808)
This was the only solution that worked.