Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Windows 2003 Server unable to resolve any DNS queries after spyware disinfect

Posted on 2013-01-29
4
Medium Priority
?
432 Views
Last Modified: 2013-02-09
Hello,

I have a Windows 2003 server that has been infected with a DNS hijack malware.  We removed it (ACTION ALERT malware which had a dll hooked into the registry somewhere called pgdns8.dll).  After removing the DLL and MALWARE hook, DNS no longer resolves ANYTHING.  

Does anyone know how to verify that the name resolution side of TCP/IP is linked correctly in the registry?  This seems like something that was intentionally fouled to redirect search engine results etc...and now that we removed it, it's not resolving the most BASIC item, even host file entries.

I have tried "netsh ip int reset log.txt" and "netsh winsock reset" or whatever the winsock command was, and it got me to where the server booted and saw Active Directory (it's a DC running it's own DNS and DNS is listening on the correct IP, AND other workstations can use the DNS server if I connect to it manually, just NOT the TCP/IP stack of the local server).

Ideas?
0
Comment
Question by:jkeegan123
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 18

Expert Comment

by:Netflo
ID: 38833409
Hi,

Please try the following:

1. Ensure you have a full backup of your server, in case you break your own server.
2. Perform a SFC /SCANNOW and have the Windows 2003 CD handy in the drive.
3. Perform a repair of your OS. Plan this out of hours, in case you need to restore the whole server.

Let me know how you get along.
0
 
LVL 5

Author Comment

by:jkeegan123
ID: 38833476
Scannow didn't work either, we're doing a swing migration to a temp dc and then a reinstallation of sbs on the existing hardware and a forklift reinstall of the exchange db... Much cleaner than restore from backup since the backup files were infected still. Jeff Middleton at sbsmigration.Com lays out the process extremely well.
0
 
LVL 5

Accepted Solution

by:
jkeegan123 earned 0 total points
ID: 38851739
Solution ended up being an OS reload, we were unable to get TCP/IP to communicate with DNS after removal of the spyware...reinstalling the spyware was the only thing that was able to get DNS resolution to resume, even with Microsoft PSS on the line.  

Reloading the OS using a SWING migration as a placeholder for Active Directory during the disaster recovery made restore a LOT easier...a new install of SBS, promote off of an existing DC, reinstall SBS, restore Exchange DB and data and NOT restore the registry, AD etc...from the backup which would result in the restoration of some of the issues that they server originally had.
0
 
LVL 5

Author Closing Comment

by:jkeegan123
ID: 38870808
This was the only solution that worked.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick step-by-step overview of installing and configuring Carbonite Server Backup.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question