Solved

Windows 2003 Server unable to resolve any DNS queries after spyware disinfect

Posted on 2013-01-29
Last Modified: 2013-02-09
Hello,

I have a Windows 2003 server that has been infected with DNS hijack malware. We removed it (ACTION ALERT malware which had a dll hooked into the registry somewhere called pgdns8.dll). After removing the DLL and MALWARE hook, DNS no longer resolves ANYTHING.

Does anyone know how to verify that the name resolution side of TCP/IP is linked correctly in the registry?  This seems like something that was intentionally fouled to redirect search engine results etc...and now that we removed it, it's not resolving the most BASIC item, even host file entries.

I have tried "netsh ip int reset log.txt" and "netsh winsock reset" or whatever the winsock command was, and it got me to where the server booted and saw Active Directory (it's a DC running its own DNS and DNS is listening on the correct IP, AND other workstations can use the DNS server if I connect to it manually, just NOT the TCP/IP stack of the local server).

Ideas?
Question by:jkeegan123
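One way to check what the question asks about, the Winsock name-space and protocol catalogs that TCP/IP name resolution is wired through in the registry, added here as an example and not code from this thread. It assumes the standard WinSock2 catalog layout under HKLM and PowerShell (v2 or later) on the affected host; the OUTSIDE_SYSTEM32 flag is only a review cue, since legitimate third-party providers (e.g. AV products) exist, while MISSING_ON_DISK is the dangling-hook case where a provider DLL was deleted but its catalog entry was left behind.

```powershell
# Added example (not from the thread): audit the Winsock catalogs for provider
# DLLs that are missing from disk or live outside %SystemRoot%\system32.
# Run in an elevated PowerShell session on the affected server.
$base     = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
$system32 = (Join-Path $env:SystemRoot 'system32').ToLower()

function Get-ProviderFlags {
    param([string]$Path)
    # Catalog paths are usually stored as %SystemRoot%\system32\foo.dll
    $full  = [Environment]::ExpandEnvironmentVariables($Path)
    $flags = @()
    if (-not (Test-Path -LiteralPath $full)) { $flags += 'MISSING_ON_DISK' }
    if (-not $full.ToLower().StartsWith($system32)) { $flags += 'OUTSIDE_SYSTEM32' }
    return ($flags -join ',')
}

function Get-WinsockProviders {
    # Name-space providers (DNS, NLA, ...) serve getaddrinfo/gethostbyname;
    # a broken entry here breaks name resolution for the local stack only,
    # which matches the symptom in the question.
    Get-ChildItem "$base\NameSpace_Catalog5\Catalog_Entries" | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        New-Object PSObject -Property @{
            Catalog = 'NameSpace'
            Entry   = $_.PSChildName
            Name    = $p.DisplayString
            Path    = $p.LibraryPath
            Flags   = (Get-ProviderFlags $p.LibraryPath)
        }
    }
    # Protocol / layered service providers: the DLL path is the first
    # NUL-terminated ANSI string inside the PackedCatalogItem blob.
    Get-ChildItem "$base\Protocol_Catalog9\Catalog_Entries" | ForEach-Object {
        $blob = (Get-ItemProperty $_.PSPath).PackedCatalogItem
        $len  = [Array]::IndexOf($blob, [byte]0)
        $path = [Text.Encoding]::ASCII.GetString($blob, 0, $len)
        New-Object PSObject -Property @{
            Catalog = 'Protocol'
            Entry   = $_.PSChildName
            Name    = ''
            Path    = $path
            Flags   = (Get-ProviderFlags $path)
        }
    }
}

# Flagged entries sort to the top; an empty Flags column is the normal case.
Get-WinsockProviders | Sort-Object Flags -Descending |
    Format-Table Catalog, Entry, Name, Path, Flags -AutoSize
```

If a flagged entry is found, `netsh winsock reset` rebuilds both catalogs from the built-in defaults, which is the step the author already tried; a catalog that looks clean after the reset points the problem elsewhere (e.g. the DNS client service or the TCP/IP stack itself).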
4 Comments
 
LVL 18

Expert Comment

by:Netflo
ID: 38833409
Hi,

Please try the following:

1. Ensure you have a full backup of your server, in case you break your own server.
2. Perform a SFC /SCANNOW and have the Windows 2003 CD handy in the drive.
3. Perform a repair of your OS. Plan this out of hours, in case you need to restore the whole server.

Let me know how you get along.
 
LVL 5

Author Comment

by:jkeegan123
ID: 38833476
Scannow didn't work either, we're doing a swing migration to a temp dc and then a reinstallation of sbs on the existing hardware and a forklift reinstall of the exchange db... Much cleaner than restore from backup since the backup files were infected still. Jeff Middleton at sbsmigration.Com lays out the process extremely well.
 
LVL 5

Accepted Solution

by:jkeegan123 (earned 0 total points)
ID: 38851739
Solution ended up being an OS reload, we were unable to get TCP/IP to communicate with DNS after removal of the spyware...reinstalling the spyware was the only thing that was able to get DNS resolution to resume, even with Microsoft PSS on the line.  

Reloading the OS using a SWING migration as a placeholder for Active Directory during the disaster recovery made restore a LOT easier...a new install of SBS, promote off of an existing DC, reinstall SBS, restore Exchange DB and data and NOT restore the registry, AD etc...from the backup, which would result in the restoration of some of the issues that the server originally had.
 
LVL 5

Author Closing Comment

by:jkeegan123
ID: 38870808
This was the only solution that worked.
