Solved

Windows 2003 Server unable to resolve any DNS queries after spyware disinfect

Posted on 2013-01-29
4
430 Views
Last Modified: 2013-02-09
Hello,

I have a Windows 2003 server that has been infected with a DNS hijack malware.  We removed it (ACTION ALERT malware which had a dll hooked into the registry somewhere called pgdns8.dll).  After removing the DLL and MALWARE hook, DNS no longer resolves ANYTHING.  

Does anyone know how to verify that the name resolution side of TCP/IP is linked correctly in the registry?  This seems like something that was intentionally fouled to redirect search engine results etc...and now that we removed it, it's not resolving the most BASIC item, even host file entries.

I have tried "netsh ip int reset log.txt" and "netsh winsock reset" or whatever the winsock command was, and it got me to where the server booted and saw Active Directory (it's a DC running it's own DNS and DNS is listening on the correct IP, AND other workstations can use the DNS server if I connect to it manually, just NOT the TCP/IP stack of the local server).

Ideas?
0
Comment
Question by:jkeegan123
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 18

Expert Comment

by:Netflo
ID: 38833409
Hi,

Please try the following:

1. Ensure you have a full backup of your server, in case you break your own server.
2. Perform a SFC /SCANNOW and have the Windows 2003 CD handy in the drive.
3. Perform a repair of your OS. Plan this out of hours, in case you need to restore the whole server.

Let me know how you get along.
0
 
LVL 5

Author Comment

by:jkeegan123
ID: 38833476
Scannow didn't work either, we're doing a swing migration to a temp dc and then a reinstallation of sbs on the existing hardware and a forklift reinstall of the exchange db... Much cleaner than restore from backup since the backup files were infected still. Jeff Middleton at sbsmigration.Com lays out the process extremely well.
0
 
LVL 5

Accepted Solution

by:
jkeegan123 earned 0 total points
ID: 38851739
Solution ended up being an OS reload, we were unable to get TCP/IP to communicate with DNS after removal of the spyware...reinstalling the spyware was the only thing that was able to get DNS resolution to resume, even with Microsoft PSS on the line.  

Reloading the OS using a SWING migration as a placeholder for Active Directory during the disaster recovery made restore a LOT easier...a new install of SBS, promote off of an existing DC, reinstall SBS, restore Exchange DB and data and NOT restore the registry, AD etc...from the backup which would result in the restoration of some of the issues that they server originally had.
0
 
LVL 5

Author Closing Comment

by:jkeegan123
ID: 38870808
This was the only solution that worked.
0

Featured Post

[Webinar] Learn How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question