Solved

Windows 2003 Server unable to resolve any DNS queries after spyware disinfect

Posted on 2013-01-29
4
429 Views
Last Modified: 2013-02-09
Hello,

I have a Windows 2003 server that has been infected with a DNS hijack malware.  We removed it (ACTION ALERT malware which had a dll hooked into the registry somewhere called pgdns8.dll).  After removing the DLL and MALWARE hook, DNS no longer resolves ANYTHING.  

Does anyone know how to verify that the name resolution side of TCP/IP is linked correctly in the registry?  This seems like something that was intentionally fouled to redirect search engine results etc...and now that we removed it, it's not resolving the most BASIC item, even host file entries.

I have tried "netsh ip int reset log.txt" and "netsh winsock reset" or whatever the winsock command was, and it got me to where the server booted and saw Active Directory (it's a DC running it's own DNS and DNS is listening on the correct IP, AND other workstations can use the DNS server if I connect to it manually, just NOT the TCP/IP stack of the local server).

Ideas?
0
Comment
Question by:jkeegan123
  • 3
4 Comments
 
LVL 18

Expert Comment

by:Netflo
ID: 38833409
Hi,

Please try the following:

1. Ensure you have a full backup of your server, in case you break your own server.
2. Perform a SFC /SCANNOW and have the Windows 2003 CD handy in the drive.
3. Perform a repair of your OS. Plan this out of hours, in case you need to restore the whole server.

Let me know how you get along.
0
 
LVL 5

Author Comment

by:jkeegan123
ID: 38833476
Scannow didn't work either, we're doing a swing migration to a temp dc and then a reinstallation of sbs on the existing hardware and a forklift reinstall of the exchange db... Much cleaner than restore from backup since the backup files were infected still. Jeff Middleton at sbsmigration.Com lays out the process extremely well.
0
 
LVL 5

Accepted Solution

by:
jkeegan123 earned 0 total points
ID: 38851739
Solution ended up being an OS reload, we were unable to get TCP/IP to communicate with DNS after removal of the spyware...reinstalling the spyware was the only thing that was able to get DNS resolution to resume, even with Microsoft PSS on the line.  

Reloading the OS using a SWING migration as a placeholder for Active Directory during the disaster recovery made restore a LOT easier...a new install of SBS, promote off of an existing DC, reinstall SBS, restore Exchange DB and data and NOT restore the registry, AD etc...from the backup which would result in the restoration of some of the issues that they server originally had.
0
 
LVL 5

Author Closing Comment

by:jkeegan123
ID: 38870808
This was the only solution that worked.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Learn about cloud computing and its benefits for small business owners.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question