Solved

DNS Server Suddenly changed, Windows 7 & 8

Posted on 2014-04-22
13
590 Views
Last Modified: 2014-07-22
We manage several workstations across multiple clients and locations.  Three totally unrelated systems (different networks, different clients, different network hardware, different isps) suddenly lost DNS server settings.  Two of them were blanked out completely, and I had to manually enter DNS server address to restore connectivity.  One changed the DNS server to 8.8.8.8 manually.  I had to change to DHCP lease to restore connectivity.  

3 Example machines
1. Sonicwall Firewall, domain member, DHCP comes from Router, Windows 8 Pro
2. Netgear Router, workgroup member,  DHCP server is netgear, Windows 7
3. Cisco Firewall, domain member,  DHCP server is WIndows 2012 Server, Windows 7

Sounds like malware but all scans come up clean.  Any ideas?
0
Comment
Question by:Jordan Smith
  • 7
  • 3
  • 2
  • +1
13 Comments
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40015045
It sounds like you might have spyware.

You might want to run a spyware checker to see if anything is found.

Try www.superantispyware.com

or www.malwarebuytes.com

They both work well for me.
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40015046
0
 
LVL 1

Author Comment

by:Jordan Smith
ID: 40015060
I ran malware bytes. Came clean one one system, currently running on another.
0
 
LVL 1

Author Comment

by:Jordan Smith
ID: 40015157
All scans have come back clean.  What else could be causing this.  I have an RMM (Labtech) running on all three machines.  Anyone heard of any issues with this?
0
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 40015240
Try seeing if a rootkit is causing the issue. Do a search for TDSKiller. This is a free download. Once the download is done do a scan to see if anything is found.

http://www.bleepingcomputer.com/download/tdsskiller/

When this issue popped up did the routers/DHCP servers still hand out the DNS server addresses in the DHCP lease?

Can you elaborate on what your RMM is doing?
0
 
LVL 1

Author Comment

by:Jordan Smith
ID: 40015258
I'll look into the rootkit scan...

All other systems on the network received correct info from the DHCP server.

RMM is our remote management software, like LogMeIn
It allows remote connection, reports data on the agent, handles MS patch updates.
We also have GFI Vipre AV and HitmanPro Antimalware installed on all agents.
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40015486
Try the Bit defender Rescue CD. Download the iso, burn a cd/dvd and boot with it. I tried it over the weekend and it's great. it boots into Linux, downloads the anti virus definition files and runs a full scan.

It found some things I was not aware of

http://www.bitdefender.com/support/how-to-create-a-bitdefender-rescue-cd-627.html
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 40017556
> Three totally unrelated systems

do they belong to the same owner or company? are they sharing the same external DNS? do they need to access each other? anything of the three networks is common?

BTW, better stop installing and running any more malware scanner or cleaner as they are basically a kind of virus (working the same way as virus at the same low/system level), this will possibly cause more troubles for a healthy system.
0
 
LVL 1

Author Comment

by:Jordan Smith
ID: 40017569
Totally unrelated. Only commonality is gfi vipre and human pro running on all three. Different ISPs. Different companies,
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 40017619
thanks for the clarification.

in my understanding, one more thing common is that they are all managed by you. :-)

this naturally leads me to speculate something you regularly use possibly causes the issue? such as utilities and/or settings?

moreover, have you checked the "hosts" file? when DNS setting is missing, any non-default content has benn added into the manual DNS file?
0
 
LVL 1

Author Comment

by:Jordan Smith
ID: 40030685
bbao,

We have no other common utilites running on these system, so I am seriously suspecting my security software GFI Vipre and HitmanPro.  I can't find any chatter online regarding this issue so I have no way to confirm or even support my suspicions.  Has anyone heard of security software messing with DNS settings?  

Hosts file is clean.
0
 
LVL 1

Accepted Solution

by:
Jordan Smith earned 0 total points
ID: 40203071
Talked to Surfright, turns out HitmanPro does this.  Issue resolved.
0
 
LVL 1

Author Closing Comment

by:Jordan Smith
ID: 40211128
Talked to Surfright, turns out HitmanPro does this.  Issue resolved.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

One of the most often confused topics in the area DNS is the idea of GLUE records. Specifically, what they are, when they are needed, when they are provided, and how they are created. First, WHAT IS GLUE? To understand GLUE, you must first under…
Are you one of those front-line IT Service Desk staff fielding calls, replying to emails, all-the-while working to resolve end-user technological nightmares? I am! That's why I have put together this brief overview of tools and techniques I use in o…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now