Solved

DNS Server Suddenly changed, Windows 7 & 8

Posted on 2014-04-22
Last Modified: 2014-07-22
We manage several workstations across multiple clients and locations.  Three totally unrelated systems (different networks, different clients, different network hardware, different ISPs) suddenly lost DNS server settings.  Two of them were blanked out completely, and I had to manually enter a DNS server address to restore connectivity.  One changed the DNS server to 8.8.8.8 manually.  I had to change to a DHCP lease to restore connectivity.  

3 Example machines
1. Sonicwall Firewall, domain member, DHCP comes from router, Windows 8 Pro
2. Netgear Router, workgroup member, DHCP server is the Netgear, Windows 7
3. Cisco Firewall, domain member, DHCP server is Windows 2012 Server, Windows 7

Sounds like malware but all scans come up clean.  Any ideas?
Question by:Jordan Smith
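One way to catch this class of change on managed machines before a user loses connectivity, written here as an added example (not code from the thread or from any product named in it): a PowerShell audit that flags adapters with no DNS servers, a static NameServer value overriding a DHCP lease (the 8.8.8.8 case), DNS servers outside a per-site allow-list, and non-default hosts entries. The $ApprovedDns list and the exit-code convention for the RMM monitor are assumptions.

```powershell
# Added example: audit DNS configuration per IP-enabled adapter plus the hosts file.
# Win32_NetworkAdapterConfiguration is used because it exists on Windows 7 as well as 8
# (Get-DnsClientServerAddress does not). $ApprovedDns is an assumption; set it per site.
$ApprovedDns = @('192.168.1.1', '192.168.1.10')   # assumed: site router / internal DNS servers
$ifKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$findings = @()

Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $nic = $_
    $dns = @($nic.DNSServerSearchOrder)
    # The per-interface registry key separates static DNS (NameServer) from DHCP-assigned DNS (DhcpNameServer)
    $reg = Get-ItemProperty -Path (Join-Path $ifKey $nic.SettingID) -ErrorAction SilentlyContinue
    $static = if ($reg -and $reg.NameServer) { $reg.NameServer } else { '' }

    if ($dns.Count -eq 0) {
        $findings += "$($nic.Description): no DNS servers configured (DHCP enabled: $($nic.DHCPEnabled))"
    }
    if ($nic.DHCPEnabled -and $static) {
        # A DHCP client carrying a static NameServer value: something overrode the lease
        $findings += "$($nic.Description): DHCP lease overridden by static DNS '$static'"
    }
    foreach ($server in $dns) {
        if ($ApprovedDns -notcontains $server) {
            $findings += "$($nic.Description): unexpected DNS server $server"
        }
    }
}

# Hosts file: anything beyond comments, blank lines and the loopback entries deserves a look
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath | ForEach-Object {
    $line = $_.Trim()
    if ($line -and -not $line.StartsWith('#') -and $line -notmatch '^(127\.0\.0\.1|::1)\s+localhost$') {
        $findings += "hosts file: non-default entry '$line'"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: DNS configuration and hosts file match expectations'
    exit 0
} else {
    $findings | ForEach-Object { Write-Output "ALERT: $_" }
    exit 1   # non-zero so an RMM monitor (Labtech or similar) can alert on it
}
```

Run it as a scheduled RMM script; a non-zero exit after a scanner update is the signal to look at what changed the settings.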
13 Comments
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40015045
It sounds like you might have spyware.

You might want to run a spyware checker to see if anything is found.

Try www.superantispyware.com

or www.malwarebytes.com

They both work well for me.
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40015046
 
LVL 1

Author Comment

by:Jordan Smith
ID: 40015060
I ran Malwarebytes. Came clean on one system, currently running on another.
 
LVL 1

Author Comment

by:Jordan Smith
ID: 40015157
All scans have come back clean.  What else could be causing this?  I have an RMM (Labtech) running on all three machines.  Anyone heard of any issues with this?
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 40015240
Try seeing if a rootkit is causing the issue. Do a search for TDSSKiller. This is a free download. Once the download is done, do a scan to see if anything is found.

http://www.bleepingcomputer.com/download/tdsskiller/

When this issue popped up did the routers/DHCP servers still hand out the DNS server addresses in the DHCP lease?

Can you elaborate on what your RMM is doing?
 
LVL 1

Author Comment

by:Jordan Smith
ID: 40015258
I'll look into the rootkit scan...

All other systems on the network received correct info from the DHCP server.

RMM is our remote management software, like LogMeIn
It allows remote connection, reports data on the agent, handles MS patch updates.
We also have GFI Vipre AV and HitmanPro Antimalware installed on all agents.
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40015486
Try the Bitdefender Rescue CD. Download the ISO, burn a CD/DVD and boot with it. I tried it over the weekend and it's great. It boots into Linux, downloads the antivirus definition files and runs a full scan.

It found some things I was not aware of.

http://www.bitdefender.com/support/how-to-create-a-bitdefender-rescue-cd-627.html
 
LVL 37

Expert Comment

by:bbao
ID: 40017556
> Three totally unrelated systems

Do they belong to the same owner or company? Are they sharing the same external DNS? Do they need to access each other? Is anything common to the three networks?

BTW, better stop installing and running any more malware scanners or cleaners, as they are basically a kind of virus (working the same way as a virus at the same low/system level); this will possibly cause more trouble for a healthy system.
 
LVL 1

Author Comment

by:Jordan Smith
ID: 40017569
Totally unrelated. Only commonality is GFI Vipre and HitmanPro running on all three. Different ISPs. Different companies.
 
LVL 37

Expert Comment

by:bbao
ID: 40017619
Thanks for the clarification.

In my understanding, one more thing in common is that they are all managed by you. :-)

This naturally leads me to speculate that something you regularly use possibly causes the issue, such as utilities and/or settings?

Moreover, have you checked the "hosts" file? When the DNS setting is missing, has any non-default content been added into the manual DNS file?
 
LVL 1

Author Comment

by:Jordan Smith
ID: 40030685
bbao,

We have no other common utilities running on these systems, so I am seriously suspecting my security software GFI Vipre and HitmanPro.  I can't find any chatter online regarding this issue, so I have no way to confirm or even support my suspicions.  Has anyone heard of security software messing with DNS settings?  

Hosts file is clean.
 
LVL 1

Accepted Solution

by:Jordan Smith (earned 0 total points)
ID: 40203071
Talked to Surfright, turns out HitmanPro does this.  Issue resolved.
 
LVL 1

Author Closing Comment

by:Jordan Smith
ID: 40211128
Talked to Surfright, turns out HitmanPro does this.  Issue resolved.

Question has a verified solution.