Solved

DNS Server Suddenly changed, Windows 7 & 8

Posted on 2014-04-22
Medium Priority
629 Views
Last Modified: 2014-07-22
We manage several workstations across multiple clients and locations. Three totally unrelated systems (different networks, different clients, different network hardware, different ISPs) suddenly lost their DNS server settings. Two of them were blanked out completely, and I had to manually enter a DNS server address to restore connectivity. On one, the DNS server had been changed to a manual setting of 8.8.8.8; I had to switch it back to DHCP to restore connectivity.

3 Example machines
1. Sonicwall Firewall, domain member, DHCP comes from Router, Windows 8 Pro
2. Netgear Router, workgroup member, DHCP server is Netgear, Windows 7
3. Cisco Firewall, domain member, DHCP server is Windows 2012 Server, Windows 7

Sounds like malware but all scans come up clean.  Any ideas?
0
Question by:Jordan Smith
13 Comments
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40015045
It sounds like you might have spyware.

You might want to run a spyware checker to see if anything is found.

Try www.superantispyware.com

or www.malwarebytes.com

They both work well for me.
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40015046
0
 
LVL 1

Author Comment

by:Jordan Smith
ID: 40015060
I ran Malwarebytes. Came back clean on one system, currently running on another.
0
 
LVL 1

Author Comment

by:Jordan Smith
ID: 40015157
All scans have come back clean. What else could be causing this? I have an RMM (LabTech) running on all three machines. Anyone heard of any issues with this?
0
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 40015240
Try seeing if a rootkit is causing the issue. Do a search for TDSSKiller. This is a free download. Once the download is done, do a scan to see if anything is found.

http://www.bleepingcomputer.com/download/tdsskiller/

When this issue popped up did the routers/DHCP servers still hand out the DNS server addresses in the DHCP lease?

Can you elaborate on what your RMM is doing?
0
 
LVL 1

Author Comment

by:Jordan Smith
ID: 40015258
I'll look into the rootkit scan...

All other systems on the network received correct info from the DHCP server.

RMM is our remote management software, like LogMeIn
It allows remote connection, reports data on the agent, handles MS patch updates.
We also have GFI Vipre AV and HitmanPro Antimalware installed on all agents.
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40015486
Try the Bitdefender Rescue CD. Download the ISO, burn a CD/DVD and boot with it. I tried it over the weekend and it's great. It boots into Linux, downloads the antivirus definition files and runs a full scan.

It found some things I was not aware of

http://www.bitdefender.com/support/how-to-create-a-bitdefender-rescue-cd-627.html
0
 
LVL 37

Expert Comment

by:bbao
ID: 40017556
> Three totally unrelated systems

Do they belong to the same owner or company? Are they sharing the same external DNS? Do they need to access each other? Is anything about the three networks common?

BTW, better stop installing and running any more malware scanners or cleaners, as they are basically a kind of virus (working the same way as a virus, at the same low/system level); this will possibly cause more trouble for a healthy system.
0
 
LVL 1

Author Comment

by:Jordan Smith
ID: 40017569
Totally unrelated. The only commonality is GFI Vipre and HitmanPro running on all three. Different ISPs. Different companies.
0
 
LVL 37

Expert Comment

by:bbao
ID: 40017619
Thanks for the clarification.

In my understanding, one more thing in common is that they are all managed by you. :-)

This naturally leads me to speculate that something you regularly use possibly causes the issue, such as utilities and/or settings?

Moreover, have you checked the "hosts" file? When the DNS setting is missing, has any non-default content been added to the manual DNS file?
0
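The checks discussed above, gathered into one script: which adapters have lost their resolvers or picked up a manual override such as 8.8.8.8 (the symptom in the question), what the DHCP lease actually offered (BigPapaGotti's question), whether the hosts file carries non-default entries (bbao's suggestion), and whether anything changed since the last run. This is an added example, not code from the thread or from any of the products mentioned. It uses WMI and the Tcpip interface registry keys so it runs under PowerShell 2.0 on Windows 7 as well as on Windows 8; $ExpectedDns, $BaselinePath and the list of public resolvers are assumptions for the example, adjust them to the site.

```powershell
# Added example (not from the thread): audit DNS client settings and the hosts file on a
# Windows 7/8 workstation, and diff against the previous run so a silent change is reported.
# Run from an elevated prompt; a non-zero exit code lets an RMM flag the machine.

param(
    [string[]]$ExpectedDns  = @('192.168.1.10'),                        # assumed: what DHCP should hand out
    [string]  $BaselinePath = "$env:ProgramData\dns-audit-baseline.xml"  # assumed snapshot location
)

# Assumed list of public resolvers that should never appear on a domain member's NIC.
$PublicResolvers = @('8.8.8.8', '8.8.4.4', '1.1.1.1', '208.67.222.222', '208.67.220.220')
$IfaceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-AdapterDnsState {
    # One record per IP-enabled adapter. NameServer in the registry is the manual override;
    # DhcpNameServer is what the lease offered, so the two can be compared directly.
    $records = @()
    foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE") {
        $key = Get-ItemProperty -Path (Join-Path $IfaceKey $nic.SettingID) -ErrorAction SilentlyContinue
        $records += New-Object PSObject -Property @{
            Adapter     = $nic.Description
            DhcpEnabled = [bool]$nic.DHCPEnabled
            DhcpServer  = [string]$nic.DHCPServer
            DnsServers  = @($nic.DNSServerSearchOrder)   # effective list; $null becomes empty
            StaticDns   = [string]$key.NameServer         # non-empty => manual override present
            DhcpDns     = [string]$key.DhcpNameServer     # resolvers offered by the lease
        }
    }
    return $records
}

function Test-DnsState([object[]]$Records) {
    $findings = @()
    foreach ($r in $Records) {
        $tag = "[$($r.Adapter)]"
        if ($r.DnsServers.Count -eq 0) {
            $findings += "$tag no DNS servers configured (blanked out)"
        }
        if ($r.DhcpEnabled -and $r.StaticDns -ne '') {
            $findings += "$tag DHCP adapter has manual DNS override '$($r.StaticDns)'; lease offered '$($r.DhcpDns)'"
        }
        foreach ($srv in $r.DnsServers) {
            if ($PublicResolvers -contains $srv) {
                $findings += "$tag public resolver $srv in use; expected $($ExpectedDns -join ',')"
            } elseif ($ExpectedDns -notcontains $srv) {
                $findings += "$tag unexpected resolver $srv"
            }
        }
    }
    return $findings
}

function Get-HostsOverrides {
    # The default Windows 7/8 hosts file contains only comments, so any live line is non-default.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
}

function Compare-WithBaseline([object[]]$Records) {
    # Report adapters whose resolver list differs from the snapshot taken on the previous run,
    # then overwrite the snapshot. Import/Export-Clixml are available on PowerShell 2.0.
    $drift = @()
    if (Test-Path $BaselinePath) {
        $old = Import-Clixml $BaselinePath
        foreach ($r in $Records) {
            $prev = $old | Where-Object { $_.Adapter -eq $r.Adapter }
            $now  = $r.DnsServers -join ','
            if ($prev -and (($prev.DnsServers -join ',') -ne $now)) {
                $drift += "[$($r.Adapter)] DNS changed since last run: '$($prev.DnsServers -join ',')' -> '$now'"
            }
        }
    }
    $Records | Export-Clixml $BaselinePath
    return $drift
}

$state  = Get-AdapterDnsState
$report = @(Test-DnsState $state) + @(Compare-WithBaseline $state)
foreach ($line in Get-HostsOverrides) { $report += "[hosts] non-default entry: $line" }

if ($report.Count -eq 0) { 'OK: DNS settings match expectations' } else { $report }
exit $report.Count
```

Scheduling this from the RMM on every managed machine gives a timestamped record of when the resolver list changed, which is what was missing in the thread: with three unrelated sites hit, the first run that reports drift narrows the window to whatever ran on the box just before it, whether a scheduled scan, a patch cycle or an agent update.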
 
LVL 1

Author Comment

by:Jordan Smith
ID: 40030685
bbao,

We have no other common utilities running on these systems, so I am seriously suspecting my security software, GFI Vipre and HitmanPro. I can't find any chatter online regarding this issue, so I have no way to confirm or even support my suspicions. Has anyone heard of security software messing with DNS settings?

Hosts file is clean.
0
 
LVL 1

Accepted Solution

by:
Jordan Smith earned 0 total points
ID: 40203071
Talked to Surfright, turns out HitmanPro does this.  Issue resolved.
0
 
LVL 1

Author Closing Comment

by:Jordan Smith
ID: 40211128
Talked to Surfright, turns out HitmanPro does this.  Issue resolved.
0
