Solved

DNS Server Suddenly changed, Windows 7 & 8

Posted on 2014-04-22
Last Modified: 2014-07-22
We manage several workstations across multiple clients and locations. Three totally unrelated systems (different networks, different clients, different network hardware, different ISPs) suddenly lost DNS server settings. Two of them were blanked out completely, and I had to manually enter a DNS server address to restore connectivity. One changed the DNS server to 8.8.8.8 manually. I had to change to DHCP lease to restore connectivity.

3 Example machines
1. Sonicwall Firewall, domain member, DHCP comes from Router, Windows 8 Pro
2. Netgear Router, workgroup member, DHCP server is Netgear, Windows 7
3. Cisco Firewall, domain member, DHCP server is Windows 2012 Server, Windows 7

Sounds like malware but all scans come up clean.  Any ideas?
Question by:Jordan Smith
13 Comments
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40015045
It sounds like you might have spyware.

You might want to run a spyware checker to see if anything is found.

Try www.superantispyware.com

or www.malwarebuytes.com

They both work well for me.
 
LVL 1

Author Comment

by:Jordan Smith
ID: 40015060
I ran Malwarebytes. Came back clean on one system, currently running on another.
 
LVL 1

Author Comment

by:Jordan Smith
ID: 40015157
All scans have come back clean. What else could be causing this? I have an RMM (Labtech) running on all three machines. Anyone heard of any issues with this?
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 40015240
Try seeing if a rootkit is causing the issue. Do a search for TDSSKiller. This is a free download. Once the download is done, do a scan to see if anything is found.

http://www.bleepingcomputer.com/download/tdsskiller/

When this issue popped up did the routers/DHCP servers still hand out the DNS server addresses in the DHCP lease?

Can you elaborate on what your RMM is doing?
 
LVL 1

Author Comment

by:Jordan Smith
ID: 40015258
I'll look into the rootkit scan...

All other systems on the network received correct info from the DHCP server.

RMM is our remote management software, like LogMeIn
It allows remote connection, reports data on the agent, handles MS patch updates.
We also have GFI Vipre AV and HitmanPro Antimalware installed on all agents.
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 40015486
Try the Bitdefender Rescue CD. Download the ISO, burn a CD/DVD and boot with it. I tried it over the weekend and it's great. It boots into Linux, downloads the antivirus definition files and runs a full scan.

It found some things I was not aware of.

http://www.bitdefender.com/support/how-to-create-a-bitdefender-rescue-cd-627.html
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 40017556
> Three totally unrelated systems

Do they belong to the same owner or company? Are they sharing the same external DNS? Do they need to access each other? Is anything common among the three networks?

BTW, better to stop installing and running any more malware scanners or cleaners, as they are basically a kind of virus (working the same way as a virus at the same low/system level); this will possibly cause more trouble for a healthy system.
 
LVL 1

Author Comment

by:Jordan Smith
ID: 40017569
Totally unrelated. Only commonality is GFI Vipre and HitmanPro running on all three. Different ISPs. Different companies.
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 40017619
Thanks for the clarification.

In my understanding, one more thing in common is that they are all managed by you. :-)

This naturally leads me to speculate that something you regularly use is possibly causing the issue, such as utilities and/or settings?

Moreover, have you checked the "hosts" file? When the DNS setting is missing, has any non-default content been added to the manual DNS file?
 
LVL 1

Author Comment

by:Jordan Smith
ID: 40030685
bbao,

We have no other common utilities running on these systems, so I am seriously suspecting my security software GFI Vipre and HitmanPro. I can't find any chatter online regarding this issue so I have no way to confirm or even support my suspicions. Has anyone heard of security software messing with DNS settings?

Hosts file is clean.
 
LVL 1

Accepted Solution

by:
Jordan Smith earned 0 total points
ID: 40203071
Talked to Surfright, turns out HitmanPro does this.  Issue resolved.
 
LVL 1

Author Closing Comment

by:Jordan Smith
ID: 40211128
Talked to Surfright, turns out HitmanPro does this.  Issue resolved.
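
The checks raised in this thread (whether the DNS servers handed out by DHCP were replaced by a manual entry such as 8.8.8.8 or blanked, and whether the hosts file gained entries) can be gathered in one read-only pass on each workstation. The PowerShell below is an added example, not code from any poster or vendor; the function names and finding labels are illustrative, and it assumes the standard per-interface `NameServer` (manual) and `DhcpNameServer` (lease) registry values.

```powershell
# Added example: read-only audit of per-interface DNS settings and the hosts file.
# Uses only PowerShell 2.0 features, so it runs on Windows 7 and Windows 8.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Split-DnsList([string]$Value) {
    # NameServer may be comma- or space-separated; DhcpNameServer is space-separated.
    if ([string]::IsNullOrEmpty($Value)) { return @() }
    return @($Value -split '[,\s]+' | Where-Object { $_ })
}

function Get-DnsFinding([string[]]$Static, [string[]]$Dhcp) {
    # Illustrative labels: compare the manual entry with what the lease supplied.
    if ($Static.Count -gt 0 -and $Dhcp.Count -gt 0) {
        $extra = @($Static | Where-Object { $Dhcp -notcontains $_ })
        if ($extra.Count -gt 0) { return 'STATIC-OVERRIDES-DHCP' }
        return 'STATIC-MATCHES-DHCP'
    }
    if ($Static.Count -gt 0) { return 'STATIC-ONLY' }
    if ($Dhcp.Count -gt 0)   { return 'DHCP' }
    return 'NO-DNS-SERVERS'
}

Get-ChildItem $base | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    # Skip adapters with no address recorded (unused or virtual interfaces).
    $addrs = @(@($p.DhcpIPAddress) + @($p.IPAddress) |
               Where-Object { $_ -and $_ -ne '0.0.0.0' })
    if ($addrs.Count -eq 0) { return }
    $static = @(Split-DnsList $p.NameServer)
    $dhcp   = @(Split-DnsList $p.DhcpNameServer)
    New-Object PSObject -Property @{
        Interface  = $_.PSChildName
        EnableDHCP = $p.EnableDHCP
        StaticDns  = ($static -join ',')
        DhcpDns    = ($dhcp -join ',')
        Finding    = (Get-DnsFinding $static $dhcp)
    }
} | Select-Object Interface, EnableDHCP, StaticDns, DhcpDns, Finding |
    Format-Table -AutoSize

# The stock Windows 7/8 hosts file contains only comments,
# so any active line is non-default content worth reviewing.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$active = @(Get-Content $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' })
if ($active.Count -gt 0) { $active } else { 'hosts: no active entries' }
```

Run from an RMM on a schedule, a change in `Finding` between runs shows when the setting changed, which can then be lined up against the scan or update times of the installed security software.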