Question : Malware on Windows 2000 Application Server prevents other network nodes from accessing Internet

Last week I experienced a very strange phenomenon when upgrading a network infrastructure.

The customer currently has a single Windows 2000 Application / Active Directory Server that serves a couple of older scheduling and patient tracking information apps. These apps will be phased out in the next few weeks, but until that time it needs to be kept up and running.

Before he was fired, the previous IT Admin admitted that the server 'had viruses.' My initial examination of this ancient Dell PowerEdge Beast confirmed this; it performs mostly normally, but there are sure signs of exploitation, i.e. a HiJack This! Log File from a few months ago and Internet Exploder pop-ups after local login. The pop-ups don't go anywhere though, for this server can't route to the gateway. Read on.

Last week was a big step towards their new infrastructure: I updated the IP scheme to a simple 192.168.1.x/24 and physically cabled all nodes to a new group switch. DHCP and DNS are now handled by a Windows 2008 Server instead of the router. Internet access is pretty embarrassing; they have a home DSL connection shared through a simple Router / Access Point that provides about 24kbps speeds. Ouch! A T1 circuit is in the works.

Here's the strange part, which I only figured out after too many hours of hardware troubleshooting and experimentation: "Something" on the Windows 2000 Server causes other nodes plugged into the same switch to be denied Internet access. I've physically brought the Windows 2000 Server to my home network, and the same thing happens. There is a rogue service (malware, virus, rootkit, who knows) that is fired up when Windows Networking starts on this box, even in Safe Mode, and that immediately makes the Default Gateway (192.168.1.1) unpingable and unroutable for itself and other nodes on the same switch.

Over the weekend I tried several Linux and other A/V cleaners; most did not work due to the fact that I have a SCSI CD-ROM, but I was able to get my hands on an Avast BART PE 2009 disc and fire that up this afternoon. I'm hoping that when I check on it tomorrow morning I will have some tangible scanning results.

The server does have two Intel 10/100 Series NICs; I tried using the other one today, but no difference. I promise that I have checked that the NIC does not have anything more than normal TCP/IP settings.

Normally I wouldn't bother trying to fix servers that are compromised. It's not worth the time. In this case, however, it has to be fixed.

Finally, here's my question: Does anyone have any idea what this could be? Ever experienced anything like it? Any ideas on getting around it?

Much appreciated.

Jason

Answer : Malware on Windows 2000 Application Server prevents other network nodes from accessing Internet

Why is it so slow? I know there is no SLA on DSL services, but that is very slow. Have you called their support to see what speeds you "should" be seeing? Sounds like the server isn't really part of the equation on speed. Certainly, you want to get rid of the malware; but it appears from what you've said that it's isolated.