
What started today as an inability to get to the internet (but people could get in just fine) morphed into realizing that the DNS server wasn't working; then we figured out that we had a trojan called DNSHost.exe (spybot.rl, I think), and we disabled its service entry and deleted the offending file and all the registry keys the Trend Micro site told us to.

Now, we can get on the internet, but the printer being served by this machine (called server2) cannot be printed to from any client machine on the network.

We get the error "The RPC Server is unavailable".

I'm assuming that this is related to the DNS issue we had earlier, as we were able to print just fine until this fun happiness started this morning.

Anyone have any solid suggestions? Windows Server 2003 R2 SP2, and the client machines are all Windows XP SP2.

Matt Dawdy
  • Look in the system event log for errors related to the RPC server, check whether the RPC and Print Server services are started, etc. Since the server has been compromised there isn't any way to know exactly what happened. In the long run a reinstall would be preferred. Running the System File Checker, http://support.microsoft.com/kb/310747, may help, but I would want a full image backup first. – Ed Fries Mar 06 '10 at 00:43
  • Hi Ed -- thanks for the advice. I have verified that both the Print Spooler and RPC services are starting, supposedly fine. What I have also noticed is that from another computer, clicking on "Add Printer" and choosing to browse for one brings up "Microsoft Network" and it immediately shows no options under there. No plus sign, and nothing happens when I double click. It's as if you can't browse to find a machine or shares on other machines on the network now. – Matt Dawdy Mar 06 '10 at 04:11
  • Sorry, same advice: back up to an image, review the event logs for errors and post/deal with them individually. SFC may help but involves risk. There isn't enough info here to go on; there are many reasons RPC may be unavailable: corrupt OS, firewall, default shares are gone, etc., etc. The event log is the place to start. Without knowing what the server does, it may be faster to back up the data, document everything, back it up again, and wipe and start over. – Ed Fries Mar 06 '10 at 17:11
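A triage script along the lines Ed suggests, as an added example that is not from the original thread. It assumes Windows PowerShell (the Get-EventLog and Get-WmiObject cmdlets, which PowerShell 7 no longer ships) and a local admin session on the affected server; the service names and the DNSHost.exe filter are the only specifics taken from the post.

```powershell
# Added triage example, not from the original thread. Assumes Windows PowerShell
# (Get-EventLog / Get-WmiObject are absent in PowerShell 7) and local admin rights.

# Services that remote printing and share browsing depend on:
# RpcSs = RPC, Spooler = Print Spooler, LanmanServer = Server (file/print shares),
# Browser = Computer Browser (the "Microsoft Network" browse list).
$requiredServices = 'RpcSs', 'Spooler', 'LanmanServer', 'Browser'

Write-Host "== Service state =="
foreach ($name in $requiredServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Host ("{0,-14} NOT PRESENT" -f $name); continue }
    $startMode = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
    Write-Host ("{0,-14} {1,-8} start={2}" -f $name, $svc.Status, $startMode)
}

Write-Host "`n== Default administrative shares (missing ones break remote print/admin) =="
Get-WmiObject Win32_Share |
    Where-Object { $_.Name -in 'ADMIN$', 'IPC$', 'print$' } |
    Select-Object Name, Path | Format-Table -AutoSize

Write-Host "`n== Recent System log errors/warnings from RPC, DCOM, spooler or browser =="
Get-EventLog -LogName System -EntryType Error, Warning -Newest 500 |
    Where-Object { $_.Source -match 'Rpc|DCOM|Spooler|Print|Browser' -or
                   $_.Message -match 'RPC server' } |
    Select-Object TimeGenerated, Source, EventID,
        @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Substring(0, [Math]::Min(100, $_.Message.Length)) } } |
    Format-Table -AutoSize -Wrap

Write-Host "`n== Service entries still pointing at DNSHost.exe (the trojan named in the post) =="
Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services | ForEach-Object {
    $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if ($props.ImagePath -match 'DNSHost\.exe') {
        Write-Host ("{0}: {1}" -f $_.PSChildName, $props.ImagePath)
    }
}
```

Any service that is stopped or set to Disabled, a missing ADMIN$/IPC$ share, or a lingering service entry for the trojan is the first thing to chase before looking at the printer itself.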

1 Answer

The "solution" ended up being to hire a company to come in and clean the entire network. They came in, unhooked every machine from the network (and the routers and firewall, too), scanned them all with like 10 different virus/spyware scanners, defragged every HD (for good measure), updated every PC to the latest service packs, did the same for the servers, changed every password in the system, reset and reconfigured the routers and firewalls to close every port except the ones needed, set up group policies, made users not admins of their machines, etc.

This took close to 18 hours @ $65 an hour, but now the network and all the machines are screaming fast and no intrusions have been detected.

It's drastic, but this network was in dire need of an overhaul, and the security company gave us a list of all that they found -- 290 trojans on 10 machines, a variety of spyware, and the firewall had rules to open specific ports, but someone had added a rule in the last year that opened up all the ports, so they fixed that, too.

I know that security is an ongoing process, but the results so far are actually palpable in how much better things are running.

Matt Dawdy