
Flushing/Clearing DNS cache


13 replies to this topic

#1 DFringe

DFringe

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:47 AM

Posted 02 August 2010 - 02:49 AM

We've had some malware issues that are now coming back clear (whether they are clear is still a cause for concern). Problem is my server (running 2003) is hanging on the most basic system functions, start menu, opening 'my computer', really basic things. If left well alone it runs the apps I need it to run but when trying to navigate anywhere on the server I get terrible hanging which sometimes forces a restart (which isn't ideal with the server).

I'm trying to clean the server to the best of my ability. When I use ipconfig/displaydns there are quite a few entries in the displayed results that don't/won't clear as and when I flushdns as an administrator.

Also the CPU usage is going through the roof on some processes although it still hangs when the CPU usage is down to 4 or 5%.

I can still use the server for our work processes (we're a commercial printing company and the server drives our main rip through 6 sub apps sat on a partitioned drive G:).

Just wondering if someone could work through any process that might be able to help

Thanks in advance



#2 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:02:47 AM

Posted 03 August 2010 - 07:40 AM

Can you tell us if your 2003 server is also a DNS server?

Are you on a Domain Network setup?

Can you give the details of "IPCONFIG / ALL" please?
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#3 DFringe


Posted 04 August 2010 - 05:53 AM

The 2003 Server isn't a DNS server for US. It's the current platform that runs a RIP and its applications (we're a print company). It runs on Server 2003 because some people using the RIP/Workflow system do want to use it as a DNS Server to be able to control the apps from different locations, which is why the American company use a server platform. (We don't, btw.) Our hands are tied in the platform we HAVE to use because of the third party software.

ipconfig/ALL data:

Microsoft Windows [Version 5.2.3790]
© Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>ipconfig/all

Windows IP Configuration

Host Name . . . . . . . . . . . . : RAMPAGESERVER
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-04-23-C7-70-76
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.14
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Marvell Yukon 88E8050 PCI-E ASF Gigabit E
thernet Controller #2
Physical Address. . . . . . . . . : 00-04-23-C7-70-77



A previous employee (no longer at the company) had installed Spybot, which has been writing entries to the hosts file for two years, and even though it's been uninstalled the entries remained in the hosts file. I've used a Windows fixit to revert the hosts file to its default (whilst retaining a copy of the original hosts file) which seems to have turned the hosts file into a hosts.OLD file and not replaced it with a new one. When I try to ipconfig/displaydns it now tells me 'can't display dns resolver cache'.

I've run all malware software and online virus scanners, ESET and Trend HouseCall (we can't run server based antivirus on advice from the RIP creators as it's intrusive, as was Spybot, which is why I've uninstalled it) and they've come back clean. I've also run CCleaner with advanced settings to clear DNS cache and wipe free space on the C: and it's helped with the hanging I've been getting a little.

We're also running Cobian Backup which creates a volume shadow copy and I've noticed that the svchost.exe is memory heavy and I've been reading a lot about memory leaks when using volume shadow copy.

I don't know if this might also be causing a problem but I HAVE to make copies of the drives overnight.

Sorry if the info's a bit fractured and there's a lot of different symptoms and a lot of this info points towards malware at some point or other, but I'm coming up clean and so are my logs (HijackThis etc).

I feel like it's beating me.

#4 techextreme


Posted 04 August 2010 - 07:22 AM

Ok. One more question.

If you click start, run and type "services.msc" ( without the quotes ) do you see "DNS SERVER" in the list of services?

Also, can you tell me the full name of the computer. ( right click my computer click on properties. Click on the Computer Name Tab. )

The only thing I'm looking for is if "Full Computer Name" has something similar to: Server.yourbusiness.local or server.yourbusiness.com or something similar.

This will let me know if your computer is a domain controller or not.
Techextreme


#5 DFringe


Posted 05 August 2010 - 05:17 AM

services.msc shows up DNS Client not DNS Server.

'Full computer name' is RAMPAGESERVER.

#6 techextreme


Posted 05 August 2010 - 07:48 AM

Has a utility such as CCleaner been run or any other "Registry cleaner" been run on this machine?
Techextreme


#7 DFringe


Posted 06 August 2010 - 04:07 AM

I've run CCleaner as mentioned in the previous reply with advanced settings to clear DNS cache and wipe free space on the C: and it's helped with the hanging I've been getting a little, but I'm still getting it a bit.

I'm running daily scans with online virus scanners and anti-malware and they're coming up clean, my HijackThis logs are clean, yet I'm still getting some redirects to DNS entries in the old hosts log in Firefox. Not every time I open Firefox but certainly some of the time.

It's really annoying.

I just want to clean out the DNS cache and view it to check it only hosts the localhost. It lets me open the hosts file in Notepad and lets me delete all rogue entries but won't allow me to re-save it.

#8 coxchris

coxchris

  • Members
  • 1,151 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atwater
  • Local time:11:47 PM

Posted 06 August 2010 - 04:33 PM

This reply post has procedures that will restart the computer/server. Please be advised I have some server knowledge. If this server is in high demand then please disregard this post. I only intended to share suggestions.

Copy and paste these lines in Notepad.

@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0

Save as flush.bat to your desktop. Right click to run as Administrator. Your computer will reboot itself.

It resets the hosts file, releases and renews ip address, performs flushdns, resets winsock catalogs and restarts your pc.

From an old topic I posted. The information in the batch file is from Jacee, a Malware Removal Instructor on here.

See if that helps you reset your host file. If this does, download this application: http://www.javacoolsoftware.com/spywareblaster.html. SpywareBlaster is a program that prevents unauthorized data entries from the hosts files. You will need to update it once installed, enable protection, and update it periodically.

AA in Computer Networking Technology

BS in Information Technology 

Comptia A+, Project+, L+

Renewable:  N+,S+

CIW Web Design Specialist, JavaScript Specialist,  Database Design Specialist 

LPIC-1, SUSE 


#9 DFringe


Posted 09 August 2010 - 07:44 AM

Thanks Chris

That's helped out a lot. It's flushed the DNS out to local host only. Just had to reapply a manual IP as it flushes the IP address too but that's no problem.

What I can't understand though is I'm STILL getting redirects in both Firefox and IE8 browsers to either a new 'google' website or still to some of the rogue DNS entries in the previous hosts file!!

I've shown up clean on scans for nearly a week. Hijack this file SEEMS to be ok too.

I'm stumped.

#10 coxchris


Posted 09 August 2010 - 08:46 AM

I've used a Windows fixit to revert the hosts file to its default (whilst retaining a copy of the original hosts file) which seems to have turned the hosts file into a hosts.OLD file and not replaced it with a new one. When I try to ipconfig/displaydns it now tells me 'can't display dns resolver cache'.

You can replace hosts.old into the C:\windows\system32\drivers\etc. Just delete the rogue host file and put hosts.old into that directory and rename it to Host

Manually



#11 DFringe


Posted 10 August 2010 - 04:38 AM

Chris

When I used your method to successfully flush the DNS it created a new hosts file with the local host in the etc folder, so I've just removed the hosts.old file and it SEEMS to have stopped redirections.

Thanks very much for your help. I'm STILL getting quite a bit of hanging.

Just an afterthought. I'm using Cobian Backup which creates a volume shadow copy overnight when it backs up. Do you think this could possibly be causing a memory leak which in turn could cause the hanging, as it's worse when we start work in the morning then seems to stabilise throughout the day?

#12 coxchris


Posted 11 August 2010 - 01:19 PM

Hello there. My uncle is a technician in backup data so he is an expert at backing up.

How much RAM is in the system?

Do you have any AV software on this server or is it just strictly for backing up?

Just an afterthought. I'm using Cobian Backup which creates a volume shadow copy overnight when it backs up. Do you think this could possibly be causing a memory leak which in turn could cause the hanging, as it's worse when we start work in the morning then seems to stabilise throughout the day?

To answer your question above, we think that it could definitely be possible, or conflicting with your active protection of your AV, if you have an antivirus.

Keep an eye on your free memory when idling to determine if you have memory leaks.

Most Windows based have (of memory)
2-4GB
8GB for mssql servers

Hope this helps.



#13 DFringe


Posted 12 August 2010 - 03:59 AM

I don't run any antivirus actually on the server and in realtime. Again it's intrusive with the software we run on the server. We used to run WinClam free antivirus as it wasn't intrusive but the virus database was awful and they stopped supporting Server 2003. I use online scanners daily: ESET online and Trend HouseCall along with Malwarebytes, but all of these scans are not realtime and aren't intrusive when not being performed.

I've installed extra RAM so we're operating 4GB in working RAM.

The CPU usage can be quite excessive when idling, with large spikes jumping from 4/5% to over 80/100% at times. Also the 'svchost.exe' files can get very memory heavy when the applications are active but then remain holding a lot of memory usage even when the apps are idle.

Don't get me wrong, the improvement since following some instruction on here has been massive but I'm trying to clean it up as much as is possible.

Since flushing the DNS and getting a new hosts file which contains the local host only, when flushed and then displayed in the command line I get the following entry along with the local host. I can't identify it. Any ideas?


1.0.0.127.in-addr.arpa
----------------------------------------
Record Name . . . . . : 1.0.0.127.in-addr.arpa.
Record Type . . . . . : 12
Time To Live . . . . : 347683
Data Length . . . . . : 4
Section . . . . . . . : Answer
PTR Record . . . . . : localhost


localhost
----------------------------------------
Record Name . . . . . : localhost
Record Type . . . . . : 1
Time To Live . . . . : 347683
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1

Once again. Thanks for all the help so far.

#14 techextreme


Posted 12 August 2010 - 07:51 AM

1.0.0.127.in-addr.arpa
----------------------------------------
Record Name . . . . . : 1.0.0.127.in-addr.arpa.
Record Type . . . . . : 12
Time To Live . . . . : 347683
Data Length . . . . . : 4
Section . . . . . . . : Answer
PTR Record . . . . . : localhost


This is the normal "Reverse Lookup Record". This record is referenced when the server is looking for itself. ( e.g. Who is 127.0.0.1. Answer: localhost )

localhost
----------------------------------------
Record Name . . . . . : localhost
Record Type . . . . . : 1
Time To Live . . . . : 347683
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1


This is the normal "Forward Lookup Record". This is referenced when the server is looking for an IP address. ( e.g. Who is localhost. Answer: 127.0.0.1 )

Hope this sheds a little light.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca
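
Added example (not part of the original thread and not any poster's code): a small Python parser for `ipconfig /displaydns` output in the format posted above. It decodes Record Type 12 and 1 as PTR and A and returns every cached record other than the two loopback entries described as normal. The sample text, the `search.example.test` entry and the function names are constructed for illustration.

```python
import re

# DNS type codes as printed in the "Record Type" field.
RECORD_TYPES = {1: "A", 5: "CNAME", 12: "PTR", 28: "AAAA"}
# The two loopback entries identified in the thread as normal.
EXPECTED = {("localhost", "A", "127.0.0.1"),
            ("1.0.0.127.in-addr.arpa", "PTR", "localhost")}
FIELD = re.compile(r"^\s*(.+?)(?:\s\.)+\s*:\s*(.*)$")
# Constructed, abbreviated sample; the last entry is made up (reserved name/IP).
SAMPLE = """\
1.0.0.127.in-addr.arpa
----------------------------------------
Record Name . . . . . : 1.0.0.127.in-addr.arpa.
Record Type . . . . . : 12
PTR Record . . . . . : localhost

localhost
----------------------------------------
Record Name . . . . . : localhost
Record Type . . . . . : 1
A (Host) Record . . . : 127.0.0.1

search.example.test
----------------------------------------
Record Name . . . . . : search.example.test
Record Type . . . . . : 1
A (Host) Record . . . : 203.0.113.7
"""

def parse_displaydns(text):
    """Parse ipconfig /displaydns output into a list of record dicts."""
    records = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # entry headers, separator lines and blanks
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Record Name":
            records.append({"name": value.rstrip(".").lower()})
        elif records and key == "Record Type" and value.isdigit():
            records[-1]["type"] = RECORD_TYPES.get(int(value), value)
        elif records and key.endswith("Record"):
            records[-1]["data"] = value.lower()
    return records

def unexpected_entries(text):
    """Return cached records other than the expected loopback pair."""
    return [r for r in parse_displaydns(text)
            if (r["name"], r.get("type"), r.get("data")) not in EXPECTED]
```

To use it on a live machine, save the output of `ipconfig /displaydns` to a text file and pass its contents to `unexpected_entries`; an empty list means only the loopback pair is cached.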



