DNS being reset
My Server 2003 machine appears to be having its network card DNS address set to 220.127.116.11 and 18.104.22.168. I know that's Google DNS but I haven't set the card's DNS to that; we use SEGfL / RMs forwarders, 22.214.171.124 and 105. Is it possible that a virus / malware infection could be causing this? Can I monitor this in Event Viewer; what would be the event ID?
Sounds to me like a botnet attack.
That's a symptom of the TDSS Rootkit.
TDL4 – Top Bot - Securelist
hack hack hack, check your firewall ports & close them down, check your security logs, assume that server has been compromised.
Yes, and I hate to say it, but change your admin password - or at least give it strong consideration.
Lots of malware does this too, check for the normal:
startup entries you do not recognize, unusual services. You could try TeaTimer from Spybot to find out what changes the setting.
Check your local users' passwords.