very odd DNS behavior with XP - Microsoft Windows
very odd DNS behavior with XP
Hi all. I've asked this before and had only two responses, and those were
not able to fix this problem.
My dad's two laptops do this. Here is an excerpt from the nameserver he is
accessing:
messages:Sep 16 04:58:05 netxpress_HD1 named[692]: XX+/192.168.0.4/www.microsoft.com/MX/IN
messages:Sep 16 04:58:05 netxpress_HD1 named[692]: XX+/192.168.0.4/www.yahoo.com/MX/IN
messages:Sep 16 04:58:05 netxpress_HD1 named[692]: XX+/192.168.0.4/www.intel.com/MX/IN
messages:Sep 16 04:58:06 netxpress_HD1 named[692]: XX+/192.168.0.4/www.intel.com/MX/IN
messages:Sep 16 04:58:06 netxpress_HD1 named[692]: XX+/192.168.0.4/www.google.com/MX/IN
messages:Sep 16 04:58:15 netxpress_HD1 named[692]: XX+/192.168.0.4/www.microsoft.com/MX/IN
messages:Sep 16 04:58:15 netxpress_HD1 named[692]: XX+/192.168.0.4/www.yahoo.com/MX/IN
messages:Sep 16 04:58:15 netxpress_HD1 named[692]: XX+/192.168.0.4/www.intel.com/MX/IN
messages:Sep 16 04:58:15 netxpress_HD1 named[692]: XX+/192.168.0.4/www.google.com/MX/IN
messages:Sep 16 04:58:25 netxpress_HD1 named[692]: XX+/192.168.0.4/www.microsoft.com/MX/IN
messages:Sep 16 04:58:25 netxpress_HD1 named[692]: XX+/192.168.0.4/www.yahoo.com/MX/IN
messages:Sep 16 04:58:25 netxpress_HD1 named[692]: XX+/192.168.0.4/www.intel.com/MX/IN
messages:Sep 16 04:58:25 netxpress_HD1 named[692]: XX+/192.168.0.4/www.google.com/MX/IN
This goes on continuously. Every ten seconds it looks up the MX record for those
four domains.
You never can catch it in netstat. Stop all sorts of services, it doesn't
stop.
I have no more hair to pull out.
192.168.0.4 is his laptop.
Anyone ever hear of this? Most would never see it because they're accessing
an ISP's name server. But here I control that. It's filling the log file, and
I'm afraid that it is part of a keystroke monitoring deal, though it would
appear that whatever it is, it is not getting the answer it wants.
I'm NOT a Windows expert, I know more on the Unix side, but open to
suggestions. This was a fresh install. He's doing SOMETHING that allows
this. It didn't take him long. He does play online games thru Pogo.
GeorgeC
Austin, TX
reply by email to nic at dyb dot com
Thanks!
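As an added example (not code from the thread or its posters), here is a small Python check a nameserver operator could run over BIND query-log lines in the format quoted above: it parses each record and flags client/name/type combinations that recur at a near-constant interval, which is how the ten-second MX pattern shows up on the server side. The sample lines are constructed from the excerpt (plus one one-off A query for contrast), and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the BIND query-log format quoted in the thread ("messages:" is grep's
# filename prefix); the second intel line mirrors the excerpt's retry, pogo.com A is a one-off.
SAMPLE_LOG = """\
messages:Sep 16 04:58:05 netxpress_HD1 named[692]: XX+/192.168.0.4/www.microsoft.com/MX/IN
messages:Sep 16 04:58:05 netxpress_HD1 named[692]: XX+/192.168.0.4/www.intel.com/MX/IN
messages:Sep 16 04:58:06 netxpress_HD1 named[692]: XX+/192.168.0.4/www.intel.com/MX/IN
messages:Sep 16 04:58:06 netxpress_HD1 named[692]: XX+/192.168.0.4/www.google.com/MX/IN
messages:Sep 16 04:58:12 netxpress_HD1 named[692]: XX+/192.168.0.4/www.pogo.com/A/IN
messages:Sep 16 04:58:15 netxpress_HD1 named[692]: XX+/192.168.0.4/www.microsoft.com/MX/IN
messages:Sep 16 04:58:15 netxpress_HD1 named[692]: XX+/192.168.0.4/www.intel.com/MX/IN
messages:Sep 16 04:58:15 netxpress_HD1 named[692]: XX+/192.168.0.4/www.google.com/MX/IN
messages:Sep 16 04:58:25 netxpress_HD1 named[692]: XX+/192.168.0.4/www.microsoft.com/MX/IN
messages:Sep 16 04:58:25 netxpress_HD1 named[692]: XX+/192.168.0.4/www.intel.com/MX/IN
messages:Sep 16 04:58:25 netxpress_HD1 named[692]: XX+/192.168.0.4/www.google.com/MX/IN
"""

LINE_RE = re.compile(
    r"^(?:[\w.]+:)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"XX\+/(?P<client>[\d.]+)/(?P<name>[^/]+)/(?P<qtype>\w+)/(?P<qclass>\w+)$")

def parse_query_log(text, year=2006):
    """Return (timestamp, client, name, qtype) tuples; syslog omits the year, so one is assumed."""
    entries = []
    for line in text.splitlines():
        if m := LINE_RE.match(line):  # lines that are not query records are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            entries.append((ts, m["client"], m["name"], m["qtype"]))
    return entries

def find_periodic_queries(entries, min_repeats=3, retry_window=2.0, jitter=1.0):
    """Flag (client, name, qtype) triples whose queries recur at a near-constant interval."""
    by_key = defaultdict(list)
    for ts, client, name, qtype in entries:
        by_key[(client, name, qtype)].append(ts)
    hits = {}
    for key, times in by_key.items():
        times.sort()
        distinct = [times[0]]  # collapse queries closer than retry_window (resolver retransmits)
        for t in times[1:]:
            if (t - distinct[-1]).total_seconds() >= retry_window:
                distinct.append(t)
        if len(distinct) < min_repeats:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(distinct, distinct[1:])]
        median = sorted(gaps)[len(gaps) // 2]
        if all(abs(g - median) <= jitter for g in gaps):  # every gap near the median: periodic
            hits[key] = (len(distinct), median)
    return hits
```

Run it over a real `named` log instead of SAMPLE_LOG and each hit tells you the client, the name, the record type, how many beacons were seen and the period in seconds, which is the data to take to a packet capture on that client.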
-
Re: very odd DNS behavior with XP
"George Csahanin" writes:
> Hi all. I've asked this before and had only two responses, and those were
> not able to fix this problem.
>
> My dad's two laptops do this. Here is an excerpt from the nameserver he is
> accessing:
>
> messages:Sep 16 04:58:05 netxpress_HD1 named[692]: XX+/192.168.0.4/www.microsoft.com/MX/IN
> messages:Sep 16 04:58:05 netxpress_HD1 named[692]: XX+/192.168.0.4/www.yahoo.com/MX/IN
> messages:Sep 16 04:58:05 netxpress_HD1 named[692]: XX+/192.168.0.4/www.intel.com/MX/IN
> messages:Sep 16 04:58:06 netxpress_HD1 named[692]: XX+/192.168.0.4/www.intel.com/MX/IN
> messages:Sep 16 04:58:06 netxpress_HD1 named[692]: XX+/192.168.0.4/www.google.com/MX/IN
> This goes on continuously. Every ten seconds it looks up the MX record for those
> four domains.
>
> You never can catch it in netstat. Stop all sorts of services, it doesn't
> stop.
Throw wireshark (formerly ethereal) or tcpdump on the network segment
between him and the nameserver and see what it's doing in more
detail.
I suspect malware.
> I'm NOT a Windows expert, I know more on the Unix side, but open to
> suggestions. This was a fresh install. He's doing SOMETHING that allows
> this. It didn't take him long. He does play online games thru Pogo.
>
> GeorgeC
> Austin, TX
>
> reply by email to nic at dyb dot com
BCC'd, reluctantly.
The courtesy of following up here with what you ultimately discover
would be good net.karma. Otherwise, I know hippies in Austin who'll
camp out on your lawn and sing acoustic guitar hits of the 70's until
you do. :-)
Best Regards,
--
Todd H.
http://www.toddh.net/