Posted 14 March 2009 - 11:20 AM
Recently removed various malware from 3 LAN PCs. They did not exhibit this behavior previously. No two had the same or even similar malware. Each PC has 2 network interface cards. One connects to a router in gateway mode and is DHCP enabled; the second connects to a LAN fileserver running Windows Server 2003 with a static IP. There are 10 PCs on the LAN, all running XP Pro. 7 still work fine; however, the 3 that had malware removed will only access the Internet when the LAN connection is disabled. I ran Wireshark and saw that when the LAN is enabled, the DNS requests from those three are broadcast on the subnet as 192.168.1.255 instead of the DNS server IP. When the LAN is disabled, they correctly request name resolution from the DNS server.