Strange DNS resolver cache entries. Cannot get rid of them.



#1 leukoism


Posted 01 March 2010 - 01:14 AM

This has been bugging me for the last few days, and I finally decided to come here and seek some help. Recently while playing with ipconfig I decided to check out my DNS cache for the heck of it. So I do the ipconfig /displaydns and it comes up with all these strange entries. (sorry for the long pic, but there are quite a few entries). To me they appear to be definite spyware/malware/virus laden websites, or maybe worse.

Posted Image


I have done everything I know how to get rid of this, but the entries are always there. I have tried ipconfig /flushdns about 3 dozen times, I have checked my computer for viruses/spyware and nothing is out of the ordinary and my computer runs just fine. I have gone through my firewall rules and no strange programs are present. I have even tried deleting the dnsrslvr.dll and replacing it with a clean file and it still comes up with all these weird websites. Although before I replaced it with a new one I was still able to browse the net just fine, I just couldn't check the DNS cache or flush it because it wasn't there. I have checked the DNS resolver cache on my secondary partition of XP and it is perfectly fine, and also on my laptop which doesn't show any strange DNS entries. So it doesn't appear to be from my network. Just on my main XP partition.

Can anybody help with this? I would assume the only reason this is happening is due to some kind of spyware/malware but I am VERY security conscious and have quite a few layers of protection with some of the best software out there. Nothing odd has been going on with my PC, not even any strange connections to the net that I can tell. When my computer is idle and not supposed to be downloading anything (like virus updates or whatever) there is no network traffic at all.

The one other thing I can think to try is deleting the file again and doing a system file check and having XP replace it with a new one (the last new one I tried was from a driver website). But the fact that the other one I tried immediately had those entries in it as well makes me suspect that no matter what copy of dnsrslvr.dll I have it will just automatically have those entries in there for whatever reason.

Any info about my system you guys need just let me know. Cause I really want to resolve this problem (if it is a problem?). And thanks in advance for any help :thumbsup:

Edited by leukoism, 01 March 2010 - 01:16 AM.




#2 Stang777


Posted 01 March 2010 - 06:58 AM

I believe those are all from your HOSTS file which is normal if you use something like Spybot or the MVPHOSTS file.

Those entries are added to your hosts files to keep your computer from connecting to known bad sites. They are all made so that if you happen to attempt to go to those sites, your computer will be directed to go to 127.0.0.1, which is the local host, as in, you will just be connected to your computer instead of connected to those sites on the internet.

As far as I know, they are there to protect you and are nothing to worry about.

#3 leukoism


Posted 01 March 2010 - 03:40 PM

That's good to hear, thank you for your help! :thumbsup: And yes, I am using Spybot, so if SB does these things it would make sense.

But I would like to double check just to make sure. How can I check my hosts file? Because the fact that this doesn't happen on my second partition of XP makes me wonder, since I use Spybot on that as well.

#4 cryptodan


Posted 01 March 2010 - 03:44 PM

> Because the fact that this doesn't happen on my second partition of XP makes me wonder, since I use Spybot on that as well.



Did you run the immunizer tool in Spybot on your other partition? If you haven't, then that's why you are not seeing this issue on the other one.

c:\windows\system32\drivers\etc\

Double-click the hosts file and open it with Notepad.

#5 leukoism


Posted 01 March 2010 - 11:00 PM

Now that I think about it, I do not think I have run the immunization on my second partition. I will go try that now and see if the entries appear there as well. If they do appear after immunization then this is simply Spybot's doing and nothing I should worry about.

I just checked my host file and it is completely blank aside from the Microsoft examples and instructions. Heck, I checked all the files in the \etc folder and none of them have these websites in them at all.

I will edit back shortly with my second partition's results.

#6 Broni


Posted 01 March 2010 - 11:16 PM

http://www.pdfdownload.org/pdf2html/pdf2ht...&images=yes

The ipconfig /displaydns command displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. The DNS Client service uses this information to resolve frequently queried names quickly, before querying its configured DNS servers.

So, if the web page addresses are safe, you're fine.
My log looks very similar.

Edited by Broni, 01 March 2010 - 11:17 PM.
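
The cross-check this thread keeps circling, as an added example that is not part of any poster's reply: it parses saved `ipconfig /displaydns` output and a hosts file, then labels each cached name by whether the hosts file accounts for it. The sample text is constructed, the `.example` names are placeholders, and the English-locale field labels (`Record Name`, `A (Host) Record`) are an assumption about the output format.

```python
import re

# Constructed samples (not from the thread): trimmed displaydns output and a hosts file.
SAMPLE_CACHE = """
    ads.blocked.example
    ----------------------------------------
    Record Name . . . . . : ads.blocked.example
    A (Host) Record . . . : 127.0.0.1

    tracker.unknown.example
    ----------------------------------------
    Record Name . . . . . : tracker.unknown.example
    A (Host) Record . . . : 127.0.0.1

    www.site.example
    ----------------------------------------
    Record Name . . . . . : www.site.example
    A (Host) Record . . . : 192.0.2.10
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 ads.blocked.example  # blocklist\n"

def parse_hosts(text):
    """Map each hostname in hosts-file text to its address, ignoring comments."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return {name.lower(): row[0] for row in rows for name in row[1:]}

def parse_displaydns(text):
    """Map each cached record name to the list of its A-record addresses."""
    cache, name = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(Record Name|A \(Host\) Record)[ .]*:\s*(\S+)", line)
        if m and m.group(1) == "Record Name":
            name = m.group(2).lower().rstrip(".")
            cache.setdefault(name, [])
        elif m and name:
            cache[name].append(m.group(2))
    return cache

def classify(cache_text, hosts_text):
    """Label each cached name by whether the hosts file explains its address."""
    hosts, out = parse_hosts(hosts_text), {}
    for name, addrs in parse_displaydns(cache_text).items():
        if hosts.get(name) in addrs:
            out[name] = "from-hosts-file"          # preloaded blocking entry
        elif any(a.startswith("127.") or a == "0.0.0.0" for a in addrs):
            out[name] = "loopback-not-in-hosts"    # worth a closer look
        else:
            out[name] = "resolved-by-dns"          # ordinary cached lookup
    return out
```

To run it against a real machine, save the cache with `ipconfig /displaydns > cache.txt` and pass that text together with the contents of the hosts file to `classify`.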
