I'm stumped on this one and reaching out for any help. I have 3 computers running Windows 7 that are randomly having one entry in their DNS Cache changed. It just happens to be the entry for their POP email server. The domain name is secure.emailsrvr.com, which is a RackSpace hosted POP server. The DNS cache last week was showing an IP for Network Solutions. Today the DNS Cache showed an IP that is registered to Apple. A simple DNS flush fixes the problem, but it always comes back several times each day. The hosts file only contains one record and it is used for a local file server. They do not have a local DNS server and were using their ISP's DNS servers. I have since changed their DNS to OpenDNS. I have ran Malwarebytes scans and Microsoft Security Essential scans and found nothing. The router is a basic LinkSys wireless router with current firmware running on it. I don't see anything out of the ordinary in their startup items or anything else suspicious running. They used to have the problem on other computer but their previous IT guy fixed them (they don't know what he did and apparently he didn't know either because he was unable to fix these three computer and now here I am).
Any ideas on where else to look for this? I did run hijack this and can attach the log if needed. I also have exported the DNS Cache before and after performing the DNS flush.
Thanks in advance,