Flushing the DNS Resolver Cache doesn't work

Hi everyone!

I'm running Windows 2000 with Service Pack 4, patched with all the security updates available.

However, when I try accessing some sites, for example, Google, the page doesn't load.  Apparently, the domain resolves to the wrong ip address, and this is only true for this computer on my network.  Other computers who use the same DNS server as I, have no problem resolving the hostname to the correct ip address.

I have traced this problem to the DNS Resolver Cache.  When I run:


I get a long list of hostnames and corresponding ip addresses.  Of one, in particular is this:

     Record Name . . . . . : google.com
     Record Type . . . . . : 1
     Time To Live  . . . . : 31531709
     Data Length . . . . . : 4
     Section . . . . . . . : Answer
     A (Host) Record . . . :

This is the wrong ip address, as you can figure out.  So I flush the dns resolver cache, with ipconfig/flushdns and I use the command ipconfig/registerdns, but somehow, these records do not get flushed and erased.  They are still there if I call up the contents of the cache with ipconfig/displaydns again.

I have tried stoping the dns resolver service, but to no avail.  I have also tried looking at the event viewer in win2k, but no suspicious warnings or errors seem to stand out.

How do I fix this problem, and erase the dns resolver cache fully?  Or, if that is not the problem, what is the problem then?  I can verify that it is not a problem with the DNS server, as other users using the same dns server, have no problems.  Or even other operating systems on the same machine, for that matter.

Thanks for all your help!
Who is Participating?
oBdAConnect With a Mentor Commented:
Just to make sure I got you right: When you run "ipconfig /flushdns" and immediately afterwards (without trying nslookup or browsing to a webpage or whatever) "ipconfig /displaydns", you already have the "google" entry in there?
After running "ipconfig /flushdns", all that's supposed to be in the cache are the contents of the "hosts" file (including the reverse lookup entries "in-addr.arpa"). The default hosts file contains only one entry, "       localhost".
What I would try next, since it's easy to test: rename the hosts file to hosts.bak. Create a new hosts file, with only one entry       localhost
(tab(s) and/or space(s) inbetween the IP and "localhost"). Change the security settings to deny(!) write access for everyone. Reboot and run ipconfig /displaydns to check if the "google" entry is still there.
Check out your hosts file (no extension) in %SystemRoot%\system32\driver\etc; you'll probably find the google entry there.
But that entry has indeed entered your system by some spyware, so check out chicagoan's link.
WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

rohan_leaderAuthor Commented:
I've run to this point, 3 different spy-ware detectors, Adaware, Search and Destroy and Net Cop,  I have found "spy-ware" and removed them with the tool that found them.  However, none seem to help.

The DNS Resolver Cache generated by ipconfig/displaydns is the same as ever.

Any other ideas?
rohan_leaderAuthor Commented:
Also, just to note, I have also checked out the hosts file that oBdA pointed out, and inspected it comparing it to an example on the web.  I have concluded that it is fine and is not the cause of the problem.
You might consider uninstalling your modem and network cards... all networking... rebooting and reisntalling
ALso check your running processes and figure out what they all are, a good exercise in any event
Oh, and maybe a stupid question, but for the sake of completeness: do you have your Windows Explorer options set to show file extensions, and to show hidden files?
rohan_leaderAuthor Commented:
I just wanted to clarify the solution.  

Apparently, there was a rogue hosts file in C:\Windows\HELP.  For some reason or another, the google entry was in this hosts file.  I never thought that ipconfig/displaydns would look in this directory for the help file, but for some reason, it did.

A quick find, for the hosts file in the windows directory told me this, and I renamed it, poof, the problem was gone.  Thanks to all who helped.

Indeed, reinstalling would have solved this problem, but its not my computer, so that was not a viable option for me.

No spyware in this one!
Failure to flush DNS cache using:
ipconfig /flushdns

It's 2 things.

#1, apparently the static entries created via the "hosts" file can't be flushed.
If you really want to get rid of them, they have to be removed from the "hosts" file.
Typically, the "hosts" file is used as a simple and highly effective way to prevent connections to spyware / malware / adware.
Setting the (static) IP address of a domain name to (yourself - the "localhost" machine), effectively prevents potential connections via DNS!  (Wouldn't do anything for hard coded IP addresses).

#2, the ipconfig /displaydns appears to have a bug.
It only *PARTIALLY* lists the entries in the DNS resolver cache (about 50?) before abruptly truncating the output.
MS probably never considered there might be ~4,000+ entries (of malware domains) cached there!
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DataDasePath has been modified and hosts has been modified and a file has been created in windows\help

this doesn't happen magically

it's either spyware/adware or a trojan (qhosts, etc.)
rohan_leaderAuthor Commented:
chicagoan.. you are right.  This value is now set to:


I want to change this if possible back to its default value.  What is it?
>Comment from chicagoan
>Date: 11/10/2003 11:48PM EST
>sounds like spyware

>Comment from rohan_leader
>Date: 11/11/2003 01:08PM EST
>I have found "spy-ware" and removed them with the tool that found them.  However, none seem to help
Some utilities work better than others :)

%SystemRoot%\System32\drivers\etc is the default value
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.