Flushing the DNS Resolver Cache doesn't work

Hi everyone!

I'm running Windows 2000 with Service Pack 4, patched with all the security updates available.

However, when I try accessing some sites, for example, Google, the page doesn't load.  Apparently, the domain resolves to the wrong ip address, and this is only true for this computer on my network.  Other computers who use the same DNS server as I, have no problem resolving the hostname to the correct ip address.

I have traced this problem to the DNS Resolver Cache.  When I run:


I get a long list of hostnames and corresponding ip addresses.  Of one, in particular is this:

     Record Name . . . . . : google.com
     Record Type . . . . . : 1
     Time To Live  . . . . : 31531709
     Data Length . . . . . : 4
     Section . . . . . . . : Answer
     A (Host) Record . . . :

This is the wrong ip address, as you can figure out.  So I flush the dns resolver cache, with ipconfig/flushdns and I use the command ipconfig/registerdns, but somehow, these records do not get flushed and erased.  They are still there if I call up the contents of the cache with ipconfig/displaydns again.

I have tried stoping the dns resolver service, but to no avail.  I have also tried looking at the event viewer in win2k, but no suspicious warnings or errors seem to stand out.

How do I fix this problem, and erase the dns resolver cache fully?  Or, if that is not the problem, what is the problem then?  I can verify that it is not a problem with the DNS server, as other users using the same dns server, have no problems.  Or even other operating systems on the same machine, for that matter.

Thanks for all your help!
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Check out your hosts file (no extension) in %SystemRoot%\system32\driver\etc; you'll probably find the google entry there.
But that entry has indeed entered your system by some spyware, so check out chicagoan's link.
rohan_leaderAuthor Commented:
I've run to this point, 3 different spy-ware detectors, Adaware, Search and Destroy and Net Cop,  I have found "spy-ware" and removed them with the tool that found them.  However, none seem to help.

The DNS Resolver Cache generated by ipconfig/displaydns is the same as ever.

Any other ideas?
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

rohan_leaderAuthor Commented:
Also, just to note, I have also checked out the hosts file that oBdA pointed out, and inspected it comparing it to an example on the web.  I have concluded that it is fine and is not the cause of the problem.
You might consider uninstalling your modem and network cards... all networking... rebooting and reisntalling
ALso check your running processes and figure out what they all are, a good exercise in any event
Just to make sure I got you right: When you run "ipconfig /flushdns" and immediately afterwards (without trying nslookup or browsing to a webpage or whatever) "ipconfig /displaydns", you already have the "google" entry in there?
After running "ipconfig /flushdns", all that's supposed to be in the cache are the contents of the "hosts" file (including the reverse lookup entries "in-addr.arpa"). The default hosts file contains only one entry, "       localhost".
What I would try next, since it's easy to test: rename the hosts file to hosts.bak. Create a new hosts file, with only one entry       localhost
(tab(s) and/or space(s) inbetween the IP and "localhost"). Change the security settings to deny(!) write access for everyone. Reboot and run ipconfig /displaydns to check if the "google" entry is still there.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Oh, and maybe a stupid question, but for the sake of completeness: do you have your Windows Explorer options set to show file extensions, and to show hidden files?
rohan_leaderAuthor Commented:
I just wanted to clarify the solution.  

Apparently, there was a rogue hosts file in C:\Windows\HELP.  For some reason or another, the google entry was in this hosts file.  I never thought that ipconfig/displaydns would look in this directory for the help file, but for some reason, it did.

A quick find, for the hosts file in the windows directory told me this, and I renamed it, poof, the problem was gone.  Thanks to all who helped.

Indeed, reinstalling would have solved this problem, but its not my computer, so that was not a viable option for me.

No spyware in this one!
Failure to flush DNS cache using:
ipconfig /flushdns

It's 2 things.

#1, apparently the static entries created via the "hosts" file can't be flushed.
If you really want to get rid of them, they have to be removed from the "hosts" file.
Typically, the "hosts" file is used as a simple and highly effective way to prevent connections to spyware / malware / adware.
Setting the (static) IP address of a domain name to (yourself - the "localhost" machine), effectively prevents potential connections via DNS!  (Wouldn't do anything for hard coded IP addresses).

#2, the ipconfig /displaydns appears to have a bug.
It only *PARTIALLY* lists the entries in the DNS resolver cache (about 50?) before abruptly truncating the output.
MS probably never considered there might be ~4,000+ entries (of malware domains) cached there!
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DataDasePath has been modified and hosts has been modified and a file has been created in windows\help

this doesn't happen magically

it's either spyware/adware or a trojan (qhosts, etc.)
rohan_leaderAuthor Commented:
chicagoan.. you are right.  This value is now set to:


I want to change this if possible back to its default value.  What is it?
>Comment from chicagoan
>Date: 11/10/2003 11:48PM EST
>sounds like spyware

>Comment from rohan_leader
>Date: 11/11/2003 01:08PM EST
>I have found "spy-ware" and removed them with the tool that found them.  However, none seem to help
Some utilities work better than others :)

%SystemRoot%\System32\drivers\etc is the default value
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.