Does Spyware change your DNS settings?

Posted on 2005-04-12
Last Modified: 2008-01-09

on two computers recently I've seen....when you type in a website eg. would go (at the bottom
of the screen) searching then etc

They would do this with every error page would then be displayed saying something about DNS error.

Is that spyware at work Secondly, is there an advantage to setting yoru DNS manually instead of just clicking "assign
DNS automatically"
Question by:jetsonx
    LVL 5

    Expert Comment


    lots of spyware will hijack your browser session and route stuff through alternative websites for various reasons (generate revenue for themselves, install other nasty software etc.), but i've not come across any spyware that changes your dns settings, though it really wouldn't surprise me if they did, it could be used by the writers to send you to false or phishing sites.  
    I'd try running Adaware and Spybot to see if that picks anything up, they both have free versions:

    as for your second question-
    You should set your DNS to pickup automatically if you use DHCP - that is where the PC contacts a DHCP server (or your router/cable modem) and is given an IP address and other details it needs to connect to the network/internet etc.

    Setting the DNS manually is fine if you know the address of the DNS servers.  You have to set it manually if you use static IP addresses, if you didn't your PC wouldn't know about any DNS servers to talk to.

    LVL 6

    Expert Comment

    It could be a hijacked host file.  Check C:\WINDOWS\system32\drivers\etc (or c:\windows for windows 98/me) then open the HOST file in notepad The only entry in there should be localhost
    LVL 8

    Assisted Solution

    IE laso has a setting to add .com .org. net to a url if it cant find the dot com. You probaly have a broken TCPI stack. Try to repair your LSP

    that will fix it
    LVL 3

    Assisted Solution

    On it's own, this behaviour doesn't indicate spyware. It happens when IE can't connect to a DNS server, or when it can't connect to the Internet at all.

    If it can't find, e.g., it will assume that you've missed out part of the name, and will start trying different suffixes (, So on a machine with a working Internet connection, if you type, you will eventually get through to,, or something (depending on the order it tries).

    There's a setting in Internet Options that turns this behaviour on and off.

    As to the root cause of the problem, it could a number of things: static IP address missing, DHCP server not responding, incorrect DNS server details, etc. etc. Troubleshoot as any other Internet connection problem (e.g. IPCONFIG).

    As for the second question, my approach is: if it ain't broke, don't fix it. If the automatically assigned DNS servers aren't causing a problem, then leave them automatically assigned. If they're causing a problem, then try manual configuration but put it back to automatic when the problem is solved.

    Accepted Solution

    Please check your HOSTS file entry. You may view the file under c:\windows\system32\drivers\etc directory.
    Generally worms or spywares blocks you from visiting antivirus vendor sites or genrally visited sites such as

    It add entry in HOSTS file such as...

    Remember, before connecting to your DNS server your OS reads HOSTS file entry, if it finds a match it connects to that IP.

    Moreover, I have seen worms doing this kinda act than spywares.

    Cheers :)
    LVL 3

    Expert Comment

    It cannot be the HOSTS file in this example.

    The HOSTS file only changes the IP address that the browser visits. It does not (and cannot) affect the URL displayed in IE. Try it with some settings of your own.

    Author Comment

    bilbus, I think your suggested LSP fix solved the problem. Beluga, yip, it was not the hosts file...ghods I gave you some points because adding the virus producer  in the hosts file seemed to make an update possible,

    Thanks guyz.

    ps: beluga: "There's a setting in Internet Options that turns this behaviour on and off" just for future refernence, where is that setting?
    LVL 3

    Expert Comment

    Turning off the IE setting:

    This is one of those occasions where I've seen it done, but I don't know exactly how. And I'm afraid I use Mozilla rather than IE!

    Having said that, a quick web search shows it *might* be the following setting in TCP/IP properties, and not in IE:;en-us;305553#5

    The above is for XP, but the Windows 2000 settings should be in the same place. In Windows 98, it's in TCP/IP properties -> DNS Configuration -> Domain suffix search order.

    Hope this is of some help! :o)

    Author Comment

    Thanks for that Beluga.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How to run any project with ease

    Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
    - Combine task lists, docs, spreadsheets, and chat in one
    - View and edit from mobile/offline
    - Cut down on emails

    Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
    If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    9 Experts available now in Live!

    Get 1:1 Help Now