Name resolution issue

Preston

I have a Win2K server running active directory, with DNS
for internal use only. I am not resolving internet names,
those are being forwarded to our ISP's DNS server.
Recently we were unable to connect to www.msn.com, all
other domain names could be resolved. This only happens
periodically and can be solved if the win2k server is
restarted. When this happens the users get the
standard "Page cannot be displayed" message in IE. But
the server gets redirected to www.yeah.com.

I realize this is probably a redirection from some
spyware, but neither Adaware nor Spy Bot Search and
Destroy have resolved the issue. I have also searched the
registry for any unusual entries or redirections, but
can't seem to find any.

This has my whole network screwed up because we have to
reboot the server, sometimes 5 times a day. The workaround
I have given the users is to use www.msn.com's IP
address directly in the address bar of IE and that works.

Anyone have any ideas?

thanks
 
Sounds to me like you have a host (A) record in your DNS that
is trying to resolve www.msn.com into a different IP
address. Either that or a PTR record could have the same
effect. I would check your server for a virus; if the
problem comes back a few minutes after a restart,
this is a good indication of a virus. But definitely check
your host (A) and PTR records.

HTH
DJ
 
Sounds like your DNS is getting hijacked or a hosts file is getting
written to your system.

Jeff
 
In addition to the other responses, I suggest running an AV scan and looking for
the QHOST virus. That will populate a bunch of wrong stuff in your HOSTS
file.

You can check what is in your DNS local cache by typing in:
ipconfig /displaydns.

If a boatload of stuff shows up, well, there you have it, a good indication
that it's a virus or some sort of hijacked stuff installed such as a trojan
or adware stuff. I've seen that happen going to some rogue website where an
ActiveX object loaded the HOSTS file with a bunch of crap. Run Adaware 6.0
to clean up ad software. Run an antitrojan detector, such as Pest Patrol, to
remove any known trojans. These are usually NOT found by AV software.

If you go to www.symantec.com or www.mcafee.com, and look up that virus, it
will show you a reg entry where the virus (if it is it) changes the default
location of the HOSTS file. Look in that location and check it out.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
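
As an added example, not code from any of the posters above: the Python below audits the text of a HOSTS file for the kind of overrides the replies describe, reporting every name other than localhost that the file maps and whether it is redirected to another address or blocked. The sample file content and the names `parse_hosts` and `audit_hosts` are constructed for illustration.

```python
import ipaddress

# Constructed sample of a tampered HOSTS file (not taken from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
203.0.113.7     www.msn.com msn.com   # constructed redirect entry
203.0.113.7\twww.symantec.com
0.0.0.0         www.mcafee.com
not-an-ip       broken.example
"""

BENIGN_NAMES = {"localhost"}


def parse_hosts(text):
    """Yield (line_no, ip, [names]) for each well-formed mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line: skipped here
        if len(fields) > 1:
            yield line_no, ip, [n.lower().rstrip(".") for n in fields[1:]]


def audit_hosts(text, watch=()):
    """Return a finding for every name the file overrides, beyond localhost."""
    watch = {w.lower() for w in watch}
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if name in BENIGN_NAMES and ip.is_loopback:
                continue                        # the stock localhost entry
            if ip.is_loopback or ip.is_unspecified:
                kind = "blocked"                # name pointed at the local machine
            else:
                kind = "redirected"             # name pointed at another server
            findings.append({"line": line_no, "name": name, "ip": str(ip),
                             "kind": kind, "watched": name in watch})
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, watch=["www.msn.com"]):
        print(finding)
```

To use it on a real machine, pass in the contents of the HOSTS file, by default `%SystemRoot%\system32\drivers\etc\hosts`, or whatever location the registry points to if it has been changed.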
 