DNS Hijacking?

Dell / Poweredge 2600
May 14, 2009 at 10:08:25
Specs: Windows XP
Dell Poweredge 2600
Windows 2000 Server SP4
Functioning as PDC / DNS / AD server

Monitoring my firewall, I have noticed that my PDC/DNS/AD server was periodically making connections to strange destinations such as:


I created entries in c:\winnt\system32\drivers\etc\hosts redirecting those destinations to which stops the connections to those addresses as I would expect, but for each one that I block it seems every few days my server attempts to connect to a new one. I am concerned that I may have a DNS hijacking situation.

Under the DNS applet > Forward Lookup Zones > mydomain.com I see:

Expected entries: I see all of the computers in my domain with their respective IP addresses, which I would expect:


also entries such as these:

(same as parent folder) Host PDC server
(same as parent folder) Host Database server
(same as parent folder) Host My external IP address

and two questionable entries:

(same as parent folder) Host An unknown IP address
(same as parent folder) Host An unknown IP address

If I delete these two unknown entries, they appear by themselves again in a few minutes.

Can anyone offer advice or insight?


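An added check, not code from this thread, for the reappearing "(same as parent folder)" entries described above. It parses a zone file export (assumption: the BIND-style text the Windows DNS service writes with dnscmd /zoneexport, where such records have the owner "@") and lists apex A records that are not on a known-good allowlist; the sample zone and the allowlist addresses are constructed.

```python
import ipaddress

# Constructed sample of a zone file as the Windows DNS service exports it
# (assumption: layout follows dnscmd /zoneexport output). Records owned by
# "@" are the ones the DNS console shows as "(same as parent folder)".
SAMPLE_ZONE = """\
;  Database file mydomain.com.dns for mydomain.com zone.
@                       IN  SOA pdc.mydomain.com. hostmaster.mydomain.com. (
                        1234 ; serial number
                        900  ; refresh
                        86400 ; expire
                        3600 ) ; default TTL
@                       NS  pdc.mydomain.com.
@                       600 A   192.168.1.10
@                       600 A   192.168.1.20
@                       600 A   203.0.113.5
@                       600 A   198.51.100.77
@                       600 A   192.0.2.33
pdc                     A   192.168.1.10
dbsrv                   A   192.168.1.20
ws01                    A   192.168.1.101
"""

# Apex addresses the admin expects (constructed): PDC, database server,
# and the site's external address.
EXPECTED_APEX = {"192.168.1.10", "192.168.1.20", "203.0.113.5"}


def a_records(zone_text):
    """Yield (owner, ip) for every A record, carrying the owner over to
    continuation lines that begin with whitespace (zone-file convention)."""
    owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip trailing comment
        if not line.strip():
            continue
        tokens = line.split()
        if not raw[0].isspace():                  # this line names a new owner
            owner = tokens.pop(0)
        for i, tok in enumerate(tokens[:-1]):
            if tok == "A":
                try:
                    yield owner, str(ipaddress.IPv4Address(tokens[i + 1]))
                except ipaddress.AddressValueError:
                    pass                          # not an IPv4 rdata; skip


def unexpected_apex_records(zone_text, expected=EXPECTED_APEX):
    """Sorted apex ("@") A record addresses that are not on the allowlist."""
    return sorted(ip for owner, ip in a_records(zone_text)
                  if owner == "@" and ip not in expected)


if __name__ == "__main__":
    for ip in unexpected_apex_records(SAMPLE_ZONE):
        print("unexpected apex A record:", ip)
```

Running this against a fresh export every few minutes (the interval at which the poster sees the entries return) gives a timestamp to correlate with the firewall log and with whatever process registers the records.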

May 14, 2009 at 16:44:02
Can you please post your AVZ log:

1) To create the logfile, please firstly download AVZ by clicking HERE (http://www.z-oleg.com/avz4.zip). Please save this file to your desktop or "My Documents" folder.
2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.


Paste the script into the execution window by using the CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script; the PC will reboot. After the reboot, the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Attach that file to your post.
