Author
30 Aug 2006 5:20 PM
GregG
I'm pulling my hair out on this one. An XP workstation is bringing down
my home network and keeps resetting a DSL router. I really cannot
rebuild it as it has so much stuff on it.

I do know what is causing this but there is an extensive message
exchange between an XP workstation and a Domain Controller/DNS/NAT
server. 2 other workstations are not involved. It's happening almost
all the time with short intermissions. I shut down all applications and
stopped all services at XP, which are possible to stop without
degrading functionality.

Network monitor shows thousands of frames in a minute coming from
server to workstation. They are all the SAME:

Protocol = HOPOPT - IPv6 Hop-by-Hop Option; Packet ID = 0; Total IP
Length = 0; Options = No 0.0.0.0  0.0.0.0 IP

At the same time (and this is weird) XP sends thousands of DNS requests
to my DNS server for different internet domains (for thousands of
different domains I never heard of!!) for Mail Exchange. My DNS in turn
floods the internet querying the provider's DNS and bringing the DSL router
down once in a while. Example:

DNS 0x14AE:Std Qry for wvbr.com. of type Mail Xchg on class INET addr.
MATRIX 140.120.100.107 IP

I have been fighting this for 3 days. No viruses or spyware are found (scanned with 3
different applications). Processor at 99% idle. Regmon shows constant
access of the dnscache service and parameters in the tcpip service.

Can anyone help?
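The symptom in this post (one workstation issuing thousands of MX lookups for thousands of distinct domains) is what a spam-sending bot looks like on the wire, and it can be flagged from the Network Monitor summary lines alone. The following is an added example, not code from the thread: it parses constructed capture lines in the same style as the one quoted above (the hosts, times and all domains except wvbr.com are invented) and flags any source host whose distinct MX-query fan-out in a single minute exceeds a threshold.

```python
import re
from collections import defaultdict

# Constructed sample capture in the style of the Network Monitor line
# quoted in the post; hosts, times and domains other than wvbr.com are invented.
SAMPLE_FRAMES = """\
10:20:01 192.168.1.10 192.168.1.1 DNS 0x14AE:Std Qry for wvbr.com. of type Mail Xchg on class INET addr.
10:20:01 192.168.1.10 192.168.1.1 DNS 0x14AF:Std Qry for alpha.example. of type Mail Xchg on class INET addr.
10:20:02 192.168.1.10 192.168.1.1 DNS 0x14B0:Std Qry for beta.example. of type Mail Xchg on class INET addr.
10:20:02 192.168.1.10 192.168.1.1 DNS 0x14B1:Std Qry for gamma.example. of type Mail Xchg on class INET addr.
10:20:03 192.168.1.10 192.168.1.1 DNS 0x14B2:Std Qry for wvbr.com. of type Mail Xchg on class INET addr.
10:20:05 192.168.1.11 192.168.1.1 DNS 0x2001:Std Qry for www.example. of type Host Addr on class INET addr.
10:20:06 192.168.1.11 192.168.1.1 DNS 0x2002:Std Qry for mail.example. of type Mail Xchg on class INET addr.
"""

# "<hh:mm:ss> <src> <dst> DNS <id>:Std Qry for <name> of type <qtype> on class ..."
FRAME_RE = re.compile(
    r"^(?P<hh>\d\d):(?P<mm>\d\d):\d\d\s+(?P<src>\S+)\s+\S+\s+DNS\s+\S+Std Qry for "
    r"(?P<name>\S+?)\.?\s+of type (?P<qtype>[A-Za-z ]+?) on class"
)


def parse_frames(text):
    """Yield (minute_bucket, src, name, qtype) for each DNS query frame."""
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            yield (m["hh"] + ":" + m["mm"], m["src"], m["name"].lower(), m["qtype"])


def mx_fanout(text):
    """Map (src, minute) -> set of distinct names queried for MX in that minute."""
    fanout = defaultdict(set)
    for minute, src, name, qtype in parse_frames(text):
        if qtype == "Mail Xchg":
            fanout[(src, minute)].add(name)
    return fanout


def flag_mx_spray(text, threshold):
    """Return hosts that queried MX for >= threshold distinct names in one minute.

    A workstation normally has no reason to resolve MX records at all; a
    large, repeating spread of distinct MX lookups is the signature of
    something on the host delivering mail directly to remote mail servers.
    """
    peak = defaultdict(int)
    for (src, _minute), names in mx_fanout(text).items():
        peak[src] = max(peak[src], len(names))
    return sorted(src for src, n in peak.items() if n >= threshold)
```

On a real capture the threshold should sit well above the handful of MX lookups a legitimate mail client might make, while a bot like the one described here produces thousands per minute.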

Author
30 Aug 2006 6:59 PM
Peter R. Fletcher
Bad network card or other hardware problem?

On 30 Aug 2006 10:20:34 -0700, "GregG" <e.price***@verizon.net> wrote:

>I'm pulling my hair out on this one. An XP workstation is bringing down
>my home network and keeps resetting a DSL router. I really cannot
>rebuild it as it has so much stuff on it.
>
>I do know what is causing this but there is an extensive message
>exchange between an XP workstation and a Domain Controller/DNS/NAT
>server. 2 other workstations are not involved. It's happening almost
>all the time with short intermissions. I shut down all applications and
>stopped all services at XP, which are possible to stop without
>degrading functionality.
>
>Network monitor shows thousands of frames in a minute coming from
>server to workstation. They are all the SAME:
>
>Protocol = HOPOPT - IPv6 Hop-by-Hop Option; Packet ID = 0; Total IP
>Length = 0; Options = No 0.0.0.0  0.0.0.0 IP
>
>At the same time (and this is weird) XP sends thousands of DNS requests
>to my DNS server for different internet domains (for thousands of
>different domains I never heard of!!) for Mail Exchange. My DNS in turn
>floods the internet querying the provider's DNS and bringing the DSL router
>down once in a while. Example:
>
>DNS 0x14AE:Std Qry for wvbr.com. of type Mail Xchg on class INET addr.
>MATRIX 140.120.100.107 IP
>
>I have been fighting this for 3 days. No viruses or spyware are found (scanned with 3
>different applications). Processor at 99% idle. Regmon shows constant
>access of the dnscache service and parameters in the tcpip service.
>
>Can anyone help?

Please respond to the Newsgroup, so that others may benefit from the exchange.
Peter R. Fletcher
Author
30 Aug 2006 10:10 PM
GregG
Peter R. Fletcher wrote:
> Bad network card or other hardware problem?
> >
> Please respond to the Newsgroup, so that others may benefit from the exchange.
> Peter R. Fletcher

Thanks Peter,

I already changed NICs. The switch seems OK because other
workstations are not affected even if I swapped ports with the troubled one.
Author
31 Aug 2006 4:29 PM
Peter R. Fletcher
I missed the bit in your original post where it appears that at least
the DNS flood is coming from (or at least through) XP - all the
zeroes in the network monitoring results made me think of a hardware
fault.

I would suggest two approaches:

1) it looks as if you have tested by substitution all possible
hardware causes except bad cabling. Try running a new, temporary cable
between the XP machine and your switch. I frankly don't expect this to
solve the problem, but network cabling problems can sometimes give
rise to very strange symptoms indeed.

2) Boot another OS on the XP machine and see whether the flood
continues. There are a number of trial versions of different flavours
of Linux which have come out on computer magazine cover disks and/or
can be downloaded and burnt to CD-Rs and run from the CD. Assuming
that your hardware is fairly vanilla, you should be able to access the
network from the "foreign" OS. If the "foreign" OS can access the
network and doesn't flood it, I would have to assume that you either
have a very well hidden piece of malware, or part of your XP network
stack has been corrupted in a particularly spectacular fashion. If
that's the case, you are probably going to have to do at least a
Repair reinstall of XP. If a foreign OS booted and running from a
clean CD also causes the same behaviour on the network, it has to be
network hardware-related, or just conceivably something in the MoBo.

On 30 Aug 2006 15:10:27 -0700, "GregG" <e.price***@verizon.net> wrote:

>
>Peter R. Fletcher wrote:
>> Bad network card or other hardware problem?
>> >
>> Please respond to the Newsgroup, so that others may benefit from the exchange.
>> Peter R. Fletcher
>
>Thanks Peter,
>
>I already changed NICs. The switch seems OK because other
>workstations are not affected even if I swapped ports with the troubled one.

Please respond to the Newsgroup, so that others may benefit from the exchange.
Peter R. Fletcher
Author
3 Sep 2006 7:51 PM
GregG
Peter R. Fletcher wrote:
> I missed the bit in your original post where it appears that at least
> the DNS flood is coming from (or at least through) XP - all the
> zeroes in the network monitoring results made me think of a hardware
> fault.
>
> I would suggest two approaches:
>
> 1) it looks as if you have tested by substitution all possible
> hardware causes except bad cabling. Try running a new, temporary cable
> between the XP machine and your switch. I frankly don't expect this to
> solve the problem, but network cabling problems can sometimes give
> rise to very strange symptoms indeed.
>
> 2) Boot another OS on the XP machine and see whether the flood
> continues. There are a number of trial versions of different flavours
> of Linux which have come out on computer magazine cover disks and/or
> can be downloaded and burnt to CD-Rs and run from the CD. Assuming
> that your hardware is fairly vanilla, you should be able to access the
> network from the "foreign" OS. If the "foreign" OS can access the
> network and doesn't flood it, I would have to assume that you either
> have a very well hidden piece of malware, or part of your XP network
> stack has been corrupted in a particularly spectacular fashion. If
> that's the case, you are probably going to have to do at least a
> Repair reinstall of XP. If a foreign OS booted and running from a
> clean CD also causes the same behaviour on the network, it has to be
> network hardware-related, or just conceivably something in the MoBo.
>
> On 30 Aug 2006 15:10:27 -0700, "GregG" <e.price***@verizon.net> wrote:
>

Thanks Peter for the guidelines.

I suspect this indeed was a very well hidden piece of malware. I was hit by a
virus about 3 weeks ago. I cleaned it (thoroughly, I thought, according to
various antivirus/antispyware applications/utilities and personal
experience with this type of event). But you never know, and
apparently something was still out there and created a channel bypassing the
firewall (as, in addition to the frames I mentioned, XP began receiving SMTP
requests from various external hosts). In any case I still do not know
what it was, but it appears to have stopped acting once I did the XP repair.

A side note. This is probably known, but just in case for someone going
through a similar problem - before doing an XP repair, always disable
antivirus software. I remembered that from upgrading to XP but failed to
do it this time while repairing. I had to use the recovery console to
disable Norton antivirus. Otherwise the repair process kept failing,
rebooting the machine in the middle of installation while installing
drivers.
Author
4 Sep 2006 6:27 AM
Peter R. Fletcher
On 3 Sep 2006 12:51:45 -0700, "GregG" <e.price***@verizon.net> wrote:

>Peter R. Fletcher wrote:
>> I missed the bit in your original post where it appears that at least
>> the DNS flood is coming from (or at least through) XP - all the
>> zeroes in the network monitoring results made me think of a hardware
>> fault.
>>
>> I would suggest two approaches:
>>
>> 1) it looks as if you have tested by substitution all possible
>> hardware causes except bad cabling. Try running a new, temporary cable
>> between the XP machine and your switch. I frankly don't expect this to
>> solve the problem, but network cabling problems can sometimes give
>> rise to very strange symptoms indeed.
>>
>> 2) Boot another OS on the XP machine and see whether the flood
>> continues. There are a number of trial versions of different flavours
>> of Linux which have come out on computer magazine cover disks and/or
>> can be downloaded and burnt to CD-Rs and run from the CD. Assuming
>> that your hardware is fairly vanilla, you should be able to access the
>> network from the "foreign" OS. If the "foreign" OS can access the
>> network and doesn't flood it, I would have to assume that you either
>> have a very well hidden piece of malware, or part of your XP network
>> stack has been corrupted in a particularly spectacular fashion. If
>> that's the case, you are probably going to have to do at least a
>> Repair reinstall of XP. If a foreign OS booted and running from a
>> clean CD also causes the same behaviour on the network, it has to be
>> network hardware-related, or just conceivably something in the MoBo.
>>
>> On 30 Aug 2006 15:10:27 -0700, "GregG" <e.price***@verizon.net> wrote:
>>
>
>Thanks Peter for the guidelines.
>
>I suspect this indeed was a very well hidden piece of malware. I was hit by a
>virus about 3 weeks ago. I cleaned it (thoroughly, I thought, according to
>various antivirus/antispyware applications/utilities and personal
>experience with this type of event). But you never know, and
>apparently something was still out there and created a channel bypassing the
>firewall (as, in addition to the frames I mentioned, XP began receiving SMTP
>requests from various external hosts). In any case I still do not know
>what it was, but it appears to have stopped acting once I did the XP repair.
>
>A side note. This is probably known, but just in case for someone going
>through a similar problem - before doing an XP repair, always disable
>antivirus software. I remembered that from upgrading to XP but failed to
>do it this time while repairing. I had to use the recovery console to
>disable Norton antivirus. Otherwise the repair process kept failing,
>rebooting the machine in the middle of installation while installing
>drivers.

Glad you got it sorted. The problem you describe with reinstalling in
the presence of AV software isn't 100% consistent, and may depend on
the version and on other software installed - I have got away with it
in the past. Your recommendation is a sensible one, however.

Please respond to the Newsgroup, so that others may benefit from the exchange.
Peter R. Fletcher