Sunday, July 26, 2015

Suspicious burst of dns queries from Windows

Reviewing dns query logs on my home network, I discovered that every afternoon a Windows 7 machine would issue a fast burst of about 1000 dns queries.  The list of domain names queried each day appeared to be the same, and included quite a few porn and foreign sites.

Right away I figured I've got malware on the machine.  I did the following:

Everything came up clean -- no detected problems.

Since the dns burst happened every day, I was trying to figure out how to determine what process on a Windows 7 machine issued a given dns query.  And in the middle of working on that, some google searches pointed out that Avast itself is the culprit.  Arghhhh.

Apparently Avast performs a dns lookup on each of the top 1000 sites to spot dns hijacking. Of course, in doing so, Avast creates a highly suspicious traffic signature. Sounds like many people have wasted hours trying to hunt this down, only to find that Avast is the root cause. :(
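For anyone reviewing their own resolver logs, here is an added example (my own illustration, not code from the post or from Avast) of the kind of check that surfaces this signature: a sliding-window burst detector over dnsmasq-style query lines, plus a comparison of the name lists between bursts on different days. The log format, the `router` hostname, the 192.168.1.x clients, the `site-NNN.example` names and the 60-query burst are all constructed sample data standing in for the roughly 1000-query burst described above; a real top-1000 check would simply produce a larger count.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# dnsmasq "log-queries" line layout (assumed; adjust the regex for other resolvers):
#   Jul 26 14:03:12 router dnsmasq[1234]: query[A] www.example.com from 192.168.1.20
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def parse_line(line):
    """Parse one dnsmasq query line into (datetime, qname, client), or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
    return ts, m.group("name").lower(), m.group("client")


def find_bursts(lines, window=timedelta(seconds=60), min_queries=50):
    """Report every window in which one client issued >= min_queries queries.

    Events are grouped per client and scanned with a sliding window anchored at
    each event; a qualifying window is reported once and scanning resumes after it.
    """
    per_client = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, name, client = parsed
            per_client[client].append((ts, name))

    bursts = []
    for client, events in per_client.items():
        events.sort()
        i = 0
        while i < len(events):
            j = i
            while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window:
                j += 1
            if j - i + 1 >= min_queries:
                names = frozenset(n for _, n in events[i:j + 1])
                bursts.append({
                    "client": client,
                    "start": events[i][0],
                    "end": events[j][0],
                    "count": j - i + 1,
                    "distinct_names": len(names),
                    "names": names,
                })
                i = j + 1
            else:
                i += 1
    return bursts


def burst_overlap(bursts):
    """Jaccard similarity of the name sets of the first and last burst (1.0 = identical list)."""
    if len(bursts) < 2:
        return 0.0
    a, b = bursts[0]["names"], bursts[-1]["names"]
    return len(a & b) / len(a | b)


def _burst(day):
    # Constructed: 60 queries in about six seconds, the same ordered list every day.
    return [
        f"Jul {day} 14:03:{12 + i // 10:02d} router dnsmasq[1234]: "
        f"query[A] site-{i:03d}.example from 192.168.1.20"
        for i in range(60)
    ]


# Constructed sample log: a normal trickle, then the daily burst, on two consecutive days.
SAMPLE_LINES = (
    ["Jul 26 13:58:01 router dnsmasq[1234]: query[A] www.example.com from 192.168.1.20",
     "Jul 26 13:58:30 router dnsmasq[1234]: query[A] mail.example.com from 192.168.1.20",
     "Jul 26 13:59:02 router dnsmasq[1234]: query[A] www.example.com from 192.168.1.31"]
    + _burst(26)
    + ["Jul 26 14:10:44 router dnsmasq[1234]: query[AAAA] www.example.com from 192.168.1.20",
       "Jul 26 14:10:44 router dnsmasq[1234]: forwarded www.example.com to 192.0.2.1"]  # ignored
    + ["Jul 27 14:01:09 router dnsmasq[1234]: query[A] news.example.com from 192.168.1.20"]
    + _burst(27)
)

if __name__ == "__main__":
    found = find_bursts(SAMPLE_LINES)
    for b in found:
        print(f"{b['client']}: {b['count']} queries ({b['distinct_names']} distinct) "
              f"between {b['start']:%b %d %H:%M:%S} and {b['end']:%H:%M:%S}")
    print(f"name overlap between first and last burst: {burst_overlap(found):.2f}")
```

An overlap near 1.0 across days says only that the same list is being resolved on a schedule; it is consistent with the scanner described in the post, but the resolver log alone cannot name the process, which is exactly why the on-host question above still had to be answered.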

References: