Undetectable Spyware or Pi-Hole bug?

Ah, I see. Yes, I'm aware of that.

But I really think it's a glitch in the pi-hole and not actual malware (or implanted mining software).

1 Like

Here you go:

pi@raspberrypi:~ $ pihole -v
  Pi-hole version is v3.2.1 (Latest: v3.2.1)
  AdminLTE version is v3.2.1 (Latest: v3.2.1)
  FTL version is v2.13.2 (Latest: v2.13.2)

pi@raspberrypi:~ $ cat /etc/dnsmasq.d/01-pihole.conf
# Pi-hole: A black hole for Internet advertisements
# (c) 2015, 2016 by Jacob Salmela
# Network-wide ad blocking via your Raspberry Pi
# http://pi-hole.net
# dnsmasq config for Pi-hole
# Pi-hole is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.

#                                                                             #
#                      /etc/pihole/setupVars.conf                             #
#                                                                             #
#                        OR IN /etc/dnsmasq.conf                              #







pi@raspberrypi:~ $

Does my post, above, shed any light on this issue?

Sorry, I was away from Discourse for a few days. It looks like you're clear of the previous hostname issue. Can you find the log lines in /var/log/pihole.log where dnsmasq resolves those domains?

No worries. I'm not one to complain about free tech support on free software!

Do I just 'cat' that file and look for the domains at issue and copy/post the results here?

You can run pihole -t or tail -F /var/log/pihole.log to follow the log as it's written to. More info here:

I pulled the old 4GB microSD card and installed Raspbian and pihole on a brand new 32GB microSD card. Still seeing primewire and 123netflix every 2 mins.

Pulled 32GB card, reformatted, flushed DNS, cleared cookies and everything else from all browsers. Installed Raspbian and pihole. Still seeing primewire and 123netflix every 2 mins.

Here is the log info:
Feb 4 00:12:00 dnsmasq[9095]: query[A] primewire.ag from
Feb 4 00:12:00 dnsmasq[9095]: cached primewire.ag is
Feb 4 00:12:00 dnsmasq[9095]: cached primewire.ag is
Feb 4 00:12:00 dnsmasq[9095]: query[A] 123netflix.com from
Feb 4 00:12:00 dnsmasq[9095]: cached 123netflix.com is
Feb 4 00:12:00 dnsmasq[9095]: cached 123netflix.com is

I'm really at a loss right now. :tired_face:

If it helps, I have an Asus RT-N66U Router with stock firmware. LAN DNS set to my pihole's IP address.
WAN DNS Server1 set to pihole's IP address and DNS Server2 set to

Win7 PC that continues to access primewire and 123netflix every 2 mins has a static IP address, hardwired ethernet cable to my router and adapter IPv4 Preferred DNS Server set to the pihole's IP address.

EDIT: I noticed the log time is 5 hours ahead. My PCs are set to the correct date, time and timezone. Checked it with browsers on 2 different computers. Odd.

EDIT 2: Fixed the time issue by going into 'sudo raspi-config' and setting the proper timezone.

I'm not sure what might be causing the PC to access those domains so often, but I think there are tools to find which programs are making DNS requests on Windows.

Might/looks be some infection on your pc.
Just add the domains to the blacklist and clean your pc.

That's where I started 2 weeks ago. But I tried it again and made some headway.

I kept track of when the Pi-Hole showed access to the two domains from my PC every 2 minutes.

Ran Process Monitor (to show Network Activity) and Wireshark both as Admin. Opened Windows Powershell as Admin and typed:

tasklist /svc /fi "imagename eq svchost.exe"

Then I waited and clicked enter on the command exactly when my PC was accessing those 2 domains.

Checked Wireshark for the same time and found the packets being sent to the pi-hole to check the DNS of those two domains.

Double clicked the packets and scrolled down to find the Source Port numbers:
57098 and 65208

Switched to Process Monitor and located the processes captured during the same time that was using those same Source Port numbers.

Double clicked and now I had:

  • the PID (1576),
  • the Path (C:\Windows\system32),
  • the Command Line parameters (-k NetworkService) and
  • the process name (svchost.exe)

Unfortunately, it’s the ubiquitous svchost.exe

Switch to Windows Powershell and checked out the results from when I ran the tasklist command.
PS C:\Users\MyPC> tasklist /svc /fi "imagename eq svchost.exe"

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1576 CryptSvc, Dnscache, LanmanWorkstation,

Now I have the Services behind svchost.exe.

Then I went into the Registry and found the Registry Entries for each of the 4 Services and that gave me the DLL files and the file paths. They’re all under %SystemRoot%\System32:

CryptSvc = cryptsvc.dll
Dnscache = dnsapi.dll
LanmanWorkstation = wkssvc.dll
NlaSvc = nlasvc.dll

Ran system filechecker with command

sfc /scannow
Windows Resource Protection did not find any integrity violations.

Scanned each file with MalwareBytes and Avira.
Nothing found.

Decided to check each service’s Display Name and Description:
CryptSvc = Cryptographic Services = Provides four management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enable scenarios such as SSL; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

Dnscache = DNS Client = The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer's name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start.

LanmanWorkstation = Server = Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

NlaSvc = Network Location Awareness = Collects and stores configuration information for the network and notifies programs when this information is modified. If this service is stopped, configuration information might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

Now I'm stumped. Do I stop each service and see if it stops access? Or bypass Pi-Hole and see if my PC is still accessing these domains every minute?


Unless your wimdows install is complicated ....jank in the dvd or usb key and re-install your pc.
Thats much faster.
Unless you like troubleshooting.

At this point, I need to find the issue and resolve it. It's a matter of pride. Never been beaten by a computer issue in the past, though this is one of the toughest I've encountered.

Going to try a clean boot on the PC and see if that helps.


have fun, but as far as this forum concerend this ticket should be closed.

Sounds a bit harsh.
Sounds like those commercial companies that treat you like a number :smiley:
My opinion, if it can contribute to others finding an answer, it can stay open indefinitely.

1 Like

Matter of opinion.
He/she has received the answer: machine is compromised. Has nothing to do with pihole anymore.
Personaly I would not even risk booting this machine on the network without a re-image.
I see the challenge, but its'a waste of time.


I'm still not convinced the PC is compromised. Main reason is that my PC only does a DNS check on the two domains with the Pi-Hole. It does not seem to be sending packets to those domains. I filter Wireshark using the “ip ==” for the IP addresses of those sites (,, and and nothing shows up.

So I'm not ruling anything out yet.

Tried using msconfig to run a clean boot of my PC by disabling everything except the Microsoft services. Upon reboot, my PC was not checking those two domains (primewire and 123netflix).

I didn’t see anything unusual in my services but might be something in there causing this issue.

Those domains are streaming sites. Perhaps a browser tab/bookmark to those sites that is performing DNS pre-fetching? Browser add-on perhaps? Utorrent? I see you say it loads before opening a browser, so if you have chrome, that can start on log-in. I doubt it's the Raspberry Pi, unless you have kodi/plex/insert video streaming service here installed on it.

You can't use the MAC address in the pcap to identify the source; it re-writes itself after every hop, so if the pihole is the last stop, you'll see the pi's MAC and not the originating device, especially on DNS replies.

The reason you see the pihole's IP address when using wireshark on your PC is because it's likely sending the DNS reply to your PC. You will not see a DNS request from the pihole going outbound to the internet on your PC's interface, only PC to Pihole, and Pihole to PC.

Sharing the pcap or an image of the pcap would help.

I'm thinking it's some sort of browser DNS pre-fetch but I'm damned if I can find it. I tried completely re-setting all my browsers but I kept the bookmarks. Maybe I need to wipe the bookmarks and see what happens.

The packets from Wireshark are just DNS checks. I've filtered the Wireshark for the IP addresses of each domain and nothing shows up. I can post the packet details from Wireshark if you think it would be helpful. Just need to figure out how to post them and to confirm there is nothing personal in there, such as my home IP address.

I was a little iffy suggesting browser pre-fetch if the browser isn't open. Maybe chrome, but not fully sure. I think a screenshot of wireshark showing port 53 traffic would be good to see. That way you can redact your public IP, though I don't think it would be visible from your PC. It will only see direct connections from your PC to pi-hole and back, and connections from PC to your gateway, which is likely your NAT'ed router. Assuming you aren't in promiscuous mode. :slight_smile:

These tell you how to disable pre-fetch.

I'm also curious to ask what software you got in your startup? It seems calling svchost for a DNS lookup is working as advertised, if it's trying to reach out to certificate authorities and what not. So what invoked that and started it all? I am not sure if procmon can show you what fires up svchost, maybe examine the child processes of the CryptSvc, Dnscache, LanmanWorkstation, NlaSvc dll's. I'm still in the camp of some software beaconing out from your rig to those domains. But I want to know what software that is. :slight_smile:

Thanks but I was able to find the culprit. It was MalwareBytes! The 2 domains were in the whitelist and that made the software DNS check them every 2 minutes.

So problem solved. The pi-hole was instrumental in discovering this issue but was not the cause. And my PC was not compromised. Just buggy anti-malware software.