Windows 7 Forums



Windows 7: Detected DNS cache poisoning attack.

14 Nov 2011   #1

Windows 7 Ultimate 64bit SP1
 
 
Detected DNS cache poisoning attack.

My Eset Smart Security 5 alerted me with this message.

Detected DNS cache poisoning attack

Remote IP address:
xxx.xxx.xx.xxx <---<Numbers here.

What exactly is this for?


14 Nov 2011   #2

Microsoft Windows 8.1 Pro 64-bit
 
 

"Run an Anti spyware program such as Spyware Terminator to clean your system from any malware", as suggested by one person.

I would suggest instead that you install Malwarebytes to remove malware. Also, Microsoft Security Essentials is my favorite Antivirus, but I don't know very much about Eset Smart Security (why didn't it remove the problem? It only notifies you of it? Kinda lame isn't it?). DO NOT uninstall an antivirus through the control panel (if that is what you want to do). Rather, download an antivirus removal tool so that you do not corrupt anything in your system.

However, Eset recommends this method of uninstallation of antivirus software: How do I uninstall or reinstall ESET Smart Security/ESET NOD32 Antivirus? (4.x) - ESET Knowledgebase
14 Nov 2011   #3

Windows 7 Pro 64
 
 



14 Nov 2011   #4

Microsoft Windows 8.1 Pro 64-bit
 
 

Is this a networked or a home computer?
14 Nov 2011   #5
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Flush the DNS cache and restore MS's Hosts file ...
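Copy and paste these lines in Notepad.

@Echo on
REM Restore the hosts file to a single localhost entry
pushd %SystemRoot%\System32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
REM Renew the DHCP lease and flush the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
REM Reset the Winsock catalog and the TCP/IP settings
netsh winsock reset all
netsh int ip reset all
REM Reboot after one second, then delete this batch file
shutdown -r -t 1
del %0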


Save as flush.bat to your desktop. Right click on the flush.bat file to run it as Administrator. Your computer will reboot itself.

Now run a full scan with Eset and let me know if it still detects a DNS cache poisoning.
15 Nov 2011   #6

Windows 7 & Windows Vista Ultimate
 
 

Definitely follow Jacee's instructions.

See "World's stealthiest rootkit pushes DNS hijacking trojan" (The Register) for additional information.
Quote:
End users who want to know if their systems are infected should check the DNS server settings of their operating system and routers. Compromised systems will show server IP addresses within the following ranges:

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

To check DNS settings on Windows open a command prompt and type "ipconfig /all" and then check the DNS Server field. On a Mac, choose System Preferences and then select Network. Then click on the Advanced button of the active connection. Users may also want to check the DNS servers used by their router.
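The check described in the quote from The Register above, as an added example (not code from the thread, ESET or The Register): it reads saved English-language `ipconfig /all` output and reports any DNS server inside the six listed ranges. The sample output, the in-range sample address and the function names are constructed for illustration.

```python
import ipaddress

# Ranges quoted in the thread from The Register (first address, last address).
ROGUE_RANGES = [tuple(map(ipaddress.IPv4Address, pair)) for pair in (
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
)]

# Constructed sample of English `ipconfig /all` output (not from the thread).
SAMPLE = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   DNS Servers . . . . . . . . . . . : 85.255.113.10
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def dns_servers(ipconfig_text):
    """Return the IPv4 DNS servers listed in `ipconfig /all` output."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        if ". :" in line:                 # a labelled field starts here
            label, value = line.split(". :", 1)
            in_dns = "DNS Servers" in label
        elif in_dns and line.strip():     # extra servers sit on unlabelled lines
            value = line
        else:                             # blank line or unrelated text
            in_dns = False
        if not in_dns:
            continue
        try:
            addr = ipaddress.ip_address(value.strip().split("%")[0])
        except ValueError:
            continue
        if addr.version == 4:             # the listed ranges are IPv4 only
            servers.append(addr)
    return servers

def rogue_servers(servers):
    """Return the servers that fall inside any of the listed ranges."""
    return [str(s) for s in servers if any(a <= s <= b for a, b in ROGUE_RANGES)]

if __name__ == "__main__":
    print(rogue_servers(dns_servers(SAMPLE)))
```

Save the output with `ipconfig /all > ipconfig.txt` and pass the file's contents to `dns_servers`; the router's DNS settings still have to be checked separately, as the quote says.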
15 Nov 2011   #7

Windows 7 Ultimate 64bit SP1
 
 

I followed Jacee's instructions.

Everything is fine now.

The command from Jacee is

I keep it for future usage.

Thank you Ladies!!
15 Nov 2011   #8

Microsoft Windows 8.1 Pro 64-bit
 
 

I agree, very nice. Expert opinion nailed the problem exactly. That's why we should all go to university.
15 Nov 2011   #9

Windows 7 Home Premium x64 SP1
 
 

Following the advice from both Jacee and Corrine is a very wise thing to do!
20 Feb 2012   #10

Windows Vista Home Premium SP2 64-bit
 
 

Hello - I know this is an old thread, but this is exactly the problem I am having - except I think it is seeing my own IP address? It is the same IP address every time - I only just installed ESET Smart Security yesterday - it is updated and has run a scan with no detection.

I have done the above "flush.bat" instructions and the computer rebooted ok, and as soon as I opened a web page I got the same error as the OP: Detected DNS cache poisoning attack - with my own IP.

I ran Malwarebytes and got this report:

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 6.0.6002 Service Pack 2

21/02/2012 11:09:13 AM
mbam-log-2012-02-21 (11-09-13).txt

Scan type: Quick Scan
Objects scanned: 41351
Time elapsed: 2 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)