Windows 7: Detected DNS cache poisoning attack.

panais · 14 Nov 2011

My Eset Smart Security 5 alert me with this message.

Detected DNS cache poisoning attack

Remote IP address:
xxx.xxx.xx.xxx <---<Numbers here.

What exactly is this for?

DustSailor · 14 Nov 2011

"Run an Anti spyware program such as Spyware Terminator to clean your system from any malware", as suggested by one person.

I would suggest instead that you install malwarebytes to remove malware. Also, Microsoft Security Essentials is my favorite Antivirus, but I don't know very much about Eset Smart Security (why didn't it remove the problem? It only notifies you of it? Kinda lame isn't it?). DO NOT uninstall an antivirus through the control panel (if that is what you want to do). Rather, download an antivirus removal tool so that you do not corrupt anything in your system.

However, Eset recommends this method of uninstallation of antivirus software: How do I uninstall or reinstall ESET Smart Security/ESET NOD32 Antivirus? (4.x) - ESET Knowledgebase

pinto · 14 Nov 2011

DNS cache poisoning - Wikipedia, the free encyclopedia

DustSailor · 14 Nov 2011

Is this a networked or a home computer?

Jacee · 14 Nov 2011

Flush the DNS cache and restore MS's Hosts file ...
Copy and paste these lines in Note pad.

@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0

Save as flush.bat to your desktop. Right click on the flush.bat file to run it as Administrator. Your computer will reboot itself.

Now run a full scan with Eset and let me know if it still detects a DNS cache poisoning.

Corrine · 15 Nov 2011

Definitely follow Jacee's instructions.

See World's stealthiest rootkit pushes DNS hijacking trojan • The Register for additional information.

Quote:

End users who want to know if their systems are infected should check the DNS server settings of their operating system and routers. Compromised systems will show server IP addresses within the following ranges:

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

To check DNS settings on Windows open a command prompt and type "ipconfig /all" and then check the DNS Server field. On a Mac, choose System Preferences and then select Network. Then click on the Advanced button of the active connection. Users may also want to check the DNS servers used by their router.

panais · 15 Nov 2011

Quote: Originally Posted by Jacee

Flush the DNS cache and restore MS's Hosts file ...
Copy and paste these lines in Note pad.

@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0

Save as flush.bat to your desktop. Right click on the flush.bat file to run it as Administrator. Your computer will reboot itself.

Now run a full scan with Eset and let me know if it still detects a DNS cache poisoning.

Quote: Originally Posted by Corrine

Definitely follow Jacee's instructions.

See World's stealthiest rootkit pushes DNS hijacking trojan • The Register for additional information.

Quote:

End users who want to know if their systems are infected should check the DNS server settings of their operating system and routers. Compromised systems will show server IP addresses within the following ranges:

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

To check DNS settings on Windows open a command prompt and type "ipconfig /all" and then check the DNS Server field. On a Mac, choose System Preferences and then select Network. Then click on the Advanced button of the active connection. Users may also want to check the DNS servers used by their router.

I followed Jacee's instructions.

Everything is fine now.

The command from Jacee is

I keep it for future usage.

Thank you Ladies!!

DustSailor · 15 Nov 2011

I agree, very nice. Expert opinion nailed the problem exactly. Thats why we should all go to university

DBone · 15 Nov 2011

Following the advice from both Jacee and Corrine is a very wise thing to do!

weensyweb · 20 Feb 2012

Hello - I know this is an old thread, but this is exactly the problem I am having - except I think it is seeing my own IP address? It is the same IP address every time - I only just installed ESET Smart Security yesterday - it is updated and has run a scan with no detection.

I have done the above "flush.bat" instructions and the computer rebooted ok, and as soon as I opened a web page I got the same error as the OP: Detected DNS cache poisoning attack - with my own IP.

I ran Malware Bytes and got this report:

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 6.0.6002 Service Pack 2

21/02/2012 11:09:13 AM
mbam-log-2012-02-21 (11-09-13).txt

Scan type: Quick Scan
Objects scanned: 41351
Time elapsed: 2 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Windows 7: Detected DNS cache poisoning attack.

Detected DNS cache poisoning attack. problems?