Windows 7 Forums



Windows 7: DNS cache poisoning attack shutting down my internet and keep on comin


07 Jul 2013   #1

Windows 7 64bit
 
 

Hi,
It has been a long time since these errors started. They disappear when I flush my DNS, but they always come back and annoy me.
I have ESET Smart Security 5, and when this attack comes I get a message like this:
"
Detected DNS cache poisoning attack
IP:.....
"
When this is happening I can't browse the web (using Chrome) because I always get a message about a "DNS problem".

Every time it shows up again I use two programs to flush it. One is this ESET DNS flush:
DNS Cache Poisoning Attack - ESET Knowledgebase
and the second one is some batch file some guy named Jacee wrote here:
Detected DNS cache poisoning attack.

I'm tired of this but I know nothing about solving it.. Any ideas? thanks..

PS: I have one of the IPs that shows up in those messages, if it helps.


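One way to turn the IP from that ESET alert into something checkable, as an added example that is not part of the original post or of ESET's tooling: the PowerShell script below lists the DNS servers every IP-enabled adapter is actually using (via WMI, since the Get-DnsClient* cmdlets do not exist on Windows 7), the per-interface NameServer values in the registry, and any hosts-file entries beyond the localhost lines, then says whether the alert IP is one of your own resolvers. That distinction matters: an alert naming your configured resolver is either a false positive on the router/ISP server or a hijacked DNS setting, while an alert naming some other address means an unsolicited reply was seen. It assumes an elevated PowerShell 2.0 session on Windows 7; the address 203.0.113.10 is a placeholder from the documentation range, not an IP from the thread.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on Windows 7 / PS 2.0.
# Set $AlertIP to the address shown in the ESET "Detected DNS cache poisoning attack" message.
$AlertIP = '203.0.113.10'   # placeholder (RFC 5737 documentation range), not an address from the thread

# 1. DNS servers each IP-enabled adapter is really using (DHCP-assigned or static).
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
$configured = @()
foreach ($a in $adapters) {
    $servers = @($a.DNSServerSearchOrder)
    "{0}`n  DHCP: {1}  DNS: {2}" -f $a.Description, $a.DHCPEnabled, ($servers -join ', ')
    $configured += $servers
}

# 2. Same data from the registry; a static NameServer on a DHCP interface is a classic
#    DNS-changer symptom, so print it even when WMI already showed the same address.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
foreach ($key in Get-ChildItem $ifRoot) {
    $p = Get-ItemProperty $key.PSPath
    if ($p.NameServer) {
        "Static NameServer on {0}: {1}" -f $key.PSChildName, $p.NameServer
        $configured += ($p.NameServer -split '[ ,]+')
    }
}

# 3. hosts file: anything beyond comments and the localhost lines deserves a look.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts |
    Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch 'localhost' } |
    ForEach-Object { "hosts entry: $_" }

# 4. Is the alert IP one of our own resolvers?
$configured = $configured | Where-Object { $_ } | Sort-Object -Unique
if ($configured -contains $AlertIP) {
    "Alert IP $AlertIP IS a configured DNS server: either ESET distrusts your resolver or the setting was changed."
} else {
    "Alert IP $AlertIP is NOT a configured DNS server: ESET saw an unsolicited reply from it."
}

# 5. Show what the cache holds right now, then flush it (the same thing the batch file in the post does).
ipconfig /displaydns | Select-String 'Record Name|A \(Host\) Record' | Select-Object -First 20
ipconfig /flushdns
```

Save the output from steps 1 and 2 before flushing: if the same resolver keeps appearing in the alerts, the question is whether that address belongs to your router or ISP, and the DHCP flag tells you whether anything other than your router could have put it there.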

07 Jul 2013   #2

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

Krembo, welcome to SevenForums.

Let's try disabling the ESET firewall and enabling the Windows 7 firewall. You might be getting some false positives.
  • Open ESET Smart Security
  • Press the F5 key on your keyboard to access the Advanced setup window.
  • In the Advanced setup tree to the left, expand Network Personal firewall and click System integration.
  • Select Personal firewall is completely disabled from the System integration drop-down menu.

To enable Windows 7 Firewall

Also run a malwarebytes scan

Malwarebytes

Download Link MalwareBytes

When the installation is done uncheck Enable free trial of Malwarebytes (see image below )



Update the definitions and do a full scan

On the Scanner tab:
Make sure the "Perform Full Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.
07 Jul 2013   #3

Windows 7 64bit
 
 

Quote: Originally Posted by VistaKing
Krembo welcome to SevenForums
.....
Hi, and thank you for your answer.
I disabled ESET's firewall; the Windows Firewall was already on.

I've noticed that the IPs shown in those cache poisoning attack messages are the same ones shown under the IPv4 DNS entry in the network connection status. I can't really tell what it is called in English because my whole system is in Hebrew. I saw it by clicking the small network icon on the dashboard, then right-clicking the network I'm connected to -> Status -> Details..., and then under IPv4 DNS Server.

The scan seems to find nothing, except for those weird PRTT Windows files. All the others are just files meant to crack apps, such as keygens, cracks, etc.
-------------------------------------------------------------------------
Log:
Malwarebytes Anti-Malware 1.75.0.1300
Malwarebytes : Free anti-malware download

Database version: v2013.07.07.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16618
user :: USER-PC [administrator]

07/07/2013 14:53:10
mbam-log-2013-07-07 (14-53-10).txt

Scan type: Full scan (C:\|G:\|J:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 645388
Time elapsed: 1 hour(s), 29 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEXPLORE.EXE (Backdoor.PoisonIvy) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Windows\SysWOW64\28463 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463 (Keylogger.Ardamax) -> Quarantined and deleted successfully.

Files Detected: 39
C:\Users\user\Downloads\I_D_M_6.12.25.rar (PUP.Hacktool.Patcher) -> No action taken.
G:\Square Enix\Sleeping Dogs\buddha.dll (Malware.Gen.SKR) -> No action taken.
G:\osx\OS X Mountain Lion 10.8.2 VMware Image\VMware Unlocker - Hardware Virtualization Bypasser\vmware-vmx-patch.exe (RiskWare.Tool.CK) -> No action taken.
J:\תוכנות\Internet Download Manager\IDM 6.12.25\I_D_M_6.12.25.rar (PUP.Hacktool.Patcher) -> No action taken.
J:\תוכנות\Internet Download Manager\IDM 6.12.25\Patch\internet.download.manager.v6.08-patch.exe (PUP.Hacktool.Patcher) -> No action taken.
J:\תוכנות\Internet Download Manager\IDM 6.12.25\Patch\internet.download.manager.v6.08-patch.rar (PUP.Hacktool.Patcher) -> No action taken.
J:\תוכנות\Internet Download Manager\Internet Download Manager 6.05B8 by sexh\IDM B8 and crack - by sexh.rar (Trojan.Ardamax) -> No action taken.
J:\תוכנות\VMware.Workstation.v9.0.0.812388.Incl.Keymaker-ZWT\keygen.exe (Riskware.Tool.CK) -> No action taken.
C:\Program Files (x86)\Internet Download Manager\internet.download.manager.v6.08-patch.exe (PUP.Hacktool.Patcher) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Sony\Vegas Pro 11.0\keygen DI v2.0\Keygen.exe (RiskWare.Tool.HCK) -> Quarantined and deleted successfully.
C:\Users\user\Documents\RemoveWAT20\RemoveWAT.exe (HackTool.Wpakill) -> Quarantined and deleted successfully.
C:\Users\user\Documents\RemoveWAT20\RemoveWAT20\R-WAT.txt (HackTool.Wpakill) -> Quarantined and deleted successfully.
C:\Users\user\Documents\RemoveWAT20\RemoveWAT20\RemoveWAT.exe (HackTool.Wpakill) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\ESET PureFix v2.02.rar (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\IDM B8 and crack - by sexh.rar (Trojan.Ardamax) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\Vegas_Pro_2011.rar.crdownload (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\eset_nod32-5.rar (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\keygen.DI.v2.0..rar (RiskWare.Tool.HCK) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\rpc412_setup.exe (PAssword.Tool) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\הפריצה רשמית ולכל החיים בגירסא חדשה לנוד32 גירסא 5.rar (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\28463\PRTT.001 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\28463\PRTT.002 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\28463\PRTT.005 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\28463\PRTT.006 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\28463\PRTT.007 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.001 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.002 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.005 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.006 (PUP.ArdamaxKeyLogger) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.006 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.007 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.007 (PUP.ArdamaxKeyLogger) -> Quarantined and deleted successfully.
G:\Documents\RemoveWAT20\RemoveWAT20\R-WAT.txt (HackTool.Wpakill) -> Quarantined and deleted successfully.
G:\Documents\RemoveWAT20\RemoveWAT20\RemoveWAT.exe (HackTool.Wpakill) -> Quarantined and deleted successfully.
G:\backup\Documents\RemoveWAT20\RemoveWAT20\R-WAT.txt (HackTool.Wpakill) -> Quarantined and deleted successfully.
G:\backup\Documents\RemoveWAT20\RemoveWAT20\RemoveWAT.exe (HackTool.Wpakill) -> Quarantined and deleted successfully.
J:\Portable תקין\Device Doctor 1.0\Data\Native\STUBEXE\@PROGRAMFILES@\Internet Explorer\iexplore.exe (Backdoor.PoisonIvy) -> Quarantined and deleted successfully.
J:\Portable תקין\Device Doctor 1.0\Data\Virtual\STUBEXE\@PROGRAMFILES@\Device Doctor\1.0.0.1\DeviceDoctor.exe (Backdoor.PoisonIvy) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{E942257D-7E83-485C-886F-EF5B12C3FA67}\RP103\A0023471.exe (Backdoor.PoisonIvy) -> Quarantined and deleted successfully.

(end)
---------------------------------------------------------
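The log above flags an Image File Execution Options key for IEXPLORE.EXE. A Debugger value under an IFEO subkey makes Windows start the named program whenever the real executable is launched, handing it the original command line, which is a documented hijack and persistence technique; MBAM removed that one key, but it is worth confirming nothing else on the box uses the same trick and that the Ardamax folders really are gone. The audit below is an added example, not code from the thread or from Malwarebytes: it lists every IFEO subkey carrying a Debugger value in both the 64-bit and WOW6432Node views, re-checks the two 28463 folders named in the log, and looks for any running process that still executes from them. It assumes the 64-bit PowerShell 2.0 on Windows 7, run elevated (from a 32-bit host the System32 path would be redirected to SysWOW64).

```powershell
# Added example (not from the thread). Run in the 64-bit PowerShell, elevated, on Windows 7 / PS 2.0.
$ifeoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebugger {
    # Every image name under IFEO whose execution is redirected through a Debugger value.
    foreach ($root in $ifeoKeys) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem $root) {
            $dbg = (Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                New-Object PSObject -Property @{
                    Image    = $sub.PSChildName
                    Debugger = $dbg
                    Key      = $sub.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                }
            }
        }
    }
}

$hits = @(Get-IfeoDebugger)
if ($hits.Count -eq 0) {
    'No IFEO Debugger values present.'
} else {
    # A clean machine has few or none of these. Anything pointing at a user-writable path,
    # a random-looking name, or a browser or security product image is suspect.
    $hits | Format-Table Image, Debugger, Key -AutoSize
}

# Folders the log attributed to Keylogger.Ardamax; after removal they should not exist.
$ardamax = @("$env:SystemRoot\System32\28463", "$env:SystemRoot\SysWOW64\28463")
foreach ($d in $ardamax) {
    if (Test-Path $d) {
        "STILL PRESENT: $d"
        Get-ChildItem $d -Force | Select-Object Name, Length, LastWriteTime
    } else {
        "gone: $d"
    }
}

# Anything still running out of those folders right now?
Get-WmiObject Win32_Process |
    Where-Object { $_.ExecutablePath -match '\\28463\\' } |
    Select-Object ProcessId, Name, ExecutablePath
```

If a process shows up in the last step, the quarantine removed files but not the running copy, and the machine should be treated as still compromised until it has been rebooted and re-scanned; with a keylogger and a PoisonIvy backdoor in the log, changing passwords from a different, clean device is the sensible next step regardless.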


07 Jul 2013   #4

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

Run Farbar Recovery Scan Tool


32-bit Version OS Farbar Recovery Scan Tool <==== Download Link

Drag the FRST.exe from the Downloads folder to your Desktop

Right click on FRST.exe and choose

When the tool opens click Yes on the disclaimer window .

Press Scan button.


Please upload both logs in your reply.(FRST.txt and Addition.txt)

FRST.txt and Addition.txt will be on the Desktop

Upload a File
Click on the Go Advanced button under the Message box. Scroll down to Additional Options, then click on Manage Attachments in the Attach Files section. Click the Browse button, locate the file, then click on the Open button. In the Upload File from your Computer section click on the Upload button. Wait until it finishes uploading, then close the window. Then click Submit Reply.
07 Jul 2013   #5

Windows 7 Home Premium
 
 

Krembo,

Quote:
... all the other are just files meant to crack apps
The above comment is rather amusing.

Keygens, cracks and serials violate copyright and ownership of software. They are used to get programs for free that one should pay for. It is known as software piracy, which is equivalent to stealing. It is essentially the same as if one figured out a way to break into the neighbor's auto and take it.

Also note that companies of the legal software can track illegal copies, and make them stop working.
And, if by any chance, you are attending a school, and are using an illegal copy of a program, be aware that if the school finds out, you may get suspended or even expelled. A school that knowingly allows students to use illegal software is implicated in the crime as well, and a legal software company has the right to pursue legal action against the school.

It is strongly recommended that you remove any keygen, crack or serial from your system, particularly if you wish to continue receiving support. Piracy is not supported.
07 Jul 2013   #6

Windows 7 64bit
 
 

Quote: Originally Posted by VistaKing
Run Farbar Recovery Scan Tool
.....
Files attached. I downloaded the 64-bit version.


Attached Files
File Type: txt FRST.txt (33.6 KB, 2 views)
File Type: txt Addition.txt (20.3 KB, 1 views)
07 Jul 2013   #7

Windows 7 Home Premium 64bit
 
 

Quote: Originally Posted by Krembo
.....
Log:
Malwarebytes Anti-Malware 1.75.0.1300
.....
O M F G!!!
07 Jul 2013   #8

Windows 7 Home Premium
 
 

Yep...they're just files meant to crack apps.
Incredible attitude.
07 Jul 2013   #9

Windows 7 Home Premium 64bit
 
 

I dread to think how his PC runs, because so many of these "crack" files are piggybacked!

Andy