Solved Detected DNS cache poisoning attack.

panais

My Eset Smart Security 5 alerted me with this message.

Detected DNS cache poisoning attack

Remote IP address:
xxx.xxx.xx.xxx <---<Numbers here.

What exactly is this for?
 

"Run an Anti spyware program such as Spyware Terminator to clean your system from any malware", as suggested by one person.

I would suggest instead that you install malwarebytes to remove malware. Also, Microsoft Security Essentials is my favorite Antivirus, but I don't know very much about Eset Smart Security (why didn't it remove the problem? It only notifies you of it? Kinda lame isn't it?). DO NOT uninstall an antivirus through the control panel (if that is what you want to do). Rather, download an antivirus removal tool so that you do not corrupt anything in your system.

However, Eset recommends this method of uninstallation of antivirus software: How do I uninstall or reinstall ESET Smart Security/ESET NOD32 Antivirus? (4.x) - ESET Knowledgebase
 

Is this a networked or a home computer?
 

Flush the DNS cache and restore MS's Hosts file ...
Copy and paste these lines in Notepad.

@echo on
rem Rewrite the hosts file so it contains only the stock localhost entry.
rem %SystemRoot% is used instead of \windows so the path resolves from any current drive.
pushd %SystemRoot%\System32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>hosts
attrib +r +h +s hosts
popd
rem Drop the DHCP lease, get a fresh one and clear the resolver cache.
ipconfig /release
ipconfig /renew
ipconfig /flushdns
rem Reset the Winsock catalog and the TCP/IP stack (neither command takes "all" as an argument).
netsh winsock reset
netsh int ip reset
rem Reboot in one second, then remove this batch file.
shutdown -r -t 1
del %0


Save as flush.bat to your desktop. Right-click on the flush.bat file to run it as Administrator. Your computer will reboot itself.

Now run a full scan with Eset and let me know if it still detects a DNS cache poisoning.
 

Definitely follow Jacee's instructions.

See World's stealthiest rootkit pushes DNS hijacking trojan • The Register for additional information.
End users who want to know if their systems are infected should check the DNS server settings of their operating system and routers. Compromised systems will show server IP addresses within the following ranges:

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

To check DNS settings on Windows open a command prompt and type "ipconfig /all" and then check the DNS Server field. On a Mac, choose System Preferences and then select Network. Then click on the Advanced button of the active connection. Users may also want to check the DNS servers used by their router.
 

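The check Corrine quotes above (compare every DNS server shown by "ipconfig /all" against the listed address ranges, and look at what the hosts file points where) as an added Python example. This is not code from the thread, from ESET or from The Register; the ipconfig output and hosts file it reads are constructed samples embedded in the script, and on a real machine you would feed it the text of ipconfig /all and the contents of %SystemRoot%\System32\drivers\etc\hosts instead. The parser handles the continuation lines ipconfig prints when an adapter has more than one DNS server, and ignores IPv6 servers since the ranges are IPv4.

```python
"""Check DNS servers from `ipconfig /all` output against the rogue DNS
ranges quoted in the thread, and list hosts entries that do not point
at loopback. Added example; sample data below is constructed."""
import ipaddress
import re

# Inclusive ranges from the Register article quoted in the thread.
ROGUE_DNS_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]


def in_rogue_range(ip):
    """True if `ip` is an IPv4 address inside one of the listed ranges."""
    try:
        addr = ipaddress.ip_address(ip.split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return False
    if addr.version != 4:
        return False
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in ROGUE_DNS_RANGES)


# ipconfig key lines look like "   DNS Servers . . . . . : value";
# continuation lines are just an indented value with no " :".
KEY_LINE = re.compile(r"^\s+(.+?)[ .]* :\s*(.*)$")


def dns_servers_per_adapter(ipconfig_text):
    """Parse `ipconfig /all` output into {adapter name: [dns server, ...]}."""
    result = {}
    adapter, collecting = None, False
    for line in ipconfig_text.splitlines():
        if not line.strip():
            collecting = False
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            adapter = line.strip().rstrip(":")  # "Ethernet adapter ...:"
            result[adapter] = []
            collecting = False
            continue
        m = KEY_LINE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            collecting = key == "DNS Servers"
            if collecting and value and adapter:
                result[adapter].append(value)
        elif collecting and adapter:
            result[adapter].append(line.strip())  # continuation line
    return result


def flag_rogue_dns(ipconfig_text):
    """Return [(adapter, server)] for DNS servers inside a rogue range."""
    return [(adapter, ip)
            for adapter, servers in dns_servers_per_adapter(ipconfig_text).items()
            for ip in servers if in_rogue_range(ip)]


def non_loopback_hosts_entries(hosts_text):
    """Return (address, [names]) for hosts entries not pointing at loopback.
    A stock Windows hosts file yields an empty list."""
    entries = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            if ipaddress.ip_address(addr).is_loopback:
                continue
        except ValueError:
            pass  # malformed address: still worth reporting
        entries.append((addr, names))
    return entries


# Constructed sample: one adapter with a rogue primary DNS server.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-EXAMPLE
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   DNS Servers . . . . . . . . . . . : 85.255.112.34
                                       192.168.1.1
                                       fec0:0:0:ffff::1%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
"""

# Constructed sample hosts file with one added redirect entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#   127.0.0.1       localhost
127.0.0.1 localhost
::1 localhost
203.0.113.7  www.example.com   # constructed rogue entry
"""

if __name__ == "__main__":
    for adapter, ip in flag_rogue_dns(SAMPLE_IPCONFIG):
        print(f"{adapter}: DNS server {ip} is in a known rogue range")
    for addr, names in non_loopback_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts: {addr} -> {' '.join(names)}")
```

On the sample it reports the 85.255.112.34 server on the Ethernet adapter and the www.example.com hosts entry; a clean machine prints nothing. Remember to check the router's DNS settings as well, as the quoted article says, since a poisoned router hands the rogue servers to every client via DHCP.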
(Quoting Jacee's and Corrine's posts above.)

I followed Jacee's instructions.

Everything is fine now.

The command from Jacee is :thumbsup:

I keep it for future usage.

Thank you Ladies!!
 

I agree, very nice. Expert opinion nailed the problem exactly. That's why we should all go to university :)
 

Following the advice from both Jacee and Corrine is a very wise thing to do! ;)
 

Hello - I know this is an old thread, but this is exactly the problem I am having - except I think it is seeing my own IP address? It is the same IP address every time - I only just installed ESET Smart Security yesterday - it is updated and has run a scan with no detection.

I have done the above "flush.bat" instructions and the computer rebooted ok, and as soon as I opened a web page I got the same error as the OP: Detected DNS cache poisoning attack - with my own IP.

I ran Malware Bytes and got this report:

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 6.0.6002 Service Pack 2

21/02/2012 11:09:13 AM
mbam-log-2012-02-21 (11-09-13).txt

Scan type: Quick Scan
Objects scanned: 41351
Time elapsed: 2 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 

One small note

(Quoting Jacee's flush.bat post above.)

One small item to be aware of:
If you follow Jacee's advice above, & run that batch file, be advised that if you're using a static IP, you will be left unable to connect to any sites--until you go back into the settings for your network adaptor & re-enter your chosen static settings.
Just sayin....
 

@ weensyweb ... you're running an outdated version of Malwarebytes. The latest version is 1.60.1
 

Hello all,

I know this thread has been up for quite a while already, but I'm having the same problem at the moment.


I tried running the .bat file Jacee mentioned, but I am still getting the DNS attack message.

I ran Malwarebytes full scan for problems, nothing.

I even tried asking the ESET technical support (useless btw), they gave me instructions to HIDE the message instead of trying to help me ELIMINATE the problem.

I've also tried the DNS Flush (one of the solutions I found on ESET's website).

Can anyone here help me out?? Much appreciated :)
 

(Quoting Jacee's flush.bat post above.)

Yikes! Ran this and several of my programs seem to have disappeared!!!! Am trying a system restore, but am NOT a happy camper right now
 

ESET Reporting DNS cache poisoning attack

As typical in forums there is often a mix of good and bad information. May I suggest the following URL as a first step in solving this issue:

< DNS Cache Poisoning Attack - ESET Knowledgebase >

It is not a good idea to run a second antivirus/antispyware program on a system with an already installed security program. They will conflict. For example, just look at a previous posting on this forum. MalwareBytes was installed and ended up detecting, quarantining and deleting an essential component (EKRN.exe) of the ESET program. That did not solve the problem but created one!

Thread Carefully,

Northernwolf
 
