Detected DNS cache poisoning attack.


  1. Posts : 5,405
    Windows 7 Ultimate 64bit SP1
       #1

    Detected DNS cache poisoning attack.


    My ESET Smart Security 5 alerted me with this message.

    Detected DNS cache poisoning attack

    Remote IP address:
    xxx.xxx.xx.xxx <---<Numbers here.

    What exactly is this for?


  2. Posts : 2,588
    Microsoft Windows 8.1 Pro 64-bit
       #2

    "Run an Anti spyware program such as Spyware Terminator to clean your system from any malware", as suggested by one person.

    I would suggest instead that you install Malwarebytes to remove malware. Also, Microsoft Security Essentials is my favorite antivirus, but I don't know very much about ESET Smart Security (why didn't it remove the problem? It only notifies you of it? Kinda lame, isn't it?). DO NOT uninstall an antivirus through the control panel (if that is what you want to do). Rather, download an antivirus removal tool so that you do not corrupt anything in your system.

    However, Eset recommends this method of uninstallation of antivirus software: How do I uninstall or reinstall ESET Smart Security/ESET NOD32 Antivirus? (4.x) - ESET Knowledgebase


  3. Posts : 16
    Windows 7 Pro 64
       #3


  4. Posts : 2,588
    Microsoft Windows 8.1 Pro 64-bit
       #4

    Is this a networked or a home computer?


  5. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #5

    Flush the DNS cache and restore MS's Hosts file ...
    Copy and paste these lines into Notepad.

    @Echo on
    pushd\windows\system32\drivers\etc
    attrib -h -s -r hosts
    echo 127.0.0.1 localhost>HOSTS
    attrib +r +h +s hosts
    popd
    ipconfig /release
    ipconfig /renew
    ipconfig /flushdns
    netsh winsock reset all
    netsh int ip reset all
    shutdown -r -t 1
    del %0


    Save as flush.bat to your desktop. Right click on the flush.bat file to run it as Administrator. Your computer will reboot itself.

    Now run a full scan with Eset and let me know if it still detects a DNS cache poisoning.


  6. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #6

    Definitely follow Jacee's instructions.

    See World's stealthiest rootkit pushes DNS hijacking trojan • The Register for additional information.
    End users who want to know if their systems are infected should check the DNS server settings of their operating system and routers. Compromised systems will show server IP addresses within the following ranges:

    85.255.112.0 through 85.255.127.255
    67.210.0.0 through 67.210.15.255
    93.188.160.0 through 93.188.167.255
    77.67.83.0 through 77.67.83.255
    213.109.64.0 through 213.109.79.255
    64.28.176.0 through 64.28.191.255

    To check DNS settings on Windows open a command prompt and type "ipconfig /all" and then check the DNS Server field. On a Mac, choose System Preferences and then select Network. Then click on the Advanced button of the active connection. Users may also want to check the DNS servers used by their router.
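Added example, not part of any post in this thread: one way to automate the check described in post #6, by pulling every address out of the "DNS Servers" fields of `ipconfig /all` output and testing it against the six ranges listed there. The function names and the sample output are constructed for illustration, and the parser assumes English-language `ipconfig` output.

```python
import ipaddress

# Ranges exactly as listed in the post above ("first through last").
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"), ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"), ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"), ("64.28.176.0", "64.28.191.255"),
]
# Constructed sample of English "ipconfig /all" output (not from the thread).
SAMPLE = """\
Ethernet adapter Local Area Connection:

   DNS Servers . . . . . . . . . . . : 85.255.113.7
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   DNS Servers . . . . . . . . . . . : fe80::1%11
                                       213.109.79.255
"""

def rogue_networks():
    """Collapse each first/last pair into CIDR networks."""
    return [n for lo, hi in ROGUE_RANGES for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))]

def dns_servers(ipconfig_text):
    """Return every address in a 'DNS Servers' field, continuation lines included."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        label, sep, value = line.partition(" : ")
        if sep:  # "Label . . . : value" field line
            in_dns = label.strip(" .").lower() == "dns servers"
        elif in_dns and line[:1].isspace() and line.strip():
            value = line  # indented continuation line holding one more address
        else:
            in_dns = False  # blank line or adapter header ends the field
        if in_dns:
            try:  # drop any IPv6 zone id ("%11") before parsing
                servers.append(ipaddress.ip_address(value.strip().split("%")[0]))
            except ValueError:
                pass
    return servers

def rogue_dns(ipconfig_text):
    """List (server, matching range) for IPv4 DNS servers inside the listed ranges."""
    return [(str(a), str(n)) for a in dns_servers(ipconfig_text)
            if a.version == 4 for n in rogue_networks() if a in n]
```

To run it against a real machine, save the output of `ipconfig /all` to a text file and pass its contents to `rogue_dns`; an empty list means no configured DNS server falls inside the listed ranges.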


  7. Posts : 5,405
    Windows 7 Ultimate 64bit SP1
    Thread Starter
       #7

    Jacee said:
    Flush the DNS cache and restore MS's Hosts file ...
    Copy and paste these lines into Notepad.

    @Echo on
    pushd\windows\system32\drivers\etc
    attrib -h -s -r hosts
    echo 127.0.0.1 localhost>HOSTS
    attrib +r +h +s hosts
    popd
    ipconfig /release
    ipconfig /renew
    ipconfig /flushdns
    netsh winsock reset all
    netsh int ip reset all
    shutdown -r -t 1
    del %0


    Save as flush.bat to your desktop. Right click on the flush.bat file to run it as Administrator. Your computer will reboot itself.

    Now run a full scan with Eset and let me know if it still detects a DNS cache poisoning.
    Corrine said:
    Definitely follow Jacee's instructions.

    See World's stealthiest rootkit pushes DNS hijacking trojan • The Register for additional information.
    End users who want to know if their systems are infected should check the DNS server settings of their operating system and routers. Compromised systems will show server IP addresses within the following ranges:

    85.255.112.0 through 85.255.127.255
    67.210.0.0 through 67.210.15.255
    93.188.160.0 through 93.188.167.255
    77.67.83.0 through 77.67.83.255
    213.109.64.0 through 213.109.79.255
    64.28.176.0 through 64.28.191.255

    To check DNS settings on Windows open a command prompt and type "ipconfig /all" and then check the DNS Server field. On a Mac, choose System Preferences and then select Network. Then click on the Advanced button of the active connection. Users may also want to check the DNS servers used by their router.
    I followed Jacee's instructions.

    Everything is fine now.

    The command from Jacee is

    I keep it for future usage.

    Thank you Ladies!!


  8. Posts : 2,588
    Microsoft Windows 8.1 Pro 64-bit
       #8

    I agree, very nice. Expert opinion nailed the problem exactly. That's why we should all go to university :)


  9. Posts : 431
    Windows 7 Home Premium x64 SP1
       #9

    Following the advice from both Jacee and Corrine is a very wise thing to do!


  10. Posts : 1
    Windows Vista Home Premium SP2 64-bit
       #10

    Hello - I know this is an old thread, but this is exactly the problem I am having - except I think it is seeing my own IP address? It is the same IP address every time - I only just installed ESET Smart Security yesterday - it is updated and has run a scan with no detection.

    I have done the above "flush.bat" instructions and the computer rebooted ok, and as soon as I opened a web page I got the same error as the OP: Detected DNS cache poisoning attack - with my own IP.

    I ran Malwarebytes and got this report:

    Malwarebytes' Anti-Malware 1.30
    Database version: 1306
    Windows 6.0.6002 Service Pack 2

    21/02/2012 11:09:13 AM
    mbam-log-2012-02-21 (11-09-13).txt

    Scan type: Quick Scan
    Objects scanned: 41351
    Time elapsed: 2 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


 