DNS cache poisoning attack shutting down my internet and keep on comin

[Krembo]

Hi,
It has been a long time since this errors started,It is disappearing when I flushing my DNS, but it always comes back and annoys..
I have Eset SmartSecurity 5 and when this attack comes I get a meesage like this:
"
Detected DNS cache poisoning attack
IP:.....
"
When this is happening I can't browse the web (using Chrome) because I always get this message about "DNS problem"

Everytime it is showing up again Im using two programs to flush it, one is this Eset DNS Flush:
DNS Cache Poisoning Attack - ESET Knowledgebase
and the second one is some batch file some guy named Jacee wrote here:
http://www.sevenforums.com/system-security/197311-detected-dns-cache-poisoning-attack.html

I'm tired of this but I know nothing about solving it.. Any ideas? thanks..

ps. i have one of the IP that is showing up in those messages if it helps

 

[VistaKing]

Krembo welcome to SevenForums

Lets try disabling the ESET firewall and enable the Windows 7 firewall . You might be having some false positives

• Open ESET Smart Security
  
• Press the F5 key on your keyboard to access the Advanced setup window.
  
• In the Advanced setup tree to the left, expand Network Personal firewall and click System integration.
  
• Select Personal firewall is completely disabled from the System integration drop-down menu.

:ar: To enable Windows 7 Firewall

• http://www.sevenforums.com/tutorials/522-windows-firewall-turn-off.html

Also run a malwarebytes scan

Malwarebytes

Download Link :ar: MalwareBytes

When the installation is done uncheck Enable free trial of Malwarebytes (see image below )

Update the definitions and do a full scan

:ar: On the Scanner tab:
Make sure the "Perform Full Scan" option is selected.
Then click on the Scan button.
:ar: If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
:ar: The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
:ar: When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
:ar: Click OK to close the message box and continue with the removal process.
:ar: Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
:ar: Make sure that everything is checked, and click Remove Selected.
:ar: When removal is completed, a log report will open in Notepad.
:ar: The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
:ar: Copy and paste the contents of that report in your next reply and exit MBAM.

 

[Krembo]

Krembo welcome to SevenForums
.....

Hi, and thank you for your answer.
I canceled the ESET's firewall , the Windows Firewall was already on.

I've noticed that the same IPs which were shown in those cache poisoning attack messages are the same ones shown under the DNS IPv4 tab inside the network connection status. I cant really tell what is it called in English because my whole system is in Hebrew, I saw that by click on the network small icon on the dashboard, then right click on the network im connected with, ->Status, then ->Details.., and then under the DNS Server of IPv4..

The scan seems to find nothing, except for those PPR weird windows files. all the other are just files meant to crack apps such as keygens , cracks etc.
-------------------------------------------------------------------------
Log:
Malwarebytes Anti-Malware 1.75.0.1300
Malwarebytes : Free anti-malware download

Database version: v2013.07.07.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16618
user :: USER-PC [administrator]

07/07/2013 14:53:10
mbam-log-2013-07-07 (14-53-10).txt

Scan type: Full scan (C:\|G:\|J:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 645388
Time elapsed: 1 hour(s), 29 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEXPLORE.EXE (Backdoor.PoisonIvy) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Windows\SysWOW64\28463 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463 (Keylogger.Ardamax) -> Quarantined and deleted successfully.

Files Detected: 39
C:\Users\user\Downloads\I_D_M_6.12.25.rar (PUP.Hacktool.Patcher) -> No action taken.
G:\Square Enix\Sleeping Dogs\buddha.dll (Malware.Gen.SKR) -> No action taken.
G:\osx\OS X Mountain Lion 10.8.2 VMware Image\VMware Unlocker - Hardware Virtualization Bypasser\vmware-vmx-patch.exe (RiskWare.Tool.CK) -> No action taken.
J:\תוכנות\Internet Download Manager\IDM 6.12.25\I_D_M_6.12.25.rar (PUP.Hacktool.Patcher) -> No action taken.
J:\תוכנות\Internet Download Manager\IDM 6.12.25\Patch\internet.download.manager.v6.08-patch.exe (PUP.Hacktool.Patcher) -> No action taken.
J:\תוכנות\Internet Download Manager\IDM 6.12.25\Patch\internet.download.manager.v6.08-patch.rar (PUP.Hacktool.Patcher) -> No action taken.
J:\תוכנות\Internet Download Manager\Internet Download Manager 6.05B8 by sexh\IDM B8 and crack - by sexh.rar (Trojan.Ardamax) -> No action taken.
J:\תוכנות\VMware.Workstation.v9.0.0.812388.Incl.Keymaker-ZWT\keygen.exe (Riskware.Tool.CK) -> No action taken.
C:\Program Files (x86)\Internet Download Manager\internet.download.manager.v6.08-patch.exe (PUP.Hacktool.Patcher) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Sony\Vegas Pro 11.0\keygen DI v2.0\Keygen.exe (RiskWare.Tool.HCK) -> Quarantined and deleted successfully.
C:\Users\user\Documents\RemoveWAT20\RemoveWAT.exe (HackTool.Wpakill) -> Quarantined and deleted successfully.
C:\Users\user\Documents\RemoveWAT20\RemoveWAT20\R-WAT.txt (HackTool.Wpakill) -> Quarantined and deleted successfully.
C:\Users\user\Documents\RemoveWAT20\RemoveWAT20\RemoveWAT.exe (HackTool.Wpakill) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\ESET PureFix v2.02.rar (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\IDM B8 and crack - by sexh.rar (Trojan.Ardamax) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\Vegas_Pro_2011.rar.crdownload (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\eset_nod32-5.rar (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\keygen.DI.v2.0..rar (RiskWare.Tool.HCK) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\rpc412_setup.exe (PAssword.Tool) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\הפריצה רשמית ולכל החיים בגירסא חדשה לנוד32 גירסא 5.rar (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\28463\PRTT.001 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\28463\PRTT.002 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\28463\PRTT.005 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\28463\PRTT.006 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\28463\PRTT.007 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.001 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.002 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.005 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.006 (PUP.ArdamaxKeyLogger) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.006 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.007 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.007 (PUP.ArdamaxKeyLogger) -> Quarantined and deleted successfully.
G:\Documents\RemoveWAT20\RemoveWAT20\R-WAT.txt (HackTool.Wpakill) -> Quarantined and deleted successfully.
G:\Documents\RemoveWAT20\RemoveWAT20\RemoveWAT.exe (HackTool.Wpakill) -> Quarantined and deleted successfully.
G:\backup\Documents\RemoveWAT20\RemoveWAT20\R-WAT.txt (HackTool.Wpakill) -> Quarantined and deleted successfully.
G:\backup\Documents\RemoveWAT20\RemoveWAT20\RemoveWAT.exe (HackTool.Wpakill) -> Quarantined and deleted successfully.
J:\Portable תקין\Device Doctor 1.0\Data\Native\STUBEXE\@PROGRAMFILES@\Internet Explorer\iexplore.exe (Backdoor.PoisonIvy) -> Quarantined and deleted successfully.
J:\Portable תקין\Device Doctor 1.0\Data\Virtual\STUBEXE\@PROGRAMFILES@\Device Doctor\1.0.0.1\DeviceDoctor.exe (Backdoor.PoisonIvy) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{E942257D-7E83-485C-886F-EF5B12C3FA67}\RP103\A0023471.exe (Backdoor.PoisonIvy) -> Quarantined and deleted successfully.

(end)
---------------------------------------------------------

 

[VistaKing]

Run Farbar Recovery Scan Tool

32-bit Version OS Farbar Recovery Scan Tool <==== Download Link

Drag the FRST.exe from the Downloads folder to your Desktop

Right click on FRST.exe and choose

When the tool opens click Yes on the disclaimer window .

Press Scan button.


Please upload both logs in your reply.(FRST.txt and Addition.txt)

:note: FRST.txt and Addition.txt will be on the Desktop :note:

Upload a File
Click on the Go Advanced button under the Message box . Scroll down to Additional Options then click on Manage Attachments in the Attach Files sections . Click the Browse button locate the file then click on the Open button . In the Upload File from your Computer section click on the Upload button . Wait until it finishes uploading then close the window . Then click Submit Reply .

 

[cottonball]

Krembo,

... all the other are just files meant to crack apps

The above comment is rather amusing.

:warn: Keygens, cracks and serials violate copyright and ownership of software. They are used to get programs for free that one should pay for. It is known as software piracy, which is equivalent to stealing. It is essentially the same as if one figured out a way to break into the neighbor's auto and take it.

Also note that companies of the legal software can track illegal copies, and make them stop working.
And, if by any chance, you are attending a school, and are using an illegal copy of a program, be aware that if the school finds out, you may get suspended or even expelled. A school that knowingly allows students to use illegal software is implicated in the crime as well, and a legal software company has the right to pursue legal action against the school.

It is strongly recommended that you remove any keygen, crack or serial from your system, particularly if you wish to continue receiving support. Piracy is not supported. :warn:

 

[Krembo]

Run Farbar Recovery Scan Tool

32-bit Version OS Farbar Recovery Scan Tool <==== Download Link

Drag the FRST.exe from the Downloads folder to your Desktop

Right click on FRST.exe and choose

When the tool opens click Yes on the disclaimer window .

Press Scan button.


Please upload both logs in your reply.(FRST.txt and Addition.txt)

:note: FRST.txt and Addition.txt will be on the Desktop :note:

Upload a File
Click on the Go Advanced button under the Message box . Scroll down to Additional Options then click on Manage Attachments in the Attach Files sections . Click the Browse button locate the file then click on the Open button . In the Upload File from your Computer section click on the Upload button . Wait until it finishes uploading then close the window . Then click Submit Reply .

Files attached. downloaded the 64bit version

 

[keebsuk]

Krembo welcome to SevenForums
.....

Hi, and thank you for your answer.
I canceled the ESET's firewall , the Windows Firewall was already on.

I've noticed that the same IPs which were shown in those cache poisoning attack messages are the same ones shown under the DNS IPv4 tab inside the network connection status. I cant really tell what is it called in English because my whole system is in Hebrew, I saw that by click on the network small icon on the dashboard, then right click on the network im connected with, ->Status, then ->Details.., and then under the DNS Server of IPv4..

The scan seems to find nothing, except for those PPR weird windows files. all the other are just files meant to crack apps such as keygens , cracks etc.
-------------------------------------------------------------------------
Log:
Malwarebytes Anti-Malware 1.75.0.1300
Malwarebytes : Free anti-malware download

Database version: v2013.07.07.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16618
user :: USER-PC [administrator]

07/07/2013 14:53:10
mbam-log-2013-07-07 (14-53-10).txt

Scan type: Full scan (C:\|G:\|J:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 645388
Time elapsed: 1 hour(s), 29 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEXPLORE.EXE (Backdoor.PoisonIvy) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Windows\SysWOW64\28463 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463 (Keylogger.Ardamax) -> Quarantined and deleted successfully.

Files Detected: 39
C:\Users\user\Downloads\I_D_M_6.12.25.rar (PUP.Hacktool.Patcher) -> No action taken.
G:\Square Enix\Sleeping Dogs\buddha.dll (Malware.Gen.SKR) -> No action taken.
G:\osx\OS X Mountain Lion 10.8.2 VMware Image\VMware Unlocker - Hardware Virtualization Bypasser\vmware-vmx-patch.exe (RiskWare.Tool.CK) -> No action taken.
J:\תוכנות\Internet Download Manager\IDM 6.12.25\I_D_M_6.12.25.rar (PUP.Hacktool.Patcher) -> No action taken.
J:\תוכנות\Internet Download Manager\IDM 6.12.25\Patch\internet.download.manager.v6.08-patch.exe (PUP.Hacktool.Patcher) -> No action taken.
J:\תוכנות\Internet Download Manager\IDM 6.12.25\Patch\internet.download.manager.v6.08-patch.rar (PUP.Hacktool.Patcher) -> No action taken.
J:\תוכנות\Internet Download Manager\Internet Download Manager 6.05B8 by sexh\IDM B8 and crack - by sexh.rar (Trojan.Ardamax) -> No action taken.
J:\תוכנות\VMware.Workstation.v9.0.0.812388.Incl.Keymaker-ZWT\keygen.exe (Riskware.Tool.CK) -> No action taken.
C:\Program Files (x86)\Internet Download Manager\internet.download.manager.v6.08-patch.exe (PUP.Hacktool.Patcher) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Sony\Vegas Pro 11.0\keygen DI v2.0\Keygen.exe (RiskWare.Tool.HCK) -> Quarantined and deleted successfully.
C:\Users\user\Documents\RemoveWAT20\RemoveWAT.exe (HackTool.Wpakill) -> Quarantined and deleted successfully.
C:\Users\user\Documents\RemoveWAT20\RemoveWAT20\R-WAT.txt (HackTool.Wpakill) -> Quarantined and deleted successfully.
C:\Users\user\Documents\RemoveWAT20\RemoveWAT20\RemoveWAT.exe (HackTool.Wpakill) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\ESET PureFix v2.02.rar (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\IDM B8 and crack - by sexh.rar (Trojan.Ardamax) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\Vegas_Pro_2011.rar.crdownload (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\eset_nod32-5.rar (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\keygen.DI.v2.0..rar (RiskWare.Tool.HCK) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\rpc412_setup.exe (PAssword.Tool) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\הפריצה רשמית ולכל החיים בגירסא חדשה לנוד32 גירסא 5.rar (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\28463\PRTT.001 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\28463\PRTT.002 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\28463\PRTT.005 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\28463\PRTT.006 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\28463\PRTT.007 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.001 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.002 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.005 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.006 (PUP.ArdamaxKeyLogger) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.006 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.007 (Keylogger.Ardamax) -> Quarantined and deleted successfully.
C:\Windows\System32\28463\PRTT.007 (PUP.ArdamaxKeyLogger) -> Quarantined and deleted successfully.
G:\Documents\RemoveWAT20\RemoveWAT20\R-WAT.txt (HackTool.Wpakill) -> Quarantined and deleted successfully.
G:\Documents\RemoveWAT20\RemoveWAT20\RemoveWAT.exe (HackTool.Wpakill) -> Quarantined and deleted successfully.
G:\backup\Documents\RemoveWAT20\RemoveWAT20\R-WAT.txt (HackTool.Wpakill) -> Quarantined and deleted successfully.
G:\backup\Documents\RemoveWAT20\RemoveWAT20\RemoveWAT.exe (HackTool.Wpakill) -> Quarantined and deleted successfully.
J:\Portable תקין\Device Doctor 1.0\Data\Native\STUBEXE\@PROGRAMFILES@\Internet Explorer\iexplore.exe (Backdoor.PoisonIvy) -> Quarantined and deleted successfully.
J:\Portable תקין\Device Doctor 1.0\Data\Virtual\STUBEXE\@PROGRAMFILES@\Device Doctor\1.0.0.1\DeviceDoctor.exe (Backdoor.PoisonIvy) -> Quarantined and deleted successfully.
J:\System Volume Information\_restore{E942257D-7E83-485C-886F-EF5B12C3FA67}\RP103\A0023471.exe (Backdoor.PoisonIvy) -> Quarantined and deleted successfully.

(end)
---------------------------------------------------------

O M F G!!!:roflmao:

 

[cottonball]

Yep...they're just files meant to crack apps.
Incredible attitude.

 

[keebsuk]

I dread to think how his PC runs because so many of these "crack" files are piggy backed!

Andy