Solved DNS Cache Poisoning - Help please?

Discussion in 'Virus, Spyware and Malware Removal' started by Asch, Jul 16, 2012.


Thread Status:
Not open for further replies.
  1. Asch Bronze Member

    I don't know what the source is, but for over a month my internet connection has been messing up real bad. I have the ESET Smart Security 5 trial edition at the moment and it says "DNS cache poisoning attack". The IP that is attacking is "10.0.0.1:53". I am not a computer person, at all. I downloaded and did that RenewMyDNS thing. I am not sure if I had to, but here is the log:

    RenewMyDNS by DragonMaster Jay
    DNS Diagnostics and refresher
    Version 0.1.4 - November 2009

    Microsoft Windows [Version 6.0.6002]


    (((((((((((((((((((( Network and DNS Information ))))))))))))))))))))





    Windows IP Configuration

    Host Name . . . . . . . . . . . . : Colonel-Laptop
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
    Physical Address. . . . . . . . . : 00-1C-23-AF-41-69
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Wireless Network Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Dell Wireless 1390 WLAN Mini-Card
    Physical Address. . . . . . . . . : 00-1E-4C-05-8E-8D
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::64fa:766c:cd2d:e263%8(Preferred)
    IPv4 Address. . . . . . . . . . . : 10.0.0.3(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Monday, July 16, 2012 3:01:12 PM
    Lease Expires . . . . . . . . . . : Tuesday, July 17, 2012 4:35:36 PM
    Default Gateway . . . . . . . . . : 10.0.0.1
    DHCP Server . . . . . . . . . . . : 10.0.0.1
    DHCPv6 IAID . . . . . . . . . . . : 151002700
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0F-19-B8-A3-00-1C-23-AF-41-69
    DNS Servers . . . . . . . . . . . : 10.0.0.1
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 6:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 7:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : 6TO4 Adapter
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 9:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 02-00-54-55-4E-01
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 10:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : isatap.{9E89B102-30E6-4BFA-85D6-EF1665F3CE94}
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    (((((((((((((((((((( DNS-Fake Request Testing and Flush ))))))))))))))))))))

    ... Requests made were successful

    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.


    (((((((((((((((((((( Speed-test - Ping ))))))))))))))))))))


    Pinging yahoo.com [98.139.183.24] with 32 bytes of data:

    Reply from 98.139.183.24: bytes=32 time=288ms TTL=46

    Request timed out.

    Request timed out.

    Reply from 98.139.183.24: bytes=32 time=235ms TTL=47



    Ping statistics for 98.139.183.24:

    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 235ms, Maximum = 288ms, Average = 261ms



    Pinging geekpolice.net [64.202.189.170] with 32 bytes of data:

    Reply from 64.202.189.170: bytes=32 time=98ms TTL=117

    Reply from 64.202.189.170: bytes=32 time=847ms TTL=117

    Reply from 64.202.189.170: bytes=32 time=248ms TTL=117

    Request timed out.



    Ping statistics for 64.202.189.170:

    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 98ms, Maximum = 847ms, Average = 397ms



    Pinging facebook.com [69.171.229.11] with 32 bytes of data:

    Reply from 69.171.229.11: bytes=32 time=260ms TTL=234

    Reply from 69.171.229.11: bytes=32 time=383ms TTL=234

    Request timed out.

    Request timed out.



    Ping statistics for 69.171.229.11:

    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 260ms, Maximum = 383ms, Average = 321ms

    Ping request could not find host microsoft.com. Please check the name and try again.


    ********************
    EOF

    Can someone please assist me?
  2. samuria Network Specialist

    Welcome to the forum. The IP that is attacking, "10.0.0.1:53", is on your own network; it's not coming from the internet.

    Two things: change your DNS to 208.67.220.220 & 208.67.222.222.

    Then let's check if you have any infections. If you look below in my signature there is a link to our prework; if you can do that and post the logs, our security team will check and help you remove any malware.
  3. Asch Bronze Member

    Thank you for the welcome. How do I change my DNS to those two numbers? Alright, I shall do the Network test.
  5. samuria Network Specialist

  6. Asch Bronze Member

    Here is the log from the prework:


    Windows IP Configuration

    Host Name . . . . . . . . . . . . : Colonel-Laptop
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
    Physical Address. . . . . . . . . : 00-1C-23-AF-41-69
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Wireless Network Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Dell Wireless 1390 WLAN Mini-Card
    Physical Address. . . . . . . . . : 00-1E-4C-05-8E-8D
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::64fa:766c:cd2d:e263%8(Preferred)
    IPv4 Address. . . . . . . . . . . : 10.0.0.3(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Monday, July 16, 2012 6:56:34 PM
    Lease Expires . . . . . . . . . . : Tuesday, July 17, 2012 6:56:34 PM
    Default Gateway . . . . . . . . . : 10.0.0.1
    DHCP Server . . . . . . . . . . . : 10.0.0.1
    DHCPv6 IAID . . . . . . . . . . . : 151002700
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0F-19-B8-A3-00-1C-23-AF-41-69
    DNS Servers . . . . . . . . . . . : 10.0.0.1
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 6:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 7:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : 6TO4 Adapter
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 9:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 02-00-54-55-4E-01
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 10:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : isatap.{9E89B102-30E6-4BFA-85D6-EF1665F3CE94}
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes


    Pinging 194.119.131.66 with 32 bytes of data:

    Reply from 194.119.131.66: bytes=32 time=126ms TTL=46

    Reply from 194.119.131.66: bytes=32 time=127ms TTL=46

    Reply from 194.119.131.66: bytes=32 time=136ms TTL=46

    Reply from 194.119.131.66: bytes=32 time=127ms TTL=46



    Ping statistics for 194.119.131.66:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 126ms, Maximum = 136ms, Average = 129ms



    Pinging plus.net [212.159.8.2] with 32 bytes of data:

    Request timed out.

    Reply from 212.159.8.2: bytes=32 time=161ms TTL=238

    Reply from 212.159.8.2: bytes=32 time=137ms TTL=238

    Reply from 212.159.8.2: bytes=32 time=139ms TTL=238



    Ping statistics for 212.159.8.2:

    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 137ms, Maximum = 161ms, Average = 145ms



    Tracing route to cns1.uk.vianw.net [194.119.131.66]

    over a maximum of 30 hops:



    1 * <1 ms 2 ms 10.0.0.1

    2 11 ms * * my.firewall [192.168.69.1]

    3 21 ms 21 ms 42 ms 10.53.128.1

    4 38 ms 29 ms * ten0-0-0-7.orld35-ser2.bhn.net [72.31.195.96]

    5 45 ms 25 ms * ten0-9-0-5.orld71-car2.bhn.net [97.69.193.46]

    6 31 ms 32 ms 41 ms hun0-7-0-0.orld71-cbr3.bhn.net [72.31.193.24]

    7 34 ms 31 ms 34 ms ae-3-10.cr1.atl20.tbone.rr.com [66.109.6.104]

    8 37 ms 45 ms 39 ms 107.14.19.36

    9 48 ms 33 ms 39 ms ae-1-0.pr0.atl20.tbone.rr.com [66.109.6.177]

    10 38 ms * 49 ms TenGigabitEthernet9-2.ar1.ATL2.gblx.net [64.212.108.69]

    11 124 ms 117 ms 121 ms 204.245.36.118

    12 134 ms 120 ms 120 ms ten1-0-0-t6-cr1.router.uk.clara.net [195.8.86.205]

    13 119 ms 119 ms 117 ms g5-1-t6-ar12.router.uk.clara.net [195.157.0.241]

    14 134 ms 133 ms 135 ms cns1.uk.vianw.net [194.119.131.66]



    Trace complete.

    These Windows services are started:

    Adobe Acrobat Update Service
    Apple Mobile Device
    Application Experience
    Ati External Event Utility
    Background Intelligent Transfer Service
    Base Filtering Engine
    Bonjour Service
    CNG Key Isolation
    COM+ Event System
    Computer Browser
    Cryptographic Services
    DCOM Server Process Launcher
    Dell Wireless WLAN Tray Service
    Desktop Window Manager Session Manager
    DHCP Client
    Diagnostic Policy Service
    Diagnostic Service Host
    Diagnostic System Host
    Distributed Link Tracking Client
    DNS Client
    ESET Service
    Extensible Authentication Protocol
    Function Discovery Resource Publication
    Group Policy Client
    HP CUE DeviceDiscovery Service
    hpqcxs08
    IKE and AuthIP IPsec Keying Modules
    IP Helper
    iPod Service
    IPsec Policy Agent
    KtmRm for Distributed Transaction Coordinator
    Multimedia Class Scheduler
    Net Driver HPZ12
    Network Connections
    Network List Service
    Network Location Awareness
    Network Store Interface Service
    Plug and Play
    Pml Driver HPZ12
    Portable Device Enumerator Service
    Print Spooler
    Program Compatibility Assistant Service
    ReadyBoost
    Remote Access Connection Manager
    Remote Procedure Call (RPC)
    Roxio Hard Drive Watcher 9
    RoxMediaDB9
    SeaPort
    Secondary Logon
    Secure Socket Tunneling Protocol Service
    Security Accounts Manager
    Security Center
    Server
    Shell Hardware Detection
    SigmaTel Audio Service
    Skype C2C Service
    Software Licensing
    SSDP Discovery
    Superfetch
    System Event Notification Service
    Tablet PC Input Service
    Task Scheduler
    TCP/IP NetBIOS Helper
    TeamViewer 3
    Telephony
    Terminal Services
    Themes
    UPnP Device Host
    User Profile Service
    WebClient
    Windows Audio
    Windows Audio Endpoint Builder
    Windows Defender
    Windows Driver Foundation - User-mode Driver Framework
    Windows Error Reporting Service
    Windows Event Log
    Windows Firewall
    Windows Font Cache Service
    Windows Image Acquisition (WIA)
    Windows Live ID Sign-in Assistant
    Windows Management Instrumentation
    Windows Media Player Network Sharing Service
    Windows Search
    Windows Time
    Windows Update
    WinHTTP Web Proxy Auto-Discovery Service
    WLAN AutoConfig
    Workstation
    XAudioService

    The command completed successfully.


    Microsoft Windows [Version 6.0.6002]

    MTU MediaSenseState Bytes In Bytes Out Interface
    ------ --------------- --------- --------- -------------
    4294967295 1 0 474437 Loopback Pseudo-Interface 1
    1500 1 2190752 770398 Wireless Network Connection
    1500 5 0 0 Local Area Connection

    ===========================================================================
    Interface List
    12 ...00 1c 23 af 41 69 ...... Broadcom 440x 10/100 Integrated Controller
    8 ...00 1e 4c 05 8e 8d ...... Dell Wireless 1390 WLAN Mini-Card
    1 ........................... Software Loopback Interface 1
    15 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    13 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
    9 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
    14 ...00 00 00 00 00 00 00 e0 isatap.{9E89B102-30E6-4BFA-85D6-EF1665F3CE94}
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.3 30
    10.0.0.0 255.255.255.0 On-link 10.0.0.3 286
    10.0.0.3 255.255.255.255 On-link 10.0.0.3 286
    10.0.0.255 255.255.255.255 On-link 10.0.0.3 286
    127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
    127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
    127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
    224.0.0.0 240.0.0.0 On-link 10.0.0.3 286
    255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    255.255.255.255 255.255.255.255 On-link 10.0.0.3 286
    ===========================================================================
    Persistent Routes:
    None

    IPv6 Route Table
    ===========================================================================
    Active Routes:
    If Metric Network Destination Gateway
    1 306 ::1/128 On-link
    8 286 fe80::/64 On-link
    8 286 fe80::64fa:766c:cd2d:e263/128
    On-link
    1 306 ff00::/8 On-link
    8 286 ff00::/8 On-link
    ===========================================================================
    Persistent Routes:
    None

    Local Area Connection:
    Node IpAddress: [0.0.0.0] Scope Id: []



    No Connections


    Wireless Network Connection:
    Node IpAddress: [10.0.0.3] Scope Id: []



    NetBIOS Connection Table



    Local Name State In/Out Remote Host Input Output

    ----------------------------------------------------------------------------

    COLONEL-LAPTOP <00> Connecting


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Windows Defender REG_EXPAND_SZ %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    PCMService REG_SZ "C:\Program Files\Dell\MediaDirect\PCMService.exe"
    Broadcom Wireless Manager UI REG_SZ C:\Windows\system32\WLTRAY.exe
    Apoint REG_SZ C:\Program Files\DellTPad\Apoint.exe
    ISUSPM Startup REG_SZ C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    ISUSScheduler REG_SZ "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    (Default) REG_SZ
    RoxWatchTray REG_SZ "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    TrialReset REG_SZ C:\Windows\regx32.exe
    ssrolksys REG_SZ rundll32.exe "effggd.dll",DllRegisterServer
    AppleSyncNotifier REG_SZ C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    BCSSync REG_SZ "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    HP Software Update REG_SZ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    Adobe ARM REG_SZ "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    SunJavaUpdateSched REG_SZ "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    APSDaemon REG_SZ "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    iTunesHelper REG_SZ "C:\Program Files\iTunes\iTunesHelper.exe"
    QuickTime Task REG_SZ "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    SigmatelSysTrayApp REG_SZ sttray.exe
    egui REG_SZ "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice



    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sidebar REG_SZ C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    StartCCC REG_SZ C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    (Default) REG_SZ
    MsnMsgr REG_SZ "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    ISUSPM REG_SZ "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    ehTray.exe REG_SZ C:\Windows\ehome\ehTray.exe
    nodenable REG_SZ C:\Program Files\eset\nodenable.exe /s
    Google Update REG_SZ "C:\Users\Colonel Stinkmeaner\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    fcbyvvsys REG_SZ rundll32.exe "effggd.dll",DllRegisterServer
    MobileDocuments REG_SZ C:\Program Files\Common Files\Apple\Internet Services\ubd.exe



    Microsoft Windows [Version 6.0.6002]
  7. Belahzur Freedom Fighter

    There is definitely an infection there.

    Please run through the Prework; link below.
  8. Asch Bronze Member

    I have uploaded two files. The OTL and the extras.

    Shall I still change my DNS?

  9. Belahzur Freedom Fighter

    Hello.
    Nah, don't bother with that, it won't help much. The incoming IP is likely another bot with the same infection attempting to send instructions to yours.

    Please run OTL.exe.
    • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :OTL
      O2 - BHO: (Reg Error: Value error.) - {7C109800-A5D5-438F-9640-18D17E168B88} - Reg Error: Value error. File not found
      O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - Reg Error: Value error. File not found
      O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - Reg Error: Value error. File not found
      O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (Internet Service) - {51D81DD5-55B7-497F-95DB-D356429BB54E} - Reg Error: Value error. File not found
      O3 - HKCU\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - Reg Error: Value error. File not found
      O4 - HKLM..\Run: []  File not found
      O4 - HKLM..\Run: [ssrolksys] rundll32.exe "effggd.dll",DllRegisterServer File not found
      O4 - HKLM..\Run: [TrialReset] C:\Windows\regx32.exe File not found
      O4 - HKCU..\Run: []  File not found
      O4 - HKCU..\Run: [fcbyvvsys] rundll32.exe "effggd.dll",DllRegisterServer File not found
      
    • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
    • Click the red Run Fix button.
    • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTL.exe
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  10. Asch Bronze Member

    Contents of the Fix log:

    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C109800-A5D5-438F-9640-18D17E168B88}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D425283-D487-4337-BAB6-AB8354A81457}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{9D425283-D487-4337-BAB6-AB8354A81457} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{51D81DD5-55B7-497F-95DB-D356429BB54E} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51D81DD5-55B7-497F-95DB-D356429BB54E}\ deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{9D425283-D487-4337-BAB6-AB8354A81457} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ssrolksys deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\TrialReset deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\fcbyvvsys deleted successfully.

    OTL by OldTimer - Version 3.2.54.0 log created on 07162012_194618
  11. Belahzur Freedom Fighter

    Please download and run this tool.

    Download Malwarebytes' Anti-Malware from Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
    Click OK to either and let MBAM proceed with the disinfection process.
    If asked to restart the computer, please do so immediately.


    Post the contents of the MBAM Log.
  12. Asch Bronze Member

    Malwarebytes Anti-Malware (Trial) 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.07.16.12

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Colonel Stinkmeaner :: COLONEL-LAPTOP [administrator]

    Protection: Enabled

    7/16/2012 8:39:51 PM
    mbam-log-2012-07-16 (20-39-51).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 228876
    Time elapsed: 16 minute(s), 46 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 5
    HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302} (Search.Hijacker) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034A523-D068-4BE8-A284-9DF278BE776E} (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E} (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKCR\videoPl.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Service (Trojan.Zlob) -> Quarantined and deleted successfully.

    Registry Values Detected: 3
    HKCU\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow|*.securewebinfo.com (Trojan.Zlob) -> Data: -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow|*.safetyincludes.com (Trojan.Zlob) -> Data: -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow|*.securemanaging.com (Trojan.Zlob) -> Data: -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Users\Colonel Stinkmeaner\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.

    (end)
  13. Asch Bronze Member

    This will resolve the DNS cache poisoning, or whatever attacked my DNS? Or is there more?

    ESET is still saying "detected DNS cache poisoning attack"

    7/16/2012:

    Source - 10.0.0.1:53

    Target - 10.0.0.3:59606

    The list goes on in the log files of ESET; the source remains the same but the target is different in every report.

    I.E - 10.0.0.3:54028
    10.0.0.3:55917
    10.0.0.3:59606
    10.0.0.3:52581

    What exactly are these IPs? I am so confused and am no computer person, haha.

    There are a bunch more, too.
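The question above (what the source 10.0.0.1:53 and the changing 10.0.0.3:5xxxx targets are) and samuria's earlier reply (the source is on your own network) come down to one check: comparing the addresses in each alert with the host's own ipconfig output. The following is an added example, not code from the thread, from ESET or from any of the tools used in it. It parses the ipconfig fields the laptop posted, parses alert lines written in the "Source - / Target -" shape Asch quoted, and labels each alert by whether the source is the configured DNS server on the local subnet (so the flagged packets are DNS replies to the laptop's own query sockets), another host on the LAN, or an address outside the LAN. The sample alert lines and the off-LAN address 203.0.113.9 are constructed for the example; the field names and the 49152 ephemeral-port floor are assumptions about Windows Vista-era output.

```python
"""Triage "DNS cache poisoning attack" alerts against the host's own network config.

Added example for the thread; not code from ESET, RenewMyDNS or the forum's prework.
Sample inputs are constructed from values posted in the thread plus one made-up
off-LAN address (203.0.113.9, a documentation range) for contrast.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed from the ipconfig /all output posted above (values copied verbatim).
IPCONFIG = """\
   IPv4 Address. . . . . . . . . . . : 10.0.0.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.1
"""

# Constructed alert lines in the "Source - ip:port Target - ip:port" shape quoted
# in the thread; the third line is hypothetical and not from the real log.
ALERTS = [
    "7/16/2012: Source - 10.0.0.1:53 Target - 10.0.0.3:59606",
    "7/16/2012: Source - 10.0.0.1:53 Target - 10.0.0.3:54028",
    "7/16/2012: Source - 203.0.113.9:53 Target - 10.0.0.3:55917",
]

# Assumption: Vista/7 default dynamic (ephemeral) client port range starts here.
EPHEMERAL_MIN = 49152

# "Label . . . . : value" lines; the dotted leader is swallowed by [ .]*
_FIELD = re.compile(r"^\s*(?P<key>[A-Za-z0-9 -]+?)[ .]*:\s*(?P<val>.*)$")
_ALERT = re.compile(
    r"Source - (?P<sip>[\d.]+):(?P<sport>\d+)\s+Target - (?P<dip>[\d.]+):(?P<dport>\d+)"
)


def parse_ipconfig(text: str) -> Dict[str, object]:
    """Extract address, mask, gateway and DNS servers from ipconfig /all text.

    Only the first DNS server is captured; Windows prints extra servers on
    continuation lines without a label, which this parser does not handle.
    """
    cfg: Dict[str, object] = {"dns": []}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key = m.group("key").strip().lower()
        val = re.sub(r"\(.*?\)", "", m.group("val")).strip()  # drop "(Preferred)"
        if key == "ipv4 address":
            cfg["ip"] = val
        elif key == "subnet mask":
            cfg["mask"] = val
        elif key == "default gateway":
            cfg["gateway"] = val
        elif key == "dns servers":
            cfg["dns"].append(val)  # type: ignore[union-attr]
    cfg["subnet"] = ipaddress.ip_network(f"{cfg['ip']}/{cfg['mask']}", strict=False)
    return cfg


def parse_alert(line: str) -> Tuple[str, int, str, int]:
    """Return (source_ip, source_port, target_ip, target_port) from an alert line."""
    m = _ALERT.search(line)
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    return m["sip"], int(m["sport"]), m["dip"], int(m["dport"])


def classify(line: str, cfg: Dict[str, object]) -> str:
    """Label one alert relative to the host's own configuration."""
    sip, sport, dip, dport = parse_alert(line)
    if sport != 53:
        return "not-dns"  # source is not a DNS responder at all
    if dip != cfg["ip"] or dport < EPHEMERAL_MIN:
        return "unexpected-target"  # not aimed at this host's own query sockets
    if sip in cfg["dns"]:  # type: ignore[operator]
        return "configured-resolver"  # replies from the resolver DHCP handed out
    if ipaddress.ip_address(sip) in cfg["subnet"]:  # type: ignore[operator]
        return "other-lan-host"  # a LAN peer answering DNS, which deserves a look
    return "off-lan-source"  # DNS replies from outside the subnet


def summarize(alerts: List[str], cfg: Dict[str, object]) -> Dict[str, int]:
    """Count alerts per label so a long ESET log can be read at a glance."""
    counts: Dict[str, int] = {}
    for line in alerts:
        label = classify(line, cfg)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    config = parse_ipconfig(IPCONFIG)
    print(f"host {config['ip']} on {config['subnet']}, resolver(s) {config['dns']}")
    for alert in ALERTS:
        print(f"{classify(alert, config):20s} {alert}")
    print(summarize(ALERTS, config))
```

Run against the thread's own values, the two real alerts come back as "configured-resolver": the source is the DHCP-assigned DNS server on the laptop's /24 and each target is one of the laptop's ephemeral query ports, which is what a normal DNS reply to the laptop looks like from the outside. The label says nothing about whether the reply's content was legitimate; that is the part the helpers chase with the malware scans.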
  14. Belahzur Freedom Fighter

    Hello.

    Please download ComboFix from BleepingComputer.com

    Alternate link: GeeksToGo.com


    Rename ComboFix.exe to commy.exe before you save it to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
    • Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
    • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
  15. Asch Bronze Member

    It didn't work when I tried to input that command into the search box. Should I just run ComboFix?
  16. Asch Bronze Member

    Here is the content from the ComboFix log.
