Hi,

My DNS cache is being poisoned, and every time I flush the resolver cache the list comes back.

I recently downloaded a rogue program called Error Fix, as it had a "McAfee SECURED" sign in McAfee's SiteAdvisor, so I thought it was safe.

I removed Error Fix using Malwarebytes' Anti-Malware after that.

Also, my cousin recently came to my house and surfed porn sites while I was out (before Error Fix was installed).

Here's the link to my previous forum post:

http://forums.malwarebytes.org/index.php?showtopic=83284

Here is the list of suspected malicious websites in my DNS Cache:

I have also attached the following logs - ARK & Attach.

(More Information Below)

When I try to run GMER in Normal Mode or Safe Mode, the Blue Screen Of Death (BSOD) appears, so I couldn't run it.

I was able to complete the DDS scan even though the following message popped up:

I had to keep closing the window because it popped up every few seconds.

I'm using Windows Vista Home Basic just for your information.

Here's the message that popped up.

====================================================================================================================

Windows cannot open this file:

File: PEV.DAT

To open this file, Windows needs to know what program you want to use to open it. Windows can go online to look it up

automatically, or you can manually select from a list of programs that are installed on your computer.

What do you want to do?

( . ) Use the web service to find the correct program

( ) Select a program from a list of installed programs

====================================================================================================================

I have the Malwarebytes' Anti-Malware and DDS reports only. The Trend Micro HiJackThis log is not needed, but since I have problems running GMER, I used it in place of GMER and to give more information on the problem.

Here are the logs:

======================

MBAM

======================

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6360

Windows 6.0.6002 Service Pack 2

Internet Explorer 9.0.8112.16421

27/4/2011 6:00:28 PM

mbam-log-2011-04-27 (18-00-27).txt

Scan type: Quick scan

Objects scanned: 125317

Time elapsed: 12 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

================

DDS (2 of them)

================

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by User at 22:24:00.96 on Sun 01/05/2011

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_20

Microsoft


  • Staff

Hi and welcome to Malwarebytes.

Are you connected through a router currently?

I see you have IOBit software installed; have you seen this?

http://forums.malwarebytes.org/index.php?showtopic=29681

I notice that you are using more than one antivirus program (AVG and avast). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

With that said, please update MBAM, run a Quick Scan, and post its log.

Next, run DDS again and post only DDS.txt in your reply. Please do not put your text in bold.


Hi,

I am using a dial-up modem called Mobile Broadband Modem from Huawei. It is a wireless modem that you plug in like a USB device.

And I have used Hotspot Shield from AnchorFree for quite a period of time. Hotspot Shield is VPN software that changes your IP address location to the US. I use it to play US games that are not supported in my country. Whenever I use it, it changes my IP address.

Hotspot Shield has been downloaded over 5 million times and you can find it at

http://download.cnet.com/Hotspot-Shield/

I have uninstalled AVG, and I would like to know if IObit Security 360 Pro is related to the DNS cache poisoning, because that is the only updated malware program I have.

Here are the logs, and hope you can solve my problem.

MBAM

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6517

Windows 6.0.6002 Service Pack 2

Internet Explorer 9.0.8112.16421

6/5/2011 11:51:02 AM

mbam-log-2011-05-06 (11-51-02).txt

Scan type: Quick scan

Objects scanned: 157799

Time elapsed: 8 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS.txt

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Acc at 11:56:13.73 on Fri 06/05/2011

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_20

Microsoft


Hi, the scan is done.

I have disabled ZoneAlarm Firewall by right-clicking the tray icon and selecting "Shutdown ZoneAlarm Pro" but the Security Center says that ZoneAlarm Firewall is still turned on.

Also, there are some files in the ComboFix Quarantine (C:\Qoobox), I will post them below.

I have highlighted some of the words for easier reading.

Here are the logs -

ComboFix

ComboFix 11-05-08.04 - user 09/05/2011 18:04:24.1.2 - x86

Microsoft


Hi,

I have uninstalled IObit Security 360 and have flushed my DNS resolver cache, but the problem still persists.

I have also run a flash scan and full scan using MBAM and they found nothing.

I also got this alert from Malwarebytes' Anti-Malware while watching videos on YouTube, even though I was on trusted sites like Facebook and YouTube -

Blocked access to (222.186.43.145) 2 times.

Blocked access to (60.173.12.88) 1 time; and

Blocked access to (60.173.10.28) 1 time. (While I was doing a Google search)

Here's the description -

Malwarebytes' Anti-Malware

Successfully blocked access to a potentially malicious website: 222.186.43.145

Type: incoming

Port: 1433

Process: svchost.exe

Malwarebytes' Anti-Malware

Successfully blocked access to a potentially malicious website: 60.173.12.88

Type: incoming

Port: 9415

Process: svchost.exe

And while I was doing a Google Search, this came out.

Malwarebytes' Anti-Malware

Successfully blocked access to a potentially malicious website: 60.173.10.28

Type: incoming

Port: 9415

Process: svchost.exe

And a website blocked by avast! before the 3 blocked by MBAM -

EXPLOIT BLOCKED

avast! Network Shield has blocked a harmful site.

Object: 113.39.7.90:135/tcp

Infection: DCOM Exploit

Action: Blocked

And I am using Malwarebytes' PRO Version.

I think the following IP addresses are related to my case.

Can you check the address of the following IP addresses?

It could be an internet IP address or a website address.

And the last time I ran ComboFix, it created a folder in C:\Qoobox. I think that's the place where the quarantine files are stored, and inside the Quarantine folder there are several files. Here's the log in C:\Qoobox -

2011-05-09 10:25:29 . 2011-05-09 10:25:29 478 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SharedTaskScheduler-{1984D045-52CF-49cd-DB77-08F378FEA4DB}.reg.dat

2011-05-09 10:14:56 . 2011-05-09 10:14:56 5,149 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2011-05-09 09:37:04 . 2011-05-09 10:04:23 133 ----a-w- C:\Qoobox\Quarantine\catchme.log

2011-02-28 10:55:30 . 2011-02-28 10:55:30 694 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\System32\KBL.LOG.vir

ComboFix did not ask for any action whether to delete them or restore.

Just wonder whether it is a virus or something.

Also, can you read this -

http://news.cnet.com/8301-1009_3-9998625-83.html

Is this a DNS Cache Poisoning Test? And is it reliable? There are 2 website to test whether your DNS system is vulnerable.

I have run the test at the DNS Operations, Analysis, and Research Center and it found nothing, but my problem is not solved. However, I can't find the test on Dan Kaminsky's website. Dan Kaminsky was the person who discovered DNS cache poisoning.

And this -

http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx

They said it was included in Windows Update, but I did not receive it.

I found this on the internet -

http://www.ehow.com/how_6301824_fix-dns-cache-windows-vista.html

The steps are -

1. Open "Start" and type "cmd" in the "Search" box.

2. Press "Enter" to display a DOS prompt.

3. Type "ipconfig /release" and press "Enter," flushing your DNS cache information.

4. Type "ipconfig /renew" and press "Enter," reconfiguring the cache.

But I get the following Errors (3 of them)

No operation can be performed on Local Area Connection* 15 while it has its media disconnected.

No operation can be performed on Wireless Network Connection while it has its media disconnected.

No operation can be performed on Local Area Connection while it has its media disconnected.

And there's one thing that I find weird.

I ran two full scans, the first one Scanned 315550 objects and the second Scanned 275220 Objects.

I ran as admin for the first one, and normal for the second one, but whether you run it as admin or not, I think it's still the same.

MBAM Flash Scan

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6565

Windows 6.0.6002 Service Pack 2

Internet Explorer 9.0.8112.16421

13/5/2011 4:40:36 PM

mbam-log-2011-05-13 (16-40-36).txt

Scan type: Flash scan

Objects scanned: 79465

Time elapsed: 1 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

MBAM Full Scan (Before)

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6565

Windows 6.0.6002 Service Pack 2

Internet Explorer 9.0.8112.16421

13/5/2011 12:53:06 PM

mbam-log-2011-05-13 (12-53-06).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 315550

Time elapsed: 2 hour(s), 13 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

MBAM Full Scan (After)

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6565

Windows 6.0.6002 Service Pack 2

Internet Explorer 9.0.8112.16421

13/5/2011 6:41:34 PM

mbam-log-2011-05-13 (18-41-33).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 275220

Time elapsed: 2 hour(s), 0 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

- randomperson456


  • Staff

Hi,

2011-05-09 10:25:29 . 2011-05-09 10:25:29 478 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SharedTaskScheduler-{1984D045-52CF-49cd-DB77-08F378FEA4DB}.reg.dat

2011-05-09 10:14:56 . 2011-05-09 10:14:56 5,149 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2011-05-09 09:37:04 . 2011-05-09 10:04:23 133 ----a-w- C:\Qoobox\Quarantine\catchme.log

2011-02-28 10:55:30 . 2011-02-28 10:55:30 694 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\System32\KBL.LOG.vir

Don't worry about these for now.

Right-click My Computer, click Properties --> Device Manager.

For your network card, right-click it and select Properties. Take a screenshot of the Advanced tab and post it here.

In addition, check to see if there are any firmware updates available for your modem.


Hi, it's done.

All of them are updated including the ports.

I use Huawei Mobile Connect to connect to the Internet; it is listed under Ports (COM & LPT).

However, there is no advanced tab in HUAWEI Mobile Connect.

I think I only use the ports to access the internet.

Here are the screenshots -

Atheros AR5007 802.11b/g WiFi Adapter

1.jpg

Realtek RTL8139/810x Family Fast Ethernet NIC

2.jpg

- randomperson456


Hi, I have done what you asked me to do and the problem still persists.

I went to Start -> Run and typed "netsh winsock reset"

4.jpg

And when it's done, this message popped out and closed after 3 seconds.

After that, I restarted the computer.

5.jpg

The problem is that when I flush the DNS resolver cache and type ipconfig /displaydns, the list returns to the state before it was flushed, or the entries are newly accessed again. I also tried ipconfig /release but it doesn't help.

I have included an animated GIF image of my DNS cache, attached at the end of this post.

You can check what's inside my dns resolver cache -

I also typed netsh winsock reset in a Command Prompt with administrator rights, and I was also able to reset, but that doesn't help.

3.jpg

- randomperson456

Animated GIF Image of DNS Resolver Cache

post-78746-0-61161900-1306063950.gif


Hi, some of the websites in the HOSTS file were added by me, some were added by Spybot when it was installed, and some were copied from the MVPS Hosts File by WinHelp2002 directly from the website.

Information about DNS Cache Poisoning

en.wikipedia.org/wiki/DNS_cache_poisoning

(Read to understand more)

I'm not sure whether my DNS Cache is poisoned, but I've not been redirected to another site when I visit www.paypal.com

I'm not sure about other online banking websites. Some people said that if you're being redirected when visiting an online banking website, your DNS cache is poisoned.

I suspected that my DNS cache is poisoned because there are still websites in the cache even when I flush the DNS cache and none of the Internet Explorer windows are open.

I think it is the best way for you to check everything in my hosts file, I have attached it below.

- randomperson456

HOSTS File

Hosts.txt


  • Staff

Hi,

Essentially:

Your DNS cache is not poisoned.

Look at the movie of you scrolling through your cmd.exe; all of those entries point to 127.0.0.1. The same entries are in your HOSTS file. Your DNS cache isn't poisoned; instead, you're being protected.

That's why you aren't being redirected; you're neither infected nor poisoned.
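
The check described in the reply above, as an added example that is not part of the thread or of any Malwarebytes tool: a Python script that parses `ipconfig /displaydns` output and the HOSTS file, then labels each cached entry as a HOSTS-backed block, a HOSTS-pinned address, a normal resolver answer, or a mismatch worth looking at. The sample inputs are constructed for the example; www.klitepro.com is one of the names from the first post's list, and the resolver address for www.example.com is made up.

```python
"""Classify Windows DNS resolver-cache entries against the HOSTS file.
Entries resolving to 127.0.0.1 that also appear in HOSTS are block-list
entries preloaded into the cache, not poisoning. Sample data is constructed."""
import re

# Constructed sample of `ipconfig /displaydns` output (two A records).
SAMPLE_DISPLAYDNS = """\
    www.klitepro.com
    ----------------------------------------
    Record Name . . . . . : www.klitepro.com
    A (Host) Record . . . : 127.0.0.1

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    A (Host) Record . . . : 93.184.216.34
"""

# Constructed sample HOSTS file (layout of %SystemRoot%\System32\drivers\etc\hosts).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.klitepro.com   # block-list entry, e.g. from the MVPS list
"""

RECORD_RE = re.compile(r"Record Name[ .]*:\s*(\S+)")
A_RE = re.compile(r"A \(Host\) Record[ .]*:\s*(\S+)")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Map each hostname on an active HOSTS line to its address (lower-cased)."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if line:
            ip, *names = line.split()
            for name in names:
                mapping[name.lower()] = ip
    return mapping


def parse_displaydns(text):
    """Return (name, address) pairs for the A records in displaydns output."""
    records, name = [], None
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if m:
            name = m.group(1).lower()
            continue
        m = A_RE.search(line)
        if m and name:
            records.append((name, m.group(1)))
    return records


def classify(cache, hosts):
    """Label each cached entry by where its address came from."""
    labels = {}
    for name, ip in cache:
        expected = hosts.get(name)
        if expected is None:
            labels[name] = "resolver"        # answered by the upstream DNS server
        elif expected == ip:
            labels[name] = "hosts-block" if ip in LOOPBACK else "hosts-pinned"
        else:
            labels[name] = "hosts-mismatch"  # HOSTS and cache disagree: check both
    return labels
```

Run it against a real `ipconfig /displaydns > cache.txt` capture and your own HOSTS file; only entries labelled "resolver" or "hosts-mismatch" need a second look.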


Hi, thanks for telling me and sorry for all the trouble. :mellow:

I have 2 more questions -

1. There may be some registry keys added by Error Fix; will they harm my computer if it isn't infected?

2. What should I do with the quarantined files in C:\Qoobox?

ComboFix Quarantined Files Log

(C:\Qoobox)

2011-05-09 10:25:29 . 2011-05-09 10:25:29 478 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SharedTaskScheduler-{1984D045-52CF-49cd-DB77-08F378FEA4DB}.reg.dat

2011-05-09 10:14:56 . 2011-05-09 10:14:56 5,149 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2011-05-09 09:37:04 . 2011-05-09 10:04:23 133 ----a-w- C:\Qoobox\Quarantine\catchme.log

2011-02-28 10:55:30 . 2011-02-28 10:55:30 694 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\System32\KBL.LOG.vir


  • Staff

Hi,

1. There may be some registry keys added by Error Fix; will they harm my computer if it isn't infected?

Which Keys are you referring to?

For ComboFix:

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Restart your computer.


Hi,

Which Keys are you referring to?

Error Fix added some of the registry keys for the program to work. Will my computer be infected even when the registry keys added by Error Fix are not infected?

For ComboFix:

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Will it remove the threats in the Quarantine?

- randomperson456


  • Staff

Hi,

Orphaned Registry Keys can't really do any harm (unless they're in an essential part of Windows, though this is not the case here).

It's likely that the Error Fix Keys have already been removed by MBAM or another program.

Yes, the uninstall command will remove everything in ComboFix's quarantine.


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
