DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]

[OliPicard]

Hi Avasters!,

I recently switched ISPs. Before now ive had little or no DoS or port scans but since switching to a new host ive had over 100 attacks, From all over the place.

My ISP when confronted with these logs told me its my equipment causing the problems. These attacks have been brought the modem down since joining this ISP ive switched IPs multiple times around 30-40 times with only a couple of the ips showing a few DoS attacks.

Code: [Select]

173.236.193.163:80 x2 (Dreamhost)
199.59.163.68:80 x30 (this ones been attacking over a couple of days on different IPs)
81.94.200.139:25565 x1
69.171.235.16:443 x20
213.199.179.144:40044 x1
78.141.179.18:12350 x2

Hopefully someone will know why this is happening. I have ran an MBAM recently with no negative results.
If anyone can help me figure this out that would be wonderful!
Thanks
Oliver

[OliPicard]

Running some background checks on the IP in Lux seems to show that the range is being misused. (ending in .18)

[Pondus]

you can have a malware check ?

follow this guide and attch the logs....not copy and paste.   http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

when done  the removal experts will be notified and check your logs....

[OliPicard]

Find attached the MBAM log + OTL + MBR


Also can i now uninstall OTL? (i guess its just a running only EXE and only runs when you run the exe.)

In addition MBR left a file called MBR.dat (can i delete this now that the scan is over.)

[Pondus]

not yet, if the removal expert see anything that need to be removed he will use OTL
hewill remove all tools when done...

[OliPicard]

Will they need remote access to the machine or can it be done userside?

Thanks

[Pondus]

Will they need remote access to the machine or can it be done userside?

Thanks

nope....he just give you some instructions
usually he create a fix based on the OTL log, when the fix is run in OTL it instruct OTL to do some comands
if you search some of the topics in this section you can see how Essexboy does it
OBS and he is a trained and certified malware remover....and teacher over at geeks to go forum

[OliPicard]

nope....he just give you some instructions
usually he create a fix based on the OTL log, when the fix is run in OTL it instruct OTL to do some comands
if you search some of the topics in this section you can see how Essexboy does it
OBS and he is a trained and certified malware remover....and teacher over at geeks to go forum

Awesome, Thanks Pondus! I look forward to seeing if anything interesting shows up, Ive had alook myself and ive not seen anything abnormal so hopefully its just this ISP.

[Pondus]

Essexboy is notified, if lucky he is not gone to bed yet,
if he does not show within an hour i guess you have to wait until tomorrow

[OliPicard]

Ah Ok (Thanks for notifying Essexboy ), I look forward to figuring out what the otl logs say, it should be interesting!

[OliPicard]

Ive contacted one of the ip's in question whom responded saying

1) They are not causing the problems.
2) If i paid them they would fix the issue.

I must admit it sounds pretty strange from an company which should be taking this seriously. Ive not reached back out to them.

Oliver

[OliPicard]

Here are some additional IPs which are attacking today.

Code: [Select]

109.201.133.65 x1
67.227.200.203 x1

both attacks on port 80


[essexboy]

Are you on a static IP ?  Or does it change every time you log on ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:OTL
@Alternate Data Stream - 994 bytes -> C:\Users\Oliver\AppData\Local\Temp:X02gGPI7EmhUVHobjK4u6XhMubHP

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[OliPicard]

Hi Essexboy,

Yeah we are on a dynamic IP.

Here are some more recent attacks

Code: [Select]

178.217.186.109:7777 x3
111.221.77.143:40015 x2



[essexboy]

There should be an OTL extras text file with the standard OTL one, could you attach that as it will show me your ports