DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]

[OliPicard]

certainly! (heres one from the scan last night.)

[OliPicard]

Hi Essexboy
since last posting we have had an additional attack
In addaition we have had an additional attack

Code: [Select]

84.93.233.34:44300 x2


[essexboy]

The IP's resolve to virtually all parts of the globe with a preponderance of them being European

I would like to reset various net items next, this one may take a few minutes to run 

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:Files
Netsh firewall reset /c
ipconfig /release /c
ipconfig /renew /c
ipconfig /flushdns /c
netsh winsock reset catalog /c
netsh int ip reset /c

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[OliPicard]

Hi, While running the test the following error occured.

Code: [Select]

failed to create cmd.bat.
now its stuck on killing processes (its been like it for 10 mins. not sure if thats normal.)

[polonus]

Hi essexboy,

The so-called IP attacks or repeated requests could have come from bitcoint dot org, like bitcointalk dot org etc. : http://myip.ms/info/whois/109.201.133.65/k/4080771760/website/bitcointalk.org
Does this ring some bell with the OP?

polonus

[OliPicard]

Hi polonus I dont use bitcoins however i do use p2ping with steam downloads however these are delivered over limelight networks.

I decided to Quit the application after the cmd.bat wouldnt be created during the OTL (it went into a locked up mode.) so i exited the application and went back in, copied and pasted everything EB posted (on the newest post) and it went smooth without issues!
Please find attached the new results. Ive also seen OTL has created 2 new folders in _OTL (under root) i was wondering do i move the files back to there original places? (the ones which are being moved to a root folder.)


In addition find attached the requested log from the latest scan.

[OliPicard]

Also to keep you updated ive discovered additonal ip's also attacking. (see below)

Code: [Select]

107.20.145.76:443 x3 dropbox (we dont not use dropbox so found this weird.) in addition it seems to be tired to an EC2 VM https://stat.ripe.net/107.20.145.76#tabId=at-a-glance AMAZON-02 - Amazon.com, Inc.
31.13.64.23:443 x2 (facebook ireland)
23.61.255.57:80 AKAMAI-ASN1 - Akamai International B.V.
173.194.34.111:443 Google
50.19.81.238:443 (Another Amazon EC2 Instance)



[essexboy]

Dropbox may have been the images I use in my posts as that is where I stuff them all

:OTL
@Alternate Data Stream - 994 bytes -> C:\Users\Oliver\AppData\Local\Temp:X02gGPI7EmhUVHobjK4u6XhMubHP

Did you run this first OTL fix as the ads is very suspect

[OliPicard]

Dropbox may have been the images I use in my posts as that is where I stuff them all

:OTL
@Alternate Data Stream - 994 bytes -> C:\Users\Oliver\AppData\Local\Temp:X02gGPI7EmhUVHobjK4u6XhMubHP

Did you run this first OTL fix as the ads is very suspect

Hey Essexboy, i didnt run the first test because i thought it may not work with the newer test you sent me. Should i copy everything in or just the :OTL @Alternate Data Stream ?

In addition the following IP has also sent out a DoS

Code: [Select]

67.227.200.203:80 (from the bot website another IP address thought.
Previously attacked at 11:54:30 AM same port.


[polonus]

Hi OliPicard,

Yes we must look for some mining backdoor malware variant, like Bitminer or Graybird like suspicious riskware, because of this Virginia Ashburn IP, also known from W32/BitCoinMiner.A, namely IP 50.19.81.238 that you also mention...

polonus

[OliPicard]

Ok, Glad we are on the case of figuring this out polonus! Now its trying to figure out the removal. Also @Essexboy should i run the datastream one using the OTL with everything you have posted previously.

Thanks
Oliver

[OliPicard]

Ive ran a OTL scan with the new scan as requested by Essexboy

In addition ive rebooted then ran a Quickscan, have included both extras and OTL log.

[OliPicard]

Have also just had another attack. Upon looking into this IP it seems connected to another IP which sent a simular request a couple of hours ago.

Code: [Select]

178.33.61.70:80 Seems to be related to 67.227.200.203:80 which attacked at 03:28:29 PM 

[polonus]

It keeps doing that because something is blocking this bot restarter program's authentication - could be either av or firewall...

pol

[OliPicard]

Strangely enough we dont have a bot setup, this could be a malware/botnet? I think we both discovered it might be related to W32/Downloader.F.gen!Eldorado (alternative name dorkbot)