DoS attack = ISP saying its on my side. Help? [OTL + MBAM + MBR logs]

[essexboy]

I can see no indication of that at the moment .. So I will now search for hidden drivers/files

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
  
• Accept the disclaimer and allow to update if it asks

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.[/b]
  

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

[polonus]

No bot it is all coming from this server. Do you see any connection here? http://myip.ms/info/whois/67.227.200.203/k/2854431429/website/www.thebuddyforum.com

polonus

[essexboy]

Would that tie in with steam somehow ?

[OliPicard]

Hi Essexboy, From steam's side nope, they run there own servers on valve.net and also CDN is done by limelight. I am alittle worried running combofix as ive seen it can cause peoples machines to go alittle odd and has been pulled from bleepingcomputer due to being infected.

[OliPicard]

Just had a new DoS attack

Code: [Select]

62.75.178.11:5202 https://stat.ripe.net/62.75.178.11#tabId=at-a-glance

[essexboy]

It was pulled about three weeks ago and the bad copy deleted.  The current version is OK

[polonus]

That is unrelated to the traffic you experience. And essexboy certainly knows what he is doing. He is the best qualified remover we have here and he is instructor at G2G as well. You cannot get better removal assistance on the Interwebs, believe me!
I am just into website code and IP analysis, and seen loads and loads of issues. That is my specialty. So I think out aloud  on an experience basis. Essexboy must drag that baddie out. Trust us, we get to it, we'd find the little b*gger!

pol

PS Just initiate the test you find here: https://www.grc.com/dns/dns.htm (because av and firewall do not protect)
Give me the results of your DNS Nameserver Spoofability Test

D

[OliPicard]

Find the combofix log attached.

[OliPicard]

Also  Polonus, Did that DNS test came back with
Anti-Spoofing Safety: Excellent

Also did the sheildUP test too, THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!

[OliPicard]

Ive also PM'd Polonus the results from sheildsup. Seems to look good from here. As for combofix, the log above provides details, I was wondering after we remove whatevers causing this can we uninstall combofix?

Thanks

[OliPicard]

Should also attach the quarantined-files txt (below.)

[OliPicard]

In addition my connection has been attacked again by

Code: [Select]

62.75.178.11:5202 (Port Scan UDP) same as previous however has commited a UDP Port scan.


[essexboy]

Aye once you are happy all tools will be removed

OK so far I have seen no signs of malware, webshield is not reporting any outgoing - can you confirm that

What effect is this having on your system, as I am wondering whether they may just be probing attacks

Could you confirm it is just Commodo reporting this ?

Then download wireshark and see if there are any unknown outgoings http://www.wireshark.org/download.html

[OliPicard]

Hi Essexboy,

Code: [Select]

The only suspious connections are coming from in and out are 23.62.53.50:80 & 173.194.67.94:443 & 173.194.34.151:443 & 173.194.66.106:443 & 173.194.34.111:443 &  173.194.78.95:443 & 196.0.6.150:443 & 173.194.42.15:443 & 173.194.66.95:443 & 173.194.34.130

Code: [Select]

Blocked items 224.0.0.252 IGMP>browser

[OliPicard]

Running wireshark as we speak.