tman555 (Posted August 25):
Can you help me understand what SysInspector reports?
Attachment: SysInspector-DESKTOP-IS5390N-230825-160313.zip
Marcos (Administrator, Posted August 25):
Please elaborate more on your request. ESET is not installed, but Bitdefender's and Malwarebytes' drivers are loaded.
tman555 (Author, Posted August 25):
Bitdefender is not installed. I was trying Malwarebytes and it is not helping. I had to uninstall ESET to avoid conflicts. I'm afraid my Windows registry is not OK because I've been facing a hacker attack with UDP flooding too. sfc /scannow successfully repaired corrupted files, but I had to manually set Trusted Installer to Automatic.
itman (Posted August 25):
Quoting tman555 (31 minutes ago): "I'm afraid my Windows registry is not OK because I've been facing a hacker attack with UDP flooding too."
UDP flooding is a DDoS targeted attack usually performed against servers. Check your gateway/router's firewall log for evidence of such an attack.
tman555 (Author, Posted August 25):
Yes, here it is... against my IP. (Screenshot of the router firewall log attached.)
itman (Posted August 25):
Quoting tman555 (1 minute ago): "Yes, here it is... against my IP."
Looks like the router blocked the attack successfully. However, the firewall log entry doesn't make sense to me, since the destination IP address is 151.50.153.26? Your router might be hacked and enrolled as part of a botnet.
tman555 (Author, Posted August 25, edited August 25 by tman555):
That was my VPN's temporary IP... I have tried so many times to reset the router and change things, but I would have to set firewall rules listing all the source IPs I find every single time and block them. So you confirm that the reported attacks are those which have been blocked. Thank you.
tman555 (Author, Posted August 25):
Again. (Another router log screenshot attached.)
tman555 (Author, Posted August 25):
2023-08-25 18:02:25, Info CSI 000001e4 Warning: Overlap: Directory \??\C:\Program Files (x86)\ is owned twice or has its security set twice
Original owner: Microsoft-Windows-shell32, version 10.0.19041.3393, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
New owner: Microsoft-Windows-shell32, version 10.0.19041.3393, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
itman (Posted August 25):
My advice is to uninstall MBAM or, at the very least, disable its real-time protection. Then install ESET Internet Security or Smart Security Premium. Finally, monitor what network connections are being blocked by the ESET firewall, IDS, etc.
itman (Posted August 25):
Here's a web site that lists routers with vulnerabilities: https://modemly.com/m1/pulse . If your router is shown to contain vulnerabilities, the latest firmware update that removes the vulnerability must be applied, or the router replaced.
tman555 (Author, Posted August 25):
OK. Anyway, what does "impossible to open [4]" in the report mean? Is it normal? ntuser.dat and catroot2 are listed like this...
itman (Posted August 25, edited August 26 by itman):
Quoting tman555 (18 hours ago): "What does 'impossible to open [4]' in the report mean? Is it normal?"
Yes, it is normal. It means that Windows had a lock on the file and it can't be accessed by ESET.
Quoting tman555 (23 hours ago): "That was my VPN's temporary IP."
As far as the UDP flooding router log entry goes, the source IP is 45.155.19.88. This appears to be a legit ISP/telecom, UAB Linama. If I were to take the log entry at face value, it is this ISP/telecom that is performing the UDP flood attack against your VPN provider, using your router as a middle-man source.
-EDIT- It appears this UAB Linama has subsidiaries in Italy. If this happens to be your ISP, it appears it is trying to bust your VPN connection via UDP flooding. If this is the case, you will have to ask them why they are performing this activity.
tman555 (Author, Posted August 26):
OK. Anyway, ESET has found EFI/CompuTrace.A and I'm pretty sure it is malware (this would explain many things), but I asked ASUS support to be sure. Can you read Farbar? This is the log:

Farbar Service Scanner Version: 30-04-2023
Ran by Emanuele Acquafredda (administrator) on 26-08-2023 at 18:56:15
Running from "C:\Users\Emanuele Acquafredda\Downloads"
Microsoft Windows 10 Home (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Google.com is unreachable
Attempt to access Yahoo.com returned error: Yahoo.com is unreachable

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Policy:
========================

Windows Security:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK (Start=Auto).
The ImagePath of wscsvc: "%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted -p".
The ServiceDll of wscsvc service is OK.

Windows Update:
============
UsoSvc Service is not running. Checking service configuration:
The start type of UsoSvc service is OK (Start=Auto).
The ImagePath of UsoSvc service is OK (ImagePath=%systemroot%\system32\svchost.exe -k netsvcs -p).
The ServiceDll of UsoSvc service is OK.
dosvc Service is not running. Checking service configuration:
The start type of dosvc service is OK (Start=Auto).
The ImagePath of dosvc service is OK (ImagePath=%SystemRoot%\System32\svchost.exe -k NetworkService -p).
The ServiceDll of dosvc service is OK.

Windows Autoupdate Disabled Policy:
============================
ATTENTION!=====> policy restriction on WindowsUpdate:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Windows Defender:
==============

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\Drivers\netbt.sys => File is digitally signed
C:\Windows\System32\Drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\afd.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\SecurityHealthService.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Windows\System32\usosvc.dll => File is digitally signed
C:\Windows\System32\WaaSMedicSvc.dll => File is digitally signed
C:\Windows\System32\dosvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****
itman (Posted August 26):
Quoting tman555 (1 hour ago): "OK. Anyway, ESET has found EFI/CompuTrace.A and I'm pretty sure it is malware."
If this is an ASUS notebook/laptop, it most likely was installed at the factory. If Computrace was pre-installed by the PC vendor at the factory, in most cases it is not malware. ESET detects it as a PUA. You can exclude the detection per the instructions here: https://support.eset.com/en/kb6567-you-receive-an-eset-uefi-detection.
Quoting tman555 (1 hour ago): "Can you read Farbar? This is the log:"
The only main issue I see in the log is that Microsoft Security Center is not running. Running MBAM with real-time scanning concurrently with ESET in the past might be the reason for this. You can manually start it by accessing its associated service and then manually starting the service. Verify thereafter that the service is running after system startup. (Screenshot of the Services console attached.)
Also, the Windows Auto Updating service is not running for some reason.
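The follow-up itman describes (restart the stopped Security Center service, confirm it stays running after a reboot, and look at the Windows Update policy key Farbar flagged) can be done from an elevated PowerShell prompt instead of clicking through services.msc. The script below is an added example written for this thread; it is not ESET's, Farbar's or itman's code. It checks the three services Farbar reported as stopped (wscsvc, UsoSvc, dosvc), starts any that are set to Automatic but not running, and then dumps every value under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate so you can see what the restriction actually is before deciding whether to remove it. The service names and the registry path come from the log above; the inclusion of a second run after reboot is the author's assumption about how to verify persistence.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell prompt.
# 1. Re-check the services Farbar reported as "not running" and start them if their
#    start type is Automatic (a service with Start=Auto that is stopped after boot is
#    the condition itman is describing).
$services = @('wscsvc', 'UsoSvc', 'dosvc')   # Security Center, Update Orchestrator, Delivery Optimization

function Test-ExpectedServices {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "Service $name is not present on this system"; continue }
        # Win32_Service exposes StartMode and the image path that Farbar also verified.
        $cfg = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        '{0,-8} Status={1,-8} StartMode={2,-9} Path={3}' -f $name, $svc.Status, $cfg.StartMode, $cfg.PathName
        if ($svc.Status -ne 'Running' -and $cfg.StartMode -eq 'Auto') {
            Write-Host "  -> $name is Automatic but stopped; starting it"
            Start-Service -Name $name
        }
    }
}

# 2. Show the Windows Update policy key that Farbar flagged. Values here are usually
#    set by Group Policy, a management agent, or a "tweaking" tool; identify the source
#    before deleting anything, because whatever set it may simply set it again.
function Show-WindowsUpdatePolicy {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    if (-not (Test-Path $policy)) { 'No WindowsUpdate policy key present'; return }
    Get-Item $policy | Get-ItemProperty | Format-List *
    Get-ChildItem -Path $policy -Recurse | ForEach-Object {
        "--- $($_.PSPath)"
        Get-ItemProperty -Path $_.PSPath | Format-List *
    }
}

Test-ExpectedServices -Names $services
Show-WindowsUpdatePolicy
```

Run it once, reboot, and run it again: if wscsvc shows as Stopped on the second run even though StartMode is Auto, something on the system (a leftover security product or a policy) is stopping it after startup, which is the case itman asks you to rule out.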
itman (Posted August 26):
My final statement in this thread is that since it appears your router is blocking UDP flood attacks adequately, I wouldn't be concerned about the activity.