tman555, August 25, 2023:
Can you help me understand what SysInspector reports? (Attached: SysInspector-DESKTOP-IS5390N-230825-160313.zip)
Marcos (Administrator), August 25, 2023:
Please elaborate more on your request. ESET is not installed, but Bitdefender's and Malwarebytes' drivers are loaded.
tman555, August 25, 2023:
Bitdefender is not installed. I was trying Malwarebytes and it is not helping. I had to uninstall ESET to avoid conflicts. I'm afraid my Windows registry is not OK because I've been facing a hacker attack with UDP flooding too. sfc /scannow successfully repaired corrupted files, but I had to manually set Trusted Installer to Automatic.
itman, August 25, 2023:
Quoting tman555: "I'm afraid my Windows registry is not OK because I've been facing a hacker attack with UDP flooding too."
UDP flooding is a targeted DDoS attack usually performed against servers. Check your gateway/router's firewall log for evidence of such an attack.
tman555, August 25, 2023:
Yes, here it is... against my IP.
itman, August 25, 2023:
Quoting tman555: "Yes, here it is... against my IP."
Looks like the router blocked the attack successfully. However, the firewall log entry doesn't make sense to me, since the destination IP address is 151.50.153.26. Your router might be hacked and enrolled as part of a botnet.
tman555, August 25, 2023 (edited):
That was my VPN's temporary IP... I have tried so many times to reset the router and change things, but I would have to set firewall rules listing all the source IPs I find every single time and block them. So you confirm that the reported attacks are the ones that were blocked; thank you.
tman555, August 25, 2023:
Again.
tman555, August 25, 2023:
2023-08-25 18:02:25, Info CSI 000001e4 Warning: Overlap: Directory \??\C:\Program Files (x86)\ is owned twice or has its security set twice
Original owner: Microsoft-Windows-shell32, version 10.0.19041.3393, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
New owner: Microsoft-Windows-shell32, version 10.0.19041.3393, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
itman, August 25, 2023:
My advice is to uninstall MBAM or, at the very least, disable its real-time protection. Then install Eset Internet Security or Smart Security Premium. Finally, monitor what network connections are being blocked by the Eset firewall, IDS, etc.
itman, August 25, 2023:
Here's a website that lists routers with vulnerabilities: https://modemly.com/m1/pulse . If your router is shown to contain vulnerabilities, the latest firmware update that removes the vulnerability must be applied, or the router must be replaced.
tman555, August 25, 2023:
OK, anyway, what does "impossible to open [4]" in the report mean? Is it normal? ntuser.dat and catroot2 are listed like this...
itman, August 25, 2023 (edited August 26, 2023):
Quoting tman555: "what does "impossible to open [4]" in the report mean? Is it normal?"
Yes, it is normal. It means that Windows had a lock on the file and it can't be accessed by Eset.
Quoting tman555: "That was my VPN temporary IP"
As for the UDP flooding router log entry, the source IP is 45.155.19.88. This appears to be a legitimate ISP/telecom, UAB Linama. If I were to take the log entry at face value, it is this ISP/telecom that is performing the UDP flood attack against your VPN provider, using your router as a middleman source.
EDIT: It appears this UAB Linama has subsidiaries in Italy. If this happens to be your ISP, it appears it is trying to bust your VPN connection via UDP flooding. If this is the case, you will have to ask them why they are performing this activity.
tman555, August 26, 2023:
OK, anyway, ESET has found EFI/CompuTrace.A and I'm pretty sure it is malware (this would explain many things), but I asked ASUS support to be sure. Can you read Farbar? This is the log:

Farbar Service Scanner Version: 30-04-2023
Ran by Emanuele Acquafredda (administrator) on 26-08-2023 at 18:56:15
Running from "C:\Users\Emanuele Acquafredda\Downloads"
Microsoft Windows 10 Home (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Google.com is unreachable
Attempt to access Yahoo.com returned error: Yahoo.com is unreachable

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Policy:
========================

Windows Security:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK (Start=Auto).
The ImagePath of wscsvc: "%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted -p".
The ServiceDll of wscsvc service is OK.

Windows Update:
============
UsoSvc Service is not running. Checking service configuration:
The start type of UsoSvc service is OK (Start=Auto).
The ImagePath of UsoSvc service is OK (ImagePath=%systemroot%\system32\svchost.exe -k netsvcs -p).
The ServiceDll of UsoSvc service is OK.

dosvc Service is not running. Checking service configuration:
The start type of dosvc service is OK (Start=Auto).
The ImagePath of dosvc service is OK (ImagePath=%SystemRoot%\System32\svchost.exe -k NetworkService -p).
The ServiceDll of dosvc service is OK.

Windows Autoupdate Disabled Policy:
============================
ATTENTION!=====> policy restriction on WindowsUpdate: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Windows Defender:
==============

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\Drivers\netbt.sys => File is digitally signed
C:\Windows\System32\Drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\afd.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\SecurityHealthService.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Windows\System32\usosvc.dll => File is digitally signed
C:\Windows\System32\WaaSMedicSvc.dll => File is digitally signed
C:\Windows\System32\dosvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****
itman, August 26, 2023:
Quoting tman555: "Ok, anyway ESET has found EFI/CompuTrace.A and I'm pretty sure is a malware"
If this is an ASUS notebook/laptop, it was most likely installed at the factory. If Computrace was pre-installed by the PC vendor at the factory, in most cases it is not malware. Eset detects it as a PUA. You can exclude the detection per the instructions here: https://support.eset.com/en/kb6567-you-receive-an-eset-uefi-detection.
Quoting tman555: "Can you read Farbar? This is the log:"
The only main issue I see in the log is that Microsoft Security Center is not running. Running MBAM with real-time scanning concurrently with Eset in the past might be the reason for this. You can start it manually by accessing its associated service and starting the service. Verify thereafter that the service is running after system startup.
Also, the Windows Auto Update service is not running for some reason.
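The checks behind this advice (is the Security Center service running and set to Automatic, is the Windows Update policy key populated, are the listed system files still validly signed, and are the Bitdefender/Malwarebytes drivers Marcos saw still loaded) can be redone from an elevated PowerShell prompt with built-in cmdlets, and re-run after a reboot to confirm the service stays up. The script below is an added example written for this page; it is not code from the thread, from Farbar Service Scanner or from ESET. The service names, the policy key path and the file paths are taken from the FSS log above; wuauserv, BITS and MpsSvc are assumed additions, and the driver listing is an assumed way of checking the loaded third-party drivers.

```powershell
# Added example, not from the thread: re-run the checks Farbar Service Scanner
# reported with built-in cmdlets so the result can be compared before and
# after a reboot. Run from an elevated PowerShell prompt on the affected PC.

# Services FSS flagged as "not running" (wscsvc, UsoSvc, dosvc), plus assumed
# additions: wuauserv (Windows Update), BITS and MpsSvc (Windows Firewall).
$services   = 'wscsvc', 'UsoSvc', 'dosvc', 'wuauserv', 'BITS', 'MpsSvc'
$startTypes = @{ 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$name : service not found"; continue }
    # Start type and ImagePath are read from the service's registry key,
    # the same place FSS reads them.
    $cfg  = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $vals = @($name, $svc.Status, $startTypes[[int]$cfg.Start], $cfg.ImagePath)
    '{0,-9} {1,-8} Start={2,-8} ImagePath={3}' -f $vals
    if ($svc.Status -ne 'Running' -and $cfg.Start -eq 2) {
        # An Automatic service that is stopped is exactly what FSS reported.
        # Start it now, then re-run this script after a reboot to see whether
        # it stays up (the "verify thereafter" step).
        Write-Warning "$name is Automatic but not running; starting it"
        Start-Service -Name $name -ErrorAction Continue
    }
}

# The "policy restriction on WindowsUpdate" FSS flagged: values under this key
# are Group Policy settings and normally do not exist on a home PC at all.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (Test-Path $wuPolicy) {
    Write-Warning "Windows Update policy key present: $wuPolicy"
    $keys = @(Get-Item $wuPolicy) + @(Get-ChildItem $wuPolicy -Recurse)
    foreach ($k in $keys) {
        foreach ($v in $k.Property) {
            '{0} : {1} = {2}' -f $k.PSChildName, $v, $k.GetValue($v)
        }
    }
} else {
    'No Windows Update policy restriction found.'
}

# Re-check a subset of the files FSS verified; any status other than 'Valid'
# deserves a closer look. Catalog-signed Windows files also report Valid.
$files = 'C:\Windows\System32\wscsvc.dll', 'C:\Windows\System32\usosvc.dll',
         'C:\Windows\System32\dosvc.dll', 'C:\Windows\System32\wuaueng.dll',
         'C:\Windows\System32\Drivers\tcpip.sys', 'C:\Windows\System32\svchost.exe'
Get-AuthenticodeSignature -FilePath $files |
    Select-Object @{n='File'; e={ Split-Path $_.Path -Leaf }}, Status,
                  @{n='Signer'; e={ $_.SignerCertificate.Subject }} |
    Format-Table -AutoSize

# Running kernel drivers whose file is not from Microsoft, to confirm whether
# the Bitdefender and Malwarebytes drivers seen in the SysInspector log are
# still loaded. CompanyName comes from the file's version resource; WHQL
# drivers from third parties carry a Microsoft signature, so the signer alone
# would not separate them from inbox drivers.
Get-CimInstance Win32_SystemDriver | Where-Object State -eq 'Running' | ForEach-Object {
    if (-not $_.PathName) { return }
    # Normalise the NT-style paths Win32_SystemDriver returns.
    $path = $_.PathName -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    $info = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).VersionInfo
    $sig  = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Driver  = $_.Name
        Path    = $path
        Company = $info.CompanyName
        Signed  = $sig.Status
    }
} | Where-Object { $_.Company -notmatch 'Microsoft' } | Format-Table -AutoSize
```

Run it once, reboot, and run it again: a service that shows Running on the second pass with Start=Auto is what the "verify thereafter" step asks for, and a driver still listed in the last table after the Malwarebytes or Bitdefender uninstall points to a leftover that the vendor's removal tool has to clean up.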
itman, August 26, 2023:
My final statement in this thread: since it appears your router is blocking UDP flood attacks adequately, I wouldn't be concerned about the activity.