ESET SysInspector report


tman555

Please elaborate more on your request. ESET is not installed but Bitdefender's and Malwarebytes' drivers are loaded.

Bitdefender is not installed. I was trying Malwarebytes and it is not helping. I had to uninstall ESET to avoid conflicts. I'm afraid my Windows registry is not OK because I've been facing a hacker attack with UDP flooding too. Sfc /scannow successfully repaired corrupted files, but I had to manually enable Trusted Installer as Automatic.

31 minutes ago, tman555 said:

I'm afraid my Windows registry is not OK because I've been facing a hacker attack with UDP flooding too.

UDP flooding is a DDoS targeted attack usually performed against servers. Check your gateway/router's firewall log for evidence of such an attack.

1 minute ago, tman555 said:

Yes, here it is...against my IP

Looks like the router blocked the attack successfully. However, the firewall log entry doesn't make sense to me, since the destination IP address is 151.50.153.26? Your router might have been hacked and enrolled as part of a botnet.

That was my VPN's temporary IP... I have tried so many times to reset the router and change things, but I would have to set the firewall rules listing all the IP sources I find every single time and block them. So you confirm to me that the reported attacks are those which had been blocked, thank you.

Edited by tman555
2023-08-25 18:02:25, Info                  CSI    000001e4 Warning: Overlap: Directory \??\C:\Program Files (x86)\ is owned twice or has its security set twice
   Original owner: Microsoft-Windows-shell32, version 10.0.19041.3393, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}
   New owner: Microsoft-Windows-shell32, version 10.0.19041.3393, arch Host= amd64 Guest= x86, nonSxS, pkt {l:8 b:31bf3856ad364e35}

My advice is to uninstall MBAM or, at the very least, disable its real-time protection. Then install Eset Internet Security or Smart Security Premium. Finally, monitor what network connections are being blocked by the Eset firewall, IDS, etc.

Ok, anyway, what does "impossible to open [4]" in the report mean? Is it normal? ntuser.dat and catroot2 are listed like this...

18 hours ago, tman555 said:

what does "impossible to open [4]" in the report mean? Is it normal?

Yes, it is normal. It means that Windows had a lock on the file and it can't be accessed by Eset.

23 hours ago, tman555 said:

That was my VPN temporary IP

As far as UDP flooding router log entry, the source IP is 45.155.19.88. This appears to be a legit ISP/telecom, UAB Linama. If I were to take the log entry at face value, it is this ISP/telecom that is performing the UDP flood attack against your VPN provider using your router as a middle-man source.

-EDIT- It appears this UAB Linama has subsidiaries in Italy. If this happens to be your ISP, it appears it is trying to bust your VPN connection via UDP flooding. If this is the case, you will have to ask them why they are performing this activity.

Edited by itman
Ok, anyway, ESET has found EFI/CompuTrace.A and I'm pretty sure it is malware (this would explain many things), but I asked ASUS support to be sure.

Can you read Farbar? This is the log:

Farbar Service Scanner Version: 30-04-2023
Ran by Emanuele Acquafredda (administrator) on 26-08-2023 at 18:56:15
Running from "C:\Users\Emanuele Acquafredda\Downloads"
Microsoft Windows 10 Home (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============


Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Google.com is unreachable
Attempt to access Yahoo.com returned error: Yahoo.com is unreachable


Windows Firewall:
=============


Firewall Disabled Policy: 
==================


System Restore:
============


System Restore Policy: 
========================


Windows Security:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK (Start=Auto).
The ImagePath of wscsvc: "%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted -p".
The ServiceDll of wscsvc service is OK.


Windows Update:
============
UsoSvc Service is not running. Checking service configuration:
The start type of UsoSvc service is OK (Start=Auto).
The ImagePath of UsoSvc service is OK (ImagePath=%systemroot%\system32\svchost.exe -k netsvcs -p).
The ServiceDll of UsoSvc service is OK.
dosvc Service is not running. Checking service configuration:
The start type of dosvc service is OK (Start=Auto).
The ImagePath of dosvc service is OK (ImagePath=%SystemRoot%\System32\svchost.exe -k NetworkService -p).
The ServiceDll of dosvc service is OK.


Windows Autoupdate Disabled Policy: 
============================
ATTENTION!=====> policy restriction on WindowsUpdate: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate 


Windows Defender:
==============


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\Drivers\netbt.sys => File is digitally signed
C:\Windows\System32\Drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\afd.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\SecurityHealthService.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Windows\System32\usosvc.dll => File is digitally signed
C:\Windows\System32\WaaSMedicSvc.dll => File is digitally signed
C:\Windows\System32\dosvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****


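A small triage script for Farbar Service Scanner output, added here as an example; it is not part of the thread, of ESET, or of the Farbar tool. It pulls out the two items itman flagged in the log above (a stopped service and the WindowsUpdate policy restriction) and additionally flags any file in the File Check section that is not digitally signed; the sample log is constructed to mirror the format of the posted one.

```python
import re

# Constructed excerpt in Farbar Service Scanner format ("Title:" line, '=' underline,
# body lines), modelled on the log posted in the thread; not real scanner output.
SAMPLE_LOG = """\
Windows Security:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK (Start=Auto).

Windows Autoupdate Disabled Policy:
============================
ATTENTION!=====> policy restriction on WindowsUpdate: HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate

File Check:
========
C:\\Windows\\System32\\wscsvc.dll => File is digitally signed
C:\\Windows\\System32\\svchost.exe => File is not digitally signed
"""
# One pattern per finding; group 1 is the value reported.
RULES = {
    "stopped_services": re.compile(r"^(\S+) Service is not running"),
    "policy_restrictions": re.compile(r"^ATTENTION!=+> policy restriction on \S+: (.+?)\s*$"),
    "unsigned_files": re.compile(r"^(.+?) => File is not digitally signed"),
}

def parse_sections(text):
    """Map each section title to its body lines; a title is a ':'-terminated line
    followed by a run of '=' characters (body lines ending in ':' are not titles)."""
    sections, current = {}, None
    lines = [ln.rstrip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        is_header = (line.endswith(":") and i + 1 < len(lines)
                     and set(lines[i + 1]) == {"="})
        if is_header:
            current = line[:-1]
            sections[current] = []
        elif current is not None and line and set(line) != {"="}:
            sections[current].append(line)
    return sections

def triage(text):
    """Return {rule name: [(section, value), ...]} for every body line matching a rule."""
    found = {name: [] for name in RULES}
    for title, body in parse_sections(text).items():
        for line in body:
            for name, rx in RULES.items():
                if m := rx.search(line):
                    found[name].append((title, m.group(1)))
                    break
    return found
```
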
1 hour ago, tman555 said:

Ok, anyway, ESET has found EFI/CompuTrace.A and I'm pretty sure it is malware

If this is an ASUS notebook/laptop, it most likely was installed at the factory. If Computrace was pre-installed by the PC vendor at the factory, in most cases it is not malware.

Eset detects it as a PUA. You can exclude the detection per instruction here: https://support.eset.com/en/kb6567-you-receive-an-eset-uefi-detection.

1 hour ago, tman555 said:

Can you read Farbar? This is the log:

The only main issue I see in the log is that Microsoft Security Center is not running. Running MBAM w/ real-time scanning concurrent with Eset in the past might be the reason for this.

You can manually start it by accessing its associated service and then manually starting the service. Verify thereafter that the service is running after system startup:

[Screenshot attachment: Eset_WSC.png]

Also, Windows Auto Updating service is not running for some reason.

My final statement in this thread is since it appears your router is blocking UDP flood attacks adequately, I won't be concerned about the activity.
