Multiple TCP port scan, flooding and ICMP redirect attacks from different IPs

Status
Not open for further replies.
I've seen that the IP from which I received a TCP port scan attack (209.211.0.7) at 4:21:51 PM belongs to CenturyLink (Lumen), and they have told me to call 8002441111 to get the real IP address without a warrant. Can this be true?
 
I'm trying to start a scan from a command prompt run as administrator, since the scan is being forcibly stopped by something shortly after it starts.
 
These are after uninstalling Kaspersky and restarting the PC 2 times; it is not normal, and the Windows Defender "Trusted Apps only" value is 0.
 
Hello and welcome to the Security Arena, at Sysnative Forums.

Please adhere to the guidelines below, and then carefully follow, in the same order, all the instructions that come after them:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Cracked or pirated programs are not only illegal, but can also make your computer a malware target. Having such programs installed is the easiest way to get infected. Thus, there is no need to clean the computer, since, sooner or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.

4. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

6. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, keep in mind that all the experts here are volunteers and may not be available to assist when you post. Please be patient while I analyze your logs.


====================

First, some questions:

Do you need Advanced_IP_Scanner?
Do you need Security Task Manager?

You have some items in your Downloads folder, I wonder why:

2023-11-10 20:36 - 2023-11-12 19:56 - 000000000 ____D C:\Users\x_emo\Downloads\xtajit
2023-11-10 20:35 - 2023-11-10 20:35 - 000425008 _____ C:\Users\x_emo\Downloads\xtajit.zip
2023-11-10 20:35 - 2023-11-10 20:35 - 000425008 _____ C:\Users\x_emo\Downloads\xtajit (1).zip
2023-11-10 18:20 - 2023-11-12 19:56 - 000000000 ____D C:\Users\x_emo\Downloads\wow64
2023-11-10 18:20 - 2023-11-10 18:21 - 000000000 ____D C:\Users\x_emo\Downloads\wow64win
2023-11-10 18:14 - 2023-11-12 19:56 - 000000000 ____D C:\Users\x_emo\Downloads\wowarmhw
2023-11-09 19:23 - 2023-11-09 19:23 - 000011248 _____ C:\Users\x_emo\Downloads\wow64cpu.zip
 
Sorry man, thank you. I've clean installed Windows 10 but something keeps going wrong; maybe there is a rootkit. I didn't need those and they aren't on my PC anymore. The DLLs were there because Autoruns says "file not found" for them, even now. I'm doing multiple scans with MB, Msert and WD. Msert says there are 7 files infected, but I swear in the end it will say everything is fine, as previously.
 
Hello.

Please do not perform scans without me asking this first.

Moving on:


1. Remove an Edge extension

Remove Kaspersky Protection from your Edge extensions.



2. FRST fix

Please do the following to run a FRST fix. First, move the tool directly on to your Desktop.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
AlternateShell:  <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
AV: Kaspersky (Disabled - Up to date) {4F76F112-43EB-40E8-11D8-F7BD1853EA23}
FW: Kaspersky (Disabled) {774D7037-0984-41B0-3A87-5E88E680AD58}
ContextMenuHandlers1: [Kaspersky Premium 21.15] -> {AE81D5A2-A34B-4D93-8DF8-540DBCE48043} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.15\x64\shellex.dll -> No File
ContextMenuHandlers2: [Kaspersky Premium 21.15] -> {AE81D5A2-A34B-4D93-8DF8-540DBCE48043} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.15\x64\shellex.dll -> No File
ContextMenuHandlers4: [Kaspersky Premium 21.15] -> {AE81D5A2-A34B-4D93-8DF8-540DBCE48043} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.15\x64\shellex.dll -> No File
ContextMenuHandlers6: [Kaspersky Premium 21.15] -> {AE81D5A2-A34B-4D93-8DF8-540DBCE48043} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.15\x64\shellex.dll -> No File
2023-11-12 21:01 - 2023-11-12 21:01 - 002319872 _____ () [File not signed] \\?\C:\Users\x_emo\AppData\Local\Temp\361619ba-f431-4d29-a36d-28a4839f4b3d.tmp.node
2023-10-17 14:13 - 2023-10-18 00:23 - 000000000 ____D C:\Users\defaultuser100000
2023-10-17 14:13 - 2023-10-17 14:13 - 000000000 ___SD C:\Users\defaultuser100000\AppData\Roaming\Microsoft\Protect
2023-10-17 14:13 - 2023-10-17 14:13 - 000000000 ____D C:\Users\defaultuser100000\AppData\Roaming\Microsoft\Windows
2023-10-17 14:13 - 2023-10-17 14:13 - 000000000 ____D C:\Users\defaultuser100000\AppData\LocalLow\Intel
2023-10-17 14:13 - 2023-10-17 14:13 - 000000000 ____D C:\Users\defaultuser100000\AppData\Local\ConnectedDevicesPlatform
2023-10-17 14:13 - 2023-09-26 09:34 - 000000000 ____D C:\Users\defaultuser100000\AppData\Roaming\Microsoft\Network
2023-10-17 14:13 - 2023-09-20 07:53 - 000000000 ____D C:\Users\defaultuser100000\AppData\Local\Kaspersky Lab
2023-11-12 16:20 - 2023-11-12 16:20 - 000000210 _____ C:\Users\x_emo\advanced_ip_scanner_MAC.bin
2023-11-12 16:20 - 2023-11-12 16:20 - 000000015 _____ C:\Users\x_emo\advanced_ip_scanner_Comments.bin
2023-11-12 16:20 - 2023-11-12 16:20 - 000000015 _____ C:\Users\x_emo\advanced_ip_scanner_Aliases.bin
2023-11-12 16:18 - 2023-11-12 16:18 - 000001050 _____ C:\Users\Public\Desktop\Advanced IP Scanner.lnk
2023-11-12 16:18 - 2023-11-12 16:18 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced IP Scanner v2
2023-11-12 16:18 - 2023-11-12 16:18 - 000000000 ____D C:\Program Files (x86)\Advanced IP Scanner
2023-11-12 16:17 - 2023-11-12 16:17 - 021050672 _____ (Famatech Corp. ) C:\Users\x_emo\Downloads\Advanced_IP_Scanner_2.5.4594.1.exe
2023-11-10 18:25 - 2023-11-12 19:56 - 000000000 ____D C:\Program Files (x86)\Security Task Manager
2023-11-10 18:20 - 2023-11-12 19:56 - 000000000 ____D C:\Users\x_emo\Downloads\wow64
2023-11-10 18:20 - 2023-11-10 18:21 - 000000000 ____D C:\Users\x_emo\Downloads\wow64win
2023-11-10 18:14 - 2023-11-12 19:56 - 000000000 ____D C:\Users\x_emo\Downloads\wowarmhw
2023-11-09 19:23 - 2023-11-09 19:23 - 000011248 _____ C:\Users\x_emo\Downloads\wow64cpu.zip
2023-11-10 20:36 - 2023-11-12 19:56 - 000000000 ____D C:\Users\x_emo\Downloads\xtajit
2023-11-10 20:35 - 2023-11-10 20:35 - 000425008 _____ C:\Users\x_emo\Downloads\xtajit.zip
2023-11-10 20:35 - 2023-11-10 20:35 - 000425008 _____ C:\Users\x_emo\Downloads\xtajit (1).zip
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot => "AlternateShell"=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AutorunsDisabled => "AlternateShell"="cmd.exe"
RemoveProxy:
cmd: netsh winsock reset catalog
cmd: netsh int ip reset C:\resettcpip.txt
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state ON
cmd: ipconfig /flushdns
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.


In your next reply please post:
  1. If uninstalling the Kaspersky extension ran smoothly
  2. The fixlog.txt
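The file listings quoted in this post are in FRST's "creation date - modification date - size attributes [company] [signature note] path" format. The following added example, which is not part of the thread or of FRST itself, parses such lines and marks the entries a reviewer would typically ask the user about: unsigned binaries in a Temp folder and items in the user's Downloads folder. The sample lines are constructed from the ones quoted above; the interpretation of the two dates as creation and last-modified, and the triage rules, are the author's assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample lines copied from the FRST listings in this thread.
SAMPLE_LINES = [
    r"2023-11-10 20:36 - 2023-11-12 19:56 - 000000000 ____D C:\Users\x_emo\Downloads\xtajit",
    r"2023-11-10 20:35 - 2023-11-10 20:35 - 000425008 _____ C:\Users\x_emo\Downloads\xtajit.zip",
    r"2023-11-12 21:01 - 2023-11-12 21:01 - 002319872 _____ () [File not signed] "
    r"\\?\C:\Users\x_emo\AppData\Local\Temp\361619ba-f431-4d29-a36d-28a4839f4b3d.tmp.node",
    r"2023-11-12 16:17 - 2023-11-12 16:17 - 021050672 _____ (Famatech Corp. ) "
    r"C:\Users\x_emo\Downloads\Advanced_IP_Scanner_2.5.4594.1.exe",
    r"2023-10-17 14:13 - 2023-10-17 14:13 - 000000000 ___SD "
    r"C:\Users\defaultuser100000\AppData\Roaming\Microsoft\Protect",
]

# One FRST listing line: two timestamps, a 9-digit size, a 5-char attribute
# field, an optional "(Company)" and optional "[note]", then the path.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{9}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?:\[(?P<note>[^\]]*)\] )?"
    r"(?P<path>.+)$"
)


@dataclass
class Entry:
    created: datetime   # assumed: first timestamp is the creation time
    modified: datetime  # assumed: second timestamp is the last-modified time
    size: int
    is_dir: bool        # 'D' in the attribute field
    company: Optional[str]
    note: Optional[str]
    path: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a listing line, or None for any other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    company = m["company"].strip() if m["company"] is not None else None
    return Entry(
        created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
        modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
        size=int(m["size"]),
        is_dir="D" in m["attrs"],
        company=company or None,
        note=m["note"],
        path=m["path"],
    )


def parse_listing(lines: List[str]) -> List[Entry]:
    """Parse a block of FRST output, silently skipping non-listing lines."""
    return [e for e in (parse_line(ln) for ln in lines) if e is not None]


def triage_reasons(entry: Entry) -> List[str]:
    """Hypothetical review rules: why a reviewer might ask about this entry."""
    reasons: List[str] = []
    low = entry.path.lower()
    if entry.note and "not signed" in entry.note.lower():
        reasons.append("unsigned")
    if "\\temp\\" in low and not entry.is_dir:
        reasons.append("in temp")
    if "\\downloads\\" in low:
        reasons.append("in downloads")
    return reasons


if __name__ == "__main__":
    for e in parse_listing(SAMPLE_LINES):
        flags = ", ".join(triage_reasons(e)) or "-"
        print(f"{e.created:%Y-%m-%d %H:%M}  {e.size:>9}  {flags:<22} {e.path}")
```

Run it on a saved FRST.txt by replacing SAMPLE_LINES with the file's lines; lines that are not file listings (headers, registry entries, the fix script itself) are ignored rather than mis-parsed.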
 
Hi.

I spent a remarkable amount of time reviewing your logs here and I prepared a fix for you. Have you read the basic guidelines of this forum at all? I don't think so.

Do you really need assistance or "you just play" with us? "I am stuck with the old logs" ?? Seriously?

And is this the same computer with the one you posted logs when you started this topic?

Anyway. Just letting you know that I won't review the last logs you posted unless you read the guidelines I posted above and are ready to follow my instructions. Time is valuable for all of us, and I am happy to spend it for people who really respect it.
 
Didn't mean that, I'm sorry you misunderstood. If you look up in the thread, there are logs from before formatting the PC and after. The PC name changed because of the clean install of Win 10. No kidding.
 
Didn't mean that, I'm sorry you misunderstood. If you look up in the thread, there are logs from before formatting the PC and after. The PC name changed because of the clean install of Win 10. No kidding.

And obviously you let me post a fix and then you attached the fresh logs.

Let's make another try. But this time, do not download/install/scan using this computer. Is this fine with you?
 
Actually, there were other logs you missed.
These are after uninstalling Kaspersky and restarting the PC 2 times; it is not normal, and the Windows Defender "Trusted Apps only" value is 0.
Anyway, I didn't understand: this is my PC, can you help me with this PC?
 