migs_k
Posts: 21
Posts posted by migs_k
-
After logging in using PIN after a restart:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-229674073-691441657-888200982-1001\NgcFirst\ConsecutiveSwitchCount
Quote
Time;Application;Operation;Target;Action;Rule;Additional information
4/14/2021 8:44:57 PM;C:\Windows\System32\svchost.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-229674073-691441657-888200982-1001\NgcFirst\ConsecutiveSwitchCount;allowed;Automatic mode;
This came up on ESET HIPS; I've never seen this popping up before.
After doing some internet search, this came up:
https://forum.eset.com/topic/23588-hips-alert-for-host-process/?_fromLogin=1
-
Is this a legit ESET website? https://www.eset.com.ph/
My aunt purchased an ESET license and registered using that website, but when trying to log in to hxxp://my.eset.com/ using the same credentials, it won't work.
-
Looks like I'm the very first one to upload these. Is it even possible to detect pieces of code that are placed everywhere?
-
There's more inside the rar which is not base64.
Is ESET capable of cleaning or detecting that sort of thing that's on the YouTube video?
-
One of them looks like base64:
Just my flying suspicion, because I saw this YouTube video https://www.youtube.com/watch?v=mhOWdH2zwMk where the malware source code is placed in whatever places.
EDIT: OK yeah, decoded it and it's something that may be part of the source code for something.
Quote
{"p1":{"509880146":{"p2":[{"p3":1526052725,"p4":867731894,"p5":0},{"p3":1525962912,"p4":867731894,"p5":0},{"p3":1525876352,"p4":867731894,"p5":0},{"p3":1515558742,"p4":2330284738,"p5":0},{"p3":1515328333,"p4":2330284738,"p5":0},{"p3":1513760498,"p4":3068237567,"p5":0},{"p3":1511750089,"p4":3814026679,"p5":0},{"p3":1511260366,"p4":3814026679,"p5":0}]},"127446590":{"p2":[{"p3":1516412135,"p4":3192606308,"p5":0},{"p3":1513665302,"p4":3192606308,"p5":0}]}}}
-
Yeah, I guess I'm gonna need that consultation.
A lot has happened since my last reply.
-
These records happened when I was already logged on, and during that time I was on a Google Meet session.
Also, I don't access my PC through PIN; I use Microsoft pass.
-
Also, to me this is an unresolved issue.
Quote
Can I ask what these are? They automatically ran without me knowing.
Time;Application;Operation;Target;Action;Rule;Additional information
2/19/2021 5:05:06 PM;C:\Windows\System32\LogonUI.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\DestructiveResetInProgress;allowed;Automatic mode;
2/19/2021 5:05:07 PM;C:\Windows\System32\LogonUI.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\TpmClearRecoveryInProgress;allowed;Automatic mode;
2/19/2021 5:05:09 PM;C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87BDED91-3F10-4383-B8C1-26886F49F141}\LocalServer32;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AarSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AarSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BcastDVRUserService_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BcastDVRUserService_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BluetoothUserService_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BluetoothUserService_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CaptureService_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CaptureService_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cbdhsvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cbdhsvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CDPUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CDPUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ConsentUxUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ConsentUxUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CredentialEnrollmentManagerUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CredentialEnrollmentManagerUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DeviceAssociationBrokerSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DeviceAssociationBrokerSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DevicePickerUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DevicePickerUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DevicesFlowUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DevicesFlowUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MessagingService_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MessagingService_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\OneSyncSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\OneSyncSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PimIndexMaintenanceSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PimIndexMaintenanceSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PrintWorkflowUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PrintWorkflowUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UdkUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UdkUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnistoreSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnistoreSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UserDataSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UserDataSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WpnUserService_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WpnUserService_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\svchost.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\NgcFirst\ConsecutiveSwitchCount;allowed;Automatic mode;
2/19/2021 5:05:53 PM;C:\Windows\System32\ctfmon.exe;Modify startup settings;HKEY_USERS\S-1-5-21-2775152818-1588230348-2558996214-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internat.exe;allowed;Automatic mode;
After doing a Google search:
D6886603-9D2F-4EB2-B667-1971041FA96B = PIN
So I'm going to assume someone logged in via my PC's PIN and did a "DestructiveResetInProgress" and "TpmClearRecoveryInProgress", whatever this means.
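One way to triage an export like the one quoted above, as an added example that is not from the post or from ESET: it parses ESET's semicolon-separated HIPS log (assumed to carry exactly the seven columns of the header shown), classifies each written registry path by the kind of autostart location it is, and lists the records a defender would look at first. The sample records are copied from the post; the class names, the System32 rule and the function names are this example's own choices, not ESET's.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Records copied from the HIPS export quoted in the post above (ESET's semicolon-
# separated "Modify startup settings" log); the header line is the export's own.
SAMPLE_HIPS_LOG = r"""Time;Application;Operation;Target;Action;Rule;Additional information
2/19/2021 5:05:06 PM;C:\Windows\System32\LogonUI.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\DestructiveResetInProgress;allowed;Automatic mode;
2/19/2021 5:05:09 PM;C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87BDED91-3F10-4383-B8C1-26886F49F141}\LocalServer32;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AarSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\svchost.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\NgcFirst\ConsecutiveSwitchCount;allowed;Automatic mode;
2/19/2021 5:05:53 PM;C:\Windows\System32\ctfmon.exe;Modify startup settings;HKEY_USERS\S-1-5-21-2775152818-1588230348-2558996214-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internat.exe;allowed;Automatic mode;
"""

# Coarse classes for the registry paths HIPS reports, checked in this order
# (class names are this example's own, not an ESET taxonomy).
TARGET_CLASSES = (
    ('credential-provider', '\\authentication\\credential providers\\'),
    ('run-key', '\\currentversion\\run'),      # Run, RunOnce, ...
    ('com-server', 'server32'),                 # LocalServer32 / InprocServer32 under CLSID
    ('service-config', '\\services\\'),        # Start / ImagePath of a service
)

# Writers that live here are the Windows binaries seen in the post; anything else gets a look.
WINDOWS_SYSTEM_DIR = 'c:\\windows\\system32\\'


def parse_hips_export(text):
    """Parse the semicolon-separated export into one dict per record, keyed by the header."""
    return [dict(row) for row in csv.DictReader(StringIO(text.strip()), delimiter=';')]


def classify_target(target):
    """Map a registry path to one of TARGET_CLASSES, or 'other' if none matches."""
    lowered = target.lower()
    for label, needle in TARGET_CLASSES:
        if needle in lowered:
            return label
    return 'other'


def summarize_by_application(records):
    """Count target classes per modifying process: a quick view of who writes where."""
    by_app = defaultdict(Counter)
    for rec in records:
        by_app[rec['Application']][classify_target(rec['Target'])] += 1
    return dict(by_app)


def records_to_review(records):
    """Records worth a second look: the writer is not a binary under System32,
    or the write lands in a per-user Run key (a classic user-level autostart spot)."""
    flagged = []
    for rec in records:
        app = rec['Application'].lower()
        cls = classify_target(rec['Target'])
        if not app.startswith(WINDOWS_SYSTEM_DIR) or cls == 'run-key':
            flagged.append((rec['Time'], rec['Application'], cls, rec['Target']))
    return flagged


if __name__ == '__main__':
    recs = parse_hips_export(SAMPLE_HIPS_LOG)
    for app, counts in summarize_by_application(recs).items():
        print(app, dict(counts))
    for row in records_to_review(recs):
        print('REVIEW', *row)
```

The credential-provider class covers the {D6886603-9D2F-4EB2-B667-1971041FA96B} key the post identifies as the PIN provider, so a second write there from a process other than LogonUI.exe or svchost.exe would surface in the summary. The `_1f8ead56`-suffixed services written by services.exe are Windows per-user service instances, which carry a per-logon hex suffix; that is why they show up as a burst a few seconds after the LogonUI.exe entries rather than as anything a third party installed.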
-
I've also sent some sort of .exe's to ESET.
They are CR_xxxxx/setup.exe; the x's are random numbers/chars.
These things keep popping up from HIPS from time to time, targeting my browsers.
I couldn't obtain all of them; as soon as it gets reported by ESET's HIPS I try to go to the location of that .exe and it's not there.
Anyway, do you know how to disable safe boot without logging into Windows and without a Windows 10 physical disc?
-
Not sure about that; after blocking 0x1f4b0.com and restarting, it's now replaced by 0123movies.com.
-
These are some of those "Can not obtain ownership information":
-
Quote
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1204
RpcSs
[svchost.exe]
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
Can not obtain ownership information
TCP 0.0.0.0:1536 0.0.0.0:0 LISTENING 704
[System]
TCP 0.0.0.0:1537 0.0.0.0:0 LISTENING 900
Can not obtain ownership information
TCP 0.0.0.0:1538 0.0.0.0:0 LISTENING 1756
EventLog
[svchost.exe]
TCP 0.0.0.0:1539 0.0.0.0:0 LISTENING 1608
Schedule
[svchost.exe]
TCP 0.0.0.0:1540 0.0.0.0:0 LISTENING 300
Can not obtain ownership information
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 2288
CDPSvc
[svchost.exe]
TCP 10.102.37.150:139 0.0.0.0:0 LISTENING 4
Can not obtain ownership information
TCP 10.102.37.150:2142 82.202.185.211:443 ESTABLISHED 7960
Can not obtain ownership information
TCP 10.102.37.150:2147 82.202.185.211:443 ESTABLISHED 5236
[ksde.exe]
TCP 10.102.37.150:2982 162.159.130.234:443 ESTABLISHED 8792
[Discord.exe]
TCP 10.102.37.150:3144 172.217.194.18:443 ESTABLISHED 8304
[brave.exe]
TCP 10.102.37.150:3203 180.87.4.152:443 CLOSE_WAIT 7960
Can not obtain ownership information
TCP 10.102.37.150:3207 104.18.27.211:443 ESTABLISHED 8304
[brave.exe]
TCP 10.102.37.150:3211 172.67.69.162:443 ESTABLISHED 8304
[brave.exe]
TCP 127.0.0.1:1044 127.0.0.1:1045 ESTABLISHED 5236
[ksde.exe]
TCP 127.0.0.1:1045 127.0.0.1:1044 ESTABLISHED 5236
[ksde.exe]
TCP 127.0.0.1:1063 127.0.0.1:1064 ESTABLISHED 5236
[ksde.exe]
TCP 127.0.0.1:1064 127.0.0.1:1063 ESTABLISHED 5236
[ksde.exe]
TCP 127.0.0.1:1065 127.0.0.1:1066 ESTABLISHED 5236
[ksde.exe]
TCP 127.0.0.1:1066 127.0.0.1:1065 ESTABLISHED 5236
[ksde.exe]
TCP 127.0.0.1:1067 127.0.0.1:1068 ESTABLISHED 5236
[ksde.exe]
TCP 127.0.0.1:1068 127.0.0.1:1067 ESTABLISHED 5236
[ksde.exe]
TCP 127.0.0.1:1069 127.0.0.1:1070 ESTABLISHED 5236
[ksde.exe]
TCP 127.0.0.1:1070 127.0.0.1:1069 ESTABLISHED 5236
[ksde.exe]
TCP 127.0.0.1:1071 127.0.0.1:1072 ESTABLISHED 5236
[ksde.exe]
TCP 127.0.0.1:1072 127.0.0.1:1071 ESTABLISHED 5236
[ksde.exe]
TCP 127.0.0.1:1146 0.0.0.0:0 LISTENING 12056
[NVIDIA Web Helper.exe]
TCP 127.0.0.1:2140 127.0.0.1:2141 ESTABLISHED 7960
Can not obtain ownership information
TCP 127.0.0.1:2141 127.0.0.1:2140 ESTABLISHED 7960
Can not obtain ownership information
TCP 127.0.0.1:2145 127.0.0.1:2146 ESTABLISHED 5236
[ksde.exe]
TCP 127.0.0.1:2146 127.0.0.1:2145 ESTABLISHED 5236
[ksde.exe]
TCP 127.0.0.1:3128 0.0.0.0:0 LISTENING 11104
[System]
TCP 127.0.0.1:3128 127.0.0.1:3129 ESTABLISHED 11104
[System]
TCP 127.0.0.1:3129 127.0.0.1:3128 ESTABLISHED 11104
[System]
TCP 127.0.0.1:3839 127.0.0.1:3840 ESTABLISHED 7960
Can not obtain ownership information
TCP 127.0.0.1:3840 127.0.0.1:3839 ESTABLISHED 7960
Can not obtain ownership information
TCP 127.0.0.1:3843 0.0.0.0:0 LISTENING 7960
Can not obtain ownership information
TCP 127.0.0.1:3847 127.0.0.1:3848 ESTABLISHED 7960
Can not obtain ownership information
TCP 127.0.0.1:3848 127.0.0.1:3847 ESTABLISHED 7960
Can not obtain ownership information
TCP 127.0.0.1:3849 127.0.0.1:3850 ESTABLISHED 7960
Can not obtain ownership information
TCP 127.0.0.1:3850 127.0.0.1:3849 ESTABLISHED 7960
Can not obtain ownership information
TCP 127.0.0.1:6463 0.0.0.0:0 LISTENING 9576
[Discord.exe]
TCP 127.0.0.1:43227 0.0.0.0:0 LISTENING 2028
Can not obtain ownership information
TCP 192.168.176.123:1073 193.56.255.62:443 ESTABLISHED 5236
[ksde.exe]
TCP 192.168.176.123:1074 193.56.255.62:443 ESTABLISHED 5236
[ksde.exe]
TCP 192.168.176.123:1075 193.56.255.62:443 ESTABLISHED 5236
[ksde.exe]
TCP 192.168.176.123:1076 193.56.255.62:443 ESTABLISHED 5236
[ksde.exe]
TCP 192.168.176.123:1077 193.56.255.62:443 ESTABLISHED 5236
[ksde.exe]
TCP 192.168.176.123:1078 193.56.255.62:443 ESTABLISHED 5236
[ksde.exe]
TCP 192.168.176.123:1079 193.56.255.62:443 ESTABLISHED 5236
[ksde.exe]
TCP 192.168.176.123:1080 193.56.255.62:443 ESTABLISHED 5236
[ksde.exe]
TCP 192.168.176.123:1081 193.56.255.62:443 ESTABLISHED 5236
[ksde.exe]
TCP 192.168.176.123:1082 193.56.255.62:443 ESTABLISHED 5236
[ksde.exe]
TCP [::]:135 [::]:0 LISTENING 1204
RpcSs
[svchost.exe]
TCP [::]:445 [::]:0 LISTENING 4
Can not obtain ownership information
TCP [::]:1536 [::]:0 LISTENING 704
[System]
TCP [::]:1537 [::]:0 LISTENING 900
Can not obtain ownership information
TCP [::]:1538 [::]:0 LISTENING 1756
EventLog
[svchost.exe]
TCP [::]:1539 [::]:0 LISTENING 1608
Schedule
[svchost.exe]
TCP [::]:1540 [::]:0 LISTENING 300
Can not obtain ownership information
UDP 0.0.0.0:67 *:* 7960
Can not obtain ownership information
UDP 0.0.0.0:500 *:* 3572
IKEEXT
[svchost.exe]
UDP 0.0.0.0:1900 *:* 7960
Can not obtain ownership information
UDP 0.0.0.0:4500 *:* 3572
IKEEXT
[svchost.exe]
UDP 0.0.0.0:5050 *:* 2288
CDPSvc
[svchost.exe]
UDP 0.0.0.0:5353 *:* 6740
[brave.exe]
UDP 0.0.0.0:5353 *:* 8304
[brave.exe]
UDP 0.0.0.0:5353 *:* 8304
[brave.exe]
UDP 0.0.0.0:5353 *:* 8304
[brave.exe]
UDP 0.0.0.0:5353 *:* 6740
[brave.exe]
UDP 0.0.0.0:5353 *:* 8304
[brave.exe]
UDP 0.0.0.0:5353 *:* 2408
Dnscache
[svchost.exe]
UDP 0.0.0.0:5353 *:* 8304
[brave.exe]
UDP 0.0.0.0:5353 *:* 8304
[brave.exe]
UDP 0.0.0.0:5353 *:* 6740
[brave.exe]
UDP 0.0.0.0:5353 *:* 6740
[brave.exe]
UDP 0.0.0.0:5353 *:* 7960
Can not obtain ownership information
UDP 0.0.0.0:5353 *:* 8304
[brave.exe]
UDP 0.0.0.0:5353 *:* 8304
[brave.exe]
UDP 0.0.0.0:5355 *:* 2408
Dnscache
[svchost.exe]
UDP 0.0.0.0:53709 *:* 2060
Can not obtain ownership information
UDP 0.0.0.0:58096 *:* 2060
Can not obtain ownership information
UDP 0.0.0.0:58307 *:* 2060
Can not obtain ownership information
UDP 0.0.0.0:63933 *:* 7960
Can not obtain ownership information
UDP 10.102.37.150:137 *:* 4
Can not obtain ownership information
UDP 10.102.37.150:138 *:* 4
Can not obtain ownership information
UDP 10.102.37.150:2177 *:* 7236
QWAVE
[svchost.exe]
UDP 127.0.0.1:10010 *:* 12056
[NVIDIA Web Helper.exe]
UDP 127.0.0.1:50747 *:* 7960
Can not obtain ownership information
UDP 127.0.0.1:51235 *:* 7148
[nvcontainer.exe]
UDP 127.0.0.1:52983 *:* 2060
Can not obtain ownership information
UDP 127.0.0.1:61333 *:* 4212
iphlpsvc
[svchost.exe]
UDP 127.0.0.1:63923 *:* 7960
Can not obtain ownership information
UDP 127.0.0.1:63924 *:* 7960
Can not obtain ownership information
UDP 192.168.176.123:1900 *:* 7960
Can not obtain ownership information
UDP 192.168.176.123:2177 *:* 7236
QWAVE
[svchost.exe]
UDP 192.168.176.123:5353 *:* 7960
Can not obtain ownership information
UDP 192.168.176.123:51495 *:* 7960
Can not obtain ownership information
UDP 192.168.176.123:51496 *:* 7960
Can not obtain ownership information
UDP [::]:500 *:* 3572
IKEEXT
[svchost.exe]
UDP [::]:4500 *:* 3572
IKEEXT
[svchost.exe]
UDP [::]:5353 *:* 8304
[brave.exe]
UDP [::]:5353 *:* 2408
Dnscache
[svchost.exe]
UDP [::]:5353 *:* 6740
[brave.exe]
UDP [::]:5353 *:* 8304
[brave.exe]
UDP [::]:5353 *:* 8304
[brave.exe]
UDP [::]:5353 *:* 6740
[brave.exe]
UDP [::]:5353 *:* 8304
[brave.exe]
UDP [::]:5355 *:* 2408
Dnscache
[svchost.exe]
UDP [fe80::2016:5d80:4c51:aa93%6]:2177 *:* 7236
QWAVE
[svchost.exe]
UDP [fe80::6993:e4bb:5af1:f881%12]:2177 *:* 7236
QWAVE
[svchost.exe]
I've added "127.0.0.1 0x1f4b0.com" to hosts and it returned to 0.0.0.0, but this still shows in ESET.
What are supposed to be the default connections/ports of these things?
Should I block ports 15xx?
Are my system services hijacked?
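A parser for the netstat listing quoted above, added here as an example that is not from the post: it assumes the listing is `netstat -abno` output, where the line after each socket line is either a bracketed executable name, a hosted service name followed by the executable, or "Can not obtain ownership information". It groups sockets by PID, lists what is bound on each port with its owner, and pulls out established connections to non-loopback peers whose owner netstat could not name. The sample is a constructed subset of the post's own listing; the function names are this example's own.

```python
from collections import defaultdict

# Constructed sample: a subset of the netstat output quoted in the post above, in the
# layout netstat prints with -b (an owner line follows each socket line).
SAMPLE_NETSTAT = """\
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1204
RpcSs
[svchost.exe]
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
Can not obtain ownership information
TCP 0.0.0.0:1538 0.0.0.0:0 LISTENING 1756
EventLog
[svchost.exe]
TCP 10.102.37.150:2142 82.202.185.211:443 ESTABLISHED 7960
Can not obtain ownership information
TCP 10.102.37.150:2147 82.202.185.211:443 ESTABLISHED 5236
[ksde.exe]
TCP 127.0.0.1:3843 0.0.0.0:0 LISTENING 7960
Can not obtain ownership information
TCP [::]:135 [::]:0 LISTENING 1204
RpcSs
[svchost.exe]
UDP 0.0.0.0:500 *:* 3572
IKEEXT
[svchost.exe]
UDP 0.0.0.0:1900 *:* 7960
Can not obtain ownership information
"""


def split_port(endpoint):
    """'10.0.0.1:443' -> ('10.0.0.1', 443); '[::]:135' -> ('[::]', 135); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(':')
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse netstat -abno style output into one dict per socket, with owner info attached."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('Proto'):
            continue
        parts = line.split()
        if parts[0] in ('TCP', 'UDP'):
            state = parts[3] if parts[0] == 'TCP' else None   # UDP lines carry no state column
            records.append({'proto': parts[0], 'local': parts[1], 'remote': parts[2],
                            'state': state, 'pid': int(parts[-1]),
                            'service': None, 'process': None})
        elif not records:
            continue                                            # owner line before any socket line
        elif line.startswith('[') and line.endswith(']'):
            records[-1]['process'] = line[1:-1]                 # e.g. [svchost.exe]
        elif line.startswith('Can not obtain'):
            records[-1]['process'] = None                       # netstat could not open the owner
        else:
            records[-1]['service'] = line                       # service hosted in the next [exe]
    return records


def owner_label(rec):
    if rec['process'] is None:
        return 'unknown (ownership not obtained)'
    return f"{rec['process']} ({rec['service']})" if rec['service'] else rec['process']


def listening_ports(records):
    """(proto, port) -> sorted owner labels for every listening TCP socket and every UDP socket."""
    ports = defaultdict(set)
    for rec in records:
        if rec['proto'] == 'UDP' or rec['state'] == 'LISTENING':
            _, port = split_port(rec['local'])
            ports[(rec['proto'], port)].add(owner_label(rec))
    return {key: sorted(owners) for key, owners in ports.items()}


def unattributed_remote_connections(records):
    """Established connections to non-loopback peers whose owning process netstat could not name."""
    hits = []
    for rec in records:
        if rec['state'] != 'ESTABLISHED' or rec['process'] is not None:
            continue
        host, _ = split_port(rec['remote'])
        if host.startswith('127.') or host == '[::1]':
            continue
        hits.append((rec['pid'], rec['local'], rec['remote']))
    return hits


def sockets_by_pid(records):
    """pid -> process name (or None), hosted services, socket count: the pivot to use with tasklist."""
    out = {}
    for rec in records:
        entry = out.setdefault(rec['pid'], {'process': None, 'services': set(), 'sockets': 0})
        entry['sockets'] += 1
        if rec['process']:
            entry['process'] = rec['process']
        if rec['service']:
            entry['services'].add(rec['service'])
    return {pid: {**e, 'services': sorted(e['services'])} for pid, e in out.items()}


if __name__ == '__main__':
    recs = parse_netstat(SAMPLE_NETSTAT)
    for key, owners in sorted(listening_ports(recs).items(), key=str):
        print(key, owners)
    print(unattributed_remote_connections(recs))
```

"Can not obtain ownership information" is what netstat prints when it cannot open the owning process; it is normal for PID 4 (System) and common for protected or higher-integrity processes when netstat is not run from an elevated prompt. The useful next step is therefore to map the PID, for example with `tasklist /FI "PID eq 7960"` or the Details tab of Task Manager, rather than to block a port whose owner is still unknown.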
-
What about this?
-
There's also an unknown user S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv
and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc.
I'm the only user on this device.
WdNisDrv also stops running from time to time.
-
Can anyone tell me what these are?
Quote
2018-08-12 16:46:34.411, Info [Environment::Initialize] Start...
2018-08-12 16:46:34.411, Info [Environment::Initialize] wstrStartDeployTime = 2018-08-12 16:46:34:408
2018-08-12 16:46:34.411, Info [Environment::Initialize] wstrSystemDrive = C:
2018-08-12 16:46:34.411, Info [Environment::Initialize] wstrTargetNewOSDrive = C:
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrLogPath = C:\$GetCurrent\Logs
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrLogFileFullPath = C:\$GetCurrent\Logs\downlevel_2018_08_12_16_46_34_410.log
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrTempPath = \$GetCurrent
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrTempFolder = C:\$GetCurrent
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrTenSTempPath =
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrTenSTempFolder =
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrReportPath = C:\$GetCurrent\downlevel_2018_08_12_16_46_34_410.rpt
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrExecutablePath = C:\Windows10Upgrade
2018-08-12 16:46:35.411, Info [Environment::Initialize] Exe name = Windows10UpgraderApp.exe
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrSystemTempFolder = C:\Users\Asus\AppData\Local\Temp
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrTempMedia = C:\$GetCurrent\media
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrSafeOSFolder = C:\$GetCurrent\SafeOS
2018-08-12 16:46:35.412, Info [Environment::Initialize] wstrcV = lkmGbIx8e0Cr4ziT.999
2018-08-12 16:46:35.412, Warning [WMIHelper::GetHardwareId] CoInitializeSecurity failed, Error = 0x80010119
2018-08-12 16:46:35.536, Info [WMIHelper::GetRegMachineId] Open an existing reg key HKLM\SOFTWARE\Microsoft\SQMClient.
2018-08-12 16:46:35.536, Info [Environment::Initialize] Machine Id is: {2C9DC76A-19D2-4199-B941-9D98B96BE2E9}
2018-08-12 16:46:35.536, Info [Environment::Initialize] Device Id is: 0a62a4c6365927abfa389d453ce1147662fbb673
2018-08-12 16:46:35.536, Info [OSVersion::Init] >= 6.2, Use Rtl function to detect OS version ...
2018-08-12 16:46:35.537, Info [Environment::Initialize] Windows Version: 10.0 (16299),,producttype=1
2018-08-12 16:46:35.537, Info [Environment::Initialize] wstrPostOobeScriptFilename = C:\$GetCurrent\SafeOS\SetupComplete.cmd
2018-08-12 16:46:35.537, Info [Environment::Initialize] wstrRollbackScriptFilename = C:\$GetCurrent\SafeOS\Rollback.cmd
2018-08-12 16:46:35.537, Info [Environment::Initialize] wstrRollbackInformationFilename = C:\$GetCurrent\SafeOS\GetCurrentRollback.ini
2018-08-12 16:46:35.537, Info [Environment::Initialize] wstrWINRESetupPhaseFilename = C:\$GetCurrent\SafeOS\GetCurrentWinRESetup.ini
2018-08-12 16:46:35.537, Info [Environment::Initialize] bLADTest = 0
2018-08-12 16:46:35.537, Info [Environment::Initialize] bIsSetupConfigIniFilePresent = 0
2018-08-12 16:46:35.537, Info [Environment::Initialize] wstrSetupConfigIniFilePath = C:\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini
2018-08-12 16:46:35.537, Info [Environment::Initialize] Init Telemetry system based on WER APIs
2018-08-12 16:46:35.538, Info [Environment::Initialize] Finished
2018-08-12 16:46:35.538, Warning [GetCurrent_Initialize] This version doesn't verify signature information
2018-08-12 16:46:35.538, Info [MinimalRequirementCheck] hr = 0x0, ResultBits = 0x0
2018-08-12 16:46:35.538, Info [GetCurrent_Initialize] MinimalRequirement Check succeeded! hr = 0x0
2018-08-12 16:46:35.538, Info [GetCurrent_Initialize] Load appraiserxp.dll
2018-08-12 16:46:35.539, Info [GetCurrent_Initialize] Load appraiserxp.dll succeeded! hr = 0x0
2018-08-12 16:46:35.539, Info [GetCurrent_Initialize] Get IsReady function
2018-08-12 16:46:35.539, Info [GetCurrent_Initialize] Get IsReady function succeeded! hr = 0x0
2018-08-12 16:46:35.539, Info [GetCurrent_Initialize] pfnIsReady: 0x53c53960
2018-08-12 16:46:35.539, Info [GetCurrent_Initialize] isPushing: 1
2018-08-12 16:46:35.539, Info [GetCurrent_Initialize] Call Compact check IsReady succeeded! hr = 0x0
2018-08-12 16:46:35.540, Info [GetCurrent_Initialize] Compact Check succeeded! isReady = 1
2018-08-12 16:46:35.548, Info [GetCurrent_SetPartnerPostOOBEScript] Create GetCurrent SafeOS Folder succeeded! hr = 0x0
2018-08-12 16:46:35.551, Info [GetCurrent_SetPartnerPostOOBEScript] Copy partner post oobe script succeeded! dwReturn = 0x1 GetLastError = 0x0
2018-08-12 16:46:35.551, Info [GetCurrent_SetPartnerID] Partner ID is {E52ABFC2-76BB-4908-883F-CA581FDD83F9}
2018-08-12 16:46:35.551, Info [GetCurrent_SetPartnerID] Partner Name is VNL
2018-08-12 16:46:35.552, Info [OSVersion::Init] >= 6.2, Use Rtl function to detect OS version ...
2018-08-12 16:46:35.552, Warning [SystemRequirementCheck::IsUpgradeOptionSupported] Upgrade option type (0x600) is not allowed. But we'll continue. We'll fix this late.
2018-08-12 16:46:35.552, Info [GetCurrent_SetUpgradeOptionType] Upgrade option: 0x600
2018-08-12 16:46:35.552, Info [GetCurrent_SyncDataEx] Start sync with external...
2018-08-12 16:46:35.552, Info [GetCurrent_SyncDataEx] Get wstrExternalId = {} from external.
2018-08-12 16:46:35.552, Info [GetCurrent_SyncDataEx] Get wstrExternalIdDescription = NHV19:<1.4.9200.22532>:<3> from external.
2018-08-12 16:46:35.552, Info [GetCurrent_SyncDataEx] Set Assistant Show Up time = 2018-08-12 16:32:00:991.
2018-08-12 16:46:35.552, Info [GetCurrent_SyncDataEx] Set Download Image Duration = 804 seconds.
2018-08-12 16:46:35.553, Info [GetCurrent_SyncDataEx] Set Restart times during download = 0.
2018-08-12 16:46:35.553, Info [GetCurrent_SyncDataEx] Set wstrDeviceId = 0a62a4c6365927abfa389d453ce1147662fbb673 to external.
2018-08-12 16:46:35.553, Info [GetCurrent_SyncDataEx] Set wstrcV = lkmGbIx8e0Cr4ziT.999 to external.
2018-08-12 16:46:35.553, Info [GetCurrent_SyncDataEx] End sync with external...
2018-08-12 16:46:35.553, Info [GetCurrent_StartDeploy] Check GetCurrent mutex: dwError = 0x529e766f
2018-08-12 16:46:35.553, Info [GetCurrent_StartDeploy] Check Setup360 mutex: dwError = 0x529e766f
2018-08-12 16:46:35.553, Info [GetCurrent_StartDeploy] No other GetCurrentDeploy instance, start deploy ...
2018-08-12 16:46:35.553, Info [DoXPDeployment] wstrSetupSourceFolderOrFile = C:\Windows10Upgrade\17134.112.180619-1212.rs4_release_svc_refresh_CLIENTCONSUMER_RET_x64FRE_en-us.esd
2018-08-12 16:46:35.553, Info [DoXPDeployment] Create action chain ...
2018-08-12 16:46:35.553, Info [DoXPDeployment] Windows Version: 10.0 (16299),,1, 768
2018-08-12 16:46:35.553, Info [DoXPDeployment] Win 7 and plus, use win 10 setup directly
2018-08-12 16:46:35.553, Info [DoXPDeployment] Execute action chain
2018-08-12 16:46:35.553, Info [XPSetupActionQueue::Execute] Execute action chains of class XPSAQ<class EntryQueueDelegatorForWin7Later> ...
2018-08-12 16:46:35.553, Info [XPSetupAction::Execute] Execute action of class XPSA<class EnableWUNoAutoRebootDelegator> ...
2018-08-12 16:46:35.553, Info [EnableWUNoAutoRebootDelegator::ExecuteAction] Can't read WU Auto Reboot Policy, error = 0x2
2018-08-12 16:46:35.558, Info [EnableWUNoAutoRebootDelegator::ExecuteAction] Disable WU Auto Reboot in policies succeeded! hr = 0x0
2018-08-12 16:46:35.558, Info [WinUtil::RunCommand] Command Line: gpupdate /force
2018-08-12 16:46:35.666, Info [WinUtil::RunCommand] Waiting for process 0xbd8
2018-08-12 16:46:58.895, Info [WinUtil::RunCommand] process exited as expected.
2018-08-12 16:46:58.895, Info [WinUtil::RunCommand] Process returned: 0x0
2018-08-12 16:46:58.895, Info [EnableWUNoAutoRebootDelegator::ExecuteAction] Update the Goup Policy forcely succeeded! hr = 0x0
2018-08-12 16:46:58.906, Info [XPSetupAction::Execute] The action is marked to ingore execution error. hr = 0x0
2018-08-12 16:46:58.906, Info [XPSetupActionQueue::Execute] Execute action chains of class XPSAQ<class StartWUDelegator> ...
2018-08-12 16:46:58.906, Info [XPSetupAction::Execute] Execute action of class XPSA<class StartWUServiceDelegator> ...
2018-08-12 16:46:58.907, Info [StartWUServiceDelegator::TryStartService] Open SC Manager succeeded! m_hSCManager = 0x6878300 GetLastError = 0x0
2018-08-12 16:46:58.908, Info [StartWUServiceDelegator::TryStartService] SC Manager Handle: 0x6878300
2018-08-12 16:46:58.908, Info [StartWUServiceDelegator::TryStartService] Open Service succeeded! m_hWUService = 0x6878030 GetLastError = 0x0
2018-08-12 16:46:58.908, Info [StartWUServiceDelegator::TryStartService] Service Handle: 0x6878030
2018-08-12 16:46:58.908, Info [StartWUServiceDelegator::TryStartService] QUERY_SERVICE_CONFIG size: 256
2018-08-12 16:46:58.908, Info [StartWUServiceDelegator::TryStartService] Query service config succeeded! fSuccess = 0x1 GetLastError = 0x0
2018-08-12 16:46:58.908, Info [StartWUServiceDelegator::TryStartService] Start type: 0x3
2018-08-12 16:46:58.908, Info [StartWUServiceDelegator::TryStartService] Query service status succeeded! fSuccess = 0x1 GetLastError = 0x0
2018-08-12 16:46:58.908, Info [StartWUServiceDelegator::TryStartService] Current status: 0x1
2018-08-12 16:46:58.910, Info [StartWUServiceDelegator::TryStartService] Start service succeeded! fSuccess = 0x1 GetLastError = 0x0
2018-08-12 16:46:58.910, Info [XPSetupAction::Execute] The action is marked to ingore execution error. hr = 0x0
2018-08-12 16:46:58.910, Info [XPSetupAction::Execute] Execute action of class XPSA<class ConfigWUPolicyDelegator> ...
2018-08-12 16:46:58.922, Info [XPSetupAction::Execute] The action is marked to ingore execution error. hr = 0x0
2018-08-12 16:46:58.923, Info [XPSetupAction::Execute] Execute action of class XPSA<class DecryptEsdFileDelegator> ...
2018-08-12 16:46:59.244, Info [DecryptEsdFileDelegator::ExecuteAction] Create temporary folder: C:\$GetCurrent\media
2018-08-12 16:46:59.245, Info [DecryptEsdFileDelegator::ExecuteAction] Create temporary folder succeeded! hr = 0x0
2018-08-12 16:46:59.245, Info [DecryptEsdFileDelegator::ExecuteAction] Invoke function : RestoreESDLayout()...
2018-08-12 16:47:00.318, Warning [EsdDecryptCallbackFunc] Progress Flag File is not set, set is as default [progress.ini]
2018-08-12 17:12:59.710, Info [XPSetupAction::Execute] Execute action of class XPSA<class DeleteSourceSetupDelegator> ...
2018-08-12 17:13:04.726, Info [DeleteSourceSetupDelegator::ExecuteAction] Target architecture : amd64
2018-08-12 17:13:04.726, Info [DeleteSourceSetupDelegator::ExecuteAction] bIsDataOnlyMigration : 0 bTargetArchIsAmd64 : 1 bCurrentArchIsAmd64 : 1
2018-08-12 17:13:04.726, Info [DeleteSourceSetupDelegator::ExecuteAction] Delete legacy setup binary to force setup360 run : C:\$GetCurrent\media\sources\setup.exe
2018-08-12 17:13:04.727, Info [DeleteSourceSetupDelegator::ExecuteAction] Delete legacy setup binary succeeded! hr = 0x0
2018-08-12 17:13:04.727, Info [XPSetupActionQueue::Execute] Execute action chains of class XPSAQ<class RollbackPrepDelegator> ...
2018-08-12 17:13:04.727, Info [XPSetupAction::Execute] Execute action of class XPSA<class SaveRollbackInformationDelegator> ...
2018-08-12 17:13:04.727, Info [SaveRollbackInformationDelegator::ExecuteAction] Ensure SafeOS folder: C:\$GetCurrent\SafeOS
2018-08-12 17:13:04.727, Info [SaveRollbackInformationDelegator::ExecuteAction] Create SafeOS folder succeeded! hr = 0x0
2018-08-12 17:13:07.807, Info [XPSetupAction::Execute] Execute action of class XPSA<class DeployGetCurrentOOBEDelegator> ...
2018-08-12 17:13:10.595, Info [CopyFileDelegator::ExecuteAction] Copy file: C:\Windows10Upgrade\GetCurrentOOBE.dll -> C:\$GetCurrent\SafeOS\GetCurrentOOBE.dll
2018-08-12 17:13:24.998, Info [CopyFileDelegator::ExecuteAction] CopyFileDelegator::ExecuteAction succeeded! fSuccess = 0x1 GetLastError = 0x0
2018-08-12 17:13:24.998, Info [XPSetupAction::Execute] Execute action of class XPSA<class CreatePreOobeScriptDelegator> ...
2018-08-12 17:13:24.998, Info [CreatePreOobeScriptDelegator::ExecuteAction] Output filename: C:\$GetCurrent\SafeOS\preoobe.cmd
2018-08-12 17:13:31.054, Info [CreatePreOobeScriptDelegator::ExecuteAction] Open preoobe.cmd succeeded! fout = 0x1
2018-08-12 17:13:33.556, Info [XPSetupAction::Execute] Execute action of class XPSA<class CreatePostOobeScriptDelegator> ...
2018-08-12 17:13:33.556, Info [CreatePostOobeScriptDelegator::ExecuteAction] Output filename: C:\$GetCurrent\SafeOS\SetupComplete.cmd
2018-08-12 17:13:33.557, Info [CreatePostOobeScriptDelegator::ExecuteAction] Open SetupComplete.cmd succeeded! fout = 0x1
2018-08-12 17:13:33.562, Info [XPSetupAction::Execute] Execute action of class XPSA<class ConfigRollbackRunDelegator> ...
2018-08-12 17:13:37.028, Info [ConfigRollbackRunDelegator::ExecuteAction] Open an existing reg key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.
2018-08-12 17:13:37.028, Info [ConfigRollbackRunDelegator::ExecuteAction] Update Registry Value, Path=SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, !GetCurrentRollback="C:\Windows10Upgrade\GetCurrentRollback.exe" "progress.ini" "C:" "NHV19:<1.4.9200.22532>:<3>"
2018-08-12 17:13:37.028, Info [ConfigRollbackRunDelegator::ExecuteAction] Update Registry Value succeeded! hr = 0x0
2018-08-12 17:13:37.028, Info [XPSetupAction::Execute] The action is marked to ingore execution error. hr = 0x0
2018-08-12 17:13:37.028, Info [XPSetupAction::Execute] Execute action of class XPSA<class RunSetupForWin7LaterDelegator> ...
2018-08-12 17:13:37.028, Info [GenerateClientId] >= 6.2, Use Rtl function to detect OS version ...
2018-08-12 17:13:37.028, Warning [WinUtil::IsPrivacySettingsComplete] WUA: Failed to check if Privacy Settings complete. Assuming incomplete. Error: [0x80070002]
2018-08-12 17:13:37.029, Info [WinUtil::IsPrivacySettingsComplete] WUA: IsPrivacySettingsComplete: [FALSE]
2018-08-12 17:13:37.029, Info [WinUtil::IsDeviceManaged] WUA: EditionID Value [CoreSingleLanguage]
2018-08-12 17:13:37.029, Info [WinUtil::IsDeviceManaged] WUA bIsDeviceManaged from EditionId: [FALSE]
2018-08-12 17:13:37.029, Info [WinUtil::IsDeviceManaged] WUA: Could not get NV Domain. [0x80070002]
2018-08-12 17:13:37.029, Info [WinUtil::IsDeviceManaged] WUA: bIsDeviceManaged from NV Domain: [FALSE]
2018-08-12 17:13:37.029, Info [WinUtil::IsDeviceManaged] WUA: Could not get ProductCode. [0x80070002]
2018-08-12 17:13:37.029, Info [WinUtil::IsDeviceManaged] WUA: bIsDeviceManaged from ProductCode: [FALSE]
2018-08-12 17:13:37.029, Info [WinUtil::IsDeviceManaged] WUA: Could not get UseWUServer value. [0x80070002]
2018-08-12 17:13:37.029, Info [WinUtil::IsDeviceManaged] WUA: bIsDeviceManaged from UseWUServer: [FALSE]
2018-08-12 17:13:37.029, Info [WinUtil::IsDeviceManaged] WUA: Could not get ShowPrivacySettingsUI value. [0x80070002]
2018-08-12 17:13:37.029, Info [WinUtil::IsDeviceManaged] WUA: bIsDeviceManaged from ShowPrivacySettingsUI: [FALSE]
2018-08-12 17:13:37.029, Info [RunSetupForWin7LaterDelegator::ExecuteAction] Command Line: C:\$GetCurrent\media\setup.exe /migchoice upgrade /showoobe none /quiet /Compat IgnoreWarning /eula accept /noreboot /postoobe C:\$GetCurrent\SafeOS\SetupComplete.cmd /CorrelationVector lkmGbIx8e0Cr4ziT.999 /ClientId Win10UA:VNL:NHV19:<1.4.9200.22532>:<3>:{}:[10.0.16299]:[2] /DynamicUpdate Enable /telemetry enable /UpdateMedia Decline /SkipSummary
2018-08-12 17:13:37.029, Info [WinUtil::RunCommand] Command Line: C:\$GetCurrent\media\setup.exe /migchoice upgrade /showoobe none /quiet /Compat IgnoreWarning /eula accept /noreboot /postoobe C:\$GetCurrent\SafeOS\SetupComplete.cmd /CorrelationVector lkmGbIx8e0Cr4ziT.999 /ClientId Win10UA:VNL:NHV19:<1.4.9200.22532>:<3>:{}:[10.0.16299]:[2] /DynamicUpdate Enable /telemetry enable /UpdateMedia Decline /SkipSummary
2018-08-12 17:14:12.877, Info [WinUtil::RunCommand] Waiting for process 0x1794
2018-08-12 23:46:16.129, Info [WinUtil::RunCommand] process exited as expected.
2018-08-12 23:46:16.228, Info [WinUtil::RunCommand] Process returned: 0x0
2018-08-12 23:46:16.229, Info [RunSetupForWin7LaterDelegator::ExecuteAction] Run Setup.exe succeeded! hr = 0x0
2018-08-12 23:46:16.240, Info [RunSetupForWin7LaterDelegator::ExecuteAction] Setup execution result succeeded! (HRESULT)dwExitCode = 0x0
2018-08-12 23:46:16.478, Info [XPSetupActionQueue::Execute] Execute action chains of class XPSAQ<class EnvScanDelegator> ...
2018-08-12 23:46:16.493, Info [XPSetupAction::Execute] Execute action of class XPSA<class RunOnceCheckDelegator> ...
2018-08-12 23:46:16.722, Info [RunOnceCheckDelegator::ExecuteAction] The Rollback Runonce is already set properly
2018-08-12 23:46:16.722, Info [XPSetupAction::Execute] The action is marked to ingore execution error. hr = 0x0
2018-08-12 23:46:16.722, Info [XPSetupAction::Execute] Execute action of class XPSA<class UpdateEnvScanTelemetryDelegator> ...
2018-08-12 23:46:16.953, Info [XPSetupAction::Execute] The action is marked to ingore execution error. hr = 0x0
2018-08-12 23:46:16.953, Info [DoXPDeployment] Destroy action chain
2018-08-12 23:46:16.953, Info [XPSetupActionQueue::DisassemblyChildActions] Disassembly child actions of class XPSAQ<class EntryQueueDelegatorForWin7Later> ...
2018-08-12 23:46:16.953, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSAQ<class EnvScanDelegator> ...
2018-08-12 23:46:16.953, Info [XPSetupActionQueue::DisassemblyChildActions] Disassembly child actions of class XPSAQ<class EnvScanDelegator> ...
2018-08-12 23:46:16.953, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class UpdateEnvScanTelemetryDelegator> ...
2018-08-12 23:46:16.998, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class RunOnceCheckDelegator> ...
2018-08-12 23:46:16.998, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class RunSetupForWin7LaterDelegator> ...
2018-08-12 23:46:16.998, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSAQ<class RollbackPrepDelegator> ...
2018-08-12 23:46:16.998, Info [XPSetupActionQueue::DisassemblyChildActions] Disassembly child actions of class XPSAQ<class RollbackPrepDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class ConfigRollbackRunDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class CreatePostOobeScriptDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class CreatePreOobeScriptDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class DeployGetCurrentOOBEDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class SaveRollbackInformationDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class DeleteSourceSetupDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class DecryptEsdFileDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSAQ<class StartWUDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Disassembly child actions of class XPSAQ<class StartWUDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class ConfigWUPolicyDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class StartWUServiceDelegator> ...
2018-08-12 23:46:17.551, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class EnableWUNoAutoRebootDelegator> ...
2018-08-12 23:46:17.552, Info [EnableWUNoAutoRebootDelegator::~EnableWUNoAutoRebootDelegator] Restore WU No Auto Reboot setting HRESULT = 0x0
2018-08-12 23:46:17.552, Info [DoXPDeployment] Finished hr = 0x0
2018-08-12 23:46:17.553, Info [TelemetryUpgrade::CanSendTelemetry] Telemetry allowed on Win10 and above.
-
scratch this
Quote: also today, I found in my recycle bin files I've deleted long ago; all of them were deleted at the same time, 5:08, and their original location was microsoft/windows/recent
-
I don't know, something definitely suspicious is going on.
I just discovered in my documents two exported bookmark HTMLs whose contents include selectively private stuff, and I'm not just talking about porn (although that was included).
Also today, I found in my recycle bin files I've deleted long ago; all of them were deleted at the same time, 5:08, and their original location was microsoft/windows/recent.
-
even though it has 5335 attached to it?
-
22 hours ago, migs_k said:
Where can I locate these "updates"? I want to send them for inspection and see what's inside.
ty
Quick question about WdNisSvc (posted in General Discussion)
Is it normal for services.exe to stop the Microsoft Defender Antivirus Network Inspection Service from time to time?