migs_k

Posts posted by migs_k

  1. After logging in using a PIN after a restart, and

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-229674073-691441657-888200982-1001\NgcFirst\ConsecutiveSwitchCount

    Quote

    Time;Application;Operation;Target;Action;Rule;Additional information
    4/14/2021 8:44:57 PM;C:\Windows\System32\svchost.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-229674073-691441657-888200982-1001\NgcFirst\ConsecutiveSwitchCount;allowed;Automatic mode;

     

    This came up on ESET HIPS; I've never seen this pop up before.

    After doing some internet searching, this came up:

    https://forum.eset.com/topic/23588-hips-alert-for-host-process/?_fromLogin=1

     

  2. One of them looks like base64.

    Quote

    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

    Just me being suspicious, because I saw this YouTube video https://www.youtube.com/watch?v=mhOWdH2zwMk where the malware source code is placed in whatever places.

    EDIT: ok yeah, decoded it and it's something that may be part of the source code for something.

    Quote

    {"p1":{"509880146":{"p2":[{"p3":1526052725,"p4":867731894,"p5":0},{"p3":1525962912,"p4":867731894,"p5":0},{"p3":1525876352,"p4":867731894,"p5":0},{"p3":1515558742,"p4":2330284738,"p5":0},{"p3":1515328333,"p4":2330284738,"p5":0},{"p3":1513760498,"p4":3068237567,"p5":0},{"p3":1511750089,"p4":3814026679,"p5":0},{"p3":1511260366,"p4":3814026679,"p5":0}]},"127446590":{"p2":[{"p3":1516412135,"p4":3192606308,"p5":0},{"p3":1513665302,"p4":3192606308,"p5":0}]}}}

  3. Also, to me this is an unresolved issue.

    Quote

    Can I ask what these are? They automatically ran without me knowing.

    Time;Application;Operation;Target;Action;Rule;Additional information
    2/19/2021 5:05:06 PM;C:\Windows\System32\LogonUI.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\DestructiveResetInProgress;allowed;Automatic mode;
    2/19/2021 5:05:07 PM;C:\Windows\System32\LogonUI.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\TpmClearRecoveryInProgress;allowed;Automatic mode;
    2/19/2021 5:05:09 PM;C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87BDED91-3F10-4383-B8C1-26886F49F141}\LocalServer32;allowed;Automatic mode;
    2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AarSvc_1f8ead56\Start;allowed;Automatic mode;
    2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AarSvc_1f8ead56\ImagePath;allowed;Automatic mode;
    2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BcastDVRUserService_1f8ead56\Start;allowed;Automatic mode;
    2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BcastDVRUserService_1f8ead56\ImagePath;allowed;Automatic mode;
    2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BluetoothUserService_1f8ead56\Start;allowed;Automatic mode;
    2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BluetoothUserService_1f8ead56\ImagePath;allowed;Automatic mode;
    2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CaptureService_1f8ead56\Start;allowed;Automatic mode;
    2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CaptureService_1f8ead56\ImagePath;allowed;Automatic mode;
    2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cbdhsvc_1f8ead56\Start;allowed;Automatic mode;
    2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cbdhsvc_1f8ead56\ImagePath;allowed;Automatic mode;
    2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CDPUserSvc_1f8ead56\Start;allowed;Automatic mode;
    2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CDPUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
    2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ConsentUxUserSvc_1f8ead56\Start;allowed;Automatic mode;
    2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ConsentUxUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
    2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CredentialEnrollmentManagerUserSvc_1f8ead56\Start;allowed;Automatic mode;
    2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CredentialEnrollmentManagerUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
    2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DeviceAssociationBrokerSvc_1f8ead56\Start;allowed;Automatic mode;
    2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DeviceAssociationBrokerSvc_1f8ead56\ImagePath;allowed;Automatic mode;
    2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DevicePickerUserSvc_1f8ead56\Start;allowed;Automatic mode;
    2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DevicePickerUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
    2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DevicesFlowUserSvc_1f8ead56\Start;allowed;Automatic mode;
    2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DevicesFlowUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
    2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MessagingService_1f8ead56\Start;allowed;Automatic mode;
    2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MessagingService_1f8ead56\ImagePath;allowed;Automatic mode;
    2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\OneSyncSvc_1f8ead56\Start;allowed;Automatic mode;
    2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\OneSyncSvc_1f8ead56\ImagePath;allowed;Automatic mode;
    2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PimIndexMaintenanceSvc_1f8ead56\Start;allowed;Automatic mode;
    2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PimIndexMaintenanceSvc_1f8ead56\ImagePath;allowed;Automatic mode;
    2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PrintWorkflowUserSvc_1f8ead56\Start;allowed;Automatic mode;
    2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PrintWorkflowUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
    2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UdkUserSvc_1f8ead56\Start;allowed;Automatic mode;
    2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UdkUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
    2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnistoreSvc_1f8ead56\Start;allowed;Automatic mode;
    2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnistoreSvc_1f8ead56\ImagePath;allowed;Automatic mode;
    2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UserDataSvc_1f8ead56\Start;allowed;Automatic mode;
    2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UserDataSvc_1f8ead56\ImagePath;allowed;Automatic mode;
    2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WpnUserService_1f8ead56\Start;allowed;Automatic mode;
    2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WpnUserService_1f8ead56\ImagePath;allowed;Automatic mode;
    2/19/2021 5:05:41 PM;C:\Windows\System32\svchost.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\NgcFirst\ConsecutiveSwitchCount;allowed;Automatic mode;
    2/19/2021 5:05:53 PM;C:\Windows\System32\ctfmon.exe;Modify startup settings;HKEY_USERS\S-1-5-21-2775152818-1588230348-2558996214-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internat.exe;allowed;Automatic mode;

     

    2/19/2021 5:05:06 PM;C:\Windows\System32\LogonUI.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\DestructiveResetInProgress;allowed;Automatic mode;

     

    After doing a Google search:
    D6886603-9D2F-4EB2-B667-1971041FA96B = PIN

    So I'm going to assume someone logged in via my PC's PIN

    and did a "DestructiveResetInProgress" and "TpmClearRecoveryInProgress", whatever this means.
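Posts 1 and 3 both quote ESET HIPS "Modify startup settings" entries in the same semicolon-separated export (Time;Application;Operation;Target;Action;Rule;Additional information). The following Python is an added example, not code from this thread or from ESET: it parses that export, pulls the credential-provider writes apart into provider CLSID, user SID and value name, and buckets each writing process by whether it runs from C:\Windows. The sample rows are copied from the log quoted in post 3; the path-based "windows" / "third-party" bucket is a triage heuristic assumed here (a path alone does not prove a binary is genuine), not an ESET classification.

```python
import csv
import io
from collections import Counter

# Constructed sample in the ESET HIPS export layout quoted on this page:
# Time;Application;Operation;Target;Action;Rule;Additional information
# Rows end with ';' because the last column (Additional information) is empty.
SAMPLE_HIPS_LOG = r"""Time;Application;Operation;Target;Action;Rule;Additional information
2/19/2021 5:05:06 PM;C:\Windows\System32\LogonUI.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\DestructiveResetInProgress;allowed;Automatic mode;
2/19/2021 5:05:07 PM;C:\Windows\System32\LogonUI.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\TpmClearRecoveryInProgress;allowed;Automatic mode;
2/19/2021 5:05:09 PM;C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87BDED91-3F10-4383-B8C1-26886F49F141}\LocalServer32;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AarSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\svchost.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\NgcFirst\ConsecutiveSwitchCount;allowed;Automatic mode;
2/19/2021 5:05:53 PM;C:\Windows\System32\ctfmon.exe;Modify startup settings;HKEY_USERS\S-1-5-21-2775152818-1588230348-2558996214-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internat.exe;allowed;Automatic mode;
"""

# Assumed triage prefix: processes under this directory are bucketed as 'windows'.
WINDOWS_DIR = "c:\\windows\\"


def parse_hips_log(text):
    """Parse the semicolon-separated ESET HIPS export into a list of dicts."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    records = []
    for row in reader:
        # DictReader files any surplus fields under the key None; drop them.
        records.append({k: (v or "").strip() for k, v in row.items() if k is not None})
    return records


def writer_kind(application):
    """'windows' if the writing process lives under C:\\Windows, else 'third-party'.
    This is a first filter for triage only, not proof the binary is genuine."""
    return "windows" if application.lower().startswith(WINDOWS_DIR) else "third-party"


def credential_provider_events(records):
    """Writes under ...\\Credential Providers\\, split into CLSID, SID and value name."""
    events = []
    for rec in records:
        target = rec["Target"]
        if "\\credential providers\\" not in target.lower():
            continue
        parts = target.split("\\")
        clsid = next((p for p in parts if p.startswith("{") and p.endswith("}")), None)
        sid = next((p for p in parts if p.startswith("S-1-5-")), None)
        events.append({
            "time": rec["Time"],
            "application": rec["Application"],
            "writer": writer_kind(rec["Application"]),
            "clsid": clsid,
            "sid": sid,
            "value": parts[-1],
        })
    return events


def third_party_writers(records):
    """Processes outside C:\\Windows that modified startup settings (worth a closer look)."""
    apps = {rec["Application"] for rec in records
            if rec["Operation"] == "Modify startup settings"
            and writer_kind(rec["Application"]) == "third-party"}
    return sorted(apps)


def targets_by_application(records):
    """How many startup-setting writes each process made."""
    return Counter(rec["Application"] for rec in records)


if __name__ == "__main__":
    recs = parse_hips_log(SAMPLE_HIPS_LOG)
    for app, n in targets_by_application(recs).most_common():
        print(f"{n:3d}  {app}")
    for ev in credential_provider_events(recs):
        print(f"{ev['time']}  {ev['writer']:11s} {ev['clsid']}  {ev['value']}")
    print("third-party writers:", third_party_writers(recs))
```

Run against a real export, the useful signal is not the credential-provider rows themselves (in this log they are all written by LogonUI.exe and svchost.exe under a single user SID, which is what a sign-in touches) but any row where a process outside the Windows directory, or an unexpected process, writes to a Credential Providers, Services or Run key; `third_party_writers` surfaces exactly those rows for manual review.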

     

  4. I've also sent some sort of .exe files to ESET.

    They are CR_xxxxx/setup.exe
    (the x's are random numbers / chars).

    These things keep popping up from HIPS from time to time, targeting my browsers.

    I couldn't obtain all of them; as soon as one gets reported by ESET's HIPS I try to go to the location of that .exe and it's not there.

    Anyway, do you know how to disable safe boot without logging into Windows and without a Windows 10 physical disc?

  5. Quote

      Proto  Local Address          Foreign Address        State           PID
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1204
      RpcSs
     [svchost.exe]
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
     Can not obtain ownership information
      TCP    0.0.0.0:1536           0.0.0.0:0              LISTENING       704
     [System]
      TCP    0.0.0.0:1537           0.0.0.0:0              LISTENING       900
     Can not obtain ownership information
      TCP    0.0.0.0:1538           0.0.0.0:0              LISTENING       1756
      EventLog
     [svchost.exe]
      TCP    0.0.0.0:1539           0.0.0.0:0              LISTENING       1608
      Schedule
     [svchost.exe]
      TCP    0.0.0.0:1540           0.0.0.0:0              LISTENING       300
     Can not obtain ownership information
      TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       2288
      CDPSvc
     [svchost.exe]
      TCP    10.102.37.150:139      0.0.0.0:0              LISTENING       4
     Can not obtain ownership information
      TCP    10.102.37.150:2142     82.202.185.211:443     ESTABLISHED     7960
     Can not obtain ownership information
      TCP    10.102.37.150:2147     82.202.185.211:443     ESTABLISHED     5236
     [ksde.exe]
      TCP    10.102.37.150:2982     162.159.130.234:443    ESTABLISHED     8792
     [Discord.exe]
      TCP    10.102.37.150:3144     172.217.194.18:443     ESTABLISHED     8304
     [brave.exe]
      TCP    10.102.37.150:3203     180.87.4.152:443       CLOSE_WAIT      7960
     Can not obtain ownership information
      TCP    10.102.37.150:3207     104.18.27.211:443      ESTABLISHED     8304
     [brave.exe]
      TCP    10.102.37.150:3211     172.67.69.162:443      ESTABLISHED     8304
     [brave.exe]
      TCP    127.0.0.1:1044         127.0.0.1:1045         ESTABLISHED     5236
     [ksde.exe]
      TCP    127.0.0.1:1045         127.0.0.1:1044         ESTABLISHED     5236
     [ksde.exe]
      TCP    127.0.0.1:1063         127.0.0.1:1064         ESTABLISHED     5236
     [ksde.exe]
      TCP    127.0.0.1:1064         127.0.0.1:1063         ESTABLISHED     5236
     [ksde.exe]
      TCP    127.0.0.1:1065         127.0.0.1:1066         ESTABLISHED     5236
     [ksde.exe]
      TCP    127.0.0.1:1066         127.0.0.1:1065         ESTABLISHED     5236
     [ksde.exe]
      TCP    127.0.0.1:1067         127.0.0.1:1068         ESTABLISHED     5236
     [ksde.exe]
      TCP    127.0.0.1:1068         127.0.0.1:1067         ESTABLISHED     5236
     [ksde.exe]
      TCP    127.0.0.1:1069         127.0.0.1:1070         ESTABLISHED     5236
     [ksde.exe]
      TCP    127.0.0.1:1070         127.0.0.1:1069         ESTABLISHED     5236
     [ksde.exe]
      TCP    127.0.0.1:1071         127.0.0.1:1072         ESTABLISHED     5236
     [ksde.exe]
      TCP    127.0.0.1:1072         127.0.0.1:1071         ESTABLISHED     5236
     [ksde.exe]
      TCP    127.0.0.1:1146         0.0.0.0:0              LISTENING       12056
     [NVIDIA Web Helper.exe]
      TCP    127.0.0.1:2140         127.0.0.1:2141         ESTABLISHED     7960
     Can not obtain ownership information
      TCP    127.0.0.1:2141         127.0.0.1:2140         ESTABLISHED     7960
     Can not obtain ownership information
      TCP    127.0.0.1:2145         127.0.0.1:2146         ESTABLISHED     5236
     [ksde.exe]
      TCP    127.0.0.1:2146         127.0.0.1:2145         ESTABLISHED     5236
     [ksde.exe]
      TCP    127.0.0.1:3128         0.0.0.0:0              LISTENING       11104
     [System]
      TCP    127.0.0.1:3128         127.0.0.1:3129         ESTABLISHED     11104
     [System]
      TCP    127.0.0.1:3129         127.0.0.1:3128         ESTABLISHED     11104
     [System]
      TCP    127.0.0.1:3839         127.0.0.1:3840         ESTABLISHED     7960
     Can not obtain ownership information
      TCP    127.0.0.1:3840         127.0.0.1:3839         ESTABLISHED     7960
     Can not obtain ownership information
      TCP    127.0.0.1:3843         0.0.0.0:0              LISTENING       7960
     Can not obtain ownership information
      TCP    127.0.0.1:3847         127.0.0.1:3848         ESTABLISHED     7960
     Can not obtain ownership information
      TCP    127.0.0.1:3848         127.0.0.1:3847         ESTABLISHED     7960
     Can not obtain ownership information
      TCP    127.0.0.1:3849         127.0.0.1:3850         ESTABLISHED     7960
     Can not obtain ownership information
      TCP    127.0.0.1:3850         127.0.0.1:3849         ESTABLISHED     7960
     Can not obtain ownership information
      TCP    127.0.0.1:6463         0.0.0.0:0              LISTENING       9576
     [Discord.exe]
      TCP    127.0.0.1:43227        0.0.0.0:0              LISTENING       2028
     Can not obtain ownership information
      TCP    192.168.176.123:1073   193.56.255.62:443      ESTABLISHED     5236
     [ksde.exe]
      TCP    192.168.176.123:1074   193.56.255.62:443      ESTABLISHED     5236
     [ksde.exe]
      TCP    192.168.176.123:1075   193.56.255.62:443      ESTABLISHED     5236
     [ksde.exe]
      TCP    192.168.176.123:1076   193.56.255.62:443      ESTABLISHED     5236
     [ksde.exe]
      TCP    192.168.176.123:1077   193.56.255.62:443      ESTABLISHED     5236
     [ksde.exe]
      TCP    192.168.176.123:1078   193.56.255.62:443      ESTABLISHED     5236
     [ksde.exe]
      TCP    192.168.176.123:1079   193.56.255.62:443      ESTABLISHED     5236
     [ksde.exe]
      TCP    192.168.176.123:1080   193.56.255.62:443      ESTABLISHED     5236
     [ksde.exe]
      TCP    192.168.176.123:1081   193.56.255.62:443      ESTABLISHED     5236
     [ksde.exe]
      TCP    192.168.176.123:1082   193.56.255.62:443      ESTABLISHED     5236
     [ksde.exe]
      TCP    [::]:135               [::]:0                 LISTENING       1204
      RpcSs
     [svchost.exe]
      TCP    [::]:445               [::]:0                 LISTENING       4
     Can not obtain ownership information
      TCP    [::]:1536              [::]:0                 LISTENING       704
     [System]
      TCP    [::]:1537              [::]:0                 LISTENING       900
     Can not obtain ownership information
      TCP    [::]:1538              [::]:0                 LISTENING       1756
      EventLog
     [svchost.exe]
      TCP    [::]:1539              [::]:0                 LISTENING       1608
      Schedule
     [svchost.exe]
      TCP    [::]:1540              [::]:0                 LISTENING       300
     Can not obtain ownership information
      UDP    0.0.0.0:67             *:*                                    7960
     Can not obtain ownership information
      UDP    0.0.0.0:500            *:*                                    3572
      IKEEXT
     [svchost.exe]
      UDP    0.0.0.0:1900           *:*                                    7960
     Can not obtain ownership information
      UDP    0.0.0.0:4500           *:*                                    3572
      IKEEXT
     [svchost.exe]
      UDP    0.0.0.0:5050           *:*                                    2288
      CDPSvc
     [svchost.exe]
      UDP    0.0.0.0:5353           *:*                                    6740
     [brave.exe]
      UDP    0.0.0.0:5353           *:*                                    8304
     [brave.exe]
      UDP    0.0.0.0:5353           *:*                                    8304
     [brave.exe]
      UDP    0.0.0.0:5353           *:*                                    8304
     [brave.exe]
      UDP    0.0.0.0:5353           *:*                                    6740
     [brave.exe]
      UDP    0.0.0.0:5353           *:*                                    8304
     [brave.exe]
      UDP    0.0.0.0:5353           *:*                                    2408
      Dnscache
     [svchost.exe]
      UDP    0.0.0.0:5353           *:*                                    8304
     [brave.exe]
      UDP    0.0.0.0:5353           *:*                                    8304
     [brave.exe]
      UDP    0.0.0.0:5353           *:*                                    6740
     [brave.exe]
      UDP    0.0.0.0:5353           *:*                                    6740
     [brave.exe]
      UDP    0.0.0.0:5353           *:*                                    7960
     Can not obtain ownership information
      UDP    0.0.0.0:5353           *:*                                    8304
     [brave.exe]
      UDP    0.0.0.0:5353           *:*                                    8304
     [brave.exe]
      UDP    0.0.0.0:5355           *:*                                    2408
      Dnscache
     [svchost.exe]
      UDP    0.0.0.0:53709          *:*                                    2060
     Can not obtain ownership information
      UDP    0.0.0.0:58096          *:*                                    2060
     Can not obtain ownership information
      UDP    0.0.0.0:58307          *:*                                    2060
     Can not obtain ownership information
      UDP    0.0.0.0:63933          *:*                                    7960
     Can not obtain ownership information
      UDP    10.102.37.150:137      *:*                                    4
     Can not obtain ownership information
      UDP    10.102.37.150:138      *:*                                    4
     Can not obtain ownership information
      UDP    10.102.37.150:2177     *:*                                    7236
      QWAVE
     [svchost.exe]
      UDP    127.0.0.1:10010        *:*                                    12056
     [NVIDIA Web Helper.exe]
      UDP    127.0.0.1:50747        *:*                                    7960
     Can not obtain ownership information
      UDP    127.0.0.1:51235        *:*                                    7148
     [nvcontainer.exe]
      UDP    127.0.0.1:52983        *:*                                    2060
     Can not obtain ownership information
      UDP    127.0.0.1:61333        *:*                                    4212
      iphlpsvc
     [svchost.exe]
      UDP    127.0.0.1:63923        *:*                                    7960
     Can not obtain ownership information
      UDP    127.0.0.1:63924        *:*                                    7960
     Can not obtain ownership information
      UDP    192.168.176.123:1900   *:*                                    7960
     Can not obtain ownership information
      UDP    192.168.176.123:2177   *:*                                    7236
      QWAVE
     [svchost.exe]
      UDP    192.168.176.123:5353   *:*                                    7960
     Can not obtain ownership information
      UDP    192.168.176.123:51495  *:*                                    7960
     Can not obtain ownership information
      UDP    192.168.176.123:51496  *:*                                    7960
     Can not obtain ownership information
      UDP    [::]:500               *:*                                    3572
      IKEEXT
     [svchost.exe]
      UDP    [::]:4500              *:*                                    3572
      IKEEXT
     [svchost.exe]
      UDP    [::]:5353              *:*                                    8304
     [brave.exe]
      UDP    [::]:5353              *:*                                    2408
      Dnscache
     [svchost.exe]
      UDP    [::]:5353              *:*                                    6740
     [brave.exe]
      UDP    [::]:5353              *:*                                    8304
     [brave.exe]
      UDP    [::]:5353              *:*                                    8304
     [brave.exe]
      UDP    [::]:5353              *:*                                    6740
     [brave.exe]
      UDP    [::]:5353              *:*                                    8304
     [brave.exe]
      UDP    [::]:5355              *:*                                    2408
      Dnscache
     [svchost.exe]
      UDP    [fe80::2016:5d80:4c51:aa93%6]:2177  *:*                                    7236
      QWAVE
     [svchost.exe]
      UDP    [fe80::6993:e4bb:5af1:f881%12]:2177  *:*                                    7236
      QWAVE
     [svchost.exe]

     

     

    I've added "127.0.0.1 0x1f4b0.com" to hosts and it returned back to 0.0.0.0, but still this shows in ESET:

    [attached image: image.png]

    What are supposed to be the default connections / ports of these things?

    Should I block ports 15xx?

    Are my system services hijacked?
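The listing quoted in this post is in the layout of `netstat -abno` on Windows: each socket row is followed by an optional service name and a bracketed image name, or by "Can not obtain ownership information" when netstat could not open the owning process. The Python below is an added example, not code from this thread or from ESET; it parses that layout and answers the questions the post asks: which ports are listening and on which interfaces, which processes hold sessions to outside hosts, and which PIDs netstat could not attribute. The sample is constructed from rows quoted in this post; the exposure buckets (loopback / all-interfaces / link-local / interface) are names chosen here.

```python
# Constructed sample in the layout of `netstat -abno`, built from rows quoted
# in this post. TCP rows carry a State column; UDP rows do not.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1204
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:1538           0.0.0.0:0              LISTENING       1756
  EventLog
 [svchost.exe]
  TCP    10.102.37.150:2147     82.202.185.211:443     ESTABLISHED     5236
 [ksde.exe]
  TCP    127.0.0.1:1044         127.0.0.1:1045         ESTABLISHED     5236
 [ksde.exe]
  TCP    127.0.0.1:3843         0.0.0.0:0              LISTENING       7960
 Can not obtain ownership information
  TCP    [::]:135               [::]:0                 LISTENING       1204
  RpcSs
 [svchost.exe]
  UDP    0.0.0.0:5353           *:*                                    8304
 [brave.exe]
  UDP    [fe80::2016:5d80:4c51:aa93%6]:2177  *:*                                    7236
  QWAVE
 [svchost.exe]
"""

LOOPBACK = {"127.0.0.1", "[::1]"}
WILDCARD = {"0.0.0.0", "[::]"}


def split_endpoint(endpoint):
    """'1.2.3.4:443' -> ('1.2.3.4', 443); '[::]:135' -> ('[::]', 135); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -abno text into one dict per socket, with its owner lines attached."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Proto", "Active")):
            continue
        tokens = line.split()
        if tokens[0] in ("TCP", "UDP"):
            local_host, local_port = split_endpoint(tokens[1])
            foreign_host, foreign_port = split_endpoint(tokens[2])
            current = {
                "proto": tokens[0],
                "local_host": local_host, "local_port": local_port,
                "foreign_host": foreign_host, "foreign_port": foreign_port,
                "state": tokens[3] if tokens[0] == "TCP" else None,
                "pid": int(tokens[-1]),
                "service": None, "image": None, "owner_known": True,
            }
            entries.append(current)
        elif current is None:
            continue  # stray text before the first socket row
        elif line.startswith("[") and line.endswith("]"):
            current["image"] = line[1:-1]
        elif line.startswith("Can not obtain ownership information"):
            current["owner_known"] = False
        else:
            current["service"] = line  # service name hosted in that image (svchost groups)
    return entries


def exposure(entry):
    """Which interfaces a bound socket is reachable on."""
    host = entry["local_host"]
    if host in LOOPBACK:
        return "loopback"
    if host in WILDCARD:
        return "all-interfaces"
    if host.startswith("[fe80:"):
        return "link-local"
    return "interface"


def listening_sockets(entries):
    """TCP listeners plus every bound UDP socket."""
    return [e for e in entries
            if (e["proto"] == "TCP" and e["state"] == "LISTENING") or e["proto"] == "UDP"]


def external_connections(entries):
    """Established TCP sessions whose peer is not this host."""
    return [e for e in entries
            if e["proto"] == "TCP" and e["state"] == "ESTABLISHED"
            and e["foreign_host"] not in LOOPBACK]


def unattributed_pids(entries):
    """PIDs netstat could not map to an image; check them with `tasklist /svc` from an elevated prompt."""
    return sorted({e["pid"] for e in entries if not e["owner_known"]})


if __name__ == "__main__":
    ents = parse_netstat(SAMPLE_NETSTAT)
    for e in listening_sockets(ents):
        owner = (e["image"] or "?") + (f" ({e['service']})" if e["service"] else "")
        print(f"{e['proto']} {e['local_host']}:{e['local_port']:<6} {exposure(e):14s} pid={e['pid']:<6} {owner}")
    for e in external_connections(ents):
        print(f"-> {e['foreign_host']}:{e['foreign_port']} from pid {e['pid']} {e['image'] or '?'}")
    print("unattributed PIDs:", unattributed_pids(ents))
```

Two reading notes for output like this: a listener that netstat labels with a service name (RpcSs, EventLog, Schedule) is the RPC endpoint of that Windows service, so the service label and the hosting image are the things to verify rather than the port number alone; and "Can not obtain ownership information" is expected for PID 4 (System) and appears for other processes when netstat is not run elevated, so rerun it from an elevated prompt and resolve any remaining unattributed PID with `tasklist /svc` before drawing conclusions.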

  6. Can anyone tell me what these are??

     

    Quote

    2018-08-12 16:46:34.411, Info      [Environment::Initialize] Start...
    2018-08-12 16:46:34.411, Info      [Environment::Initialize] wstrStartDeployTime = 2018-08-12 16:46:34:408
    2018-08-12 16:46:34.411, Info      [Environment::Initialize] wstrSystemDrive = C:
    2018-08-12 16:46:34.411, Info      [Environment::Initialize] wstrTargetNewOSDrive = C:
    2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrLogPath = C:\$GetCurrent\Logs
    2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrLogFileFullPath = C:\$GetCurrent\Logs\downlevel_2018_08_12_16_46_34_410.log
    2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrTempPath = \$GetCurrent
    2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrTempFolder = C:\$GetCurrent
    2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrTenSTempPath = 
    2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrTenSTempFolder = 
    2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrReportPath = C:\$GetCurrent\downlevel_2018_08_12_16_46_34_410.rpt
    2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrExecutablePath = C:\Windows10Upgrade
    2018-08-12 16:46:35.411, Info      [Environment::Initialize] Exe name = Windows10UpgraderApp.exe
    2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrSystemTempFolder = C:\Users\Asus\AppData\Local\Temp
    2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrTempMedia = C:\$GetCurrent\media
    2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrSafeOSFolder = C:\$GetCurrent\SafeOS
    2018-08-12 16:46:35.412, Info      [Environment::Initialize] wstrcV = lkmGbIx8e0Cr4ziT.999
    2018-08-12 16:46:35.412, Warning   [WMIHelper::GetHardwareId]  CoInitializeSecurity failed, Error = 0x80010119
    2018-08-12 16:46:35.536, Info      [WMIHelper::GetRegMachineId]  Open an existing reg key HKLM\SOFTWARE\Microsoft\SQMClient.
    2018-08-12 16:46:35.536, Info      [Environment::Initialize]  Machine Id is: {2C9DC76A-19D2-4199-B941-9D98B96BE2E9}
    2018-08-12 16:46:35.536, Info      [Environment::Initialize]  Device Id is: 0a62a4c6365927abfa389d453ce1147662fbb673
    2018-08-12 16:46:35.536, Info      [OSVersion::Init]  >= 6.2, Use Rtl function to detect OS version ...
    2018-08-12 16:46:35.537, Info      [Environment::Initialize] Windows Version: 10.0 (16299),,producttype=1
    2018-08-12 16:46:35.537, Info      [Environment::Initialize] wstrPostOobeScriptFilename = C:\$GetCurrent\SafeOS\SetupComplete.cmd
    2018-08-12 16:46:35.537, Info      [Environment::Initialize] wstrRollbackScriptFilename = C:\$GetCurrent\SafeOS\Rollback.cmd
    2018-08-12 16:46:35.537, Info      [Environment::Initialize] wstrRollbackInformationFilename = C:\$GetCurrent\SafeOS\GetCurrentRollback.ini
    2018-08-12 16:46:35.537, Info      [Environment::Initialize] wstrWINRESetupPhaseFilename = C:\$GetCurrent\SafeOS\GetCurrentWinRESetup.ini
    2018-08-12 16:46:35.537, Info      [Environment::Initialize] bLADTest = 0
    2018-08-12 16:46:35.537, Info      [Environment::Initialize] bIsSetupConfigIniFilePresent = 0
    2018-08-12 16:46:35.537, Info      [Environment::Initialize] wstrSetupConfigIniFilePath = C:\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini
    2018-08-12 16:46:35.537, Info      [Environment::Initialize]  Init Telemetry system based on WER APIs
    2018-08-12 16:46:35.538, Info      [Environment::Initialize] Finished
    2018-08-12 16:46:35.538, Warning   [GetCurrent_Initialize] This version doesn't verify signature information
    2018-08-12 16:46:35.538, Info      [MinimalRequirementCheck] hr = 0x0, ResultBits = 0x0
    2018-08-12 16:46:35.538, Info      [GetCurrent_Initialize]  MinimalRequirement Check succeeded! hr = 0x0 
    2018-08-12 16:46:35.538, Info      [GetCurrent_Initialize] Load appraiserxp.dll
    2018-08-12 16:46:35.539, Info      [GetCurrent_Initialize]  Load appraiserxp.dll succeeded! hr = 0x0 
    2018-08-12 16:46:35.539, Info      [GetCurrent_Initialize] Get IsReady function
    2018-08-12 16:46:35.539, Info      [GetCurrent_Initialize]  Get IsReady function succeeded! hr = 0x0 
    2018-08-12 16:46:35.539, Info      [GetCurrent_Initialize] pfnIsReady: 0x53c53960
    2018-08-12 16:46:35.539, Info      [GetCurrent_Initialize] isPushing: 1
    2018-08-12 16:46:35.539, Info      [GetCurrent_Initialize]  Call Compact check IsReady succeeded! hr = 0x0 
    2018-08-12 16:46:35.540, Info      [GetCurrent_Initialize]  Compact Check succeeded! isReady = 1 
    2018-08-12 16:46:35.548, Info      [GetCurrent_SetPartnerPostOOBEScript]  Create GetCurrent SafeOS Folder succeeded! hr = 0x0 
    2018-08-12 16:46:35.551, Info      [GetCurrent_SetPartnerPostOOBEScript]  Copy partner post oobe script succeeded! dwReturn = 0x1 GetLastError = 0x0 
    2018-08-12 16:46:35.551, Info      [GetCurrent_SetPartnerID] Partner ID is {E52ABFC2-76BB-4908-883F-CA581FDD83F9}
    2018-08-12 16:46:35.551, Info      [GetCurrent_SetPartnerID] Partner Name is VNL
    2018-08-12 16:46:35.552, Info      [OSVersion::Init]  >= 6.2, Use Rtl function to detect OS version ...
    2018-08-12 16:46:35.552, Warning   [SystemRequirementCheck::IsUpgradeOptionSupported] Upgrade option type (0x600) is not allowed. But we'll continue. We'll fix this late.
    2018-08-12 16:46:35.552, Info      [GetCurrent_SetUpgradeOptionType] Upgrade option: 0x600
    2018-08-12 16:46:35.552, Info      [GetCurrent_SyncDataEx] Start sync with external...
    2018-08-12 16:46:35.552, Info      [GetCurrent_SyncDataEx] Get wstrExternalId = {} from external.
    2018-08-12 16:46:35.552, Info      [GetCurrent_SyncDataEx] Get wstrExternalIdDescription = NHV19:<1.4.9200.22532>:<3> from external.
    2018-08-12 16:46:35.552, Info      [GetCurrent_SyncDataEx] Set Assistant Show Up time = 2018-08-12 16:32:00:991.
    2018-08-12 16:46:35.552, Info      [GetCurrent_SyncDataEx] Set Download Image Duration = 804 seconds.
    2018-08-12 16:46:35.553, Info      [GetCurrent_SyncDataEx] Set Restart times during download = 0.
    2018-08-12 16:46:35.553, Info      [GetCurrent_SyncDataEx] Set wstrDeviceId = 0a62a4c6365927abfa389d453ce1147662fbb673 to external.
    2018-08-12 16:46:35.553, Info      [GetCurrent_SyncDataEx] Set wstrcV = lkmGbIx8e0Cr4ziT.999 to external.
    2018-08-12 16:46:35.553, Info      [GetCurrent_SyncDataEx] End sync with external...
    2018-08-12 16:46:35.553, Info      [GetCurrent_StartDeploy] Check GetCurrent mutex: dwError = 0x529e766f 
    2018-08-12 16:46:35.553, Info      [GetCurrent_StartDeploy] Check Setup360 mutex: dwError = 0x529e766f 
    2018-08-12 16:46:35.553, Info      [GetCurrent_StartDeploy] No other GetCurrentDeploy instance, start deploy ... 
    2018-08-12 16:46:35.553, Info      [DoXPDeployment]  wstrSetupSourceFolderOrFile = C:\Windows10Upgrade\17134.112.180619-1212.rs4_release_svc_refresh_CLIENTCONSUMER_RET_x64FRE_en-us.esd
    2018-08-12 16:46:35.553, Info      [DoXPDeployment]  Create action chain ...
    2018-08-12 16:46:35.553, Info      [DoXPDeployment] Windows Version: 10.0 (16299),,1, 768
    2018-08-12 16:46:35.553, Info      [DoXPDeployment] Win 7 and plus, use win 10 setup directly
    2018-08-12 16:46:35.553, Info      [DoXPDeployment]  Execute action chain
    2018-08-12 16:46:35.553, Info      [XPSetupActionQueue::Execute]  Execute action chains of class XPSAQ<class EntryQueueDelegatorForWin7Later> ...
    2018-08-12 16:46:35.553, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class EnableWUNoAutoRebootDelegator> ...
    2018-08-12 16:46:35.553, Info      [EnableWUNoAutoRebootDelegator::ExecuteAction]  Can't read WU Auto Reboot Policy, error = 0x2
    2018-08-12 16:46:35.558, Info      [EnableWUNoAutoRebootDelegator::ExecuteAction]  Disable WU Auto Reboot in policies succeeded! hr = 0x0 
    2018-08-12 16:46:35.558, Info      [WinUtil::RunCommand]  Command Line: gpupdate /force
    2018-08-12 16:46:35.666, Info      [WinUtil::RunCommand]  Waiting for process 0xbd8
    2018-08-12 16:46:58.895, Info      [WinUtil::RunCommand]  process exited as expected.
    2018-08-12 16:46:58.895, Info      [WinUtil::RunCommand]  Process returned: 0x0
    2018-08-12 16:46:58.895, Info      [EnableWUNoAutoRebootDelegator::ExecuteAction]  Update the Goup Policy forcely succeeded! hr = 0x0 
    2018-08-12 16:46:58.906, Info      [XPSetupAction::Execute]  The action is marked to ingore execution error. hr = 0x0
    2018-08-12 16:46:58.906, Info      [XPSetupActionQueue::Execute]  Execute action chains of class XPSAQ<class StartWUDelegator> ...
    2018-08-12 16:46:58.906, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class StartWUServiceDelegator> ...
    2018-08-12 16:46:58.907, Info      [StartWUServiceDelegator::TryStartService]  Open SC Manager succeeded! m_hSCManager = 0x6878300 GetLastError = 0x0 
    2018-08-12 16:46:58.908, Info      [StartWUServiceDelegator::TryStartService]  SC Manager Handle: 0x6878300
    2018-08-12 16:46:58.908, Info      [StartWUServiceDelegator::TryStartService]  Open Service succeeded! m_hWUService = 0x6878030 GetLastError = 0x0 
    2018-08-12 16:46:58.908, Info      [StartWUServiceDelegator::TryStartService]  Service Handle: 0x6878030
    2018-08-12 16:46:58.908, Info      [StartWUServiceDelegator::TryStartService]  QUERY_SERVICE_CONFIG size: 256
    2018-08-12 16:46:58.908, Info      [StartWUServiceDelegator::TryStartService]  Query service config succeeded! fSuccess = 0x1 GetLastError = 0x0 
    2018-08-12 16:46:58.908, Info      [StartWUServiceDelegator::TryStartService]  Start type: 0x3
    2018-08-12 16:46:58.908, Info      [StartWUServiceDelegator::TryStartService]  Query service status succeeded! fSuccess = 0x1 GetLastError = 0x0 
    2018-08-12 16:46:58.908, Info      [StartWUServiceDelegator::TryStartService]  Current status: 0x1
    2018-08-12 16:46:58.910, Info      [StartWUServiceDelegator::TryStartService]  Start service succeeded! fSuccess = 0x1 GetLastError = 0x0 
    2018-08-12 16:46:58.910, Info      [XPSetupAction::Execute]  The action is marked to ingore execution error. hr = 0x0
    2018-08-12 16:46:58.910, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class ConfigWUPolicyDelegator> ...
    2018-08-12 16:46:58.922, Info      [XPSetupAction::Execute]  The action is marked to ingore execution error. hr = 0x0
    2018-08-12 16:46:58.923, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class DecryptEsdFileDelegator> ...
    2018-08-12 16:46:59.244, Info      [DecryptEsdFileDelegator::ExecuteAction]  Create temporary folder: C:\$GetCurrent\media
    2018-08-12 16:46:59.245, Info      [DecryptEsdFileDelegator::ExecuteAction]  Create temporary folder succeeded! hr = 0x0 
    2018-08-12 16:46:59.245, Info      [DecryptEsdFileDelegator::ExecuteAction]  Invoke function : RestoreESDLayout()...
    2018-08-12 16:47:00.318, Warning   [EsdDecryptCallbackFunc]  Progress Flag File is not set, set is as default [progress.ini]
    2018-08-12 17:12:59.710, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class DeleteSourceSetupDelegator> ...
    2018-08-12 17:13:04.726, Info      [DeleteSourceSetupDelegator::ExecuteAction]  Target architecture : amd64
    2018-08-12 17:13:04.726, Info      [DeleteSourceSetupDelegator::ExecuteAction] bIsDataOnlyMigration : 0 bTargetArchIsAmd64 : 1 bCurrentArchIsAmd64 : 1
    2018-08-12 17:13:04.726, Info      [DeleteSourceSetupDelegator::ExecuteAction]  Delete legacy setup binary to force setup360 run : C:\$GetCurrent\media\sources\setup.exe
    2018-08-12 17:13:04.727, Info      [DeleteSourceSetupDelegator::ExecuteAction]  Delete legacy setup binary succeeded! hr = 0x0 
    2018-08-12 17:13:04.727, Info      [XPSetupActionQueue::Execute]  Execute action chains of class XPSAQ<class RollbackPrepDelegator> ...
    2018-08-12 17:13:04.727, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class SaveRollbackInformationDelegator> ...
    2018-08-12 17:13:04.727, Info      [SaveRollbackInformationDelegator::ExecuteAction]  Ensure SafeOS folder: C:\$GetCurrent\SafeOS
    2018-08-12 17:13:04.727, Info      [SaveRollbackInformationDelegator::ExecuteAction]  Create SafeOS folder succeeded! hr = 0x0 
    2018-08-12 17:13:07.807, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class DeployGetCurrentOOBEDelegator> ...
    2018-08-12 17:13:10.595, Info      [CopyFileDelegator::ExecuteAction]  Copy file: C:\Windows10Upgrade\GetCurrentOOBE.dll -> C:\$GetCurrent\SafeOS\GetCurrentOOBE.dll 
    2018-08-12 17:13:24.998, Info      [CopyFileDelegator::ExecuteAction]  CopyFileDelegator::ExecuteAction succeeded! fSuccess = 0x1 GetLastError = 0x0 
    2018-08-12 17:13:24.998, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class CreatePreOobeScriptDelegator> ...
    2018-08-12 17:13:24.998, Info      [CreatePreOobeScriptDelegator::ExecuteAction]  Output filename: C:\$GetCurrent\SafeOS\preoobe.cmd
    2018-08-12 17:13:31.054, Info      [CreatePreOobeScriptDelegator::ExecuteAction]  Open preoobe.cmd succeeded! fout = 0x1 
    2018-08-12 17:13:33.556, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class CreatePostOobeScriptDelegator> ...
    2018-08-12 17:13:33.556, Info      [CreatePostOobeScriptDelegator::ExecuteAction]  Output filename: C:\$GetCurrent\SafeOS\SetupComplete.cmd
    2018-08-12 17:13:33.557, Info      [CreatePostOobeScriptDelegator::ExecuteAction]  Open SetupComplete.cmd succeeded! fout = 0x1 
    2018-08-12 17:13:33.562, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class ConfigRollbackRunDelegator> ...
    2018-08-12 17:13:37.028, Info      [ConfigRollbackRunDelegator::ExecuteAction]  Open an existing reg key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.
    2018-08-12 17:13:37.028, Info      [ConfigRollbackRunDelegator::ExecuteAction]  Update Registry Value, Path=SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, !GetCurrentRollback="C:\Windows10Upgrade\GetCurrentRollback.exe" "progress.ini" "C:" "NHV19:<1.4.9200.22532>:<3>"
    2018-08-12 17:13:37.028, Info      [ConfigRollbackRunDelegator::ExecuteAction]  Update Registry Value succeeded! hr = 0x0 
    2018-08-12 17:13:37.028, Info      [XPSetupAction::Execute]  The action is marked to ingore execution error. hr = 0x0
    2018-08-12 17:13:37.028, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class RunSetupForWin7LaterDelegator> ...
    2018-08-12 17:13:37.028, Info      [GenerateClientId]  >= 6.2, Use Rtl function to detect OS version ...
    2018-08-12 17:13:37.028, Warning   [WinUtil::IsPrivacySettingsComplete] WUA: Failed to check if Privacy Settings complete. Assuming incomplete. Error: [0x80070002]
    2018-08-12 17:13:37.029, Info      [WinUtil::IsPrivacySettingsComplete] WUA: IsPrivacySettingsComplete: [FALSE]
    2018-08-12 17:13:37.029, Info      [WinUtil::IsDeviceManaged] WUA: EditionID Value [CoreSingleLanguage]
    2018-08-12 17:13:37.029, Info      [WinUtil::IsDeviceManaged] WUA bIsDeviceManaged from EditionId: [FALSE]
    2018-08-12 17:13:37.029, Info      [WinUtil::IsDeviceManaged] WUA: Could not get NV Domain. [0x80070002]
    2018-08-12 17:13:37.029, Info      [WinUtil::IsDeviceManaged] WUA: bIsDeviceManaged from NV Domain: [FALSE]
    2018-08-12 17:13:37.029, Info      [WinUtil::IsDeviceManaged] WUA: Could not get ProductCode. [0x80070002]
    2018-08-12 17:13:37.029, Info      [WinUtil::IsDeviceManaged] WUA: bIsDeviceManaged from ProductCode: [FALSE]
    2018-08-12 17:13:37.029, Info      [WinUtil::IsDeviceManaged] WUA: Could not get UseWUServer value. [0x80070002]
    2018-08-12 17:13:37.029, Info      [WinUtil::IsDeviceManaged] WUA: bIsDeviceManaged from UseWUServer: [FALSE]
    2018-08-12 17:13:37.029, Info      [WinUtil::IsDeviceManaged] WUA: Could not get ShowPrivacySettingsUI value. [0x80070002]
    2018-08-12 17:13:37.029, Info      [WinUtil::IsDeviceManaged] WUA: bIsDeviceManaged from ShowPrivacySettingsUI: [FALSE]
    2018-08-12 17:13:37.029, Info      [RunSetupForWin7LaterDelegator::ExecuteAction]  Command Line: C:\$GetCurrent\media\setup.exe /migchoice upgrade /showoobe none /quiet /Compat IgnoreWarning /eula accept /noreboot /postoobe C:\$GetCurrent\SafeOS\SetupComplete.cmd /CorrelationVector lkmGbIx8e0Cr4ziT.999 /ClientId Win10UA:VNL:NHV19:<1.4.9200.22532>:<3>:{}:[10.0.16299]:[2] /DynamicUpdate Enable /telemetry enable /UpdateMedia Decline /SkipSummary
    2018-08-12 17:13:37.029, Info      [WinUtil::RunCommand]  Command Line: C:\$GetCurrent\media\setup.exe /migchoice upgrade /showoobe none /quiet /Compat IgnoreWarning /eula accept /noreboot /postoobe C:\$GetCurrent\SafeOS\SetupComplete.cmd /CorrelationVector lkmGbIx8e0Cr4ziT.999 /ClientId Win10UA:VNL:NHV19:<1.4.9200.22532>:<3>:{}:[10.0.16299]:[2] /DynamicUpdate Enable /telemetry enable /UpdateMedia Decline /SkipSummary
    2018-08-12 17:14:12.877, Info      [WinUtil::RunCommand]  Waiting for process 0x1794
    2018-08-12 23:46:16.129, Info      [WinUtil::RunCommand]  process exited as expected.
    2018-08-12 23:46:16.228, Info      [WinUtil::RunCommand]  Process returned: 0x0
    2018-08-12 23:46:16.229, Info      [RunSetupForWin7LaterDelegator::ExecuteAction]  Run Setup.exe succeeded! hr = 0x0 
    2018-08-12 23:46:16.240, Info      [RunSetupForWin7LaterDelegator::ExecuteAction]  Setup execution result succeeded! (HRESULT)dwExitCode = 0x0 
    2018-08-12 23:46:16.478, Info      [XPSetupActionQueue::Execute]  Execute action chains of class XPSAQ<class EnvScanDelegator> ...
    2018-08-12 23:46:16.493, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class RunOnceCheckDelegator> ...
    2018-08-12 23:46:16.722, Info      [RunOnceCheckDelegator::ExecuteAction] The Rollback Runonce is already set properly
    2018-08-12 23:46:16.722, Info      [XPSetupAction::Execute]  The action is marked to ingore execution error. hr = 0x0
    2018-08-12 23:46:16.722, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class UpdateEnvScanTelemetryDelegator> ...
    2018-08-12 23:46:16.953, Info      [XPSetupAction::Execute]  The action is marked to ingore execution error. hr = 0x0
    2018-08-12 23:46:16.953, Info      [DoXPDeployment]  Destroy action chain
    2018-08-12 23:46:16.953, Info      [XPSetupActionQueue::DisassemblyChildActions]  Disassembly child actions of class XPSAQ<class EntryQueueDelegatorForWin7Later> ...
    2018-08-12 23:46:16.953, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSAQ<class EnvScanDelegator> ...
    2018-08-12 23:46:16.953, Info      [XPSetupActionQueue::DisassemblyChildActions]  Disassembly child actions of class XPSAQ<class EnvScanDelegator> ...
    2018-08-12 23:46:16.953, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class UpdateEnvScanTelemetryDelegator> ...
    2018-08-12 23:46:16.998, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class RunOnceCheckDelegator> ...
    2018-08-12 23:46:16.998, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class RunSetupForWin7LaterDelegator> ...
    2018-08-12 23:46:16.998, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSAQ<class RollbackPrepDelegator> ...
    2018-08-12 23:46:16.998, Info      [XPSetupActionQueue::DisassemblyChildActions]  Disassembly child actions of class XPSAQ<class RollbackPrepDelegator> ...
    2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class ConfigRollbackRunDelegator> ...
    2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class CreatePostOobeScriptDelegator> ...
    2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class CreatePreOobeScriptDelegator> ...
    2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class DeployGetCurrentOOBEDelegator> ...
    2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class SaveRollbackInformationDelegator> ...
    2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class DeleteSourceSetupDelegator> ...
    2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class DecryptEsdFileDelegator> ...
    2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSAQ<class StartWUDelegator> ...
    2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Disassembly child actions of class XPSAQ<class StartWUDelegator> ...
    2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class ConfigWUPolicyDelegator> ...
    2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class StartWUServiceDelegator> ...
    2018-08-12 23:46:17.551, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class EnableWUNoAutoRebootDelegator> ...
    2018-08-12 23:46:17.552, Info      [EnableWUNoAutoRebootDelegator::~EnableWUNoAutoRebootDelegator] Restore WU No Auto Reboot setting HRESULT = 0x0
    2018-08-12 23:46:17.552, Info      [DoXPDeployment]  Finished hr = 0x0
    2018-08-12 23:46:17.553, Info      [TelemetryUpgrade::CanSendTelemetry]  Telemetry allowed on Win10 and above.

  7. dunno, something definitely suspicious is going on

    I just discovered in my documents 2 exported bookmark HTML files whose contents contain selectively private stuff, and I'm not just talking about porn (although that was included).


    Also today, I found in my recycle bin files I've deleted long ago; all of these files were deleted at the same time, 5:08, and their original location is microsoft/windows/recent.

  8.   

    22 hours ago, migs_k said:

    I got notified of these updates just 2-3 days ago even though I already have those updates (the current version of my Windows is 20H2).

    Especially the one I'm suspicious of, the critical update, as I've had that since January.


    Where can I locate these "updates"? I want to send them for inspection, to see what's inside.


    ty
