Norton - Connectivity To This Website Is Not Secure

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Fishhead, Mar 15, 2025.

  1. Fishhead

    Fishhead Private First Class

    This is a problem that I spent some time trying to resolve in the Software Forum, but made no headway.

    I have an old Dell desktop running Windows 8.2.

    Beginning more than a week ago I began having a Norton 360 notice popup informing me that "Connectivity to this Website is not Secure". I have attached a screen shot of the notice.

    I can close the notice, but it will reappear later. Even when the computer is idle and all programs are closed, the notice will reappear.

    I have run Norton full scan and nothing is found wrong. I installed Malwarebytes Firewall Control and set it to block everything and the notice still pops up.

    As far as I know, whatever is causing this is not also causing harm to anything that I am doing. Nothing is being blocked or shut down.

    But I would like to get rid of whatever is the cause.

    I ran Malwarebytes Anti-Malware, Rogue Killer (or whatever it is now called), and Hitman Pro, but once again nothing was found. I tried installing MGTools, but could not stop all of the Windows notices.

    Does anyone have experience with this sort of problem and suggestions on how to solve it?
     

    Attached Files:

  2. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings and welcome to the Major Geeks Malware Forum.

    Please do this

    ===================================================

    Farbar Recovery Scan Tool (FRST)

    --------------------
    • Download FRST64 and save the file on your Desktop
    • If your computer language is other than English right click on the FRST64 icon and rename it to FRST64english
    • Right click on the icon and select Run as administrator
    • Note: If you receive any warning about the download it is a false positive and you can ignore it. Click on More info to get the Run anyway option
    • Click Yes to the disclaimer
    • Click Scan and allow the program to run
    • When completed, FRST.txt and Addition.txt reports will be saved on the Desktop
    • Please attach the reports to your reply
    ===================================================

    Things I would like to see in your next reply.
    • Attached reports
     
  3. Fishhead

    Fishhead Private First Class

    Thank you. I have attached both files. I did not modify the default options set by the programs.
     

    Attached Files:

  4. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you for the reports.

    Please do this.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    CreateRestorePoint:
    CloseProcesses:
    ExportKey: HKLM\Software\Google\Chrome\Extensions
    ExportKey: HKLM\Software\Wow6432node\Google\Chrome\Extensions
    CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif]
    CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif]
    SearchScopes: HKU\S-1-5-21-1971205275-670237270-3699019941-1001 -> DefaultScope {0CA2A7C8-3596-4C4E-959D-B3B575252F74} URL =
    SearchScopes: HKU\S-1-5-21-1971205275-670237270-3699019941-1001 -> {0CA2A7C8-3596-4C4E-959D-B3B575252F74} URL =
    S2 McAPExe; "C:\Program Files\McAfee\MSC\McAPExe.exe" [X] 
    S3 NAVENG; \??\C:\Program Files (x86)\Norton Security\NortonData\22.5.4.24\Definitions\SDSDefs\20160713.002\ENG64.SYS [X] 
    S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security\NortonData\22.5.4.24\Definitions\SDSDefs\20160713.002\EX64.SYS [X] 
    S3 RimUsb; \SystemRoot\System32\Drivers\RimUsb_AMD64.sys [X] 
    S3 vzandnetdiag; \SystemRoot\system32\DRIVERS\lgvzandnetdiag64.sys [X] 
    S3 vzandnetmodem; \SystemRoot\system32\DRIVERS\lgvzandnetmdm64.sys [X] 
    HKLM-x32\...\Run: [OpwareSE2] => "C:\Program Files (x86)\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" (No File) 
    HKLM-x32\...\Run: [OPSE reminder] => "C:\Program Files (x86)\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files (x86)\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini" (No File) 
    Task: {AC133D34-D376-43AD-8C79-A1469C98EE9E} - System32\Tasks\Norton Identity Safe\Norton Error Analyzer => C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\SymErr.exe  /analyze (No File) 
    Task: {AEBABBC5-160C-4AF9-9F02-41C6BA2777E3} - System32\Tasks\Norton Identity Safe\Norton Error Processor => C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\SymErr.exe  /submit (No File) 
    Task: {447E404B-097F-4CF3-8A52-B8F6B9805A89} - System32\Tasks\Norton Security\Norton Security Error Analyzer => C:\Program Files (x86)\Norton Security\Engine\22.20.2.57\SymErr.exe  /analyze (No File) 
    Task: {852C37F8-9FEB-4D83-B590-467811A2377B} - System32\Tasks\Norton Security\Norton Security Error Processor => C:\Program Files (x86)\Norton Security\Engine\22.20.2.57\SymErr.exe  /submit (No File) 
    CustomCLSID: HKU\S-1-5-21-1971205275-670237270-3699019941-1001_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\Peter\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\amd64\FileCoAuthLib64.dll => No File 
    CustomCLSID: HKU\S-1-5-21-1971205275-670237270-3699019941-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\Peter\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\amd64\FileSyncShell64.dll => No File 
    CustomCLSID: HKU\S-1-5-21-1971205275-670237270-3699019941-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\Peter\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\amd64\FileSyncShell64.dll => No File 
    CustomCLSID: HKU\S-1-5-21-1971205275-670237270-3699019941-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\Peter\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\amd64\FileSyncShell64.dll => No File 
    CustomCLSID: HKU\S-1-5-21-1971205275-670237270-3699019941-1001_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\localserver32 -> C:\Users\Peter\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\FileCoAuth.exe => No File 
    BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton AntiVirus\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File 
    FirewallRules: [{E2E6DFD4-CAA8-4C34-9138-9A5876740646}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe => No File 
    FirewallRules: [{FD4CFC8A-1C55-4477-A9D5-8570D8BC354F}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe => No File 
    FirewallRules: [{12250BB8-F8DC-422E-8061-482732B2614C}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe => No File 
    FirewallRules: [{8EBE4A3A-C989-4046-96AE-F5C4E1D68D8D}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe => No File 
    FirewallRules: [{07E5DA68-CAC0-447F-B60A-F6CB8B7C2F09}] => (Allow) C:\Users\Peter\AppData\Roaming\Zoom\bin\airhost.exe => No File 
    FirewallRules: [{09B5C5CA-6EED-4D00-8191-148AB05A5CA8}] => (Allow) C:\users\peter\downloads\norton_360_online_setup(1).exe => No File 
    FirewallRules: [{4969C507-4DFF-460E-9906-5AF0F2CE6C0B}] => (Allow) C:\users\peter\downloads\norton_360_online_setup(1).exe => No File 
    AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0] 
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /CheckHealth
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    • Following automatic reboot monitor your system for Norton pop up warnings
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Fixlog
    • Norton pop up warnings?
     
  5. Fishhead

    Fishhead Private First Class

    Following running Fix my computer went to an automatic reboot. It occurred quickly and I did not read the messages.

    Below is the fix log:



    Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2025 01
    Ran by Peter (15-03-2025 18:56:45) Run:1
    Running from C:\Users\Peter\Downloads
    Loaded Profiles: Peter
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    CreateRestorePoint:
    CloseProcesses:
    ExportKey: HKLM\Software\Google\Chrome\Extensions
    ExportKey: HKLM\Software\Wow6432node\Google\Chrome\Extensions
    CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif]
    CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif]
    SearchScopes: HKU\S-1-5-21-1971205275-670237270-3699019941-1001 -> DefaultScope {0CA2A7C8-3596-4C4E-959D-B3B575252F74} URL =
    SearchScopes: HKU\S-1-5-21-1971205275-670237270-3699019941-1001 -> {0CA2A7C8-3596-4C4E-959D-B3B575252F74} URL =
    S2 McAPExe; "C:\Program Files\McAfee\MSC\McAPExe.exe" [X]
    S3 NAVENG; \??\C:\Program Files (x86)\Norton Security\NortonData\22.5.4.24\Definitions\SDSDefs\20160713.002\ENG64.SYS [X]
    S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security\NortonData\22.5.4.24\Definitions\SDSDefs\20160713.002\EX64.SYS [X]
    S3 RimUsb; \SystemRoot\System32\Drivers\RimUsb_AMD64.sys [X]
    S3 vzandnetdiag; \SystemRoot\system32\DRIVERS\lgvzandnetdiag64.sys [X]
    S3 vzandnetmodem; \SystemRoot\system32\DRIVERS\lgvzandnetmdm64.sys [X]
    HKLM-x32\...\Run: [OpwareSE2] => "C:\Program Files (x86)\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" (No File)
    HKLM-x32\...\Run: [OPSE reminder] => "C:\Program Files (x86)\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files (x86)\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini" (No File)
    Task: {AC133D34-D376-43AD-8C79-A1469C98EE9E} - System32\Tasks\Norton Identity Safe\Norton Error Analyzer => C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\SymErr.exe /analyze (No File)
    Task: {AEBABBC5-160C-4AF9-9F02-41C6BA2777E3} - System32\Tasks\Norton Identity Safe\Norton Error Processor => C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\SymErr.exe /submit (No File)
    Task: {447E404B-097F-4CF3-8A52-B8F6B9805A89} - System32\Tasks\Norton Security\Norton Security Error Analyzer => C:\Program Files (x86)\Norton Security\Engine\22.20.2.57\SymErr.exe /analyze (No File)
    Task: {852C37F8-9FEB-4D83-B590-467811A2377B} - System32\Tasks\Norton Security\Norton Security Error Processor => C:\Program Files (x86)\Norton Security\Engine\22.20.2.57\SymErr.exe /submit (No File)
    CustomCLSID: HKU\S-1-5-21-1971205275-670237270-3699019941-1001_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\Peter\AppData\Local\Microsoft\OneDrive\17.3.6998.0830\amd64\FileCoAuthLib64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1971205275-670237270-3699019941-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\Peter\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\amd64\FileSyncShell64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1971205275-670237270-3699019941-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\Peter\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\amd64\FileSyncShell64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1971205275-670237270-3699019941-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\Peter\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\amd64\FileSyncShell64.dll => No File
    CustomCLSID: HKU\S-1-5-21-1971205275-670237270-3699019941-1001_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\localserver32 -> C:\Users\Peter\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\FileCoAuth.exe => No File
    BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton AntiVirus\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
    FirewallRules: [{E2E6DFD4-CAA8-4C34-9138-9A5876740646}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe => No File
    FirewallRules: [{FD4CFC8A-1C55-4477-A9D5-8570D8BC354F}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe => No File
    FirewallRules: [{12250BB8-F8DC-422E-8061-482732B2614C}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe => No File
    FirewallRules: [{8EBE4A3A-C989-4046-96AE-F5C4E1D68D8D}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe => No File
    FirewallRules: [{07E5DA68-CAC0-447F-B60A-F6CB8B7C2F09}] => (Allow) C:\Users\Peter\AppData\Roaming\Zoom\bin\airhost.exe => No File
    FirewallRules: [{09B5C5CA-6EED-4D00-8191-148AB05A5CA8}] => (Allow) C:\users\peter\downloads\norton_360_online_setup(1).exe => No File
    FirewallRules: [{4969C507-4DFF-460E-9906-5AF0F2CE6C0B}] => (Allow) C:\users\peter\downloads\norton_360_online_setup(1).exe => No File
    AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /CheckHealth
    End::
    *****************

    Restore point was successfully created.
    Processes closed successfully.
    ================== ExportKey: ===================

    [HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions]
    [HKLM\Software\Google\Chrome\Extensions\ihcjicgdanjaechkgeegckofjjedodee]
    "update_url"="https://clients2.google.com/service/update2/crx"
    [HKLM\Software\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif]
    "update_url"="https://clients2.google.com/service/update2/crx"

    === End of ExportKey ===
    ================== ExportKey: ===================

    [HKEY_LOCAL_MACHINE\Software\Wow6432node\Google\Chrome\Extensions]
    [HKLM\Software\Wow6432node\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj]
    "update_url"="https://clients2.google.com/service/update2/crx"
    [HKLM\Software\Wow6432node\Google\Chrome\Extensions\ihcjicgdanjaechkgeegckofjjedodee]
    "update_url"="https://clients2.google.com/service/update2/crx"
    [HKLM\Software\Wow6432node\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif]
    "update_url"="https://clients2.google.com/service/update2/crx"
    "ref_count"="1"

    === End of ExportKey ===
    HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif => removed successfully
    HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif => removed successfully
    "HKU\S-1-5-21-1971205275-670237270-3699019941-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removed successfully
    HKU\S-1-5-21-1971205275-670237270-3699019941-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0CA2A7C8-3596-4C4E-959D-B3B575252F74} => removed successfully
    HKLM\System\CurrentControlSet\Services\McAPExe => removed successfully
    McAPExe => service removed successfully
    HKLM\System\CurrentControlSet\Services\NAVENG => removed successfully
    NAVENG => service removed successfully
    HKLM\System\CurrentControlSet\Services\NAVEX15 => removed successfully
    NAVEX15 => service removed successfully
    HKLM\System\CurrentControlSet\Services\RimUsb => removed successfully
    RimUsb => service removed successfully
    HKLM\System\CurrentControlSet\Services\vzandnetdiag => removed successfully
    vzandnetdiag => service removed successfully
    HKLM\System\CurrentControlSet\Services\vzandnetmodem => removed successfully
    vzandnetmodem => service removed successfully
    "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\OpwareSE2" => removed successfully
    "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\OPSE reminder" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AC133D34-D376-43AD-8C79-A1469C98EE9E}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AC133D34-D376-43AD-8C79-A1469C98EE9E}" => removed successfully
    C:\Windows\System32\Tasks\Norton Identity Safe\Norton Error Analyzer => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Norton Identity Safe\Norton Error Analyzer" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AEBABBC5-160C-4AF9-9F02-41C6BA2777E3}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AEBABBC5-160C-4AF9-9F02-41C6BA2777E3}" => removed successfully
    C:\Windows\System32\Tasks\Norton Identity Safe\Norton Error Processor => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Norton Identity Safe\Norton Error Processor" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{447E404B-097F-4CF3-8A52-B8F6B9805A89}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{447E404B-097F-4CF3-8A52-B8F6B9805A89}" => removed successfully
    C:\Windows\System32\Tasks\Norton Security\Norton Security Error Analyzer => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Norton Security\Norton Security Error Analyzer" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{852C37F8-9FEB-4D83-B590-467811A2377B}" => removed successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{852C37F8-9FEB-4D83-B590-467811A2377B}" => removed successfully
    C:\Windows\System32\Tasks\Norton Security\Norton Security Error Processor => moved successfully
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Norton Security\Norton Security Error Processor" => removed successfully
    HKU\S-1-5-21-1971205275-670237270-3699019941-1001_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5} => removed successfully
    HKU\S-1-5-21-1971205275-670237270-3699019941-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E} => removed successfully
    HKU\S-1-5-21-1971205275-670237270-3699019941-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C} => removed successfully
    HKU\S-1-5-21-1971205275-670237270-3699019941-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E} => removed successfully
    HKU\S-1-5-21-1971205275-670237270-3699019941-1001_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2} => removed successfully
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C} => removed successfully
    HKLM\Software\Wow6432Node\Classes\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C} => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E2E6DFD4-CAA8-4C34-9138-9A5876740646}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FD4CFC8A-1C55-4477-A9D5-8570D8BC354F}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{12250BB8-F8DC-422E-8061-482732B2614C}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8EBE4A3A-C989-4046-96AE-F5C4E1D68D8D}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{07E5DA68-CAC0-447F-B60A-F6CB8B7C2F09}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{09B5C5CA-6EED-4D00-8191-148AB05A5CA8}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4969C507-4DFF-460E-9906-5AF0F2CE6C0B}" => removed successfully
    C:\ProgramData\Reprise => ":wupeogjxldtlfudivq`qsp`27hfm" ADS removed successfully

    ========= sfc /scannow =========



    Beginning system scan. This process will take some time.



    Beginning verification phase of system scan.




    Windows Resource Protection could not perform the requested operation.



    ========= End of CMD: =========


    ========= DISM /Online /Cleanup-Image /CheckHealth =========

    0

    ========= End of CMD: =========



    The system needed a reboot.

    ==== End of Fixlog 18:57:27 ====
     

    Attached Files:
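
Added example (not part of the thread and not FRST's own code): a Python sketch that triages a Fixlog like the one above. It keeps the echoed fixlist apart from the results, so `=>` lines inside the script are not counted as outcomes, and flags `cmd:` sections whose output reports a failure. The sample is abridged from the log in the post above; the line marked CONSTRUCTED and the failure-marker list are assumptions.

```python
import re

# Sample abridged from the Fixlog quoted in the thread. The single line for
# C:\Example\constructed.tmp is CONSTRUCTED (not from the page) and its
# wording is hypothetical; it exercises the "needs review" path.
SAMPLE_FIXLOG = r"""
Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2025 01
fixlist content:
*****************
Start::
CloseProcesses:
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif]
S3 RimUsb; \SystemRoot\System32\Drivers\RimUsb_AMD64.sys [X]
HKLM-x32\...\Run: [OpwareSE2] => "C:\Program Files (x86)\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" (No File)
cmd: sfc /scannow
cmd: DISM /Online /Cleanup-Image /CheckHealth
End::
*****************

Processes closed successfully.
================== ExportKey: ===================

[HKLM\Software\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif]
"update_url"="https://clients2.google.com/service/update2/crx"

=== End of ExportKey ===
HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif => removed successfully
HKLM\System\CurrentControlSet\Services\RimUsb => removed successfully
RimUsb => service removed successfully
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\OpwareSE2" => removed successfully
C:\Windows\System32\Tasks\Norton Security\Norton Security Error Analyzer => moved successfully
C:\Example\constructed.tmp => could not be removed

========= sfc /scannow =========

Beginning system scan. This process will take some time.

Windows Resource Protection could not perform the requested operation.

========= End of CMD: =========

========= DISM /Online /Cleanup-Image /CheckHealth =========

0

========= End of CMD: =========

The system needed a reboot.
==== End of Fixlog 18:57:27 ====
"""

SECTION = re.compile(r"^=+ (.+?) =+$")   # "===== name ====="
ACTION = re.compile(r"^(.+?) => (.+)$")  # "target => result"
# Assumption: the only failure phrase matched is the one seen in this thread.
FAILURE_MARKERS = ("could not perform the requested operation",)


def parse_fixlog(text):
    """Return (directives, actions, commands) from a Fixlog's text."""
    directives, actions, commands = [], [], {}
    wanted_cmds = set()   # commands requested via "cmd:" in the fixlist
    in_fixlist = False    # inside the echoed Start:: ... End:: block
    current_cmd = None    # name of the cmd section being collected
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Start::":
            in_fixlist = True
            continue
        if line == "End::":
            in_fixlist = False
            continue
        if in_fixlist:
            # Echoed script lines may contain "=>"; they are not results.
            directives.append(line)
            if line.lower().startswith("cmd:"):
                wanted_cmds.add(line[4:].strip())
            continue
        header = SECTION.match(line)
        if current_cmd is not None:
            if header and header.group(1).startswith("End of CMD"):
                current_cmd = None
            else:
                commands[current_cmd].append(line)
            continue
        if header:
            # Only headers naming a requested command open a cmd section;
            # ExportKey and End-of-Fixlog banners are skipped.
            if header.group(1) in wanted_cmds:
                current_cmd = header.group(1)
                commands[current_cmd] = []
            continue
        m = ACTION.match(line)
        if m:
            actions.append((m.group(1), m.group(2)))
    return directives, actions, commands


def triage(text):
    """Summarise a Fixlog: what succeeded and what needs a second look."""
    directives, actions, commands = parse_fixlog(text)
    review = [t for t, r in actions if not r.endswith("successfully")]
    failed_cmds = [
        cmd for cmd, out in commands.items()
        if any(mark in l.lower() for l in out for mark in FAILURE_MARKERS)
    ]
    return {
        "directives": len(directives),
        "ok": len(actions) - len(review),
        "review": review,
        "failed_cmds": failed_cmds,
        "cmd_output": commands,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FIXLOG).items():
        print(f"{key}: {value}")
```
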

  6. Oh My!

    Oh My! Malware Expert Staff Member

    I am ending for the evening but let me know if you get any pop ups. I removed 2 Chrome extensions and I want to see if those might have been the source of the problem.
     
  7. Fishhead

    Fishhead Private First Class

    I was feeling pretty good that perhaps this had all come to an end. But the popup notice appeared once again.

    Now while I ran the FRST scan, I had Norton notifications turned off. I do not know if that would have influenced the result. Once the fix run was complete I turned the notifications back on to see if the fix had worked. I do not know whether the scan would have produced something different with the notification switch on.

    Bottom line I still have a problem.
     
  8. Fishhead

    Fishhead Private First Class

    I ran the scan with the notifications allowed switch on and a popup notification on the screen. I am attaching both files here. If this is not an issue then disregard.

    But I hope that you have additional suggestions.

    Thank you.
     

    Attached Files:

  9. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings.

    Norton notification settings don't change anything.

    • Launch Chrome
    • Copy and paste chrome://settings/help into the address bar and hit Enter
    • Let me know if you have Version 109 or another version
     
  10. Fishhead

    Fishhead Private First Class

    I have version 109. I do not use Chrome often. Firefox is my usual browser.
     
  11. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you for the information.

    The issue is not malware related but rather related to running Windows 8.1 and using an older version of Chrome (109).

    The pop up is referencing an old Certificate that was once valid but is now expired. The updated version of the Certificate was automatically applied to newer versions of Chrome. This version is not applicable to Chrome Version 109, which is the latest version supporting Windows 8.1.

    As I am sure you are already aware, continuing with Windows 8.1 brings with it security risks. Beyond the operating system being vulnerable, the inability to update other programs, as in this case, can also open the means by which someone can access and/or compromise your computer. There is no evidence the security vulnerability identified by Norton has been breached, only that the avenue through which a breach could occur exists.

    The question now is how we want to handle it. Here are some options:

    • Uninstall Chrome
    • Live with it
    • Create an exclusion for the site so it will no longer be detected (though the vulnerability will still exist)
    • Disable Safe Web
    • Attempt to identify the specific source within Chrome (extension?) so that we can eliminate it (this may not be possible)

    Let me know your thoughts.
     
  12. Fishhead

    Fishhead Private First Class

    Sorry for the slow response, the power went out here.

    I removed Chrome since I was not using it as a browser anyway. I set Norton back so that I would receive notifications. I rebooted my computer. Everything looked promising and then the power went out.

    The power came back on around 30 minutes ago and the notice has appeared once again. So removing Chrome did not solve the issue. Looking at your list of options, #1 did not work, #2 is not desirable, I would need some help with #3, #4, #5.
     
  13. Fishhead

    Fishhead Private First Class

    But then if uninstalling Chrome did not resolve the problem, Chrome was not the issue and the other options may not work if they also relate to Chrome.
     
  14. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings.

    If you chose uninstall I wanted to do that a special way. We can work around that.

    Please do this.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    Zip: C:\ProgramData\Norton\Antivirus\report
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    • The tool will create a zipped folder on the Desktop with today's date. Please attach it to your reply.
    ===================================================

    Farbar Recovery Scan Tool SearchAll

    --------------------
    • Right click on FRST and select Run as administrator
    • Copy/paste the following in the Search: box
    Code:
    SearchAll: Chrome
    
    • Click Search Files
    • When completed click OK and a Search.txt document will open on your desktop
    • Please zip and upload the file to GoFile or the file hosting site of your choice and post the download link in your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Attached zip file
    • Download link
     
  15. Fishhead

    Fishhead Private First Class

    Attached is the Fixlog Zip file. Below is the copy and paste Fix results. Finally, at the bottom is a link to download the Search file.

    If I missed anything, please let me know.


    Fix result of Farbar Recovery Scan Tool (x64) Version: 17-03-2025
    Ran by Peter (17-03-2025 08:13:58) Run:2
    Running from C:\Users\Peter\Downloads
    Loaded Profiles: Peter
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    Zip: C:\ProgramData\Norton\Antivirus\report
    End::
    *****************

    ================== Zip: ===================
    C:\ProgramData\Norton\Antivirus\report -> copied successfully to C:\Users\Peter\Desktop\17.03.2025_08.13.58.zip
    =========== Zip: End ===========

    ==== End of Fixlog 08:13:58 ====


    Download link: http://www.trawl.org/Search.zip
     

    Attached Files:

  16. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you.

    Can you confirm the Norton pop up is the exact same thing as the screen shot you posted in your initial post? Oddly, there is no reference to that activity in the Norton report logs.

    Please run this.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    SystemRestore: On
    CreateRestorePoint:
    CloseProcesses:
    2025-03-09 08:52 - 2025-03-09 08:52 _____ C:\Windows\Temp\_norton_
    2020-01-21 16:57 - 2020-01-21 16:57 _____ C:\Users\Peter\AppData\Roaming\Thunderbird\Profiles\z7skbtmm.default\storage\permanent\chrome
    2022-07-27 19:25 - 2022-07-27 19:25 _____ C:\Users\Peter\AppData\Roaming\Thunderbird\Profiles\0rkdv4uv.default\storage\permanent\chrome
    2020-02-11 16:22 - 2020-02-11 16:22 _____ C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\dlv54bdw.default-release\storage\permanent\chrome
    2018-01-04 17:51 - 2018-01-04 17:54 _____ C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\chrome
    2017-11-28 11:08 - 2017-11-28 11:08 _____ C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\storage\permanent\chrome
    2022-09-20 21:18 - 2022-09-20 21:18 _____ C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\hi9hobge.MozillaBackgroundTask-E7CF176E110C211B-backgroundupdate\storage\permanent\chrome
    2022-09-20 22:57 - 2022-09-20 22:57 _____ C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\fuexj3k0.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage\permanent\chrome
    2017-04-30 14:09 - 2017-04-30 14:09 ____C C:\Users\Peter\AppData\Local\Microsoft\Windows\WER\ReportArchive\Critical_chrome.exe_323fe862b51944c5e0e3ce848b6a779d8e1d33e3_ed59bbbb_0c34c839
    2017-04-29 11:11 - 2017-04-29 11:11 ____C C:\Users\Peter\AppData\Local\Microsoft\Windows\WER\ReportArchive\Critical_chrome.exe_4a685883d81721396a75a76a3b70e53c7b4fcd_ed59bbbb_4e78a148
    2017-04-29 11:19 - 2017-04-29 11:19 ____C C:\Users\Peter\AppData\Local\Microsoft\Windows\WER\ReportArchive\Critical_chrome.exe_4a685883d81721396a75a76a3b70e53c7b4fcd_ed59bbbb_55b791d5
    2017-04-04 08:49 - 2017-04-04 08:49 ____C C:\Users\Peter\AppData\Local\Microsoft\Windows\WER\ReportArchive\Critical_chrome.exe_4d18be94675af1913f3b7cce5aef7dae5fcee7_df65d7d2_581ca316
    2017-04-05 12:39 - 2017-04-05 12:39 ____C C:\Users\Peter\AppData\Local\Microsoft\Windows\WER\ReportArchive\Critical_chrome.exe_b897535571a9da7892d6387c5645a4feb4d1bb6_df65d7d2_4d75b559
    2017-01-10 12:27 - 2025-03-13 15:34 _____ C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\Browsers\chrome.browser
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\Browsers\chrome.browser
    C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\chrome_elf.dll
    C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wcchromenativemessaginghost
    C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\chrome\userChrome.css
    C:\Users\Peter\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\d249d9ddd424b688\Google Chrome.lnk
    C:\Users\Peter\AppData\Local\Temp\chrome_installer.log
    C:\Users\Peter\AppData\Local\Microsoft\Windows\INetCache\IE\O53GROMS\chromeuninstall3[1].htm
    C:\Users\Peter\AppData\Local\Microsoft\Windows\INetCache\IE\8F4EMFAZ\chrome[1].htm
    2025-03-16 13:26 - 2025-03-16 13:26 _____ C:\Users\Peter\AppData\Local\Temp\chrome_BITS_9032_278082136
    2022-08-10 17:06 - 2022-08-10 17:06 _____ C:\Thunderbird 3\z7skbtmm.default\storage\permanent\chrome
    2022-08-10 17:04 - 2022-08-10 17:04 _____ C:\Thunderbird 2\0rkdv4uv.default\storage\permanent\chrome
    2024-12-13 08:50 - 2024-12-13 08:50 _____ C:\Program Files (x86)\Mozilla Thunderbird\chrome
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\2115a283_0|""
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\36a3390c_0|""
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts|ChromeHTML_.pdf
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts|ChromeHTML_.html
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts|ChromeHTML_ftp
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts|ChromeHTML_http
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts|ChromeHTML_https
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts|ChromeHTML_.htm
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Leipzig downloads\ChromeSetup.exe
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.198\Installer\setup.exe
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Users\Peter\Downloads\ChromeSetup.exe
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Program Files\Google\Chrome\Application\98.0.4758.102\Installer\setup.exe
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Users\Peter\Downloads\ChromeSetup(1).exe
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Program Files\Google\Chrome\Application\chrome.exe
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Program Files\Google\Chrome\Application\109.0.5414.168\Installer\setup.exe
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Program Files\Google\Chrome\Application\chrome.exe.FriendlyAppName
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Program Files\Google\Chrome\Application\chrome.exe.ApplicationCompany
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\chrome.exe
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\No Chrome Offer Until
    DeleteKey: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Google\Chrome
    cmd: sc config sc config trustedinstaller start= auto
    cmd: net start trustedinstaller
    cmd: sfc /scannow
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Same Norton pop up?
    • Fixlog
     
  17. Fishhead

    Fishhead Private First Class

    The Norton pop up notice that I received last night was the same as before. I have had all Norton notifications turned off. I turned them off and it just popped up once again. I am attaching a screen shot.



    Fix result of Farbar Recovery Scan Tool (x64) Version: 17-03-2025
    Ran by Peter (17-03-2025 15:47:01) Run:3
    Running from C:\Users\Peter\Downloads
    Loaded Profiles: Peter
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    SystemRestore: On
    CreateRestorePoint:
    CloseProcesses:
    2025-03-09 08:52 - 2025-03-09 08:52 _____ C:\Windows\Temp\_norton_
    2020-01-21 16:57 - 2020-01-21 16:57 _____ C:\Users\Peter\AppData\Roaming\Thunderbird\Profiles\z7skbtmm.default\storage\permanent\chrome
    2022-07-27 19:25 - 2022-07-27 19:25 _____ C:\Users\Peter\AppData\Roaming\Thunderbird\Profiles\0rkdv4uv.default\storage\permanent\chrome
    2020-02-11 16:22 - 2020-02-11 16:22 _____ C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\dlv54bdw.default-release\storage\permanent\chrome
    2018-01-04 17:51 - 2018-01-04 17:54 _____ C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\chrome
    2017-11-28 11:08 - 2017-11-28 11:08 _____ C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\storage\permanent\chrome
    2022-09-20 21:18 - 2022-09-20 21:18 _____ C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\hi9hobge.MozillaBackgroundTask-E7CF176E110C211B-backgroundupdate\storage\permanent\chrome
    2022-09-20 22:57 - 2022-09-20 22:57 _____ C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\fuexj3k0.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage\permanent\chrome
    2017-04-30 14:09 - 2017-04-30 14:09 ____C C:\Users\Peter\AppData\Local\Microsoft\Windows\WER\ReportArchive\Critical_chrome.exe_323fe862b51944c5e0e3ce848b6a779d8e1d33e3_ed59bbbb_0c34c839
    2017-04-29 11:11 - 2017-04-29 11:11 ____C C:\Users\Peter\AppData\Local\Microsoft\Windows\WER\ReportArchive\Critical_chrome.exe_4a685883d81721396a75a76a3b70e53c7b4fcd_ed59bbbb_4e78a148
    2017-04-29 11:19 - 2017-04-29 11:19 ____C C:\Users\Peter\AppData\Local\Microsoft\Windows\WER\ReportArchive\Critical_chrome.exe_4a685883d81721396a75a76a3b70e53c7b4fcd_ed59bbbb_55b791d5
    2017-04-04 08:49 - 2017-04-04 08:49 ____C C:\Users\Peter\AppData\Local\Microsoft\Windows\WER\ReportArchive\Critical_chrome.exe_4d18be94675af1913f3b7cce5aef7dae5fcee7_df65d7d2_581ca316
    2017-04-05 12:39 - 2017-04-05 12:39 ____C C:\Users\Peter\AppData\Local\Microsoft\Windows\WER\ReportArchive\Critical_chrome.exe_b897535571a9da7892d6387c5645a4feb4d1bb6_df65d7d2_4d75b559
    2017-01-10 12:27 - 2025-03-13 15:34 _____ C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\Browsers\chrome.browser
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\Browsers\chrome.browser
    C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\chrome_elf.dll
    C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wcchromenativemessaginghost
    C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\chrome\userChrome.css
    C:\Users\Peter\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\d249d9ddd424b688\Google Chrome.lnk
    C:\Users\Peter\AppData\Local\Temp\chrome_installer.log
    C:\Users\Peter\AppData\Local\Microsoft\Windows\INetCache\IE\O53GROMS\chromeuninstall3[1].htm
    C:\Users\Peter\AppData\Local\Microsoft\Windows\INetCache\IE\8F4EMFAZ\chrome[1].htm
    2025-03-16 13:26 - 2025-03-16 13:26 _____ C:\Users\Peter\AppData\Local\Temp\chrome_BITS_9032_278082136
    2022-08-10 17:06 - 2022-08-10 17:06 _____ C:\Thunderbird 3\z7skbtmm.default\storage\permanent\chrome
    2022-08-10 17:04 - 2022-08-10 17:04 _____ C:\Thunderbird 2\0rkdv4uv.default\storage\permanent\chrome
    2024-12-13 08:50 - 2024-12-13 08:50 _____ C:\Program Files (x86)\Mozilla Thunderbird\chrome
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\2115a283_0|""
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\36a3390c_0|""
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts|ChromeHTML_.pdf
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts|ChromeHTML_.html
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts|ChromeHTML_ftp
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts|ChromeHTML_http
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts|ChromeHTML_https
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts|ChromeHTML_.htm
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Leipzig downloads\ChromeSetup.exe
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.198\Installer\setup.exe
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Users\Peter\Downloads\ChromeSetup.exe
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Program Files\Google\Chrome\Application\98.0.4758.102\Installer\setup.exe
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Users\Peter\Downloads\ChromeSetup(1).exe
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Program Files\Google\Chrome\Application\chrome.exe
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Program Files\Google\Chrome\Application\109.0.5414.168\Installer\setup.exe
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Program Files\Google\Chrome\Application\chrome.exe.FriendlyAppName
    DeleteValue: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache|C:\Program Files\Google\Chrome\Application\chrome.exe.ApplicationCompany
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\chrome.exe
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\No Chrome Offer Until
    DeleteKey: HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Google\Chrome
    cmd: sc config sc config trustedinstaller start= auto
    cmd: net start trustedinstaller
    cmd: sfc /scannow
    End::
    *****************

    SystemRestore: On => completed
    Restore point was successfully created.
    Processes closed successfully.

    "C:\Windows\Temp\_norton_" Folder move:

    Could not move "C:\Windows\Temp\_norton_" => Scheduled to move on reboot.


    "C:\Users\Peter\AppData\Roaming\Thunderbird\Profiles\z7skbtmm.default\storage\permanent\chrome" Folder move:

    C:\Users\Peter\AppData\Roaming\Thunderbird\Profiles\z7skbtmm.default\storage\permanent\chrome => moved successfully

    "C:\Users\Peter\AppData\Roaming\Thunderbird\Profiles\0rkdv4uv.default\storage\permanent\chrome" Folder move:

    C:\Users\Peter\AppData\Roaming\Thunderbird\Profiles\0rkdv4uv.default\storage\permanent\chrome => moved successfully

    "C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\dlv54bdw.default-release\storage\permanent\chrome" Folder move:

    C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\dlv54bdw.default-release\storage\permanent\chrome => moved successfully

    "C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\chrome" Folder move:

    C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\chrome => moved successfully

    "C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\storage\permanent\chrome" Folder move:

    C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\storage\permanent\chrome => moved successfully

    "C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\hi9hobge.MozillaBackgroundTask-E7CF176E110C211B-backgroundupdate\storage\permanent\chrome" Folder move:

    C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\hi9hobge.MozillaBackgroundTask-E7CF176E110C211B-backgroundupdate\storage\permanent\chrome => moved successfully

    "C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\fuexj3k0.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage\permanent\chrome" Folder move:

    C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\fuexj3k0.MozillaBackgroundTask-308046B0AF4A39CB-backgroundupdate\storage\permanent\chrome => moved successfully

    "C:\Users\Peter\AppData\Local\Microsoft\Windows\WER\ReportArchive\Critical_chrome.exe_323fe862b51944c5e0e3ce848b6a779d8e1d33e3_ed59bbbb_0c34c839" Folder move:

    C:\Users\Peter\AppData\Local\Microsoft\Windows\WER\ReportArchive\Critical_chrome.exe_323fe862b51944c5e0e3ce848b6a779d8e1d33e3_ed59bbbb_0c34c839 => moved successfully

    "C:\Users\Peter\AppData\Local\Microsoft\Windows\WER\ReportArchive\Critical_chrome.exe_4a685883d81721396a75a76a3b70e53c7b4fcd_ed59bbbb_4e78a148" Folder move:

    C:\Users\Peter\AppData\Local\Microsoft\Windows\WER\ReportArchive\Critical_chrome.exe_4a685883d81721396a75a76a3b70e53c7b4fcd_ed59bbbb_4e78a148 => moved successfully

    "C:\Users\Peter\AppData\Local\Microsoft\Windows\WER\ReportArchive\Critical_chrome.exe_4a685883d81721396a75a76a3b70e53c7b4fcd_ed59bbbb_55b791d5" Folder move:

    C:\Users\Peter\AppData\Local\Microsoft\Windows\WER\ReportArchive\Critical_chrome.exe_4a685883d81721396a75a76a3b70e53c7b4fcd_ed59bbbb_55b791d5 => moved successfully

    "C:\Users\Peter\AppData\Local\Microsoft\Windows\WER\ReportArchive\Critical_chrome.exe_4d18be94675af1913f3b7cce5aef7dae5fcee7_df65d7d2_581ca316" Folder move:

    C:\Users\Peter\AppData\Local\Microsoft\Windows\WER\ReportArchive\Critical_chrome.exe_4d18be94675af1913f3b7cce5aef7dae5fcee7_df65d7d2_581ca316 => moved successfully

    "C:\Users\Peter\AppData\Local\Microsoft\Windows\WER\ReportArchive\Critical_chrome.exe_b897535571a9da7892d6387c5645a4feb4d1bb6_df65d7d2_4d75b559" Folder move:

    C:\Users\Peter\AppData\Local\Microsoft\Windows\WER\ReportArchive\Critical_chrome.exe_b897535571a9da7892d6387c5645a4feb4d1bb6_df65d7d2_4d75b559 => moved successfully

    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn" Folder move:

    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn => moved successfully
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\Browsers\chrome.browser => moved successfully
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\Browsers\chrome.browser => moved successfully
    C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\chrome_elf.dll => moved successfully
    C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wcchromenativemessaginghost => moved successfully
    "C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\chrome\userChrome.css" => not found
    C:\Users\Peter\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\d249d9ddd424b688\Google Chrome.lnk => moved successfully
    C:\Users\Peter\AppData\Local\Temp\chrome_installer.log => moved successfully
    C:\Users\Peter\AppData\Local\Microsoft\Windows\INetCache\IE\O53GROMS\chromeuninstall3[1].htm => moved successfully
    C:\Users\Peter\AppData\Local\Microsoft\Windows\INetCache\IE\8F4EMFAZ\chrome[1].htm => moved successfully

    "C:\Users\Peter\AppData\Local\Temp\chrome_BITS_9032_278082136" Folder move:

    C:\Users\Peter\AppData\Local\Temp\chrome_BITS_9032_278082136 => moved successfully

    "C:\Thunderbird 3\z7skbtmm.default\storage\permanent\chrome" Folder move:

    C:\Thunderbird 3\z7skbtmm.default\storage\permanent\chrome => moved successfully

    "C:\Thunderbird 2\0rkdv4uv.default\storage\permanent\chrome" Folder move:

    C:\Thunderbird 2\0rkdv4uv.default\storage\permanent\chrome => moved successfully

    "C:\Program Files (x86)\Mozilla Thunderbird\chrome" Folder move:

    C:\Program Files (x86)\Mozilla Thunderbird\chrome => moved successfully
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\2115a283_0\\" => removed successfully
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\36a3390c_0\\" => removed successfully
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\\ChromeHTML_.pdf" => removed successfully
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\\ChromeHTML_.html" => removed successfully
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\\ChromeHTML_ftp" => removed successfully
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\\ChromeHTML_http" => removed successfully
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\\ChromeHTML_https" => removed successfully
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\\ChromeHTML_.htm" => removed successfully
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\\C:\Leipzig downloads\ChromeSetup.exe" => removed successfully
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\\C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" => removed successfully
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\\C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.198\Installer\setup.exe" => removed successfully
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\\C:\Users\Peter\Downloads\ChromeSetup.exe" => removed successfully
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\\C:\Program Files\Google\Chrome\Application\98.0.4758.102\Installer\setup.exe" => removed successfully
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\\C:\Users\Peter\Downloads\ChromeSetup(1).exe" => removed successfully
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\\C:\Program Files\Google\Chrome\Application\chrome.exe" => removed successfully
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\\C:\Program Files\Google\Chrome\Application\109.0.5414.168\Installer\setup.exe" => removed successfully
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\\C:\Program Files\Google\Chrome\Application\chrome.exe.FriendlyAppName" => removed successfully
    "HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\\C:\Program Files\Google\Chrome\Application\chrome.exe.ApplicationCompany" => removed successfully
    HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome => removed successfully
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome => removed successfully
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\chrome.exe => removed successfully
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\No Chrome Offer Until => removed successfully
    HKEY_USERS\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Google\Chrome => removed successfully

    ========= sc config sc config trustedinstaller start= auto =========

    DESCRIPTION:
    Modifies a service entry in the registry and Service Database.
    USAGE:
    sc <server> config [service name] <option1> <option2>...

    OPTIONS:
    NOTE: The option name includes the equal sign.
    A space is required between the equal sign and the value.
    type= <own|share|interact|kernel|filesys|rec|adapt>
    start= <boot|system|auto|demand|disabled|delayed-auto>
    error= <normal|severe|critical|ignore>
    binPath= <BinaryPathName to the .exe file>
    group= <LoadOrderGroup>
    tag= <yes|no>
    depend= <Dependencies(separated by / (forward slash))>
    obj= <AccountName|ObjectName>
    DisplayName= <display name>
    password= <password>


    ========= End of CMD: =========


    ========= net start trustedinstaller =========

    The requested service has already been started.

    More help is available by typing NET HELPMSG 2182.



    ========= End of CMD: =========


    ========= sfc /scannow =========



    Beginning system scan. This process will take some time.



    Beginning verification phase of system scan.




    Windows Resource Protection could not perform the requested operation.



    ========= End of CMD: =========
     

    Attached Files:
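As an added example (not part of the thread and not FRST's own code): a short Python script that triages a Fixlog like the one posted above, counting each outcome and listing the entries that did not complete, including the `sc config` command that printed its usage text and the `sfc /scannow` run that could not perform the operation. The embedded excerpt is constructed from lines of that log, and the failure markers and function name are assumptions chosen for this example.

```python
import re
from collections import Counter

# Constructed excerpt: a handful of lines copied from the Fixlog in the post above.
SAMPLE_FIXLOG = r'''
Could not move "C:\Windows\Temp\_norton_" => Scheduled to move on reboot.
C:\Users\Peter\AppData\Local\Temp\chrome_installer.log => moved successfully
"C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\d4ko8pzl.default-1511892438926\chrome\userChrome.css" => not found
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome => removed successfully

========= sc config sc config trustedinstaller start= auto =========

DESCRIPTION:
Modifies a service entry in the registry and Service Database.
USAGE:
sc <server> config [service name] <option1> <option2>...

========= End of CMD: =========

========= net start trustedinstaller =========

The requested service has already been started.

========= End of CMD: =========

========= sfc /scannow =========

Beginning system scan. This process will take some time.

Windows Resource Protection could not perform the requested operation.

========= End of CMD: =========
'''

CMD_START = re.compile(r'^={9} (?P<cmd>.+) ={9}$')
CMD_END = "========= End of CMD: ========="

# Outcomes that need no follow-up.
OK_OUTCOMES = {"moved successfully", "removed successfully", "completed"}

# Assumption: heuristic markers for this example. "USAGE:" means the tool
# rejected the command line and printed its help text instead of running.
CMD_FAILURE_MARKERS = ("USAGE:", "could not perform the requested operation")


def triage_fixlog(text):
    """Return (Counter of outcomes, list of entries that need follow-up)."""
    outcomes = Counter()
    follow_up = []
    current_cmd = None   # command line of the "cmd:" section being read
    cmd_output = []      # output lines collected for that section

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # The end marker also fits the CMD_START pattern, so test it first.
        if line == CMD_END:
            if current_cmd is not None:
                joined = "\n".join(cmd_output).lower()
                hits = [m for m in CMD_FAILURE_MARKERS if m.lower() in joined]
                if hits:
                    outcomes["cmd flagged"] += 1
                    follow_up.append(("command", current_cmd, hits[0]))
                else:
                    outcomes["cmd unflagged"] += 1
            current_cmd, cmd_output = None, []
            continue

        start = CMD_START.match(line)
        if start:
            current_cmd, cmd_output = start.group("cmd"), []
            continue

        if current_cmd is not None:
            cmd_output.append(line)
            continue

        # File and registry results have the form "<item> => <outcome>".
        if " => " in line:
            item, outcome = line.rsplit(" => ", 1)
            outcome = outcome.rstrip(".").lower()
            item = re.sub(r"^Could not move ", "", item).strip('"')
            outcomes[outcome] += 1
            if outcome not in OK_OUTCOMES:
                follow_up.append(("item", item, outcome))

    return outcomes, follow_up


if __name__ == "__main__":
    counts, todo = triage_fixlog(SAMPLE_FIXLOG)
    for outcome, n in sorted(counts.items()):
        print(f"{n:3d}  {outcome}")
    print("\nNeeds follow-up:")
    for kind, what, why in todo:
        print(f"  [{kind}] {what}  ({why})")
```
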

  18. Oh My!

    Oh My! Malware Expert Staff Member

    On the Norton pop up click on See details and take another screen shot.
     
  19. Fishhead

    Fishhead Private First Class

    Attached.
     

    Attached Files:

  20. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you for the confirmation.

    Please do this.

    ===================================================

    TCPLogView by Nirsoft

    --------------------

    • Download TCPLogView for 64 Bit computers and save it to your Desktop
    • Unzip the folder onto your Desktop
    • Right click on the TcpLogView Application icon and select Run as administrator
    • Monitor the log until you see the Norton pop up
    • Click File then Save All Items
    • Click View, then HTML Report - All Items
    • When a Firefox page with the information appears, in the upper right hand corner of the browser window click File, Save Page As... and save the file on your Desktop as TCPView
    • Zip and attach the report to your reply
    ===================================================

    Things I would like to see in your next reply.
    • Attached zip file
     
  21. Fishhead

    Fishhead Private First Class

    I followed your instruction. The popup appeared and I clicked File and Save All Items. A window appeared and wanted a file name. I typed in tcpt-save and hit OK. I went to View, I could see HTML Report but it was grayed out and I could not click on it.

    I am going to reboot and try once again.
     
  22. Oh My!

    Oh My! Malware Expert Staff Member

    Sorry there is an additional step you might need to take. Highlighted in red.

    ===================================================

    TCPLogView by Nirsoft

    --------------------

    • Download TCPLogView for 64 Bit computers and save it to your Desktop
    • Unzip the folder onto your Desktop
    • Right click on the TcpLogView Application icon and select Run as administrator
    • Monitor the log until you see the Norton pop up
    • Click Edit, then Select All
    • Click File then Save All Items
    • Click View, then HTML Report - All Items
    • When a Firefox page with the information appears, in the upper right hand corner of the browser window click File, Save Page As... and save the file on your Desktop as TCPView
    • Zip and attach the report to your reply
     
  23. Fishhead

    Fishhead Private First Class

    Thanks, the additional step made it work.
     

    Attached Files:

  24. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you.

    I will need some time to evaluate. I will post back tomorrow.
     
  25. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you for your patience.

    I think I have identified the clue but I will need to have some time to evaluate and test how to obtain additional information leading to the source of the issue. As this process may be complicated I want to determine the most user friendly way for our next step.
     
  26. Fishhead

    Fishhead Private First Class

    Thank you.
     
  27. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you again for your patience.

    Please do this.

    ===================================================

    Process Monitor Utilizing Customized Import Configuration File

    --------------------
    • Download Process Monitor and save it to your Desktop
    • Download Fishhead.pmc and save it to your Desktop
    • Right click on ProcMon and select Run as administrator
    • Hit the Ctrl + E keys at the same time to stop capturing events
    • Hit the Ctrl + X keys at the same time to clear the display
    • Click File, then Import Configuration...
    • Double click on the Fishhead.pmc file
    • On the bottom left hand corner of the Process Monitor screen confirm it says No events (capture disabled)
    • Hit the Ctrl + E keys at the same time to start capturing events (capture disabled should disappear)
    • Allow Process Monitor to continue running until the Norton pop up appears
    • When an event occurs hit the Ctrl + E keys at the same time to stop capturing events
    • Click File, Save, and save the file onto your Desktop using the default file name
    • Please zip and upload the file to GoFile or the file hosting site of your choice and post the download link in your reply.
    ===================================================

    Things I would like to see in your next reply.
    • Download link
     
  28. Fishhead

    Fishhead Private First Class

  29. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you for the report.

    I will be reviewing it tomorrow morning when my brain is a bit more awake....

    Gary
     
  30. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you for allowing me some time.

    Code:
    Microsoft Office Home and Business 2013
    This is the culprit and makes sense since the program is 12 years old.

    Let's see if we can do something about the pop up. Please do this.

    ===================================================

    TaskSchedulerView by Nirsoft

    --------------
    • Download TaskSchedulerView 64 bit and save it to your Desktop
    • Right click on the folder, select Extract All... and extract the folder onto your Desktop
    • Right click on the TaskschedulerView application icon and select Run as administrator
    • Once the window is populated click Edit, then Select All
    • Click View, then HTML Report - All Items
    • When your browser opens click File, Save Page As... and save the file onto your Desktop with the default name
    • Please zip and attach the file to your reply
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Attached file
     
  31. Fishhead

    Fishhead Private First Class

    Attached
     

    Attached Files:

  32. Oh My!

    Oh My! Malware Expert Staff Member

    Please do this.

    ===================================================

    TaskSchedulerView by Nirsoft - Disabling Tasks

    --------------

    • Right click on the TaskschedulerView application icon and select Run as administrator
    • Individually right click on the below entries and select Disable Selected Items each time
    Office Automatic Updates
    Office ClickToRun Service Monitor
    • Reboot your computer
    ===================================================

    Modifying Service State and Startup Type

    --------------------

    • Click Start, type services.msc then hit Enter
    • Locate and right click on Microsoft Office Click-to-Run Service and select Properties
    • Under Service status click Stop
    • To the right of Startup type: click the down arrow and change it to Disabled
    • Click Apply then OK
    • Close all open windows, reboot your computer, and monitor for Norton pop ups
    ===================================================

    Things I would like to see in your next reply.
    • Results?
     
  33. Fishhead

    Fishhead Private First Class

    I completed the tasks, but the notification still is popping up. Attached.
     

    Attached Files:

  34. Oh My!

    Oh My! Malware Expert Staff Member

    At what point after booting does it appear?
     
  35. Fishhead

    Fishhead Private First Class

    I did not time it, but I would guess that it was 30-40 minutes.
     
  36. Oh My!

    Oh My! Malware Expert Staff Member

    This is a tough one.

    The first thing I would like is for you to launch Firefox without extensions and monitor it to see if you receive the pop up. If you do, continue on with the Process Monitor/Fixlist instructions as explained below.

    I would like you to set up FRST as detailed below and have it ready to just click Fix.
    Run Process Monitor again and when the pop up appears click Fix.
    Upload the file and provide the download link like you did here. Copy and paste the contents of the Fixlog report in your reply.

    ===================================================

    Running Firefox in Browser Safe Mode

    --------------------
    • Close any open Firefox windows
    • Hold down the Shift Key and launch Firefox
    • Click Open
    • Monitor the browser and if the pop up appears continue with the next steps
    ===================================================

    Farbar Recovery Scan Tool - Run Fix Using Attached File

    --------------------
    • Download the attached file and save it in the same location as FRST.exe (example, Desktop, USB device) <<< Important
    • Right click on FRST and select Run as administrator
    • Wait for the pop up to appear
    • Immediately after the pop up appears click Fix
    • The tool will create a log on the desktop called Fixlog.txt
    • Copy and paste the contents of the report in your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Firefox Safe Mode results
    • Download link
    • Fixlog
     

  37. Fishhead

    Fishhead Private First Class

    You wrote "Download the attached file and save it in the same location as FRST.exe (example, Desktop, USB device) <<< Important". I do not see an attached file. Am I confusing myself?

    Also, something new has occurred several times. In Firefox when I go to select a bookmark, or logging into an account, once while typing an email. The number 5 repeats itself in a long string of fives. It just did it when typing this message and I had to erase them. Weird.
     
  38. Oh My!

    Oh My! Malware Expert Staff Member

    Sorry about the file, it is now attached to the previous post.

    That may be a keyboard issue. When that happens open Notepad and see if you experience the same issue.

    Do you use any of the below?

    MSN Food & Drink -> C:\Program Files\WindowsApps\Microsoft.BingFoodAndDrink_3.0.4.336_x64__8wekyb3d8bbwe [2015-07-14] (Microsoft Corporation) [MS Ad]
    MSN Health & Fitness -> C:\Program Files\WindowsApps\Microsoft.BingHealthAndFitness_3.0.4.336_x64__8wekyb3d8bbwe [2015-07-14] (Microsoft Corporation) [MS Ad]
    MSN Money -> C:\Program Files\WindowsApps\Microsoft.BingFinance_3.0.4.344_x64__8wekyb3d8bbwe [2016-04-27] (Microsoft Corporation) [MS Ad]
    MSN News -> C:\Program Files\WindowsApps\Microsoft.BingNews_3.0.4.344_x64__8wekyb3d8bbwe [2016-04-27] (Microsoft Corporation) [MS Ad]
    MSN Sports -> C:\Program Files\WindowsApps\Microsoft.BingSports_3.0.4.345_x64__8wekyb3d8bbwe [2016-04-29] (Microsoft Corporation) [MS Ad]
    MSN Travel -> C:\Program Files\WindowsApps\Microsoft.BingTravel_3.0.4.336_x64__8wekyb3d8bbwe [2015-07-14] (Microsoft Corporation) [MS Ad]
    MSN Weather -> C:\Program Files\WindowsApps\Microsoft.BingWeather_3.0.4.350_x64__8wekyb3d8bbwe [2016-11-23] (Microsoft Corporation) [MS Ad]
     
  39. Fishhead

    Fishhead Private First Class

    I do not use anything on MSN.
     
  40. Oh My!

    Oh My! Malware Expert Staff Member

    This is in addition to my previous instructions to complete.

    Follow the instructions under Windows 8.1 and 8 and uninstall the following:

    MSN Food & Drink
    MSN Health & Fitness
    MSN Money
    MSN News
    MSN Sports
    MSN Travel
    MSN Weather
     
  41. Fishhead

    Fishhead Private First Class

    First, the number 5 repeating itself was related to my keyboard. I notice the 5 key was lower than the others. I push it down and now it does not bounce back at all.

    I will delete the MSN programs.

    Yes, the notification pops up when Firefox is opened in Safe Mode.

    http://www.trawl.org/Logfile.zip


    Fix result of Farbar Recovery Scan Tool (x64) Version: 18-03-2025
    Ran by Peter (20-03-2025 07:54:24) Run:4
    Running from C:\Users\Peter\Downloads
    Loaded Profiles: Peter
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    cmd: tasklist /v
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
    HKU\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCJB
    SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2017-07-18] (Microsoft Corporation -> Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2015-07-13] (Microsoft Corporation -> Microsoft Corporation)
    cmd: sc query ClickToRunSvc
    *****************


    ========= tasklist /v =========




    ========= End of CMD: =========

    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => removed successfully
    HKU\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Internet Explorer\Main\\"Default_Page_URL"="http://go.microsoft.com/fwlink/?LinkId=69157" => value restored successfully
    HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => removed successfully
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => removed successfully
    HKLM\Software\Wow6432Node\Classes\PROTOCOLS\Handler\osf => removed successfully
    HKLM\Software\Wow6432Node\Classes\CLSID\{D924BDC6-C83A-4BD5-90D0-095128A113D1} => removed successfully
    "HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2015-07-13] (Microsoft Corporation" => not found
    "FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2015-07-13] (Microsoft Corporation -> Microsoft Corporation)" => not found

    ========= sc query ClickToRunSvc =========


    SERVICE_NAME: ClickToRunSvc
    TYPE : 10 WIN32_OWN_PROCESS
    STATE : 1 STOPPED
    WIN32_EXIT_CODE : 1077 (0x435)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0


    ========= End of CMD: =========


    ==== End of Fixlog 07:54:26 ====
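
A reviewer reading a Fixlog like the one in the post above needs two things from it: which fixlist entries were actually applied, and whether ClickToRunSvc stayed down after being disabled. The Python sketch below is an added example, not part of the thread and not FRST's own code; it parses a constructed, shortened copy of that log, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: a shortened Fixlog in the layout of the post above. The result
# lines and the sc query block are copied from that post; the tasklist rows are cut down.
SAMPLE_FIXLOG = r'''Fix result of Farbar Recovery Scan Tool (x64) Version: 18-03-2025
Boot Mode: Normal
==============================================

fixlist content:
*****************
cmd: tasklist /v
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
cmd: sc query ClickToRunSvc
*****************

========= tasklist /v =========

========================= ======== ================
smss.exe 412 Services 0 1,096 K Unknown NT AUTHORITY\SYSTEM 0:00:00 N/A

========= End of CMD: =========

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => removed successfully
HKU\S-1-5-21-1971205275-670237270-3699019941-1001\Software\Microsoft\Internet Explorer\Main\\"Default_Page_URL"="http://go.microsoft.com/fwlink/?LinkId=69157" => value restored successfully
HKLM\Software\Wow6432Node\Classes\PROTOCOLS\Handler\osf => removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2015-07-13] (Microsoft Corporation" => not found

========= sc query ClickToRunSvc =========

SERVICE_NAME: ClickToRunSvc
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)

========= End of CMD: =========

==== End of Fixlog 07:54:26 ====
'''

# Banner lines look like "========= sc query ClickToRunSvc =========".
BANNER = re.compile(r"^=+\s+(?P<title>.+?)\s+=+$")

# Win32 error 1077 is ERROR_SERVICE_NEVER_STARTED: no start attempt since the last boot.
ERROR_SERVICE_NEVER_STARTED = 1077


def parse_fixlog(text):
    """Return (results, commands): per-entry outcomes and raw output per cmd: directive."""
    results, commands = [], {}
    in_fixlist, stars_seen, current_cmd = False, 0, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("fixlist content:"):
            in_fixlist, stars_seen = True, 0
            continue
        if in_fixlist:
            # The echoed script sits between two rows of asterisks; it is input, not a result.
            if set(line) == {"*"}:
                stars_seen += 1
                in_fixlist = stars_seen < 2
            continue
        match = BANNER.match(line)
        title = match.group("title") if match else None
        if current_cmd is not None:
            # Inside command output only the End of CMD banner closes the block;
            # tasklist's own "==== ====" column rule must not be read as a new banner.
            if title and title.startswith("End of CMD"):
                current_cmd = None
            else:
                commands[current_cmd].append(line)
            continue
        if title:
            if title.startswith("End of Fixlog"):
                break
            current_cmd = title
            commands[current_cmd] = []
            continue
        # Entries may contain "->", so split on the last " => " only.
        item, sep, outcome = line.rpartition(" => ")
        if sep:
            if item.startswith('"') and item.endswith('"'):
                item = item[1:-1]
            results.append((item, outcome))
    return results, commands


def parse_sc_query(lines):
    """Turn 'KEY : value' lines from sc query into a dict."""
    fields = {}
    for line in lines:
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def service_stayed_down(fields):
    """True when the service is STOPPED and has not been started since boot."""
    state = fields.get("STATE", "").split()
    exit_code = fields.get("WIN32_EXIT_CODE", "").split()
    stopped = len(state) >= 2 and state[1] == "STOPPED"
    never_started = bool(exit_code) and exit_code[0] == str(ERROR_SERVICE_NEVER_STARTED)
    return stopped and never_started


def summarize(text):
    results, commands = parse_fixlog(text)
    service = next((parse_sc_query(out) for cmd, out in commands.items()
                    if cmd.startswith("sc query")), {})
    return {
        "counts": dict(Counter(outcome for _, outcome in results)),
        "not_applied": [i for i, o in results if not o.endswith("successfully")],
        "service": service,
        "service_stayed_down": service_stayed_down(service),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_FIXLOG))
```

On this sample the only entry not applied is the MozillaPlugins key, reported as not found, and exit code 1077 together with STATE STOPPED shows the disabled Click-to-Run service was not started after the reboot.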
     
  42. Fishhead

    Fishhead Private First Class

    I could not find any of the MSN programs on my computer.
     
  43. Oh My!

    Oh My! Malware Expert Staff Member

    After you have completed the Search instructions I would like you to complete the modified Process Monitor step. It is going to require your constant presence until a pop up occurs.

    Please do this.

    ===================================================

    Farbar Recovery Scan Tool Search

    --------------------
    • Launch FRST
    • Type the following in the Search: box
    Code:
    Microsoft.Bing*
    
    • Click Search Files button
    • When completed click OK and a Search.txt document will open on your desktop
    • Copy and paste the contents of that document in your reply
    ===================================================

    Process Monitor

    --------------------
    • Right click on ProcMon and select Run as administrator
    • Hit the Ctrl + E keys at the same time to stop capturing events
    • Hit the Ctrl + X keys at the same time to clear the display
    • Click Filter, then Reset Filter
    • Hit the Ctrl + E keys at the same time to start capturing events
    • About every 30 seconds, if a pop up has not occurred, hit the Ctrl + X keys at the same time to clear the display (logging will continue)
    • Once a pop up appears hit the Ctrl + E keys at the same time to stop capturing events
    • Click File, Save, and save the file onto your Desktop using the default file name
    • Please zip and upload the file to GoFile or the file hosting site of your choice and post the download link in your reply.
    ===================================================

    Things I would like to see in your next reply.
    • Search.txt
    • Download link
     
  44. Fishhead

    Fishhead Private First Class

    Link: http://www.trawl.org/Logfile.zip

    Farbar Recovery Scan Tool (x64) Version: 18-03-2025
    Ran by Peter (20-03-2025 12:42:13)
    Running from C:\Users\Peter\Downloads
    Boot Mode: Normal

    ================== Search Files: "Microsoft.Bing*" =============

    ====== End of Search ======
     
  45. Oh My!

    Oh My! Malware Expert Staff Member

    I am not sure what happened but Process Monitor did not capture the pop up activity. Any ideas?

    Please do this.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    SystemRestore: On
    CreateRestorePoint:
    CloseProcesses:
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFinance_2016.408.1841.3666_neutral_~_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFinance_3.0.4.212_neutral_split.scale-140_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFinance_3.0.4.212_neutral_split.scale-180_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFinance_3.0.4.344_x64__8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFoodAndDrink_2015.709.2015.1275_neutral_~_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFoodAndDrink_3.0.4.212_neutral_split.scale-140_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFoodAndDrink_3.0.4.212_neutral_split.scale-180_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFoodAndDrink_3.0.4.336_x64__8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingHealthAndFitness_2015.709.2016.264_neutral_~_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingHealthAndFitness_3.0.4.212_neutral_split.scale-140_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingHealthAndFitness_3.0.4.212_neutral_split.scale-180_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingHealthAndFitness_3.0.4.336_x64__8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingMaps_2.1.3230.2048_neutral_split.scale-140_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingMaps_2.1.3230.2048_neutral_split.scale-180_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingMaps_2.1.3230.2048_x64__8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingMaps_2014.830.1811.3840_neutral_~_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingNews_2016.408.1840.2841_neutral_~_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingNews_3.0.4.213_neutral_split.scale-140_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingNews_3.0.4.213_neutral_split.scale-180_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingNews_3.0.4.344_x64__8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingSports_2016.427.112.4030_neutral_~_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingSports_3.0.4.212_neutral_split.scale-140_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingSports_3.0.4.212_neutral_split.scale-180_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingSports_3.0.4.345_x64__8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingTravel_2015.709.2019.1414_neutral_~_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingTravel_3.0.4.212_neutral_split.scale-140_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingTravel_3.0.4.212_neutral_split.scale-180_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingTravel_3.0.4.336_x64__8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingWeather_2016.1014.23.3280_neutral_~_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingWeather_3.0.4.214_neutral_split.scale-140_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingWeather_3.0.4.214_neutral_split.scale-180_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingWeather_3.0.4.350_x64__8wekyb3d8bbwe.xml
    C:\Program Files\WindowsApps\Microsoft.BingWeather_3.0.4.350_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd
    C:\Program Files\WindowsApps\Microsoft.BingTravel_3.0.4.336_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd
    C:\Program Files\WindowsApps\Microsoft.BingSports_3.0.4.345_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd
    C:\Program Files\WindowsApps\Microsoft.BingNews_3.0.4.344_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd
    C:\Program Files\WindowsApps\Microsoft.BingMaps_2.1.3230.2048_x64__8wekyb3d8bbwe\Microsoft.Bing.Client.Graph.dll
    C:\Program Files\WindowsApps\Microsoft.BingMaps_2.1.3230.2048_x64__8wekyb3d8bbwe\Microsoft.Bing.Client.Graph.winmd
    C:\Program Files\WindowsApps\Microsoft.BingMaps_2.1.3230.2048_x64__8wekyb3d8bbwe\Microsoft.Bing.Platform.Logging.ClientWinRT.dll
    C:\Program Files\WindowsApps\Microsoft.BingHealthAndFitness_3.0.4.336_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd
    C:\Program Files\WindowsApps\Microsoft.BingFoodAndDrink_3.0.4.336_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd
    C:\Program Files\WindowsApps\Microsoft.BingFinance_3.0.4.344_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Fixlog
     
  46. Fishhead

    Fishhead Private First Class

    On your Process Monitor question I can run once again and see if it works better.




    Fix result of Farbar Recovery Scan Tool (x64) Version: 18-03-2025
    Ran by Peter (20-03-2025 14:20:14) Run:5
    Running from C:\Users\Peter\Downloads
    Loaded Profiles: Peter
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    SystemRestore: On
    CreateRestorePoint:
    CloseProcesses:
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFinance_2016.408.1841.3666_neutral_~_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFinance_3.0.4.212_neutral_split.scale-140_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFinance_3.0.4.212_neutral_split.scale-180_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFinance_3.0.4.344_x64__8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFoodAndDrink_2015.709.2015.1275_neutral_~_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFoodAndDrink_3.0.4.212_neutral_split.scale-140_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFoodAndDrink_3.0.4.212_neutral_split.scale-180_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFoodAndDrink_3.0.4.336_x64__8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingHealthAndFitness_2015.709.2016.264_neutral_~_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingHealthAndFitness_3.0.4.212_neutral_split.scale-140_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingHealthAndFitness_3.0.4.212_neutral_split.scale-180_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingHealthAndFitness_3.0.4.336_x64__8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingMaps_2.1.3230.2048_neutral_split.scale-140_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingMaps_2.1.3230.2048_neutral_split.scale-180_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingMaps_2.1.3230.2048_x64__8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingMaps_2014.830.1811.3840_neutral_~_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingNews_2016.408.1840.2841_neutral_~_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingNews_3.0.4.213_neutral_split.scale-140_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingNews_3.0.4.213_neutral_split.scale-180_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingNews_3.0.4.344_x64__8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingSports_2016.427.112.4030_neutral_~_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingSports_3.0.4.212_neutral_split.scale-140_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingSports_3.0.4.212_neutral_split.scale-180_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingSports_3.0.4.345_x64__8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingTravel_2015.709.2019.1414_neutral_~_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingTravel_3.0.4.212_neutral_split.scale-140_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingTravel_3.0.4.212_neutral_split.scale-180_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingTravel_3.0.4.336_x64__8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingWeather_2016.1014.23.3280_neutral_~_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingWeather_3.0.4.214_neutral_split.scale-140_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingWeather_3.0.4.214_neutral_split.scale-180_8wekyb3d8bbwe.xml
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingWeather_3.0.4.350_x64__8wekyb3d8bbwe.xml
    C:\Program Files\WindowsApps\Microsoft.BingWeather_3.0.4.350_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd
    C:\Program Files\WindowsApps\Microsoft.BingTravel_3.0.4.336_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd
    C:\Program Files\WindowsApps\Microsoft.BingSports_3.0.4.345_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd
    C:\Program Files\WindowsApps\Microsoft.BingNews_3.0.4.344_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd
    C:\Program Files\WindowsApps\Microsoft.BingMaps_2.1.3230.2048_x64__8wekyb3d8bbwe\Microsoft.Bing.Client.Graph.dll
    C:\Program Files\WindowsApps\Microsoft.BingMaps_2.1.3230.2048_x64__8wekyb3d8bbwe\Microsoft.Bing.Client.Graph.winmd
    C:\Program Files\WindowsApps\Microsoft.BingMaps_2.1.3230.2048_x64__8wekyb3d8bbwe\Microsoft.Bing.Platform.Logging.ClientWinRT.dll
    C:\Program Files\WindowsApps\Microsoft.BingHealthAndFitness_3.0.4.336_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd
    C:\Program Files\WindowsApps\Microsoft.BingFoodAndDrink_3.0.4.336_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd
    C:\Program Files\WindowsApps\Microsoft.BingFinance_3.0.4.344_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd
    End::

    Click Fix
    *****************

    SystemRestore: On => completed
    Restore point was successfully created.
    Processes closed successfully.
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFinance_2016.408.1841.3666_neutral_~_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFinance_3.0.4.212_neutral_split.scale-140_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFinance_3.0.4.212_neutral_split.scale-180_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFinance_3.0.4.344_x64__8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFoodAndDrink_2015.709.2015.1275_neutral_~_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFoodAndDrink_3.0.4.212_neutral_split.scale-140_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFoodAndDrink_3.0.4.212_neutral_split.scale-180_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingFoodAndDrink_3.0.4.336_x64__8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingHealthAndFitness_2015.709.2016.264_neutral_~_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingHealthAndFitness_3.0.4.212_neutral_split.scale-140_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingHealthAndFitness_3.0.4.212_neutral_split.scale-180_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingHealthAndFitness_3.0.4.336_x64__8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingMaps_2.1.3230.2048_neutral_split.scale-140_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingMaps_2.1.3230.2048_neutral_split.scale-180_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingMaps_2.1.3230.2048_x64__8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingMaps_2014.830.1811.3840_neutral_~_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingNews_2016.408.1840.2841_neutral_~_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingNews_3.0.4.213_neutral_split.scale-140_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingNews_3.0.4.213_neutral_split.scale-180_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingNews_3.0.4.344_x64__8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingSports_2016.427.112.4030_neutral_~_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingSports_3.0.4.212_neutral_split.scale-140_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingSports_3.0.4.212_neutral_split.scale-180_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingSports_3.0.4.345_x64__8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingTravel_2015.709.2019.1414_neutral_~_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingTravel_3.0.4.212_neutral_split.scale-140_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingTravel_3.0.4.212_neutral_split.scale-180_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingTravel_3.0.4.336_x64__8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingWeather_2016.1014.23.3280_neutral_~_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingWeather_3.0.4.214_neutral_split.scale-140_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingWeather_3.0.4.214_neutral_split.scale-180_8wekyb3d8bbwe.xml => moved successfully
    C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.BingWeather_3.0.4.350_x64__8wekyb3d8bbwe.xml => moved successfully
    C:\Program Files\WindowsApps\Microsoft.BingWeather_3.0.4.350_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd => moved successfully
    C:\Program Files\WindowsApps\Microsoft.BingTravel_3.0.4.336_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd => moved successfully
    C:\Program Files\WindowsApps\Microsoft.BingSports_3.0.4.345_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd => moved successfully
    C:\Program Files\WindowsApps\Microsoft.BingNews_3.0.4.344_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd => moved successfully
    C:\Program Files\WindowsApps\Microsoft.BingMaps_2.1.3230.2048_x64__8wekyb3d8bbwe\Microsoft.Bing.Client.Graph.dll => moved successfully
    C:\Program Files\WindowsApps\Microsoft.BingMaps_2.1.3230.2048_x64__8wekyb3d8bbwe\Microsoft.Bing.Client.Graph.winmd => moved successfully
    C:\Program Files\WindowsApps\Microsoft.BingMaps_2.1.3230.2048_x64__8wekyb3d8bbwe\Microsoft.Bing.Platform.Logging.ClientWinRT.dll => moved successfully
    C:\Program Files\WindowsApps\Microsoft.BingHealthAndFitness_3.0.4.336_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd => moved successfully
    C:\Program Files\WindowsApps\Microsoft.BingFoodAndDrink_3.0.4.336_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd => moved successfully
    C:\Program Files\WindowsApps\Microsoft.BingFinance_3.0.4.344_x64__8wekyb3d8bbwe\Microsoft.Bing.AppEx.Telemetry.winmd => moved successfully


    The system needed a reboot.

    ==== End of Fixlog 14:20:32 ====
     
  47. Oh My!

    Oh My! Malware Expert Staff Member

    OK, thanks.

    You might want to wait to make sure you are still receiving the pop ups. I am wondering if they were related to what we just removed.
     
  48. Fishhead

    Fishhead Private First Class

    Right now I have Norton blocking notifications. I will turn them back on and see what happens. If I receive a popup I will run ProcMon once again and send you the link.

    If I do not receive any popups, I will let you know, but that may take waiting long enough to draw the conclusion that the popups are gone.
     
  49. Fishhead

    Fishhead Private First Class

  50. Oh My!

    Oh My! Malware Expert Staff Member

    We are still not getting the information.

    Please do this.

    ===================================================

    Farbar Recovery Scan Tool Registry Search

    --------------------

    • Right click on FRST64 and select Run as administrator
    • Type the following in the Search Field
    Code:
    Microsoft.BingFinance*;Microsoft.BingFoodAndDrink*;Microsoft.BingHealthAndFitness*;Microsoft.BingMaps*;Microsoft.BingNews*;Microsoft.BingSports*;Microsoft.BingTravel*;Microsoft.BingWeather*
    
    • Click the Search Registry button
    • A SearchReg.txt document will be saved in the same location as FRST64
    • Copy and paste the contents of that document in your reply
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • SearchReg.txt
     
