IIS Vulnerability exploited



#1 kpatel45


Posted Yesterday, 12:33 AM

Hi all,

I am reaching out following a malware infection discovered on IIS servers. A new file, cachsess.dll, is being found on the servers in the path c:\windows\system32\inetsrv. This file is quarantined or deleted by Symantec AV upon scanning. However, when the file gets deleted, the app pools on the server go into a STOP state. When trying to restart the app pool, Event Viewer generates error ID 2280, which says the infected file needed to start the app pool is missing.

The malware is moving across servers. I now have 9 infected servers. Please assist, thanks.
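
A read-only triage check for the symptom described in this post, added here as an example; it is not the poster's code and not part of FRST or any tool the thread mentions. It reads the native-module list in applicationHost.config that every IIS application pool must load at start-up, flags entries whose DLL is missing or not validly Microsoft-signed, cross-checks what the running w3wp.exe workers have actually loaded from the inetsrv directory, and lists recent event ID 2280 entries. The Microsoft-only publisher pattern and the 7-day window are assumptions to adjust; run it in an elevated PowerShell on the IIS host.

```powershell
# Added example for this thread (not the poster's code and not part of FRST):
# read-only audit of the native modules IIS loads into every w3wp.exe worker.
# Assumptions (ours, not from the thread): run in an elevated PowerShell on
# the IIS host; the publisher pattern and the 7-day window are placeholders.

$inetsrv = Join-Path $env:windir 'System32\inetsrv'
$cfgPath = Join-Path $inetsrv 'config\applicationHost.config'
[xml]$cfg = Get-Content -LiteralPath $cfgPath -Raw

function Get-SignerStatus {
    # Classify a DLL by its Authenticode signature: missing file, invalid or
    # absent signature, signed by someone other than Microsoft, or OK.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @('MISSING', '') }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if ($sig.Status -ne 'Valid') { return @("BAD-SIGNATURE ($($sig.Status))", $signer) }
    # Assumption: only Microsoft-signed native modules are expected on this host
    if ($signer -notmatch 'O=Microsoft Corporation') { return @('NON-MICROSOFT', $signer) }
    return @('OK', $signer)
}

# 1. Every <globalModules><add name=".." image=".." /> entry is a DLL that each
#    application pool must load at start-up. If the file has been removed, the
#    pool fails to start; the thread reports event ID 2280 in that situation.
$report = foreach ($m in $cfg.configuration.'system.webServer'.globalModules.add) {
    $image = [Environment]::ExpandEnvironmentVariables($m.image)
    $status, $signer = Get-SignerStatus -Path $image
    [pscustomobject]@{ Source = 'globalModules'; Name = $m.name; Image = $image; Status = $status; Signer = $signer }
}

# 2. Cross-check: anything the running worker processes have actually loaded
#    from the inetsrv directory that is not validly Microsoft-signed.
$loaded = foreach ($p in Get-Process -Name w3wp -ErrorAction SilentlyContinue) {
    $mods = @()
    try { $mods = $p.Modules } catch { }   # module list is unreadable without elevation
    foreach ($mod in $mods) {
        if ($mod.FileName -like "$inetsrv\*") {
            $status, $signer = Get-SignerStatus -Path $mod.FileName
            if ($status -ne 'OK') {
                [pscustomobject]@{ Source = "w3wp PID $($p.Id)"; Name = $mod.ModuleName; Image = $mod.FileName; Status = $status; Signer = $signer }
            }
        }
    }
}

@($report) + @($loaded) | Sort-Object Status, Image | Format-Table -AutoSize

# 3. Recent "module DLL failed to load" events in the Application log; the
#    message names the DLL a pool could not start without.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 2280; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Message | Format-List
```

Anything reported as MISSING, BAD-SIGNATURE or NON-MICROSOFT is a registered or loaded module to account for before the pools are restarted; a MISSING entry explains a pool that stops the moment AV removes the file, because IIS still tries to load it. The script changes nothing, so it can be run on each affected server for comparison.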

#2 Oh My!

Malware Response Instructor

Posted Yesterday, 08:06 AM

Greetings and welcome back to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

===================================================

Ground Rules:
  • First, please keep in mind most of us at BleepingComputer volunteer our assistance for your benefit in your time of need. Please try to match our commitment to you with your patience toward us.
  • It is important to not run any tools or take any steps other than those I will provide for you.
  • Please perform all steps in the order they are listed. If things are not clear or you experience problems be sure to stop and let me know.
  • Please copy and paste all logs into your post unless otherwise requested.
  • When your computer is clean I will let you know, provide instructions to remove tools and reports, and offer you information about how you can combat future infections.
  • If you do not reply to your topic after 5 days I will assume it has been abandoned and I will close it.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and let me know.

Thank you for your patience thus far.

Please do this.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for 64 bit systems and note where the file is saved (Desktop, Downloads, etc.) <<< Important
  • If your computer language is other than English right click on the FRST64 icon and rename it to FRST64english
  • Right click on the icon and select Run as administrator
  • Note: If you receive any warning about the download it is a false positive and you can ignore it. Click on More info to get the Run anyway option
  • Click Yes to the disclaimer
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of each report in separate reply windows
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • FRST.txt
  • Addition.txt

Gary 

Lord, to whom shall we go? You have the words of eternal life. We have come to believe and to know that you are the Holy One of God.

John 6:68-69

#3 kpatel45

Topic Starter

Posted Yesterday, 12:51 PM

Hi Gary,

 

Trust you are keeping well, mate. Thanks for reaching out again. Further to my post, I have carried out some more digging and found new things.

 

1. Active Directory account with domain admin rights was compromised.

2. The compromised account was used to create another domain admin account.

3. Security logs show that multiple changes were made at the Active Directory level. Other admin accounts were used to create processes on domain-joined servers.

4. File shares were created on the servers.

5. Malware was downloaded and propagated using the admin account created in step 2.

6. I restored infected VMs to a date prior to the infection and a day later, the VM got infected again.

7. Now I have restored a VM to one day before the account creation in step 2. I will check tomorrow and give you an update.

 

Finally, I will run the steps above and post the results tomorrow.

 

Cheers.
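
The chain of steps listed in this post (account created, added to an admin group, shares created, processes launched on joined servers) maps onto specific Windows Security events. The script below is an added example, not the poster's code and not something the thread supplies, that pulls those events from one or more hosts into a single timeline so the actor, target and time of each step can be read off per machine. The computer names and the 14-day window are placeholders; it assumes read access to the Security log on each host, and the optional 4688 process-creation events require process-creation auditing to be enabled.

```powershell
# Added example for this thread (not the poster's or BleepingComputer's code):
# build one timeline of the Security-log events behind the steps listed above.
# Assumptions (ours): read access to the Security log on each host; the
# computer names and the 14-day window are placeholders to replace.
param(
    [string[]]$ComputerName = @('DC01-PLACEHOLDER', $env:COMPUTERNAME),
    [datetime]$Start = (Get-Date).AddDays(-14),
    [datetime]$End   = (Get-Date),
    [switch]$IncludeProcessCreation   # 4688 is noisy and needs process-creation auditing
)

# Event IDs and what each one means in this timeline
$label = @{
    4720 = 'User account created'
    4728 = 'Member added to global group'      # e.g. Domain Admins
    4732 = 'Member added to local group'       # e.g. local Administrators
    4756 = 'Member added to universal group'
    5142 = 'Network share created'
    4688 = 'Process created'
}
$ids = @(4720, 4728, 4732, 4756, 5142)
if ($IncludeProcessCreation) { $ids += 4688 }

$timeline = foreach ($c in $ComputerName) {
    $filter = @{ LogName = 'Security'; Id = $ids; StartTime = $Start; EndTime = $End }
    $events = Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the named EventData fields from the event XML so the columns
        # are stable across the different event IDs
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }

        $target = switch ($e.Id) {
            4720 { $d['TargetUserName'] }
            { $_ -in 4728, 4732, 4756 } { "$($d['MemberName']) -> $($d['TargetUserName'])" }
            5142 { "$($d['ShareName']) ($($d['ShareLocalPath']))" }
            4688 { $d['NewProcessName'] }
            default { '' }
        }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Host   = $c
            Id     = $e.Id
            What   = $label[$e.Id]
            Actor  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Target = $target
        }
    }
}

$timeline | Sort-Object Time | Format-Table -AutoSize
```

Reading the output from the top, the first 4720 for the newly created account and the 4728/4732 that follows it give the Actor to look for in the later 5142 share events on the member servers; the same Actor appearing again after a restore is the signal that the credentials, not just the files, still need to be dealt with.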



#4 kpatel45

Topic Starter

Posted Today, 12:17 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 19.04.2024 01
Ran by share-port_sysadmin1 (administrator) on NGP-SVR-FES02 (VMware, Inc. VMware Virtual Platform) (24-04-2024 08:59:11)
Running from C:\Users\share-port_sysadmin1\Desktop\FRST64.exe
Loaded Profiles: portal_farm & share-port_sysadmin1 & Administrator
Platform: Microsoft Windows Server 2016 Standard Version 1607 14393.4583 (X64) Language: English (United States)
Default browser: Chrome
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(explorer.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\inetsrv\InetMgr.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe <7>
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\ServerManager.exe
(RuntimeBroker.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\cmd.exe
(services.exe ->) () [File not signed] C:\Windows\System32\CoreEvent.exe
(services.exe ->) (Broadcom Inc -> Broadcom) C:\Program Files\Symantec\SharePoint\Symantec.Sharepoint.SPSSService.exe
(services.exe ->) (Broadcom Inc -> Broadcom) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\sepWscSvc64.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\AppFabric 1.1 for Windows Server\DistributedCacheService.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\WSSADMIN.EXE
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\BIN\wsstracing.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(services.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe <3>
(services.exe ->) (Microsoft Windows Hardware Compatibility Publisher -> VMware, Inc.) C:\Windows\System32\vm3dservice.exe <3>
(services.exe ->) (Symantec Corporation -> Broadcom) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\ccSvcHst.exe <4>
(services.exe ->) (VMware, Inc. -> VMware, Inc.) C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
(services.exe ->) (VMware, Inc. -> VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
(services.exe ->) (Zabbix SIA) [File not signed] C:\zabbix\zabbix_agentd.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\rdpclip.exe <2>
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(winlogon.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\LogonUI.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [DWPersistentQueuedReporting] => C:\Program Files\Common Files\microsoft shared\DW\DWTRIG20.EXE [319976 2022-12-22] (Microsoft Corporation -> Microsoft Corporation)
HKLM\...\Run: [VMware User Process] => C:\Program Files\VMware\VMware Tools\vmtoolsd.exe [108216 2022-02-11] (VMware, Inc. -> VMware, Inc.)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Policies\Explorer: [NoAutorun] 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall: Restriction <==== ATTENTION
HKLM\...\Policies\system: [legalnoticecaption] Government Online Centre (GOC)
HKLM\...\Policies\system: [legalnoticetext] “This system is owned and operated by GOC. Use is restricted to GOC. Authorised users must comply with the GOC IT Security Policy. Usage is monitored
HKLM\Software\Policies\...\system: [DontDisplayNetworkSelectionUI] 1
HKLM\Software\Policies\...\system: [EnableSmartScreen] 1
HKLM\Software\Policies\...\system: [EnumerateLocalUsers] 0
HKLM\Software\Policies\...\system: [DisableLockScreenAppNotifications] 1
HKLM\Software\Policies\...\system: [BlockDomainPicturePassword] 1
HKU\S-1-5-21-3412390019-1648271104-2333346583-16634\...\MountPoints2: {9de297ba-78a9-11e9-a2c5-806e6f6e6963} - "D:\setup64.exe"
HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files (x86)\Google\Chrome\Application\124.0.6367.61\Installer\chrmstp.exe [2024-04-23] (Google LLC -> Google LLC)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}] -> "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenAdmin
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}] -> "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenUser
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\Users\Administrator.GOM\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\isys-admin\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\share-port_admin1\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\share-port_admin2\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\share-port_sysadmin1\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\share-port_sysadmin2\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\share-port_sysadmin4\NTUSER.pol: Restriction <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {7E604DF2-3590-4511-9233-9FFD31ECB600} - System32\Tasks\CreateExplorerShellUnelevatedTask => C:\Windows\explorer.exe [4672136 2021-01-08] (Microsoft Windows -> Microsoft Corporation)
Task: {846CB9E1-A08C-4F35-8263-A24E934C9E53} - System32\Tasks\EOSv3 Scheduler onLogOn => C:\Users\share-port_sysadmin1\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe [15145336 2024-04-23] (ESET, spol. s r.o. -> ESET)
Task: {AF6293D4-C9C8-45E1-93A5-0B72D88459B1} - System32\Tasks\EOSv3 Scheduler onTime => C:\Users\share-port_sysadmin1\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe [15145336 2024-04-23] (ESET, spol. s r.o. -> ESET)
Task: {6F05BECE-31E5-4A50-8038-51037000A1FA} - System32\Tasks\GoogleSystem\GoogleUpdater\GoogleUpdaterTaskSystem126.0.6425.0{549AE169-F2D4-42FD-BB85-38F3FBE126E2} => C:\Program Files (x86)\Google\GoogleUpdater\126.0.6425.0\updater.exe [4786464 2024-04-18] (Google LLC -> Google LLC)
Task: {E99D5755-1A32-48A6-9CFC-7AAE7CE9C2E1} - System32\Tasks\Microsoft\Windows\AppFabric\Customer Experience Improvement Program\Consolidator => c:\Program Files\AppFabric 1.1 for Windows Server\CustomerExperienceImprovement.exe [51072 2011-11-29] (Microsoft Corporation -> Microsoft Corporation)
Task: {CB22B03C-7FB1-4611-801B-8F049FD3251D} - System32\Tasks\Microsoft\Windows\EDP\EDP App Launch Task => {35EF4182-F900-4632-B072-8639E4478A61}
Task: {C32D8AF0-5A64-40B3-B95E-AAD5278F9707} - System32\Tasks\Microsoft\Windows\EDP\EDP Auth Task => {35EF4182-F900-4632-B072-8639E4478A61}
Task: {4E6FCEDE-6C79-45D7-A545-90C230463E50} - System32\Tasks\Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate => {FE285C8C-5360-41C1-A700-045501C740DE} C:\Windows\System32\ErrorDetailsUpdate.dll [72704 2021-01-08] (Microsoft Windows -> Microsoft Corporation)
Task: {7316FF11-F947-44BA-83EE-A7CBC9485184} - System32\Tasks\Microsoft\Windows\ErrorDetails\ErrorDetailsUpdate => {9CDA66BE-3271-4723-8D35-DD834C58AD92} C:\Windows\System32\ErrorDetailsUpdate.dll [72704 2021-01-08] (Microsoft Windows -> Microsoft Corporation)
Task: {41600EBB-B4B7-472A-9F58-8AA04A7F8984} - System32\Tasks\Microsoft\Windows\Network Controller\SDN Diagnostics Task => {C8B67F54-D1CB-44BF-9103-A1AB9A9ED8AD} C:\Windows\System32\mscoree.dll [387072 2016-07-16] (Microsoft Windows -> Microsoft Corporation)
Task: {0E26D5B3-12C1-41B2-B007-8D1328464645} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.23110.3-0\MpCmdRun.exe [1608808 2023-11-30] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {806D5CD0-D095-4F7B-8241-E00C04132CE6} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.23110.3-0\MpCmdRun.exe [1608808 2023-11-30] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {7ED8794A-11CC-4860-BDF5-0F9D8F6DD9B9} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.23110.3-0\MpCmdRun.exe [1608808 2023-11-30] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {5000F6AB-3798-43DB-BA2C-0465B19E6F7C} - System32\Tasks\Restart NTA Windows Services => Command(1): NET -> STOP "NTA_PendingReq"
Task: {5000F6AB-3798-43DB-BA2C-0465B19E6F7C} - System32\Tasks\Restart NTA Windows Services => Command(2): TIMEOUT -> /T 3
Task: {5000F6AB-3798-43DB-BA2C-0465B19E6F7C} - System32\Tasks\Restart NTA Windows Services => Command(3): NET -> START "NTA_PendingReq"
Task: {5000F6AB-3798-43DB-BA2C-0465B19E6F7C} - System32\Tasks\Restart NTA Windows Services => Command(4): TIMEOUT -> /T 3
Task: {5000F6AB-3798-43DB-BA2C-0465B19E6F7C} - System32\Tasks\Restart NTA Windows Services => Command(5): NET -> STOP "NTA_ReservedReq"
Task: {5000F6AB-3798-43DB-BA2C-0465B19E6F7C} - System32\Tasks\Restart NTA Windows Services => Command(6): TIMEOUT -> /T 3
Task: {5000F6AB-3798-43DB-BA2C-0465B19E6F7C} - System32\Tasks\Restart NTA Windows Services => Command(7): NET -> START "NTA_ReservedReq"
Task: {7C61AF25-3E1E-48F6-A79E-9F665B5CECFB} - System32\Tasks\Symantec Endpoint Protection\Symantec Endpoint Protection Autofix => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\symerr.exe [102312 2023-06-21] (Symantec Corporation -> Broadcom)
Task: {BAB53DE6-0C50-418F-9022-5A1125ED0696} - System32\Tasks\Symantec Endpoint Protection\Symantec Endpoint Protection Error Analyzer => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\symerr.exe [102312 2023-06-21] (Symantec Corporation -> Broadcom)
Task: {874DE405-5F97-4C69-BEA7-A09F6D7BBB86} - System32\Tasks\Symantec Endpoint Protection\Symantec Endpoint Protection Error Processor => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\symerr.exe [102312 2023-06-21] (Symantec Corporation -> Broadcom)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <==== ATTENTION (Restriction - ProxySettings)
ProxyServer: [S-1-5-21-3412390019-1648271104-2333346583-16634] => 192.168.66.1:8783
ProxyServer: [S-1-5-21-3412390019-1648271104-2333346583-500] => 192.168.66.1:8783
ProxyEnable: [S-1-5-21-4095144978-818792502-2840952194-500] => Proxy is enabled.
ProxyServer: [S-1-5-21-4095144978-818792502-2840952194-500] => 192.168.66.1:8783
Winsock: Catalog9 12 C:\Windows\SysWOW64\vsocklib.dll [26512 2022-01-23] (Microsoft Windows Hardware Compatibility Publisher -> VMware, Inc.)
Winsock: Catalog9 13 C:\Windows\SysWOW64\vsocklib.dll [26512 2022-01-23] (Microsoft Windows Hardware Compatibility Publisher -> VMware, Inc.)
Winsock: Catalog9-x64 12 C:\Windows\system32\vsocklib.dll [31120 2022-01-23] (Microsoft Windows Hardware Compatibility Publisher -> VMware, Inc.)
Winsock: Catalog9-x64 13 C:\Windows\system32\vsocklib.dll [31120 2022-01-23] (Microsoft Windows Hardware Compatibility Publisher -> VMware, Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{ba617648-4189-46e8-bc2b-ee038810a4aa}: [NameServer] 192.168.2.40
Tcpip\..\Interfaces\{efa6faab-4250-4900-b7ec-ccdc9f095a86}: [NameServer] 192.168.2.40,192.168.2.41
HKLM\System\...\Parameters\PersistentRoutes: [192.168.3.0,255.255.255.0,192.168.33.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.2.0,255.255.255.0,192.168.33.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.12.0,255.255.255.0,192.168.33.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.14.0,255.255.255.0,192.168.33.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.69.0,255.255.255.0,192.168.33.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.70.0,255.255.255.0,192.168.33.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [202.123.27.104,255.255.255.255,192.168.33.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.5.0,255.255.255.0,192.168.33.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.6.88,255.255.255.255,192.168.33.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.6.0,255.255.255.0,192.168.33.1,1]
PersistentRoutes: There are 16 PersistentRoutes.


Chrome:
=======
CHR Profile: C:\Users\share-port_sysadmin1\AppData\Local\Google\Chrome\User Data\Default [2024-04-24]
CHR Extension: (Slides) - C:\Users\share-port_sysadmin1\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2019-10-08]
CHR Extension: (Docs) - C:\Users\share-port_sysadmin1\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2019-10-08]
CHR Extension: (Google Drive) - C:\Users\share-port_sysadmin1\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2020-12-11]
CHR Extension: (YouTube) - C:\Users\share-port_sysadmin1\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2019-10-08]
CHR Extension: (Sheets) - C:\Users\share-port_sysadmin1\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2019-10-08]
CHR Extension: (Google Docs Offline) - C:\Users\share-port_sysadmin1\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2020-12-11]
CHR Extension: (Chrome Web Store Payments) - C:\Users\share-port_sysadmin1\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2024-03-24]
CHR Extension: (Gmail) - C:\Users\share-port_sysadmin1\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2020-12-11]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AppFabricCachingService; c:\Program Files\AppFabric 1.1 for Windows Server\DistributedCacheService.exe [16240 2011-11-29] (Microsoft Corporation -> Microsoft Corporation)
R2 CoreEvent; C:\Windows\System32\CoreEvent.exe [269312 2016-07-16] () [File not signed]
S4 DCLauncher16; C:\Program Files\Microsoft Office Servers\16.0\Bin\Microsoft.Office.Server.Conversions.Launcher.exe [79776 2022-12-22] (Microsoft Corporation -> Microsoft Corporation)
S4 DCLoadBalancer16; C:\Program Files\Microsoft Office Servers\16.0\Bin\Microsoft.Office.Server.Conversions.LoadBalancer.exe [38304 2022-12-22] (Microsoft Corporation -> Microsoft Corporation)
S2 GoogleUpdaterInternalService126.0.6425.0; C:\Program Files (x86)\Google\GoogleUpdater\126.0.6425.0\updater.exe [4786464 2024-04-18] (Google LLC -> Google LLC)
S2 GoogleUpdaterService126.0.6425.0; C:\Program Files (x86)\Google\GoogleUpdater\126.0.6425.0\updater.exe [4786464 2024-04-18] (Google LLC -> Google LLC)
S3 NTA_PendingReq; C:\FRCISERVICE\WindowsService\WindowsService_NTAPending\Debug\WindowsService_NTAPending.exe [64000 2023-11-29] () [File not signed]
S3 NTA_ReservedReq; C:\FRCISERVICE\WindowsService\WindowsService_NTAReserved\Debug\WindowsService_Reserved.exe [60416 2023-12-06] () [File not signed]
S4 OSearch16; C:\Program Files\Microsoft Office Servers\16.0\Bin\mssearch.exe [293336 2022-12-22] (Microsoft Corporation -> Microsoft Corporation)
S4 ProjectCalcService16; C:\Program Files\Microsoft Office Servers\16.0\Bin\Microsoft.Office.Project.Server.Calculation.exe [30488 2018-09-24] (Microsoft Corporation -> Microsoft Corporation)
S4 ProjectEventService16; C:\Program Files\Microsoft Office Servers\16.0\Bin\Microsoft.Office.Project.Server.Eventing.exe [35608 2018-09-24] (Microsoft Corporation -> Microsoft Corporation)
S4 ProjectQueueService16; C:\Program Files\Microsoft Office Servers\16.0\Bin\Microsoft.Office.Project.Server.Queuing.exe [69400 2018-09-24] (Microsoft Corporation -> Microsoft Corporation)
S4 SepLpsService; C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\ccSvcHst.exe [190664 2023-06-21] (Symantec Corporation -> Broadcom)
R2 SepMasterService; C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\ccSvcHst.exe [190664 2023-06-21] (Symantec Corporation -> Broadcom)
R2 SepScanService; C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\bin64\ccSvcHst.exe [190664 2023-06-21] (Symantec Corporation -> Broadcom)
R2 sepWscSvc; C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\sepWscSvc64.exe [1398888 2023-06-21] (Broadcom Inc -> Broadcom)
S3 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\snac64.exe [173256 2023-06-21] (Symantec Corporation -> Broadcom)
R2 SPAdminV4; C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\BIN\WSSADMIN.EXE [27424 2018-09-24] (Microsoft Corporation -> Microsoft Corporation)
S4 SPInsights; C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\BIN\OfficeDataLoader\Microsoft.Office.BigData.DataLoader.exe [78616 2018-09-13] (Microsoft Corporation -> Microsoft Corporation.)
S4 SPSearchHostController; C:\Program Files\Microsoft Office Servers\16.0\Search\HostController\hostcontrollerservice.exe [46160 2018-09-24] (Microsoft Corporation -> Microsoft Corporation)
S2 SPTimerV4; C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\BIN\OWSTIMER.EXE [81848 2022-12-22] (Microsoft Corporation -> Microsoft Corporation)
R2 SPTraceV4; C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\BIN\wsstracing.exe [141096 2018-09-24] (Microsoft Corporation -> Microsoft Corporation)
S4 SPUserCodeV4; C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\UserCode\SPUCHostService.exe [155200 2022-12-22] (Microsoft Corporation -> Microsoft Corporation)
S3 SPWriterV4; C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\BIN\SPWRITER.EXE [52208 2022-12-22] (Microsoft Corporation -> Microsoft Corporation)
R2 SymantecSharePointScan; C:\Program Files\Symantec\SharePoint\Symantec.Sharepoint.SPSSService.exe [204088 2021-11-15] (Broadcom Inc -> Broadcom)
R2 VGAuthService; C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe [155320 2022-02-11] (VMware, Inc. -> VMware, Inc.)
R2 vm3dservice; C:\Windows\system32\vm3dservice.exe [634768 2022-02-11] (Microsoft Windows Hardware Compatibility Publisher -> VMware, Inc.)
R2 vm3dservice; C:\Windows\SysWOW64\vm3dservice.exe [634768 2022-02-11] (Microsoft Windows Hardware Compatibility Publisher -> VMware, Inc.)
S3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23110.3-0\NisSrv.exe [3174840 2023-11-30] (Microsoft Windows Publisher -> Microsoft Corporation)
S3 WinDefend; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23110.3-0\MsMpEng.exe [133592 2023-11-30] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 Zabbix Agent; c:\zabbix\zabbix_agentd.exe [800256 2018-10-11] (Zabbix SIA) [File not signed]

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 bcmfn; C:\Windows\System32\drivers\bcmfn.sys [9728 2016-07-16] (Microsoft Windows -> Windows ® Win 7 DDK provider)
R1 BHDrvx64; C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Data\Definitions\BASHDefs\20240422.001\BHDrvx64.sys [1706512 2023-10-31] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R1 ccSettings_{6B7A2D6B-C77F-4C11-8B70-2CD28AD687A6}; C:\Windows\System32\Drivers\SEP\0E0325D1\1B58.105\x64\ccSetx64.sys [200168 2023-06-21] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [527832 2023-06-20] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [159720 2024-03-24] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R1 SRTSP; C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Data\SymPlatform\SRTSP64.SYS [996432 2023-06-21] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R1 SRTSPX; C:\Windows\System32\Drivers\SEP\0E0325D1\1B58.105\x64\SRTSPX64.SYS [44112 2023-06-21] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R0 SymEFASI; C:\Windows\System32\drivers\symefasi\0705020.03C\symefasi64.sys [2167304 2023-06-21] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
S0 SymELAM; C:\Windows\System32\Drivers\SEP\0E0325D1\1B58.105\x64\SymELAM.sys [27136 2023-06-21] (Microsoft Windows Early Launch Anti-malware Publisher -> Broadcom)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [100832 2023-06-21] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R3 SymEvnt; C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Data\SymPlatform\SymEvnt.sys [951264 2023-09-06] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R1 SymIRON; C:\Windows\System32\Drivers\SEP\0E0325D1\1B58.105\x64\Ironx64.SYS [297992 2023-06-21] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R3 vm3dmp; C:\Windows\system32\DRIVERS\vm3dmp.sys [314768 2022-02-11] (Microsoft Windows Hardware Compatibility Publisher -> VMware, Inc.)
S3 vm3dmp-debug; C:\Windows\system32\DRIVERS\vm3dmp-debug.sys [446864 2022-02-11] (Microsoft Windows Hardware Compatibility Publisher -> VMware, Inc.)
S3 vm3dmp-stats; C:\Windows\system32\DRIVERS\vm3dmp-stats.sys [354192 2022-02-11] (Microsoft Windows Hardware Compatibility Publisher -> VMware, Inc.)
R3 vm3dmp_loader; C:\Windows\system32\DRIVERS\vm3dmp_loader.sys [29584 2022-02-11] (Microsoft Windows Hardware Compatibility Publisher -> VMware, Inc.)
R0 vmci; C:\Windows\System32\drivers\vmci.sys [104888 2022-01-23] (Microsoft Windows Hardware Compatibility Publisher -> VMware, Inc.)
R2 VMMemCtl; C:\Windows\system32\DRIVERS\vmmemctl.sys [27536 2022-02-11] (Microsoft Windows Hardware Compatibility Publisher -> VMware, Inc.)
R3 vmmouse; C:\Windows\System32\drivers\vmmouse.sys [19856 2022-02-11] (Microsoft Windows Hardware Compatibility Publisher -> VMware, Inc.)
R3 vmxnet3ndis6; C:\Windows\System32\drivers\vmxnet3.sys [99248 2022-02-11] (Microsoft Windows Hardware Compatibility Publisher -> VMware, Inc.)
R0 vsock; C:\Windows\System32\DRIVERS\vsock.sys [88976 2022-01-23] (Microsoft Windows Hardware Compatibility Publisher -> VMware, Inc.)
S3 WdBoot; C:\Windows\system32\drivers\wd\WdBoot.sys [55856 2023-11-30] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\wd\WdFilter.sys [594304 2023-11-30] (Microsoft Windows -> Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\drivers\wd\WdNisDrv.sys [105856 2023-11-30] (Microsoft Windows -> Microsoft Corporation)
U3 SymNetS;  [X]
S3 vwifibus; \SystemRoot\System32\drivers\vwifibus.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2024-04-24 08:59 - 2024-04-24 08:59 - 000024796 _____ C:\Users\share-port_sysadmin1\Desktop\FRST.txt
2024-04-24 08:58 - 2024-04-24 08:59 - 000000000 ____D C:\FRST
2024-04-24 08:58 - 2024-04-24 08:58 - 002394112 _____ (Farbar) C:\Users\share-port_sysadmin1\Downloads\FRST64.exe
2024-04-24 08:58 - 2024-04-24 08:58 - 002394112 _____ (Farbar) C:\Users\share-port_sysadmin1\Desktop\FRST64.exe
2024-04-24 08:56 - 2024-04-24 08:56 - 000001610 _____ C:\Users\share-port_sysadmin1\Documents\eset_cleanup_24042024-0856.txt
2024-04-23 15:39 - 2024-04-23 15:39 - 000003894 _____ C:\Windows\system32\Tasks\EOSv3 Scheduler onLogOn
2024-04-23 15:39 - 2024-04-23 15:39 - 000003452 _____ C:\Windows\system32\Tasks\EOSv3 Scheduler onTime
2024-04-23 15:39 - 2024-04-23 15:39 - 000000698 _____ C:\Users\share-port_sysadmin1\Documents\eset_cleanup_23042024-1540.txt
2024-04-23 13:43 - 2024-04-23 13:53 - 000000000 ____D C:\Users\share-port_sysadmin1\AppData\Local\CrashDumps
2024-04-23 13:34 - 2024-04-23 15:39 - 000001397 _____ C:\Users\share-port_sysadmin1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ESET Online Scanner.lnk
2024-04-23 13:34 - 2024-04-23 15:39 - 000001291 _____ C:\Users\share-port_sysadmin1\Desktop\ESET Online Scanner.lnk
2024-04-23 13:34 - 2024-04-23 13:48 - 000001291 _____ C:\Users\share-port_sysadmin1\Desktop\esetonlinescanner.lnk
2024-04-23 13:34 - 2024-04-23 13:34 - 008389496 _____ (ESET) C:\Users\share-port_sysadmin1\Downloads\esetonlinescanner.exe
2024-04-23 13:34 - 2024-04-23 13:34 - 000000000 ____D C:\Users\share-port_sysadmin1\AppData\Local\ESET
2024-04-23 11:58 - 2024-04-23 13:39 - 000000000 ____D C:\FRCI WindowsService DPCSBM
2024-04-21 16:13 - 2024-04-21 16:13 - 000000241 _____ C:\Windows\__1713701582.19173
2024-04-21 08:31 - 2024-04-21 08:31 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VMware
2024-04-21 08:31 - 2024-04-21 08:31 - 000000000 ____D C:\Program Files\VMware
2024-04-21 08:29 - 2024-04-21 08:29 - 000000000 ____D C:\Users\Administrator\AppData\Local\VirtualStore
2024-04-21 08:29 - 2024-04-21 08:29 - 000000000 ____D C:\Users\Administrator\AppData\Local\Symantec
2024-04-21 08:29 - 2024-04-21 08:29 - 000000000 ____D C:\Users\Administrator\AppData\Local\Google
2024-04-21 08:05 - 2024-04-21 08:05 - 000000000 ____D C:\Users\share-port_sysadmin5\AppData\Roaming\Microsoft\Vault
2024-04-21 08:05 - 2024-04-21 08:05 - 000000000 ____D C:\Users\share-port_sysadmin5\AppData\Local\Microsoft_Corporation
2024-04-21 08:03 - 2024-04-22 00:33 - 000000000 ____D C:\Users\share-port_sysadmin5
2024-04-21 08:03 - 2024-04-21 08:10 - 000000000 ____D C:\Users\share-port_sysadmin5\AppData\Roaming\Microsoft\Windows
2024-04-21 08:03 - 2024-04-21 08:05 - 000000000 ____D C:\Users\share-port_sysadmin5\AppData\Local\Packages
2024-04-21 08:03 - 2024-04-21 08:03 - 000000000 ___SD C:\Users\share-port_sysadmin5\AppData\Roaming\Microsoft\SystemCertificates
2024-04-21 08:03 - 2024-04-21 08:03 - 000000000 ___SD C:\Users\share-port_sysadmin5\AppData\Roaming\Microsoft\Protect
2024-04-21 08:03 - 2024-04-21 08:03 - 000000000 ___SD C:\Users\share-port_sysadmin5\AppData\Roaming\Microsoft\Credentials
2024-04-21 08:03 - 2024-04-21 08:03 - 000000000 ____D C:\Users\share-port_sysadmin5\AppData\Roaming\Microsoft\Network
2024-04-21 08:03 - 2024-04-21 08:03 - 000000000 ____D C:\Users\share-port_sysadmin5\AppData\Roaming\Microsoft\InputMethod
2024-04-21 08:03 - 2024-04-21 08:03 - 000000000 ____D C:\Users\share-port_sysadmin5\AppData\Roaming\Adobe
2024-04-21 08:03 - 2024-04-21 08:03 - 000000000 ____D C:\Users\share-port_sysadmin5\AppData\Local\VirtualStore
2024-04-21 08:03 - 2024-04-21 08:03 - 000000000 ____D C:\Users\share-port_sysadmin5\AppData\Local\TileDataLayer
2024-04-21 08:03 - 2024-04-21 08:03 - 000000000 ____D C:\Users\share-port_sysadmin5\AppData\Local\Symantec
2024-04-21 08:03 - 2024-04-21 08:03 - 000000000 ____D C:\Users\share-port_sysadmin5\AppData\Local\Google
2024-04-21 08:03 - 2024-04-21 08:03 - 000000000 ____D C:\Users\share-port_sysadmin5\AppData\Local\ConnectedDevicesPlatform
2024-04-17 09:01 - 2024-04-17 09:01 - 000000000 ____D C:\Users\share-port_sysadmin6\AppData\Roaming\Microsoft\WebManagement
2024-04-16 15:52 - 2024-04-16 15:52 - 000000000 ____H C:\Users\share-port_sysadmin6\Documents\Default.rdp
2024-04-16 15:04 - 2024-04-16 15:04 - 000000000 ____D C:\Users\share-port_sysadmin6\AppData\Roaming\Microsoft\Vault
2024-04-16 15:02 - 2024-04-21 15:37 - 000000000 ___SD C:\Users\share-port_sysadmin6\AppData\Roaming\Microsoft\Protect
2024-04-16 15:02 - 2024-04-17 09:04 - 000000000 ____D C:\Users\share-port_sysadmin6\AppData\Roaming\Microsoft\Windows
2024-04-16 15:02 - 2024-04-16 15:27 - 000000000 ____D C:\Users\share-port_sysadmin6\AppData\Local\ConnectedDevicesPlatform
2024-04-16 15:02 - 2024-04-16 15:04 - 000000000 ____D C:\Users\share-port_sysadmin6\AppData\Local\Packages
2024-04-16 15:02 - 2024-04-16 15:02 - 000000000 ___SD C:\Users\share-port_sysadmin6\AppData\Roaming\Microsoft\SystemCertificates
2024-04-16 15:02 - 2024-04-16 15:02 - 000000000 ___SD C:\Users\share-port_sysadmin6\AppData\Roaming\Microsoft\Credentials
2024-04-16 15:02 - 2024-04-16 15:02 - 000000000 ____D C:\Users\share-port_sysadmin6\AppData\Roaming\Microsoft\Network
2024-04-16 15:02 - 2024-04-16 15:02 - 000000000 ____D C:\Users\share-port_sysadmin6\AppData\Roaming\Microsoft\InputMethod
2024-04-16 15:02 - 2024-04-16 15:02 - 000000000 ____D C:\Users\share-port_sysadmin6\AppData\Roaming\Adobe
2024-04-16 15:02 - 2024-04-16 15:02 - 000000000 ____D C:\Users\share-port_sysadmin6\AppData\Local\VirtualStore
2024-04-16 15:02 - 2024-04-16 15:02 - 000000000 ____D C:\Users\share-port_sysadmin6\AppData\Local\TileDataLayer
2024-04-16 15:02 - 2024-04-16 15:02 - 000000000 ____D C:\Users\share-port_sysadmin6\AppData\Local\Symantec
2024-04-16 15:02 - 2024-04-16 15:02 - 000000000 ____D C:\Users\share-port_sysadmin6\AppData\Local\Microsoft_Corporation
2024-04-16 15:02 - 2024-04-16 15:02 - 000000000 ____D C:\Users\share-port_sysadmin6\AppData\Local\Google

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2024-04-24 08:58 - 2016-07-16 17:21 - 000000000 ____D C:\Windows\INF
2024-04-24 08:57 - 2019-05-10 16:23 - 000028204 __RSH C:\ProgramData\ntuser.pol
2024-04-24 08:42 - 2018-05-22 09:54 - 000000104 _____ C:\Windows\system32\config\netlogon.ftl
2024-04-23 16:30 - 2016-07-16 17:23 - 000000000 ____D C:\Windows\system32\inetsrv
2024-04-23 16:06 - 2020-05-14 09:52 - 000000000 ____D C:\Users\portal_farm\AppData\Local\CrashDumps
2024-04-23 14:15 - 2020-07-25 16:41 - 000000000 ____D C:\FRCI
2024-04-23 00:49 - 2019-05-14 19:01 - 000002261 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2024-04-23 00:49 - 2019-05-14 19:01 - 000002220 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2024-04-21 08:52 - 2019-05-30 16:04 - 000000000 ____D C:\Windows\system32\Tasks\Symantec Endpoint Protection
2024-04-21 08:49 - 2016-11-21 12:13 - 001716968 _____ C:\Windows\system32\PerfStringBackup.INI
2024-04-21 08:45 - 2016-11-21 12:06 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2024-04-21 08:45 - 2016-07-16 17:23 - 000000000 ____D C:\Windows\Registration
2024-04-21 08:44 - 2016-07-16 10:04 - 000131072 _____ C:\Windows\system32\config\BBI
2024-04-21 08:35 - 2016-07-16 10:04 - 000032768 _____ C:\Windows\system32\config\ELAM
2024-04-21 08:32 - 2019-05-30 14:45 - 000000000 ____D C:\Users\portal_farm
2024-04-21 08:32 - 2019-05-10 15:17 - 000000000 ____D C:\Users\share-port_sysadmin1
2024-04-21 08:31 - 2019-05-17 17:48 - 000000000 ____D C:\ProgramData\VMware
2024-04-21 08:31 - 2019-05-17 17:48 - 000000000 ____D C:\Program Files\Common Files\VMware
2024-04-21 08:29 - 2016-11-21 12:16 - 000000000 __RHD C:\Users\Public\AccountPictures
2024-04-21 08:29 - 2016-07-16 17:23 - 000000000 ____D C:\Windows\AppReadiness
2024-04-21 07:59 - 2019-05-13 13:08 - 000000000 ____D C:\ProgramData\Package Cache
2024-04-19 12:12 - 2019-06-02 01:03 - 000000768 _____ C:\EservicesONLINEAPIErrorLog.txt
2024-04-16 15:50 - 2020-06-23 14:56 - 000000000 ____D C:\TEMP
2024-04-16 15:40 - 2019-05-13 10:12 - 000000000 ____D C:\inetpub
2024-04-16 15:39 - 2016-07-16 17:23 - 000000000 ____D C:\Windows\SysWOW64\inetsrv

==================== Files in the root of some directories ========

2023-06-02 20:00 - 2024-02-26 10:31 - 000007634 _____ () C:\Users\share-port_sysadmin1\AppData\Local\resmon.resmoncfg

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)


LastRegBack: 2024-04-21 08:10
==================== End of FRST.txt ========================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 19.04.2024 01
Ran by share-port_sysadmin1 (24-04-2024 08:59:56)
Running from C:\Users\share-port_sysadmin1\Desktop
Microsoft Windows Server 2016 Standard Version 1607 14393.4583 (X64) (2018-04-02 11:00:22)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================


(If an entry is included in the fixlist, it will be removed.)

DefaultAccount (S-1-5-21-4095144978-818792502-2840952194-503 - Limited - Disabled)
GOCGuest (S-1-5-21-4095144978-818792502-2840952194-501 - Limited - Disabled)
GOCLocalAdmin (S-1-5-21-4095144978-818792502-2840952194-500 - Administrator - Enabled) => C:\Users\Administrator

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Active Directory Rights Management Services Client 2.1 (HKLM\...\{4802DDE7-3987-4F74-B2BA-068CFBA6835C}) (Version: 1.0.3865.326 - Microsoft Corporation)
AppFabric 1.1 for Windows Server (HKLM\...\{96E70525-4CD1-4920-9C0B-91055C79A962}) (Version: 1.1.2106.32 - Microsoft Corporation) Hidden
AppFabric 1.1 for Windows Server (HKLM\...\AppFabric) (Version: 1.1.2106.32 - Microsoft Corporation)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 124.0.6367.61 - Google LLC)
IIS URL Rewrite Module 2 (HKLM\...\{9BCA2118-F753-4A1E-BCF3-5A820729965C}) (Version: 7.2.1993 - Microsoft Corporation)
Language Pack for SharePoint and Project Server 2019 - French/Français (HKLM\...\Office16.OSMui.fr-fr) (Version: 16.0.10337.12109 - Microsoft Corporation)
Microsoft Application Request Routing 3.0 (HKLM\...\{E024E101-29AA-4345-8576-10C5B389ADDC}) (Version: 3.0.1988 - Microsoft Corporation)
Microsoft CCR and DSS Runtime 2008 R3 (HKLM-x32\...\{9B8AB202-8F61-42C1-BC7C-665B2D390B4D}) (Version: 2.2.760 - Microsoft Corporation)
Microsoft Identity Extensions (HKLM\...\{F99F24BF-0B90-463E-9658-3FD2EFC3C992}) (Version: 2.0.1459.0 - Microsoft Corporation)
Microsoft ODBC Driver 11 for SQL Server (HKLM\...\{4294D9EB-FECF-4E55-8615-1B9EF152EE95}) (Version: 12.2.5543.11 - Microsoft Corporation)
Microsoft OMUI French Language Pack (HKLM\...\{90160000-1168-040C-1000-0000000FF1CE}) (Version: 16.0.10337.12109 - Microsoft Corporation) Hidden
Microsoft Server Proof (Arabic) 2019 (HKLM\...\{90160000-101E-0401-1000-0000000FF1CE}) (Version: 16.0.10337.12109 - Microsoft Corporation) Hidden
Microsoft Server Proof (Dutch) 2019 (HKLM\...\{90160000-101E-0413-1000-0000000FF1CE}) (Version: 16.0.10337.12109 - Microsoft Corporation) Hidden
Microsoft Server Proof (English) 2019 (HKLM\...\{90160000-101E-0409-1000-0000000FF1CE}) (Version: 16.0.10337.12109 - Microsoft Corporation) Hidden
Microsoft Server Proof (French) 2019 (HKLM\...\{90160000-101E-040C-1000-0000000FF1CE}) (Version: 16.0.10337.12109 - Microsoft Corporation) Hidden
Microsoft Server Proof (German) 2019 (HKLM\...\{90160000-101E-0407-1000-0000000FF1CE}) (Version: 16.0.10337.12109 - Microsoft Corporation) Hidden
Microsoft Server Proof (Russian) 2019 (HKLM\...\{90160000-101E-0419-1000-0000000FF1CE}) (Version: 16.0.10337.12109 - Microsoft Corporation) Hidden
Microsoft Server Proof (Spanish) 2019 (HKLM\...\{90160000-101E-0C0A-1000-0000000FF1CE}) (Version: 16.0.10337.12109 - Microsoft Corporation) Hidden
Microsoft SharePoint Server 2019 (HKLM\...\{90160000-1167-0000-1000-0000000FF1CE}) (Version: 16.0.10337.12109 - Microsoft Corporation) Hidden
Microsoft SharePoint Server 2019 (HKLM\...\Office16.OSERVER) (Version: 16.0.10337.12109 - Microsoft Corporation)
Microsoft SharePoint Server 2019 1033 Language Pack (HKLM\...\{90160000-1013-0409-1000-0000000FF1CE}) (Version: 16.0.10337.12109 - Microsoft Corporation) Hidden
Microsoft SharePoint Server 2019 1036 Language Pack (HKLM\...\{90160000-1013-040C-1000-0000000FF1CE}) (Version: 16.0.10337.12109 - Microsoft Corporation) Hidden
Microsoft SharePoint Server 2019 Core (HKLM\...\{90160000-1012-0000-1000-0000000FF1CE}) (Version: 16.0.10337.12109 - Microsoft Corporation) Hidden
Microsoft SQL Server 2005 Analysis Services ADOMD.NET (HKLM\...\{08F89FDB-9015-4D0E-818A-D1011924E8D8}) (Version: 9.00.1399.06 - Microsoft Corporation)
Microsoft SQL Server 2012 Native Client  (HKLM\...\{B9274744-8BAE-4874-8E59-2610919CD419}) (Version: 11.4.7001.0 - Microsoft Corporation)
Microsoft Sync Framework Runtime v1.0 SP1 (x64) (HKLM\...\{8438EC02-B8A9-462D-AC72-1B521349C001}) (Version: 1.0.3010.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (HKLM\...\{37B8F9C7-03FB-3253-8781-2517C99D7C00}) (Version: 11.0.61030 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (HKLM\...\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}) (Version: 11.0.61030 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.29.30133 (HKLM-x32\...\{295d1583-fdb9-414b-a4c8-da539362a26b}) (Version: 14.29.30133.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.29.30133 (HKLM-x32\...\{38b2c744-ad08-4d5b-91a2-3fb6f739ff3e}) (Version: 14.29.30133.0 - Microsoft Corporation)
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.29.30133 (HKLM\...\{E699E009-1C3C-4E50-9B57-2B39F0954C7F}) (Version: 14.29.30133 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.29.30133 (HKLM\...\{6CD9E9ED-906D-4196-8DC3-F987D2F6615F}) (Version: 14.29.30133 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.29.30133 (HKLM-x32\...\{42667D2E-B054-46C1-9D46-2EE1332C14C1}) (Version: 14.29.30133 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.29.30133 (HKLM-x32\...\{EC9807DE-B577-47B1-A024-0251805ACF24}) (Version: 14.29.30133 - Microsoft Corporation) Hidden
Microsoft Web Platform Installer 5.1 (HKLM\...\{4D38C3A3-B685-4AB5-BD6D-FD88BCED5805}) (Version: 5.1.51515.0 - Microsoft Corporation)
Postman-win64-7.36.5 (HKU\S-1-5-21-3412390019-1648271104-2333346583-500\...\Postman) (Version: 7.36.5 - Postman)
Progress Telerik Fiddler (HKU\S-1-5-21-3412390019-1648271104-2333346583-500\...\Fiddler2) (Version: 5.0.20182.28034 - Telerik)
Symantec Endpoint Protection (HKLM\...\{034F3EDA-2F36-414D-906F-9B7B7EBA4E68}) (Version: 14.3.9681.7000 - Broadcom)
Symantec Protection 6.1 for SharePoint Servers (HKLM\...\{CB9C46F8-B7B1-4C98-AFBC-1FC0338A98DB}) (Version: 6.1.1.0 - Broadcom Inc)
TreeSize Free V4.6 (64 bit) (HKLM\...\TreeSize Free_is1) (Version: 4.6 - JAM Software)
VMware Tools (HKLM\...\{AC968A64-CCC0-4916-A426-BA05F38AC28B}) (Version: 12.0.0.19345655 - VMware, Inc.)
WCF Data Services 5.6 Tools (HKLM-x32\...\{25a2ff3c-b7f9-425b-89c1-88468be73b64}) (Version: 5.6.61587.0 - Microsoft Corporation)
WCF Data Services 5.6.0 CHS Language Pack (HKLM-x32\...\{27C1B85F-6057-4869-A536-2587F692A02C}) (Version: 5.6.61587.0 - Microsoft Corporation) Hidden
WCF Data Services 5.6.0 CHT Language Pack (HKLM-x32\...\{D0AEEFB0-F456-421F-982B-CF8020FA5BC3}) (Version: 5.6.61587.0 - Microsoft Corporation) Hidden
WCF Data Services 5.6.0 DEU Language Pack (HKLM-x32\...\{284F5338-4886-460A-BE3E-E510888517BA}) (Version: 5.6.61587.0 - Microsoft Corporation) Hidden
WCF Data Services 5.6.0 ESN Language Pack (HKLM-x32\...\{F3428242-2D69-4E79-B654-1EC06BCEE402}) (Version: 5.6.61587.0 - Microsoft Corporation) Hidden
WCF Data Services 5.6.0 FRA Language Pack (HKLM-x32\...\{35BCEC03-6257-4E45-8C63-FDA427202ADD}) (Version: 5.6.61587.0 - Microsoft Corporation) Hidden
WCF Data Services 5.6.0 ITA Language Pack (HKLM-x32\...\{20FACF5D-023E-4BD0-A14A-2A8A69FC7D9E}) (Version: 5.6.61587.0 - Microsoft Corporation) Hidden
WCF Data Services 5.6.0 JPN Language Pack (HKLM-x32\...\{FC87A84F-5BF6-4984-9A6A-94743B6B7DBD}) (Version: 5.6.61587.0 - Microsoft Corporation) Hidden
WCF Data Services 5.6.0 KOR Language Pack (HKLM-x32\...\{F3DFC581-4066-4987-90FB-BE1403E07B05}) (Version: 5.6.61587.0 - Microsoft Corporation) Hidden
WCF Data Services 5.6.0 Runtime (HKLM-x32\...\{46910786-E4AC-41E4-A4A0-C086EA85242D}) (Version: 5.6.61587.0 - Microsoft Corporation) Hidden
WCF Data Services 5.6.0 RUS Language Pack (HKLM-x32\...\{059054F0-64DA-493C-ABCE-69663D004B84}) (Version: 5.6.61587.0 - Microsoft Corporation) Hidden
Windows Server AppFabric v1.1 CU7 [KB3092423]LDR (HKLM-x32\...\Windows Server AppFabric v1.1 CU7 [KB3092423]LDR) (Version: 1.1.2106.32 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers1: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\vpshell2.dll [2023-06-21] (Symantec Corporation -> Broadcom)
ContextMenuHandlers2: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\vpshell2.dll [2023-06-21] (Symantec Corporation -> Broadcom)
ContextMenuHandlers6: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\vpshell2.dll [2023-06-21] (Symantec Corporation -> Broadcom)

==================== Codecs (Whitelisted) ====================

==================== Shortcuts & WMI ========================

==================== Loaded Modules (Whitelisted) =============

2021-08-30 20:46 - 2021-08-30 20:46 - 000286208 _____ () [File not signed] C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Iden827dcf76#\fc01ad48c5bd923e47fd988478796942\System.IdentityModel.Tokens.Jwt.ni.dll

==================== Alternate Data Streams (Whitelisted) ========

==================== Safe Mode (Whitelisted) ==================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{1275C540-B92D-406A-B595-68C2B266A9A8}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{5CA4F88D-67B7-46CE-9653-5A17519F66F0}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{6B7A2D6B-C77F-4C11-8B70-2CD28AD687A6}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{EBA0DEA8-AC55-458F-9726-2388EB4D982B}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SepMasterService => ""="Service"

==================== Association (Whitelisted) =================

==================== Internet Explorer (Whitelisted) ==========

HKU\S-1-5-21-3412390019-1648271104-2333346583-16634\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm
HKU\S-1-5-21-3412390019-1648271104-2333346583-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm
HKU\S-1-5-21-4095144978-818792502-2840952194-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-3412390019-1648271104-2333346583-16634\...\ngp-svr-app01 -> hxxp://ngp-svr-app01
IE trusted site: HKU\S-1-5-21-3412390019-1648271104-2333346583-500\...\ngp-svr-app01 -> hxxp://ngp-svr-app01

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2016-07-16 17:23 - 2022-12-21 14:14 - 000008740 _____ C:\Windows\system32\drivers\etc\hosts
192.168.5.54 GVP-STG-DB19
10.1.4.13   mish.gov.mu
192.168.12.62     eservices1.govmu.org
192.168.12.61     admin2.govmu.org
192.168.6.90      infohighway.govmu.org
192.168.33.134        innovtech.govmu.org
192.168.33.134        cairo.mauritius.govmu.org
192.168.33.134    mitcihema.govmu.org
192.168.33.134    mnzptemplate1.govmu.org
192.168.33.134    mnzptemplate2.govmu.org
192.168.33.134    cisdtemplate1.govmu.org
192.168.33.134    cisdtemplate2.govmu.org
192.168.33.134    mnzptemplate.govmu.org
192.168.33.134    cisdtemplate.govmu.org
192.168.33.134    www.mofed19.mu
192.168.33.134    morisnouzolipei2020.govmu.org
192.168.33.134    amlnew2020.govmu.org
192.168.33.134    migration.govmu.org
192.168.33.134    rda2020.govmu.org
192.168.33.134    cert-mu.govmu.org
192.168.33.134    ncc2020.govmu.org
192.168.33.134    msb.intnet.mu
192.168.33.134    mauritius-addisababa.govmu.org
192.168.33.134    mauritius-antananarivo.govmu.org
192.168.33.134    mauritius-beijing.govmu.org
192.168.33.134    mauritius-berlin.govmu.org
192.168.33.134    mauritius-brussels.govmu.org
192.168.33.134    mauritius-cairo.govmu.org
192.168.33.134    mauritius-canberra.govmu.org
192.168.33.134    mauritius-geneva.govmu.org

There are 172 more lines.


==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3412390019-1648271104-2333346583-1609\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Windows\img0.jpg
HKU\S-1-5-21-3412390019-1648271104-2333346583-16634\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
HKU\S-1-5-21-3412390019-1648271104-2333346583-500\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
HKU\S-1-5-21-4095144978-818792502-2840952194-500\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 192.168.2.40 - 192.168.2.41
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 0) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Off)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost => (EnableWebContentEvaluation: 0)
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [ComPlusRemoteAdministration-DCOM-In] => (Allow) C:\Windows\system32\dllhost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [SLBM-MUX-IN-TCP] => (Allow) %SystemRoot%\system32\MuxSvcHost.exe => No File
FirewallRules: [{39EE8243-B00B-4957-B28C-6898D4AF72D6}] => (Allow) c:\Program Files\AppFabric 1.1 for Windows Server\DistributedCacheService.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{F289D120-2E19-4953-A1F7-8E18C14CAD39}] => (Allow) c:\Program Files\AppFabric 1.1 for Windows Server\DistributedCacheService.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{A2F9EB9A-B3AF-4086-90B4-2CD50D4578A0}] => (Allow) LPort=8007
FirewallRules: [{D9B3D172-AC77-4F6B-B8A4-A229A967FDFA}] => (Allow) LPort=8090
FirewallRules: [{98C12E68-073B-4DA3-ABD5-8F541DCCEE01}] => (Allow) LPort=32846
FirewallRules: [{FF8316B9-8F21-4C38-B753-A7D6F60CA96D}] => (Allow) LPort=32845
FirewallRules: [{F60DC7F9-7763-44AC-8105-809A5F66FF23}] => (Allow) C:\zabbix\zabbix_agentd.exe (Zabbix SIA) [File not signed]
FirewallRules: [{AAEDFCB8-A310-4ECB-B120-63733E7945FA}] => (Allow) C:\zabbix\zabbix_agentd.exe (Zabbix SIA) [File not signed]
FirewallRules: [{6B936554-3E2C-49D0-B0C0-180C14B81BCA}] => (Allow) LPort=80
FirewallRules: [{19F19AFA-5CF6-45A5-9DFC-F48D9E1CEF18}] => (Allow) LPort=18001
FirewallRules: [{E9D89787-86FD-4762-BD82-AD7EBC0FDC2A}] => (Allow) LPort=16001
FirewallRules: [{31052F32-0850-419B-8CCB-F102C1E403B1}] => (Allow) LPort=26001
FirewallRules: [{F23F14A1-753B-4CA7-87BE-A15B52E73931}] => (Allow) LPort=40548
FirewallRules: [{038FD726-18D5-467A-AE20-BE531AC75A59}] => (Allow) LPort=8006
FirewallRules: [{1AC11A6C-4F95-4B4F-B88A-E1238D2876C4}] => (Allow) LPort=18006
FirewallRules: [{41E2265E-BA43-4D38-9F23-1751899424AA}] => (Allow) LPort=2910
FirewallRules: [{7B58B24D-621D-4393-B295-6505DF430EE4}] => (Allow) LPort=9007
FirewallRules: [{564D85BB-B9E0-468F-A128-21EA415053B0}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.3.1169.0100.105\Bin\ccSvcHst.exe => No File
FirewallRules: [{47AB42B0-B5BD-41B0-9D28-A68EB7FF5351}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.3.1169.0100.105\Bin\ccSvcHst.exe => No File
FirewallRules: [{5C9FA7EA-E38C-4BA5-BBAA-CD09197FF6BD}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.3.1169.0100.105\Bin64\snac64.exe => No File
FirewallRules: [{326BD70F-B0B0-4C5D-BB89-9F14A55DC070}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.3.1169.0100.105\Bin64\snac64.exe => No File
FirewallRules: [{8DB0FA04-9D39-4C9E-8133-0785A529E637}] => (Allow) LPort=8005
FirewallRules: [{DD9F6CD9-05D6-4952-A11C-AFEF46A93294}] => (Allow) LPort=18005
FirewallRules: [{785961B1-A59E-4B69-BBEC-AF454F3C87A4}] => (Allow) LPort=16519
FirewallRules: [{CDFB750F-C3DE-42B7-9F81-1BBE54B97488}] => (Allow) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\ccSvcHst.exe (Symantec Corporation -> Broadcom)
FirewallRules: [{55576F9D-6CD5-46AC-A9CE-945AC5734F8B}] => (Allow) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\ccSvcHst.exe (Symantec Corporation -> Broadcom)
FirewallRules: [{9FF4F84E-84A8-435C-B9A7-588093197BFA}] => (Allow) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\snac64.exe (Symantec Corporation -> Broadcom)
FirewallRules: [{EE030CEE-7D34-4B06-9F6D-5CAA974660F3}] => (Allow) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\snac64.exe (Symantec Corporation -> Broadcom)
FirewallRules: [{64182094-B7BA-4998-BF5F-159E5A5FE3B3}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google LLC -> Google LLC)

==================== Restore Points =========================

ATTENTION: System Restore is disabled (Total:199.51 GB) (Free:85.01 GB) (43%)

==================== Faulty Device Manager Devices ============

Name: VMware VMCI Host Device
Description: VMware VMCI Host Device
Class Guid: {4d36e97d-e325-11ce-bfc1-08002be10318}
Manufacturer: VMware, Inc.
Service: vmci
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver


==================== Event log errors: ========================

Application errors:
==================
Error: (04/24/2024 06:02:01 AM) (Source: Microsoft-SharePoint Products-SharePoint Foundation) (EventID: 2159) (User: GOM)
Description: Event 5586 (SharePoint Foundation) of severity 'Error' occurred 17 more time(s) and was suppressed in the event log

Error: (04/24/2024 06:00:00 AM) (Source: Microsoft-SharePoint Products-SharePoint Foundation) (EventID: 6772) (User: GOM)
Description: There was an internal error invoking the timer job '{FD730E80-C470-4D92-B0E5-F57C98ABDF4A}' for service '{00000000-0000-0000-0000-000000000000}'.

Error: (04/24/2024 06:00:00 AM) (Source: Microsoft-SharePoint Products-SharePoint Foundation) (EventID: 5586) (User: GOM)
Description: Unknown SQL Exception 18452 occurred. Additional error information from SQL Server is included below.

Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

Error: (04/24/2024 06:00:00 AM) (Source: Microsoft-SharePoint Products-SharePoint Foundation) (EventID: 5586) (User: GOM)
Description: Unknown SQL Exception 18452 occurred. Additional error information from SQL Server is included below.

Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

Error: (04/24/2024 06:00:00 AM) (Source: Microsoft-SharePoint Products-SharePoint Foundation) (EventID: 5586) (User: GOM)
Description: Unknown SQL Exception 18452 occurred. Additional error information from SQL Server is included below.

Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

Error: (04/24/2024 06:00:00 AM) (Source: Microsoft-SharePoint Products-SharePoint Foundation) (EventID: 5586) (User: GOM)
Description: Unknown SQL Exception 18452 occurred. Additional error information from SQL Server is included below.

Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

Error: (04/24/2024 06:00:00 AM) (Source: Microsoft-SharePoint Products-SharePoint Foundation) (EventID: 5586) (User: GOM)
Description: Unknown SQL Exception 18452 occurred. Additional error information from SQL Server is included below.

Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

Error: (04/24/2024 05:57:00 AM) (Source: Microsoft-SharePoint Products-SharePoint Foundation) (EventID: 5586) (User: GOM)
Description: Unknown SQL Exception 18452 occurred. Additional error information from SQL Server is included below.

Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.


System errors:
=============
Error: (06/18/2019 06:11:01 AM) (Source: DCOM) (EventID: 10016) (User: GOM)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user GOM\portal_farm SID (S-1-5-21-3412390019-1648271104-2333346583-1609) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (06/18/2019 02:02:02 AM) (Source: DCOM) (EventID: 10016) (User: GOM)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user GOM\portal_farm SID (S-1-5-21-3412390019-1648271104-2333346583-1609) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (06/18/2019 01:09:02 AM) (Source: DCOM) (EventID: 10016) (User: GOM)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user GOM\portal_farm SID (S-1-5-21-3412390019-1648271104-2333346583-1609) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (06/18/2019 12:43:05 AM) (Source: Disk) (EventID: 15) (User: )
Description: The device, \Device\Harddisk3\DR19, is not ready for access yet.

Error: (06/18/2019 12:42:55 AM) (Source: NTFS) (EventID: 137) (User: )
Description: The default transaction resource manager on volume \\?\Volume{c419c3af-0000-0000-0000-501f00000000} encountered a non-retryable error and could not start.  The data contains the error code.

Error: (06/17/2019 06:11:01 AM) (Source: DCOM) (EventID: 10016) (User: GOM)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user GOM\portal_farm SID (S-1-5-21-3412390019-1648271104-2333346583-1609) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (06/17/2019 02:02:02 AM) (Source: DCOM) (EventID: 10016) (User: GOM)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user GOM\portal_farm SID (S-1-5-21-3412390019-1648271104-2333346583-1609) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (06/17/2019 01:09:02 AM) (Source: DCOM) (EventID: 10016) (User: GOM)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user GOM\portal_farm SID (S-1-5-21-3412390019-1648271104-2333346583-1609) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


Windows Defender:
================Event[0]:

Date: 2023-10-09 12:29:06.382
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.399.246.0
Update Source: Microsoft Update Server
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.23090.2007
Error code: 0x80240438
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

Date: 2023-08-06 01:49:33.972
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.393.2180.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.23070.1005
Error code: 0x80072ee2
Error description: The operation timed out

Date: 2023-08-06 01:49:33.971
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.393.2180.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiSpyware
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.23070.1005
Error code: 0x80072ee2
Error description: The operation timed out

Date: 2023-08-06 01:49:33.970
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.393.2180.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.23070.1005
Error code: 0x80072ee2
Error description: The operation timed out

Date: 2023-08-06 01:48:30.743
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.393.2180.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.23070.1005
Error code: 0x80072ee2
Error description: The operation timed out

==================== Memory info ===========================

BIOS: Phoenix Technologies LTD 6.00 12/12/2018
Motherboard: Intel Corporation 440BX Desktop Reference Platform
Processor: Intel® Xeon® Gold 5218R CPU @ 2.10GHz
Percentage of memory in use: 29%
Total physical RAM: 32767.49 MB
Available physical RAM: 23024.61 MB
Total Virtual: 65535.49 MB
Available Virtual: 53205.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:199.51 GB) (Free:85.01 GB) (Model: VMware Virtual disk SCSI Disk Device) NTFS
Drive e: (LOGS) (Fixed) (Total:300 GB) (Free:284.69 GB) (Model: VMware Virtual disk SCSI Disk Device) NTFS

\\?\Volume{1827bf92-0000-0000-0000-100000000000}\ (System Reserved) (Fixed) (Total:0.49 GB) (Free:0.15 GB) NTFS

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 200 GB) (Disk ID: 1827BF92)
Partition 1: (Active) - (Size=500 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=199.5 GB) - (Type=07 NTFS)

==========================================================
Disk: 1 (MBR Code: Windows 7/8/10) (Size: 300 GB) (Disk ID: 58A11489)
Partition 1: (Not Active) - (Size=300 GB) - (Type=07 NTFS)

==================== End of Addition.txt =======================