Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13.02.2019
Ran by administrator (15-02-2019 16:06:43)
Running from \\192.168.1.22\public\SOSVIRUS\Soft
Windows Server 2016 Standard (X64) (2018-11-10 13:16:10)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-2128993047-2488024704-32700118-500 - Administrator - Enabled)
Guest (S-1-5-21-2128993047-2488024704-32700118-501 - Limited - Disabled)
krbtgt (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
VVV (0 - Administrator - Enabled) => %systemroot%\system32\config\systemprofile
SpiceWorks (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
BU_Admin (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
Sacha (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
Lara (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
Mélanie (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
svc.sqladmin (0 - Administrator - Enabled) => %systemroot%\system32\config\systemprofile
DC01$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
VC$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SPICEWORKS$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
W10-001$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
VIDEO$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
PRTG$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
W7-TEMPLATE$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
WSUS$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
TSGATEWAY$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
DC02$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
LANSWEEPER$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
WSUSHOME$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SQL01$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SQL2008$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SQL2014$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SQL2016$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SQL2017$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
CS01$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
WKS-VVV$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
CS02$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
GATE01$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
LAB$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Administrative Templates (ADMX) for Windows 10 (HKLM-x32\...\{166A4A62-D19E-4DFB-8499-FBA08716D847}) (Version: 1.0 - Microsoft Corporation)
Administrative Templates (ADMX) for Windows 10 Version 1511 (HKLM-x32\...\{39E58F1A-1DE1-4B60-8ECF-B54E2580D59C}) (Version: 1.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
VMware Tools (HKLM\...\{092CAFE8-7A43-4C32-82C6-A5547F93417F}) (Version: 10.2.1.8267844 - VMware, Inc.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {18CFC687-ED43-4982-9DE7-FBC9E36BFEF6} - System32\Tasks\Microsoft\Windows\PLA\Server Manager Performance Monitor => %systemroot%\system32\rundll32.exe %systemroot%\system32\pla.dll,PlaHost "Server Manager Performance Monitor" "$(Arg0)"
Task: {35ECAB80-112B-41D6-848D-F81316F38B41} - System32\Tasks\CreateExplorerShellUnelevatedTask => C:\Windows\explorer.exe /NOUACCHECK
Task: {3E08592F-DD5E-4277-90D5-33D7FD84E0B5} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1901.7-0\MpCmdRun.exe (Microsoft Corporation -> Microsoft Corporation)
Task: {41600EBB-B4B7-472A-9F58-8AA04A7F8984} - System32\Tasks\Microsoft\Windows\Network Controller\SDN Diagnostics Task
Task: {423523CC-C7A9-46CD-B449-0C6C806C3F8D} - System32\Tasks\Microsoft\Windows\Software Inventory Logging\Configuration => %systemroot%\system32\cmd.exe /d /c %systemroot%\system32\silcollector.cmd configure
Task: {6C4B3AC3-D155-4118-A777-F006EB7D1D98} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1901.7-0\MpCmdRun.exe (Microsoft Corporation -> Microsoft Corporation)
Task: {7601C950-8C68-4D6C-9351-788E74E39B0A} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1901.7-0\MpCmdRun.exe (Microsoft Corporation -> Microsoft Corporation)
Task: {C17C986F-BE76-456F-9803-49510F0BBD62} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1901.7-0\MpCmdRun.exe (Microsoft Corporation -> Microsoft Corporation)
Task: {DF1BA6A6-82D9-4DF9-A787-7804CDFA74B5} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe (Microsoft Windows -> Microsoft Corporation)
Task: {E0A67649-21C8-4620-81A8-EACF01A98AC3} - System32\Tasks\Microsoft\Windows\Software Inventory Logging\Collection => %systemroot%\system32\cmd.exe /d /c %systemroot%\system32\silcollector.cmd publish
Task: {F0240DDF-FDD2-46B9-8664-34A1B0825CD3} - System32\Tasks\Microsoft\Windows\Server Manager\CleanupOldPerfLogs => %systemroot%\system32\cscript.exe /B /nologo %systemroot%\system32\calluxxprovider.vbs $(Arg0) $(Arg1) $(Arg2)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2018-04-14 08:40 - 2018-04-14 08:40 - 000454584 _____ () C:\Program Files\VMware\VMware Tools\VMware VGAuth\pcre.dll
2018-04-14 08:58 - 2018-04-14 08:58 - 000454584 _____ () C:\Program Files\VMware\VMware Tools\pcre.dll
2016-07-16 14:18 - 2016-07-16 14:18 - 000231424 _____ () C:\Windows\SYSTEM32\ism32k.dll
2018-10-18 20:44 - 2018-10-10 09:31 - 002681616 _____ () C:\Windows\system32\CoreUIComponents.dll
2018-02-02 19:36 - 2018-02-02 19:36 - 000134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2018-02-02 19:37 - 2018-02-02 19:37 - 000474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2018-10-18 18:48 - 2018-08-07 05:12 - 009847808 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2018-10-18 18:50 - 2018-08-07 05:03 - 001402368 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2018-10-18 18:51 - 2018-08-07 05:03 - 000757760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2018-10-18 18:48 - 2018-08-07 05:04 - 002424832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2018-10-18 18:48 - 2018-08-07 05:11 - 004854272 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2016-07-16 14:23 - 2016-07-16 14:21 - 000000824 _____ C:\Windows\system32\drivers\etc\hosts

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2894946948-3597676906-2984582856-500\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 192.168.10.10 - 192.168.11.10
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

If an entry is included in the fixlist, it will be removed.

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [ComPlusRemoteAdministration-DCOM-In] => (Allow) %systemroot%\system32\dllhost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [SLBM-MUX-IN-TCP] => (Allow) %SystemRoot%\system32\MuxSvcHost.exe No File
FirewallRules: [NTFRS-NTFRSSvc-In-TCP] => (Allow) %SystemRoot%\system32\NTFRS.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [DfsMgmt-In-TCP] => (Allow) %systemroot%\system32\dfsfrsHost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [ADWS-TCP-In] => (Allow) %systemroot%\ADWS\Microsoft.ActiveDirectory.WebServices.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [ADWS-TCP-Out] => (Allow) %systemroot%\ADWS\Microsoft.ActiveDirectory.WebServices.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [DFSR-DFSRSvc-In-TCP] => (Allow) %SystemRoot%\system32\dfsrs.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [DNSSrv-DNS-TCP-In] => (Allow) %systemroot%\System32\dns.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [DNSSrv-DNS-UDP-In] => (Allow) %systemroot%\System32\dns.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [DNSSrv-RPC-TCP-In] => (Allow) %systemroot%\System32\dns.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [DNSSrv-TCP-Out] => (Allow) %systemroot%\System32\dns.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [DNSSrv-UDP-Out] => (Allow) %systemroot%\System32\dns.exe (Microsoft Windows -> Microsoft Corporation)

==================== Restore Points =========================

ATTENTION: System Restore is disabled
Check "winmgmt" service or repair WMI.

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (01/14/2019 08:02:50 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004E028
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c0b765fd-6e2e-42f9-80d7-4a7ca0d118cf;NotificationInterval=1440;Trigger=TimerEvent

Error: (01/14/2019 08:41:30 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007139F
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=8c1c5410-9f39-4805-8c9d-63a07706358f;NotificationInterval=1440;Trigger=TimerEvent

Error: (01/13/2019 08:41:30 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007139F
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=8c1c5410-9f39-4805-8c9d-63a07706358f;NotificationInterval=1440;Trigger=TimerEvent

Error: (01/12/2019 08:41:30 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007139F
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=8c1c5410-9f39-4805-8c9d-63a07706358f;NotificationInterval=1440;Trigger=TimerEvent

Error: (01/11/2019 08:41:30 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007139F
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=8c1c5410-9f39-4805-8c9d-63a07706358f;NotificationInterval=1440;Trigger=TimerEvent

Error: (01/10/2019 08:41:30 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007139F
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=8c1c5410-9f39-4805-8c9d-63a07706358f;NotificationInterval=1440;Trigger=TimerEvent

Error: (01/09/2019 08:41:30 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007139F
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=8c1c5410-9f39-4805-8c9d-63a07706358f;NotificationInterval=1440;Trigger=TimerEvent

Error: (01/08/2019 08:41:31 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007232B
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=8c1c5410-9f39-4805-8c9d-63a07706358f;NotificationInterval=1440;Trigger=UserLogon;SessionId=4


System errors:
=============
Error: (02/15/2019 03:06:09 PM) (Source: NETLOGON) (EventID: 5722) (User: )
Description: The session setup from the computer VIDEO failed to authenticate. The name(s) of the account(s) referenced in the security database is VIDEO$. The following error occurred:
Access is denied.

Error: (02/15/2019 03:06:09 PM) (Source: NETLOGON) (EventID: 5805) (User: )
Description: The session setup from the computer TEMPLATE-W10 failed to authenticate. The following error occurred:
Access is denied.

Error: (02/15/2019 03:01:17 PM) (Source: NETLOGON) (EventID: 5723) (User: )
Description: The session setup from computer 'TEMPLATE-W10' failed because the security database does not contain a trust account 'TEMPLATE-W10$' referenced by the specified computer.

USER ACTION
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. If this is a Read-Only Domain Controller and 'TEMPLATE-W10$' is a legitimate machine account for the computer 'TEMPLATE-W10' then 'TEMPLATE-W10' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller capable of servicing the request (for example a writable domain controller). Otherwise, the following steps may be taken to resolve this problem:

If 'TEMPLATE-W10$' is a legitimate machine account for the computer 'TEMPLATE-W10', then 'TEMPLATE-W10' should be rejoined to the domain.

If 'TEMPLATE-W10$' is a legitimate interdomain trust account, then the trust should be recreated.

Otherwise, assuming that 'TEMPLATE-W10$' is not a legitimate account, the following action should be taken on 'TEMPLATE-W10':

If 'TEMPLATE-W10' is a Domain Controller, then the trust associated with 'TEMPLATE-W10$' should be deleted.

If 'TEMPLATE-W10' is not a Domain Controller, it should be disjoined from the domain.

Error: (02/15/2019 02:30:52 PM) (Source: NETLOGON) (EventID: 5722) (User: )
Description: The session setup from the computer TEMPLATE-W10 failed to authenticate. The name(s) of the account(s) referenced in the security database is TEMPLATE-W10$. The following error occurred:
Access is denied.

Error: (02/14/2019 02:38:50 PM) (Source: NETLOGON) (EventID: 5722) (User: )
Description: The session setup from the computer TEMPLATE-W10 failed to authenticate. The name(s) of the account(s) referenced in the security database is TEMPLATE-W10$. The following error occurred:
Access is denied.

Error: (01/18/2019 04:24:53 AM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain controller in domain LAB due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

Error: (01/18/2019 04:24:37 AM) (Source: NETLOGON) (EventID: 5783) (User: )
Description: The session setup to the Windows Domain Controller \\DCLAB.vvnet.lab for the domain LAB is not responsive. The current RPC call from Netlogon on \\DC02 to \\DCLAB.vvnet.lab has been cancelled.

Error: (01/18/2019 04:14:46 AM) (Source: NETLOGON) (EventID: 5722) (User: )
Description: The session setup from the computer TEMPLATE-W10 failed to authenticate. The name(s) of the account(s) referenced in the security database is TEMPLATE-W10$. The following error occurred:
Access is denied.


Windows Defender:
===================================
Date: 2019-01-04 15:12:16.353
Description:
Windows Defender scan has been stopped before completion.
Scan ID: {C854291A-9CF7-428C-88B0-D295387B4116}
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2018-10-26 23:49:46.403
Description:
Windows Defender scan has been stopped before completion.
Scan ID: {8A1E5137-16CD-4A73-B08F-ABC822DCB3DB}
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2018-10-19 05:26:56.669
Description:
Windows Defender has detected a suspicious behavior.
Name: Informational:Behavior/ModifiedKernel
ID: 57587451
Severity: Low
Category: Suspicious Behavior
Path Found: process:_0
Detection Origin: Unknown
Detection Type: Suspicious
Detection Source: Real-Time Protection
Status: Executing
Process Name: Unknown
Signature ID: 717259538435
Signature Version: AV: 1.279.64.0, AS: 1.279.64.0
Engine Version: 1.1.15400.4
Fidelity Label: Low
Target File Name:

Date: 2018-11-10 14:03:04.244
Description:
Windows Defender has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.279.572.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.15400.4
Error code: 0x8024001e
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.


CodeIntegrity:
===================================
Date: 2018-10-18 19:29:22.716
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\platform\4.18.1809.2-0\Drivers\WdBoot.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2018-10-18 19:29:22.713
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\platform\4.18.1809.2-0\Drivers\WdBoot.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

Processor: Intel(R) Xeon(R) CPU X5650 @ 2.67GHz
Percentage of memory in use: 46%
Total physical RAM: 4095.42 MB
Available physical RAM: 2196.84 MB
Total Virtual: 4799.42 MB
Available Virtual: 2962.92 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:39.51 GB) (Free:17.16 GB) NTFS
\\?\Volume{c380b0e1-0000-0000-0000-100000000000}\ (System Reserved) (Fixed) (Total:0.49 GB) (Free:0.15 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 40 GB) (Disk ID: C380B0E1)
Partition 1: (Active) - (Size=500 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=39.5 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================