Exchange 2013 infected by Backdoor:MSIL/Chopper & other variants


65 replies to this topic

#1 kpatel45

Posted 26 December 2023 - 02:51 AM

Hello,
 
MS Exchange 2013 CU23 server running on Windows 2012 was infected with Backdoor:MSIL/Chopper.G!dha, Backdoor:ASP/Chopper.ZC!dha and many other variants. Microsoft Security Scanner was used to scan and remove the virus, which requires a reboot each time the servers are cleaned. However, the virus reappears after a few days under another variant name. The server is fully updated with all available updates. The 4 mail servers are part of a DAG and all of them are infected. Scan is done in normal mode. Malwarebytes was also used for scanning.
 
FARBAR SCAN RESULTS ARE ATTACHED TO THE POST

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 22-12-2023
Ran by ex-super_user (administrator) on C11-EX-SVR-MBX4 (HP ProLiant BL680c G7) (26-12-2023 11:23:02)
Running from C:\TEMP\FRST64.exe
Loaded Profiles: ex-super_user
Platform: Microsoft Windows Server 2012 Standard (X64) Language: English (United States)
Default browser: IE
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(C:\hp\hpsmh\bin\hpsmhd.exe ->) (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\bin\rotatelogs.exe <4>
(C:\hp\hpsmh\bin\smhstart.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\cmd.exe
(C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe ->) (Malwarebytes Inc. -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Service.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Worker.exe <6>
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\noderunner.exe <3>
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\noderunner.exe
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\noderunner.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\ParserServer\ParserServer.exe
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe
(C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe
(C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe
(C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe
(C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe
(C:\Windows\Cluster\clussvc.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\Cluster\rhs.exe <2>
(cmd.exe ->) (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\bin\hpsmhd.exe <2>
(inetsrv\w3wp.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\Bin\DocumentViewing\TranscodingService.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\ServerManager.exe
(services.exe ->) (Broadcom Inc -> Broadcom) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\sepWscSvc64.exe
(services.exe ->) (Hewlett-Packard Company -> Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\iLO 3\service\ProLiantMonitor.exe
(services.exe ->) (Hewlett-Packard Company -> Hewlett-Packard Company) C:\Windows\System32\CpqMgmt\cqmghost\cqmghost.exe
(services.exe ->) (Hewlett-Packard Company -> Hewlett-Packard Company) C:\Windows\System32\CpqMgmt\cqmgserv\cqmgserv.exe
(services.exe ->) (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\bin\smhstart.exe
(services.exe ->) (Hewlett-Packard Company) [File not signed] C:\Program Files\hp\Cissesrv\cissesrv.exe
(services.exe ->) (Hewlett-Packard Company) [File not signed] C:\Program Files\HPWBEM\Storage\Service\hpwmistor.exe
(services.exe ->) (Hewlett-Packard Company) [File not signed] C:\Windows\System32\CpqMgmt\cqmgstor\cqmgstor.exe
(services.exe ->) (Hewlett-Packard Company) [File not signed] C:\Windows\System32\CPQNiMgt\cpqnimgt.exe
(services.exe ->) (IBM India Pvt Ltd -> IBM Corporation) [File not signed] C:\Program Files\IBM\SDDDSM\sddsrv.exe
(services.exe ->) (Malwarebytes Inc. -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corp.) C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Search.Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.ServiceHost.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\fms.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(services.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\Cluster\clussvc.exe
(services.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\inetsrv\WMSvc.exe
(services.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\nfssvc.exe
(services.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\rundll32.exe <2>
(services.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\vds.exe
(services.exe ->) (Symantec Corporation -> Broadcom) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\ccSvcHst.exe <3>
(services.exe ->) (Veeam Software Group GmbH -> Veeam Software Group GmbH) C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Service.exe
(services.exe ->) (Veeam Software Group GmbH -> Veeam Software Group GmbH) C:\Windows\Veeam\Backup\VeeamDeploymentSvc.exe
(services.exe ->) (Veritas Technologies LLC -> Veritas Technologies LLC) C:\Program Files (x86)\VERITAS\VxPBX\bin\pbx_exchange.exe
(services.exe ->) (Veritas Technologies LLC -> Veritas Technologies LLC) C:\Program Files\Veritas\NetBackup\bin\bpcd.exe
(services.exe ->) (Veritas Technologies LLC -> Veritas Technologies LLC) C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe
(services.exe ->) (Veritas Technologies LLC -> Veritas Technologies LLC) C:\Program Files\Veritas\NetBackup\bin\nbdisco.exe
(services.exe ->) (Veritas Technologies LLC -> Veritas Technologies LLC) C:\Program Files\Veritas\NetBackup\bin\vnetd.exe <3>
(services.exe ->) (Zabbix SIA) [File not signed] C:\Zabbix\zabbix_agentd.exe
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corp.) C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe <3>
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe <13>
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(winlogon.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\LogonUI.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [QLogicSaveSystemInfo] => rundll32.exe qlco10010.dll,QLSaveSystemInfo (No File)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Policies\Explorer: [AllowOnlineTips] 0
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall: Restriction <==== ATTENTION
HKLM\...\Policies\system: [legalnoticecaption] “Government Online Centre (GOC)”
HKLM\...\Policies\system: [legalnoticetext] “This system is owned and operated by GOC. Use is restricted to GOC. Authorised users must comply with the GOC IT Security Policy. Usage is monitored
HKLM\Software\Policies\...\system: [DenyRsopToInteractiveUser] 1
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}] -> "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenAdmin
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}] -> "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenUser
Lsa: [Notification Packages] scecli rassfm
BootExecute: autocheck autochk /q /v *
Policies: C:\Users\administrator.GOM\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\ex-super-var\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\ex-super-yb\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\ex-super_user\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\share-port_sysadmin1\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\share-port_sysadmin2\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\share-port_sysadmin4\NTUSER.pol: Restriction <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {9335200B-9EB5-4F29-8CA7-0555929B5408} - System32\Tasks\Delete Exchange Logs => C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [474624 2012-07-26] (Microsoft Windows -> Microsoft Corporation) -> -NonInteractive -command ". 'C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; .\ClearLogs.ps1"
Task: {734C4B31-C98B-47B1-911B-5CA88A69DA54} - System32\Tasks\Microsoft\Windows\CertificateServicesClient\Notification\ReplaceOMCert => C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [474624 2012-07-26] (Microsoft Windows -> Microsoft Corporation) -> -NonInteractive -File "C:\Program Files\Microsoft Monitoring Agent\Agent\Tools\UpdateOMCert.ps1" -OldCertHash $(OldCertHash) -NewCertHash $(NewCertHash) -EventRecordId $(EventRecordId)
Task: {4A2D7E4A-9C77-4CF0-9C9A-CF1435BBA2EB} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [256512 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
Task: {6EFE5C9E-9B8F-4468-A739-46BEB554ED57} - System32\Tasks\Microsoft\Windows\PLA\Exchange_Perfwiz => C:\Windows\system32\rundll32.exe [51712 2012-07-26] (Microsoft Windows -> Microsoft Corporation) -> C:\Windows\system32\pla.dll,PlaHost "Exchange_Perfwiz" "$(Arg0)"
Task: {D0AECC17-F481-4226-8D50-CFC2747BFD71} - System32\Tasks\Microsoft\Windows\PLA\ExchangeDiagnosticsDailyPerformanceLog => C:\Windows\system32\rundll32.exe [51712 2012-07-26] (Microsoft Windows -> Microsoft Corporation) -> C:\Windows\system32\pla.dll,PlaHost "ExchangeDiagnosticsDailyPerformanceLog" "$(Arg0)"
Task: {EBE323AD-A392-4B3A-84D1-89C71E53BC5F} - System32\Tasks\Microsoft\Windows\PLA\ExchangeDiagnosticsPerformanceLog => C:\Windows\system32\rundll32.exe [51712 2012-07-26] (Microsoft Windows -> Microsoft Corporation) -> C:\Windows\system32\pla.dll,PlaHost "ExchangeDiagnosticsPerformanceLog" "$(Arg0)"
Task: {2DD4DAE1-5FA1-4A6D-BD04-9CAA551C7450} - System32\Tasks\Microsoft\Windows\PLA\Server Manager Performance Monitor => C:\Windows\system32\rundll32.exe [51712 2012-07-26] (Microsoft Windows -> Microsoft Corporation) -> %systemroot%\system32\pla.dll,PlaHost "Server Manager Performance Monitor" "$(Arg0)"
Task: {64C59100-7846-4C78-9724-0B6E95E43CAF} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_ERROR_HB => C:\TEMP\MSERT.exe [150189544 2023-12-09] (Microsoft Corporation -> Microsoft Corporation) <==== ATTENTION
Task: {2E1D51CF-C57C-4B06-A34A-1A8210284088} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [156112424 2023-04-19] (Microsoft Windows -> Microsoft Corporation)
Task: {8B56BECD-7294-470A-B8E9-5A0C7A454E5E} - System32\Tasks\Microsoft\Windows\Server Manager\CleanupOldPerfLogs => C:\Windows\system32\cscript.exe [146944 2018-10-26] (Microsoft Windows -> Microsoft Corporation) -> /B /nologo %systemroot%\system32\calluxxprovider.vbs $(Arg0) $(Arg1) $(Arg2)
Task: {59E8FC39-8262-4D00-849D-3A7C447D385C} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [94720 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
Task: {5198D9B3-684F-47A5-BAB0-AB87C6B9C010} - System32\Tasks\Microsoft\Windows\Setup\WS2012EOSNotify => C:\Windows\system32\WS2012EOSNotify.exe [48640 2023-06-27] (Microsoft Windows -> Microsoft Corporation)
Task: {651D7463-FE66-4B99-A20C-588842AF48AC} - System32\Tasks\Symantec Endpoint Protection\Symantec Endpoint Protection Error Analyzer => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\SymErr.exe [102312 2023-06-20] (Symantec Corporation -> Broadcom)
Task: {29B87951-259A-4A25-A4DB-FA84F4634C93} - System32\Tasks\Symantec Endpoint Protection\Symantec Endpoint Protection Error Processor => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\SymErr.exe [102312 2023-06-20] (Symantec Corporation -> Broadcom)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <==== ATTENTION (Restriction - ProxySettings)
ProxyEnable: [S-1-5-21-1365522570-4229012047-2779133919-500] => Proxy is enabled.
ProxyServer: [S-1-5-21-1365522570-4229012047-2779133919-500] => 192.168.66.1:8783
ProxyServer: [S-1-5-21-3412390019-1648271104-2333346583-17206] => 192.168.66.1:8783
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{60576B43-9007-4DC3-A65F-130B9290A3E0}: [NameServer] 192.168.2.40,192.168.2.41,192.168.2.39
HKLM\System\...\Parameters\PersistentRoutes: [192.168.3.31,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.3.73,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.3.71,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.3.66,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.3.185,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.2.0,255.255.255.0,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [202.123.27.104,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [202.123.27.107,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.3.0,255.255.255.0,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.7.8,255.255.255.255,192.168.6.1,1]
PersistentRoutes: There are 22 PersistentRoutes.


==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 AdtAgent; C:\Windows\system32\AdtAgent.exe [410808 2013-09-06] (Microsoft Corporation -> Microsoft Corporation)
S4 CIMnotify; C:\Windows\system32\CIMntfy\cimntfy.exe [265496 2013-07-12] (Hewlett-Packard Company -> Hewlett-Packard Company)
R2 Cissesrv; C:\Program Files\HP\Cissesrv\cissesrv.exe [194048 2013-05-08] (Hewlett-Packard Company) [File not signed]
R2 ClusSvc; C:\Windows\Cluster\clussvc.exe [7328768 2023-06-15] (Microsoft Windows -> Microsoft Corporation)
R2 CpqNicMgmt; C:\Windows\system32\CPQNiMgt\cpqnimgt.exe [9728 2013-07-12] (Hewlett-Packard Company) [File not signed]
R2 CqMgHost; C:\Windows\system32\CpqMgmt\cqmghost\cqmghost.exe [16664 2013-07-12] (Hewlett-Packard Company -> Hewlett-Packard Company)
R2 CqMgServ; C:\Windows\system32\CpqMgmt\cqmgserv\cqmgserv.exe [17176 2013-07-12] (Hewlett-Packard Company -> Hewlett-Packard Company)
R2 CqMgStor; C:\Windows\system32\CpqMgmt\cqmgstor\cqmgstor.exe [20992 2013-06-21] (Hewlett-Packard Company) [File not signed]
R2 FMS; C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\FMS.exe [1342912 2022-02-17] (Microsoft Corporation -> Microsoft Corporation)
R2 HealthService; C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe [25272 2013-09-06] (Microsoft Corporation -> Microsoft Corp.)
R2 HostControllerService; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe [33560 2019-05-29] (Microsoft Corporation -> Microsoft Corporation)
R2 HPWMISTOR; C:\Program Files\HPWBEM\Storage\Service\HPWMISTOR.exe [20992 2013-06-28] (Hewlett-Packard Company) [File not signed]
S3 KPSSVC; C:\Windows\system32\kpssvc.dll [171520 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
S3 LiveUpdate; C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093880 2009-07-13] (Symantec Corporation -> Symantec Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [9343840 2023-12-04] (Malwarebytes Inc. -> Malwarebytes)
R2 MSExchangeADTopology; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe [194080 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeAntispamUpdate; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe [28680 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeDagMgmt; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe [24056 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeDelivery; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe [32800 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeDiagnostics; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe [128536 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeEdgeSync; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe [99304 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeFastSearch; C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe [30224 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeFrontEndTransport; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe [26576 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeHM; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe [26640 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeImap4; C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe [26136 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeIMAP4BE; C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe [26136 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeIS; C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe [26144 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeMailboxAssistants; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe [2393136 2023-01-19] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeMailboxReplication; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe [21568 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangePop3; C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe [26176 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangePOP3BE; C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe [26176 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeRepl; C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe [69120 2023-01-19] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeRPC; C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe [32792 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeServiceHost; C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe [55840 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeSubmission; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe [63008 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeThrottling; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe [41448 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeTransport; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe [78280 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeTransportLogSearch; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe [144336 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeUM; C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe [103976 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeUMCR; C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe [23552 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
S3 mtstrmd; C:\Program Files\Veritas\pdde\mtstrmd.exe [1749400 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
R2 NetBackup Client Service; C:\Program Files\Veritas\NetBackup\bin\bpcd.exe [840088 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
R2 NetBackup Discovery Framework; C:\Program Files\Veritas\NetBackup\bin\nbdisco.exe [49048 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
R2 NetBackup Legacy Client Service; C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe [287640 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
R2 NetBackup Legacy Network Service; C:\Program Files\Veritas\NetBackup\bin\vnetd.exe [226712 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
S3 NetBackup Proxy Service; C:\Program Files\Veritas\NetBackup\bin\nbostpxy.exe [1050008 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
S4 NetBackup SAN Client Fibre Transport Service; C:\Program Files\Veritas\NetBackup\bin\nbftclnt.exe [906136 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
R2 NfsService; C:\Windows\system32\nfssvc.exe [67584 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R2 ProLiantMonitor; C:\Program Files\Hewlett-Packard\iLO 3\service\ProLiantMonitor.exe [262424 2013-05-29] (Hewlett-Packard Company -> Hewlett-Packard Company)
S3 RPCHTTPLBS; C:\Windows\System32\RpcProxy\LBService.dll [25088 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [95744 2020-08-15] (Microsoft Windows -> Microsoft Corporation)
S3 RSoPProv; C:\Windows\SysWOW64\RSoPProv.exe [83968 2020-08-15] (Microsoft Windows -> Microsoft Corporation)
R3 sacsvr; C:\Windows\system32\sacsvr.dll [15872 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R2 SDD_Service; C:\Program Files\IBM\SDDDSM\sddsrv.exe [295656 2017-06-22] (IBM India Pvt Ltd -> IBM Corporation) [File not signed]
R2 SearchExchangeTracing; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe [159984 2019-05-29] (Microsoft Corporation -> Microsoft Corporation)
S4 SepLpsService; C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\ccSvcHst.exe [190664 2023-06-20] (Symantec Corporation -> Broadcom)
R2 SepMasterService; C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\ccSvcHst.exe [190664 2023-06-20] (Symantec Corporation -> Broadcom)
R2 SepScanService; C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\bin64\ccSvcHst.exe [190664 2023-06-20] (Symantec Corporation -> Broadcom)
R2 sepWscSvc; C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\sepWscSvc64.exe [1398888 2023-06-20] (Broadcom Inc -> Broadcom)
S3 SmbWitness; C:\Windows\System32\witness.dll [129536 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
S3 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\snac64.exe [173256 2023-06-20] (Symantec Corporation -> Broadcom)
R2 sysdown; C:\Program Files\Hewlett-Packard\iLO 3\service\ProLiantMonitor.exe [262424 2013-05-29] (Hewlett-Packard Company -> Hewlett-Packard Company)
R2 SysMgmtHp; C:\hp\hpsmh\bin\smhstart.exe [734208 2013-07-10] (Hewlett-Packard Company) [File not signed]
S4 System Center Management APM; C:\Program Files\Microsoft Monitoring Agent\Agent\APMDOTNETAgent\InterceptSvc.exe [626872 2013-09-06] (Microsoft Corporation -> Microsoft Corp.)
R2 UALSVC; C:\Windows\System32\ualsvc.dll [241664 2014-09-13] (Microsoft Windows -> Microsoft Corporation)
R2 VeeamDeploySvc; C:\Windows\Veeam\Backup\VeeamDeploymentSvc.exe [1549848 2021-09-23] (Veeam Software Group GmbH -> Veeam Software Group GmbH)
R2 VeeamEndpointBackupSvc; C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Service.exe [130072 2022-02-20] (Veeam Software Group GmbH -> Veeam Software Group GmbH)
R2 VRTSpbx; C:\Program Files (x86)\VERITAS\VxPBX\bin\pbx_exchange.exe [272792 2021-05-02] (Veritas Technologies LLC -> Veritas Technologies LLC)
S3 wsbexchange; C:\Program Files\Microsoft\Exchange Server\V15\bin\wsbexchange.exe [125920 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 Zabbix Agent; C:\Zabbix\zabbix_agentd.exe [440832 2016-09-12] (Zabbix SIA) [File not signed]

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 be2iscsi; C:\Windows\System32\drivers\be2iscsi.sys [266960 2015-12-29] (EMULEX -> Emulex)
R3 be2net; C:\Windows\system32\DRIVERS\ocnd63.sys [746192 2016-01-07] (EMULEX -> Emulex)
S0 bfad; C:\Windows\System32\drivers\bfad.sys [1963760 2012-07-26] (Microsoft Windows -> Brocade Communications Systems, Inc.)
S0 bfadfcoe; C:\Windows\System32\drivers\bfadfcoe.sys [1964272 2012-07-26] (Microsoft Windows -> Brocade Communications Systems, Inc.)
R1 BHDrvx64; C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Data\Definitions\BASHDefs\20231221.001\BHDrvx64.sys [1706512 2023-10-31] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
S0 bxfcoe; C:\Windows\System32\drivers\bxfcoe.sys [186096 2012-07-26] (Microsoft Windows -> Broadcom Corporation)
S0 bxois; C:\Windows\System32\drivers\bxois.sys [564976 2012-07-26] (Microsoft Windows -> Broadcom Corporation)
R2 CCFFilter; C:\Windows\system32\drivers\CCFFilter.sys [33520 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R1 ccSettings_{6B7A2D6B-C77F-4C11-8B70-2CD28AD687A6}; C:\Windows\System32\Drivers\SEP\0E0325D1\1B58.105\x64\ccSetx64.sys [200168 2023-06-20] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R3 ClusDisk; C:\Windows\System32\drivers\ClusDisk.sys [67584 2022-04-07] (Microsoft Windows -> Microsoft Corporation)
R3 CsvFlt; C:\Windows\System32\drivers\CsvFlt.sys [205824 2022-03-17] (Microsoft Windows -> Microsoft Corporation)
R3 CsvFs; C:\Windows\System32\drivers\CsvFs.sys [628736 2022-03-17] (Microsoft Windows -> Microsoft Corporation)
R3 CsvNSFlt; C:\Windows\System32\drivers\CsvNSFlt.sys [66560 2022-03-17] (Microsoft Windows -> Microsoft Corporation)
R3 csvvbus; C:\Windows\System32\drivers\csvvbus.sys [148480 2022-04-14] (Microsoft Windows -> Microsoft Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [527832 2023-06-19] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
S0 elxfcoe; C:\Windows\System32\drivers\elxfcoe.sys [699632 2012-07-26] (Microsoft Windows -> Emulex)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [159720 2023-06-21] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R0 HpCISSs2; C:\Windows\System32\drivers\HpCISSs2.sys [153920 2012-09-05] (Hewlett-Packard Company -> Hewlett-Packard Company)
R3 hpqilo3chif; C:\Windows\system32\DRIVERS\hpqilo3chif.sys [43800 2013-05-22] (Hewlett-Packard Company -> Hewlett-Packard Company)
R3 hpqilo3core; C:\Windows\System32\drivers\hpqilo3core.sys [47384 2013-05-22] (Hewlett-Packard Company -> Hewlett-Packard Company)
R0 hpqilo3whea; C:\Windows\System32\DRIVERS\hpqilo3whea.sys [18472 2010-02-12] (Hewlett-Packard -> Hewlett-Packard Company)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [222800 2023-12-26] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [239544 2023-06-12] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
S3 MpKslbc7bf929; C:\Windows\Temp\C1FE0CF2-BF7D-7120-435F-0ED2A466AE19\MpKslDrv.sys [54680 2023-12-26] (Microsoft Windows -> Microsoft Corporation)
R2 MsLbfoProvider; C:\Windows\system32\DRIVERS\MsLbfoProvider.sys [99840 2013-07-02] (Microsoft Windows -> Microsoft Corporation)
R3 msnfsflt; C:\Windows\System32\drivers\msnfsflt.sys [32256 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R3 Netft; C:\Windows\system32\DRIVERS\netft.sys [86528 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R3 NfsServer; C:\Windows\System32\drivers\nfssvr.sys [1252352 2023-04-15] (Microsoft Windows -> Microsoft Corporation)
R2 Portmap; C:\Windows\System32\drivers\portmap.sys [59392 2023-04-11] (Microsoft Windows -> Microsoft Corporation)
R0 ql2300; C:\Windows\System32\drivers\ql2300.sys [1498408 2013-03-07] (QLogic Corporation -> QLogic Corporation)
R2 ResumeKeyFilter; C:\Windows\system32\drivers\ResumeKeyFilter.sys [336112 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [94448 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R0 sdddsm; C:\Windows\System32\drivers\sdddsm.sys [241896 2017-06-22] (IBM India Pvt Ltd -> IBM Corporation)
R1 SRTSP; C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Data\SymPlatform\SRTSP64.SYS [996432 2023-06-20] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R1 SRTSPX; C:\Windows\System32\Drivers\SEP\0E0325D1\1B58.105\x64\SRTSPX64.SYS [44112 2023-06-20] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R0 SymEFASI; C:\Windows\System32\drivers\symefasi\0705020.03C\symefasi64.sys [2167304 2023-06-20] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
S0 SymELAM; C:\Windows\System32\Drivers\SEP\0E0325D1\1B58.105\x64\SymELAM.sys [27136 2023-06-20] (Microsoft Windows Early Launch Anti-malware Publisher -> Broadcom)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [100832 2023-06-20] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R3 SymEvnt; C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Data\SymPlatform\SymEvnt.sys [951264 2023-08-11] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R1 SymIRON; C:\Windows\System32\Drivers\SEP\0E0325D1\1B58.105\x64\Ironx64.SYS [297992 2023-06-20] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R0 VeeamVolumeCT; C:\Windows\System32\drivers\VeeamVolumeCT.sys [227216 2022-02-20] (Microsoft Windows Hardware Compatibility Publisher -> Veeam Software AG)
R0 VirtFile; C:\Windows\System32\DRIVERS\VirtFile.sys [383304 2020-12-22] (Veritas Technologies LLC -> Veritas Technologies LLC)
R2 vstor2-mntapi20-shared; C:\Windows\system32\DRIVERS\vstor2-x64.sys [52576 2021-03-03] (VMware, Inc. -> VMware, Inc.)
S3 wtlmdrv; C:\Windows\System32\drivers\wtlmdrv.sys [31232 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
S1 byghalnv; \??\C:\Windows\system32\drivers\byghalnv.sys [X]
S1 cvsofigq; \??\C:\Windows\system32\drivers\cvsofigq.sys [X]
S1 deftbkke; \??\C:\Windows\system32\drivers\deftbkke.sys [X]
S1 dwccxnns; \??\C:\Windows\system32\drivers\dwccxnns.sys [X]
S1 epoupsau; \??\C:\Windows\system32\drivers\epoupsau.sys [X]
S1 gwutsruh; \??\C:\Windows\system32\drivers\gwutsruh.sys [X]
S1 isutlwrp; \??\C:\Windows\system32\drivers\isutlwrp.sys [X]
S1 nvcrsrqw; \??\C:\Windows\system32\drivers\nvcrsrqw.sys [X]
S1 rlnzbdiz; \??\C:\Windows\system32\drivers\rlnzbdiz.sys [X]
U3 SymNetS; [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2023-12-26 11:15 - 2023-12-26 11:25 - 000000000 ____D C:\FRST
2023-12-26 11:01 - 2023-12-26 11:01 - 000000000 ____D C:\ClusterStorage

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2023-12-26 11:23 - 2014-01-20 10:36 - 000000000 ____D C:\TEMP
2023-12-26 11:18 - 2014-01-14 11:42 - 000000000 ____D C:\Windows\Cluster
2023-12-26 11:15 - 2023-06-12 11:55 - 000000000 ____D C:\Users\ex-super_user\AppData\Local\Malwarebytes
2023-12-26 11:05 - 2017-08-13 09:44 - 000000000 ____D C:\Windows\system32\Tasks\Symantec Endpoint Protection
2023-12-26 11:04 - 2017-10-29 00:09 - 000000031 _____ C:\BitlockerActiveMonitoringLogs
2023-12-26 11:04 - 2014-01-11 17:09 - 000000104 _____ C:\Windows\system32\config\netlogon.ftl
2023-12-26 11:02 - 2012-07-26 09:26 - 000262144 ___SH C:\Windows\system32\config\ELAM
2023-12-26 11:01 - 2012-07-26 12:04 - 000000000 ____D C:\Windows\system32\inetsrv
2023-12-26 10:59 - 2012-07-26 11:14 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2023-12-26 10:54 - 2012-07-26 09:26 - 000008192 ___SH C:\Windows\system32\config\BBI
2023-12-26 03:00 - 2014-01-11 15:00 - 000000000 ____D C:\Windows\system32\MRT
2023-12-11 16:00 - 2023-10-22 23:00 - 001048692 _____ C:\zabbix_agentd.log.old

==================== Files in the root of some directories ========

2015-08-07 08:42 - 2015-08-07 08:42 - 000007646 _____ () C:\Users\ex-super_user\AppData\Local\Resmon.ResmonCfg

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)


LastRegBack: 2023-12-24 03:00
==================== End of FRST.txt ========================

Edited by Oh My!, 28 December 2023 - 12:21 PM.


#2 Oh My!

Oh My!

    Adware and Spyware and Malware


  • Malware Response Instructor
  • 57,028 posts
  • Gender:Male
  • Location:California
  • Local time:07:58 PM

Posted 27 December 2023 - 06:28 PM

Greetings and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

===================================================

Ground Rules:
  • First, please keep in mind most of us at BleepingComputer volunteer our assistance for your benefit in your time of need. Please try to match our commitment to you with your patience toward us.
  • It is important to not run any tools or take any steps other than those I will provide for you.
  • Please perform all steps in the order they are listed. If things are not clear or you experience problems be sure to stop and let me know.
  • Please copy and paste all logs into your post unless otherwise requested.
  • When your computer is clean I will let you know, provide instructions to remove tools and reports, and offer you information about how you can combat future infections.
  • If you do not reply to your topic after 5 days I will assume it has been abandoned and I will close it.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and let me know.

We don't normally work on Servers but allow me some time to take a look at things.
Gary 

Lord, to whom shall we go? You have the words of eternal life. We have come to believe and to know that you are the Holy One of God.

John 6:68-69

#3 kpatel45

kpatel45
  • Topic Starter

  • Members
  • 35 posts
  • Local time:07:58 AM

Posted 28 December 2023 - 04:38 AM

Hello and thanks for your prompt response. Much grateful for the assistance being provided. I'm active daily so no worries there, I'll respond on a daily basis if need be. I tried pasting my logs in the post but they were too long, hence why I attached them as files. Kindly advise on the next step.

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 22-12-2023
Ran by ex-super_user (26-12-2023 11:26:32)
Running from C:\TEMP
Microsoft Windows Server 2012 Standard (X64) (2014-01-09 23:03:31)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================


(If an entry is included in the fixlist, it will be removed.)

CLIUSR (S-1-5-21-1365522570-4229012047-2779133919-1001 - Limited - Enabled)
goc1 (S-1-5-21-1365522570-4229012047-2779133919-500 - Administrator - Enabled) => C:\Users\Administrator
viewonly (S-1-5-21-1365522570-4229012047-2779133919-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Headless Server Registry Update (HKLM-x32\...\{4E5563B6-DE0A-4F3B-A5D6-15789FD12D9B}) (Version: 1.0.0.0 - Hewlett-Packard Company)
HP Insight Diagnostics Online Edition for Windows (HKLM\...\{DCEA910B-3269-4F5B-A915-D59293004751}) (Version: 9.50.1009 - Hewlett-Packard Development Company, L.P.)
HP Insight Management Agents (HKLM\...\{B2494189-21A9-4F7A-8F0E-D6F75CEDF2B3}) (Version: 9.40.0.0 - Hewlett-Packard Company)
HP Insight Management WBEM Providers (HKLM\...\{E4496CBA-EE2A-43AC-8F0A-D6B33CB598E2}) (Version: 9.4.0.0 - Hewlett-Packard Development Company, L.P.) Hidden
HP Insight Management WBEM Providers for Windows Server x64 Editions (HKLM\...\HP-{0D1A88D4-29D7-4ED4-8045-932D7205F589}) (Version: 9.4.0.0 - Hewlett-Packard Company)
HP Lights-Out Online Configuration Utility (HKLM\...\{B2B752DB-CF58-4845-8F5C-10E398D8491A}) (Version: 4.2.0.0 - Hewlett-Packard Development Company, L.P.)
HP ProLiant Health Monitor Service (X64) (HKLM\...\{CF2C042C-A75F-4948-8661-2A9FF01B75EB}) (Version: 3.9.0.0 - Hewlett-Packard Company) Hidden
HP ProLiant iLO 3 WHEA Driver (X64) (HKLM\...\{17B03C4D-F682-41CC-BEAC-1F7C6847E8CE}) (Version: 3.0.0.0 - Hewlett-Packard Company) Hidden
HP ProLiant iLO 3/4 Channel Interface Driver (HKLM\...\HP-{85171634-98E9-47E5-9E56-96BBC7FE1715}) (Version: 3.9.0.0 - Hewlett-Packard Company)
HP ProLiant iLO 3/4 Management Controller Package (HKLM\...\HP-{15EC9FFF-3B11-4F2A-92F8-F63F33F64B31}) (Version: 3.9.0.0 - Hewlett-Packard Company)
HP ProLiant iLO CHIF Driver (X64) (HKLM\...\{BEFED944-6FB2-4BE3-AC8A-5D763B5F070F}) (Version: 3.9.0.0 - Hewlett-Packard Company) Hidden
HP ProLiant iLO Core Driver (X64) (HKLM\...\{61947408-43A6-490E-AD0B-20CB4F1B19F8}) (Version: 3.9.0.0 - Hewlett-Packard Company) Hidden
HP ProLiant Integrated Management Log Viewer (HKLM\...\{1A533B2E-7336-4497-8061-E98803E3B2DF}) (Version: 6.5.0.0 - Hewlett-Packard Company)
HP Smart Array SAS/SATA Event Notification Service (HKLM\...\{6C0706F7-FCD1-4E13-BEB2-99C2DBC3C80D}) (Version: 6.34.0.64 - Hewlett-Packard Development Company, L.P.)
HP Smart Storage Administrator (HKLM\...\{2D97040F-3B62-4BDA-A779-72EA7EC42799}) (Version: 1.50.4.0 - Hewlett-Packard Development Company, L.P.)
HP Smart Storage Administrator CLI (HKLM\...\{FDA42EE0-E693-4B6D-8769-2FEDC7C544E2}) (Version: 1.50.4.0 - Hewlett-Packard Development Company, L.P.)
HP System Management Homepage (HKLM-x32\...\{3C4DF0FD-95CF-4F7B-A816-97CEF616948F}) (Version: 7.2.2 - Hewlett-Packard Development Company, L.P.)
IIS Advanced Logging 1.0 (HKLM\...\{58749A25-6D67-41A2-9B55-E4DD26B0676F}) (Version: 1.0.0625.10 - Microsoft Corporation)
IIS URL Rewrite Module 2 (HKLM\...\{9BCA2118-F753-4A1E-BCF3-5A820729965C}) (Version: 7.2.1993 - Microsoft Corporation)
LiveUpdate 3.3 (Symantec Corporation) (HKLM-x32\...\LiveUpdate) (Version: 3.3.0.92 - Symantec Corporation)
Malwarebytes version 4.6.6.294 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.6.6.294 - Malwarebytes)
Microsoft Exchange 2007 Enterprise Anti-spam Signatures (HKLM\...\{93FCFF43-49E2-4AE5-9AD4-0256878AB886}) (Version: 3.3.4604.600 - Microsoft Corporation) Hidden
Microsoft Exchange 2007 Enterprise Block List Updates (HKLM\...\{14F288C7-C695-40D5-971D-8890605C6040}) (Version: 3.3.4604.001 - Microsoft Corporation) Hidden
Microsoft Exchange 2007 Standard Anti-spam Filter Updates (HKLM\...\{C3F10D8C-BD70-4516-B2B4-BF6901980741}) (Version: 3.3.4604.600 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Amharic (Ethiopia) (HKLM\...\{DEDFFB64-42EC-4E26-005E-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Arabic (HKLM\...\{DEDFFB64-42EC-4E26-0401-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Basque (HKLM\...\{DEDFFB64-42EC-4E26-042D-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Bengali (India) (HKLM\...\{DEDFFB64-42EC-4E26-0445-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Bulgarian (HKLM\...\{DEDFFB64-42EC-4E26-0402-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Catalan (HKLM\...\{DEDFFB64-42EC-4E26-0403-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Chinese (Simplified) (HKLM\...\{DEDFFB64-42EC-4E26-0804-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Chinese (Traditional) (HKLM\...\{DEDFFB64-42EC-4E26-0404-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Croatian (HKLM\...\{DEDFFB64-42EC-4E26-041A-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Czech (HKLM\...\{DEDFFB64-42EC-4E26-0405-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Danish (HKLM\...\{DEDFFB64-42EC-4E26-0406-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Dutch (HKLM\...\{DEDFFB64-42EC-4E26-0413-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - English (HKLM\...\{DEDFFB64-42EC-4E26-0409-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Estonian (HKLM\...\{DEDFFB64-42EC-4E26-0425-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Filipino (Philippines) (HKLM\...\{DEDFFB64-42EC-4E26-0064-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Finnish (HKLM\...\{DEDFFB64-42EC-4E26-040B-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - French (HKLM\...\{DEDFFB64-42EC-4E26-040C-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Galician (HKLM\...\{DEDFFB64-42EC-4E26-0456-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - German (HKLM\...\{DEDFFB64-42EC-4E26-0407-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Greek (HKLM\...\{DEDFFB64-42EC-4E26-0408-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Gujarati (HKLM\...\{DEDFFB64-42EC-4E26-0447-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Hebrew (HKLM\...\{DEDFFB64-42EC-4E26-040D-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Hindi (HKLM\...\{DEDFFB64-42EC-4E26-0439-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Hungarian (HKLM\...\{DEDFFB64-42EC-4E26-040E-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Icelandic (HKLM\...\{DEDFFB64-42EC-4E26-040F-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Indonesian (HKLM\...\{DEDFFB64-42EC-4E26-0421-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Italian (HKLM\...\{DEDFFB64-42EC-4E26-0410-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Japanese (HKLM\...\{DEDFFB64-42EC-4E26-0411-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Kannada (HKLM\...\{DEDFFB64-42EC-4E26-044B-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Kazakh (HKLM\...\{DEDFFB64-42EC-4E26-043F-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Kiswahili (HKLM\...\{DEDFFB64-42EC-4E26-0441-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Korean (HKLM\...\{DEDFFB64-42EC-4E26-0412-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Latvian (HKLM\...\{DEDFFB64-42EC-4E26-0426-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Lithuanian (HKLM\...\{DEDFFB64-42EC-4E26-0427-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Malay (HKLM\...\{DEDFFB64-42EC-4E26-043E-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Malayalam (India) (HKLM\...\{DEDFFB64-42EC-4E26-004C-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Marathi (HKLM\...\{DEDFFB64-42EC-4E26-044E-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Norwegian (HKLM\...\{DEDFFB64-42EC-4E26-0414-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Norwegian, Nynorsk (Norway) (HKLM\...\{DEDFFB64-42EC-4E26-0814-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Oriya (India) (HKLM\...\{DEDFFB64-42EC-4E26-0048-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Persian (HKLM\...\{DEDFFB64-42EC-4E26-0429-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Polish (HKLM\...\{DEDFFB64-42EC-4E26-0415-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Portuguese (HKLM\...\{DEDFFB64-42EC-4E26-0416-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Portuguese (Portugal) (HKLM\...\{DEDFFB64-42EC-4E26-0816-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Romanian (HKLM\...\{DEDFFB64-42EC-4E26-0418-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Russian (HKLM\...\{DEDFFB64-42EC-4E26-0419-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Serbian (Cyrillic, Serbia) (HKLM\...\{DEDFFB64-42EC-4E26-7C1A-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Serbian (HKLM\...\{DEDFFB64-42EC-4E26-081A-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Slovak (HKLM\...\{DEDFFB64-42EC-4E26-041B-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Slovenian (HKLM\...\{DEDFFB64-42EC-4E26-0424-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Spanish (HKLM\...\{DEDFFB64-42EC-4E26-0C0A-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Swedish (HKLM\...\{DEDFFB64-42EC-4E26-041D-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Tamil (HKLM\...\{DEDFFB64-42EC-4E26-0449-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Telugu (HKLM\...\{DEDFFB64-42EC-4E26-044A-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Thai (HKLM\...\{DEDFFB64-42EC-4E26-041E-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Turkish (HKLM\...\{DEDFFB64-42EC-4E26-041F-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Ukrainian (HKLM\...\{DEDFFB64-42EC-4E26-0422-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Urdu (HKLM\...\{DEDFFB64-42EC-4E26-0420-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Vietnamese (HKLM\...\{DEDFFB64-42EC-4E26-042A-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Welsh (United Kingdom) (HKLM\...\{DEDFFB64-42EC-4E26-0052-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server (HKLM\...\{4934D1EA-BE46-48B1-8847-F1AF20E892C1}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server 2013 Cumulative Update 23 (HKLM\...\Microsoft Exchange v15) (Version: 15.0.1497.2 - Microsoft Corporation)
Microsoft Exchange Server Language Pack - Chinese (Simplified) (HKLM\...\{521E6064-B4B1-4CBC-0804-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Chinese (Traditional) (HKLM\...\{521E6064-B4B1-4CBC-0404-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - English (HKLM\...\{521E6064-B4B1-4CBC-0409-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - French (HKLM\...\{521E6064-B4B1-4CBC-040C-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - German (HKLM\...\{521E6064-B4B1-4CBC-0407-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Italian (HKLM\...\{521E6064-B4B1-4CBC-0410-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Japanese (HKLM\...\{521E6064-B4B1-4CBC-0411-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Korean (HKLM\...\{521E6064-B4B1-4CBC-0412-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Portuguese (HKLM\...\{521E6064-B4B1-4CBC-0416-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Russian (HKLM\...\{521E6064-B4B1-4CBC-0419-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Spanish (HKLM\...\{521E6064-B4B1-4CBC-0C0A-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Speech - (en-US) (HKLM\...\{CEF60964-21AE-47E0-93C6-611AA8941B7F}) (Version: 15.0.1497.0 - Microsoft Corporation) Hidden
Microsoft Filter Pack 2.0 (HKLM\...\{95140000-2000-0409-1000-0000000FF1CE}) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Lync Server 2013, Bootstrapper Prerequisites Installer Package (HKLM\...\{F582C996-9276-48C2-9878-546C9B164856}) (Version: 5.0.8308.0 - Microsoft Corporation)
Microsoft Monitoring Agent (HKLM\...\{786970C5-E6F6-4A41-B238-AE25D4B91EEA}) (Version: 7.1.10184.0 - Microsoft Corporation)
Microsoft RAP as a Service Client Package (HKLM-x32\...\{2ce313ae-4688-455b-ae6b-1172a583c20a}) (Version: 1.0.0.0 - Microsoft)
Microsoft Server Speech Platform Runtime (x64) (HKLM\...\{3B433087-E62E-4BF5-97F9-4AF6E1C2409C}) (Version: 11.0.7400.345 - Microsoft Corporation)
Microsoft Server Speech Recognition Language - TELE (ca-ES) (HKLM-x32\...\{55D56947-B976-4E27-822B-E87FEFFB35F2}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (da-DK) (HKLM-x32\...\{18B4B2E0-6A0D-4BAC-99EB-843F2C290E07}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (de-DE) (HKLM-x32\...\{955F43D9-38C4-4C22-BEE3-1A6C63F968FA}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (en-AU) (HKLM-x32\...\{FA19A2B8-9A24-49B0-A51C-CF4A6B4B2B62}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (en-CA) (HKLM-x32\...\{0C96ED3F-83E2-4917-89DC-7837DC775FEC}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (en-GB) (HKLM-x32\...\{E0D13850-F97C-4B30-9F05-862299CE8DA5}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (en-IN) (HKLM-x32\...\{3B06AC90-DE68-44A9-95EB-0A3C1AF1514F}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (en-US) (HKLM-x32\...\{66D57636-BD4B-402F-9E7D-5E89C28C8136}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (es-ES) (HKLM-x32\...\{5D4A25B6-3A4E-409B-90FA-EDE99E2006B4}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (es-MX) (HKLM-x32\...\{BE94188A-CA4F-4AC7-A1B3-52D37882C30D}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (fi-FI) (HKLM-x32\...\{E3B7DBC7-7551-4E61-9B0D-FE660CFFC4FC}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (fr-CA) (HKLM-x32\...\{58DE670F-4977-4A23-9D2E-8C82A2072920}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (fr-FR) (HKLM-x32\...\{4D2DDB98-1FE6-4CFE-BCFD-EFE27FF24FAE}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (it-IT) (HKLM-x32\...\{9267D7E7-5872-4CB1-B4E3-377F4CA272D0}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (ja-JP) (HKLM-x32\...\{A06F3EA5-7C55-4505-8982-534BA05F49BE}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (ko-KR) (HKLM-x32\...\{1D8F6891-9B7F-4F08-A54E-C568D8C33276}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (nb-NO) (HKLM-x32\...\{49B7E67F-5E62-4988-A4F4-6C54B9E814EB}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (nl-NL) (HKLM-x32\...\{2CBAB07E-4865-40F0-9D6A-EFA350420166}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (pl-PL) (HKLM-x32\...\{BEFB9378-5E88-4266-8EB1-C92869449885}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (pt-BR) (HKLM-x32\...\{F6B5EB21-0ABF-487C-B9A9-D9DB259C4403}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (pt-PT) (HKLM-x32\...\{DAFE30C6-C638-4505-9372-2ECD1A1B317C}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (ru-RU) (HKLM-x32\...\{9419B7EA-6A4B-4A57-8E2A-3BDD4676118F}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (sv-SE) (HKLM-x32\...\{12C43D71-15A1-4F83-9D4D-E3134AE6FFD6}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (zh-CN) (HKLM-x32\...\{BAD2A75A-1708-47BA-A498-20890D2C78A7}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (zh-HK) (HKLM-x32\...\{6BAA03F9-B2E5-40EB-8871-703FF0046E9D}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (zh-TW) (HKLM-x32\...\{28292B72-CF8A-4915-A5F5-07FF1E44C6F5}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TRANS (en-US) (HKLM-x32\...\{B07DA010-66CF-40A7-908F-F6482219C57F}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Text to Speech Voice (en-US, Helen) (HKLM-x32\...\{8466EAED-7024-4AEE-9D13-F3A55B98D114}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Speech Platform VXML Runtime (x64) (HKLM\...\{C82C698A-A0B7-412D-9396-31FB1A6AA45C}) (Version: 11.0.7400.345 - Microsoft Corporation)
Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit (HKLM\...\{ED98ABF5-B6BF-47ED-92AB-1CDCAB964447}) (Version: 5.0.8308.0 - Microsoft Corporation) Hidden
Microsoft Unified Communications Managed API 4.0, Runtime (HKLM\...\{41D635FE-4F9D-47F7-8230-9B29D6D42D31}) (Version: 5.0.8308.0 - Microsoft Corporation) Hidden
Microsoft Unified Communications Managed API 4.0, Runtime (HKLM\...\UCMA4) (Version: 5.0.8308.0 - Microsoft Corporation)
Microsoft Unified Communications Managed API 4.0, SSP Runtime (HKLM\...\{A41CBE7D-949C-41DD-9869-ABBD99D753DA}) (Version: 5.0.8308.0 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.50727 (HKLM\...\{AC53FC8B-EE18-3F9C-9B59-60937D0B182C}) (Version: 11.0.50727 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.50727 (HKLM\...\{A2CB1ACB-94A2-32BA-A15E-7D80319F7589}) (Version: 11.0.50727 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (HKLM\...\{929FBD26-9020-399B-9A7A-751D61F0B942}) (Version: 12.0.21005 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (HKLM\...\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}) (Version: 12.0.21005 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.27.29016 (HKLM-x32\...\{40d3fee2-b257-46c2-bdc0-cb1088d97327}) (Version: 14.27.29016.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.27.29016 (HKLM-x32\...\{1aaa01ad-3069-4288-9c6f-37a140a8f6c7}) (Version: 14.27.29016.0 - Microsoft Corporation)
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.27.29016 (HKLM\...\{F07B1E25-5670-4556-9C7F-5A1966C83269}) (Version: 14.27.29016 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.27.29016 (HKLM\...\{E493B8F4-E300-43EC-95D0-BDF3711297EA}) (Version: 14.27.29016 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.27.29016 (HKLM-x32\...\{5CD4E357-9ED6-42AC-B654-F1FC21DD60C9}) (Version: 14.27.29016 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.27.29016 (HKLM-x32\...\{E2C131AD-D30F-4D67-ACE9-B3D485E84DA8}) (Version: 14.27.29016 - Microsoft Corporation) Hidden
PFA Server Registry Update (HKLM-x32\...\{173438F5-BD4D-47AE-9C8F-73E6BAA62624}) (Version: 1.0.0.0 - Hewlett-Packard Company)
RAP as a Service Client (HKLM-x32\...\{A2C2B1ED-F61E-4577-B7C3-ECF99CAF906A}) (Version: 2.0.40905.0 - Microsoft Corporation) Hidden
Subsystem Device Driver DSM (HKLM\...\Subsystem Device Driver DSM) (Version: - )
Symantec Endpoint Protection (HKLM\...\{034F3EDA-2F36-414D-906F-9B7B7EBA4E68}) (Version: 14.3.9681.7000 - Broadcom)
TreeSize Free V4.5.3 (HKLM-x32\...\TreeSize Free_is1) (Version: 4.5.3 - JAM Software)
Veeam Agent for Microsoft Windows (HKLM\...\{7796202E-3320-41ED-9A2C-14613AEED3D3}) (Version: 5.0.3.4708 - Veeam Software Group GmbH)
Veeam CBT Driver (HKLM\...\VeeamCBTDriver) (Version: 10.0.0.5015 - Veeam Software Group GmbH)
Veeam Installer Service (HKLM-x32\...\VeeamDeployerService) (Version: 11.0.1.1261 - Veeam Software Group GmbH)
Veritas NetBackup Client (HKLM\...\{A34B3E34-4E84-4CB9-8D6B-0EB4467DC789}) (Version: 9.1 - Veritas Technologies LLC) Hidden
Veritas NetBackup Client (HKLM\...\Veritas NetBackup Client) (Version: 9.1 - Veritas Technologies LLC)

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ShellIconOverlayIdentifiers: [NFSShares] -> {04EA2470-913A-11D2-8CB8-0000F8083420} => C:\Windows\System32\nfssprop.dll [2012-07-26] (Microsoft Windows -> Microsoft Corporation)
ContextMenuHandlers1: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\vpshell2.dll [2023-06-20] (Symantec Corporation -> Broadcom)
ContextMenuHandlers2: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\vpshell2.dll [2023-06-20] (Symantec Corporation -> Broadcom)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2023-06-12] (Malwarebytes Inc. -> Malwarebytes)
ContextMenuHandlers6: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\vpshell2.dll [2023-06-20] (Symantec Corporation -> Broadcom)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2023-06-12] (Malwarebytes Inc. -> Malwarebytes)

==================== Codecs (Whitelisted) ====================

==================== Shortcuts & WMI ========================

==================== Loaded Modules (Whitelisted) =============

2014-01-11 16:39 - 2013-07-10 15:44 - 001613312 _____ () [File not signed] C:\hp\hpsmh\bin\libxml2.dll
2014-01-11 16:39 - 2013-07-10 15:44 - 001613312 _____ () [File not signed] C:\hp\hpsmh\modules\libxml2.dll
2014-01-11 16:39 - 2013-07-10 15:44 - 000072704 _____ () [File not signed] C:\hp\hpsmh\modules\zlib1.dll
2013-06-28 00:01 - 2013-06-28 00:01 - 000041472 _____ () [File not signed] C:\Program Files\HPWBEM\Storage\Service\CPQMDISK.dll
2013-06-28 00:01 - 2013-06-28 00:01 - 000057856 _____ () [File not signed] C:\Program Files\HPWBEM\Storage\Service\CPQMSCSI.DLL
2013-06-28 00:01 - 2013-06-28 00:01 - 000055296 _____ () [File not signed] C:\Program Files\HPWBEM\Storage\Service\CPQSAS.DLL
2013-06-28 00:01 - 2013-06-28 00:01 - 000032768 _____ () [File not signed] C:\Program Files\HPWBEM\Storage\Service\CQMGSTOR.dll
2013-06-28 00:01 - 2013-06-28 00:01 - 000029696 _____ () [File not signed] C:\Program Files\HPWBEM\Storage\Service\cqstrutl.dll
2013-06-21 03:33 - 2013-06-21 03:33 - 000115200 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQFCA.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000044544 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQIDE.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000050176 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQISCSI.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000041472 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQMDISK.dll
2013-06-21 03:33 - 2013-06-21 03:33 - 000106496 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQMIDA.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000057856 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQMSCSI.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000055808 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQSAS.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000032768 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CQMGSTOR.dll
2013-06-21 03:33 - 2013-06-21 03:33 - 000026112 _____ () [File not signed] C:\Windows\system32\CpqMgmt\CqmgStor\iscsimib.dll
2013-06-21 03:33 - 2013-06-21 03:33 - 000030720 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\STORALRT.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000224256 _____ () [File not signed] C:\Windows\system32\CpqMgmt\Cqmgstor\stormib.dll
2013-06-21 03:33 - 2013-06-21 03:33 - 000007168 _____ () [File not signed] C:\Windows\system32\cpqmgmt\cqmgstor\storsnmp.dll
2013-07-12 10:32 - 2013-07-12 10:32 - 000048640 _____ () [File not signed] C:\Windows\system32\CpqNiMgt\CPQNIMIB.DLL
2013-07-12 10:32 - 2013-07-12 10:32 - 000018432 _____ () [File not signed] C:\Windows\system32\cpqnimgt\cqnisnmp.dll
2013-07-12 10:32 - 2013-07-12 10:32 - 000025088 _____ () [File not signed] C:\Windows\system32\CpqNiMgt\NICMIB.DLL
2013-07-12 10:33 - 2013-07-12 10:33 - 000246784 _____ () [File not signed] C:\Windows\system32\cpqnimgt\w2kmgdll.dll
2013-06-21 03:33 - 2013-06-21 03:33 - 000030720 _____ () [File not signed] C:\Windows\SYSTEM32\cqstrutl.dll
2014-01-11 16:39 - 2013-07-10 15:37 - 000175104 _____ (Apache Software Foundation) [File not signed] C:\hp\hpsmh\bin\libapr-1.dll
2014-01-11 16:39 - 2013-07-10 15:37 - 000035328 _____ (Apache Software Foundation) [File not signed] C:\hp\hpsmh\bin\libapriconv-1.dll
2014-01-11 16:39 - 2013-07-10 15:37 - 000240128 _____ (Apache Software Foundation) [File not signed] C:\hp\hpsmh\bin\libaprutil-1.dll
2014-01-11 16:39 - 2013-07-10 15:44 - 000894464 _____ (Free Software Foundation) [File not signed] C:\hp\hpsmh\bin\iconv.dll
2014-01-11 16:39 - 2013-07-10 15:44 - 000894464 _____ (Free Software Foundation) [File not signed] C:\hp\hpsmh\modules\iconv.dll
2014-01-11 16:39 - 2013-07-10 15:38 - 000483840 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\bin\libhttpd.dll
2014-01-11 16:39 - 2013-07-10 15:38 - 000012800 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_access_compat.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000014848 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_alias.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000019968 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_authz_core.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000012288 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_authz_host.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000008704 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_authz_user.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000022528 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_cgi.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000012288 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_dir.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000009728 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_env.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000018944 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_headers.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000018432 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_imagemap.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000027136 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_log_config.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000019968 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_mime.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000034304 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_negotiation.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000085504 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_proxy.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000015872 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_proxy_connect.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000036864 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_proxy_http.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000060928 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_rewrite.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000013824 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_setenvif.so
2014-01-11 16:39 - 2013-07-10 15:47 - 000109056 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_smh_aa.so
2014-01-11 16:39 - 2013-07-10 15:47 - 000065536 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_smh_bc.so
2014-01-11 16:39 - 2013-07-10 15:47 - 000159744 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_smh_config.so
2014-01-11 16:39 - 2013-07-10 15:47 - 000135680 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_smh_help.so
2014-01-11 16:39 - 2013-07-10 15:47 - 000063488 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_smh_pkcs.so
2014-01-11 16:39 - 2013-07-10 15:47 - 000041984 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_smh_ui.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000020992 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_socache_shmcb.so
2014-01-11 16:39 - 2013-07-10 15:43 - 000166912 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_ssl.so
2019-05-29 01:02 - 2019-05-29 01:02 - 000270536 _____ (Microsoft Corporation -> Microsoft Corporation) [File not signed] C:\Program Files\Microsoft\Exchange Server\V15\Bin\osafehtm.dll
2023-03-16 01:50 - 2023-03-16 01:50 - 005302272 _____ (Microsoft) [File not signed] C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0ef69a75#\023b11063fcc191a4764fc2752b2acd3\Microsoft.Search.Platform.Parallax.ni.dll
2014-01-11 16:39 - 2013-07-10 15:46 - 000314880 _____ (The cURL library, hxxp://curl.haxx.se/) [File not signed] C:\hp\hpsmh\modules\libcurl.dll
2014-01-11 16:39 - 2013-07-10 15:40 - 001798656 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\hp\hpsmh\bin\LIBEAY32.dll
2014-01-11 16:39 - 2013-07-10 15:40 - 000366592 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\hp\hpsmh\bin\SSLEAY32.dll
2014-01-11 16:39 - 2013-07-10 15:52 - 009109504 _____ (The PHP Group) [File not signed] C:\hp\hpsmh\bin\php5ts.dll
2014-01-11 16:39 - 2013-07-10 15:53 - 001076224 _____ (The PHP Group) [File not signed] C:\hp\hpsmh\modules\php_mbstring.DLL
2014-01-11 16:39 - 2013-07-10 15:53 - 000034304 _____ (The PHP Group) [File not signed] C:\hp\hpsmh\modules\php5apache2.so

==================== Alternate Data Streams (Whitelisted) ========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ClusterStorage:{db19d832-b034-46ed-a6c5-61e0ebe370d1} [0]

==================== Safe Mode (Whitelisted) ==================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{1275C540-B92D-406A-B595-68C2B266A9A8}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{5CA4F88D-67B7-46CE-9653-5A17519F66F0}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{6B7A2D6B-C77F-4C11-8B70-2CD28AD687A6}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{BEC9211B-09AC-4B5B-9D31-561ADFF81A33}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{EBA0DEA8-AC55-458F-9726-2388EB4D982B}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SepMasterService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"

==================== Association (Whitelisted) =================

==================== Internet Explorer (Whitelisted) ==========

HKU\S-1-5-21-1365522570-4229012047-2779133919-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
HKU\S-1-5-21-3412390019-1648271104-2333346583-17206\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-07-26 09:26 - 2023-07-31 00:12 - 000001064 _____ C:\Windows\system32\drivers\etc\hosts
192.168.7.8 netbackup
192.168.7.8 netbackup.gov.mu
192.168.6.80 ecp.govmu.org
192.168.7.53 backupsvr
127.0.0.1 mail.govmu.org
192.168.6.50 GOC-EX13-SVR01.goc.ncb
192.168.6.50 GOC-EX13-SVR01

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKLM\System\CurrentControlSet\Control\Session Manager\Environment\\Path -> ; ;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft\Exchange Server\V15\bin;C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Native\
HKU\S-1-5-21-1365522570-4229012047-2779133919-500\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
HKU\S-1-5-21-3412390019-1648271104-2333346583-17206\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 192.168.2.40 - 192.168.2.41
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 0) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Off)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost => (EnableWebContentEvaluation: 0)
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC] => (Allow) C:\Windows\system32\scshost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC-EndPointMapper] => (Allow) C:\Windows\system32\scshost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [ComPlusRemoteAdministration-DCOM-In] => (Allow) C:\Windows\system32\dllhost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{A2CCFE80-3004-4D1F-B59C-69703E375A1B}] => (Allow) LPort=443
FirewallRules: [{ED70E132-AC43-4C5E-8536-DAA138AF8F3F}] => (Allow) LPort=RPC
FirewallRules: [{D42578C4-153E-4022-A569-B815FB0B1633}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.Topologyservice.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{AD6B3971-5DD3-412F-90C3-CEE969CAC935}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{57FFD6A2-5E32-4E65-A2F9-96DFBBCDC75E}] => (Allow) C:\Windows\system32\inetsrv\inetinfo.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{F779260D-1905-4B3D-BAAE-3F1EC35D0659}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{5BCF7254-AE77-4EFD-BE6B-0250073914F2}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{B5D9E7B9-D002-4A09-8591-AE7AB28A82E5}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{6244BDDB-9609-455B-9587-48F909C41F17}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{46E23EA3-714E-4E82-9A65-EA41E3DAB187}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{140688E3-F0B9-4831-AA87-13C204FEDF4F}] => (Allow) LPort=587
FirewallRules: [{02E8C397-B24E-4747-A69F-2E118805D154}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.ServiceHost.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{46AB5D8A-3915-4F22-9E76-CFEC2C1AB69D}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{659FD464-FBCB-486F-8A31-B0229032C750}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{7151732B-9863-4238-8D43-2F4D6913BC8F}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.ServiceHost.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{F5E200A2-6654-491A-99A7-9488ECB30363}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.ServiceHost.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{03BA6FF9-701C-46F5-89D4-6BCB8278AF2C}] => (Allow) LPort=80
FirewallRules: [{757FB906-7A95-4446-88EA-8B9CC119F8E9}] => (Allow) LPort=80
FirewallRules: [{CB9BB596-8479-4073-8D75-CAB56E3DDB8E}] => (Allow) LPort=443
FirewallRules: [{4D1BD810-0186-4F4F-8DE8-D050EAB521DF}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{3887FF94-A06B-4767-9770-395D63BDE299}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{47EF1C9D-589E-409F-96E4-A84286CF922A}] => (Allow) LPort=9955
FirewallRules: [{09917463-5B36-412C-B64E-F64C609C91B9}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{5774B08D-5563-4A58-B778-697595E49C34}] => (Allow) LPort=5077
FirewallRules: [{88E71246-80CF-44EB-A374-BA82F1ECE903}] => (Allow) LPort=808
FirewallRules: [{8E7D35D2-3D3F-4D72-AFAD-24319E4633B2}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{DBF0764A-DE51-4092-8BB6-5993A1DC69C5}] => (Allow) C:\Windows\system32\inetsrv\w3wp.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{79D50BD6-B118-4D2F-9A33-ABDFFA19E5EB}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{F7D083A4-E78A-42D4-AFCC-CC05E3F7EC99}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{0DE9DEC2-4366-4475-9F7C-7915FC9071EF}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{BF2848A8-B99A-46B4-AE85-59009495E6E5}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{E63BF98D-026B-4BCC-A7E4-508A6E49C5A7}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{0C19B50B-53EA-4932-A1BB-0C8C1DED4527}] => (Allow) LPort=5063
FirewallRules: [{2E49034A-FA66-4D19-8323-C5BF7326B39A}] => (Allow) LPort=5068
FirewallRules: [{5F3634D0-8665-4EA3-B717-10974D20194F}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{E680BB2B-BEFE-4C8E-8010-1DBF19D80997}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{9B3C643D-34CA-4833-97AE-8674659394AC}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{1548C0ED-A5CD-4CB5-BADB-8D27589D8C8C}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{2E45E4B8-C6A5-409F-ACE3-6D988A9C465F}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{748511E7-65AD-4641-8475-242A50B83FED}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangemigration.exe => No File
FirewallRules: [{3CBB770C-C76A-4A8D-8414-D1A9EB0C9C08}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangemigration.exe => No File
FirewallRules: [{F6F4E443-8D4B-4BE9-9313-539EDAF179D2}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{4194C992-3445-4378-B70D-146779E6B100}] => (Allow) LPort=444
FirewallRules: [{55BC27AF-401A-4469-9158-97256C4F6D37}] => (Allow) LPort=64327
FirewallRules: [{C4036C1B-9773-49E5-ACAE-43E859E99FE8}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{9ED8E544-3892-4387-9747-B4B39ADB0262}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{875075B8-45AC-45AA-8A55-5A93C5E2D032}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{22DBFBCE-2677-48D2-901F-169755E5EBD9}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{5FE1067D-2082-4A2D-9F09-755BD8D3A842}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{129592E1-763B-4317-9E03-DE51F0373A7E}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{C8AF02E2-9131-4B9C-AF8D-F186C7049BE5}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{CADA475D-E46E-496F-985F-606831A89A77}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{E79815E9-A1A9-419F-9B5E-3F76CCE20505}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{81442800-7345-4E0D-B8EF-9559D414573F}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Worker.exe => No File
FirewallRules: [{1EFF9EB1-2DA2-44E7-A35B-ADACBFB74207}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{D2B0387D-45ED-4E97-AC5E-CA006D654136}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{2F7736FF-C87C-40A7-BF74-3E2FF28C64CE}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{36FF1C14-E793-4197-AD99-51FC068CA593}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{F680402B-1388-4BCE-BF82-796226A624B9}] => (Allow) LPort=5061
FirewallRules: [{5E44A848-CB5C-494E-A0B6-1D471FF004C0}] => (Allow) LPort=139
FirewallRules: [{33319BCD-801C-4C93-A595-CF49F6EC3768}] => (Allow) LPort=993
FirewallRules: [FailoverClustering-ClusSvc-TCP-In] => (Allow) C:\Windows\cluster\clussvc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [FailoverClustering-ClusSvc-TCP-Out] => (Allow) C:\Windows\cluster\clussvc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [FailoverClustering-ClusSvcRPC-TCP-In] => (Allow) C:\Windows\cluster\clussvc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [FailoverCluster-CPREPSRV-TCP-In] => (Allow) C:\Windows\system32\cprepsrv.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [FailoverCluster-FCSRV-TCP-In] => (Allow) C:\Windows\system32\fcsrv.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{8D49C1D2-0AA4-4E09-82E5-66C71B329DB6}] => (Allow) LPort=808
FirewallRules: [{DB4DF9C9-8671-429D-A814-A0729840EDBF}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{2D85085F-0B66-47F0-8673-910E60B43EBD}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{FF438642-A66E-47FF-908A-534557F2FDF0}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Worker.exe => No File
FirewallRules: [Microsoft-Windows-NFS-ServerCore-NfsSvc-NFS-UDP-In] => (Allow) LPort=2049
FirewallRules: [Microsoft-Windows-NFS-ServerCore-NfsSvc-NFS-TCP-In] => (Allow) LPort=2049
FirewallRules: [Microsoft-Windows-NFS-OpenPortMapper-Portmap-UDP-In] => (Allow) LPort=111
FirewallRules: [Microsoft-Windows-NFS-OpenPortMapper-Portmap-TCP-In] => (Allow) LPort=111
FirewallRules: [{79ADD138-4978-42CD-8DE7-9BE071C0131F}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{0523766E-B498-4EC9-B0C6-8F28EB1EF4B8}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Worker.exe => No File
FirewallRules: [{9A43FAC6-7B3C-491C-A9F4-77A05CD1A014}] => (Allow) LPort=10050
FirewallRules: [{8B6807AA-2204-4AFC-A798-86A487AF1E80}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{8145C7B5-19C4-449C-8737-99C186F73AA9}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Worker.exe => No File
FirewallRules: [{D9DB26C0-5D6E-4531-AAFA-B7130746A7EB}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMService.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{559F0538-319C-4360-968A-A571E1E3DDF8}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{B4BCB5ED-FAAA-48E6-9842-5EB6A7920FE9}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Worker.exe => No File
FirewallRules: [{1895413C-B03A-4E28-A34F-04DD4B750B35}] => (Allow) C:\Windows\Veeam\Backup\VeeamDeploymentSvc.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{AE51BF15-72FC-44AF-A395-CA1D6648133A}] => (Allow) C:\Windows\Veeam\Backup\VeeamDeploymentSvc.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{40EFAF0A-B64E-4BDF-ADDF-0E492ACF371F}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Recovery.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{DF0CE3C5-623A-4503-95FF-F21CE915DC2B}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Service.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{EC47FF57-BA9D-41E2-BB6A-FA4A702FC60B}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Service.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{F435E95A-61FE-4B14-9640-9FB07164750E}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\x64\VeeamAgent.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{FF8C5504-55AC-42E2-B99C-93F462805D13}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\x64\VeeamAgent.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{806C43F6-FE03-484D-946C-135F07FAF10B}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\x86\VeeamAgent.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{54D3E2B2-96E8-4895-A3CC-A2CC4819B153}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\x86\VeeamAgent.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{8080CB13-DE5C-40F2-BB2C-A9AC4ACCE17A}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\VeeamDeploymentSvc.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{5A430A70-1FEB-40A8-8B56-634F8CF49945}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\VeeamDeploymentSvc.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{FBB9C05C-71D6-4B21-A91C-59F40E41A64F}] => (Allow) C:\Program Files\Veritas\NetBackup\bin\nbwin.exe (Veritas Technologies LLC -> Veritas Technologies LLC)
FirewallRules: [{8B5AD3A0-4109-4448-88CB-363F24A527E1}] => (Allow) C:\Program Files\Veritas\NetBackup\bin\nbwin.exe (Veritas Technologies LLC -> Veritas Technologies LLC)
FirewallRules: [{7FF8343D-69F4-4010-8958-260D35431E4E}] => (Allow) C:\Program Files\Veritas\NetBackup\bin\tracker.exe (Veritas Technologies LLC -> Veritas Technologies LLC)
FirewallRules: [{FD330AF1-52EF-43CD-8055-1C8797C117A0}] => (Allow) C:\Program Files\Veritas\NetBackup\bin\tracker.exe (Veritas Technologies LLC -> Veritas Technologies LLC)
FirewallRules: [{C48451FC-6140-4415-A54D-95B11F89D8F1}] => (Allow) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\ccSvcHst.exe (Symantec Corporation -> Broadcom)
FirewallRules: [{62A77899-F09F-437E-914B-C6BFFB87ADEF}] => (Allow) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\ccSvcHst.exe (Symantec Corporation -> Broadcom)
FirewallRules: [{255E213E-3F47-40F8-9459-341628F332D8}] => (Allow) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\snac64.exe (Symantec Corporation -> Broadcom)
FirewallRules: [{66AC1B0F-9C87-46D7-A7E9-1064E5F2C06A}] => (Allow) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\snac64.exe (Symantec Corporation -> Broadcom)

==================== Restore Points =========================

ATTENTION: System Restore is disabled (Total:279.36 GB) (Free:59.31 GB) (21%)
Check "VSS" service


==================== Faulty Device Manager Devices ============

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #2
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #3
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #4
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #7
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #8
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #9
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #10
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #11
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #12
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: ========================

Application errors:
==================
Error: (12/26/2023 11:32:34 AM) (Source: MSExchange Common) (EventID: 106) (User: )
Description: Performance counter updating error. Counter name is Time in Resource per second, category name is MSExchange Activity Context Resources. Optional code: 2. Exception: The exception thrown is : System.InvalidOperationException: Instance 'ad-powershell-defaultdomain' already exists with a lifetime of Process. It cannot be recreated or reused until it has been removed or until the process using it has exited.
at System.Diagnostics.SharedPerformanceCounter.FindInstance(Int32 instanceNameHashCode, String instanceName, CategoryEntry* categoryPointer, InstanceEntry** returnInstancePointerReference, Boolean activateUnusedInstances, PerformanceCounterInstanceLifetime lifetime, Boolean& foundFreeInstance)
at System.Diagnostics.SharedPerformanceCounter.GetCounter(String counterName, String instanceName, Boolean enableReuse, PerformanceCounterInstanceLifetime lifetime)
at System.Diagnostics.SharedPerformanceCounter..ctor(String catName, String counterName, String instanceName, PerformanceCounterInstanceLifetime lifetime)
at System.Diagnostics.PerformanceCounter.InitializeImpl()
at System.Diagnostics.PerformanceCounter.get_RawValue()
at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.get_RawValue()
Last worker process info : System.ArgumentException: Process with an Id of 26336 is not running.
at System.Diagnostics.Process.GetProcessById(Int32 processId, String machineName)
at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
Processes running while Performance counter failed to update:
1292 svchost
1720 bpcd
3444 rotatelogs
37488 ParserServer
4300 noderunner
31340 powershell
17352 Microsoft.Exchange.Imap4
4724 noderunner
28424 w3wp
9888 MSExchangeDagMgmt
836 svchost
17844 Microsoft.Exchange.Store.Worker
13332 bpinetd
27124 w3wp
3412 noderunner
3840 sftracing
16768 cmd
820 csrss
3404 ProLiantMonitor
13744 clussvc
39168 powershell
5092 conhost
10720 conhost
13304 umservice
4252 conhost
3388 svchost
27952 w3wp
39868 Microsoft.Exchange.Pop3
27948 w3wp
10704 Microsoft.Exchange.Imap4
1652 svchost
33976 mbamtray
4236 cmd
6188 cqmgstor
2828 MSExchangeHMHost
18744 ParserServer
31380 svchost
8536 conhost
11552 Microsoft.Exchange.ServiceHost
2496 Microsoft.Exchange.Diagnostics.Service
4916 noderunner
30076 w3wp
17572 Microsoft.Exchange.Store.Worker
8520 MSExchangeHMWorker
6364 MBAMService
9376 VeeamDeploymentSvc
10668 Microsoft.Exchange.Imap4Service
4632 hpsmhd
2476 mqsvc
9320 vnetd
19704 ccSvcHst
2032 hostcontrollerservice
11080 MSExchangeSubmission
14080 MSExchangeTransport
2440 inetinfo
22612 w3wp
4160 pbx_exchange
10624 rdpclip
8468 nbdisco
4156 conhost
26136 w3wp
9752 Microsoft.Exchange.AntispamUpdateSvc
23112 w3wp
13196 Microsoft.Exchange.UM.CallRouter
36900 conhost
2416 hpwmistor
4564 rotatelogs
9304 MSExchangeFrontendTransport
9724 cqmghost
1968 HealthService
4552 rotatelogs
2692 smhstart
30404 Microsoft.Exchange.Store.Worker
7128 zabbix_agentd
13160 csrss
19496 ParserServer
4536 w3wp
9332 vnetd
26944 MonitoringHost
24108 explorer
648 smss
8836 rundll32
1368 svchost
1504 svchost
1932 fms
10044 Microsoft.Exchange.EdgeSyncSvc
7100 WMSvc
18304 taskhostex
12700 MSExchangeTransportLogSearch
15716 rhs
27160 conhost
38556 conhost
15712 rhs
6608 w3wp
2528 conhost
39432 conhost
7508 WmiPrvSE
10952 scanningprocess
10088 MSExchangeMailboxReplication
9656 Veeam.EndPoint.Service
7500 WmiPrvSE
1896 cissesrv
26460 powershell
4268 hpsmhd
2752 updateservice
8784 vnetd
40184 conhost
1016 lsass
3724 sddsrv
10992 scanningprocess
18104 Microsoft.Exchange.Store.Worker
1868 svchost
1436 svchost
17812 Microsoft.Exchange.Store.Worker
6172 cpqnimgt
4016 sepWscSvc64
32028 TranscodingService
14356 EdgeTransport
132 ServerManager
13492 nfssvc
984 services
7876 Microsoft.Exchange.Directory.TopologyService
13908 Microsoft.Exchange.Store.Service
35456 dllhost
17784 ParserServer
1836 spoolsv
10024 MSExchangeDelivery
3988 ccSvcHst
27692 w3wp
1400 svchost
28552 w3wp
22084 dwm
964 winlogon
10876 scanningprocess
17340 FRST64
11736 conhost
19676 Microsoft.Exchange.Store.Worker
19488 svchost
34572 powershell
9136 rundll32
16888 conhost
1800 dwm
11712 Microsoft.Exchange.Pop3
25500 svchost
12136 msexchangerepl
11704 Microsoft.Exchange.Pop3Service
4052 snmp
10408 MSExchangeMailboxAssistants
3940 vds
7384 winlogon
17808 svchost
26776 conhost
21716 conhost
19444 msdtc
892 wininit
13836 UMWorkerProcess
5072 rotatelogs
23316 w3wp
14372 conhost
900 csrss
10808 Microsoft.Exchange.Pop3Service
3048 SMSvcHost
4340 MonitoringHost
1752 LogonUI
3904 ForefrontActiveDirectoryConnector
10368 Microsoft.Exchange.Imap4Service
13384 nfsclnt
33636 powershell
29304 Microsoft.Exchange.RpcClientAccess.Service
3888 ccSvcHst
40636 gpupdate
10080 Microsoft.Exchange.Search.Service
12504 MSExchangeThrottling
4 System
20260 svchost
6036 cqmgserv
0 Idle
Performance Counters Layout information:
A process is holding onto a transport performance counter. processId : 13908, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13908 StartupTime: 133480477022582526, currentInstance : mb-microsoft.exchange.store.service-microsoft.exchange.store.service.exe(4519AFC) RefCount=1 SpinLock=0 Offset=24112, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13908, counter : time in resource per second Value=122 SpinLock=0 Lifetime=Type: 1 ProcessId: 13908 StartupTime: 133480477022582526, currentInstance : ad-microsoft.exchange.store.service-microsoft.exchange.store.service.exe(6B0DD0F6) RefCount=1 SpinLock=0 Offset=23784, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 14356, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 14356 StartupTime: 133480477024770728, currentInstance : rpca-edgetransport-edgetransport.exe(911B6EB3) RefCount=1 SpinLock=0 Offset=23456, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 14356, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 14356 StartupTime: 133480477024770728, currentInstance : mb-edgetransport-edgetransport.exe(A5AF4BBC) RefCount=1 SpinLock=0 Offset=23128, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 14356, counter : time in resource per second Value=2904 SpinLock=0 Lifetime=Type: 1 ProcessId: 14356 StartupTime: 133480477024770728, currentInstance : ad-edgetransport-edgetransport.exe(E79D4A36) RefCount=1 SpinLock=0 Offset=22800, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 14080, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 14080 StartupTime: 133480477011020539, currentInstance : rpca-msexchangetransport-msexchangetransport.exe(24F56C33) RefCount=1 SpinLock=0 Offset=22472, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 14080, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 14080 StartupTime: 133480477011020539, currentInstance : mb-msexchangetransport-msexchangetransport.exe(92FB3D3C) RefCount=1 SpinLock=0 Offset=22144, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 14080, counter : time in resource per second Value=17 SpinLock=0 Lifetime=Type: 1 ProcessId: 14080 StartupTime: 133480477011020539, currentInstance : ad-msexchangetransport-msexchangetransport.exe(2447ECB6) RefCount=1 SpinLock=0 Offset=21816, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13196, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13196 StartupTime: 133480476954611836, currentInstance : rpca-microsoft.exchange.um.callrouter-microsoft.exchange.um.callrouter.exe(E8475353) RefCount=1 SpinLock=0 Offset=21488, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13196, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13196 StartupTime: 133480476954611836, currentInstance : mb-microsoft.exchange.um.callrouter-microsoft.exchange.um.callrouter.exe(8F65881C) RefCount=1 SpinLock=0 Offset=21160, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13196, counter : time in resource per second Value=26 SpinLock=0 Lifetime=Type: 1 ProcessId: 13196 StartupTime: 133480476954611836, currentInstance : ad-microsoft.exchange.um.callrouter-microsoft.exchange.um.callrouter.exe(78F52196) RefCount=1 SpinLock=0 Offset=20832, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13304, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13304 StartupTime: 133480476920704343, currentInstance : rpca-umservice-umservice.exe(E39A1133) RefCount=1 SpinLock=0 Offset=20504, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13304, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13304 StartupTime: 133480476920704343, currentInstance : mb-umservice-umservice.exe(FFBB273C) RefCount=1 SpinLock=0 Offset=20176, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13304, counter : time in resource per second Value=25 SpinLock=0 Lifetime=Type: 1 ProcessId: 13304 StartupTime: 133480476920704343, currentInstance : ad-umservice-umservice.exe(9A8AC6B6) RefCount=1 SpinLock=0 Offset=19848, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 12700, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type:...

Error: (12/26/2023 11:32:34 AM) (Source: MSExchange Common) (EventID: 106) (User: )
Description: Performance counter updating error. Counter name is Time in Resource per second, category name is MSExchange Activity Context Resources. Optional code: 2. Exception: The exception thrown is : System.InvalidOperationException: Instance 'ad-powershell-defaultdomain' already exists with a lifetime of Process. It cannot be recreated or reused until it has been removed or until the process using it has exited.
at System.Diagnostics.SharedPerformanceCounter.FindInstance(Int32 instanceNameHashCode, String instanceName, CategoryEntry* categoryPointer, InstanceEntry** returnInstancePointerReference, Boolean activateUnusedInstances, PerformanceCounterInstanceLifetime lifetime, Boolean& foundFreeInstance)
at System.Diagnostics.SharedPerformanceCounter.GetCounter(String counterName, String instanceName, Boolean enableReuse, PerformanceCounterInstanceLifetime lifetime)
at System.Diagnostics.SharedPerformanceCounter..ctor(String catName, String counterName, String instanceName, PerformanceCounterInstanceLifetime lifetime)
at System.Diagnostics.PerformanceCounter.InitializeImpl()
at System.Diagnostics.PerformanceCounter.get_RawValue()
at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.get_RawValue()
Last worker process info : System.ArgumentException: Process with an Id of 26336 is not running.
at System.Diagnostics.Process.GetProcessById(Int32 processId, String machineName)
at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
Processes running while Performance counter failed to update:
1292 svchost
1720 bpcd
3444 rotatelogs
37488 ParserServer
4300 noderunner
31340 powershell
17352 Microsoft.Exchange.Imap4
4724 noderunner
28424 w3wp
9888 MSExchangeDagMgmt
836 svchost
17844 Microsoft.Exchange.Store.Worker
13332 bpinetd
27124 w3wp
3412 noderunner
3840 sftracing
16768 cmd
820 csrss
3404 ProLiantMonitor
13744 clussvc
39168 powershell
5092 conhost
10720 conhost
13304 umservice
4252 conhost
3388 svchost
27952 w3wp
39868 Microsoft.Exchange.Pop3
27948 w3wp
10704 Microsoft.Exchange.Imap4
1652 svchost
33976 mbamtray
4236 cmd
6188 cqmgstor
2828 MSExchangeHMHost
18744 ParserServer
31380 svchost
8536 conhost
11552 Microsoft.Exchange.ServiceHost
2496 Microsoft.Exchange.Diagnostics.Service
4916 noderunner
30076 w3wp
17572 Microsoft.Exchange.Store.Worker
8520 MSExchangeHMWorker
6364 MBAMService
9376 VeeamDeploymentSvc
10668 Microsoft.Exchange.Imap4Service
4632 hpsmhd
2476 mqsvc
9320 vnetd
19704 ccSvcHst
2032 hostcontrollerservice
11080 MSExchangeSubmission
14080 MSExchangeTransport
2440 inetinfo
22612 w3wp
4160 pbx_exchange
10624 rdpclip
8468 nbdisco
4156 conhost
26136 w3wp
9752 Microsoft.Exchange.AntispamUpdateSvc
23112 w3wp
13196 Microsoft.Exchange.UM.CallRouter
36900 conhost
2416 hpwmistor
4564 rotatelogs
9304 MSExchangeFrontendTransport
9724 cqmghost
1968 HealthService
4552 rotatelogs
2692 smhstart
30404 Microsoft.Exchange.Store.Worker
7128 zabbix_agentd
13160 csrss
19496 ParserServer
4536 w3wp
9332 vnetd
26944 MonitoringHost
24108 explorer
648 smss
8836 rundll32
1368 svchost
1504 svchost
1932 fms
10044 Microsoft.Exchange.EdgeSyncSvc
7100 WMSvc
18304 taskhostex
12700 MSExchangeTransportLogSearch
15716 rhs
27160 conhost
38556 conhost
15712 rhs
6608 w3wp
2528 conhost
39432 conhost
7508 WmiPrvSE
10952 scanningprocess
10088 MSExchangeMailboxReplication
9656 Veeam.EndPoint.Service
7500 WmiPrvSE
1896 cissesrv
26460 powershell
4268 hpsmhd
2752 updateservice
8784 vnetd
40184 conhost
1016 lsass
3724 sddsrv
10992 scanningprocess
18104 Microsoft.Exchange.Store.Worker
1868 svchost
1436 svchost
17812 Microsoft.Exchange.Store.Worker
6172 cpqnimgt
4016 sepWscSvc64
32028 TranscodingService
14356 EdgeTransport
132 ServerManager
13492 nfssvc
984 services
7876 Microsoft.Exchange.Directory.TopologyService
13908 Microsoft.Exchange.Store.Service
35456 dllhost
17784 ParserServer
1836 spoolsv
10024 MSExchangeDelivery
3988 ccSvcHst
27692 w3wp
1400 svchost
28552 w3wp
22084 dwm
964 winlogon
10876 scanningprocess
17340 FRST64
11736 conhost
19676 Microsoft.Exchange.Store.Worker
19488 svchost
34572 powershell
9136 rundll32
16888 conhost
1800 dwm
11712 Microsoft.Exchange.Pop3
25500 svchost
12136 msexchangerepl
11704 Microsoft.Exchange.Pop3Service
4052 snmp
10408 MSExchangeMailboxAssistants
3940 vds
7384 winlogon
17808 svchost
26776 conhost
21716 conhost
19444 msdtc
892 wininit
13836 UMWorkerProcess
5072 rotatelogs
23316 w3wp
14372 conhost
900 csrss
10808 Microsoft.Exchange.Pop3Service
3048 SMSvcHost
4340 MonitoringHost
1752 LogonUI
3904 ForefrontActiveDirectoryConnector
10368 Microsoft.Exchange.Imap4Service
13384 nfsclnt
33636 powershell
29304 Microsoft.Exchange.RpcClientAccess.Service
3888 ccSvcHst
40636 gpupdate
10080 Microsoft.Exchange.Search.Service
12504 MSExchangeThrottling
4 System
20260 svchost
6036 cqmgserv
0 Idle
Performance Counters Layout information:
A process is holding onto a transport performance counter. processId : 14356, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 14356 StartupTime: 133480477024770728, currentInstance : mb-edgetransport-edgetransport.exe(A5AF4BBC) RefCount=1 SpinLock=0 Offset=23128, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 14356, counter : time in resource per second Value=2904 SpinLock=0 Lifetime=Type: 1 ProcessId: 14356 StartupTime: 133480477024770728, currentInstance : ad-edgetransport-edgetransport.exe(E79D4A36) RefCount=1 SpinLock=0 Offset=22800, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 14080, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 14080 StartupTime: 133480477011020539, currentInstance : rpca-msexchangetransport-msexchangetransport.exe(24F56C33) RefCount=1 SpinLock=0 Offset=22472, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 14080, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 14080 StartupTime: 133480477011020539, currentInstance : mb-msexchangetransport-msexchangetransport.exe(92FB3D3C) RefCount=1 SpinLock=0 Offset=22144, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 14080, counter : time in resource per second Value=17 SpinLock=0 Lifetime=Type: 1 ProcessId: 14080 StartupTime: 133480477011020539, currentInstance : ad-msexchangetransport-msexchangetransport.exe(2447ECB6) RefCount=1 SpinLock=0 Offset=21816, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13196, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13196 StartupTime: 133480476954611836, currentInstance : rpca-microsoft.exchange.um.callrouter-microsoft.exchange.um.callrouter.exe(E8475353) RefCount=1 SpinLock=0 Offset=21488, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13196, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13196 StartupTime: 133480476954611836, currentInstance : mb-microsoft.exchange.um.callrouter-microsoft.exchange.um.callrouter.exe(8F65881C) RefCount=1 SpinLock=0 Offset=21160, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13196, counter : time in resource per second Value=26 SpinLock=0 Lifetime=Type: 1 ProcessId: 13196 StartupTime: 133480476954611836, currentInstance : ad-microsoft.exchange.um.callrouter-microsoft.exchange.um.callrouter.exe(78F52196) RefCount=1 SpinLock=0 Offset=20832, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13304, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13304 StartupTime: 133480476920704343, currentInstance : rpca-umservice-umservice.exe(E39A1133) RefCount=1 SpinLock=0 Offset=20504, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13304, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13304 StartupTime: 133480476920704343, currentInstance : mb-umservice-umservice.exe(FFBB273C) RefCount=1 SpinLock=0 Offset=20176, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13304, counter : time in resource per second Value=25 SpinLock=0 Lifetime=Type: 1 ProcessId: 13304 StartupTime: 133480476920704343, currentInstance : ad-umservice-umservice.exe(9A8AC6B6) RefCount=1 SpinLock=0 Offset=19848, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 12700, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type:...

Error: (12/26/2023 11:32:21 AM) (Source: MSExchange Common) (EventID: 106) (User: )
Description: Performance counter updating error. Counter name is Time in Resource per second, category name is MSExchange Activity Context Resources. Optional code: 2. Exception: The exception thrown is : System.InvalidOperationException: Instance 'ad-microsoft.exchange.imap4-microsoft.exchange.imap4.exe' already exists with a lifetime of Process. It cannot be recreated or reused until it has been removed or until the process using it has exited.
at System.Diagnostics.SharedPerformanceCounter.FindInstance(Int32 instanceNameHashCode, String instanceName, CategoryEntry* categoryPointer, InstanceEntry** returnInstancePointerReference, Boolean activateUnusedInstances, PerformanceCounterInstanceLifetime lifetime, Boolean& foundFreeInstance)
at System.Diagnostics.SharedPerformanceCounter.GetCounter(String counterName, String instanceName, Boolean enableReuse, PerformanceCounterInstanceLifetime lifetime)
at System.Diagnostics.SharedPerformanceCounter..ctor(String catName, String counterName, String instanceName, PerformanceCounterInstanceLifetime lifetime)
at System.Diagnostics.PerformanceCounter.InitializeImpl()
at System.Diagnostics.PerformanceCounter.get_RawValue()
at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.get_RawValue()
Last worker process info : System.ArgumentException: Process with an Id of 26336 is not running.
at System.Diagnostics.Process.GetProcessById(Int32 processId, String machineName)
at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
Processes running while Performance counter failed to update:
1292 svchost
1720 bpcd
3444 rotatelogs
37488 ParserServer
4300 noderunner
31340 powershell
17352 Microsoft.Exchange.Imap4
4724 noderunner
28424 w3wp
9888 MSExchangeDagMgmt
836 svchost
17844 Microsoft.Exchange.Store.Worker
13332 bpinetd
27124 w3wp
3412 noderunner
3840 sftracing
16768 cmd
820 csrss
3404 ProLiantMonitor
13744 clussvc
39168 powershell
5092 conhost
10720 conhost
13304 umservice
4252 conhost
3388 svchost
27952 w3wp
39868 Microsoft.Exchange.Pop3
27948 w3wp
10704 Microsoft.Exchange.Imap4
1652 svchost
33976 mbamtray
4236 cmd
6188 cqmgstor
2828 MSExchangeHMHost
18744 ParserServer
31380 svchost
8536 conhost
11552 Microsoft.Exchange.ServiceHost
2496 Microsoft.Exchange.Diagnostics.Service
4916 noderunner
30076 w3wp
17572 Microsoft.Exchange.Store.Worker
8520 MSExchangeHMWorker
6364 MBAMService
9376 VeeamDeploymentSvc
10668 Microsoft.Exchange.Imap4Service
4632 hpsmhd
2476 mqsvc
9320 vnetd
19704 ccSvcHst
2032 hostcontrollerservice
11080 MSExchangeSubmission
14080 MSExchangeTransport
2440 inetinfo
22612 w3wp
4160 pbx_exchange
10624 rdpclip
8468 nbdisco
4156 conhost
26136 w3wp
9752 Microsoft.Exchange.AntispamUpdateSvc
23112 w3wp
13196 Microsoft.Exchange.UM.CallRouter
36900 conhost
2416 hpwmistor
4564 rotatelogs
9304 MSExchangeFrontendTransport
9724 cqmghost
1968 HealthService
4552 rotatelogs
2692 smhstart
30404 Microsoft.Exchange.Store.Worker
7128 zabbix_agentd
13160 csrss
19496 ParserServer
4536 w3wp
9332 vnetd
24108 explorer
648 smss
8836 rundll32
1368 svchost
1504 svchost
1932 fms
10044 Microsoft.Exchange.EdgeSyncSvc
7100 WMSvc
18304 taskhostex
12700 MSExchangeTransportLogSearch
15716 rhs
27160 conhost
38556 conhost
15712 rhs
6608 w3wp
2528 conhost
39432 conhost
7508 WmiPrvSE
10952 scanningprocess
10088 MSExchangeMailboxReplication
9656 Veeam.EndPoint.Service
7500 WmiPrvSE
1896 cissesrv
26460 powershell
4268 hpsmhd
2752 updateservice
8784 vnetd
40184 conhost
1016 lsass
3724 sddsrv
10992 scanningprocess
18104 Microsoft.Exchange.Store.Worker
1868 svchost
1436 svchost
17812 Microsoft.Exchange.Store.Worker
6172 cpqnimgt
4016 sepWscSvc64
32028 TranscodingService
14356 EdgeTransport
132 ServerManager
13492 nfssvc
984 services
7876 Microsoft.Exchange.Directory.TopologyService
13908 Microsoft.Exchange.Store.Service
35456 dllhost
17784 ParserServer
1836 spoolsv
10024 MSExchangeDelivery
3988 ccSvcHst
27692 w3wp
1400 svchost
28552 w3wp
22084 dwm
964 winlogon
10876 scanningprocess
17340 FRST64
11736 conhost
19676 Microsoft.Exchange.Store.Worker
19488 svchost
34572 powershell
9136 rundll32
16888 conhost
1800 dwm
11712 Microsoft.Exchange.Pop3
25500 svchost
12136 msexchangerepl
11704 Microsoft.Exchange.Pop3Service
4052 snmp
10408 MSExchangeMailboxAssistants
3940 vds
7384 winlogon
17808 svchost
26776 conhost
21716 conhost
19444 msdtc
892 wininit
13836 UMWorkerProcess
5072 rotatelogs
23316 w3wp
14372 conhost
900 csrss
10808 Microsoft.Exchange.Pop3Service
3048 SMSvcHost
4340 MonitoringHost
1752 LogonUI
3904 ForefrontActiveDirectoryConnector
10368 Microsoft.Exchange.Imap4Service
13384 nfsclnt
33636 powershell
29304 Microsoft.Exchange.RpcClientAccess.Service
3888 ccSvcHst
40636 gpupdate
10080 Microsoft.Exchange.Search.Service
12504 MSExchangeThrottling
4 System
20260 svchost
6036 cqmgserv
0 Idle
Performance Counters Layout information:
A process is holding onto a transport performance counter. processId : 14080, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 14080 StartupTime: 133480477011020539, currentInstance : mb-msexchangetransport-msexchangetransport.exe(92FB3D3C) RefCount=1 SpinLock=0 Offset=22144, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 14080, counter : time in resource per second Value=17 SpinLock=0 Lifetime=Type: 1 ProcessId: 14080 StartupTime: 133480477011020539, currentInstance : ad-msexchangetransport-msexchangetransport.exe(2447ECB6) RefCount=1 SpinLock=0 Offset=21816, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13196, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13196 StartupTime: 133480476954611836, currentInstance : rpca-microsoft.exchange.um.callrouter-microsoft.exchange.um.callrouter.exe(E8475353) RefCount=1 SpinLock=0 Offset=21488, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13196, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13196 StartupTime: 133480476954611836, currentInstance : mb-microsoft.exchange.um.callrouter-microsoft.exchange.um.callrouter.exe(8F65881C) RefCount=1 SpinLock=0 Offset=21160, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13196, counter : time in resource per second Value=26 SpinLock=0 Lifetime=Type: 1 ProcessId: 13196 StartupTime: 133480476954611836, currentInstance : ad-microsoft.exchange.um.callrouter-microsoft.exchange.um.callrouter.exe(78F52196) RefCount=1 SpinLock=0 Offset=20832, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13304, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13304 StartupTime: 133480476920704343, currentInstance : rpca-umservice-umservice.exe(E39A1133) RefCount=1 SpinLock=0 Offset=20504, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13304, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13304 StartupTime: 133480476920704343, currentInstance : mb-umservice-umservice.exe(FFBB273C) RefCount=1 SpinLock=0 Offset=20176, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13304, counter : time in resource per second Value=25 SpinLock=0 Lifetime=Type: 1 ProcessId: 13304 StartupTime: 133480476920704343, currentInstance : ad-umservice-umservice.exe(9A8AC6B6) RefCount=1 SpinLock=0 Offset=19848, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 12700, counter : time in resource per second Value=0 SpinLock=0 Lifeti...

Error: (12/26/2023 11:32:15 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Microsoft.Exchange.Imap4.exe, version: 15.0.1497.46, time stamp: 0x63a785a9
Faulting module name: exrpc32.dll, version: 15.0.1497.48, time stamp: 0x63f91554
Exception code: 0xc0000005
Fault offset: 0x00000000000b8498
Faulting process id: 0x66e0
Faulting application start time: 0x01da37cd67afe0cb
Faulting application path: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe
Faulting module path: C:\Program Files\Microsoft\Exchange Server\V15\bin\exrpc32.dll
Report Id: e3a68db1-a3c0-11ee-94c1-0017a4770002
Faulting package full name:
Faulting package-relative application ID:

Error: (12/26/2023 11:32:15 AM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: Microsoft.Exchange.Imap4.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: exception code c0000005, exception address 000000005B018498

Error: (12/26/2023 11:31:42 AM) (Source: MSExchange Common) (EventID: 4999) (User: )
Description: Watson report about to be sent for process id: 26336, with parameters: E12N, c-rtl-AMD64, 15.00.1497.046, Microsoft.Exchange.Imap4.exe, AUTHZ.dll, 180dc, c0000005, 1041, 6.2.9200.24517 (win8_ldr_escrow.230913-1759).
ErrorReportingEnabled: True
263364

Error: (12/26/2023 11:31:30 AM) (Source: MSExchangeFrontEndTransport) (EventID: 12018) (User: )
Description: The STARTTLS certificate will expire soon: subject: C11-EX-SVR-MBX4.gov.mu, thumbprint: 7D5ADF3BE38AF11C38D64BCB645B5D6E9DC78B19, hours remaining: 532. Run the New-ExchangeCertificate cmdlet to create a new certificate.

Error: (12/26/2023 11:31:22 AM) (Source: MSExchange Common) (EventID: 106) (User: )
Description: Performance counter updating error. Counter name is Time in Resource per second, category name is MSExchange Activity Context Resources. Optional code: 2. Exception: The exception thrown is : System.InvalidOperationException: Instance 'ad-microsoft.exchange.store.worker-microsoft.exchange.store.worker.exe' already exists with a lifetime of Process. It cannot be recreated or reused until it has been removed or until the process using it has exited.
at System.Diagnostics.SharedPerformanceCounter.FindInstance(Int32 instanceNameHashCode, String instanceName, CategoryEntry* categoryPointer, InstanceEntry** returnInstancePointerReference, Boolean activateUnusedInstances, PerformanceCounterInstanceLifetime lifetime, Boolean& foundFreeInstance)
at System.Diagnostics.SharedPerformanceCounter.GetCounter(String counterName, String instanceName, Boolean enableReuse, PerformanceCounterInstanceLifetime lifetime)
at System.Diagnostics.SharedPerformanceCounter..ctor(String catName, String counterName, String instanceName, PerformanceCounterInstanceLifetime lifetime)
at System.Diagnostics.PerformanceCounter.InitializeImpl()
at System.Diagnostics.PerformanceCounter.get_RawValue()
at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.get_RawValue()
Last worker process info : System.ArgumentException: Process with an Id of 12148 is not running.
at System.Diagnostics.Process.GetProcessById(Int32 processId, String machineName)
at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
Processes running while Performance counter failed to update:
1292 svchost
1720 bpcd
3444 rotatelogs
37488 ParserServer
4300 noderunner
4724 noderunner
21960 conhost
28424 w3wp
9888 MSExchangeDagMgmt
836 svchost
17844 Microsoft.Exchange.Store.Worker
13332 bpinetd
27124 w3wp
3412 noderunner
3840 sftracing
820 csrss
3404 ProLiantMonitor
13744 clussvc
5092 conhost
10720 conhost
13304 umservice
4252 conhost
3388 svchost
27952 w3wp
39868 Microsoft.Exchange.Pop3
27948 w3wp
10704 Microsoft.Exchange.Imap4
1652 svchost
33976 mbamtray
4236 cmd
6188 cqmgstor
2828 MSExchangeHMHost
18744 ParserServer
31380 svchost
8536 conhost
11552 Microsoft.Exchange.ServiceHost
2496 Microsoft.Exchange.Diagnostics.Service
4916 noderunner
30076 w3wp
17572 Microsoft.Exchange.Store.Worker
8520 MSExchangeHMWorker
6364 MBAMService
9376 VeeamDeploymentSvc
10668 Microsoft.Exchange.Imap4Service
4632 hpsmhd
2476 mqsvc
9320 vnetd
19704 ccSvcHst
2032 hostcontrollerservice
11080 MSExchangeSubmission
14080 MSExchangeTransport
2440 inetinfo
22612 w3wp
4160 pbx_exchange
10624 rdpclip
8468 nbdisco
4156 conhost
26136 w3wp
9752 Microsoft.Exchange.AntispamUpdateSvc
23112 w3wp
13196 Microsoft.Exchange.UM.CallRouter
36900 conhost
2416 hpwmistor
4564 rotatelogs
9304 MSExchangeFrontendTransport
9724 cqmghost
1968 HealthService
4552 rotatelogs
2692 smhstart
30404 Microsoft.Exchange.Store.Worker
7128 zabbix_agentd
13160 csrss
19496 ParserServer
4536 w3wp
9332 vnetd
24108 explorer
648 smss
8836 rundll32
1368 svchost
1504 svchost
1932 fms
10044 Microsoft.Exchange.EdgeSyncSvc
7100 WMSvc
18304 taskhostex
12700 MSExchangeTransportLogSearch
15716 rhs
27160 conhost
38556 conhost
15712 rhs
6608 w3wp
2528 conhost
7508 WmiPrvSE
10952 scanningprocess
10088 MSExchangeMailboxReplication
9656 Veeam.EndPoint.Service
7500 WmiPrvSE
1896 cissesrv
4268 hpsmhd
2752 updateservice
8784 vnetd
1016 lsass
3724 sddsrv
10992 scanningprocess
18104 Microsoft.Exchange.Store.Worker
1868 svchost
1436 svchost
17812 Microsoft.Exchange.Store.Worker
6172 cpqnimgt
4016 sepWscSvc64
32028 TranscodingService
14356 EdgeTransport
132 ServerManager
13492 nfssvc
35300 WmiPrvSE
984 services
7876 Microsoft.Exchange.Directory.TopologyService
13908 Microsoft.Exchange.Store.Service
35456 dllhost
17784 ParserServer
1836 spoolsv
10024 MSExchangeDelivery
3988 ccSvcHst
27692 w3wp
1400 svchost
28552 w3wp
22084 dwm
964 winlogon
10876 scanningprocess
17340 FRST64
11736 conhost
19676 Microsoft.Exchange.Store.Worker
19488 svchost
9136 rundll32
16888 conhost
1800 dwm
11712 Microsoft.Exchange.Pop3
12136 msexchangerepl
11704 Microsoft.Exchange.Pop3Service
4052 snmp
10408 MSExchangeMailboxAssistants
3940 vds
7384 winlogon
17808 svchost
26776 conhost
21716 conhost
37116 LogonUI
19444 msdtc
892 wininit
13836 UMWorkerProcess
5072 rotatelogs
23316 w3wp
14372 conhost
900 csrss
33224 svchost
10808 Microsoft.Exchange.Pop3Service
3048 SMSvcHost
4340 MonitoringHost
1752 LogonUI
3904 ForefrontActiveDirectoryConnector
10368 Microsoft.Exchange.Imap4Service
13384 nfsclnt
29304 Microsoft.Exchange.RpcClientAccess.Service
3888 ccSvcHst
10080 Microsoft.Exchange.Search.Service
12504 MSExchangeThrottling
4 System
20260 svchost
6036 cqmgserv
26336 Microsoft.Exchange.Imap4
0 Idle
Performance Counters Layout information:
A process is holding onto a transport performance counter. processId : 14080, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 14080 StartupTime: 133480477011020539, currentInstance : rpca-msexchangetransport-msexchangetransport.exe(24F56C33) RefCount=1 SpinLock=0 Offset=22472, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 14080, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 14080 StartupTime: 133480477011020539, currentInstance : mb-msexchangetransport-msexchangetransport.exe(92FB3D3C) RefCount=1 SpinLock=0 Offset=22144, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 14080, counter : time in resource per second Value=15 SpinLock=0 Lifetime=Type: 1 ProcessId: 14080 StartupTime: 133480477011020539, currentInstance : ad-msexchangetransport-msexchangetransport.exe(2447ECB6) RefCount=1 SpinLock=0 Offset=21816, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13196, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13196 StartupTime: 133480476954611836, currentInstance : rpca-microsoft.exchange.um.callrouter-microsoft.exchange.um.callrouter.exe(E8475353) RefCount=1 SpinLock=0 Offset=21488, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13196, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13196 StartupTime: 133480476954611836, currentInstance : mb-microsoft.exchange.um.callrouter-microsoft.exchange.um.callrouter.exe(8F65881C) RefCount=1 SpinLock=0 Offset=21160, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13196, counter : time in resource per second Value=26 SpinLock=0 Lifetime=Type: 1 ProcessId: 13196 StartupTime: 133480476954611836, currentInstance : ad-microsoft.exchange.um.callrouter-microsoft.exchange.um.callrouter.exe(78F52196) RefCount=1 SpinLock=0 Offset=20832, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13304, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13304 StartupTime: 133480476920704343, currentInstance : rpca-umservice-umservice.exe(E39A1133) RefCount=1 SpinLock=0 Offset=20504, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13304, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13304 StartupTime: 133480476920704343, currentInstance : mb-umservice-umservice.exe(FFBB273C) RefCount=1 SpinLock=0 Offset=20176, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13304, counter : time in resource per second Value=25 SpinLock=0 Lifetime=Type: 1 ProcessId: 13304 StartupTime: 133480476920704343, currentInstance : ad-umservice-umservice.exe(9A8AC6B6) RefCount=1 SpinLock=0 Offset=19848, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 12700, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 12700 StartupTime: 133480476902266085, currentInstance : rpca-mse...


System errors:
=============
Error: (12/26/2023 11:32:20 AM) (Source: DCOM) (EventID: 10010) (User: GOM)
Description: The server {BB6DF56B-CACE-11DC-9992-0019B93A3A84} did not register with DCOM within the required timeout.

Error: (12/26/2023 11:31:47 AM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Error: (12/26/2023 11:31:45 AM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Error: (12/26/2023 11:31:20 AM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Error: (12/26/2023 11:30:47 AM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Error: (12/26/2023 11:30:47 AM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Error: (12/26/2023 11:30:47 AM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Error: (12/26/2023 11:30:20 AM) (Source: DCOM) (EventID: 10010) (User: GOM)
Description: The server {1ECCA34C-E88A-44E3-8D6A-8921BDE9E452} did not register with DCOM within the required timeout.


==================== Memory info ===========================

BIOS: HP I25 07/01/2013
Processor: Intel® Xeon® CPU E7- 4820 @ 2.00GHz
Percentage of memory in use: 27%
Total physical RAM: 131061.66 MB
Available physical RAM: 95325.26 MB
Total Virtual: 163829.66 MB
Available Virtual: 122135.63 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:279.36 GB) (Free:59.35 GB) (Model: HP LOGICAL VOLUME SCSI Disk Device) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (B_MBX4_VOL1) (Fixed) (Total:2764.67 GB) (Free:1420.35 GB) (Model: IBM 2145 Multi-Path Disk Device) NTFS
Drive e: (B_MBX4_VOL2) (Fixed) (Total:2764.67 GB) (Free:1187.23 GB) (Model: IBM 2145 Multi-Path Disk Device) NTFS
Drive f: (B_MBX4_VOL3) (Fixed) (Total:2764.67 GB) (Free:619.48 GB) (Model: IBM 2145 Multi-Path Disk Device) NTFS
Drive h: (B_MBX4_VOL5) (Fixed) (Total:2764.67 GB) (Free:1111.69 GB) (Model: IBM 2145 Multi-Path Disk Device) NTFS
Drive i: (B_MBX4_VOL6) (Fixed) (Total:2764.67 GB) (Free:1419.2 GB) (Model: IBM 2145 Multi-Path Disk Device) NTFS
Drive j: (B_MBX4_VOL7) (Fixed) (Total:2764.67 GB) (Free:1581.01 GB) (Model: IBM 2145 Multi-Path Disk Device) NTFS
Drive k: (LOGSMBX4) (Fixed) (Total:500 GB) (Free:65.12 GB) (Model: 3PARdata VV Multi-Path Disk Device) NTFS
Drive n: (B_MBX4_VOL4) (Fixed) (Total:2764.67 GB) (Free:2683.08 GB) (Model: IBM 2145 Multi-Path Disk Device) NTFS
Drive z: () (Network) (Total:100 GB) (Free:99 GB) (Model: HP LOGICAL VOLUME SCSI Disk Device) NFS


==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 279.4 GB) (Disk ID: D305A9FA)
Partition 1: (Active) - (Size=279.4 GB) - (Type=07 NTFS)

==========================================================
Disk: 1 (MBR Code: Windows 7/8/10) (Size: 500 GB) (Disk ID: 09D0C734)
Partition 1: (Active) - (Size=500 GB) - (Type=07 NTFS)

==========================================================
Disk: 2 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 3 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 4 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 5 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 6 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 7 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 8 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==================== End of Addition.txt =======================

Edited by Oh My!, 28 December 2023 - 12:20 PM.


#4 Oh My!


Posted 28 December 2023 - 04:31 PM

Greetings and thank you for your patience.
 

2023-12-26 11:01 - 2023-12-26 11:01 - 000000000 ____D C:\ClusterStorage

This entry is odd in that it was created 2 days ago. Can you check the contents and see if it appears legitimate?

-----
 

S1 byghalnv; \??\C:\Windows\system32\drivers\byghalnv.sys [X]
S1 cvsofigq; \??\C:\Windows\system32\drivers\cvsofigq.sys [X]
S1 deftbkke; \??\C:\Windows\system32\drivers\deftbkke.sys [X]
S1 dwccxnns; \??\C:\Windows\system32\drivers\dwccxnns.sys [X]
S1 epoupsau; \??\C:\Windows\system32\drivers\epoupsau.sys [X]
S1 gwutsruh; \??\C:\Windows\system32\drivers\gwutsruh.sys [X]
S1 isutlwrp; \??\C:\Windows\system32\drivers\isutlwrp.sys [X]
S1 nvcrsrqw; \??\C:\Windows\system32\drivers\nvcrsrqw.sys [X]
S1 rlnzbdiz; \??\C:\Windows\system32\drivers\rlnzbdiz.sys [X]

Are these the reappearing malware entries?

-----

Please do this.

Zip and attach the C:\Windows\debug\msert.log report to your reply

===================================================

Farbar Recovery Scan Tool SearchAll

--------------------
  • Right click on FRST and select Run as administrator
  • Copy/paste the following in the Search: box
SearchAll: scshost.exe
  • Click Search Files button
  • When completed click OK and a Search.txt document will open on your desktop
  • Copy and paste the contents of the report in your reply
===================================================

TaskSchedulerView by Nirsoft

--------------
  • Download TaskSchedulerView for 64 bit systems and save it to your Desktop
  • Right click on the folder, select Extract All... and extract the folder onto your Desktop
  • Right click on the TaskSchedulerView application icon and select Run as administrator
  • Click View then HTML Report - All Items
  • When your browser opens click File, Save Page As... and save the file onto your Desktop with the default name
  • Please zip and upload the file here
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Contents of the Directory seem legitimate?
  • Reappearing malware entries?
  • Attached msert.log zip file
  • Search.txt
  • Uploaded TaskSchedulerView report

Gary 

Lord, to whom shall we go? You have the words of eternal life. We have come to believe and to know that you are the Holy One of God.

John 6:68-69

#5 kpatel45


Posted 29 December 2023 - 02:59 AM

Hello again and thanks for the steps forward. As requested, find relevant info:

 

  • Contents of the Directory seem legitimate? - the folder path is empty on the server
  • Reappearing malware entries? - not sure, but at the time of replying, none of these files exist in the corresponding folder path c:\windows\system32\drivers
  • Attached msert.log zip file - file attached as zip
  • Search.txt - copy and pasted below
  • Uploaded TaskSchedulerView report - uploaded to provided workspace link

THANK U!

 

Apologies for the delayed replies - I am in the GMT +4 time zone

 

Farbar Recovery Scan Tool (x64) Version: 22-12-2023
Ran by ex-super_user (29-12-2023 11:40:26)
Running from C:\TEMP
Boot Mode: Normal

================== Search Files: "SearchAll: scshost.exe" =============

File:
========
C:\Windows\WinSxS\amd64_microsoft-windows-s..onfiguration-wizard_31bf3856ad364e35_6.2.9200.16384_none_94b90efdd4fe9c14\scshost.exe
[2012-07-26 05:56][2012-07-26 07:08] 000024064 _____ (Microsoft Corporation) C7C8A081B237F628166CCCBBE1AD717A [File is digitally signed]

C:\Windows\WinSxS\amd64_microsoft-windows-s..on-wizard.resources_31bf3856ad364e35_6.2.9200.16384_en-us_232c89b6d442fb69\scshost.exe.mui
[2012-07-26 12:03][2012-07-26 12:03] 000002048 _____ (Microsoft Corporation) 46F14184009D3FFE265E11AB7DDA448F [File is digitally signed]

C:\Windows\System32\scshost.exe
[2012-07-26 05:56][2012-07-26 07:08] 000024064 _____ (Microsoft Corporation) C7C8A081B237F628166CCCBBE1AD717A [File is digitally signed]

C:\Windows\System32\en-US\scshost.exe.mui
[2012-07-26 12:03][2012-07-26 12:03] 000002048 _____ (Microsoft Corporation) 46F14184009D3FFE265E11AB7DDA448F [File is digitally signed]


folder:
========

Registry:
========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{05E7C5B7-52B4-4AB0-B081-545F1F60CAB7}]
"DllSurrogate"="C:\Windows\System32\scshost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3f2db10f-6368-4702-a4b1-e5149d931370}]
"DllSurrogate"="C:\Windows\System32\scshost.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules]
"SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC"="v2.20|Action=Allow|Active=FALSE|Dir=In|Protocol=6|LPort=RPC|App=%systemroot%\system32\scshost.exe|Name=@scwcmd.exe,-8001|Desc=@scwcmd.exe,-8002|EmbedCtxt=@scwcmd.exe,-8000|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules]
"SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC-EndPointMapper"="v2.20|Action=Allow|Active=FALSE|Dir=In|Protocol=6|LPort=RPC-EPMap|App=%systemroot%\system32\scshost.exe|Name=@scwcmd.exe,-8003|Desc=@scwcmd.exe,-8004|EmbedCtxt=@scwcmd.exe,-8000|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC"="v2.20|Action=Allow|Active=FALSE|Dir=In|Protocol=6|LPort=RPC|App=%systemroot%\system32\scshost.exe|Name=@scwcmd.exe,-8001|Desc=@scwcmd.exe,-8002|EmbedCtxt=@scwcmd.exe,-8000|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC-EndPointMapper"="v2.20|Action=Allow|Active=FALSE|Dir=In|Protocol=6|LPort=RPC-EPMap|App=%systemroot%\system32\scshost.exe|Name=@scwcmd.exe,-8003|Desc=@scwcmd.exe,-8004|EmbedCtxt=@scwcmd.exe,-8000|"


====== End of Search ======




#6 Oh My!


Posted 30 December 2023 - 11:49 AM

Before we begin I need to verify the following patches have been applied to the Server, if applicable.

CVE-2021-26855
CVE-2021-26857
CVE-2021-26858
CVE-2021-27065

In addition, if you have not imaged your system, I would strongly suggest you do so before we make any modifications.

Let me know about these 2 issues.
Gary 


#7 kpatel45


Posted 30 December 2023 - 02:40 PM

Hello mate and thanks for the prompt reply. Offices are closed for now. I resume work on the 3rd of January 2024. I will post the requested info then. Sorry for the inconvenience.

#8 Oh My!


Posted 30 December 2023 - 05:10 PM

I understand, no inconvenience at all.
Gary 


#9 kpatel45


Posted 03 January 2024 - 04:46 AM

Hello Gary,

 

I have run healthchecker.ps1 on the server. The latest cumulative update is installed. Security updates have been installed as and when they were released. The script results show only these missing updates:

 

Security Vulnerabilities CVE-2022-24516, CVE-2022-21979, CVE-2022-21980, CVE-2022-24477, CVE-2022-30134
Extended Protection isn't configured as expected


For more information about Extended Protection and how to configure, please read this article: https://aka.ms/HC-ExchangeEPDoc

 

From the result, these updates are installed:

 

Exchange IU or Security Hotfix Detected
Security Update for Exchange Server 2013 Cumulative Update 23 (KB5000871)
Security Update for Exchange Server 2013 Cumulative Update 23 (KB5003435)
Security Update for Exchange Server 2013 Cumulative Update 23 (KB5004778)
Security Update for Exchange Server 2013 Cumulative Update 23 (KB5007409)
Security Update for Exchange Server 2013 Cumulative Update 23 (KB5010324)
Security Update for Exchange Server 2013 Cumulative Update 23 (KB5014260)
Security Update for Exchange Server 2013 Cumulative Update 23 (KB5019758)
Security Update for Exchange Server 2013 Cumulative Update 23 (KB5022188)
Security Update for Exchange Server 2013 Cumulative Update 23 (KB5023038)
Security Update for Exchange Server 2013 Cumulative Update 23 (KB5024296)

 

The 4 updates referred to are resolved in KB5000871 (https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b)

 

Server system state backup is done.



#10 Oh My!


Posted 03 January 2024 - 08:11 PM

Thank you.

Because of all the updates/modifications please run a new FRST Scan and copy/paste both reports in your reply. We need to work with the most current information.
Gary 


#11 kpatel45


Posted 04 January 2024 - 01:31 AM

Hello Gary,

 

As requested, scan results are posted below. However, do not expect any major differences in results since the previous scan results were posted after all patches had already been installed.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 22-12-2023
Ran by ex-super_user (administrator) on C11-EX-SVR-MBX4 (HP ProLiant BL680c G7) (04-01-2024 10:18:31)
Running from C:\TEMP\FRST64.exe
Loaded Profiles: ex-super_user
Platform: Microsoft Windows Server 2012 Standard (X64) Language: English (United States)
Default browser: IE
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(C:\hp\hpsmh\bin\hpsmhd.exe ->) (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\bin\rotatelogs.exe <4>
(C:\hp\hpsmh\bin\smhstart.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\cmd.exe
(C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe ->) (Malwarebytes Inc. -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Service.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Worker.exe <6>
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\noderunner.exe <3>
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\noderunner.exe
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\noderunner.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\ParserServer\ParserServer.exe <5>
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe
(C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe
(C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe
(C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe
(C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe
(C:\Program Files\Veritas\NetBackup\bin\bpfis.exe ->) (Veritas Technologies LLC -> Veritas Technologies LLC) C:\Program Files\Veritas\NetBackup\bin\monad.exe <2>
(C:\Windows\Cluster\clussvc.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\Cluster\rhs.exe <2>
(cmd.exe ->) (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\bin\hpsmhd.exe <2>
(inetsrv\w3wp.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\Bin\DocumentViewing\TranscodingService.exe <3>
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\ServerManager.exe
(services.exe ->) (Broadcom Inc -> Broadcom) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\sepWscSvc64.exe
(services.exe ->) (Hewlett-Packard Company -> Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\iLO 3\service\ProLiantMonitor.exe
(services.exe ->) (Hewlett-Packard Company -> Hewlett-Packard Company) C:\Windows\System32\CpqMgmt\cqmghost\cqmghost.exe
(services.exe ->) (Hewlett-Packard Company -> Hewlett-Packard Company) C:\Windows\System32\CpqMgmt\cqmgserv\cqmgserv.exe
(services.exe ->) (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\bin\smhstart.exe
(services.exe ->) (Hewlett-Packard Company) [File not signed] C:\Program Files\hp\Cissesrv\cissesrv.exe
(services.exe ->) (Hewlett-Packard Company) [File not signed] C:\Program Files\HPWBEM\Storage\Service\hpwmistor.exe
(services.exe ->) (Hewlett-Packard Company) [File not signed] C:\Windows\System32\CpqMgmt\cqmgstor\cqmgstor.exe
(services.exe ->) (Hewlett-Packard Company) [File not signed] C:\Windows\System32\CPQNiMgt\cpqnimgt.exe
(services.exe ->) (IBM India Pvt Ltd -> IBM Corporation) [File not signed] C:\Program Files\IBM\SDDDSM\sddsrv.exe
(services.exe ->) (Malwarebytes Inc. -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corp.) C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Search.Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.ServiceHost.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\fms.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe <2>
(services.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\Cluster\clussvc.exe
(services.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\inetsrv\WMSvc.exe
(services.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\nfssvc.exe
(services.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\rundll32.exe <2>
(services.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\vds.exe
(services.exe ->) (Symantec Corporation -> Broadcom) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\ccSvcHst.exe <3>
(services.exe ->) (Veeam Software Group GmbH -> Veeam Software Group GmbH) C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Service.exe
(services.exe ->) (Veeam Software Group GmbH -> Veeam Software Group GmbH) C:\Windows\Veeam\Backup\VeeamDeploymentSvc.exe
(services.exe ->) (Veritas Technologies LLC -> Veritas Technologies LLC) C:\Program Files (x86)\VERITAS\VxPBX\bin\pbx_exchange.exe
(services.exe ->) (Veritas Technologies LLC -> Veritas Technologies LLC) C:\Program Files\Veritas\NetBackup\bin\bpcd.exe
(services.exe ->) (Veritas Technologies LLC -> Veritas Technologies LLC) C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe
(services.exe ->) (Veritas Technologies LLC -> Veritas Technologies LLC) C:\Program Files\Veritas\NetBackup\bin\nbdisco.exe
(services.exe ->) (Veritas Technologies LLC -> Veritas Technologies LLC) C:\Program Files\Veritas\NetBackup\bin\vnetd.exe <3>
(services.exe ->) (Zabbix SIA) [File not signed] C:\Zabbix\zabbix_agentd.exe
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corp.) C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe <3>
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe <13>
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Veritas Technologies LLC -> Veritas Technologies LLC) C:\Program Files\Veritas\NetBackup\bin\bpbkar32.exe
(Veritas Technologies LLC -> Veritas Technologies LLC) C:\Program Files\Veritas\NetBackup\bin\bpfis.exe
(winlogon.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\LogonUI.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [QLogicSaveSystemInfo] => rundll32.exe qlco10010.dll,QLSaveSystemInfo (No File)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Policies\Explorer: [AllowOnlineTips] 0
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall: Restriction <==== ATTENTION
HKLM\...\Policies\system: [legalnoticecaption] “Government Online Centre (GOC)”
HKLM\...\Policies\system: [legalnoticetext] “This system is owned and operated by GOC. Use is restricted to GOC. Authorised users must comply with the GOC IT Security Policy. Usage is monitored
HKLM\Software\Policies\...\system: [DenyRsopToInteractiveUser] 1
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}] -> "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenAdmin
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}] -> "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenUser
Lsa: [Notification Packages] scecli rassfm
BootExecute: autocheck autochk /q /v *
Policies: C:\Users\administrator.GOM\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\ex-super-var\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\ex-super-yb\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\ex-super_user\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\share-port_sysadmin1\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\share-port_sysadmin2\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\share-port_sysadmin4\NTUSER.pol: Restriction <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {9335200B-9EB5-4F29-8CA7-0555929B5408} - System32\Tasks\Delete Exchange Logs => C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [474624 2012-07-26] (Microsoft Windows -> Microsoft Corporation) -> -NonInteractive -command ". 'C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; .\ClearLogs.ps1"
Task: {734C4B31-C98B-47B1-911B-5CA88A69DA54} - System32\Tasks\Microsoft\Windows\CertificateServicesClient\Notification\ReplaceOMCert => C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [474624 2012-07-26] (Microsoft Windows -> Microsoft Corporation) -> -NonInteractive -File "C:\Program Files\Microsoft Monitoring Agent\Agent\Tools\UpdateOMCert.ps1" -OldCertHash $(OldCertHash) -NewCertHash $(NewCertHash) -EventRecordId $(EventRecordId)
Task: {4A2D7E4A-9C77-4CF0-9C9A-CF1435BBA2EB} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [256512 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
Task: {6EFE5C9E-9B8F-4468-A739-46BEB554ED57} - System32\Tasks\Microsoft\Windows\PLA\Exchange_Perfwiz => C:\Windows\system32\rundll32.exe [51712 2012-07-26] (Microsoft Windows -> Microsoft Corporation) -> C:\Windows\system32\pla.dll,PlaHost "Exchange_Perfwiz" "$(Arg0)"
Task: {D0AECC17-F481-4226-8D50-CFC2747BFD71} - System32\Tasks\Microsoft\Windows\PLA\ExchangeDiagnosticsDailyPerformanceLog => C:\Windows\system32\rundll32.exe [51712 2012-07-26] (Microsoft Windows -> Microsoft Corporation) -> C:\Windows\system32\pla.dll,PlaHost "ExchangeDiagnosticsDailyPerformanceLog" "$(Arg0)"
Task: {EBE323AD-A392-4B3A-84D1-89C71E53BC5F} - System32\Tasks\Microsoft\Windows\PLA\ExchangeDiagnosticsPerformanceLog => C:\Windows\system32\rundll32.exe [51712 2012-07-26] (Microsoft Windows -> Microsoft Corporation) -> C:\Windows\system32\pla.dll,PlaHost "ExchangeDiagnosticsPerformanceLog" "$(Arg0)"
Task: {2DD4DAE1-5FA1-4A6D-BD04-9CAA551C7450} - System32\Tasks\Microsoft\Windows\PLA\Server Manager Performance Monitor => C:\Windows\system32\rundll32.exe [51712 2012-07-26] (Microsoft Windows -> Microsoft Corporation) -> %systemroot%\system32\pla.dll,PlaHost "Server Manager Performance Monitor" "$(Arg0)"
Task: {64C59100-7846-4C78-9724-0B6E95E43CAF} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_ERROR_HB => C:\TEMP\MSERT.exe [150189544 2023-12-09] (Microsoft Corporation -> Microsoft Corporation) <==== ATTENTION
Task: {2E1D51CF-C57C-4B06-A34A-1A8210284088} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [156112424 2023-04-19] (Microsoft Windows -> Microsoft Corporation)
Task: {8B56BECD-7294-470A-B8E9-5A0C7A454E5E} - System32\Tasks\Microsoft\Windows\Server Manager\CleanupOldPerfLogs => C:\Windows\system32\cscript.exe [146944 2018-10-26] (Microsoft Windows -> Microsoft Corporation) -> /B /nologo %systemroot%\system32\calluxxprovider.vbs $(Arg0) $(Arg1) $(Arg2)
Task: {59E8FC39-8262-4D00-849D-3A7C447D385C} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [94720 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
Task: {5198D9B3-684F-47A5-BAB0-AB87C6B9C010} - System32\Tasks\Microsoft\Windows\Setup\WS2012EOSNotify => C:\Windows\system32\WS2012EOSNotify.exe [48640 2023-06-27] (Microsoft Windows -> Microsoft Corporation)
Task: {01DEBF2D-14F6-43E4-A999-B0A5991380AF} - System32\Tasks\Symantec Endpoint Protection\Symantec Endpoint Protection Error Analyzer => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\SymErr.exe [102312 2023-06-20] (Symantec Corporation -> Broadcom)
Task: {3143C95F-6616-4E79-A3E8-3FEA5CD8C432} - System32\Tasks\Symantec Endpoint Protection\Symantec Endpoint Protection Error Processor => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\SymErr.exe [102312 2023-06-20] (Symantec Corporation -> Broadcom)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <==== ATTENTION (Restriction - ProxySettings)
ProxyEnable: [S-1-5-21-1365522570-4229012047-2779133919-500] => Proxy is enabled.
ProxyServer: [S-1-5-21-1365522570-4229012047-2779133919-500] => 192.168.66.1:8783
ProxyServer: [S-1-5-21-3412390019-1648271104-2333346583-17206] => 192.168.66.1:8783
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{60576B43-9007-4DC3-A65F-130B9290A3E0}: [NameServer] 192.168.2.40,192.168.2.41,192.168.2.39
HKLM\System\...\Parameters\PersistentRoutes: [192.168.3.31,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.3.73,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.3.71,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.3.66,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.3.185,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.2.0,255.255.255.0,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [202.123.27.104,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [202.123.27.107,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.3.0,255.255.255.0,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.7.8,255.255.255.255,192.168.6.1,1]
PersistentRoutes: There are 22 PersistentRoutes.


==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 AdtAgent; C:\Windows\system32\AdtAgent.exe [410808 2013-09-06] (Microsoft Corporation -> Microsoft Corporation)
S4 CIMnotify; C:\Windows\system32\CIMntfy\cimntfy.exe [265496 2013-07-12] (Hewlett-Packard Company -> Hewlett-Packard Company)
R2 Cissesrv; C:\Program Files\HP\Cissesrv\cissesrv.exe [194048 2013-05-08] (Hewlett-Packard Company) [File not signed]
R2 ClusSvc; C:\Windows\Cluster\clussvc.exe [7328768 2023-06-15] (Microsoft Windows -> Microsoft Corporation)
R2 CpqNicMgmt; C:\Windows\system32\CPQNiMgt\cpqnimgt.exe [9728 2013-07-12] (Hewlett-Packard Company) [File not signed]
R2 CqMgHost; C:\Windows\system32\CpqMgmt\cqmghost\cqmghost.exe [16664 2013-07-12] (Hewlett-Packard Company -> Hewlett-Packard Company)
R2 CqMgServ; C:\Windows\system32\CpqMgmt\cqmgserv\cqmgserv.exe [17176 2013-07-12] (Hewlett-Packard Company -> Hewlett-Packard Company)
R2 CqMgStor; C:\Windows\system32\CpqMgmt\cqmgstor\cqmgstor.exe [20992 2013-06-21] (Hewlett-Packard Company) [File not signed]
R2 FMS; C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\FMS.exe [1342912 2022-02-17] (Microsoft Corporation -> Microsoft Corporation)
R2 HealthService; C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe [25272 2013-09-06] (Microsoft Corporation -> Microsoft Corp.)
R2 HostControllerService; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe [33560 2019-05-29] (Microsoft Corporation -> Microsoft Corporation)
R2 HPWMISTOR; C:\Program Files\HPWBEM\Storage\Service\HPWMISTOR.exe [20992 2013-06-28] (Hewlett-Packard Company) [File not signed]
S3 KPSSVC; C:\Windows\system32\kpssvc.dll [171520 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
S3 LiveUpdate; C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093880 2009-07-13] (Symantec Corporation -> Symantec Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [9343840 2023-12-04] (Malwarebytes Inc. -> Malwarebytes)
R2 MSExchangeADTopology; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe [194080 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeAntispamUpdate; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe [28680 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeDagMgmt; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe [24056 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeDelivery; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe [32800 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeDiagnostics; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe [128536 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeEdgeSync; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe [99304 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeFastSearch; C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe [30224 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeFrontEndTransport; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe [26576 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeHM; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe [26640 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeImap4; C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe [26136 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeIMAP4BE; C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe [26136 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeIS; C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe [26144 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeMailboxAssistants; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe [2393136 2023-01-19] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeMailboxReplication; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe [21568 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangePop3; C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe [26176 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangePOP3BE; C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe [26176 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeRepl; C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe [69120 2023-01-19] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeRPC; C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe [32792 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeServiceHost; C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe [55840 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeSubmission; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe [63008 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeThrottling; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe [41448 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeTransport; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe [78280 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeTransportLogSearch; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe [144336 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeUM; C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe [103976 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeUMCR; C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe [23552 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
S3 mtstrmd; C:\Program Files\Veritas\pdde\mtstrmd.exe [1749400 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
R2 NetBackup Client Service; C:\Program Files\Veritas\NetBackup\bin\bpcd.exe [840088 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
R2 NetBackup Discovery Framework; C:\Program Files\Veritas\NetBackup\bin\nbdisco.exe [49048 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
R2 NetBackup Legacy Client Service; C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe [287640 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
R2 NetBackup Legacy Network Service; C:\Program Files\Veritas\NetBackup\bin\vnetd.exe [226712 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
S3 NetBackup Proxy Service; C:\Program Files\Veritas\NetBackup\bin\nbostpxy.exe [1050008 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
S4 NetBackup SAN Client Fibre Transport Service; C:\Program Files\Veritas\NetBackup\bin\nbftclnt.exe [906136 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
R2 NfsService; C:\Windows\system32\nfssvc.exe [67584 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R2 ProLiantMonitor; C:\Program Files\Hewlett-Packard\iLO 3\service\ProLiantMonitor.exe [262424 2013-05-29] (Hewlett-Packard Company -> Hewlett-Packard Company)
S3 RPCHTTPLBS; C:\Windows\System32\RpcProxy\LBService.dll [25088 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [95744 2020-08-15] (Microsoft Windows -> Microsoft Corporation)
S3 RSoPProv; C:\Windows\SysWOW64\RSoPProv.exe [83968 2020-08-15] (Microsoft Windows -> Microsoft Corporation)
R3 sacsvr; C:\Windows\system32\sacsvr.dll [15872 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R2 SDD_Service; C:\Program Files\IBM\SDDDSM\sddsrv.exe [295656 2017-06-22] (IBM India Pvt Ltd -> IBM Corporation) [File not signed]
R2 SearchExchangeTracing; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe [159984 2019-05-29] (Microsoft Corporation -> Microsoft Corporation)
S4 SepLpsService; C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\ccSvcHst.exe [190664 2023-06-20] (Symantec Corporation -> Broadcom)
R2 SepMasterService; C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\ccSvcHst.exe [190664 2023-06-20] (Symantec Corporation -> Broadcom)
R2 SepScanService; C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\bin64\ccSvcHst.exe [190664 2023-06-20] (Symantec Corporation -> Broadcom)
R2 sepWscSvc; C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\sepWscSvc64.exe [1398888 2023-06-20] (Broadcom Inc -> Broadcom)
S3 SmbWitness; C:\Windows\System32\witness.dll [129536 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
S3 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\snac64.exe [173256 2023-06-20] (Symantec Corporation -> Broadcom)
R2 sysdown; C:\Program Files\Hewlett-Packard\iLO 3\service\ProLiantMonitor.exe [262424 2013-05-29] (Hewlett-Packard Company -> Hewlett-Packard Company)
R2 SysMgmtHp; C:\hp\hpsmh\bin\smhstart.exe [734208 2013-07-10] (Hewlett-Packard Company) [File not signed]
S4 System Center Management APM; C:\Program Files\Microsoft Monitoring Agent\Agent\APMDOTNETAgent\InterceptSvc.exe [626872 2013-09-06] (Microsoft Corporation -> Microsoft Corp.)
R2 UALSVC; C:\Windows\System32\ualsvc.dll [241664 2014-09-13] (Microsoft Windows -> Microsoft Corporation)
R2 VeeamDeploySvc; C:\Windows\Veeam\Backup\VeeamDeploymentSvc.exe [1549848 2021-09-23] (Veeam Software Group GmbH -> Veeam Software Group GmbH)
R2 VeeamEndpointBackupSvc; C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Service.exe [130072 2022-02-20] (Veeam Software Group GmbH -> Veeam Software Group GmbH)
R2 VRTSpbx; C:\Program Files (x86)\VERITAS\VxPBX\bin\pbx_exchange.exe [272792 2021-05-02] (Veritas Technologies LLC -> Veritas Technologies LLC)
S3 wsbexchange; C:\Program Files\Microsoft\Exchange Server\V15\bin\wsbexchange.exe [125920 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 Zabbix Agent; C:\Zabbix\zabbix_agentd.exe [440832 2016-09-12] (Zabbix SIA) [File not signed]

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 be2iscsi; C:\Windows\System32\drivers\be2iscsi.sys [266960 2015-12-29] (EMULEX -> Emulex)
R3 be2net; C:\Windows\system32\DRIVERS\ocnd63.sys [746192 2016-01-07] (EMULEX -> Emulex)
S0 bfad; C:\Windows\System32\drivers\bfad.sys [1963760 2012-07-26] (Microsoft Windows -> Brocade Communications Systems, Inc.)
S0 bfadfcoe; C:\Windows\System32\drivers\bfadfcoe.sys [1964272 2012-07-26] (Microsoft Windows -> Brocade Communications Systems, Inc.)
R1 BHDrvx64; C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Data\Definitions\BASHDefs\20240102.001\BHDrvx64.sys [1706512 2023-10-31] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
S0 bxfcoe; C:\Windows\System32\drivers\bxfcoe.sys [186096 2012-07-26] (Microsoft Windows -> Broadcom Corporation)
S0 bxois; C:\Windows\System32\drivers\bxois.sys [564976 2012-07-26] (Microsoft Windows -> Broadcom Corporation)
R2 CCFFilter; C:\Windows\system32\drivers\CCFFilter.sys [33520 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R1 ccSettings_{6B7A2D6B-C77F-4C11-8B70-2CD28AD687A6}; C:\Windows\System32\Drivers\SEP\0E0325D1\1B58.105\x64\ccSetx64.sys [200168 2023-06-20] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R3 ClusDisk; C:\Windows\System32\drivers\ClusDisk.sys [67584 2022-04-07] (Microsoft Windows -> Microsoft Corporation)
R3 CsvFlt; C:\Windows\System32\drivers\CsvFlt.sys [205824 2022-03-17] (Microsoft Windows -> Microsoft Corporation)
R3 CsvFs; C:\Windows\System32\drivers\CsvFs.sys [628736 2022-03-17] (Microsoft Windows -> Microsoft Corporation)
R3 CsvNSFlt; C:\Windows\System32\drivers\CsvNSFlt.sys [66560 2022-03-17] (Microsoft Windows -> Microsoft Corporation)
R3 csvvbus; C:\Windows\System32\drivers\csvvbus.sys [148480 2022-04-14] (Microsoft Windows -> Microsoft Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [527832 2023-06-19] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
S0 elxfcoe; C:\Windows\System32\drivers\elxfcoe.sys [699632 2012-07-26] (Microsoft Windows -> Emulex)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [159720 2023-06-21] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R0 HpCISSs2; C:\Windows\System32\drivers\HpCISSs2.sys [153920 2012-09-05] (Hewlett-Packard Company -> Hewlett-Packard Company)
R3 hpqilo3chif; C:\Windows\system32\DRIVERS\hpqilo3chif.sys [43800 2013-05-22] (Hewlett-Packard Company -> Hewlett-Packard Company)
R3 hpqilo3core; C:\Windows\System32\drivers\hpqilo3core.sys [47384 2013-05-22] (Hewlett-Packard Company -> Hewlett-Packard Company)
R0 hpqilo3whea; C:\Windows\System32\DRIVERS\hpqilo3whea.sys [18472 2010-02-12] (Hewlett-Packard -> Hewlett-Packard Company)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [222800 2024-01-04] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [239544 2023-06-12] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
S3 MpKsld867c176; C:\Windows\Temp\053D3164-F6E2-0C1A-F406-B659D0506F7B\MpKslDrv.sys [54680 2024-01-03] (Microsoft Windows -> Microsoft Corporation)
R2 MsLbfoProvider; C:\Windows\system32\DRIVERS\MsLbfoProvider.sys [99840 2013-07-02] (Microsoft Windows -> Microsoft Corporation)
R3 msnfsflt; C:\Windows\System32\drivers\msnfsflt.sys [32256 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R3 Netft; C:\Windows\system32\DRIVERS\netft.sys [86528 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R3 NfsServer; C:\Windows\System32\drivers\nfssvr.sys [1252352 2023-04-15] (Microsoft Windows -> Microsoft Corporation)
R2 Portmap; C:\Windows\System32\drivers\portmap.sys [59392 2023-04-11] (Microsoft Windows -> Microsoft Corporation)
R0 ql2300; C:\Windows\System32\drivers\ql2300.sys [1498408 2013-03-07] (QLogic Corporation -> QLogic Corporation)
R2 ResumeKeyFilter; C:\Windows\system32\drivers\ResumeKeyFilter.sys [336112 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [94448 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R0 sdddsm; C:\Windows\System32\drivers\sdddsm.sys [241896 2017-06-22] (IBM India Pvt Ltd -> IBM Corporation)
R1 SRTSP; C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Data\SymPlatform\SRTSP64.SYS [996432 2023-06-20] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R1 SRTSPX; C:\Windows\System32\Drivers\SEP\0E0325D1\1B58.105\x64\SRTSPX64.SYS [44112 2023-06-20] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R0 SymEFASI; C:\Windows\System32\drivers\symefasi\0705020.03C\symefasi64.sys [2167304 2023-06-20] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
S0 SymELAM; C:\Windows\System32\Drivers\SEP\0E0325D1\1B58.105\x64\SymELAM.sys [27136 2023-06-20] (Microsoft Windows Early Launch Anti-malware Publisher -> Broadcom)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [100832 2023-06-20] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R3 SymEvnt; C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Data\SymPlatform\SymEvnt.sys [951264 2023-08-11] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R1 SymIRON; C:\Windows\System32\Drivers\SEP\0E0325D1\1B58.105\x64\Ironx64.SYS [297992 2023-06-20] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R0 VeeamVolumeCT; C:\Windows\System32\drivers\VeeamVolumeCT.sys [227216 2022-02-20] (Microsoft Windows Hardware Compatibility Publisher -> Veeam Software AG)
R0 VirtFile; C:\Windows\System32\DRIVERS\VirtFile.sys [383304 2020-12-22] (Veritas Technologies LLC -> Veritas Technologies LLC)
R2 vstor2-mntapi20-shared; C:\Windows\system32\DRIVERS\vstor2-x64.sys [52576 2021-03-03] (VMware, Inc. -> VMware, Inc.)
S3 wtlmdrv; C:\Windows\System32\drivers\wtlmdrv.sys [31232 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
S1 byghalnv; \??\C:\Windows\system32\drivers\byghalnv.sys [X]
S1 cvsofigq; \??\C:\Windows\system32\drivers\cvsofigq.sys [X]
S1 deftbkke; \??\C:\Windows\system32\drivers\deftbkke.sys [X]
S1 dwccxnns; \??\C:\Windows\system32\drivers\dwccxnns.sys [X]
S1 epoupsau; \??\C:\Windows\system32\drivers\epoupsau.sys [X]
S1 gonxeyhu; \??\C:\Windows\system32\drivers\gonxeyhu.sys [X]
S1 gwutsruh; \??\C:\Windows\system32\drivers\gwutsruh.sys [X]
S1 isutlwrp; \??\C:\Windows\system32\drivers\isutlwrp.sys [X]
S1 nvcrsrqw; \??\C:\Windows\system32\drivers\nvcrsrqw.sys [X]
S1 rlnzbdiz; \??\C:\Windows\system32\drivers\rlnzbdiz.sys [X]
U3 SymNetS;  [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2024-01-04 10:01 - 2024-01-04 10:01 - 001048576 ____H C:\Windows\system32\ESE07_REQ.DAT
2024-01-04 09:13 - 2024-01-04 09:13 - 000000000 ____D C:\ClusterStorage
2024-01-03 10:22 - 2024-01-03 10:22 - 000000000 ____D C:\Users\Administrator\AppData\Local\Malwarebytes
2023-12-29 11:43 - 2023-12-29 11:43 - 000747888 _____ C:\Users\ex-super_user\Desktop\Tasks List.html
2023-12-29 11:41 - 2024-01-03 10:14 - 000000000 ____D C:\Users\ex-super_user\Desktop\taskschedulerview-x64
2023-12-29 11:41 - 2023-12-29 11:41 - 000097708 _____ C:\Users\ex-super_user\Desktop\taskschedulerview-x64.zip
2023-12-29 11:32 - 2024-01-03 10:17 - 000000000 ____D C:\Users\share-port_sysadmin1\AppData\Local\Malwarebytes
2023-12-26 11:32 - 2023-12-26 11:32 - 000019708 __RSH C:\ProgramData\ntuser.pol
2023-12-26 11:15 - 2024-01-04 10:20 - 000000000 ____D C:\FRST

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2024-01-04 10:18 - 2014-01-20 10:36 - 000000000 ____D C:\TEMP
2024-01-04 09:28 - 2023-06-12 11:55 - 000000000 ____D C:\Users\ex-super_user\AppData\Local\Malwarebytes
2024-01-04 09:28 - 2014-01-11 17:09 - 000000104 _____ C:\Windows\system32\config\netlogon.ftl
2024-01-04 09:18 - 2017-08-13 09:44 - 000000000 ____D C:\Windows\system32\Tasks\Symantec Endpoint Protection
2024-01-04 09:16 - 2014-01-14 11:42 - 000000000 ____D C:\Windows\Cluster
2024-01-04 09:15 - 2012-07-26 09:26 - 000262144 ___SH C:\Windows\system32\config\ELAM
2024-01-04 09:14 - 2017-10-29 00:09 - 000000031 _____ C:\BitlockerActiveMonitoringLogs
2024-01-04 09:12 - 2012-07-26 12:04 - 000000000 ____D C:\Windows\system32\inetsrv
2024-01-04 09:10 - 2012-07-26 11:14 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2024-01-04 03:00 - 2014-01-11 15:00 - 000000000 ____D C:\Windows\system32\MRT
2024-01-03 14:26 - 2014-01-14 11:42 - 000000000 ____D C:\Windows\system32\msmq
2024-01-03 10:22 - 2014-01-10 04:58 - 000000000 ____D C:\Users\Administrator
2024-01-03 10:21 - 2014-01-10 04:58 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Microsoft\Windows
2023-12-26 10:54 - 2012-07-26 09:26 - 000008192 ___SH C:\Windows\system32\config\BBI
2023-12-11 16:00 - 2023-10-22 23:00 - 001048692 _____ C:\zabbix_agentd.log.old

==================== Files in the root of some directories ========

2015-08-07 08:42 - 2015-08-07 08:42 - 000007646 _____ () C:\Users\ex-super_user\AppData\Local\Resmon.ResmonCfg

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)


LastRegBack: 2024-01-03 03:00
==================== End of FRST.txt ========================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 22-12-2023
Ran by ex-super_user (04-01-2024 10:22:19)
Running from C:\TEMP
Microsoft Windows Server 2012 Standard (X64) (2014-01-09 23:03:31)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================


(If an entry is included in the fixlist, it will be removed.)

CLIUSR (S-1-5-21-1365522570-4229012047-2779133919-1001 - Limited - Enabled)
goc1 (S-1-5-21-1365522570-4229012047-2779133919-500 - Administrator - Enabled) => C:\Users\Administrator
viewonly (S-1-5-21-1365522570-4229012047-2779133919-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Headless Server Registry Update (HKLM-x32\...\{4E5563B6-DE0A-4F3B-A5D6-15789FD12D9B}) (Version: 1.0.0.0 - Hewlett-Packard Company)
HP Insight Diagnostics  Online Edition for Windows (HKLM\...\{DCEA910B-3269-4F5B-A915-D59293004751}) (Version: 9.50.1009 - Hewlett-Packard Development Company, L.P.)
HP Insight Management Agents (HKLM\...\{B2494189-21A9-4F7A-8F0E-D6F75CEDF2B3}) (Version: 9.40.0.0 - Hewlett-Packard Company)
HP Insight Management WBEM Providers (HKLM\...\{E4496CBA-EE2A-43AC-8F0A-D6B33CB598E2}) (Version: 9.4.0.0 - Hewlett-Packard Development Company, L.P.) Hidden
HP Insight Management WBEM Providers for Windows Server x64 Editions (HKLM\...\HP-{0D1A88D4-29D7-4ED4-8045-932D7205F589}) (Version: 9.4.0.0 - Hewlett-Packard Company)
HP Lights-Out Online Configuration Utility (HKLM\...\{B2B752DB-CF58-4845-8F5C-10E398D8491A}) (Version: 4.2.0.0 - Hewlett-Packard Development Company, L.P.)
HP ProLiant Health Monitor Service (X64) (HKLM\...\{CF2C042C-A75F-4948-8661-2A9FF01B75EB}) (Version: 3.9.0.0 - Hewlett-Packard Company) Hidden
HP ProLiant iLO 3 WHEA Driver (X64) (HKLM\...\{17B03C4D-F682-41CC-BEAC-1F7C6847E8CE}) (Version: 3.0.0.0 - Hewlett-Packard Company) Hidden
HP ProLiant iLO 3/4 Channel Interface Driver (HKLM\...\HP-{85171634-98E9-47E5-9E56-96BBC7FE1715}) (Version: 3.9.0.0 - Hewlett-Packard Company)
HP ProLiant iLO 3/4 Management Controller Package (HKLM\...\HP-{15EC9FFF-3B11-4F2A-92F8-F63F33F64B31}) (Version: 3.9.0.0 - Hewlett-Packard Company)
HP ProLiant iLO CHIF Driver (X64) (HKLM\...\{BEFED944-6FB2-4BE3-AC8A-5D763B5F070F}) (Version: 3.9.0.0 - Hewlett-Packard Company) Hidden
HP ProLiant iLO Core Driver (X64) (HKLM\...\{61947408-43A6-490E-AD0B-20CB4F1B19F8}) (Version: 3.9.0.0 - Hewlett-Packard Company) Hidden
HP ProLiant Integrated Management Log Viewer (HKLM\...\{1A533B2E-7336-4497-8061-E98803E3B2DF}) (Version: 6.5.0.0 - Hewlett-Packard Company)
HP Smart Array SAS/SATA Event Notification Service (HKLM\...\{6C0706F7-FCD1-4E13-BEB2-99C2DBC3C80D}) (Version: 6.34.0.64 - Hewlett-Packard Development Company, L.P.)
HP Smart Storage Administrator (HKLM\...\{2D97040F-3B62-4BDA-A779-72EA7EC42799}) (Version: 1.50.4.0 - Hewlett-Packard Development Company, L.P.)
HP Smart Storage Administrator CLI (HKLM\...\{FDA42EE0-E693-4B6D-8769-2FEDC7C544E2}) (Version: 1.50.4.0 - Hewlett-Packard Development Company, L.P.)
HP System Management Homepage (HKLM-x32\...\{3C4DF0FD-95CF-4F7B-A816-97CEF616948F}) (Version: 7.2.2 - Hewlett-Packard Development Company, L.P.)
IIS Advanced Logging 1.0 (HKLM\...\{58749A25-6D67-41A2-9B55-E4DD26B0676F}) (Version: 1.0.0625.10 - Microsoft Corporation)
IIS URL Rewrite Module 2 (HKLM\...\{9BCA2118-F753-4A1E-BCF3-5A820729965C}) (Version: 7.2.1993 - Microsoft Corporation)
LiveUpdate 3.3 (Symantec Corporation) (HKLM-x32\...\LiveUpdate) (Version: 3.3.0.92 - Symantec Corporation)
Malwarebytes version 4.6.6.294 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.6.6.294 - Malwarebytes)
Microsoft Exchange 2007 Enterprise Anti-spam Signatures (HKLM\...\{93FCFF43-49E2-4AE5-9AD4-0256878AB886}) (Version: 3.3.4604.600 - Microsoft Corporation) Hidden
Microsoft Exchange 2007 Enterprise Block List Updates (HKLM\...\{14F288C7-C695-40D5-971D-8890605C6040}) (Version: 3.3.4604.001 - Microsoft Corporation) Hidden
Microsoft Exchange 2007 Standard Anti-spam Filter Updates (HKLM\...\{C3F10D8C-BD70-4516-B2B4-BF6901980741}) (Version: 3.3.4604.600 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Amharic (Ethiopia) (HKLM\...\{DEDFFB64-42EC-4E26-005E-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Arabic (HKLM\...\{DEDFFB64-42EC-4E26-0401-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Basque (HKLM\...\{DEDFFB64-42EC-4E26-042D-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Bengali (India) (HKLM\...\{DEDFFB64-42EC-4E26-0445-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Bulgarian (HKLM\...\{DEDFFB64-42EC-4E26-0402-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Catalan (HKLM\...\{DEDFFB64-42EC-4E26-0403-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Chinese (Simplified) (HKLM\...\{DEDFFB64-42EC-4E26-0804-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Chinese (Traditional) (HKLM\...\{DEDFFB64-42EC-4E26-0404-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Croatian (HKLM\...\{DEDFFB64-42EC-4E26-041A-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Czech (HKLM\...\{DEDFFB64-42EC-4E26-0405-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Danish (HKLM\...\{DEDFFB64-42EC-4E26-0406-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Dutch (HKLM\...\{DEDFFB64-42EC-4E26-0413-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - English (HKLM\...\{DEDFFB64-42EC-4E26-0409-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Estonian (HKLM\...\{DEDFFB64-42EC-4E26-0425-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Filipino (Philippines) (HKLM\...\{DEDFFB64-42EC-4E26-0064-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Finnish (HKLM\...\{DEDFFB64-42EC-4E26-040B-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - French (HKLM\...\{DEDFFB64-42EC-4E26-040C-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Galician (HKLM\...\{DEDFFB64-42EC-4E26-0456-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - German (HKLM\...\{DEDFFB64-42EC-4E26-0407-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Greek (HKLM\...\{DEDFFB64-42EC-4E26-0408-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Gujarati (HKLM\...\{DEDFFB64-42EC-4E26-0447-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Hebrew (HKLM\...\{DEDFFB64-42EC-4E26-040D-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Hindi (HKLM\...\{DEDFFB64-42EC-4E26-0439-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Hungarian (HKLM\...\{DEDFFB64-42EC-4E26-040E-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Icelandic (HKLM\...\{DEDFFB64-42EC-4E26-040F-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Indonesian (HKLM\...\{DEDFFB64-42EC-4E26-0421-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Italian (HKLM\...\{DEDFFB64-42EC-4E26-0410-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Japanese (HKLM\...\{DEDFFB64-42EC-4E26-0411-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Kannada (HKLM\...\{DEDFFB64-42EC-4E26-044B-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Kazakh (HKLM\...\{DEDFFB64-42EC-4E26-043F-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Kiswahili (HKLM\...\{DEDFFB64-42EC-4E26-0441-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Korean (HKLM\...\{DEDFFB64-42EC-4E26-0412-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Latvian (HKLM\...\{DEDFFB64-42EC-4E26-0426-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Lithuanian (HKLM\...\{DEDFFB64-42EC-4E26-0427-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Malay (HKLM\...\{DEDFFB64-42EC-4E26-043E-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Malayalam (India) (HKLM\...\{DEDFFB64-42EC-4E26-004C-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Marathi (HKLM\...\{DEDFFB64-42EC-4E26-044E-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Norwegian (HKLM\...\{DEDFFB64-42EC-4E26-0414-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Norwegian, Nynorsk (Norway) (HKLM\...\{DEDFFB64-42EC-4E26-0814-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Oriya (India) (HKLM\...\{DEDFFB64-42EC-4E26-0048-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Persian (HKLM\...\{DEDFFB64-42EC-4E26-0429-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Polish (HKLM\...\{DEDFFB64-42EC-4E26-0415-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Portuguese (HKLM\...\{DEDFFB64-42EC-4E26-0416-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Portuguese (Portugal) (HKLM\...\{DEDFFB64-42EC-4E26-0816-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Romanian (HKLM\...\{DEDFFB64-42EC-4E26-0418-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Russian (HKLM\...\{DEDFFB64-42EC-4E26-0419-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Serbian (Cyrillic, Serbia) (HKLM\...\{DEDFFB64-42EC-4E26-7C1A-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Serbian (HKLM\...\{DEDFFB64-42EC-4E26-081A-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Slovak (HKLM\...\{DEDFFB64-42EC-4E26-041B-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Slovenian (HKLM\...\{DEDFFB64-42EC-4E26-0424-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Spanish (HKLM\...\{DEDFFB64-42EC-4E26-0C0A-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Swedish (HKLM\...\{DEDFFB64-42EC-4E26-041D-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Tamil (HKLM\...\{DEDFFB64-42EC-4E26-0449-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Telugu (HKLM\...\{DEDFFB64-42EC-4E26-044A-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Thai (HKLM\...\{DEDFFB64-42EC-4E26-041E-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Turkish (HKLM\...\{DEDFFB64-42EC-4E26-041F-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Ukrainian (HKLM\...\{DEDFFB64-42EC-4E26-0422-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Urdu (HKLM\...\{DEDFFB64-42EC-4E26-0420-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Vietnamese (HKLM\...\{DEDFFB64-42EC-4E26-042A-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Welsh (United Kingdom) (HKLM\...\{DEDFFB64-42EC-4E26-0052-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server (HKLM\...\{4934D1EA-BE46-48B1-8847-F1AF20E892C1}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server 2013 Cumulative Update 23 (HKLM\...\Microsoft Exchange v15) (Version: 15.0.1497.2 - Microsoft Corporation)
Microsoft Exchange Server Language Pack - Chinese (Simplified) (HKLM\...\{521E6064-B4B1-4CBC-0804-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Chinese (Traditional) (HKLM\...\{521E6064-B4B1-4CBC-0404-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - English (HKLM\...\{521E6064-B4B1-4CBC-0409-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - French (HKLM\...\{521E6064-B4B1-4CBC-040C-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - German (HKLM\...\{521E6064-B4B1-4CBC-0407-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Italian (HKLM\...\{521E6064-B4B1-4CBC-0410-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Japanese (HKLM\...\{521E6064-B4B1-4CBC-0411-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Korean (HKLM\...\{521E6064-B4B1-4CBC-0412-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Portuguese (HKLM\...\{521E6064-B4B1-4CBC-0416-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Russian (HKLM\...\{521E6064-B4B1-4CBC-0419-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Spanish (HKLM\...\{521E6064-B4B1-4CBC-0C0A-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Speech - (en-US)  (HKLM\...\{CEF60964-21AE-47E0-93C6-611AA8941B7F}) (Version: 15.0.1497.0 - Microsoft Corporation) Hidden
Microsoft Filter Pack 2.0 (HKLM\...\{95140000-2000-0409-1000-0000000FF1CE}) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Lync Server 2013, Bootstrapper Prerequisites Installer Package (HKLM\...\{F582C996-9276-48C2-9878-546C9B164856}) (Version: 5.0.8308.0 - Microsoft Corporation)
Microsoft Monitoring Agent (HKLM\...\{786970C5-E6F6-4A41-B238-AE25D4B91EEA}) (Version: 7.1.10184.0 - Microsoft Corporation)
Microsoft RAP as a Service Client Package (HKLM-x32\...\{2ce313ae-4688-455b-ae6b-1172a583c20a}) (Version: 1.0.0.0 - Microsoft)
Microsoft Server Speech Platform Runtime (x64) (HKLM\...\{3B433087-E62E-4BF5-97F9-4AF6E1C2409C}) (Version: 11.0.7400.345 - Microsoft Corporation)
Microsoft Server Speech Recognition Language - TELE (ca-ES) (HKLM-x32\...\{55D56947-B976-4E27-822B-E87FEFFB35F2}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (da-DK) (HKLM-x32\...\{18B4B2E0-6A0D-4BAC-99EB-843F2C290E07}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (de-DE) (HKLM-x32\...\{955F43D9-38C4-4C22-BEE3-1A6C63F968FA}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (en-AU) (HKLM-x32\...\{FA19A2B8-9A24-49B0-A51C-CF4A6B4B2B62}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (en-CA) (HKLM-x32\...\{0C96ED3F-83E2-4917-89DC-7837DC775FEC}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (en-GB) (HKLM-x32\...\{E0D13850-F97C-4B30-9F05-862299CE8DA5}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (en-IN) (HKLM-x32\...\{3B06AC90-DE68-44A9-95EB-0A3C1AF1514F}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (en-US) (HKLM-x32\...\{66D57636-BD4B-402F-9E7D-5E89C28C8136}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (es-ES) (HKLM-x32\...\{5D4A25B6-3A4E-409B-90FA-EDE99E2006B4}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (es-MX) (HKLM-x32\...\{BE94188A-CA4F-4AC7-A1B3-52D37882C30D}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (fi-FI) (HKLM-x32\...\{E3B7DBC7-7551-4E61-9B0D-FE660CFFC4FC}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (fr-CA) (HKLM-x32\...\{58DE670F-4977-4A23-9D2E-8C82A2072920}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (fr-FR) (HKLM-x32\...\{4D2DDB98-1FE6-4CFE-BCFD-EFE27FF24FAE}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (it-IT) (HKLM-x32\...\{9267D7E7-5872-4CB1-B4E3-377F4CA272D0}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (ja-JP) (HKLM-x32\...\{A06F3EA5-7C55-4505-8982-534BA05F49BE}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (ko-KR) (HKLM-x32\...\{1D8F6891-9B7F-4F08-A54E-C568D8C33276}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (nb-NO) (HKLM-x32\...\{49B7E67F-5E62-4988-A4F4-6C54B9E814EB}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (nl-NL) (HKLM-x32\...\{2CBAB07E-4865-40F0-9D6A-EFA350420166}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (pl-PL) (HKLM-x32\...\{BEFB9378-5E88-4266-8EB1-C92869449885}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (pt-BR) (HKLM-x32\...\{F6B5EB21-0ABF-487C-B9A9-D9DB259C4403}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (pt-PT) (HKLM-x32\...\{DAFE30C6-C638-4505-9372-2ECD1A1B317C}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (ru-RU) (HKLM-x32\...\{9419B7EA-6A4B-4A57-8E2A-3BDD4676118F}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (sv-SE) (HKLM-x32\...\{12C43D71-15A1-4F83-9D4D-E3134AE6FFD6}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (zh-CN) (HKLM-x32\...\{BAD2A75A-1708-47BA-A498-20890D2C78A7}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (zh-HK) (HKLM-x32\...\{6BAA03F9-B2E5-40EB-8871-703FF0046E9D}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (zh-TW) (HKLM-x32\...\{28292B72-CF8A-4915-A5F5-07FF1E44C6F5}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TRANS (en-US) (HKLM-x32\...\{B07DA010-66CF-40A7-908F-F6482219C57F}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Text to Speech Voice (en-US, Helen) (HKLM-x32\...\{8466EAED-7024-4AEE-9D13-F3A55B98D114}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Speech Platform VXML Runtime (x64) (HKLM\...\{C82C698A-A0B7-412D-9396-31FB1A6AA45C}) (Version: 11.0.7400.345 - Microsoft Corporation)
Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit (HKLM\...\{ED98ABF5-B6BF-47ED-92AB-1CDCAB964447}) (Version: 5.0.8308.0 - Microsoft Corporation) Hidden
Microsoft Unified Communications Managed API 4.0, Runtime (HKLM\...\{41D635FE-4F9D-47F7-8230-9B29D6D42D31}) (Version: 5.0.8308.0 - Microsoft Corporation) Hidden
Microsoft Unified Communications Managed API 4.0, Runtime (HKLM\...\UCMA4) (Version: 5.0.8308.0 - Microsoft Corporation)
Microsoft Unified Communications Managed API 4.0, SSP Runtime (HKLM\...\{A41CBE7D-949C-41DD-9869-ABBD99D753DA}) (Version: 5.0.8308.0 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.50727 (HKLM\...\{AC53FC8B-EE18-3F9C-9B59-60937D0B182C}) (Version: 11.0.50727 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.50727 (HKLM\...\{A2CB1ACB-94A2-32BA-A15E-7D80319F7589}) (Version: 11.0.50727 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (HKLM\...\{929FBD26-9020-399B-9A7A-751D61F0B942}) (Version: 12.0.21005 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (HKLM\...\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}) (Version: 12.0.21005 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.27.29016 (HKLM-x32\...\{40d3fee2-b257-46c2-bdc0-cb1088d97327}) (Version: 14.27.29016.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.27.29016 (HKLM-x32\...\{1aaa01ad-3069-4288-9c6f-37a140a8f6c7}) (Version: 14.27.29016.0 - Microsoft Corporation)
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.27.29016 (HKLM\...\{F07B1E25-5670-4556-9C7F-5A1966C83269}) (Version: 14.27.29016 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.27.29016 (HKLM\...\{E493B8F4-E300-43EC-95D0-BDF3711297EA}) (Version: 14.27.29016 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.27.29016 (HKLM-x32\...\{5CD4E357-9ED6-42AC-B654-F1FC21DD60C9}) (Version: 14.27.29016 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.27.29016 (HKLM-x32\...\{E2C131AD-D30F-4D67-ACE9-B3D485E84DA8}) (Version: 14.27.29016 - Microsoft Corporation) Hidden
PFA Server Registry Update (HKLM-x32\...\{173438F5-BD4D-47AE-9C8F-73E6BAA62624}) (Version: 1.0.0.0 - Hewlett-Packard Company)
RAP as a Service Client  (HKLM-x32\...\{A2C2B1ED-F61E-4577-B7C3-ECF99CAF906A}) (Version: 2.0.40905.0 - Microsoft Corporation) Hidden
Subsystem Device Driver DSM (HKLM\...\Subsystem Device Driver DSM) (Version:  - )
Symantec Endpoint Protection (HKLM\...\{034F3EDA-2F36-414D-906F-9B7B7EBA4E68}) (Version: 14.3.9681.7000 - Broadcom)
TreeSize Free V4.5.3 (HKLM-x32\...\TreeSize Free_is1) (Version: 4.5.3 - JAM Software)
Veeam Agent for Microsoft Windows (HKLM\...\{7796202E-3320-41ED-9A2C-14613AEED3D3}) (Version: 5.0.3.4708 - Veeam Software Group GmbH)
Veeam CBT Driver (HKLM\...\VeeamCBTDriver) (Version: 10.0.0.5015 - Veeam Software Group GmbH)
Veeam Installer Service (HKLM-x32\...\VeeamDeployerService) (Version: 11.0.1.1261 - Veeam Software Group GmbH)
Veritas NetBackup Client (HKLM\...\{A34B3E34-4E84-4CB9-8D6B-0EB4467DC789}) (Version: 9.1 - Veritas Technologies LLC) Hidden
Veritas NetBackup Client (HKLM\...\Veritas NetBackup Client) (Version: 9.1 - Veritas Technologies LLC)

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ShellIconOverlayIdentifiers: [NFSShares] -> {04EA2470-913A-11D2-8CB8-0000F8083420} => C:\Windows\System32\nfssprop.dll [2012-07-26] (Microsoft Windows -> Microsoft Corporation)
ContextMenuHandlers1: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\vpshell2.dll [2023-06-20] (Symantec Corporation -> Broadcom)
ContextMenuHandlers2: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\vpshell2.dll [2023-06-20] (Symantec Corporation -> Broadcom)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2023-06-12] (Malwarebytes Inc. -> Malwarebytes)
ContextMenuHandlers6: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\vpshell2.dll [2023-06-20] (Symantec Corporation -> Broadcom)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2023-06-12] (Malwarebytes Inc. -> Malwarebytes)

==================== Codecs (Whitelisted) ====================

==================== Shortcuts & WMI ========================

==================== Loaded Modules (Whitelisted) =============

2014-01-11 16:39 - 2013-07-10 15:44 - 001613312 _____ () [File not signed] C:\hp\hpsmh\bin\libxml2.dll
2014-01-11 16:39 - 2013-07-10 15:44 - 001613312 _____ () [File not signed] C:\hp\hpsmh\modules\libxml2.dll
2014-01-11 16:39 - 2013-07-10 15:44 - 000072704 _____ () [File not signed] C:\hp\hpsmh\modules\zlib1.dll
2013-06-28 00:01 - 2013-06-28 00:01 - 000041472 _____ () [File not signed] C:\Program Files\HPWBEM\Storage\Service\CPQMDISK.dll
2013-06-28 00:01 - 2013-06-28 00:01 - 000057856 _____ () [File not signed] C:\Program Files\HPWBEM\Storage\Service\CPQMSCSI.DLL
2013-06-28 00:01 - 2013-06-28 00:01 - 000055296 _____ () [File not signed] C:\Program Files\HPWBEM\Storage\Service\CPQSAS.DLL
2013-06-28 00:01 - 2013-06-28 00:01 - 000032768 _____ () [File not signed] C:\Program Files\HPWBEM\Storage\Service\CQMGSTOR.dll
2013-06-28 00:01 - 2013-06-28 00:01 - 000029696 _____ () [File not signed] C:\Program Files\HPWBEM\Storage\Service\cqstrutl.dll
2013-06-21 03:33 - 2013-06-21 03:33 - 000115200 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQFCA.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000044544 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQIDE.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000050176 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQISCSI.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000041472 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQMDISK.dll
2013-06-21 03:33 - 2013-06-21 03:33 - 000106496 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQMIDA.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000057856 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQMSCSI.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000055808 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQSAS.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000032768 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CQMGSTOR.dll
2013-06-21 03:33 - 2013-06-21 03:33 - 000026112 _____ () [File not signed] C:\Windows\system32\CpqMgmt\CqmgStor\iscsimib.dll
2013-06-21 03:33 - 2013-06-21 03:33 - 000030720 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\STORALRT.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000224256 _____ () [File not signed] C:\Windows\system32\CpqMgmt\Cqmgstor\stormib.dll
2013-06-21 03:33 - 2013-06-21 03:33 - 000007168 _____ () [File not signed] C:\Windows\system32\cpqmgmt\cqmgstor\storsnmp.dll
2013-07-12 10:32 - 2013-07-12 10:32 - 000048640 _____ () [File not signed] C:\Windows\system32\CpqNiMgt\CPQNIMIB.DLL
2013-07-12 10:32 - 2013-07-12 10:32 - 000018432 _____ () [File not signed] C:\Windows\system32\cpqnimgt\cqnisnmp.dll
2013-07-12 10:32 - 2013-07-12 10:32 - 000025088 _____ () [File not signed] C:\Windows\system32\CpqNiMgt\NICMIB.DLL
2013-07-12 10:33 - 2013-07-12 10:33 - 000246784 _____ () [File not signed] C:\Windows\system32\cpqnimgt\w2kmgdll.dll
2013-06-21 03:33 - 2013-06-21 03:33 - 000030720 _____ () [File not signed] C:\Windows\SYSTEM32\cqstrutl.dll
2014-01-11 16:39 - 2013-07-10 15:37 - 000175104 _____ (Apache Software Foundation) [File not signed] C:\hp\hpsmh\bin\libapr-1.dll
2014-01-11 16:39 - 2013-07-10 15:37 - 000035328 _____ (Apache Software Foundation) [File not signed] C:\hp\hpsmh\bin\libapriconv-1.dll
2014-01-11 16:39 - 2013-07-10 15:37 - 000240128 _____ (Apache Software Foundation) [File not signed] C:\hp\hpsmh\bin\libaprutil-1.dll
2014-01-11 16:39 - 2013-07-10 15:44 - 000894464 _____ (Free Software Foundation) [File not signed] C:\hp\hpsmh\bin\iconv.dll
2014-01-11 16:39 - 2013-07-10 15:44 - 000894464 _____ (Free Software Foundation) [File not signed] C:\hp\hpsmh\modules\iconv.dll
2014-01-11 16:39 - 2013-07-10 15:38 - 000483840 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\bin\libhttpd.dll
2014-01-11 16:39 - 2013-07-10 15:38 - 000012800 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_access_compat.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000014848 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_alias.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000019968 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_authz_core.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000012288 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_authz_host.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000008704 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_authz_user.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000022528 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_cgi.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000012288 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_dir.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000009728 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_env.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000018944 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_headers.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000018432 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_imagemap.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000027136 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_log_config.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000019968 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_mime.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000034304 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_negotiation.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000085504 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_proxy.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000015872 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_proxy_connect.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000036864 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_proxy_http.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000060928 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_rewrite.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000013824 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_setenvif.so
2014-01-11 16:39 - 2013-07-10 15:47 - 000109056 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_smh_aa.so
2014-01-11 16:39 - 2013-07-10 15:47 - 000065536 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_smh_bc.so
2014-01-11 16:39 - 2013-07-10 15:47 - 000159744 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_smh_config.so
2014-01-11 16:39 - 2013-07-10 15:47 - 000135680 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_smh_help.so
2014-01-11 16:39 - 2013-07-10 15:47 - 000063488 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_smh_pkcs.so
2014-01-11 16:39 - 2013-07-10 15:47 - 000041984 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_smh_ui.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000020992 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_socache_shmcb.so
2014-01-11 16:39 - 2013-07-10 15:43 - 000166912 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_ssl.so
2019-05-29 01:02 - 2019-05-29 01:02 - 000270536 _____ (Microsoft Corporation -> Microsoft Corporation) [File not signed] C:\Program Files\Microsoft\Exchange Server\V15\Bin\osafehtm.dll
2023-03-16 01:50 - 2023-03-16 01:50 - 005302272 _____ (Microsoft) [File not signed] C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0ef69a75#\023b11063fcc191a4764fc2752b2acd3\Microsoft.Search.Platform.Parallax.ni.dll
2014-01-11 16:39 - 2013-07-10 15:46 - 000314880 _____ (The cURL library, hxxp://curl.haxx.se/) [File not signed] C:\hp\hpsmh\modules\libcurl.dll
2014-01-11 16:39 - 2013-07-10 15:40 - 001798656 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\hp\hpsmh\bin\LIBEAY32.dll
2014-01-11 16:39 - 2013-07-10 15:40 - 000366592 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\hp\hpsmh\bin\SSLEAY32.dll
2014-01-11 16:39 - 2013-07-10 15:52 - 009109504 _____ (The PHP Group) [File not signed] C:\hp\hpsmh\bin\php5ts.dll
2014-01-11 16:39 - 2013-07-10 15:53 - 001076224 _____ (The PHP Group) [File not signed] C:\hp\hpsmh\modules\php_mbstring.DLL
2014-01-11 16:39 - 2013-07-10 15:53 - 000034304 _____ (The PHP Group) [File not signed] C:\hp\hpsmh\modules\php5apache2.so

==================== Alternate Data Streams (Whitelisted) ========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ClusterStorage:{db19d832-b034-46ed-a6c5-61e0ebe370d1} [0]

==================== Safe Mode (Whitelisted) ==================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{1275C540-B92D-406A-B595-68C2B266A9A8}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{5CA4F88D-67B7-46CE-9653-5A17519F66F0}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{6B7A2D6B-C77F-4C11-8B70-2CD28AD687A6}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{BEC9211B-09AC-4B5B-9D31-561ADFF81A33}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{EBA0DEA8-AC55-458F-9726-2388EB4D982B}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SepMasterService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"

==================== Association (Whitelisted) =================

==================== Internet Explorer (Whitelisted) ==========

HKU\S-1-5-21-1365522570-4229012047-2779133919-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm
HKU\S-1-5-21-3412390019-1648271104-2333346583-17206\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-07-26 09:26 - 2023-07-31 00:12 - 000001064 _____ C:\Windows\system32\drivers\etc\hosts
192.168.7.8    netbackup
192.168.7.8    netbackup.gov.mu
192.168.6.80    ecp.govmu.org
192.168.7.53    backupsvr
127.0.0.1    mail.govmu.org    
192.168.6.50    GOC-EX13-SVR01.goc.ncb
192.168.6.50    GOC-EX13-SVR01

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKLM\System\CurrentControlSet\Control\Session Manager\Environment\\Path -> ; ;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft\Exchange Server\V15\bin;C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Native\
HKU\S-1-5-21-1365522570-4229012047-2779133919-500\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
HKU\S-1-5-21-3412390019-1648271104-2333346583-17206\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 192.168.2.40 - 192.168.2.41
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 0) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Off)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost => (EnableWebContentEvaluation: 0)
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC] => (Allow) C:\Windows\system32\scshost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC-EndPointMapper] => (Allow) C:\Windows\system32\scshost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [ComPlusRemoteAdministration-DCOM-In] => (Allow) C:\Windows\system32\dllhost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{A2CCFE80-3004-4D1F-B59C-69703E375A1B}] => (Allow) LPort=443
FirewallRules: [{ED70E132-AC43-4C5E-8536-DAA138AF8F3F}] => (Allow) LPort=RPC
FirewallRules: [{D42578C4-153E-4022-A569-B815FB0B1633}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.Topologyservice.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{AD6B3971-5DD3-412F-90C3-CEE969CAC935}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{57FFD6A2-5E32-4E65-A2F9-96DFBBCDC75E}] => (Allow) C:\Windows\system32\inetsrv\inetinfo.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{F779260D-1905-4B3D-BAAE-3F1EC35D0659}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{5BCF7254-AE77-4EFD-BE6B-0250073914F2}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{B5D9E7B9-D002-4A09-8591-AE7AB28A82E5}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{6244BDDB-9609-455B-9587-48F909C41F17}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{46E23EA3-714E-4E82-9A65-EA41E3DAB187}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{140688E3-F0B9-4831-AA87-13C204FEDF4F}] => (Allow) LPort=587
FirewallRules: [{02E8C397-B24E-4747-A69F-2E118805D154}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.ServiceHost.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{46AB5D8A-3915-4F22-9E76-CFEC2C1AB69D}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{659FD464-FBCB-486F-8A31-B0229032C750}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{7151732B-9863-4238-8D43-2F4D6913BC8F}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.ServiceHost.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{F5E200A2-6654-491A-99A7-9488ECB30363}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.ServiceHost.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{03BA6FF9-701C-46F5-89D4-6BCB8278AF2C}] => (Allow) LPort=80
FirewallRules: [{757FB906-7A95-4446-88EA-8B9CC119F8E9}] => (Allow) LPort=80
FirewallRules: [{CB9BB596-8479-4073-8D75-CAB56E3DDB8E}] => (Allow) LPort=443
FirewallRules: [{4D1BD810-0186-4F4F-8DE8-D050EAB521DF}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{3887FF94-A06B-4767-9770-395D63BDE299}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{47EF1C9D-589E-409F-96E4-A84286CF922A}] => (Allow) LPort=9955
FirewallRules: [{09917463-5B36-412C-B64E-F64C609C91B9}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{5774B08D-5563-4A58-B778-697595E49C34}] => (Allow) LPort=5077
FirewallRules: [{88E71246-80CF-44EB-A374-BA82F1ECE903}] => (Allow) LPort=808
FirewallRules: [{8E7D35D2-3D3F-4D72-AFAD-24319E4633B2}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{DBF0764A-DE51-4092-8BB6-5993A1DC69C5}] => (Allow) C:\Windows\system32\inetsrv\w3wp.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{79D50BD6-B118-4D2F-9A33-ABDFFA19E5EB}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{F7D083A4-E78A-42D4-AFCC-CC05E3F7EC99}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{0DE9DEC2-4366-4475-9F7C-7915FC9071EF}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{BF2848A8-B99A-46B4-AE85-59009495E6E5}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{E63BF98D-026B-4BCC-A7E4-508A6E49C5A7}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{0C19B50B-53EA-4932-A1BB-0C8C1DED4527}] => (Allow) LPort=5063
FirewallRules: [{2E49034A-FA66-4D19-8323-C5BF7326B39A}] => (Allow) LPort=5068
FirewallRules: [{5F3634D0-8665-4EA3-B717-10974D20194F}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{E680BB2B-BEFE-4C8E-8010-1DBF19D80997}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{9B3C643D-34CA-4833-97AE-8674659394AC}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{1548C0ED-A5CD-4CB5-BADB-8D27589D8C8C}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{2E45E4B8-C6A5-409F-ACE3-6D988A9C465F}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{748511E7-65AD-4641-8475-242A50B83FED}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangemigration.exe => No File
FirewallRules: [{3CBB770C-C76A-4A8D-8414-D1A9EB0C9C08}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangemigration.exe => No File
FirewallRules: [{F6F4E443-8D4B-4BE9-9313-539EDAF179D2}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{4194C992-3445-4378-B70D-146779E6B100}] => (Allow) LPort=444
FirewallRules: [{55BC27AF-401A-4469-9158-97256C4F6D37}] => (Allow) LPort=64327
FirewallRules: [{C4036C1B-9773-49E5-ACAE-43E859E99FE8}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{9ED8E544-3892-4387-9747-B4B39ADB0262}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{875075B8-45AC-45AA-8A55-5A93C5E2D032}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{22DBFBCE-2677-48D2-901F-169755E5EBD9}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{5FE1067D-2082-4A2D-9F09-755BD8D3A842}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{129592E1-763B-4317-9E03-DE51F0373A7E}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{C8AF02E2-9131-4B9C-AF8D-F186C7049BE5}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{CADA475D-E46E-496F-985F-606831A89A77}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{E79815E9-A1A9-419F-9B5E-3F76CCE20505}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{81442800-7345-4E0D-B8EF-9559D414573F}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Worker.exe => No File
FirewallRules: [{1EFF9EB1-2DA2-44E7-A35B-ADACBFB74207}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{D2B0387D-45ED-4E97-AC5E-CA006D654136}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{2F7736FF-C87C-40A7-BF74-3E2FF28C64CE}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{36FF1C14-E793-4197-AD99-51FC068CA593}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{F680402B-1388-4BCE-BF82-796226A624B9}] => (Allow) LPort=5061
FirewallRules: [{5E44A848-CB5C-494E-A0B6-1D471FF004C0}] => (Allow) LPort=139
FirewallRules: [{33319BCD-801C-4C93-A595-CF49F6EC3768}] => (Allow) LPort=993
FirewallRules: [FailoverClustering-ClusSvc-TCP-In] => (Allow) C:\Windows\cluster\clussvc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [FailoverClustering-ClusSvc-TCP-Out] => (Allow) C:\Windows\cluster\clussvc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [FailoverClustering-ClusSvcRPC-TCP-In] => (Allow) C:\Windows\cluster\clussvc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [FailoverCluster-CPREPSRV-TCP-In] => (Allow) C:\Windows\system32\cprepsrv.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [FailoverCluster-FCSRV-TCP-In] => (Allow) C:\Windows\system32\fcsrv.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{8D49C1D2-0AA4-4E09-82E5-66C71B329DB6}] => (Allow) LPort=808
FirewallRules: [{DB4DF9C9-8671-429D-A814-A0729840EDBF}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{2D85085F-0B66-47F0-8673-910E60B43EBD}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{FF438642-A66E-47FF-908A-534557F2FDF0}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Worker.exe => No File
FirewallRules: [Microsoft-Windows-NFS-ServerCore-NfsSvc-NFS-UDP-In] => (Allow) LPort=2049
FirewallRules: [Microsoft-Windows-NFS-ServerCore-NfsSvc-NFS-TCP-In] => (Allow) LPort=2049
FirewallRules: [Microsoft-Windows-NFS-OpenPortMapper-Portmap-UDP-In] => (Allow) LPort=111
FirewallRules: [Microsoft-Windows-NFS-OpenPortMapper-Portmap-TCP-In] => (Allow) LPort=111
FirewallRules: [{79ADD138-4978-42CD-8DE7-9BE071C0131F}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{0523766E-B498-4EC9-B0C6-8F28EB1EF4B8}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Worker.exe => No File
FirewallRules: [{9A43FAC6-7B3C-491C-A9F4-77A05CD1A014}] => (Allow) LPort=10050
FirewallRules: [{8B6807AA-2204-4AFC-A798-86A487AF1E80}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{8145C7B5-19C4-449C-8737-99C186F73AA9}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Worker.exe => No File
FirewallRules: [{D9DB26C0-5D6E-4531-AAFA-B7130746A7EB}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMService.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{559F0538-319C-4360-968A-A571E1E3DDF8}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{B4BCB5ED-FAAA-48E6-9842-5EB6A7920FE9}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Worker.exe => No File
FirewallRules: [{1895413C-B03A-4E28-A34F-04DD4B750B35}] => (Allow) C:\Windows\Veeam\Backup\VeeamDeploymentSvc.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{AE51BF15-72FC-44AF-A395-CA1D6648133A}] => (Allow) C:\Windows\Veeam\Backup\VeeamDeploymentSvc.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{40EFAF0A-B64E-4BDF-ADDF-0E492ACF371F}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Recovery.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{DF0CE3C5-623A-4503-95FF-F21CE915DC2B}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Service.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{EC47FF57-BA9D-41E2-BB6A-FA4A702FC60B}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Service.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{F435E95A-61FE-4B14-9640-9FB07164750E}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\x64\VeeamAgent.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{FF8C5504-55AC-42E2-B99C-93F462805D13}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\x64\VeeamAgent.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{806C43F6-FE03-484D-946C-135F07FAF10B}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\x86\VeeamAgent.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{54D3E2B2-96E8-4895-A3CC-A2CC4819B153}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\x86\VeeamAgent.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{8080CB13-DE5C-40F2-BB2C-A9AC4ACCE17A}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\VeeamDeploymentSvc.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{5A430A70-1FEB-40A8-8B56-634F8CF49945}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\VeeamDeploymentSvc.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{FBB9C05C-71D6-4B21-A91C-59F40E41A64F}] => (Allow) C:\Program Files\Veritas\NetBackup\bin\nbwin.exe (Veritas Technologies LLC -> Veritas Technologies LLC)
FirewallRules: [{8B5AD3A0-4109-4448-88CB-363F24A527E1}] => (Allow) C:\Program Files\Veritas\NetBackup\bin\nbwin.exe (Veritas Technologies LLC -> Veritas Technologies LLC)
FirewallRules: [{7FF8343D-69F4-4010-8958-260D35431E4E}] => (Allow) C:\Program Files\Veritas\NetBackup\bin\tracker.exe (Veritas Technologies LLC -> Veritas Technologies LLC)
FirewallRules: [{FD330AF1-52EF-43CD-8055-1C8797C117A0}] => (Allow) C:\Program Files\Veritas\NetBackup\bin\tracker.exe (Veritas Technologies LLC -> Veritas Technologies LLC)
FirewallRules: [{C48451FC-6140-4415-A54D-95B11F89D8F1}] => (Allow) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\ccSvcHst.exe (Symantec Corporation -> Broadcom)
FirewallRules: [{62A77899-F09F-437E-914B-C6BFFB87ADEF}] => (Allow) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\ccSvcHst.exe (Symantec Corporation -> Broadcom)
FirewallRules: [{255E213E-3F47-40F8-9459-341628F332D8}] => (Allow) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\snac64.exe (Symantec Corporation -> Broadcom)
FirewallRules: [{66AC1B0F-9C87-46D7-A7E9-1064E5F2C06A}] => (Allow) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\snac64.exe (Symantec Corporation -> Broadcom)

==================== Restore Points =========================

ATTENTION: System Restore is disabled (Total:279.36 GB) (Free:89.65 GB) (32%)

==================== Faulty Device Manager Devices ============

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #2
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #3
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #4
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #7
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #8
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #9
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #10
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #11
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #12
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: ========================

Application errors:
==================
Error: (01/04/2024 10:27:39 AM) (Source: MSExchangeFrontEndTransport) (EventID: 12018) (User: )
Description: The STARTTLS certificate will expire soon: subject: C11-EX-SVR-MBX4.gov.mu, thumbprint: 7D5ADF3BE38AF11C38D64BCB645B5D6E9DC78B19, hours remaining: 317. Run the New-ExchangeCertificate cmdlet to create a new certificate.

Error: (01/04/2024 10:26:51 AM) (Source: Microsoft-Filtering-FIPFS) (EventID: 6027) (User: NT AUTHORITY)
Description: MS Filtering Engine Update process was unsuccessful in contacting the Primary Update Path. Update Path: http://forefrontdl.microsoft.com/server/scanengineupdate

Error: (01/04/2024 10:26:51 AM) (Source: MSExchange Common) (EventID: 106) (User: )
Description: Performance counter updating error. Counter name is Time in Resource per second, category name is MSExchange Activity Context Resources. Optional code: 2. Exception: The exception thrown is : System.InvalidOperationException: Instance 'ad-powershell-defaultdomain' already exists with a lifetime of Process.  It cannot be recreated or reused until it has been removed or until the process using it has exited.
   at System.Diagnostics.SharedPerformanceCounter.FindInstance(Int32 instanceNameHashCode, String instanceName, CategoryEntry* categoryPointer, InstanceEntry** returnInstancePointerReference, Boolean activateUnusedInstances, PerformanceCounterInstanceLifetime lifetime, Boolean& foundFreeInstance)
   at System.Diagnostics.SharedPerformanceCounter.GetCounter(String counterName, String instanceName, Boolean enableReuse, PerformanceCounterInstanceLifetime lifetime)
   at System.Diagnostics.SharedPerformanceCounter..ctor(String catName, String counterName, String instanceName, PerformanceCounterInstanceLifetime lifetime)
   at System.Diagnostics.PerformanceCounter.InitializeImpl()
   at System.Diagnostics.PerformanceCounter.get_RawValue()
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.get_RawValue()
Last worker process info : System.ArgumentException: Process with an Id of 14356 is not running.
   at System.Diagnostics.Process.GetProcessById(Int32 processId, String machineName)
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
Processes running while Performance counter failed to update:
21604 ParserServer
6456 mmc
31452 ParserServer
4728 hpsmhd
4848 w3wp
844 svchost
38340 Microsoft.Exchange.Store.Worker
2564 bpcd
6872 bpfis
16352 Microsoft.Exchange.ServiceHost
14228 Microsoft.Exchange.Pop3
7296 vnetd
2116 vds
4272 conhost
14184 Microsoft.Exchange.Pop3Service
20648 svchost
45412 conhost
820 csrss
1680 svchost
2540 Microsoft.Exchange.Diagnostics.Service
8572 vnetd
11156 Microsoft.Exchange.Imap4Service
30980 conhost
3824 svchost
18908 nfssvc
4252 rotatelogs
19336 w3wp
1664 dwm
43468 csrss
15876 dllhost
31828 w3wp
14584 msexchangerepl
36564 Microsoft.Exchange.RpcClientAccess.Service
8548 SMSvcHost
25568 svchost
4236 conhost
18888 Microsoft.Exchange.Store.Service
952 winlogon
20392 powershell
14572 Microsoft.Exchange.Pop3
14140 Microsoft.Exchange.Store.Worker
11984 Microsoft.Exchange.Imap4
3360 noderunner
17148 MSExchangeThrottling
4648 noderunner
11972 Microsoft.Exchange.Imap4Service
2488 inetinfo
9788 ParserServer
8512 w3wp
4200 hpsmhd
3768 sftracing
1612 LogonUI
21668 ParserServer
3764 conhost
3332 ProLiantMonitor
40396 Microsoft.Exchange.Store.Worker
40824 ccSvcHst
2464 hpwmistor
4008 ccSvcHst
10104 w3wp
4184 conhost
2028 svchost
19248 clussvc
17920 Microsoft.Exchange.Store.Worker
4168 cmd
44248 taskhostex
7180 nbdisco
3700 sddsrv
2528 mqsvc
2864 MSExchangeHMHost
13704 Microsoft.Exchange.Pop3Service
39492 conhost
1992 spoolsv
11904 w3wp
3276 smhstart
23532 w3wp
7152 MSExchangeHMWorker
10348 scanningprocess
7148 Veeam.EndPoint.Service
6716 scanningprocess
9300 Microsoft.Exchange.EdgeSyncSvc
31280 cscript
18780 nfsclnt
7572 Microsoft.Exchange.AntispamUpdateSvc
21056 bpbkar32
18932 ServerManager
12460 MSExchangeMailboxAssistants
17912 umservice
1532 HealthService
12736 w3wp
4976 cqmgserv
24028 w3wp
42292 explorer
6692 svchost
45912 WmiPrvSE
4104 pbx_exchange
21340 monad
1512 svchost
648 smss
17024 EdgeTransport
18744 bpinetd
29948 w3wp
32964 w3wp
4516 noderunner
14636 conhost
34036 msdtc
38992 conhost
8560 vnetd
12468 w3wp
4076 snmp
4504 FRST64
17000 MSExchangeTransportLogSearch
36824 powershell
128 conhost
8800 VeeamDeploymentSvc
39400 powershell
4188 zabbix_agentd
4916 svchost
7496 rundll32
6200 MBAMService
16540 MSExchangeSubmission
4040 sepWscSvc64
2312 rotatelogs
8344 cqmghost
1016 lsass
1444 svchost
36156 TranscodingService
2732 updateservice
1004 services
42808 mbamtray
35600 conhost
1860 cpqnimgt
6600 WmiPrvSE
2164 hostcontrollerservice
12628 conhost
12196 conhost
10468 MSExchangeFrontendTransport
4432 rotatelogs
42012 powershell
43820 winlogon
2704 SMSvcHost
26408 conhost
8888 Microsoft.Exchange.Search.Service
4420 rotatelogs
9160 MSExchangeDagMgmt
44932 monad
1400 svchost
38896 TranscodingService
23364 rhs
10300 scanningprocess
18616 UMWorkerProcess
23356 rhs
40164 powershell
28524 Microsoft.Exchange.Store.Worker
3956 ForefrontActiveDirectoryConnector
6108 cqmgstor
1364 svchost
1792 conhost
4808 noderunner
17980 Microsoft.Exchange.UM.CallRouter
13420 MSExchangeMailboxReplication
38848 rdpclip
39276 VSSVC
4364 MonitoringHost
4992 WMSvc
45804 cscript
904 wininit
27892 svchost
44000 WmiPrvSE
14260 conhost
4344 w3wp
6928 Microsoft.Exchange.Directory.TopologyService
28908 Microsoft.Exchange.Store.Worker
892 csrss
1320 cissesrv
30196 conhost
10368 MSExchangeTransport
37352 conhost
13752 WmiApSrv
1736 fms
9492 MSExchangeDelivery
12508 Microsoft.Exchange.Imap4
1300 svchost
7332 rundll32
4 System
10628 dwm
3880 ccSvcHst
0 Idle
Performance Counters Layout information: A process is holding onto a transport performance counter. processId : 42012, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 42012 StartupTime: 133488231850154178, currentInstance : rpca-powershell-defaultdomain(4598AFAF) RefCount=1 SpinLock=0 Offset=43136, categoryName: MSExchange Activity Context Resources

Error: (01/04/2024 10:26:51 AM) (Source: MSExchange Common) (EventID: 106) (User: )
Description: Performance counter updating error. Counter name is Time in Resource per second, category name is MSExchange Activity Context Resources. Optional code: 2. Exception: The exception thrown is : System.InvalidOperationException: Instance 'ad-powershell-defaultdomain' already exists with a lifetime of Process.  It cannot be recreated or reused until it has been removed or until the process using it has exited.
   at System.Diagnostics.SharedPerformanceCounter.FindInstance(Int32 instanceNameHashCode, String instanceName, CategoryEntry* categoryPointer, InstanceEntry** returnInstancePointerReference, Boolean activateUnusedInstances, PerformanceCounterInstanceLifetime lifetime, Boolean& foundFreeInstance)
   at System.Diagnostics.SharedPerformanceCounter.GetCounter(String counterName, String instanceName, Boolean enableReuse, PerformanceCounterInstanceLifetime lifetime)
   at System.Diagnostics.SharedPerformanceCounter..ctor(String catName, String counterName, String instanceName, PerformanceCounterInstanceLifetime lifetime)
   at System.Diagnostics.PerformanceCounter.InitializeImpl()
   at System.Diagnostics.PerformanceCounter.get_RawValue()
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.get_RawValue()
Last worker process info : System.ArgumentException: Process with an Id of 14356 is not running.
   at System.Diagnostics.Process.GetProcessById(Int32 processId, String machineName)
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
Processes running while Performance counter failed to update:
Performance Counters Layout information: A process is holding onto a transport performance counter. processId : 42012, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 42012 StartupTime: 133488231850154178, currentInstance : rpca-powershell-defaultdomain(4598AFAF) RefCount=1 SpinLock=0 Offset=43136, categoryName: MSExchange Activity Context Resources

Error: (01/04/2024 10:21:36 AM) (Source: MSExchangeIS) (EventID: 9646) (User: )
Description: Mapi session /o=GOVMU/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=82af46657e89434480e05277a5fe89c7-RESHMA SAYEDHOSSEN with client type AirSync exceeded the maximum of 250 objects of type Message.

Error: (01/04/2024 10:19:02 AM) (Source: Microsoft-Filtering-FIPFS) (EventID: 6027) (User: NT AUTHORITY)
Description: MS Filtering Engine Update process was unsuccessful in contacting the Primary Update Path. Update Path: http://forefrontdl.microsoft.com/server/scanengineupdate

Error: (01/04/2024 10:17:14 AM) (Source: MSExchangeTransportSubmission) (EventID: 12018) (User: )
Description: The STARTTLS certificate will expire soon: subject: C11-EX-SVR-MBX4.gov.mu, thumbprint: 7D5ADF3BE38AF11C38D64BCB645B5D6E9DC78B19, hours remaining: 317. Run the New-ExchangeCertificate cmdlet to create a new certificate.

Error: (01/04/2024 10:16:54 AM) (Source: MSExchangeApplicationLogic) (EventID: 3018) (User: )
Description: Scenario[ServiceHealth]: GetConfig. CorrelationId: cfa894c2-a30d-4500-acc5-05ca8066191c. The request failed. Mailbox:  Url: https://o15.officeredir.microsoft.com/r/rlidMktplcWSConfig15?CV=15.0.1497.48&Client=WAC_Outlook&corr=cfa894c2-a30d-4500-acc5-05ca8066191c Exception: System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 52.109.124.140:443
   at System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult)
   at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at Microsoft.Exchange.Data.ApplicationLogic.Extension.BaseAsyncOmexCommand.<>c__DisplayClass2.<EndGetResponseCallback>b__1()


System errors:
=============
Error: (01/04/2024 10:28:08 AM) (Source: DCOM) (EventID: 10010) (User: GOM)
Description: The server {BB6DF56B-CACE-11DC-9992-0019B93A3A84} did not register with DCOM within the required timeout.

Error: (01/04/2024 10:27:47 AM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Error: (01/04/2024 10:27:25 AM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Error: (01/04/2024 10:27:07 AM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Error: (01/04/2024 10:26:47 AM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Error: (01/04/2024 10:26:37 AM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Error: (01/04/2024 10:26:26 AM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Error: (01/04/2024 10:26:08 AM) (Source: DCOM) (EventID: 10010) (User: GOM)
Description: The server {1ECCA34C-E88A-44E3-8D6A-8921BDE9E452} did not register with DCOM within the required timeout.


==================== Memory info ===========================

BIOS: HP I25 07/01/2013
Processor: Intel® Xeon® CPU E7- 4820 @ 2.00GHz
Percentage of memory in use: 31%
Total physical RAM: 131061.66 MB
Available physical RAM: 89815.52 MB
Total Virtual: 163829.66 MB
Available Virtual: 117115.11 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:279.36 GB) (Free:89.67 GB) (Model: HP LOGICAL VOLUME SCSI Disk Device) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (B_MBX4_VOL1) (Fixed) (Total:2764.67 GB) (Free:1417.68 GB) (Model: IBM 2145  Multi-Path Disk Device) NTFS
Drive e: (B_MBX4_VOL2) (Fixed) (Total:2764.67 GB) (Free:1180.06 GB) (Model: IBM 2145  Multi-Path Disk Device) NTFS
Drive f: (B_MBX4_VOL3) (Fixed) (Total:2764.67 GB) (Free:621.04 GB) (Model: IBM 2145  Multi-Path Disk Device) NTFS
Drive h: (B_MBX4_VOL5) (Fixed) (Total:2764.67 GB) (Free:1109.95 GB) (Model: IBM 2145  Multi-Path Disk Device) NTFS
Drive i: (B_MBX4_VOL6) (Fixed) (Total:2764.67 GB) (Free:1415.43 GB) (Model: IBM 2145  Multi-Path Disk Device) NTFS
Drive j: (B_MBX4_VOL7) (Fixed) (Total:2764.67 GB) (Free:1577.93 GB) (Model: IBM 2145  Multi-Path Disk Device) NTFS
Drive k: (LOGSMBX4) (Fixed) (Total:500 GB) (Free:132.28 GB) (Model: 3PARdata VV  Multi-Path Disk Device) NTFS
Drive n: (B_MBX4_VOL4) (Fixed) (Total:2764.67 GB) (Free:2680.15 GB) (Model: IBM 2145  Multi-Path Disk Device) NTFS
Drive z: () (Network) (Total:100 GB) (Free:99 GB) (Model: HP LOGICAL VOLUME SCSI Disk Device) NFS


==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 279.4 GB) (Disk ID: D305A9FA)
Partition 1: (Active) - (Size=279.4 GB) - (Type=07 NTFS)

==========================================================
Disk: 1 (MBR Code: Windows 7/8/10) (Size: 500 GB) (Disk ID: 09D0C734)
Partition 1: (Active) - (Size=500 GB) - (Type=07 NTFS)

==========================================================
Disk: 2 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 3 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 4 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 5 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 6 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 7 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 8 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==================== End of Addition.txt =======================



#12 Oh My!


Posted 04 January 2024 - 12:09 PM

Thank you.

Part of what I wanted to see is if there were any additional rogue services created/deleted. There were not.

-----
 

S1 byghalnv; \??\C:\Windows\system32\drivers\byghalnv.sys [X]
none of these files exist in the corresponding folder path c:\windows\system32\drivers

What this entry, and the others like it, indicates is there is a Services entry in the Registry, the Registry is instructing the computer to locate and use the C:\Windows\system32\drivers\byghalnv.sys file, but the file does not exist. In this case we simply delete the Registry entries which we will do via the Fixlist.

-----
 

FirewallRules: [{A2CCFE80-3004-4D1F-B59C-69703E375A1B}] => (Allow) LPort=443
FirewallRules: [{ED70E132-AC43-4C5E-8536-DAA138AF8F3F}] => (Allow) LPort=RPC
FirewallRules: [{140688E3-F0B9-4831-AA87-13C204FEDF4F}] => (Allow) LPort=587
FirewallRules: [{03BA6FF9-701C-46F5-89D4-6BCB8278AF2C}] => (Allow) LPort=80
FirewallRules: [{757FB906-7A95-4446-88EA-8B9CC119F8E9}] => (Allow) LPort=80
FirewallRules: [{CB9BB596-8479-4073-8D75-CAB56E3DDB8E}] => (Allow) LPort=443
FirewallRules: [{47EF1C9D-589E-409F-96E4-A84286CF922A}] => (Allow) LPort=9955
FirewallRules: [{5774B08D-5563-4A58-B778-697595E49C34}] => (Allow) LPort=5077
FirewallRules: [{88E71246-80CF-44EB-A374-BA82F1ECE903}] => (Allow) LPort=808
FirewallRules: [{0C19B50B-53EA-4932-A1BB-0C8C1DED4527}] => (Allow) LPort=5063
FirewallRules: [{2E49034A-FA66-4D19-8323-C5BF7326B39A}] => (Allow) LPort=5068
FirewallRules: [{4194C992-3445-4378-B70D-146779E6B100}] => (Allow) LPort=444
FirewallRules: [{55BC27AF-401A-4469-9158-97256C4F6D37}] => (Allow) LPort=64327
FirewallRules: [{F680402B-1388-4BCE-BF82-796226A624B9}] => (Allow) LPort=5061
FirewallRules: [{5E44A848-CB5C-494E-A0B6-1D471FF004C0}] => (Allow) LPort=139
FirewallRules: [{33319BCD-801C-4C93-A595-CF49F6EC3768}] => (Allow) LPort=993
FirewallRules: [{8D49C1D2-0AA4-4E09-82E5-66C71B329DB6}] => (Allow) LPort=808
FirewallRules: [Microsoft-Windows-NFS-ServerCore-NfsSvc-NFS-UDP-In] => (Allow) LPort=2049
FirewallRules: [Microsoft-Windows-NFS-ServerCore-NfsSvc-NFS-TCP-In] => (Allow) LPort=2049
FirewallRules: [Microsoft-Windows-NFS-OpenPortMapper-Portmap-UDP-In] => (Allow) LPort=111
FirewallRules: [Microsoft-Windows-NFS-OpenPortMapper-Portmap-TCP-In] => (Allow) LPort=111
FirewallRules: [{9A43FAC6-7B3C-491C-A9F4-77A05CD1A014}] => (Allow) LPort=10050

Open Ports on a Server are common. Above is a list of those present on your system. I am not able to determine which are legitimate and which may be harmful. If you want to monitor them and need assistance let me know.

-----

Please do this.

===================================================

Farbar Recovery Scan Tool Fix

--------------------
  • Right click on the FRST64 icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
  • There is no need to paste the information anywhere, FRST64 will do it for you
Start::
CloseProcesses:
Move: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owa" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owaold"
FilesInDirectory: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\*.aspx
FilesInDirectory: c:\inetpub\wwwroot\aspnet_client\system_web\*.aspx
cmd: dir /b /s "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy" 
cmd: tasklist /m /fi "IMAGENAME eq w3wp.exe" >"C:\Temp\w3wp.txt"
HKLM\...\Run: [QLogicSaveSystemInfo] => rundll32.exe qlco10010.dll,QLSaveSystemInfo (No File)
S1 byghalnv; \??\C:\Windows\system32\drivers\byghalnv.sys [X]
S1 cvsofigq; \??\C:\Windows\system32\drivers\cvsofigq.sys [X]
S1 deftbkke; \??\C:\Windows\system32\drivers\deftbkke.sys [X]
S1 dwccxnns; \??\C:\Windows\system32\drivers\dwccxnns.sys [X]
S1 epoupsau; \??\C:\Windows\system32\drivers\epoupsau.sys [X]
S1 gonxeyhu; \??\C:\Windows\system32\drivers\gonxeyhu.sys [X]
S1 gwutsruh; \??\C:\Windows\system32\drivers\gwutsruh.sys [X]
S1 isutlwrp; \??\C:\Windows\system32\drivers\isutlwrp.sys [X]
S1 nvcrsrqw; \??\C:\Windows\system32\drivers\nvcrsrqw.sys [X]
S1 rlnzbdiz; \??\C:\Windows\system32\drivers\rlnzbdiz.sys [X]
U3 SymNetS;  [X]
C:\TEMP
AlternateDataStreams: C:\ClusterStorage:{db19d832-b034-46ed-a6c5-61e0ebe370d1} [0]
FirewallRules: [{748511E7-65AD-4641-8475-242A50B83FED}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangemigration.exe => No File
FirewallRules: [{3CBB770C-C76A-4A8D-8414-D1A9EB0C9C08}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangemigration.exe => No File
FirewallRules: [{FF438642-A66E-47FF-908A-534557F2FDF0}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Worker.exe => No File
FirewallRules: [{0523766E-B498-4EC9-B0C6-8F28EB1EF4B8}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Worker.exe => No File
FirewallRules: [{8145C7B5-19C4-449C-8737-99C186F73AA9}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Worker.exe => No File
FirewallRules: [{B4BCB5ED-FAAA-48E6-9842-5EB6A7920FE9}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Worker.exe => No File
Zip: C:\Windows\system32\ESE07_REQ.DAT
End::
  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
  • The tool will create a w3wp.txt in the C:\Temp folder. Attach that report in your reply
  • The tool will create a zipped folder on your Desktop with today's date, example: 06.20.2023_13.24.50.zip. Upload the file here
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • Attached file
  • Uploaded file

Gary 

Lord, to whom shall we go? You have the words of eternal life. We have come to believe and to know that you are the Holy One of God.

John 6:68-69
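The reading of `[X]` service entries and `=> No File` firewall rules described in the post above, as an added example that is not part of the original thread and not FRST's own code: a small parser that pulls those entries out of FRST log text and groups the `LPort` rules by port for review. The line grammar is inferred from the lines quoted in this thread, the function names are hypothetical, and the `R2 ExampleSvc` line is constructed to show a service whose file is present.

```python
import re
from collections import defaultdict

# Constructed sample: lines in the shape FRST prints them in this thread.
# The "R2 ExampleSvc" line is made up to represent a service whose file exists.
SAMPLE_LOG = r"""
S1 byghalnv; \??\C:\Windows\system32\drivers\byghalnv.sys [X]
S1 cvsofigq; \??\C:\Windows\system32\drivers\cvsofigq.sys [X]
U3 SymNetS;  [X]
R2 ExampleSvc; C:\Program Files\Example\svc.exe [123456 2023-01-01] (Example Corp -> Example Corp)
FirewallRules: [{A2CCFE80-3004-4D1F-B59C-69703E375A1B}] => (Allow) LPort=443
FirewallRules: [{CB9BB596-8479-4073-8D75-CAB56E3DDB8E}] => (Allow) LPort=443
FirewallRules: [{ED70E132-AC43-4C5E-8536-DAA138AF8F3F}] => (Allow) LPort=RPC
FirewallRules: [{47EF1C9D-589E-409F-96E4-A84286CF922A}] => (Allow) LPort=9955
FirewallRules: [{748511E7-65AD-4641-8475-242A50B83FED}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangemigration.exe => No File
"""

# "<state letter><start-type digit> <name>; <image path and details>"
SERVICE_RE = re.compile(r"^(?P<state>[RSU])(?P<start>\d) (?P<name>[^;]+);\s*(?P<rest>.*)$")
# "FirewallRules: [<rule id>] => (<action>) <LPort=... | program path ...>"
FIREWALL_RE = re.compile(r"^FirewallRules: \[(?P<rule>[^\]]+)\] => \((?P<action>\w+)\) (?P<target>.+)$")

MISSING = "[X]"         # registry entry exists, file on disk does not
NO_FILE = "=> No File"  # firewall rule points at a program that is gone
NT_PREFIX = "\\??\\"    # NT object-namespace prefix in front of driver paths


def parse_frst(text):
    """Return orphaned services, rules with missing programs, and port -> rule ids."""
    orphans, dead_rules = [], []
    ports = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        svc = SERVICE_RE.match(line)
        if svc:
            rest = svc["rest"].strip()
            if rest.endswith(MISSING):
                path = rest[: -len(MISSING)].strip()
                if path.startswith(NT_PREFIX):
                    path = path[len(NT_PREFIX):]
                orphans.append({
                    "name": svc["name"],
                    "state": svc["state"],
                    "start": int(svc["start"]),
                    "path": path or None,  # None when the entry has no ImagePath at all
                    "line": line,
                })
            continue
        fw = FIREWALL_RE.match(line)
        if not fw:
            continue
        target = fw["target"].strip()
        if target.startswith("LPort="):
            # Keep the port as text: values such as "RPC" are not numeric.
            ports[target[len("LPort="):]].append(fw["rule"])
        elif target.endswith(NO_FILE):
            dead_rules.append({
                "rule": fw["rule"],
                "action": fw["action"],
                "program": target[: -len(NO_FILE)].strip(),
                "line": line,
            })
    return {"orphan_services": orphans, "dead_rules": dead_rules, "ports": dict(ports)}


def fixlist_candidates(parsed):
    """Wrap the original log lines in Start::/End:: as a draft for human review."""
    body = [s["line"] for s in parsed["orphan_services"]]
    body += [r["line"] for r in parsed["dead_rules"]]
    return ["Start::"] + body + ["End::"]


if __name__ == "__main__":
    result = parse_frst(SAMPLE_LOG)
    for svc in result["orphan_services"]:
        print("orphaned service:", svc["name"], "->", svc["path"])
    for rule in result["dead_rules"]:
        print("rule without program:", rule["rule"], "->", rule["program"])
    for port, rules in sorted(result["ports"].items()):
        print("allowed local port", port, "in", len(rules), "rule(s)")
    print("\n".join(fixlist_candidates(result)))
```

The draft fixlist only collects entries whose target file is already missing; every line still needs a person to confirm it before it is handed to FRST.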

#13 kpatel45


Posted 05 January 2024 - 12:57 AM

Hello Gary,

So I have done as asked. Initially, I copied the text as requested (the browser runs locally on my computer and not on the server) and clicked FIX (the FRST64 tool was run from the c:\temp folder). On task completion, the tool requested a reboot of the server, which I did. Upon login, I noticed that the C:\TEMP file was no longer there. It has been deleted. ONLY fixlog.txt was created on the desktop. There was no w3wp.txt file or the zipped file. Find below the results in fixlog.txt

 

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 05-01-2024 09:29:14)

C:\TEMP => Is moved successfully

==== End of Fixlog 09:29:14 ====

 

I tried executing the tool a 2nd time, this time from the desktop. Applied the same instructions. Only fixlog.txt was generated. The other 2 files are not there and no TEMP folder was created (it was deleted on the tool's first run). Results below:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 22-12-2023
Ran by ex-super_user (05-01-2024 09:32:06) Run:2
Running from C:\Users\ex-super_user\Desktop
Loaded Profiles: ex-super_user
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start::
CloseProcesses:
Move: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owa" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owaold"
FilesInDirectory: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\*.aspx
FilesInDirectory: c:\inetpub\wwwroot\aspnet_client\system_web\*.aspx
cmd: dir /b /s "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy"
cmd: tasklist /m /fi "IMAGENAME eq w3wp.exe" >"C:\Temp\w3wp.txt"
HKLM\...\Run: [QLogicSaveSystemInfo] => rundll32.exe qlco10010.dll,QLSaveSystemInfo (No File)
S1 byghalnv; \??\C:\Windows\system32\drivers\byghalnv.sys [X]
S1 cvsofigq; \??\C:\Windows\system32\drivers\cvsofigq.sys [X]
S1 deftbkke; \??\C:\Windows\system32\drivers\deftbkke.sys [X]
S1 dwccxnns; \??\C:\Windows\system32\drivers\dwccxnns.sys [X]
S1 epoupsau; \??\C:\Windows\system32\drivers\epoupsau.sys [X]
S1 gonxeyhu; \??\C:\Windows\system32\drivers\gonxeyhu.sys [X]
S1 gwutsruh; \??\C:\Windows\system32\drivers\gwutsruh.sys [X]
S1 isutlwrp; \??\C:\Windows\system32\drivers\isutlwrp.sys [X]
S1 nvcrsrqw; \??\C:\Windows\system32\drivers\nvcrsrqw.sys [X]
S1 rlnzbdiz; \??\C:\Windows\system32\drivers\rlnzbdiz.sys [X]
U3 SymNetS;  [X]
C:\TEMP
AlternateDataStreams: C:\ClusterStorage:{db19d832-b034-46ed-a6c5-61e0ebe370d1} [0]
FirewallRules: [{748511E7-65AD-4641-8475-242A50B83FED}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangemigration.exe => No File
FirewallRules: [{3CBB770C-C76A-4A8D-8414-D1A9EB0C9C08}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangemigration.exe => No File
FirewallRules: [{FF438642-A66E-47FF-908A-534557F2FDF0}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Worker.exe => No File
FirewallRules: [{0523766E-B498-4EC9-B0C6-8F28EB1EF4B8}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Worker.exe => No File
FirewallRules: [{8145C7B5-19C4-449C-8737-99C186F73AA9}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Worker.exe => No File
FirewallRules: [{B4BCB5ED-FAAA-48E6-9842-5EB6A7920FE9}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Worker.exe => No File
Zip: C:\Windows\system32\ESE07_REQ.DAT
End::
*****************

Processes closed successfully.
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owa" Could not move to C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owaold

========================= FilesInDirectory: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\*.aspx ========================

2019-05-29 01:02 - 2019-05-29 01:02 - 000007716 ____A [B6B0F9840DE40C22AC40D7A280AA197E] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFE.aspx
2019-05-29 01:02 - 2019-05-29 01:02 - 000007200 ____A [10A28A8F008A75D350CACEE22696E8FB] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\ExpiredPassword.aspx
2019-05-29 01:02 - 2019-05-29 01:02 - 000005254 ____A [04094AB25586D3451EF25B4A6CF1167D] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logoff.aspx
2019-02-05 10:12 - 2023-03-23 14:10 - 000016108 ____A [99F6D0A35A8E91618F737BEDC27DEAA5] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx
2019-05-29 01:02 - 2019-05-29 01:02 - 000015766 ____A [983F085A62CC27A1F66BEEB9BCB785EB] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon08032021.aspx
2023-02-22 13:49 - 2023-02-22 14:10 - 000016121 ____A [BE5003DE7B3341DB43D927983F19280B] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon_captcha22feb2023.aspx
2021-03-08 21:23 - 2020-02-09 23:22 - 000016822 ____A [797B804C2F6282C4C39021819AAE7345] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon_captcha_12Apr22.aspx
2015-08-27 22:05 - 2015-08-27 22:05 - 000015766 ____A [983F085A62CC27A1F66BEEB9BCB785EB] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon_origin.aspx
2019-05-29 01:02 - 2019-05-29 01:02 - 000000257 ____A [0494A5F48BC291915045D8EFFA38EF0D] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\outlconfig.aspx
2019-05-29 01:02 - 2019-05-29 01:02 - 000001897 ____A [E32582526C6D44DE688A1846BA0525B6] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookCN.aspx
2020-02-09 17:59 - 2020-02-09 18:39 - 000000653 ____A [E2DAB1CC6D91C0E2C44A160DD79A951A] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\recaptcha.aspx
2019-05-29 01:02 - 2019-05-29 01:02 - 000000684 ____A [92FA71D92D3EBA29FAFF1D34C94444FD] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\signin.aspx
2019-05-29 01:02 - 2019-05-29 01:02 - 000004475 ____A [8F7F55B223F978A43E2C3F1EE860C402] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\signout.aspx
2019-05-29 01:02 - 2019-05-29 01:02 - 000004694 ____A [01FD325E91A479A7B0B50FF2F916FBE4] () C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\SvmFeedback.aspx

====== End of Filesindirectory ======

========================= FilesInDirectory: c:\inetpub\wwwroot\aspnet_client\system_web\*.aspx ========================


====== End of Filesindirectory ======

========= dir /b /s "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy" =========

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\autodiscover
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\bin
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ews
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\mapi
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\oab
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\powershell
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\pushnotifications
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ReportingWebService
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\SharedWebConfig.config
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\sync
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\autodiscover\global.asax
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\autodiscover\web.config
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\autodiscover\web.config.bak
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\bin\airfilter.dll
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\bin\exppw.dll
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\bin\Microsoft.Exchange.Clients.Strings.dll
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\bin\Microsoft.Exchange.FrontEndHttpProxy.dll
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\bin\Microsoft.Exchange.HttpProxy.AddressFinder.dll
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\bin\Microsoft.Exchange.HttpProxy.Diagnostics.dll
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\bin\Microsoft.Exchange.HttpProxy.ProxyAssistant.dll
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\bin\Microsoft.Exchange.HttpProxy.RouteRefresher.dll
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\bin\Microsoft.Exchange.HttpProxy.RouteSelector.dll
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\bin\Microsoft.Exchange.HttpRedirectModules.dll
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\bin\Microsoft.Exchange.HttpUtilities.dll
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\bin\NativeHttpProxy.dll
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\bin\owaauth.dll
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\global.asax
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\web.config
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\web.config.bak
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\TimeoutLogout.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ews\global.asax
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ews\web.config
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ews\web.config.bak
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\mapi\global.asax
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\mapi\web.config
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\mapi\web.config.bak
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\oab\global.asax
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\oab\web.config
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\oab\web.config.bak
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\Bin
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\global.asax
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\web.config
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\web.config.bak
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.775
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.995
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFE.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\ExpiredPassword.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\getidtoken.htm
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logoff.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon08032021.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon_captcha22feb2023.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon_captcha_12Apr22.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon_origin.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\outlconfig.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookCN.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\recaptcha.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx.bak
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\signin.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\signout.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\SvmFeedback.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\scripts
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\scripts\premium
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\scripts\premium\fexppw.js
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\scripts\premium\flogon.js
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\bg_gradient.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\bg_gradient_login.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\errorFE.css
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\favicon.ico
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\favicon_office.ico
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\icon_settings.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\icp.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\lgnbotl.gif
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\lgnbotm.gif
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\lgnbotr.gif
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\lgnexlogo.gif
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\lgnleft.gif
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\lgnright.gif
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\lgntopl.gif
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\lgntopm.gif
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\lgntopr.gif
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\logon.css
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\office365_cn.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\olk_logo_white.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\olk_logo_white_cropped.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\olk_logo_white_small.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\owafont.css
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\owafont_ja.css
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\owafont_ko.css
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\owafont_vi.css
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\owafont_zh_chs.css
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\owafont_zh_cht.css
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\owa_text_blue.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\SegoeUI-Regular.eot
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\SegoeUI-Regular.ttf
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\SegoeUI-SemiBold.eot
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\SegoeUI-SemiBold.ttf
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\SegoeUI-SemiLight.eot
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\SegoeUI-SemiLight.ttf
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\Sign_in_arrow.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\Sign_in_arrow_rtl.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.1497\themes\resources\warn.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.775\themes
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.775\themes\resources
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.775\themes\resources\bg.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.775\themes\resources\pics.jpg
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.995\scripts
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.995\scripts\premium
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\15.0.995\scripts\premium\fexppw - Copy.js
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium\fexppw.js
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\scripts\premium\flogon.js
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\bg_gradient.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\bg_gradient_login.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\err1.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\err4.aspx
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\errorFE.css
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\favicon.ico
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\favicon_office.ico
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\icon_settings.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\icp.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\lgnbotl.gif
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\lgnbotm.gif
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\lgnbotr.gif
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\lgnexlogo.gif
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\lgnleft.gif
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\lgnright.gif
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\lgntopl.gif
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\lgntopm.gif
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\lgntopr.gif
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\logon.css
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\logon_captcha.css
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\office365_cn.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\olk_logo_white.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\olk_logo_white_cropped.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\olk_logo_white_small.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont.css
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont_ja.css
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont_ko.css
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont_vi.css
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont_zh_chs.css
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owafont_zh_cht.css
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owa_logo.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\owa_text_blue.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\SegoeUI-Regular.eot
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\SegoeUI-Regular.ttf
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\SegoeUI-SemiBold.eot
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\SegoeUI-SemiBold.ttf
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\SegoeUI-SemiLight.eot
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\SegoeUI-SemiLight.ttf
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\Sign_in_arrow.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\Sign_in_arrow_rtl.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\warn.png
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\Bin\Microsoft.Exchange.Clients.Event.dll
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\Bin\Microsoft.Exchange.Common.dll
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\powershell\global.asax
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\powershell\web.config
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\powershell\web.config.bak
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\pushnotifications\global.asax
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\pushnotifications\web.config
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\pushnotifications\web.config.bak
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ReportingWebService\global.asax
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ReportingWebService\partner
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ReportingWebService\web.config
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ReportingWebService\web.config.bak
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc\global.asax
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc\web.config
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc\web.config.bak
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\sync\global.asax
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\sync\Proxy
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\sync\web.config
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\sync\web.config.bak


========= End of CMD: =========


========= tasklist /m /fi "IMAGENAME eq w3wp.exe" >"C:\Temp\w3wp.txt" =========


========= End of CMD: =========

"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\QLogicSaveSystemInfo" => not found
byghalnv => service not found.
cvsofigq => service not found.
deftbkke => service not found.
dwccxnns => service not found.
epoupsau => service not found.
gonxeyhu => service not found.
gwutsruh => service not found.
isutlwrp => service not found.
nvcrsrqw => service not found.
rlnzbdiz => service not found.
SymNetS => service not found.
"C:\TEMP" => not found
C:\ClusterStorage => ":{db19d832-b034-46ed-a6c5-61e0ebe370d1}" ADS could not remove.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{748511E7-65AD-4641-8475-242A50B83FED}" => not found
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3CBB770C-C76A-4A8D-8414-D1A9EB0C9C08}" => not found
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FF438642-A66E-47FF-908A-534557F2FDF0}" => not found
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0523766E-B498-4EC9-B0C6-8F28EB1EF4B8}" => not found
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8145C7B5-19C4-449C-8737-99C186F73AA9}" => not found
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B4BCB5ED-FAAA-48E6-9842-5EB6A7920FE9}" => not found
================== Zip: ===================
"C:\Windows\system32\ESE07_REQ.DAT" => not found
=========== Zip: End ===========


The system needed a reboot.

==== End of Fixlog 09:32:31 ====



#14 Oh My!


Posted 05 January 2024 - 10:19 AM

Thank you for the information. Let me know if the malware continues to reappear.

Before doing anything else I would like to review another FRST Scan. Please post both reports.
Gary 

Lord, to whom shall we go? You have the words of eternal life. We have come to believe and to know that you are the Holy One of God.

John 6:68-69

#15 kpatel45


Posted 08 January 2024 - 12:21 AM

Hi Gary,

Results posted below. I will be running a new scan with MSRT.exe from Microsoft to detect if there is any new malware detected.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 22-12-2023
Ran by ex-super_user (administrator) on C11-EX-SVR-MBX4 (HP ProLiant BL680c G7) (08-01-2024 09:01:25)
Running from C:\Users\ex-super_user\Desktop\FRST64.exe
Loaded Profiles: ex-super_user
Platform: Microsoft Windows Server 2012 Standard (X64) Language: English (United States)
Default browser: IE
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(C:\hp\hpsmh\bin\hpsmhd.exe ->) (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\bin\rotatelogs.exe <4>
(C:\hp\hpsmh\bin\smhstart.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\cmd.exe
(C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe ->) (Malwarebytes Inc. -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Service.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Worker.exe <6>
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\noderunner.exe <3>
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\noderunner.exe
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\noderunner.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\ParserServer\ParserServer.exe <3>
(C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe
(C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe
(C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe
(C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe
(C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3.exe
(C:\Windows\Cluster\clussvc.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\Cluster\rhs.exe <2>
(cmd.exe ->) (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\bin\hpsmhd.exe <2>
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\ServerManager.exe
(services.exe ->) (Broadcom Inc -> Broadcom) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\sepWscSvc64.exe
(services.exe ->) (Hewlett-Packard Company -> Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\iLO 3\service\ProLiantMonitor.exe
(services.exe ->) (Hewlett-Packard Company -> Hewlett-Packard Company) C:\Windows\System32\CpqMgmt\cqmghost\cqmghost.exe
(services.exe ->) (Hewlett-Packard Company -> Hewlett-Packard Company) C:\Windows\System32\CpqMgmt\cqmgserv\cqmgserv.exe
(services.exe ->) (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\bin\smhstart.exe
(services.exe ->) (Hewlett-Packard Company) [File not signed] C:\Program Files\hp\Cissesrv\cissesrv.exe
(services.exe ->) (Hewlett-Packard Company) [File not signed] C:\Program Files\HPWBEM\Storage\Service\hpwmistor.exe
(services.exe ->) (Hewlett-Packard Company) [File not signed] C:\Windows\System32\CpqMgmt\cqmgstor\cqmgstor.exe
(services.exe ->) (Hewlett-Packard Company) [File not signed] C:\Windows\System32\CPQNiMgt\cpqnimgt.exe
(services.exe ->) (IBM India Pvt Ltd -> IBM Corporation) [File not signed] C:\Program Files\IBM\SDDDSM\sddsrv.exe
(services.exe ->) (Malwarebytes Inc. -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corp.) C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Search.Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.ServiceHost.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\fms.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe <2>
(services.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\Cluster\clussvc.exe
(services.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\inetsrv\WMSvc.exe
(services.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\nfssvc.exe
(services.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\rundll32.exe <2>
(services.exe ->) (Symantec Corporation -> Broadcom) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\ccSvcHst.exe <3>
(services.exe ->) (Veeam Software Group GmbH -> Veeam Software Group GmbH) C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Service.exe
(services.exe ->) (Veeam Software Group GmbH -> Veeam Software Group GmbH) C:\Windows\Veeam\Backup\VeeamDeploymentSvc.exe
(services.exe ->) (Veritas Technologies LLC -> Veritas Technologies LLC) C:\Program Files (x86)\VERITAS\VxPBX\bin\pbx_exchange.exe
(services.exe ->) (Veritas Technologies LLC -> Veritas Technologies LLC) C:\Program Files\Veritas\NetBackup\bin\bpcd.exe
(services.exe ->) (Veritas Technologies LLC -> Veritas Technologies LLC) C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe
(services.exe ->) (Veritas Technologies LLC -> Veritas Technologies LLC) C:\Program Files\Veritas\NetBackup\bin\nbdisco.exe
(services.exe ->) (Veritas Technologies LLC -> Veritas Technologies LLC) C:\Program Files\Veritas\NetBackup\bin\vnetd.exe <3>
(services.exe ->) (Zabbix SIA) [File not signed] C:\Zabbix\zabbix_agentd.exe
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corp.) C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe <3>
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe <13>
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Veritas Technologies LLC -> Veritas Technologies LLC) C:\Program Files\Veritas\NetBackup\bin\bpfis.exe
(winlogon.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\LogonUI.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Policies\Explorer: [AllowOnlineTips] 0
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall: Restriction <==== ATTENTION
HKLM\...\Policies\system: [legalnoticecaption] “Government Online Centre (GOC)”
HKLM\...\Policies\system: [legalnoticetext] “This system is owned and operated by GOC. Use is restricted to GOC. Authorised users must comply with the GOC IT Security Policy. Usage is monitored
HKLM\Software\Policies\...\system: [DenyRsopToInteractiveUser] 1
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}] -> "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenAdmin
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}] -> "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenUser
Lsa: [Notification Packages] scecli rassfm
BootExecute: autocheck autochk /q /v *
Policies: C:\Users\administrator.GOM\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\ex-super-var\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\ex-super-yb\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\ex-super_user\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\share-port_sysadmin1\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\share-port_sysadmin2\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\share-port_sysadmin4\NTUSER.pol: Restriction <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {9335200B-9EB5-4F29-8CA7-0555929B5408} - System32\Tasks\Delete Exchange Logs => C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [474624 2012-07-26] (Microsoft Windows -> Microsoft Corporation) -> -NonInteractive -command ". 'C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; .\ClearLogs.ps1"
Task: {734C4B31-C98B-47B1-911B-5CA88A69DA54} - System32\Tasks\Microsoft\Windows\CertificateServicesClient\Notification\ReplaceOMCert => C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [474624 2012-07-26] (Microsoft Windows -> Microsoft Corporation) -> -NonInteractive -File "C:\Program Files\Microsoft Monitoring Agent\Agent\Tools\UpdateOMCert.ps1" -OldCertHash $(OldCertHash) -NewCertHash $(NewCertHash) -EventRecordId $(EventRecordId)
Task: {4A2D7E4A-9C77-4CF0-9C9A-CF1435BBA2EB} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [256512 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
Task: {6EFE5C9E-9B8F-4468-A739-46BEB554ED57} - System32\Tasks\Microsoft\Windows\PLA\Exchange_Perfwiz => C:\Windows\system32\rundll32.exe [51712 2012-07-26] (Microsoft Windows -> Microsoft Corporation) -> C:\Windows\system32\pla.dll,PlaHost "Exchange_Perfwiz" "$(Arg0)"
Task: {D0AECC17-F481-4226-8D50-CFC2747BFD71} - System32\Tasks\Microsoft\Windows\PLA\ExchangeDiagnosticsDailyPerformanceLog => C:\Windows\system32\rundll32.exe [51712 2012-07-26] (Microsoft Windows -> Microsoft Corporation) -> C:\Windows\system32\pla.dll,PlaHost "ExchangeDiagnosticsDailyPerformanceLog" "$(Arg0)"
Task: {EBE323AD-A392-4B3A-84D1-89C71E53BC5F} - System32\Tasks\Microsoft\Windows\PLA\ExchangeDiagnosticsPerformanceLog => C:\Windows\system32\rundll32.exe [51712 2012-07-26] (Microsoft Windows -> Microsoft Corporation) -> C:\Windows\system32\pla.dll,PlaHost "ExchangeDiagnosticsPerformanceLog" "$(Arg0)"
Task: {2DD4DAE1-5FA1-4A6D-BD04-9CAA551C7450} - System32\Tasks\Microsoft\Windows\PLA\Server Manager Performance Monitor => C:\Windows\system32\rundll32.exe [51712 2012-07-26] (Microsoft Windows -> Microsoft Corporation) -> %systemroot%\system32\pla.dll,PlaHost "Server Manager Performance Monitor" "$(Arg0)"
Task: {64C59100-7846-4C78-9724-0B6E95E43CAF} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_ERROR_HB => C:\TEMP\MSERT.exe  /EHB /HeartbeatFailure "SubmitHeartbeatReportData" /HeartbeatError "0x80072ee2" (No File) <==== ATTENTION
Task: {2E1D51CF-C57C-4B06-A34A-1A8210284088} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [156112424 2023-04-19] (Microsoft Windows -> Microsoft Corporation)
Task: {8B56BECD-7294-470A-B8E9-5A0C7A454E5E} - System32\Tasks\Microsoft\Windows\Server Manager\CleanupOldPerfLogs => C:\Windows\system32\cscript.exe [146944 2018-10-26] (Microsoft Windows -> Microsoft Corporation) -> /B /nologo %systemroot%\system32\calluxxprovider.vbs $(Arg0) $(Arg1) $(Arg2)
Task: {59E8FC39-8262-4D00-849D-3A7C447D385C} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [94720 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
Task: {5198D9B3-684F-47A5-BAB0-AB87C6B9C010} - System32\Tasks\Microsoft\Windows\Setup\WS2012EOSNotify => C:\Windows\system32\WS2012EOSNotify.exe [48640 2023-06-27] (Microsoft Windows -> Microsoft Corporation)
Task: {7CC43635-0AD2-40B7-907A-8EFCDA8995A7} - System32\Tasks\Symantec Endpoint Protection\Symantec Endpoint Protection Error Analyzer => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\SymErr.exe [102312 2023-06-20] (Symantec Corporation -> Broadcom)
Task: {C0D067EE-042D-48EF-B39A-FCB884F86FBE} - System32\Tasks\Symantec Endpoint Protection\Symantec Endpoint Protection Error Processor => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\SymErr.exe [102312 2023-06-20] (Symantec Corporation -> Broadcom)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <==== ATTENTION (Restriction - ProxySettings)
ProxyEnable: [S-1-5-21-1365522570-4229012047-2779133919-500] => Proxy is enabled.
ProxyServer: [S-1-5-21-1365522570-4229012047-2779133919-500] => 192.168.66.1:8783
ProxyServer: [S-1-5-21-3412390019-1648271104-2333346583-17206] => 192.168.66.1:8783
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{60576B43-9007-4DC3-A65F-130B9290A3E0}: [NameServer] 192.168.2.40,192.168.2.41,192.168.2.39
HKLM\System\...\Parameters\PersistentRoutes: [192.168.3.31,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.3.73,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.3.71,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.3.66,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.3.185,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.2.0,255.255.255.0,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [202.123.27.104,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [202.123.27.107,255.255.255.255,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.3.0,255.255.255.0,192.168.6.1,1]
HKLM\System\...\Parameters\PersistentRoutes: [192.168.7.8,255.255.255.255,192.168.6.1,1]
PersistentRoutes: There are 22 PersistentRoutes.


==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 AdtAgent; C:\Windows\system32\AdtAgent.exe [410808 2013-09-06] (Microsoft Corporation -> Microsoft Corporation)
S4 CIMnotify; C:\Windows\system32\CIMntfy\cimntfy.exe [265496 2013-07-12] (Hewlett-Packard Company -> Hewlett-Packard Company)
R2 Cissesrv; C:\Program Files\HP\Cissesrv\cissesrv.exe [194048 2013-05-08] (Hewlett-Packard Company) [File not signed]
R2 ClusSvc; C:\Windows\Cluster\clussvc.exe [7328768 2023-06-15] (Microsoft Windows -> Microsoft Corporation)
R2 CpqNicMgmt; C:\Windows\system32\CPQNiMgt\cpqnimgt.exe [9728 2013-07-12] (Hewlett-Packard Company) [File not signed]
R2 CqMgHost; C:\Windows\system32\CpqMgmt\cqmghost\cqmghost.exe [16664 2013-07-12] (Hewlett-Packard Company -> Hewlett-Packard Company)
R2 CqMgServ; C:\Windows\system32\CpqMgmt\cqmgserv\cqmgserv.exe [17176 2013-07-12] (Hewlett-Packard Company -> Hewlett-Packard Company)
R2 CqMgStor; C:\Windows\system32\CpqMgmt\cqmgstor\cqmgstor.exe [20992 2013-06-21] (Hewlett-Packard Company) [File not signed]
R2 FMS; C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\FMS.exe [1342912 2022-02-17] (Microsoft Corporation -> Microsoft Corporation)
R2 HealthService; C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe [25272 2013-09-06] (Microsoft Corporation -> Microsoft Corp.)
R2 HostControllerService; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe [33560 2019-05-29] (Microsoft Corporation -> Microsoft Corporation)
R2 HPWMISTOR; C:\Program Files\HPWBEM\Storage\Service\HPWMISTOR.exe [20992 2013-06-28] (Hewlett-Packard Company) [File not signed]
S3 KPSSVC; C:\Windows\system32\kpssvc.dll [171520 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
S3 LiveUpdate; C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093880 2009-07-13] (Symantec Corporation -> Symantec Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [9343840 2023-12-04] (Malwarebytes Inc. -> Malwarebytes)
R2 MSExchangeADTopology; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe [194080 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeAntispamUpdate; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe [28680 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeDagMgmt; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe [24056 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeDelivery; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe [32800 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeDiagnostics; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe [128536 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeEdgeSync; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe [99304 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeFastSearch; C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe [30224 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeFrontEndTransport; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe [26576 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeHM; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe [26640 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeImap4; C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe [26136 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeIMAP4BE; C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe [26136 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeIS; C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe [26144 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeMailboxAssistants; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe [2393136 2023-01-19] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeMailboxReplication; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe [21568 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangePop3; C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe [26176 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangePOP3BE; C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe [26176 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeRepl; C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe [69120 2023-01-19] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeRPC; C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe [32792 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeServiceHost; C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe [55840 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeSubmission; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe [63008 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeThrottling; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe [41448 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeTransport; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe [78280 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeTransportLogSearch; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe [144336 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeUM; C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe [103976 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 MSExchangeUMCR; C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe [23552 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
S3 mtstrmd; C:\Program Files\Veritas\pdde\mtstrmd.exe [1749400 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
R2 NetBackup Client Service; C:\Program Files\Veritas\NetBackup\bin\bpcd.exe [840088 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
R2 NetBackup Discovery Framework; C:\Program Files\Veritas\NetBackup\bin\nbdisco.exe [49048 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
R2 NetBackup Legacy Client Service; C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe [287640 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
R2 NetBackup Legacy Network Service; C:\Program Files\Veritas\NetBackup\bin\vnetd.exe [226712 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
S3 NetBackup Proxy Service; C:\Program Files\Veritas\NetBackup\bin\nbostpxy.exe [1050008 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
S4 NetBackup SAN Client Fibre Transport Service; C:\Program Files\Veritas\NetBackup\bin\nbftclnt.exe [906136 2021-05-25] (Veritas Technologies LLC -> Veritas Technologies LLC)
R2 NfsService; C:\Windows\system32\nfssvc.exe [67584 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R2 ProLiantMonitor; C:\Program Files\Hewlett-Packard\iLO 3\service\ProLiantMonitor.exe [262424 2013-05-29] (Hewlett-Packard Company -> Hewlett-Packard Company)
S3 RPCHTTPLBS; C:\Windows\System32\RpcProxy\LBService.dll [25088 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [95744 2020-08-15] (Microsoft Windows -> Microsoft Corporation)
S3 RSoPProv; C:\Windows\SysWOW64\RSoPProv.exe [83968 2020-08-15] (Microsoft Windows -> Microsoft Corporation)
R3 sacsvr; C:\Windows\system32\sacsvr.dll [15872 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R2 SDD_Service; C:\Program Files\IBM\SDDDSM\sddsrv.exe [295656 2017-06-22] (IBM India Pvt Ltd -> IBM Corporation) [File not signed]
R2 SearchExchangeTracing; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe [159984 2019-05-29] (Microsoft Corporation -> Microsoft Corporation)
S4 SepLpsService; C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\ccSvcHst.exe [190664 2023-06-20] (Symantec Corporation -> Broadcom)
R2 SepMasterService; C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\ccSvcHst.exe [190664 2023-06-20] (Symantec Corporation -> Broadcom)
R2 SepScanService; C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\bin64\ccSvcHst.exe [190664 2023-06-20] (Symantec Corporation -> Broadcom)
R2 sepWscSvc; C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\sepWscSvc64.exe [1398888 2023-06-20] (Broadcom Inc -> Broadcom)
S3 SmbWitness; C:\Windows\System32\witness.dll [129536 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
S3 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\snac64.exe [173256 2023-06-20] (Symantec Corporation -> Broadcom)
R2 sysdown; C:\Program Files\Hewlett-Packard\iLO 3\service\ProLiantMonitor.exe [262424 2013-05-29] (Hewlett-Packard Company -> Hewlett-Packard Company)
R2 SysMgmtHp; C:\hp\hpsmh\bin\smhstart.exe [734208 2013-07-10] (Hewlett-Packard Company) [File not signed]
S4 System Center Management APM; C:\Program Files\Microsoft Monitoring Agent\Agent\APMDOTNETAgent\InterceptSvc.exe [626872 2013-09-06] (Microsoft Corporation -> Microsoft Corp.)
R2 UALSVC; C:\Windows\System32\ualsvc.dll [241664 2014-09-13] (Microsoft Windows -> Microsoft Corporation)
R2 VeeamDeploySvc; C:\Windows\Veeam\Backup\VeeamDeploymentSvc.exe [1549848 2021-09-23] (Veeam Software Group GmbH -> Veeam Software Group GmbH)
R2 VeeamEndpointBackupSvc; C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Service.exe [130072 2022-02-20] (Veeam Software Group GmbH -> Veeam Software Group GmbH)
R2 VRTSpbx; C:\Program Files (x86)\VERITAS\VxPBX\bin\pbx_exchange.exe [272792 2021-05-02] (Veritas Technologies LLC -> Veritas Technologies LLC)
S3 wsbexchange; C:\Program Files\Microsoft\Exchange Server\V15\bin\wsbexchange.exe [125920 2023-02-24] (Microsoft Corporation -> Microsoft Corporation)
R2 Zabbix Agent; C:\Zabbix\zabbix_agentd.exe [440832 2016-09-12] (Zabbix SIA) [File not signed]

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 be2iscsi; C:\Windows\System32\drivers\be2iscsi.sys [266960 2015-12-29] (EMULEX -> Emulex)
R3 be2net; C:\Windows\system32\DRIVERS\ocnd63.sys [746192 2016-01-07] (EMULEX -> Emulex)
S0 bfad; C:\Windows\System32\drivers\bfad.sys [1963760 2012-07-26] (Microsoft Windows -> Brocade Communications Systems, Inc.)
S0 bfadfcoe; C:\Windows\System32\drivers\bfadfcoe.sys [1964272 2012-07-26] (Microsoft Windows -> Brocade Communications Systems, Inc.)
R1 BHDrvx64; C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Data\Definitions\BASHDefs\20240104.001\BHDrvx64.sys [1706512 2023-10-31] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
S0 bxfcoe; C:\Windows\System32\drivers\bxfcoe.sys [186096 2012-07-26] (Microsoft Windows -> Broadcom Corporation)
S0 bxois; C:\Windows\System32\drivers\bxois.sys [564976 2012-07-26] (Microsoft Windows -> Broadcom Corporation)
R2 CCFFilter; C:\Windows\system32\drivers\CCFFilter.sys [33520 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R1 ccSettings_{6B7A2D6B-C77F-4C11-8B70-2CD28AD687A6}; C:\Windows\System32\Drivers\SEP\0E0325D1\1B58.105\x64\ccSetx64.sys [200168 2023-06-20] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R3 ClusDisk; C:\Windows\System32\drivers\ClusDisk.sys [67584 2022-04-07] (Microsoft Windows -> Microsoft Corporation)
R3 CsvFlt; C:\Windows\System32\drivers\CsvFlt.sys [205824 2022-03-17] (Microsoft Windows -> Microsoft Corporation)
R3 CsvFs; C:\Windows\System32\drivers\CsvFs.sys [628736 2022-03-17] (Microsoft Windows -> Microsoft Corporation)
R3 CsvNSFlt; C:\Windows\System32\drivers\CsvNSFlt.sys [66560 2022-03-17] (Microsoft Windows -> Microsoft Corporation)
R3 csvvbus; C:\Windows\System32\drivers\csvvbus.sys [148480 2022-04-14] (Microsoft Windows -> Microsoft Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [527832 2023-06-19] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
S0 elxfcoe; C:\Windows\System32\drivers\elxfcoe.sys [699632 2012-07-26] (Microsoft Windows -> Emulex)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [159720 2023-06-21] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R0 HpCISSs2; C:\Windows\System32\drivers\HpCISSs2.sys [153920 2012-09-05] (Hewlett-Packard Company -> Hewlett-Packard Company)
R3 hpqilo3chif; C:\Windows\system32\DRIVERS\hpqilo3chif.sys [43800 2013-05-22] (Hewlett-Packard Company -> Hewlett-Packard Company)
R3 hpqilo3core; C:\Windows\System32\drivers\hpqilo3core.sys [47384 2013-05-22] (Hewlett-Packard Company -> Hewlett-Packard Company)
R0 hpqilo3whea; C:\Windows\System32\DRIVERS\hpqilo3whea.sys [18472 2010-02-12] (Hewlett-Packard -> Hewlett-Packard Company)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [222800 2024-01-04] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [239544 2023-06-12] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
S3 MpKsld867c176; C:\Windows\Temp\053D3164-F6E2-0C1A-F406-B659D0506F7B\MpKslDrv.sys [54680 2024-01-03] (Microsoft Windows -> Microsoft Corporation)
R2 MsLbfoProvider; C:\Windows\system32\DRIVERS\MsLbfoProvider.sys [99840 2013-07-02] (Microsoft Windows -> Microsoft Corporation)
R3 msnfsflt; C:\Windows\System32\drivers\msnfsflt.sys [32256 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R3 Netft; C:\Windows\system32\DRIVERS\netft.sys [86528 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R3 NfsServer; C:\Windows\System32\drivers\nfssvr.sys [1252352 2023-04-15] (Microsoft Windows -> Microsoft Corporation)
R2 Portmap; C:\Windows\System32\drivers\portmap.sys [59392 2023-04-11] (Microsoft Windows -> Microsoft Corporation)
R0 ql2300; C:\Windows\System32\drivers\ql2300.sys [1498408 2013-03-07] (QLogic Corporation -> QLogic Corporation)
R2 ResumeKeyFilter; C:\Windows\system32\drivers\ResumeKeyFilter.sys [336112 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [94448 2012-07-26] (Microsoft Windows -> Microsoft Corporation)
R0 sdddsm; C:\Windows\System32\drivers\sdddsm.sys [241896 2017-06-22] (IBM India Pvt Ltd -> IBM Corporation)
R1 SRTSP; C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Data\SymPlatform\SRTSP64.SYS [996432 2023-06-20] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R1 SRTSPX; C:\Windows\System32\Drivers\SEP\0E0325D1\1B58.105\x64\SRTSPX64.SYS [44112 2023-06-20] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R0 SymEFASI; C:\Windows\System32\drivers\symefasi\0705020.03C\symefasi64.sys [2167304 2023-06-20] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
S0 SymELAM; C:\Windows\System32\Drivers\SEP\0E0325D1\1B58.105\x64\SymELAM.sys [27136 2023-06-20] (Microsoft Windows Early Launch Anti-malware Publisher -> Broadcom)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [100832 2023-06-20] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R3 SymEvnt; C:\ProgramData\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Data\SymPlatform\SymEvnt.sys [951264 2023-08-11] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R1 SymIRON; C:\Windows\System32\Drivers\SEP\0E0325D1\1B58.105\x64\Ironx64.SYS [297992 2023-06-20] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R0 VeeamVolumeCT; C:\Windows\System32\drivers\VeeamVolumeCT.sys [227216 2022-02-20] (Microsoft Windows Hardware Compatibility Publisher -> Veeam Software AG)
R0 VirtFile; C:\Windows\System32\DRIVERS\VirtFile.sys [383304 2020-12-22] (Veritas Technologies LLC -> Veritas Technologies LLC)
R2 vstor2-mntapi20-shared; C:\Windows\system32\DRIVERS\vstor2-x64.sys [52576 2021-03-03] (VMware, Inc. -> VMware, Inc.)
S3 wtlmdrv; C:\Windows\System32\drivers\wtlmdrv.sys [31232 2012-07-26] (Microsoft Windows -> Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2024-01-08 09:01 - 2024-01-08 09:03 - 000037963 _____ C:\Users\ex-super_user\Desktop\FRST.txt
2024-01-06 00:10 - 2024-01-08 00:10 - 000000000 ____D C:\temp
2024-01-05 10:14 - 2024-01-05 10:14 - 001048576 ____H C:\Windows\system32\ESE07_REQ.DAT
2024-01-05 09:41 - 2024-01-05 09:41 - 000000000 ____D C:\ClusterStorage
2024-01-05 09:32 - 2024-01-05 09:32 - 000026702 _____ C:\Users\ex-super_user\Desktop\Fixlog.txt
2024-01-05 09:29 - 2024-01-05 09:29 - 000000160 _____ C:\Users\ex-super_user\Desktop\Fixlog1.txt
2024-01-05 09:29 - 2023-12-26 11:04 - 002387456 _____ (Farbar) C:\Users\ex-super_user\Desktop\FRST64.exe
2024-01-03 10:22 - 2024-01-03 10:22 - 000000000 ____D C:\Users\Administrator\AppData\Local\Malwarebytes
2023-12-29 11:43 - 2023-12-29 11:43 - 000747888 _____ C:\Users\ex-super_user\Desktop\Tasks List.html
2023-12-29 11:41 - 2024-01-05 09:52 - 000000000 ____D C:\Users\ex-super_user\Desktop\taskschedulerview-x64
2023-12-29 11:41 - 2023-12-29 11:41 - 000097708 _____ C:\Users\ex-super_user\Desktop\taskschedulerview-x64.zip
2023-12-29 11:32 - 2024-01-03 10:17 - 000000000 ____D C:\Users\share-port_sysadmin1\AppData\Local\Malwarebytes
2023-12-26 11:32 - 2023-12-26 11:32 - 000019708 __RSH C:\ProgramData\ntuser.pol
2023-12-26 11:15 - 2024-01-08 09:03 - 000000000 ____D C:\FRST

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2024-01-08 08:09 - 2014-01-11 17:09 - 000000104 _____ C:\Windows\system32\config\netlogon.ftl
2024-01-08 03:00 - 2014-01-11 15:00 - 000000000 ____D C:\Windows\system32\MRT
2024-01-07 09:45 - 2023-06-12 11:55 - 000000000 ____D C:\Users\ex-super_user\AppData\Local\Malwarebytes
2024-01-05 09:46 - 2017-08-13 09:44 - 000000000 ____D C:\Windows\system32\Tasks\Symantec Endpoint Protection
2024-01-05 09:43 - 2017-10-29 00:09 - 000000031 _____ C:\BitlockerActiveMonitoringLogs
2024-01-05 09:41 - 2014-01-14 11:42 - 000000000 ____D C:\Windows\Cluster
2024-01-05 09:41 - 2012-07-26 12:04 - 000000000 ____D C:\Windows\system32\inetsrv
2024-01-05 09:39 - 2012-07-26 11:14 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2024-01-05 09:07 - 2012-07-26 09:26 - 000008192 ___SH C:\Windows\system32\config\BBI
2024-01-05 09:00 - 2012-07-26 09:26 - 000262144 ___SH C:\Windows\system32\config\ELAM
2024-01-03 14:26 - 2014-01-14 11:42 - 000000000 ____D C:\Windows\system32\msmq
2024-01-03 10:22 - 2014-01-10 04:58 - 000000000 ____D C:\Users\Administrator
2024-01-03 10:21 - 2014-01-10 04:58 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Microsoft\Windows
2023-12-11 16:00 - 2023-10-22 23:00 - 001048692 _____ C:\zabbix_agentd.log.old

==================== Files in the root of some directories ========

2015-08-07 08:42 - 2015-08-07 08:42 - 000007646 _____ () C:\Users\ex-super_user\AppData\Local\Resmon.ResmonCfg

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)


LastRegBack: 2024-01-03 03:00
==================== End of FRST.txt ========================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 22-12-2023
Ran by ex-super_user (08-01-2024 09:04:23)
Running from C:\Users\ex-super_user\Desktop
Microsoft Windows Server 2012 Standard (X64) (2014-01-09 23:03:31)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================


(If an entry is included in the fixlist, it will be removed.)

CLIUSR (S-1-5-21-1365522570-4229012047-2779133919-1001 - Limited - Enabled)
goc1 (S-1-5-21-1365522570-4229012047-2779133919-500 - Administrator - Enabled) => C:\Users\Administrator
viewonly (S-1-5-21-1365522570-4229012047-2779133919-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Headless Server Registry Update (HKLM-x32\...\{4E5563B6-DE0A-4F3B-A5D6-15789FD12D9B}) (Version: 1.0.0.0 - Hewlett-Packard Company)
HP Insight Diagnostics  Online Edition for Windows (HKLM\...\{DCEA910B-3269-4F5B-A915-D59293004751}) (Version: 9.50.1009 - Hewlett-Packard Development Company, L.P.)
HP Insight Management Agents (HKLM\...\{B2494189-21A9-4F7A-8F0E-D6F75CEDF2B3}) (Version: 9.40.0.0 - Hewlett-Packard Company)
HP Insight Management WBEM Providers (HKLM\...\{E4496CBA-EE2A-43AC-8F0A-D6B33CB598E2}) (Version: 9.4.0.0 - Hewlett-Packard Development Company, L.P.) Hidden
HP Insight Management WBEM Providers for Windows Server x64 Editions (HKLM\...\HP-{0D1A88D4-29D7-4ED4-8045-932D7205F589}) (Version: 9.4.0.0 - Hewlett-Packard Company)
HP Lights-Out Online Configuration Utility (HKLM\...\{B2B752DB-CF58-4845-8F5C-10E398D8491A}) (Version: 4.2.0.0 - Hewlett-Packard Development Company, L.P.)
HP ProLiant Health Monitor Service (X64) (HKLM\...\{CF2C042C-A75F-4948-8661-2A9FF01B75EB}) (Version: 3.9.0.0 - Hewlett-Packard Company) Hidden
HP ProLiant iLO 3 WHEA Driver (X64) (HKLM\...\{17B03C4D-F682-41CC-BEAC-1F7C6847E8CE}) (Version: 3.0.0.0 - Hewlett-Packard Company) Hidden
HP ProLiant iLO 3/4 Channel Interface Driver (HKLM\...\HP-{85171634-98E9-47E5-9E56-96BBC7FE1715}) (Version: 3.9.0.0 - Hewlett-Packard Company)
HP ProLiant iLO 3/4 Management Controller Package (HKLM\...\HP-{15EC9FFF-3B11-4F2A-92F8-F63F33F64B31}) (Version: 3.9.0.0 - Hewlett-Packard Company)
HP ProLiant iLO CHIF Driver (X64) (HKLM\...\{BEFED944-6FB2-4BE3-AC8A-5D763B5F070F}) (Version: 3.9.0.0 - Hewlett-Packard Company) Hidden
HP ProLiant iLO Core Driver (X64) (HKLM\...\{61947408-43A6-490E-AD0B-20CB4F1B19F8}) (Version: 3.9.0.0 - Hewlett-Packard Company) Hidden
HP ProLiant Integrated Management Log Viewer (HKLM\...\{1A533B2E-7336-4497-8061-E98803E3B2DF}) (Version: 6.5.0.0 - Hewlett-Packard Company)
HP Smart Array SAS/SATA Event Notification Service (HKLM\...\{6C0706F7-FCD1-4E13-BEB2-99C2DBC3C80D}) (Version: 6.34.0.64 - Hewlett-Packard Development Company, L.P.)
HP Smart Storage Administrator (HKLM\...\{2D97040F-3B62-4BDA-A779-72EA7EC42799}) (Version: 1.50.4.0 - Hewlett-Packard Development Company, L.P.)
HP Smart Storage Administrator CLI (HKLM\...\{FDA42EE0-E693-4B6D-8769-2FEDC7C544E2}) (Version: 1.50.4.0 - Hewlett-Packard Development Company, L.P.)
HP System Management Homepage (HKLM-x32\...\{3C4DF0FD-95CF-4F7B-A816-97CEF616948F}) (Version: 7.2.2 - Hewlett-Packard Development Company, L.P.)
IIS Advanced Logging 1.0 (HKLM\...\{58749A25-6D67-41A2-9B55-E4DD26B0676F}) (Version: 1.0.0625.10 - Microsoft Corporation)
IIS URL Rewrite Module 2 (HKLM\...\{9BCA2118-F753-4A1E-BCF3-5A820729965C}) (Version: 7.2.1993 - Microsoft Corporation)
LiveUpdate 3.3 (Symantec Corporation) (HKLM-x32\...\LiveUpdate) (Version: 3.3.0.92 - Symantec Corporation)
Malwarebytes version 4.6.6.294 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.6.6.294 - Malwarebytes)
Microsoft Exchange 2007 Enterprise Anti-spam Signatures (HKLM\...\{93FCFF43-49E2-4AE5-9AD4-0256878AB886}) (Version: 3.3.4604.600 - Microsoft Corporation) Hidden
Microsoft Exchange 2007 Enterprise Block List Updates (HKLM\...\{14F288C7-C695-40D5-971D-8890605C6040}) (Version: 3.3.4604.001 - Microsoft Corporation) Hidden
Microsoft Exchange 2007 Standard Anti-spam Filter Updates (HKLM\...\{C3F10D8C-BD70-4516-B2B4-BF6901980741}) (Version: 3.3.4604.600 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Amharic (Ethiopia) (HKLM\...\{DEDFFB64-42EC-4E26-005E-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Arabic (HKLM\...\{DEDFFB64-42EC-4E26-0401-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Basque (HKLM\...\{DEDFFB64-42EC-4E26-042D-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Bengali (India) (HKLM\...\{DEDFFB64-42EC-4E26-0445-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Bulgarian (HKLM\...\{DEDFFB64-42EC-4E26-0402-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Catalan (HKLM\...\{DEDFFB64-42EC-4E26-0403-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Chinese (Simplified) (HKLM\...\{DEDFFB64-42EC-4E26-0804-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Chinese (Traditional) (HKLM\...\{DEDFFB64-42EC-4E26-0404-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Croatian (HKLM\...\{DEDFFB64-42EC-4E26-041A-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Czech (HKLM\...\{DEDFFB64-42EC-4E26-0405-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Danish (HKLM\...\{DEDFFB64-42EC-4E26-0406-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Dutch (HKLM\...\{DEDFFB64-42EC-4E26-0413-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - English (HKLM\...\{DEDFFB64-42EC-4E26-0409-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Estonian (HKLM\...\{DEDFFB64-42EC-4E26-0425-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Filipino (Philippines) (HKLM\...\{DEDFFB64-42EC-4E26-0064-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Finnish (HKLM\...\{DEDFFB64-42EC-4E26-040B-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - French (HKLM\...\{DEDFFB64-42EC-4E26-040C-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Galician (HKLM\...\{DEDFFB64-42EC-4E26-0456-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - German (HKLM\...\{DEDFFB64-42EC-4E26-0407-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Greek (HKLM\...\{DEDFFB64-42EC-4E26-0408-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Gujarati (HKLM\...\{DEDFFB64-42EC-4E26-0447-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Hebrew (HKLM\...\{DEDFFB64-42EC-4E26-040D-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Hindi (HKLM\...\{DEDFFB64-42EC-4E26-0439-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Hungarian (HKLM\...\{DEDFFB64-42EC-4E26-040E-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Icelandic (HKLM\...\{DEDFFB64-42EC-4E26-040F-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Indonesian (HKLM\...\{DEDFFB64-42EC-4E26-0421-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Italian (HKLM\...\{DEDFFB64-42EC-4E26-0410-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Japanese (HKLM\...\{DEDFFB64-42EC-4E26-0411-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Kannada (HKLM\...\{DEDFFB64-42EC-4E26-044B-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Kazakh (HKLM\...\{DEDFFB64-42EC-4E26-043F-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Kiswahili (HKLM\...\{DEDFFB64-42EC-4E26-0441-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Korean (HKLM\...\{DEDFFB64-42EC-4E26-0412-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Latvian (HKLM\...\{DEDFFB64-42EC-4E26-0426-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Lithuanian (HKLM\...\{DEDFFB64-42EC-4E26-0427-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Malay (HKLM\...\{DEDFFB64-42EC-4E26-043E-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Malayalam (India) (HKLM\...\{DEDFFB64-42EC-4E26-004C-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Marathi (HKLM\...\{DEDFFB64-42EC-4E26-044E-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Norwegian (HKLM\...\{DEDFFB64-42EC-4E26-0414-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Norwegian, Nynorsk (Norway) (HKLM\...\{DEDFFB64-42EC-4E26-0814-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Oriya (India) (HKLM\...\{DEDFFB64-42EC-4E26-0048-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Persian (HKLM\...\{DEDFFB64-42EC-4E26-0429-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Polish (HKLM\...\{DEDFFB64-42EC-4E26-0415-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Portuguese (HKLM\...\{DEDFFB64-42EC-4E26-0416-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Portuguese (Portugal) (HKLM\...\{DEDFFB64-42EC-4E26-0816-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Romanian (HKLM\...\{DEDFFB64-42EC-4E26-0418-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Russian (HKLM\...\{DEDFFB64-42EC-4E26-0419-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Serbian (Cyrillic, Serbia) (HKLM\...\{DEDFFB64-42EC-4E26-7C1A-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Serbian (HKLM\...\{DEDFFB64-42EC-4E26-081A-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Slovak (HKLM\...\{DEDFFB64-42EC-4E26-041B-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Slovenian (HKLM\...\{DEDFFB64-42EC-4E26-0424-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Spanish (HKLM\...\{DEDFFB64-42EC-4E26-0C0A-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Swedish (HKLM\...\{DEDFFB64-42EC-4E26-041D-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Tamil (HKLM\...\{DEDFFB64-42EC-4E26-0449-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Telugu (HKLM\...\{DEDFFB64-42EC-4E26-044A-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Thai (HKLM\...\{DEDFFB64-42EC-4E26-041E-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Turkish (HKLM\...\{DEDFFB64-42EC-4E26-041F-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Ukrainian (HKLM\...\{DEDFFB64-42EC-4E26-0422-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Urdu (HKLM\...\{DEDFFB64-42EC-4E26-0420-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Vietnamese (HKLM\...\{DEDFFB64-42EC-4E26-042A-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Client Language Pack - Welsh (United Kingdom) (HKLM\...\{DEDFFB64-42EC-4E26-0052-430E86DF378C}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server (HKLM\...\{4934D1EA-BE46-48B1-8847-F1AF20E892C1}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server 2013 Cumulative Update 23 (HKLM\...\Microsoft Exchange v15) (Version: 15.0.1497.2 - Microsoft Corporation)
Microsoft Exchange Server Language Pack - Chinese (Simplified) (HKLM\...\{521E6064-B4B1-4CBC-0804-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Chinese (Traditional) (HKLM\...\{521E6064-B4B1-4CBC-0404-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - English (HKLM\...\{521E6064-B4B1-4CBC-0409-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - French (HKLM\...\{521E6064-B4B1-4CBC-040C-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - German (HKLM\...\{521E6064-B4B1-4CBC-0407-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Italian (HKLM\...\{521E6064-B4B1-4CBC-0410-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Japanese (HKLM\...\{521E6064-B4B1-4CBC-0411-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Korean (HKLM\...\{521E6064-B4B1-4CBC-0412-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Portuguese (HKLM\...\{521E6064-B4B1-4CBC-0416-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Russian (HKLM\...\{521E6064-B4B1-4CBC-0419-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Server Language Pack - Spanish (HKLM\...\{521E6064-B4B1-4CBC-0C0A-25AD697801FA}) (Version: 15.0.1497.2 - Microsoft Corporation) Hidden
Microsoft Exchange Speech - (en-US)  (HKLM\...\{CEF60964-21AE-47E0-93C6-611AA8941B7F}) (Version: 15.0.1497.0 - Microsoft Corporation) Hidden
Microsoft Filter Pack 2.0 (HKLM\...\{95140000-2000-0409-1000-0000000FF1CE}) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Lync Server 2013, Bootstrapper Prerequisites Installer Package (HKLM\...\{F582C996-9276-48C2-9878-546C9B164856}) (Version: 5.0.8308.0 - Microsoft Corporation)
Microsoft Monitoring Agent (HKLM\...\{786970C5-E6F6-4A41-B238-AE25D4B91EEA}) (Version: 7.1.10184.0 - Microsoft Corporation)
Microsoft RAP as a Service Client Package (HKLM-x32\...\{2ce313ae-4688-455b-ae6b-1172a583c20a}) (Version: 1.0.0.0 - Microsoft)
Microsoft Server Speech Platform Runtime (x64) (HKLM\...\{3B433087-E62E-4BF5-97F9-4AF6E1C2409C}) (Version: 11.0.7400.345 - Microsoft Corporation)
Microsoft Server Speech Recognition Language - TELE (ca-ES) (HKLM-x32\...\{55D56947-B976-4E27-822B-E87FEFFB35F2}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (da-DK) (HKLM-x32\...\{18B4B2E0-6A0D-4BAC-99EB-843F2C290E07}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (de-DE) (HKLM-x32\...\{955F43D9-38C4-4C22-BEE3-1A6C63F968FA}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (en-AU) (HKLM-x32\...\{FA19A2B8-9A24-49B0-A51C-CF4A6B4B2B62}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (en-CA) (HKLM-x32\...\{0C96ED3F-83E2-4917-89DC-7837DC775FEC}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (en-GB) (HKLM-x32\...\{E0D13850-F97C-4B30-9F05-862299CE8DA5}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (en-IN) (HKLM-x32\...\{3B06AC90-DE68-44A9-95EB-0A3C1AF1514F}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (en-US) (HKLM-x32\...\{66D57636-BD4B-402F-9E7D-5E89C28C8136}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (es-ES) (HKLM-x32\...\{5D4A25B6-3A4E-409B-90FA-EDE99E2006B4}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (es-MX) (HKLM-x32\...\{BE94188A-CA4F-4AC7-A1B3-52D37882C30D}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (fi-FI) (HKLM-x32\...\{E3B7DBC7-7551-4E61-9B0D-FE660CFFC4FC}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (fr-CA) (HKLM-x32\...\{58DE670F-4977-4A23-9D2E-8C82A2072920}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (fr-FR) (HKLM-x32\...\{4D2DDB98-1FE6-4CFE-BCFD-EFE27FF24FAE}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (it-IT) (HKLM-x32\...\{9267D7E7-5872-4CB1-B4E3-377F4CA272D0}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (ja-JP) (HKLM-x32\...\{A06F3EA5-7C55-4505-8982-534BA05F49BE}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (ko-KR) (HKLM-x32\...\{1D8F6891-9B7F-4F08-A54E-C568D8C33276}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (nb-NO) (HKLM-x32\...\{49B7E67F-5E62-4988-A4F4-6C54B9E814EB}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (nl-NL) (HKLM-x32\...\{2CBAB07E-4865-40F0-9D6A-EFA350420166}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (pl-PL) (HKLM-x32\...\{BEFB9378-5E88-4266-8EB1-C92869449885}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (pt-BR) (HKLM-x32\...\{F6B5EB21-0ABF-487C-B9A9-D9DB259C4403}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (pt-PT) (HKLM-x32\...\{DAFE30C6-C638-4505-9372-2ECD1A1B317C}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (ru-RU) (HKLM-x32\...\{9419B7EA-6A4B-4A57-8E2A-3BDD4676118F}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (sv-SE) (HKLM-x32\...\{12C43D71-15A1-4F83-9D4D-E3134AE6FFD6}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (zh-CN) (HKLM-x32\...\{BAD2A75A-1708-47BA-A498-20890D2C78A7}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (zh-HK) (HKLM-x32\...\{6BAA03F9-B2E5-40EB-8871-703FF0046E9D}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TELE (zh-TW) (HKLM-x32\...\{28292B72-CF8A-4915-A5F5-07FF1E44C6F5}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Recognition Language - TRANS (en-US) (HKLM-x32\...\{B07DA010-66CF-40A7-908F-F6482219C57F}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Server Speech Text to Speech Voice (en-US, Helen) (HKLM-x32\...\{8466EAED-7024-4AEE-9D13-F3A55B98D114}) (Version: 11.0.7400.345 - Microsoft Corporation) Hidden
Microsoft Speech Platform VXML Runtime (x64) (HKLM\...\{C82C698A-A0B7-412D-9396-31FB1A6AA45C}) (Version: 11.0.7400.345 - Microsoft Corporation)
Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit (HKLM\...\{ED98ABF5-B6BF-47ED-92AB-1CDCAB964447}) (Version: 5.0.8308.0 - Microsoft Corporation) Hidden
Microsoft Unified Communications Managed API 4.0, Runtime (HKLM\...\{41D635FE-4F9D-47F7-8230-9B29D6D42D31}) (Version: 5.0.8308.0 - Microsoft Corporation) Hidden
Microsoft Unified Communications Managed API 4.0, Runtime (HKLM\...\UCMA4) (Version: 5.0.8308.0 - Microsoft Corporation)
Microsoft Unified Communications Managed API 4.0, SSP Runtime (HKLM\...\{A41CBE7D-949C-41DD-9869-ABBD99D753DA}) (Version: 5.0.8308.0 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.50727 (HKLM\...\{AC53FC8B-EE18-3F9C-9B59-60937D0B182C}) (Version: 11.0.50727 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.50727 (HKLM\...\{A2CB1ACB-94A2-32BA-A15E-7D80319F7589}) (Version: 11.0.50727 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (HKLM\...\{929FBD26-9020-399B-9A7A-751D61F0B942}) (Version: 12.0.21005 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (HKLM\...\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}) (Version: 12.0.21005 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.27.29016 (HKLM-x32\...\{40d3fee2-b257-46c2-bdc0-cb1088d97327}) (Version: 14.27.29016.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.27.29016 (HKLM-x32\...\{1aaa01ad-3069-4288-9c6f-37a140a8f6c7}) (Version: 14.27.29016.0 - Microsoft Corporation)
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.27.29016 (HKLM\...\{F07B1E25-5670-4556-9C7F-5A1966C83269}) (Version: 14.27.29016 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.27.29016 (HKLM\...\{E493B8F4-E300-43EC-95D0-BDF3711297EA}) (Version: 14.27.29016 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.27.29016 (HKLM-x32\...\{5CD4E357-9ED6-42AC-B654-F1FC21DD60C9}) (Version: 14.27.29016 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.27.29016 (HKLM-x32\...\{E2C131AD-D30F-4D67-ACE9-B3D485E84DA8}) (Version: 14.27.29016 - Microsoft Corporation) Hidden
PFA Server Registry Update (HKLM-x32\...\{173438F5-BD4D-47AE-9C8F-73E6BAA62624}) (Version: 1.0.0.0 - Hewlett-Packard Company)
RAP as a Service Client  (HKLM-x32\...\{A2C2B1ED-F61E-4577-B7C3-ECF99CAF906A}) (Version: 2.0.40905.0 - Microsoft Corporation) Hidden
Subsystem Device Driver DSM (HKLM\...\Subsystem Device Driver DSM) (Version:  - )
Symantec Endpoint Protection (HKLM\...\{034F3EDA-2F36-414D-906F-9B7B7EBA4E68}) (Version: 14.3.9681.7000 - Broadcom)
TreeSize Free V4.5.3 (HKLM-x32\...\TreeSize Free_is1) (Version: 4.5.3 - JAM Software)
Veeam Agent for Microsoft Windows (HKLM\...\{7796202E-3320-41ED-9A2C-14613AEED3D3}) (Version: 5.0.3.4708 - Veeam Software Group GmbH)
Veeam CBT Driver (HKLM\...\VeeamCBTDriver) (Version: 10.0.0.5015 - Veeam Software Group GmbH)
Veeam Installer Service (HKLM-x32\...\VeeamDeployerService) (Version: 11.0.1.1261 - Veeam Software Group GmbH)
Veritas NetBackup Client (HKLM\...\{A34B3E34-4E84-4CB9-8D6B-0EB4467DC789}) (Version: 9.1 - Veritas Technologies LLC) Hidden
Veritas NetBackup Client (HKLM\...\Veritas NetBackup Client) (Version: 9.1 - Veritas Technologies LLC)

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ShellIconOverlayIdentifiers: [NFSShares] -> {04EA2470-913A-11D2-8CB8-0000F8083420} => C:\Windows\System32\nfssprop.dll [2012-07-26] (Microsoft Windows -> Microsoft Corporation)
ContextMenuHandlers1: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\vpshell2.dll [2023-06-20] (Symantec Corporation -> Broadcom)
ContextMenuHandlers2: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\vpshell2.dll [2023-06-20] (Symantec Corporation -> Broadcom)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2023-06-12] (Malwarebytes Inc. -> Malwarebytes)
ContextMenuHandlers6: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\vpshell2.dll [2023-06-20] (Symantec Corporation -> Broadcom)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2023-06-12] (Malwarebytes Inc. -> Malwarebytes)

==================== Codecs (Whitelisted) ====================

==================== Shortcuts & WMI ========================

==================== Loaded Modules (Whitelisted) =============

2014-01-11 16:39 - 2013-07-10 15:44 - 001613312 _____ () [File not signed] C:\hp\hpsmh\bin\libxml2.dll
2014-01-11 16:39 - 2013-07-10 15:44 - 001613312 _____ () [File not signed] C:\hp\hpsmh\modules\libxml2.dll
2014-01-11 16:39 - 2013-07-10 15:44 - 000072704 _____ () [File not signed] C:\hp\hpsmh\modules\zlib1.dll
2013-06-28 00:01 - 2013-06-28 00:01 - 000041472 _____ () [File not signed] C:\Program Files\HPWBEM\Storage\Service\CPQMDISK.dll
2013-06-28 00:01 - 2013-06-28 00:01 - 000057856 _____ () [File not signed] C:\Program Files\HPWBEM\Storage\Service\CPQMSCSI.DLL
2013-06-28 00:01 - 2013-06-28 00:01 - 000055296 _____ () [File not signed] C:\Program Files\HPWBEM\Storage\Service\CPQSAS.DLL
2013-06-28 00:01 - 2013-06-28 00:01 - 000032768 _____ () [File not signed] C:\Program Files\HPWBEM\Storage\Service\CQMGSTOR.dll
2013-06-28 00:01 - 2013-06-28 00:01 - 000029696 _____ () [File not signed] C:\Program Files\HPWBEM\Storage\Service\cqstrutl.dll
2013-06-21 03:33 - 2013-06-21 03:33 - 000115200 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQFCA.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000044544 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQIDE.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000050176 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQISCSI.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000041472 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQMDISK.dll
2013-06-21 03:33 - 2013-06-21 03:33 - 000106496 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQMIDA.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000057856 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQMSCSI.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000055808 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CPQSAS.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000032768 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\CQMGSTOR.dll
2013-06-21 03:33 - 2013-06-21 03:33 - 000026112 _____ () [File not signed] C:\Windows\system32\CpqMgmt\CqmgStor\iscsimib.dll
2013-06-21 03:33 - 2013-06-21 03:33 - 000030720 _____ () [File not signed] C:\Windows\system32\CpqMgmt\cqmgstor\STORALRT.DLL
2013-06-21 03:33 - 2013-06-21 03:33 - 000224256 _____ () [File not signed] C:\Windows\system32\CpqMgmt\Cqmgstor\stormib.dll
2013-06-21 03:33 - 2013-06-21 03:33 - 000007168 _____ () [File not signed] C:\Windows\system32\cpqmgmt\cqmgstor\storsnmp.dll
2013-07-12 10:32 - 2013-07-12 10:32 - 000048640 _____ () [File not signed] C:\Windows\system32\CpqNiMgt\CPQNIMIB.DLL
2013-07-12 10:32 - 2013-07-12 10:32 - 000018432 _____ () [File not signed] C:\Windows\system32\cpqnimgt\cqnisnmp.dll
2013-07-12 10:32 - 2013-07-12 10:32 - 000025088 _____ () [File not signed] C:\Windows\system32\CpqNiMgt\NICMIB.DLL
2013-07-12 10:33 - 2013-07-12 10:33 - 000246784 _____ () [File not signed] C:\Windows\system32\cpqnimgt\w2kmgdll.dll
2013-06-21 03:33 - 2013-06-21 03:33 - 000030720 _____ () [File not signed] C:\Windows\SYSTEM32\cqstrutl.dll
2014-01-11 16:39 - 2013-07-10 15:37 - 000175104 _____ (Apache Software Foundation) [File not signed] C:\hp\hpsmh\bin\libapr-1.dll
2014-01-11 16:39 - 2013-07-10 15:37 - 000035328 _____ (Apache Software Foundation) [File not signed] C:\hp\hpsmh\bin\libapriconv-1.dll
2014-01-11 16:39 - 2013-07-10 15:37 - 000240128 _____ (Apache Software Foundation) [File not signed] C:\hp\hpsmh\bin\libaprutil-1.dll
2014-01-11 16:39 - 2013-07-10 15:44 - 000894464 _____ (Free Software Foundation) [File not signed] C:\hp\hpsmh\bin\iconv.dll
2014-01-11 16:39 - 2013-07-10 15:44 - 000894464 _____ (Free Software Foundation) [File not signed] C:\hp\hpsmh\modules\iconv.dll
2014-01-11 16:39 - 2013-07-10 15:38 - 000483840 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\bin\libhttpd.dll
2014-01-11 16:39 - 2013-07-10 15:38 - 000012800 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_access_compat.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000014848 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_alias.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000019968 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_authz_core.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000012288 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_authz_host.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000008704 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_authz_user.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000022528 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_cgi.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000012288 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_dir.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000009728 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_env.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000018944 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_headers.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000018432 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_imagemap.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000027136 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_log_config.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000019968 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_mime.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000034304 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_negotiation.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000085504 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_proxy.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000015872 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_proxy_connect.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000036864 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_proxy_http.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000060928 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_rewrite.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000013824 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_setenvif.so
2014-01-11 16:39 - 2013-07-10 15:47 - 000109056 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_smh_aa.so
2014-01-11 16:39 - 2013-07-10 15:47 - 000065536 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_smh_bc.so
2014-01-11 16:39 - 2013-07-10 15:47 - 000159744 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_smh_config.so
2014-01-11 16:39 - 2013-07-10 15:47 - 000135680 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_smh_help.so
2014-01-11 16:39 - 2013-07-10 15:47 - 000063488 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_smh_pkcs.so
2014-01-11 16:39 - 2013-07-10 15:47 - 000041984 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_smh_ui.so
2014-01-11 16:39 - 2013-07-10 15:38 - 000020992 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_socache_shmcb.so
2014-01-11 16:39 - 2013-07-10 15:43 - 000166912 _____ (Hewlett-Packard Company) [File not signed] C:\hp\hpsmh\modules\mod_ssl.so
2019-05-29 01:02 - 2019-05-29 01:02 - 000270536 _____ (Microsoft Corporation -> Microsoft Corporation) [File not signed] C:\Program Files\Microsoft\Exchange Server\V15\Bin\osafehtm.dll
2023-03-16 01:50 - 2023-03-16 01:50 - 005302272 _____ (Microsoft) [File not signed] C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0ef69a75#\023b11063fcc191a4764fc2752b2acd3\Microsoft.Search.Platform.Parallax.ni.dll
2014-01-11 16:39 - 2013-07-10 15:46 - 000314880 _____ (The cURL library, hxxp://curl.haxx.se/) [File not signed] C:\hp\hpsmh\modules\libcurl.dll
2014-01-11 16:39 - 2013-07-10 15:40 - 001798656 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\hp\hpsmh\bin\LIBEAY32.dll
2014-01-11 16:39 - 2013-07-10 15:40 - 000366592 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\hp\hpsmh\bin\SSLEAY32.dll
2014-01-11 16:39 - 2013-07-10 15:52 - 009109504 _____ (The PHP Group) [File not signed] C:\hp\hpsmh\bin\php5ts.dll
2014-01-11 16:39 - 2013-07-10 15:53 - 001076224 _____ (The PHP Group) [File not signed] C:\hp\hpsmh\modules\php_mbstring.DLL
2014-01-11 16:39 - 2013-07-10 15:53 - 000034304 _____ (The PHP Group) [File not signed] C:\hp\hpsmh\modules\php5apache2.so

==================== Alternate Data Streams (Whitelisted) ========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ClusterStorage:{db19d832-b034-46ed-a6c5-61e0ebe370d1} [0]

==================== Safe Mode (Whitelisted) ==================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{1275C540-B92D-406A-B595-68C2B266A9A8}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{5CA4F88D-67B7-46CE-9653-5A17519F66F0}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{6B7A2D6B-C77F-4C11-8B70-2CD28AD687A6}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{BEC9211B-09AC-4B5B-9D31-561ADFF81A33}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{EBA0DEA8-AC55-458F-9726-2388EB4D982B}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SepMasterService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"

==================== Association (Whitelisted) =================

==================== Internet Explorer (Whitelisted) ==========

HKU\S-1-5-21-1365522570-4229012047-2779133919-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm
HKU\S-1-5-21-3412390019-1648271104-2333346583-17206\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-07-26 09:26 - 2023-07-31 00:12 - 000001064 _____ C:\Windows\system32\drivers\etc\hosts
192.168.7.8    netbackup
192.168.7.8    netbackup.gov.mu
192.168.6.80    ecp.govmu.org
192.168.7.53    backupsvr
127.0.0.1    mail.govmu.org    
192.168.6.50    GOC-EX13-SVR01.goc.ncb
192.168.6.50    GOC-EX13-SVR01

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKLM\System\CurrentControlSet\Control\Session Manager\Environment\\Path -> ; ;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft\Exchange Server\V15\bin;C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Native\
HKU\S-1-5-21-1365522570-4229012047-2779133919-500\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
HKU\S-1-5-21-3412390019-1648271104-2333346583-17206\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 192.168.2.40 - 192.168.2.41
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 0) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Off)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost => (EnableWebContentEvaluation: 0)
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC] => (Allow) C:\Windows\system32\scshost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC-EndPointMapper] => (Allow) C:\Windows\system32\scshost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [ComPlusRemoteAdministration-DCOM-In] => (Allow) C:\Windows\system32\dllhost.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{A2CCFE80-3004-4D1F-B59C-69703E375A1B}] => (Allow) LPort=443
FirewallRules: [{ED70E132-AC43-4C5E-8536-DAA138AF8F3F}] => (Allow) LPort=RPC
FirewallRules: [{D42578C4-153E-4022-A569-B815FB0B1633}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.Topologyservice.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{AD6B3971-5DD3-412F-90C3-CEE969CAC935}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{57FFD6A2-5E32-4E65-A2F9-96DFBBCDC75E}] => (Allow) C:\Windows\system32\inetsrv\inetinfo.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{F779260D-1905-4B3D-BAAE-3F1EC35D0659}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{5BCF7254-AE77-4EFD-BE6B-0250073914F2}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{B5D9E7B9-D002-4A09-8591-AE7AB28A82E5}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\edgetransport.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{6244BDDB-9609-455B-9587-48F909C41F17}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{46E23EA3-714E-4E82-9A65-EA41E3DAB187}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{140688E3-F0B9-4831-AA87-13C204FEDF4F}] => (Allow) LPort=587
FirewallRules: [{02E8C397-B24E-4747-A69F-2E118805D154}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.ServiceHost.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{46AB5D8A-3915-4F22-9E76-CFEC2C1AB69D}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{659FD464-FBCB-486F-8A31-B0229032C750}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{7151732B-9863-4238-8D43-2F4D6913BC8F}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.ServiceHost.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{F5E200A2-6654-491A-99A7-9488ECB30363}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.ServiceHost.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{03BA6FF9-701C-46F5-89D4-6BCB8278AF2C}] => (Allow) LPort=80
FirewallRules: [{757FB906-7A95-4446-88EA-8B9CC119F8E9}] => (Allow) LPort=80
FirewallRules: [{CB9BB596-8479-4073-8D75-CAB56E3DDB8E}] => (Allow) LPort=443
FirewallRules: [{4D1BD810-0186-4F4F-8DE8-D050EAB521DF}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{3887FF94-A06B-4767-9770-395D63BDE299}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{47EF1C9D-589E-409F-96E4-A84286CF922A}] => (Allow) LPort=9955
FirewallRules: [{09917463-5B36-412C-B64E-F64C609C91B9}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{5774B08D-5563-4A58-B778-697595E49C34}] => (Allow) LPort=5077
FirewallRules: [{88E71246-80CF-44EB-A374-BA82F1ECE903}] => (Allow) LPort=808
FirewallRules: [{8E7D35D2-3D3F-4D72-AFAD-24319E4633B2}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{DBF0764A-DE51-4092-8BB6-5993A1DC69C5}] => (Allow) C:\Windows\system32\inetsrv\w3wp.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{79D50BD6-B118-4D2F-9A33-ABDFFA19E5EB}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{F7D083A4-E78A-42D4-AFCC-CC05E3F7EC99}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{0DE9DEC2-4366-4475-9F7C-7915FC9071EF}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{BF2848A8-B99A-46B4-AE85-59009495E6E5}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{E63BF98D-026B-4BCC-A7E4-508A6E49C5A7}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{0C19B50B-53EA-4932-A1BB-0C8C1DED4527}] => (Allow) LPort=5063
FirewallRules: [{2E49034A-FA66-4D19-8323-C5BF7326B39A}] => (Allow) LPort=5068
FirewallRules: [{5F3634D0-8665-4EA3-B717-10974D20194F}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{E680BB2B-BEFE-4C8E-8010-1DBF19D80997}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{9B3C643D-34CA-4833-97AE-8674659394AC}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{1548C0ED-A5CD-4CB5-BADB-8D27589D8C8C}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{2E45E4B8-C6A5-409F-ACE3-6D988A9C465F}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{F6F4E443-8D4B-4BE9-9313-539EDAF179D2}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\NodeRunner.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{4194C992-3445-4378-B70D-146779E6B100}] => (Allow) LPort=444
FirewallRules: [{55BC27AF-401A-4469-9158-97256C4F6D37}] => (Allow) LPort=64327
FirewallRules: [{C4036C1B-9773-49E5-ACAE-43E859E99FE8}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{9ED8E544-3892-4387-9747-B4B39ADB0262}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{875075B8-45AC-45AA-8A55-5A93C5E2D032}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{22DBFBCE-2677-48D2-901F-169755E5EBD9}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{5FE1067D-2082-4A2D-9F09-755BD8D3A842}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{129592E1-763B-4317-9E03-DE51F0373A7E}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{C8AF02E2-9131-4B9C-AF8D-F186C7049BE5}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{CADA475D-E46E-496F-985F-606831A89A77}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{E79815E9-A1A9-419F-9B5E-3F76CCE20505}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{81442800-7345-4E0D-B8EF-9559D414573F}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Worker.exe => No File
FirewallRules: [{1EFF9EB1-2DA2-44E7-A35B-ADACBFB74207}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{D2B0387D-45ED-4E97-AC5E-CA006D654136}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{2F7736FF-C87C-40A7-BF74-3E2FF28C64CE}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{36FF1C14-E793-4197-AD99-51FC068CA593}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{F680402B-1388-4BCE-BF82-796226A624B9}] => (Allow) LPort=5061
FirewallRules: [{5E44A848-CB5C-494E-A0B6-1D471FF004C0}] => (Allow) LPort=139
FirewallRules: [{33319BCD-801C-4C93-A595-CF49F6EC3768}] => (Allow) LPort=993
FirewallRules: [FailoverClustering-ClusSvc-TCP-In] => (Allow) C:\Windows\cluster\clussvc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [FailoverClustering-ClusSvc-TCP-Out] => (Allow) C:\Windows\cluster\clussvc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [FailoverClustering-ClusSvcRPC-TCP-In] => (Allow) C:\Windows\cluster\clussvc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [FailoverCluster-CPREPSRV-TCP-In] => (Allow) C:\Windows\system32\cprepsrv.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [FailoverCluster-FCSRV-TCP-In] => (Allow) C:\Windows\system32\fcsrv.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{8D49C1D2-0AA4-4E09-82E5-66C71B329DB6}] => (Allow) LPort=808
FirewallRules: [{DB4DF9C9-8671-429D-A814-A0729840EDBF}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDagMgmt.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{2D85085F-0B66-47F0-8673-910E60B43EBD}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [Microsoft-Windows-NFS-ServerCore-NfsSvc-NFS-UDP-In] => (Allow) LPort=2049
FirewallRules: [Microsoft-Windows-NFS-ServerCore-NfsSvc-NFS-TCP-In] => (Allow) LPort=2049
FirewallRules: [Microsoft-Windows-NFS-OpenPortMapper-Portmap-UDP-In] => (Allow) LPort=111
FirewallRules: [Microsoft-Windows-NFS-OpenPortMapper-Portmap-TCP-In] => (Allow) LPort=111
FirewallRules: [{79ADD138-4978-42CD-8DE7-9BE071C0131F}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{9A43FAC6-7B3C-491C-A9F4-77A05CD1A014}] => (Allow) LPort=10050
FirewallRules: [{8B6807AA-2204-4AFC-A798-86A487AF1E80}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{D9DB26C0-5D6E-4531-AAFA-B7130746A7EB}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMService.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{559F0538-319C-4360-968A-A571E1E3DDF8}] => (Allow) C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{1895413C-B03A-4E28-A34F-04DD4B750B35}] => (Allow) C:\Windows\Veeam\Backup\VeeamDeploymentSvc.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{AE51BF15-72FC-44AF-A395-CA1D6648133A}] => (Allow) C:\Windows\Veeam\Backup\VeeamDeploymentSvc.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{40EFAF0A-B64E-4BDF-ADDF-0E492ACF371F}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Recovery.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{DF0CE3C5-623A-4503-95FF-F21CE915DC2B}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Service.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{EC47FF57-BA9D-41E2-BB6A-FA4A702FC60B}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Service.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{F435E95A-61FE-4B14-9640-9FB07164750E}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\x64\VeeamAgent.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{FF8C5504-55AC-42E2-B99C-93F462805D13}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\x64\VeeamAgent.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{806C43F6-FE03-484D-946C-135F07FAF10B}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\x86\VeeamAgent.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{54D3E2B2-96E8-4895-A3CC-A2CC4819B153}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\x86\VeeamAgent.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{8080CB13-DE5C-40F2-BB2C-A9AC4ACCE17A}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\VeeamDeploymentSvc.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{5A430A70-1FEB-40A8-8B56-634F8CF49945}] => (Allow) C:\Program Files\Veeam\Endpoint Backup\VeeamDeploymentSvc.exe (Veeam Software Group GmbH -> Veeam Software Group GmbH)
FirewallRules: [{FBB9C05C-71D6-4B21-A91C-59F40E41A64F}] => (Allow) C:\Program Files\Veritas\NetBackup\bin\nbwin.exe (Veritas Technologies LLC -> Veritas Technologies LLC)
FirewallRules: [{8B5AD3A0-4109-4448-88CB-363F24A527E1}] => (Allow) C:\Program Files\Veritas\NetBackup\bin\nbwin.exe (Veritas Technologies LLC -> Veritas Technologies LLC)
FirewallRules: [{7FF8343D-69F4-4010-8958-260D35431E4E}] => (Allow) C:\Program Files\Veritas\NetBackup\bin\tracker.exe (Veritas Technologies LLC -> Veritas Technologies LLC)
FirewallRules: [{FD330AF1-52EF-43CD-8055-1C8797C117A0}] => (Allow) C:\Program Files\Veritas\NetBackup\bin\tracker.exe (Veritas Technologies LLC -> Veritas Technologies LLC)
FirewallRules: [{C48451FC-6140-4415-A54D-95B11F89D8F1}] => (Allow) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\ccSvcHst.exe (Symantec Corporation -> Broadcom)
FirewallRules: [{62A77899-F09F-437E-914B-C6BFFB87ADEF}] => (Allow) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\ccSvcHst.exe (Symantec Corporation -> Broadcom)
FirewallRules: [{255E213E-3F47-40F8-9459-341628F332D8}] => (Allow) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\snac64.exe (Symantec Corporation -> Broadcom)
FirewallRules: [{66AC1B0F-9C87-46D7-A7E9-1064E5F2C06A}] => (Allow) C:\Program Files\Symantec\Symantec Endpoint Protection\14.3.9681.7000.105\Bin64\snac64.exe (Symantec Corporation -> Broadcom)

==================== Restore Points =========================

ATTENTION: System Restore is disabled (Total:279.36 GB) (Free:84.71 GB) (30%)
Check "VSS" service


==================== Faulty Device Manager Devices ============

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #2
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #3
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #4
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #7
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #8
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #9
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #10
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #11
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter #12
Description: HP NC553i Dual Port FlexFabric 10Gb Converged Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Emulex
Service: be2net
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: ========================

Application errors:
==================
Error: (01/08/2024 09:06:17 AM) (Source: MSExchangeFrontEndTransport) (EventID: 12018) (User: )
Description: The STARTTLS certificate will expire soon: subject: C11-EX-SVR-MBX4.gov.mu, thumbprint: 7D5ADF3BE38AF11C38D64BCB645B5D6E9DC78B19, hours remaining: 223. Run the New-ExchangeCertificate cmdlet to create a new certificate.

Error: (01/08/2024 09:04:39 AM) (Source: MSExchangeTransport) (EventID: 12018) (User: )
Description: The STARTTLS certificate will expire soon: subject: C11-EX-SVR-MBX4.gov.mu, thumbprint: 7D5ADF3BE38AF11C38D64BCB645B5D6E9DC78B19, hours remaining: 223. Run the New-ExchangeCertificate cmdlet to create a new certificate.

Error: (01/08/2024 09:01:38 AM) (Source: MSExchangeFrontEndTransport) (EventID: 12018) (User: )
Description: The STARTTLS certificate will expire soon: subject: C11-EX-SVR-MBX4.gov.mu, thumbprint: 7D5ADF3BE38AF11C38D64BCB645B5D6E9DC78B19, hours remaining: 223. Run the New-ExchangeCertificate cmdlet to create a new certificate.

Error: (01/08/2024 09:01:33 AM) (Source: MSExchangeTransport) (EventID: 12018) (User: )
Description: The STARTTLS certificate will expire soon: subject: C11-EX-SVR-MBX4.gov.mu, thumbprint: 7D5ADF3BE38AF11C38D64BCB645B5D6E9DC78B19, hours remaining: 223. Run the New-ExchangeCertificate cmdlet to create a new certificate.

Error: (01/08/2024 08:56:16 AM) (Source: Microsoft-Filtering-FIPFS) (EventID: 6027) (User: NT AUTHORITY)
Description: MS Filtering Engine Update process was unsuccessful in contacting the Primary Update Path. Update Path: http://forefrontdl.microsoft.com/server/scanengineupdate

Error: (01/08/2024 08:55:42 AM) (Source: MSExchange Common) (EventID: 106) (User: )
Description: Performance counter updating error. Counter name is Time in Resource per second, category name is MSExchange Activity Context Resources. Optional code: 2. Exception: The exception thrown is : System.InvalidOperationException: Instance 'ad-powershell-defaultdomain' already exists with a lifetime of Process.  It cannot be recreated or reused until it has been removed or until the process using it has exited.
   at System.Diagnostics.SharedPerformanceCounter.FindInstance(Int32 instanceNameHashCode, String instanceName, CategoryEntry* categoryPointer, InstanceEntry** returnInstancePointerReference, Boolean activateUnusedInstances, PerformanceCounterInstanceLifetime lifetime, Boolean& foundFreeInstance)
   at System.Diagnostics.SharedPerformanceCounter.GetCounter(String counterName, String instanceName, Boolean enableReuse, PerformanceCounterInstanceLifetime lifetime)
   at System.Diagnostics.SharedPerformanceCounter..ctor(String catName, String counterName, String instanceName, PerformanceCounterInstanceLifetime lifetime)
   at System.Diagnostics.PerformanceCounter.InitializeImpl()
   at System.Diagnostics.PerformanceCounter.get_RawValue()
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.get_RawValue()
Last worker process info : System.ArgumentException: Process with an Id of 36352 is not running.
   at System.Diagnostics.Process.GetProcessById(Int32 processId, String machineName)
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
Processes running while Performance counter failed to update:
14652 MSExchangeTransport
7324 rundll32
4296 cmd
8564 Microsoft.Exchange.EdgeSyncSvc
4292 zabbix_agentd
2348 Microsoft.Exchange.Search.Service
27132 mbamtray
7736 Microsoft.Exchange.AntispamUpdateSvc
3856 sddsrv
32280 powershell
8164 cqmghost
27988 w3wp
2556 inetinfo
16652 Microsoft.Exchange.Store.Worker
820 lsass
19352 w3wp
2972 MSExchangeHMHost
16576 rhs
29692 w3wp
4260 pbx_exchange
900 svchost
28824 WmiPrvSE
21496 w3wp
3392 snmp
2528 hpwmistor
7268 VeeamDeploymentSvc
19392 svchost
11144 Microsoft.Exchange.Pop3
16580 rhs
2948 sepWscSvc64
36560 conhost
20180 w3wp
14576 UMWorkerProcess
6816 w3wp
8108 vnetd
13708 umservice
40860 WmiPrvSE
32024 powershell
340 winlogon
2924 updateservice
6368 MBAMService
44724 HealthService
17136 Microsoft.Exchange.Store.Worker
35668 bpfis
26668 ccSvcHst
18420 svchost
6776 WmiPrvSE
14100 nfsclnt
5048 noderunner
8064 SMSvcHost
11080 Microsoft.Exchange.Imap4
10472 Microsoft.Exchange.Imap4Service
2888 mqsvc
6764 WmiPrvSE
1900 dwm
12364 Microsoft.Exchange.RpcClientAccess.Service
11068 conhost
1584 svchost
27008 rdpclip
12784 MSExchangeSubmission
7180 conhost
2000 fms
4584 hpsmhd
7164 Microsoft.Exchange.Directory.TopologyService
10608 scanningprocess
5004 svchost
692 smss
4672 noderunner
8012 Veeam.EndPoint.Service
1908 spoolsv
6284 MSExchangeTransportLogSearch
11408 Microsoft.Exchange.Pop3Service
1972 cissesrv
16192 Microsoft.Exchange.Store.Worker
2892 ccSvcHst
18776 dwm
25668 ServerManager
5032 WMSvc
7120 Microsoft.Exchange.Store.Service
1516 svchost
1944 svchost
22200 wuauclt
45040 conhost
4524 rotatelogs
14432 clussvc
10552 conhost
26928 svchost
6236 MSExchangeHMWorker
26492 winlogon
13992 bpinetd
7956 vnetd
45020 powershell
10968 conhost
12252 msexchangerepl
26904 taskhostex
1472 svchost
10520 Microsoft.Exchange.Imap4
4052 svchost
8360 MSExchangeDelivery
10944 MSExchangeMailboxAssistants
26456 csrss
22144 notepad
37676 conhost
29468 WmiPrvSE
4900 w3wp
10932 scanningprocess
1880 LogonUI
9428 MonitoringHost
7912 powershell
23424 w3wp
12216 conhost
1440 svchost
7472 rundll32
4884 conhost
27724 w3wp
23844 w3wp
6164 cqmgstor
12196 Microsoft.Exchange.Pop3
4868 rotatelogs
2280 noderunner
4000 ForefrontActiveDirectoryConnector
13420 Microsoft.Exchange.UM.CallRouter
15204 conhost
4512 rotatelogs
3992 ccSvcHst
25540 w3wp
540 services
25968 msdtc
968 wininit
12172 Microsoft.Exchange.Pop3Service
8292 w3wp
6136 cqmgserv
23372 powershell
15180 EdgeTransport
956 csrss
10864 scanningprocess
4824 rotatelogs
16888 Microsoft.Exchange.Store.Worker
11284 MSExchangeMailboxReplication
22920 w3wp
1368 svchost
2656 nbdisco
15152 bpcd
14288 nfssvc
1784 hostcontrollerservice
4800 noderunner
9540 MSExchangeFrontendTransport
3504 smhstart
46020 ParserServer
4836 conhost
3496 ProLiantMonitor
27200 explorer
8120 vnetd
4348 hpsmhd
8224 MSExchangeDagMgmt
22444 Microsoft.Exchange.Store.Worker
3908 sftracing
12656 Microsoft.Exchange.ServiceHost
884 csrss
1744 svchost
33588 Microsoft.Exchange.Store.Worker
2600 Microsoft.Exchange.Diagnostics.Service
41916 ParserServer
25440 MonitoringHost
6044 cpqnimgt
12076 MSExchangeThrottling
9920 Microsoft.Exchange.Imap4Service
2160 SMSvcHost
4 System
4312 conhost
0 Idle
Performance Counters Layout information:
A process is holding onto a transport performance counter. processId : 15180, counter : time in resource per second Value=103959 SpinLock=0 Lifetime=Type: 1 ProcessId: 15180 StartupTime: 133489069047425174, currentInstance : ad-edgetransport-edgetransport.exe(E79D4A36) RefCount=1 SpinLock=0 Offset=24768, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 14652, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 14652 StartupTime: 133489069035393504, currentInstance : rpca-msexchangetransport-msexchangetransport.exe(24F56C33) RefCount=1 SpinLock=0 Offset=24440, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 14652, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 14652 StartupTime: 133489069035393504, currentInstance : mb-msexchangetransport-msexchangetransport.exe(92FB3D3C) RefCount=1 SpinLock=0 Offset=24112, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 14652, counter : time in resource per second Value=477 SpinLock=0 Lifetime=Type: 1 ProcessId: 14652 StartupTime: 133489069035393504, currentInstance : ad-msexchangetransport-msexchangetransport.exe(2447ECB6) RefCount=1 SpinLock=0 Offset=23784, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13420, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13420 StartupTime: 133489068984922968, currentInstance : rpca-microsoft.exchange.um.callrouter-microsoft.exchange.um.callrouter.exe(E8475353) RefCount=1 SpinLock=0 Offset=23456, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13420, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13420 StartupTime: 133489068984922968, currentInstance : mb-microsoft.exchange.um.callrouter-microsoft.exchange.um.callrouter.exe(8F65881C) RefCount=1 SpinLock=0 Offset=23128, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13420, counter : time in resource per second Value=26 SpinLock=0 Lifetime=Type: 1 ProcessId: 13420 StartupTime: 133489068984922968, currentInstance : ad-microsoft.exchange.um.callrouter-microsoft.exchange.um.callrouter.exe(78F52196) RefCount=1 SpinLock=0 Offset=22800, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13708, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13708 StartupTime: 133489068927264688, currentInstance : rpca-umservice-umservice.exe(E39A1133) RefCount=1 SpinLock=0 Offset=22472, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13708, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13708 StartupTime: 133489068927264688, currentInstance : mb-umservice-umservice.exe(FFBB273C) RefCount=1 SpinLock=0 Offset=22144, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13708, counter : time in resource per second Value=27 SpinLock=0 Lifetime=Type: 1 ProcessId: 13708 StartupTime: 133489068927264688, currentInstance : ad-umservice-umservice.exe(9A8AC6B6) RefCount=1 SpinLock=0 Offset=21816, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 6284, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 6284 StartupTime: 133489068910857861, currentInstance : rpca-msexchangetransportlogsearch-msexchangetransportlogsearch.exe(EF66F2D3) RefCount=1 SpinLock=0 Offset=21488, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 6284, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 6284 StartupTime: 133489068910857861, currentInstance : mb-msexchangetransportlogsearch-msexchangetransportlogsearch.exe(B020391C) RefCount=1 SpinLock=0 Offset=21160, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 6284, counter : time in resource per second Value=697 SpinLock=0 Lifetime=Type: 1 ProcessId: 6284 StartupTime: 133489068910857861, currentInstance : ad-msexchangetransportlogsearch-msexchangetransportlogsearch.exe(20578116) RefCount=1 SpinLock=0 Offset=20832, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 12076, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 12076 StartupTime: 133489068904451392, currentInstance : rpca-msexchangethrottling-msexchangethrottling.exe(8C1DA893) RefCount=1 SpinLock=0 Offset=20504, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 12076, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 12076 StartupTime: 133489068904451392, currentInstance : mb-msexchangethrottling-msexchangethrottling.exe(AB2BADDC) RefCount=1 SpinLock=0 Offset=20176, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 12076, counter : time in resource per second Value=14 SpinLock=0 Lifetime=Type: 1 ProcessId: 12076 StartupTime: 133489068904451392, currentInstance : ad-msexchangethrottling-msexchangethrottling.exe(8962F4D6) RefCount=1 SpinLock=0 Offset=19848, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 12784, counter : time in resource per second Value=0 Spin...

Error: (01/08/2024 08:55:42 AM) (Source: MSExchange Common) (EventID: 106) (User: )
Description: Performance counter updating error. Counter name is Time in Resource per second, category name is MSExchange Activity Context Resources. Optional code: 2. Exception: The exception thrown is : System.InvalidOperationException: Instance 'ad-powershell-defaultdomain' already exists with a lifetime of Process.  It cannot be recreated or reused until it has been removed or until the process using it has exited.
   at System.Diagnostics.SharedPerformanceCounter.FindInstance(Int32 instanceNameHashCode, String instanceName, CategoryEntry* categoryPointer, InstanceEntry** returnInstancePointerReference, Boolean activateUnusedInstances, PerformanceCounterInstanceLifetime lifetime, Boolean& foundFreeInstance)
   at System.Diagnostics.SharedPerformanceCounter.GetCounter(String counterName, String instanceName, Boolean enableReuse, PerformanceCounterInstanceLifetime lifetime)
   at System.Diagnostics.SharedPerformanceCounter..ctor(String catName, String counterName, String instanceName, PerformanceCounterInstanceLifetime lifetime)
   at System.Diagnostics.PerformanceCounter.InitializeImpl()
   at System.Diagnostics.PerformanceCounter.get_RawValue()
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.get_RawValue()
Last worker process info : System.ArgumentException: Process with an Id of 36352 is not running.
   at System.Diagnostics.Process.GetProcessById(Int32 processId, String machineName)
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
Processes running while Performance counter failed to update:
14652 MSExchangeTransport
7324 rundll32
4296 cmd
8564 Microsoft.Exchange.EdgeSyncSvc
4292 zabbix_agentd
2348 Microsoft.Exchange.Search.Service
27132 mbamtray
7736 Microsoft.Exchange.AntispamUpdateSvc
3856 sddsrv
32280 powershell
8164 cqmghost
27988 w3wp
2556 inetinfo
16652 Microsoft.Exchange.Store.Worker
820 lsass
19352 w3wp
2972 MSExchangeHMHost
16576 rhs
29692 w3wp
4260 pbx_exchange
900 svchost
28824 WmiPrvSE
21496 w3wp
3392 snmp
2528 hpwmistor
7268 VeeamDeploymentSvc
19392 svchost
11144 Microsoft.Exchange.Pop3
16580 rhs
2948 sepWscSvc64
36560 conhost
20180 w3wp
14576 UMWorkerProcess
6816 w3wp
8108 vnetd
13708 umservice
40860 WmiPrvSE
32024 powershell
340 winlogon
2924 updateservice
6368 MBAMService
44724 HealthService
17136 Microsoft.Exchange.Store.Worker
35668 bpfis
26668 ccSvcHst
18420 svchost
6776 WmiPrvSE
14100 nfsclnt
5048 noderunner
8064 SMSvcHost
11080 Microsoft.Exchange.Imap4
10472 Microsoft.Exchange.Imap4Service
2888 mqsvc
6764 WmiPrvSE
1900 dwm
12364 Microsoft.Exchange.RpcClientAccess.Service
11068 conhost
1584 svchost
27008 rdpclip
12784 MSExchangeSubmission
7180 conhost
2000 fms
4584 hpsmhd
7164 Microsoft.Exchange.Directory.TopologyService
10608 scanningprocess
5004 svchost
692 smss
4672 noderunner
8012 Veeam.EndPoint.Service
1908 spoolsv
6284 MSExchangeTransportLogSearch
11408 Microsoft.Exchange.Pop3Service
1972 cissesrv
16192 Microsoft.Exchange.Store.Worker
2892 ccSvcHst
18776 dwm
25668 ServerManager
5032 WMSvc
7120 Microsoft.Exchange.Store.Service
1516 svchost
1944 svchost
22200 wuauclt
45040 conhost
4524 rotatelogs
14432 clussvc
10552 conhost
26928 svchost
6236 MSExchangeHMWorker
26492 winlogon
13992 bpinetd
7956 vnetd
45020 powershell
10968 conhost
12252 msexchangerepl
26904 taskhostex
1472 svchost
10520 Microsoft.Exchange.Imap4
4052 svchost
8360 MSExchangeDelivery
10944 MSExchangeMailboxAssistants
26456 csrss
22144 notepad
37676 conhost
29468 WmiPrvSE
4900 w3wp
10932 scanningprocess
1880 LogonUI
9428 MonitoringHost
7912 powershell
23424 w3wp
12216 conhost
1440 svchost
7472 rundll32
4884 conhost
27724 w3wp
23844 w3wp
6164 cqmgstor
12196 Microsoft.Exchange.Pop3
4868 rotatelogs
2280 noderunner
4000 ForefrontActiveDirectoryConnector
13420 Microsoft.Exchange.UM.CallRouter
15204 conhost
4512 rotatelogs
3992 ccSvcHst
25540 w3wp
540 services
25968 msdtc
968 wininit
12172 Microsoft.Exchange.Pop3Service
8292 w3wp
6136 cqmgserv
23372 powershell
15180 EdgeTransport
956 csrss
10864 scanningprocess
4824 rotatelogs
16888 Microsoft.Exchange.Store.Worker
11284 MSExchangeMailboxReplication
22920 w3wp
1368 svchost
2656 nbdisco
15152 bpcd
14288 nfssvc
1784 hostcontrollerservice
4800 noderunner
9540 MSExchangeFrontendTransport
3504 smhstart
46020 ParserServer
4836 conhost
3496 ProLiantMonitor
27200 explorer
8120 vnetd
4348 hpsmhd
8224 MSExchangeDagMgmt
22444 Microsoft.Exchange.Store.Worker
3908 sftracing
12656 Microsoft.Exchange.ServiceHost
884 csrss
1744 svchost
33588 Microsoft.Exchange.Store.Worker
2600 Microsoft.Exchange.Diagnostics.Service
41916 ParserServer
25440 MonitoringHost
6044 cpqnimgt
12076 MSExchangeThrottling
9920 Microsoft.Exchange.Imap4Service
2160 SMSvcHost
4 System
4312 conhost
0 Idle
Performance Counters Layout information:
A process is holding onto a transport performance counter. processId : 14652, counter : time in resource per second Value=477 SpinLock=0 Lifetime=Type: 1 ProcessId: 14652 StartupTime: 133489069035393504, currentInstance : ad-msexchangetransport-msexchangetransport.exe(2447ECB6) RefCount=1 SpinLock=0 Offset=23784, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13420, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13420 StartupTime: 133489068984922968, currentInstance : rpca-microsoft.exchange.um.callrouter-microsoft.exchange.um.callrouter.exe(E8475353) RefCount=1 SpinLock=0 Offset=23456, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13420, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13420 StartupTime: 133489068984922968, currentInstance : mb-microsoft.exchange.um.callrouter-microsoft.exchange.um.callrouter.exe(8F65881C) RefCount=1 SpinLock=0 Offset=23128, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13420, counter : time in resource per second Value=26 SpinLock=0 Lifetime=Type: 1 ProcessId: 13420 StartupTime: 133489068984922968, currentInstance : ad-microsoft.exchange.um.callrouter-microsoft.exchange.um.callrouter.exe(78F52196) RefCount=1 SpinLock=0 Offset=22800, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13708, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13708 StartupTime: 133489068927264688, currentInstance : rpca-umservice-umservice.exe(E39A1133) RefCount=1 SpinLock=0 Offset=22472, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13708, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 13708 StartupTime: 133489068927264688, currentInstance : mb-umservice-umservice.exe(FFBB273C) RefCount=1 SpinLock=0 Offset=22144, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 13708, counter : time in resource per second Value=27 SpinLock=0 Lifetime=Type: 1 ProcessId: 13708 StartupTime: 133489068927264688, currentInstance : ad-umservice-umservice.exe(9A8AC6B6) RefCount=1 SpinLock=0 Offset=21816, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 6284, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 6284 StartupTime: 133489068910857861, currentInstance : rpca-msexchangetransportlogsearch-msexchangetransportlogsearch.exe(EF66F2D3) RefCount=1 SpinLock=0 Offset=21488, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 6284, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 6284 StartupTime: 133489068910857861, currentInstance : mb-msexchangetransportlogsearch-msexchangetransportlogsearch.exe(B020391C) RefCount=1 SpinLock=0 Offset=21160, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 6284, counter : time in resource per second Value=697 SpinLock=0 Lifetime=Type: 1 ProcessId: 6284 StartupTime: 133489068910857861, currentInstance : ad-msexchangetransportlogsearch-msexchangetransportlogsearch.exe(20578116) RefCount=1 SpinLock=0 Offset=20832, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 12076, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 12076 StartupTime: 133489068904451392, currentInstance : rpca-msexchangethrottling-msexchangethrottling.exe(8C1DA893) RefCount=1 SpinLock=0 Offset=20504, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 12076, counter : time in resource per second Value=0 SpinLock=0 Lifetime=Type: 1 ProcessId: 12076 StartupTime: 133489068904451392, currentInstance : mb-msexchangethrottling-msexchangethrottling.exe(AB2BADDC) RefCount=1 SpinLock=0 Offset=20176, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 12076, counter : time in resource per second Value=14 SpinLock=0 Lifetime=Type: 1 ProcessId: 12076 StartupTime: 133489068904451392, currentInstance : ad-msexchangethrottling-msexchangethrottling.exe(8962F4D6) RefCount=1 SpinLock=0 Offset=19848, categoryName: MSExchange Activity Context Resources
A process is holding onto a transport performance counter. processId : 12784, counter : time in resource per second Value=0 Spin...

Error: (01/08/2024 08:51:17 AM) (Source: MSExchangeFrontEndTransport) (EventID: 12018) (User: )
Description: The STARTTLS certificate will expire soon: subject: C11-EX-SVR-MBX4.gov.mu, thumbprint: 7D5ADF3BE38AF11C38D64BCB645B5D6E9DC78B19, hours remaining: 223. Run the New-ExchangeCertificate cmdlet to create a new certificate.


System errors:
=============
Error: (01/08/2024 09:10:16 AM) (Source: DCOM) (EventID: 10010) (User: GOM)
Description: The server {BB6DF56B-CACE-11DC-9992-0019B93A3A84} did not register with DCOM within the required timeout.

Error: (01/08/2024 09:10:04 AM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Error: (01/08/2024 09:10:04 AM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Error: (01/08/2024 09:10:04 AM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Error: (01/08/2024 09:09:29 AM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Error: (01/08/2024 09:08:49 AM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Error: (01/08/2024 09:08:43 AM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Error: (01/08/2024 09:08:29 AM) (Source: Schannel) (EventID: 4103) (User: NT AUTHORITY)
Description: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.


==================== Memory info ===========================

BIOS: HP I25 07/01/2013
Processor: Intel® Xeon® CPU E7- 4820 @ 2.00GHz
Percentage of memory in use: 21%
Total physical RAM: 131061.66 MB
Available physical RAM: 102256.55 MB
Total Virtual: 163829.66 MB
Available Virtual: 130164.76 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:279.36 GB) (Free:84.71 GB) (Model: HP LOGICAL VOLUME SCSI Disk Device) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (B_MBX4_VOL1) (Fixed) (Total:2764.67 GB) (Free:1416.69 GB) (Model: IBM 2145  Multi-Path Disk Device) NTFS
Drive e: (B_MBX4_VOL2) (Fixed) (Total:2764.67 GB) (Free:1197.3 GB) (Model: IBM 2145  Multi-Path Disk Device) NTFS
Drive f: (B_MBX4_VOL3) (Fixed) (Total:2764.67 GB) (Free:626.24 GB) (Model: IBM 2145  Multi-Path Disk Device) NTFS
Drive h: (B_MBX4_VOL5) (Fixed) (Total:2764.67 GB) (Free:1117.44 GB) (Model: IBM 2145  Multi-Path Disk Device) NTFS
Drive i: (B_MBX4_VOL6) (Fixed) (Total:2764.67 GB) (Free:1422.62 GB) (Model: IBM 2145  Multi-Path Disk Device) NTFS
Drive j: (B_MBX4_VOL7) (Fixed) (Total:2764.67 GB) (Free:1582.83 GB) (Model: IBM 2145  Multi-Path Disk Device) NTFS
Drive k: (LOGSMBX4) (Fixed) (Total:500 GB) (Free:127.46 GB) (Model: 3PARdata VV  Multi-Path Disk Device) NTFS
Drive n: (B_MBX4_VOL4) (Fixed) (Total:2764.67 GB) (Free:2683.08 GB) (Model: IBM 2145  Multi-Path Disk Device) NTFS


==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 279.4 GB) (Disk ID: D305A9FA)
Partition 1: (Active) - (Size=279.4 GB) - (Type=07 NTFS)

==========================================================
Disk: 1 (MBR Code: Windows 7/8/10) (Size: 500 GB) (Disk ID: 09D0C734)
Partition 1: (Active) - (Size=500 GB) - (Type=07 NTFS)

==========================================================
Disk: 2 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 3 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 4 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 5 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 6 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 7 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==========================================================
Disk: 8 (Protective MBR) (Size: 2764.8 GB) (Disk ID: 00000000)

Partition: GPT.

==================== End of Addition.txt =======================





