cryptowall 3.0


12 replies to this topic

#1 maxiluka

Posted 25 March 2015 - 03:57 PM

CryptoWall 3.0 encrypted thousands of files on a Windows Server 2008 R2, via a host that was identified and reformatted. Files were retrieved from backups. The remaining issue is whether or not the server is still infected with this virus. Below is the output from running FRST on the mentioned server:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015
Ran by Administrador (administrator) on EMI3 on 25-03-2015 12:30:59
Running from H:\FRST
Loaded Profiles: Administrador & SQLANYs_sem5 & semsrv & semwebsrv (Available profiles: Administrador & SQLANYs_sem5 & semsrv & semwebsrv)
Platform: Windows Server 2008 R2 Standard Service Pack 1 (X64) OS Language: Español (España, internacional)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Check Point Software Technologies Ltd.) C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe
(Microsoft Corporation) C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
(Microsoft Corporation) C:\Windows\System32\dfsrs.exe
(Microsoft Corporation) C:\Windows\System32\dns.exe
(ESET) C:\Program Files\ESET\ESET File Security\x86\ekrn.exe
(Prosoftnet) C:\Program Files (x86)\IDriveWindows\id_service.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(Microsoft Corporation) C:\Windows\System32\ismserv.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\SemLaunchSvc.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
(Apache Software Foundation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin\httpd.exe
(SAP AG or an SAP affiliate company) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv16.exe
(Check Point Software Technologies, Ltd.) C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe
(Apache Software Foundation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin\httpd.exe
(Microsoft Corporation) C:\Windows\System32\dfssvc.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
(Microsoft Corporation) C:\Windows\System32\PrintIsolationHost.exe
(Oracle Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\jre\bin\java.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(ESET) C:\Program Files\ESET\ESET File Security\egui.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Prosoftnet) C:\Program Files (x86)\IDriveWindows\id_bglaunch.exe
(Prosoftnet) C:\Program Files (x86)\IDriveWindows\id_tray.exe
(Check Point Software Technologies Ltd.) C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [37296 2011-06-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [IDrive Background process] => C:\Program Files (x86)\IDriveWindows\id_bglaunch.exe [67616 2015-03-06] (Prosoftnet)
HKLM-x32\...\Run: [IDrive Tray] => C:\Program Files (x86)\IDriveWindows\id_tray.exe [1986592 2015-03-06] (Prosoftnet)
HKLM-x32\...\Run: [ZoneAlarm] => C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe [137352 2014-05-30] (Check Point Software Technologies Ltd.)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
Lsa: [Notification Packages] scecli rassfm
SecurityProviders: credssp.dll, pwdssp.dll
ShellIconOverlayIdentifiers: [0001IDSIcon1] -> {0FA6DCC0-CF0B-427D-A8AF-97C466AB5769} => C:\Program Files (x86)\IDriveWindows\IDSyncIntIcon64.dll (Pro-Softnet Corporation, U.S.A)
ShellIconOverlayIdentifiers: [0001IDSIcon2] -> {66357BBE-D2E5-453C-95FF-8102EB32419D} => C:\Program Files (x86)\IDriveWindows\IDSyncIntIcon64.dll (Pro-Softnet Corporation, U.S.A)
ShellIconOverlayIdentifiers: [0001IDSIcon3] -> {904E6336-8B13-43FA-B4C3-5B62C1C91971} => C:\Program Files (x86)\IDriveWindows\IDSyncIntIcon64.dll (Pro-Softnet Corporation, U.S.A)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-3523971679-748213085-3231806746-500\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.zonealarm.com/?src=hp&tbid=HFA5&Lan=ES&gu=06a505506a044220a38bf23dbe33eee8&tu=10G9y00Iv3D20F0&sku=&tstsId=&ver=&
SearchScopes: HKU\S-1-5-21-3523971679-748213085-3231806746-500 -> DefaultScope {931D18FD-3652-4B69-8881-7597E61B1DB5} URL = http://search.zonealarm.com/search?src=sp&tbid=HFA5&Lan=ES&q={searchTerms}&gu=06a505506a044220a38bf23dbe33eee8&tu=10G9y00Iv3D20F0&sku=&tstsId=&ver=&&r=104
SearchScopes: HKU\S-1-5-21-3523971679-748213085-3231806746-500 -> {931D18FD-3652-4B69-8881-7597E61B1DB5} URL = http://search.zonealarm.com/search?src=sp&tbid=HFA5&Lan=ES&q={searchTerms}&gu=06a505506a044220a38bf23dbe33eee8&tu=10G9y00Iv3D20F0&sku=&tstsId=&ver=&&r=104
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-09-22] (Adobe Systems Incorporated)
Tcpip\..\Interfaces\{0792DCA3-EE83-4E9E-AD4D-6C1226B7C66A}: [NameServer] 200.69.193.1,200.69.193.2

FireFox:
========
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll [2011-06-07] (Adobe Systems Inc.)

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ADWS; C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe [487424 2013-01-25] (Microsoft Corporation)
R2 Dfs; C:\Windows\system32\dfssvc.exe [377344 2010-11-21] (Microsoft Corporation)
R2 DFSR; C:\Windows\system32\DFSRs.exe [4518400 2010-11-21] (Microsoft Corporation)
R2 DNS; C:\Windows\system32\dns.exe [696832 2011-12-26] (Microsoft Corporation)
S3 EHttpSrv; C:\Program Files\ESET\ESET File Security\ehttpsrv.exe [41160 2015-02-17] (ESET)
R2 ekrn; C:\Program Files\ESET\ESET File Security\x86\ekrn.exe [1566424 2015-02-17] (ESET)
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-13] (Microsoft Corporation)
R2 IDriveService; C:\Program Files (x86)\IDriveWindows\id_service.exe [100384 2015-03-06] (Prosoftnet)
R2 IsmServ; C:\Windows\System32\ismserv.exe [59392 2010-11-21] (Microsoft Corporation)
R2 kdc; C:\Windows\System32\lsass.exe [30720 2013-09-24] (Microsoft Corporation)
S3 LiveUpdate; C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_3.EXE [3114464 2012-05-18] (Symantec Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2011-04-13] (Hewlett-Packard) [File not signed]
R2 NTDS; C:\Windows\System32\lsass.exe [30720 2013-09-24] (Microsoft Corporation)
S4 NtFrs; C:\Windows\system32\ntfrs.exe [1020416 2010-11-21] (Microsoft Corporation)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2011-04-13] (Hewlett-Packard) [File not signed]
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-13] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-13] (Microsoft Corporation)
R2 semlaunchsrv; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\bin\SemLaunchSvc.exe [639328 2014-09-12] (Symantec Corporation)
R2 semsrv; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe [131424 2014-09-12] (Symantec Corporation)
R2 semwebsrv; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin\httpd.exe [28560 2014-09-12] (Apache Software Foundation)
R2 SQLANYs_sem5; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv16.exe [106840 2013-06-26] (SAP AG or an SAP affiliate company)
R2 vsmon; C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe [3592120 2014-05-30] (Check Point Software Technologies Ltd.)
R2 ZAPrivacyService; C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [90936 2014-05-29] (Check Point Software Technologies, Ltd.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 ASTGraphics; C:\Windows\System32\DRIVERS\astgrp.sys [126464 2010-10-27] (ASPEED Technology Inc.)
R1 DfsDriver; C:\Windows\System32\drivers\dfs.sys [51776 2009-07-13] (Microsoft Corporation)
R0 DfsrRo; C:\Windows\System32\drivers\dfsrro.sys [66944 2010-11-21] (Microsoft Corporation)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [243464 2015-02-17] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [177032 2015-02-17] (ESET)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [159992 2015-02-17] (ESET)
S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-10] (Intel Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-13] (Microsoft Corporation)
R1 Vsdatant; C:\Windows\System32\DRIVERS\vsdatant.sys [450968 2014-05-30] (Check Point Software Technologies Ltd.)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-25 12:30 - 2015-03-25 12:31 - 00000000 ____D () C:\FRST
2015-03-25 12:24 - 2015-03-25 12:31 - 00000000 ____D () C:\Users\Administrador\AppData\Local\Temp\1
2015-03-21 23:55 - 2015-03-24 23:55 - 00002149 _____ () C:\Users\SQLANYs_sem5\AppData\Local\Temp\sadiags.xml
2015-03-21 17:13 - 2015-03-21 17:13 - 00000000 ____D () C:\eScan
2015-03-21 17:11 - 2015-03-21 17:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
2015-03-21 17:11 - 2015-03-21 17:11 - 00000000 ____D () C:\ProgramData\ESET
2015-03-21 17:11 - 2015-03-21 17:11 - 00000000 ____D () C:\Program Files\ESET
2015-03-21 14:50 - 2015-03-21 14:50 - 00000000 ____D () C:\Users\semwebsrv\AppData\Roaming\SQL Anywhere 16
2015-03-21 14:49 - 2015-03-21 14:49 - 00000000 ____D () C:\Users\Administrador\AppData\Roaming\Symantec
2015-03-21 14:48 - 2015-03-21 14:48 - 00000020 ___SH () C:\Users\semwebsrv\ntuser.ini
2015-03-21 14:48 - 2015-03-21 14:48 - 00000000 _SHDL () C:\Users\semwebsrv\Reciente
2015-03-21 14:48 - 2015-03-21 14:48 - 00000000 _SHDL () C:\Users\semwebsrv\Plantillas
2015-03-21 14:48 - 2015-03-21 14:48 - 00000000 _SHDL () C:\Users\semwebsrv\Mis documentos
2015-03-21 14:48 - 2015-03-21 14:48 - 00000000 _SHDL () C:\Users\semwebsrv\Menú Inicio
2015-03-21 14:48 - 2015-03-21 14:48 - 00000000 _SHDL () C:\Users\semwebsrv\Impresoras
2015-03-21 14:48 - 2015-03-21 14:48 - 00000000 _SHDL () C:\Users\semwebsrv\Entorno de red
2015-03-21 14:48 - 2015-03-21 14:48 - 00000000 _SHDL () C:\Users\semwebsrv\Documents\Mis vídeos
2015-03-21 14:48 - 2015-03-21 14:48 - 00000000 _SHDL () C:\Users\semwebsrv\Documents\Mis imágenes
2015-03-21 14:48 - 2015-03-21 14:48 - 00000000 _SHDL () C:\Users\semwebsrv\Documents\Mi música
2015-03-21 14:48 - 2015-03-21 14:48 - 00000000 _SHDL () C:\Users\semwebsrv\Datos de programa
2015-03-21 14:48 - 2015-03-21 14:48 - 00000000 _SHDL () C:\Users\semwebsrv\AppData\Roaming\Microsoft\Windows\Start Menu\Programas
2015-03-21 14:48 - 2015-03-21 14:48 - 00000000 ____D () C:\Users\semwebsrv
2015-03-21 14:48 - 2009-07-14 01:58 - 00000000 ___RD () C:\Users\semwebsrv\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-03-21 14:48 - 2009-07-14 01:53 - 00000000 ___RD () C:\Users\semwebsrv\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-03-21 14:47 - 2015-03-25 12:21 - 01646592 _____ () C:\Users\SQLANYs_sem5\AppData\Local\Temp\sqla0000.tmp
2015-03-21 14:47 - 2015-03-25 12:19 - 00000000 ____D () C:\Users\semsrv\AppData\Local\Temp\hsperfdata_semsrv
2015-03-21 14:47 - 2015-03-21 14:47 - 00000020 ___SH () C:\Users\SQLANYs_sem5\ntuser.ini
2015-03-21 14:47 - 2015-03-21 14:47 - 00000020 ___SH () C:\Users\semsrv\ntuser.ini
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\SQLANYs_sem5\Reciente
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\SQLANYs_sem5\Plantillas
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\SQLANYs_sem5\Mis documentos
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\SQLANYs_sem5\Menú Inicio
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\SQLANYs_sem5\Impresoras
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\SQLANYs_sem5\Entorno de red
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\SQLANYs_sem5\Documents\Mis vídeos
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\SQLANYs_sem5\Documents\Mis imágenes
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\SQLANYs_sem5\Documents\Mi música
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\SQLANYs_sem5\Datos de programa
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\SQLANYs_sem5\AppData\Roaming\Microsoft\Windows\Start Menu\Programas
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\semsrv\Reciente
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\semsrv\Plantillas
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\semsrv\Mis documentos
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\semsrv\Menú Inicio
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\semsrv\Impresoras
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\semsrv\Entorno de red
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\semsrv\Documents\Mis vídeos
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\semsrv\Documents\Mis imágenes
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\semsrv\Documents\Mi música
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\semsrv\Datos de programa
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 _SHDL () C:\Users\semsrv\AppData\Roaming\Microsoft\Windows\Start Menu\Programas
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 ____D () C:\Users\SQLANYs_sem5
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 ____D () C:\Users\semsrv\AppData\Roaming\SQL Anywhere 16
2015-03-21 14:47 - 2015-03-21 14:47 - 00000000 ____D () C:\Users\semsrv
2015-03-21 14:47 - 2009-07-14 01:58 - 00000000 ___RD () C:\Users\SQLANYs_sem5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-03-21 14:47 - 2009-07-14 01:58 - 00000000 ___RD () C:\Users\semsrv\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-03-21 14:47 - 2009-07-14 01:53 - 00000000 ___RD () C:\Users\SQLANYs_sem5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-03-21 14:47 - 2009-07-14 01:53 - 00000000 ___RD () C:\Users\semsrv\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-03-21 14:46 - 2015-03-21 14:46 - 00000215 _____ () C:\Windows\ODBC.INI
2015-03-21 14:46 - 2015-03-21 14:46 - 00000000 ____D () C:\Users\Administrador\AppData\Roaming\SQL Anywhere 16
2015-03-21 14:46 - 2015-03-21 14:46 - 00000000 ____D () C:\ProgramData\SQL Anywhere 16
2015-03-21 14:19 - 2015-03-21 14:19 - 00000000 ____D () C:\ProgramData\Symantec Shared
2015-03-21 14:15 - 2015-03-21 15:01 - 00000000 ____D () C:\ProgramData\Symantec
2015-03-21 14:15 - 2015-03-21 14:15 - 00000875 _____ () C:\Users\Administrador\AppData\Local\Temp\a43c4c6b-1e53-4340-a127-920aafece8aa.zip
2015-03-21 14:15 - 2015-03-21 14:15 - 00000000 ____D () C:\ProgramData\regid.1992-12.com.symantec
2015-03-21 14:15 - 2015-03-21 14:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Symantec Endpoint Protection Manager
2015-03-21 14:15 - 2015-03-21 14:15 - 00000000 ____D () C:\Program Files (x86)\Symantec
2015-03-21 14:15 - 2012-05-18 19:56 - 00511328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\capicom.dll
2015-03-21 14:15 - 2007-03-21 20:39 - 01060864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MFC71.DLL
2015-03-21 14:15 - 2007-03-21 20:33 - 00503808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MSVCP71.DLL
2015-03-21 14:15 - 2007-03-21 20:33 - 00348160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MSVCR71.DLL
2015-03-19 13:40 - 2015-03-19 13:40 - 02998656 _____ (Enigma Software Group USA, LLC.) C:\Users\Administrador\Downloads\SpyHunter-Installer.exe
2015-03-19 12:43 - 2015-03-19 12:43 - 00431135 _____ () C:\Windows\system32\Drivers\vsconfig.xml
2015-03-19 12:43 - 2015-03-19 12:43 - 00014968 _____ () C:\Users\Administrador\AppData\Local\Temp\dd_vcredistUI33F0.txt
2015-03-19 12:43 - 2015-03-19 12:43 - 00000762 _____ () C:\Users\Public\Desktop\ZoneAlarm Security.lnk
2015-03-19 12:43 - 2015-03-19 12:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Check Point
2015-03-19 12:42 - 2015-03-19 12:43 - 00015208 _____ () C:\Users\Administrador\AppData\Local\Temp\dd_vcredistUI33DF.txt
2015-03-19 12:40 - 2015-03-19 12:43 - 00000000 ____D () C:\Program Files (x86)\CheckPoint
2015-03-19 12:40 - 2015-03-19 12:40 - 00000000 ____D () C:\Users\Administrador\AppData\Roaming\Check Point Software Technologies LTD
2015-03-19 12:40 - 2015-03-19 12:40 - 00000000 ____D () C:\ProgramData\CheckPoint
2015-03-19 12:40 - 2015-03-19 12:40 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-03-19 12:40 - 2015-03-19 12:40 - 00000000 ____D () C:\Program Files (x86)\Check Point Software Technologies LTD
2015-03-12 18:12 - 2015-03-12 18:38 - 00041472 _____ () C:\Users\Administrador\Desktop\SI-siat yoder ut 2015.xls
2015-03-12 17:07 - 2015-03-21 19:25 - 00000000 ____D () C:\ProgramData\IDrive
2015-03-12 17:07 - 2015-03-12 17:14 - 00000000 ____D () C:\Program Files (x86)\IDriveWindows
2015-03-12 17:07 - 2015-03-12 17:07 - 00392952 _____ () C:\Users\Administrador\AppData\Local\Temp\dd_vcredistMSI5B8C.txt
2015-03-12 17:07 - 2015-03-12 17:07 - 00011398 _____ () C:\Users\Administrador\AppData\Local\Temp\dd_vcredistUI5B8C.txt
2015-03-12 17:07 - 2015-03-12 17:07 - 00001930 _____ () C:\Users\Public\Desktop\IDrive.lnk
2015-03-12 17:07 - 2015-03-12 17:07 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IDrive
2015-03-12 17:07 - 2015-01-27 19:18 - 00533776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml.dll
2015-03-12 17:07 - 2015-01-27 19:18 - 00024064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3a.dll
2015-03-12 16:56 - 2015-03-12 16:56 - 00052652 _____ () C:\Users\Administrador\AppData\Local\Temp\Uninstall_2015-03-12-16-56-06-543.log

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-25 12:29 - 2011-08-03 19:10 - 01658750 _____ () C:\Windows\WindowsUpdate.log
2015-03-25 12:27 - 2011-08-04 10:09 - 00006448 _____ () C:\Windows\system32\config\netlogon.dnb
2015-03-25 12:27 - 2011-08-04 10:09 - 00002353 _____ () C:\Windows\system32\config\netlogon.dns
2015-03-25 12:23 - 2010-11-21 05:16 - 00721558 _____ () C:\Windows\system32\perfh00A.dat
2015-03-25 12:23 - 2010-11-21 05:16 - 00145908 _____ () C:\Windows\system32\perfc00A.dat
2015-03-25 12:23 - 2009-07-14 02:10 - 01605896 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-25 12:21 - 2009-07-14 01:49 - 00021344 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-25 12:21 - 2009-07-14 01:49 - 00021344 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-25 12:18 - 2011-08-04 10:05 - 00000000 ____D () C:\Windows\system32\dns
2015-03-25 12:18 - 2009-07-14 02:06 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-25 12:17 - 2010-11-21 00:47 - 00047702 _____ () C:\Windows\PFRO.log
2015-03-25 12:17 - 2009-07-14 01:49 - 00273536 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-03-21 14:57 - 2009-07-14 00:20 - 00000000 ____D () C:\Windows\system32\NDF
2015-03-21 14:45 - 2014-06-27 12:48 - 00000000 ____D () C:\Users\Administrador\Documents\My Data Files
2015-03-21 14:09 - 2011-08-04 16:48 - 00000000 ____D () C:\download
2015-03-19 12:43 - 2009-07-14 00:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2015-03-19 10:55 - 2009-07-14 01:56 - 00020214 _____ () C:\Windows\setupact.log
2015-03-12 16:56 - 2011-11-21 16:24 - 00000000 ____D () C:\ProgramData\SOS Online Backup

==================== Files in the root of some directories =======

2011-08-05 14:44 - 2011-08-05 14:44 - 0000017 _____ () C:\Users\Administrador\AppData\Local\resmon.resmoncfg
2008-02-05 13:28 - 2008-02-05 13:28 - 0000051 _____ () C:\Users\Administrador\AppData\Local\setup.txt

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-03-25 01:21

==================== End Of Log ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-03-2015
Ran by Administrador at 2015-03-25 12:32:37
Running from H:\FRST
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

64 Bit HP CIO Components Installer (Version: 8.2.2 - Hewlett-Packard) Hidden
Adobe Reader 9.4.5 - Español (HKLM-x32\...\{AC76BA86-7AD7-1034-7B44-A94000000001}) (Version: 9.4.5 - Adobe Systems Incorporated)
ASPEED Graphics WinS08R2_x64 v.0.92 (HKLM-x32\...\{F9A6232C-3F26-4C3C-92DE-2EB3158FA1AC}) (Version: 0.92 - ASPEED Technology Inc.)
Compresor WinRAR (HKLM-x32\...\WinRAR archiver) (Version:  - )
ESET File Security (HKLM\...\{74FAA6E3-00E3-4082-824E-E2D4B523A028}) (Version: 6.0.12032.2 - ESET, spol. s r.o.)
HP Designjet 510 Printer Series (HKLM-x32\...\HP Designjet 510 Printer Series) (Version:  - Hewlett-Packard Co.)
IDrive Version - 6.0 (HKLM-x32\...\IDrive_is1) (Version: 6.0 - Pro Softnet Corp)
Intel® Network Connections 16.1.53.0 (HKLM\...\PROSetDX) (Version: 16.1.53.0 - Intel)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.1.0.1008 - Intel Corporation)
LiveUpdate 3.3 (Symantec Corporation) (HKLM-x32\...\LiveUpdate) (Version: 3.3.100.15 - Symantec Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Registro web de HP (x32 Version: 1.0.0.0 - Hewlett Packard, Co.) Hidden
Symantec Endpoint Protection Manager (HKLM-x32\...\{1EF6B398-E449-55C0-9A52-3C6F2774FD1B}) (Version: 12.1.5337.5000 - Symantec Corporation)
Windows Driver Package - ASPEED (ASTGraphics) Display  (08/16/2010 6.00.10.0092) (HKLM\...\9E32ECCCE11CB8D7310015CF301016F0FD7263CC) (Version: 08/16/2010 6.00.10.0092 - ASPEED)
Wondershare Data Recovery(Build 4.6.1.3) (HKLM-x32\...\{FEA3976F-D621-45F3-AFBD-E812A1F2F00D}_is1) (Version: 4.6.1.3 - Wondershare Software Co.,Ltd.)
ZoneAlarm Firewall (x32 Version: 13.2.015.000 - Check Point Software Technologies Ltd.) Hidden
ZoneAlarm Free Firewall (HKLM-x32\...\ZoneAlarm Free Firewall) (Version: 13.2.015.000 - Check Point)
ZoneAlarm Security (x32 Version: 13.2.015.000 - Check Point Software Technologies Ltd.) Hidden
ZoneAlarm Security Toolbar  (HKLM-x32\...\zonealarm) (Version: 1.8.29.17 - Check Point Software Technologies LTD)
ZoneAlarm Security Toolbar  (HKU\S-1-5-21-3523971679-748213085-3231806746-500\...\zonealarm) (Version: 1.8.29.17 - Check Point Software Technologies LTD)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points  =========================

ATTENTION: System Restore is disabled.
Check "winmgmt" service or repair WMI.

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 23:34 - 2009-06-10 18:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {63EE8552-A444-4BA2-8E1E-C8350D6D412A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [2009-07-13] (Microsoft Corporation)
Task: {69110D7B-41DC-4E9D-BDD3-C826C7DB613B} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector => C:\Windows\system32\ceipdata.exe [2010-11-21] (Microsoft Corporation)
Task: {AFECE848-8DA2-461B-B5E6-CBEF57A4DF7D} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [2010-11-21] (Microsoft Corporation)
Task: {D49A10DA-0F70-4779-BD96-B2D976A4F2E3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [2010-11-21] (Microsoft Corporation)

==================== Loaded Modules (whitelisted) ==============

2015-03-12 17:07 - 2015-03-06 20:00 - 00013312 _____ () C:\Program Files (x86)\IDriveWindows\SqliteWrapper.dll
2015-03-12 17:07 - 2015-01-27 19:16 - 00834048 _____ () C:\Program Files (x86)\IDriveWindows\sqlite3.dll
2015-03-12 17:07 - 2015-01-27 19:18 - 00225280 _____ () C:\Program Files (x86)\IDriveWindows\Sync.dll
2014-09-12 21:13 - 2014-09-12 21:13 - 00074640 _____ () C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin\pcre.dll
2014-04-14 17:41 - 2014-04-14 17:41 - 00169472 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\0a0467413a424068d1471448ff6ca6cc\IsdiInterop.ni.dll
2011-08-05 13:04 - 2010-11-05 23:50 - 00058880 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vsmon => ""="Service"

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3523971679-748213085-3231806746-500\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 200.69.193.1 - 200.69.193.2

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

==================== Accounts: =============================

Administrador (S-1-5-21-338390002-1835066212-1108570050-500 - Administrator - Enabled)
Invitado (S-1-5-21-338390002-1835066212-1108570050-501 - Limited - Disabled)
krbtgt (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
pal (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
lucas (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
iso (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mij (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mca (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
plo (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
ala (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mlc (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
luka (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
EMI3$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile

==================== Faulty Device Manager Devices =============

Name: Teclado PS/2 estándar
Description: Teclado PS/2 estándar
Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Manufacturer: (Teclados estándar)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================

Application errors:
==================
Error: (03/25/2015 00:19:31 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/25/2015 07:11:15 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Nombre de la aplicación con errores: dns.exe, versión: 6.1.7601.17750, marca de tiempo: 0x4ef7cfe4
Nombre del módulo con errores: ntdll.dll, versión: 6.1.7601.18247, marca de tiempo: 0x521eaf24
Código de excepción: 0xc0000005
Desplazamiento de errores: 0x000000000004e4e4
Id. del proceso con errores: 0x6c4
Hora de inicio de la aplicación con errores: 0xdns.exe0
Ruta de acceso de la aplicación con errores: dns.exe1
Ruta de acceso del módulo con errores: dns.exe2
Id. del informe: dns.exe3

Error: (03/21/2015 01:01:56 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/19/2015 01:59:29 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/19/2015 11:38:10 AM) (Source: MsiInstaller) (EventID: 10005) (User: TITAN)
Description: Product: ESET NOD32 Antivirus -- Error 5003. Esta versión del producto no está destinada para los sistemas operativos de servidores.

Error: (03/19/2015 11:30:48 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/19/2015 10:56:37 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/19/2015 10:41:27 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/18/2015 08:57:12 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/18/2015 02:58:50 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

System errors:
=============
Error: (03/25/2015 00:17:56 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: El cierre anterior del sistema a las 12:13:30 p.m. del ‎25/‎03/‎2015 resultó inesperado.

Error: (03/25/2015 07:22:45 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: No se puede procesar la directiva de grupo debido a que no se puede conectar a un controlador de dominio a través de la red. Esta condición puede ser temporal. Se podría generar un mensaje de operación correcta una vez que el equipo se conecte al controlador de dominio y la directiva de grupo se procese correctamente. Póngase en contacto con el administrador si no ve un mensaje de operación correcta en un algún par de horas.

Error: (03/25/2015 07:17:12 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: El servicio Servidor DNS terminó inesperadamente. Esto se ha repetido 1 veces. Se realizará la siguiente acción correctora en 120000 milisegundos: Reiniciar el servicio.

Error: (03/25/2015 07:07:38 AM) (Source: NETLOGON) (EventID: 5774) (User: )
Description: Error en el registro dinámico del registro DNS '_ldap._tcp.Default-First-Site-Name._sites.TITAN.JUPITER.EMI. 600 IN SRV 0 100 389 EMI3.TITAN.JUPITER.EMI.' en el siguiente servidor DNS:

 

Dirección IP del servidor DNS: 192.168.1.3

Código de respuesta devuelto (RCODE): 0

Código de estado devuelto: 10054

 

Para que los equipos y usuarios puedan localizar este controlador de dominio, este registro deberá
registrarse en DNS.

 

ACCIÓN DEL USUARIO

Determine la causa del error, solucione el problema e inicie el registro de los
registros DNS mediante el controlador de dominio. Para determinar la causa del
error, ejecute DCDiag.exe. Para obtener más información acerca de DCDiag.exe, consulte el Centro de ayuda
y soporte técnico. Para iniciar el registro de los registros DNS mediante este controlador de
dominio, ejecute 'nltest.exe /dsregdns' desde el símbolo del sistema en el controlador de dominio
o reinicie el servicio de Net Logon.
  También puede agregar manualmente este registro a DNS, pero
no se recomienda.

 

DATOS ADICIONALES

Valor del error: %%10054

Error: (03/25/2015 06:59:31 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1054) (User: NT AUTHORITY)
Description: No se pudo procesar la directiva de grupo. Windows no pudo obtener el nombre del controlador de dominio. Esto se puede deber a un error en la resolución de nombres. Compruebe que el Sistema de nombres de dominio (DNS) esté configurado y que funcione correctamente.

Error: (03/25/2015 06:30:30 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1054) (User: NT AUTHORITY)
Description: No se pudo procesar la directiva de grupo. Windows no pudo obtener el nombre del controlador de dominio. Esto se puede deber a un error en la resolución de nombres. Compruebe que el Sistema de nombres de dominio (DNS) esté configurado y que funcione correctamente.

Error: (03/25/2015 06:07:08 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1054) (User: NT AUTHORITY)
Description: No se pudo procesar la directiva de grupo. Windows no pudo obtener el nombre del controlador de dominio. Esto se puede deber a un error en la resolución de nombres. Compruebe que el Sistema de nombres de dominio (DNS) esté configurado y que funcione correctamente.

Error: (03/25/2015 05:38:06 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1054) (User: NT AUTHORITY)
Description: No se pudo procesar la directiva de grupo. Windows no pudo obtener el nombre del controlador de dominio. Esto se puede deber a un error en la resolución de nombres. Compruebe que el Sistema de nombres de dominio (DNS) esté configurado y que funcione correctamente.

Error: (03/25/2015 05:09:05 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1054) (User: NT AUTHORITY)
Description: No se pudo procesar la directiva de grupo. Windows no pudo obtener el nombre del controlador de dominio. Esto se puede deber a un error en la resolución de nombres. Compruebe que el Sistema de nombres de dominio (DNS) esté configurado y que funcione correctamente.

Error: (03/25/2015 04:40:04 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1054) (User: NT AUTHORITY)
Description: No se pudo procesar la directiva de grupo. Windows no pudo obtener el nombre del controlador de dominio. Esto se puede deber a un error en la resolución de nombres. Compruebe que el Sistema de nombres de dominio (DNS) esté configurado y que funcione correctamente.

Microsoft Office Sessions:
=========================
Error: (03/25/2015 00:19:31 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/25/2015 07:11:15 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: dns.exe6.1.7601.177504ef7cfe4ntdll.dll6.1.7601.18247521eaf24c0000005000000000004e4e46c401d063f031ce2d6aC:\Windows\system32\dns.exeC:\Windows\SYSTEM32\ntdll.dll452a8e9b-d2d7-11e4-8cd7-f46d0437404e

Error: (03/21/2015 01:01:56 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/19/2015 01:59:29 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/19/2015 11:38:10 AM) (Source: MsiInstaller) (EventID: 10005) (User: TITAN)
Description: Product: ESET NOD32 Antivirus -- Error 5003. Esta versión del producto no está destinada para los sistemas operativos de servidores.(NULL)(NULL)(NULL)(NULL)(NULL)

Error: (03/19/2015 11:30:48 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/19/2015 10:56:37 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/19/2015 10:41:27 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/18/2015 08:57:12 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (03/18/2015 02:58:50 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

==================== Memory info ===========================

Processor: Intel® Xeon® CPU E31240 @ 3.30GHz
Percentage of memory in use: 31%
Total physical RAM: 8182.15 MB
Available physical RAM: 5605.1 MB
Total Pagefile: 16362.48 MB
Available Pagefile: 13681.91 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:79.9 GB) (Free:33.15 GB) NTFS
Drive d: (disco_D_39GB_pres) (Fixed) (Total:39 GB) (Free:8.01 GB) NTFS
Drive e: (disco_E_40GB_correo) (Fixed) (Total:40 GB) (Free:39.71 GB) NTFS
Drive g: (disco_G_proyectos) (Fixed) (Total:399.91 GB) (Free:196.6 GB) NTFS
Drive h: (KINGSTON) (Removable) (Total:29.06 GB) (Free:27.39 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 558.9 GB) (Disk ID: 2E252B8E)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=79.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=39 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=439.9 GB) - (Type=OF Extended)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 29.1 GB) (Disk ID: C3A8DC72)
Partition 1: (Not Active) - (Size=29.1 GB) - (Type=0C)

==================== End Of Log ============================

Attached File: FRST_TOTAL.txt (41.75KB)

 



#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,037 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:06:48 AM

Posted 27 March 2015 - 09:37 AM

Greetings maxiluka and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow this topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. I am not seeing any signs of active malware but I do want to bring to your attention just a few items for you to evaluate.

The line below seems to possibly be related to FRST but it is worthy of you taking a look:

2015-03-25 12:24 - 2015-03-25 12:31 - 00000000 ____D () C:\Users\Administrador\AppData\Local\Temp\1


----------

Regarding the below, this seems to be related to Symantec but the second line is a bit strange. I can find no other instance of that name when I research it. You may want to check the contents of that directory.

2015-03-21 14:47 - 2015-03-25 12:21 - 01646592 _____ () C:\Users\SQLANYs_sem5\AppData\Local\Temp\sqla0000.tmp
2015-03-21 14:47 - 2015-03-25 12:19 - 00000000 ____D () C:\Users\semsrv\AppData\Local\Temp\hsperfdata_semsrv


----------

Are you aware of this?

ATTENTION: System Restore is disabled.


===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Responses to issues
  • Are you experiencing any symptoms?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 maxiluka

maxiluka
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:48 AM

Posted 30 March 2015 - 08:10 AM

Hi Gary!

Thanks for your response; since I'm no specialist in Windows server administration, I'll beg for your patience.

 

C:\Users\Administrador\AppData\Local\Temp\1

It seems folder 1 does not exist any more.

 

 C:\Users\semsrv\AppData\Local\Temp\hsperfdata_semsrv

This folder is empty

 

ATTENTION: System Restore is disabled

No idea what this is for

 

Regards



#4 Oh My!

Posted 30 March 2015 - 09:12 AM

Good morning.

I am not a specialist in Windows Server either but we will see what we can do.

Are you experiencing any issues right now?

Please do this.

===================================================

Farbar's Service Scanner

--------------------
  • Please download Farbar Service Scanner, save it to your desktop, and run it.
  • Make sure the following options are checked:

Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services

  • Press Scan
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Are you having any current issues?
  • FSS log

Gary
 

#5 maxiluka

Posted 30 March 2015 - 12:23 PM

Hi Gary,
So far the system is running without trouble,
this is the output of FSS:

Farbar Service Scanner Version: 17-01-2015
Ran by Administrador (administrator) on 30-03-2015 at 13:51:59
Running from "C:\Users\Administrador\Desktop"
Microsoft Windows Server 2008 R2 Standard Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Policy:
========================


Action Center:
============

wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed

ATTENTION!=====> C:\Windows\System32\SDRSVC.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\Windows\System32\vssvc.exe => File is digitally signed

ATTENTION!=====> C:\Windows\System32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed

ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> C:\Program Files\Windows Defender\MsMpEng.exe FILE IS MISSING AND SHOULD BE RESTORED.

C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****
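As an added example (not part of this thread and not code from Farbar's tools), the PowerShell below re-runs the checks behind the FSS findings above so they can be verified by hand on the server: whether the service registry keys exist, whether the listed files are present and carry a valid Authenticode signature, and what the firewall policy values say. The service and file names are the ones the FSS log reports; everything else (the output format, the extra firewall profiles) is an assumption made for the example. Note that Windows Server 2008 R2 has no Security Center (wscsvc) and ships Windows Defender only with the Desktop Experience feature, so "key does not exist" for those entries is expected on a server and is not by itself a sign of tampering.

```powershell
# Added example, not from the thread or from Farbar's tools.
# Run in an elevated PowerShell on the server that FSS was run on.

# Services FSS reported on. Some are client-only components that a server SKU
# does not ship, so a missing key is expected for those.
$services = 'wscsvc', 'WinDefend', 'SDRSVC', 'VSS', 'MpsSvc', 'BFE', 'wuauserv', 'BITS', 'CryptSvc'

foreach ($svc in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $key) {
        $p = Get-ItemProperty $key
        '{0,-10} Start={1} ImagePath={2}' -f $svc, $p.Start, $p.ImagePath
    } else {
        '{0,-10} registry key does not exist' -f $svc
    }
}

# Files FSS flagged or verified: present, and signed by whom?
$files = @(
    "$env:SystemRoot\System32\wscsvc.dll",
    "$env:SystemRoot\System32\SDRSVC.dll",
    "$env:SystemRoot\System32\vssvc.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:ProgramFiles\Windows Defender\MpSvc.dll",
    "$env:ProgramFiles\Windows Defender\MsMpEng.exe"
)

foreach ($f in $files) {
    if (-not (Test-Path $f)) {
        "MISSING  $f"
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $f
    # SignerCertificate is $null when the file is not signed; the Subject then prints empty.
    '{0,-10} {1}  signer={2}' -f $sig.Status, $f, $sig.SignerCertificate.Subject
}

# Firewall policy values of the kind FSS printed. EnableFirewall=0 means the
# firewall is turned off for that profile; a missing value means no override is set.
foreach ($fwProfile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$fwProfile"
    if (Test-Path $key) {
        $v = (Get-ItemProperty $key -ErrorAction SilentlyContinue).EnableFirewall
        '{0,-16} EnableFirewall={1}' -f $fwProfile, $v
    }
}
```

One caveat when reading the signature column: many Windows system files are signed only through a security catalog rather than an embedded signature, and the PowerShell 2.0 that ships with 2008 R2 reports those as NotSigned. For a file that shows NotSigned but is present, confirm with `sfc /verifyfile=<path>` before treating it as altered.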

#6 Oh My!

Posted 30 March 2015 - 01:36 PM

Thanks, can you tell me if you have access to another Server 2008 computer?
Gary
 

#7 maxiluka

Posted 30 March 2015 - 04:16 PM

Unfortunately not, there is only that one

#8 Oh My!

Posted 30 March 2015 - 04:21 PM

OK please allow me some time to look into this. I need to be careful because I don't think the tools we use are designed with Server 2008 in mind so some of the warnings may or may not be applicable. I don't want to inadvertently make things worse.
Gary
 

#9 Oh My!

Posted 30 March 2015 - 04:42 PM

Are you familiar with Desktop Experience Pack?


Gary
 

#10 maxiluka

Posted 31 March 2015 - 06:24 PM

Hi Gary,

not familiar with DEP, but if you want me to try I will try to take a look. Just wait a few days, I am now out of office.

Thanks



#11 Oh My!

Posted 31 March 2015 - 07:30 PM

No problem. I think the best thing to do is reinstall Windows Defender and it is done via Desktop Experience Pack.


Gary
 

#12 Oh My!

Posted 05 April 2015 - 05:52 PM

Greetings,

===================================================

3 Day Bump

It has been more than 3 days since my last post.
  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Gary
 

#13 Oh My!

Posted 07 April 2015 - 09:10 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Gary
 



