  1. #21
    Corrine (Join Date: Feb 2012; Location: Upstate, NY; Posts: 8,479)

    Re: Artemis Trojan

    I'm going with just that one file so let's see what happens now. Let me know if you can boot to normal mode and, if so, in addition to the FRST log, please go ahead with the Malwarebytes Anti-Rootkit scan.

    • Click Start
    • Type notepad.exe in the search programs and files box and click Enter.
    • A blank Notepad page should open.
    • Copy/Paste the contents of the code box below into Notepad.

    Code:
    S2 syshost32; C:\Windows\Installer\{269A4ED8-3094-6D54-48F0-3CC425AC5ECE}\syshost.exe [196923 2015-07-14] ()
    C:\Windows\Installer\{269A4ED8-3094-6D54-48F0-3CC425AC5ECE}
    • Save it to your USB flashdrive as fixlist.txt


    NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

    Boot into Recovery Environment

    • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
      • Press the Fix button once and wait.
      • FRST will process fixlist.txt
      • When finished, it will produce a log fixlog.txt on your USB flashdrive.
    • Exit out of Recovery Environment and copy/paste the log please.
    Last edited by Corrine; 07-24-2015 at 08:45 PM.


    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

    Remember - A day without laughter is a day wasted.
    May the wind sing to you and the sun rise in your heart.



  2. #22

    Re: Artemis Trojan

    No joy I am afraid. I ran frst64 again.


    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:20-07-2015
    Ran by SYSTEM on MININT-R9HO8RQ on 25-07-2015 10:48:49
    Running from C:\
    Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
    Internet Explorer Version 11
    Boot Mode: Recovery
    The current controlset is ControlSet001
    ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
    Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Geeks to Go Forum
    ==================== Registry (Whitelisted) ==================
    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
    HKLM\...\Run: [Stage Remote] => C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe [2022976 2011-06-27] ()
    HKLM\...\Run: [boinctray] => C:\Program Files\BOINC\boinctray.exe [68928 2015-03-09] (Space Sciences Laboratory)
    HKLM\...\Run: [boincmgr] => C:\Program Files\BOINC\boincmgr.exe [8926016 2015-03-09] (Space Sciences Laboratory)
    HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-06] (Apple Inc.)
    HKLM-x32\...\Run: [RemoteControl9] => C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2010-10-01] (CyberLink Corp.)
    HKLM-x32\...\Run: [PDVD9LanguageShortcut] => C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-09-17] (CyberLink Corp.)
    HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [616272 2015-04-07] (McAfee, Inc.)
    HKLM-x32\...\Run: [RoxWatchTray] => C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-24] (Sonic Solutions)
    HKLM-x32\...\Run: [Desktop Disc Tool] => C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
    HKLM-x32\...\Run: [AccuWeatherWidget] => C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe [968048 2012-02-01] ()
    HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-03-20] (Apple Inc.)
    HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe [719272 2015-04-02] (McAfee, Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [335232 2015-04-10] (Oracle Corporation)
    HKLM\...\RunOnce: [*Restore] => C:\Windows\system32\rstrui.exe [296960 2015-05-25] (Microsoft Corporation)
    Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
    HKLM\...\Policies\Explorer: [NoControlPanel] 0
    HKLM\...\Policies\Explorer: [NoFolderOptions] 0
    HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
    HKLM\...\Policies\Explorer: [HideSCAHealth] 1
    HKU\Orrin JNR\...\Run: [Google Update] => C:\Users\Orrin JNR\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-15] (Google Inc.)
    HKU\Thomas\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [53282944 2015-06-16] (Skype Technologies S.A.)
    HKU\Thomas\...\Run: [Amazon Music] => C:\Users\Thomas\AppData\Local\Amazon Music\Amazon Music Helper.exe [6277952 2014-12-07] ()
    HKU\Thomas\...\Run: [OneDrive] => C:\Users\Thomas\AppData\Local\Microsoft\OneDrive\OneDrive.exe [382664 2015-05-22] (Microsoft Corporation)
    HKU\Thomas\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
    HKU\Thomas\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7451928 2015-03-13] (Piriform Ltd)
    ==================== Services (Whitelisted) =================
    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
    S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
    S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2739888 2015-05-18] (Microsoft Corporation)
    S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
    S2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [155368 2015-07-03] (McAfee, Inc.)
    S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [753768 2015-04-07] (McAfee, Inc.)
    S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
    S2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.5.450.0\McCSPServiceHost.exe [207344 2015-04-08] (McAfee, Inc.)
    S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
    S2 McNaiAnn; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
    S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [612688 2015-04-09] (McAfee, Inc.)
    S2 mcpltsvc; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
    S2 McProxy; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
    S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232656 2015-02-17] (McAfee, Inc.)
    S2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [372144 2015-04-06] (McAfee, Inc.)
    S2 mfevtp; C:\Windows\system32\mfevtps.exe [250672 2015-02-17] (McAfee, Inc.)
    S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
    S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
    ==================== Drivers (Whitelisted) ====================
    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
    S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [68784 2015-02-17] (McAfee, Inc.)
    S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
    S2 McPvDrv; C:\Windows\system32\drivers\McPvDrv.sys [76064 2015-03-27] (McAfee, Inc.)
    S3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [401736 2015-02-17] (McAfee, Inc.)
    S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [337888 2015-02-17] (McAfee, Inc.)
    S0 mfedisk; C:\Windows\System32\DRIVERS\mfedisk.sys [101872 2015-02-17] (McAfee, Inc.)
    S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [488000 2015-02-17] (McAfee, Inc.)
    S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [864072 2015-02-17] (McAfee, Inc.)
    S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [482600 2015-01-15] (McAfee, Inc.)
    S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [100720 2015-01-15] (McAfee, Inc.)
    S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340448 2015-02-17] (McAfee, Inc.)
    S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
    S0 sptd; C:\Windows\System32\Drivers\sptd.sys [564824 2013-01-03] (Duplex Secure Ltd.)
    ==================== NetSvcs (Whitelisted) ===================
    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    ==================== One Month Created files and folders ========
    (If an entry is included in the fixlist, the file/folder will be moved.)
    2015-07-24 11:40 - 2015-07-25 10:48 - 00000000 _____ C:\FRST.txt
    2015-07-24 11:36 - 2015-07-25 10:48 - 00000000 ____D C:\FRST
    2015-07-23 01:37 - 2015-07-23 01:37 - 02135552 _____ (Farbar) C:\frst64.exe
    2015-07-21 12:29 - 2015-07-21 12:25 - 00002289 _____ C:\Users\Thomas\Desktop\SFCFix.zip
    2015-07-21 12:24 - 2015-07-21 12:25 - 00002289 _____ C:\Users\Thomas\Downloads\SFCFix.zip
    2015-07-17 14:37 - 2015-07-21 12:51 - 00000000 ____D C:\Users\Thomas\AppData\Local\niemiro
    2015-07-17 05:03 - 2015-07-17 05:03 - 00000387 _____ C:\Users\Thomas\Desktop\copy.txt
    2015-07-17 04:56 - 2015-07-17 04:57 - 00000000 ____D C:\Users\Thomas\copy
    2015-07-17 04:55 - 2015-07-17 04:55 - 00000000 ____D C:\Users\Thomas\Downloads\Copy
    2015-07-17 03:11 - 2015-07-21 12:51 - 00003148 _____ C:\Users\Thomas\Desktop\SFCFix.txt
    2015-07-17 03:11 - 2015-07-21 12:51 - 00000000 ____D C:\SFCFix
    2015-07-17 02:50 - 2015-07-17 02:55 - 00003212 _____ C:\Users\Thomas\sfcdetails.txt
    2015-07-15 23:06 - 2015-07-15 23:06 - 00000000 ____D C:\Quarantine
    2015-07-15 22:56 - 2015-07-17 03:37 - 00000000 ____D C:\Program Files (x86)\stinger
    2015-07-15 22:55 - 2015-07-22 19:41 - 00000000 ____D C:\Users\Thomas\Downloads\stinger32-epo
    2015-07-15 13:35 - 2015-07-15 13:35 - 00000000 ____D C:\Users\Thomas\Desktop\McAfee File Lock
    2015-07-15 12:14 - 2015-07-15 13:18 - 00095802 _____ C:\Users\Thomas\Desktop\sfcdetails.txt
    2015-07-15 11:58 - 2015-07-15 11:58 - 00000000 ____D C:\Users\Thomas\McAfee File Lock
    2015-07-14 03:26 - 2015-07-14 03:26 - 00000342 _____ C:\Windows\PFRO.log
    2015-07-13 12:45 - 2015-07-14 03:26 - 00000112 _____ C:\Windows\setupact.log
    2015-07-13 12:45 - 2015-07-13 12:45 - 00000000 _____ C:\Windows\setuperr.log
    2015-07-13 12:16 - 2015-07-13 12:16 - 00000000 ____D C:\Windows\System32\McAfee File Lock
    2015-07-03 06:35 - 2015-07-12 10:09 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2015-06-28 10:52 - 2015-06-29 01:12 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\vlc
    2015-06-28 10:50 - 2015-06-28 10:50 - 00001032 _____ C:\Users\Public\Desktop\VLC media player.lnk
    2015-06-28 10:50 - 2015-06-28 10:50 - 00001032 _____ C:\ProgramData\Desktop\VLC media player.lnk
    2015-06-28 10:49 - 2015-06-28 10:49 - 28849904 _____ C:\Users\Thomas\Downloads\vlc-2.2.1-win32.exe
    2015-06-28 10:49 - 2015-06-28 10:49 - 00000000 ____D C:\Program Files (x86)\VideoLAN
    ==================== One Month Modified files and folders ========
    (If an entry is included in the fixlist, the file/folder will be moved.)
    2015-07-23 23:28 - 2014-12-09 19:22 - 00000000 ____D C:\Windows\System32\appraiser
    2015-07-23 23:28 - 2014-08-09 05:12 - 00000000 ____D C:\users\Guest
    2015-07-23 23:28 - 2014-05-06 18:00 - 00000000 ___SD C:\Windows\System32\CompatTel
    2015-07-23 23:28 - 2012-07-15 07:50 - 00000000 ____D C:\users\Orrin JNR
    2015-07-23 23:28 - 2012-05-08 08:58 - 00000000 ____D C:\users\Thomas
    2015-07-23 23:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
    2015-07-23 23:27 - 2015-05-15 23:52 - 00000000 __RSD C:\Users\Thomas\Documents\McAfee Vaults
    2015-07-23 23:27 - 2015-04-04 18:00 - 00000000 ___SD C:\Windows\System32\GWX
    2015-07-23 23:27 - 2014-05-14 11:23 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Skype
    2015-07-23 23:27 - 2012-11-29 11:21 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\uTorrent
    2015-07-23 23:27 - 2012-05-09 12:20 - 00000000 ____D C:\ProgramData\McAfee Security Scan
    2015-07-23 23:27 - 2012-05-01 03:52 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
    2015-07-23 23:25 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
    2015-07-23 23:23 - 2012-05-08 09:19 - 00000000 ____D C:\ProgramData\BOINC
    2015-07-23 23:22 - 2015-04-04 02:39 - 00000000 ____D C:\Program Files\Microsoft Office 15
    2015-07-23 23:22 - 2012-05-01 04:08 - 00000000 ____D C:\Program Files\mcafee
    2015-07-22 10:20 - 2012-05-01 04:26 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
    2015-07-22 10:20 - 2012-05-01 04:26 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
    2015-07-22 10:05 - 2013-10-23 06:27 - 00000000 ____D C:\ProgramData\boost_interprocess
    2015-07-21 12:57 - 2012-05-01 04:15 - 00000000 ____D C:\ProgramData\Sonic
    2015-07-15 19:47 - 2010-11-20 23:16 - 00000000 ___RD C:\Users\Public\Recorded TV
    2015-07-14 14:58 - 2012-05-08 09:00 - 00000422 _____ C:\Windows\Tasks\SystemToolsDailyTest.job
    2015-07-14 14:17 - 2013-03-28 13:55 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
    2015-07-14 14:06 - 2012-09-02 09:09 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2015-07-14 13:17 - 2013-03-28 13:55 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
    2015-07-14 13:17 - 2012-05-01 03:35 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2015-07-14 13:17 - 2012-05-01 03:35 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2015-07-14 12:49 - 2012-07-15 12:24 - 00000872 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3274687172-3602840966-2228239552-1006Core.job
    2015-07-14 09:06 - 2012-09-02 09:09 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2015-07-14 03:42 - 2009-07-13 20:45 - 00028352 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2015-07-14 03:42 - 2009-07-13 20:45 - 00028352 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2015-07-14 03:26 - 2009-07-13 21:08 - 00032620 _____ C:\Windows\Tasks\SCHEDLGU.TXT
    2015-07-14 03:26 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2015-07-13 19:42 - 2015-04-04 02:44 - 00004978 _____ C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for trustno1-Thomas trustno1
    2015-07-13 12:46 - 2012-12-22 03:26 - 00000000 ___RD C:\Users\Thomas\SkyDrive
    2015-07-13 10:53 - 2015-05-15 23:49 - 00000000 ____D C:\Program Files (x86)\McAfee
    2015-07-13 10:53 - 2014-08-21 12:49 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2015-07-13 05:00 - 2012-05-09 05:00 - 00003488 _____ C:\Windows\System32\Tasks\PCDEventLauncher
    2015-07-13 05:00 - 2012-05-08 09:00 - 00003450 _____ C:\Windows\System32\Tasks\SystemToolsDailyTest
    2015-07-12 09:07 - 2009-07-13 21:13 - 00006506 _____ C:\Windows\System32\PerfStringBackup.INI
    2015-07-12 09:00 - 2012-05-08 09:00 - 00000564 _____ C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
    2015-07-12 08:47 - 2014-11-12 00:47 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieBrowserModeList
    2015-07-12 08:47 - 2014-04-30 09:30 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieUserList
    2015-07-12 08:47 - 2014-04-30 09:30 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieSiteList
    2015-07-04 19:00 - 2012-05-08 09:00 - 00004268 _____ C:\Windows\System32\Tasks\PCDoctorBackgroundMonitorTask
    2015-07-02 12:51 - 2009-07-13 21:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
    2015-06-26 03:30 - 2014-11-09 11:44 - 00000000 ___RD C:\Program Files (x86)\Skype
    2015-06-26 03:30 - 2012-05-01 03:54 - 00000000 ____D C:\ProgramData\Skype
    ==================== Known DLLs (Whitelisted) ================

    ==================== Bamital & volsnap Check =================
    (There is no automatic fix for files that do not pass verification.)
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== Restore Points =========================
    Restore point made on: 2015-07-14 15:00:12
    ==================== Memory info ===========================
    Percentage of memory in use: 10%
    Total physical RAM: 8104.63 MB
    Available physical RAM: 7238.35 MB
    Total Virtual: 8102.83 MB
    Available Virtual: 7211.47 MB
    ==================== Drives ================================
    Drive c: (OS) (Fixed) (Total:450.91 GB) (Free:145.41 GB) NTFS
    Drive d: (GSP1RMCHPXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
    Drive g: (RECOVERY) (Fixed) (Total:14.81 GB) (Free:5.74 GB) NTFS ==>[system with boot components (obtained from reading drive)]
    Drive h: (TOSHIBA EXT) (Fixed) (Total:465.76 GB) (Free:462.85 GB) NTFS
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    ==================== MBR & Partition Table ==================
    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: ACEA298C)
    Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
    Partition 2: (Active) - (Size=14.8 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=450.9 GB) - (Type=07 NTFS)
    ========================================================
    Disk: 2 (MBR Code: Windows 7 or Vista) (Size: 465.8 GB) (Disk ID: 35E8B3A5)
    Partition 1: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)

    LastRegBack: 2015-07-14 03:56
    ==================== End of log ============================
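
As an added example, not part of the thread and not FRST's own code: a small Python triage script over FRST log lines in the format shown above. It parses the Run/RunOnce and service lines, flags the ones a helper would look at twice (a service binary running from the Windows Installer cache, an unsigned binary outside Program Files/System32, a RunOnce value such as the rstrui.exe one asked about below), and for an entry the analyst has confirmed builds fixlist.txt lines the way post #21 does: the log line verbatim, then the path to move. The sample lines are constructed from this log; the rules and their wording are my own assumptions, not FRST's.

```python
"""Triage of FRST (Farbar Recovery Scan Tool) autostart lines.

Added example, not FRST's code. Sample lines are constructed from the
format in the thread's logs; the flagging rules are the author's own.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List

# Service/driver lines: "S2 name; C:\path\file.exe [size yyyy-mm-dd] (publisher)"
SERVICE_RE = re.compile(
    r"^(?P<start>[SRU]\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<pub>[^)]*)\)$"
)
# Autostart lines: "HKLM\...\Run: [Name] => C:\path\file.exe [size yyyy-mm-dd] (publisher)"
RUNKEY_RE = re.compile(
    r"^(?P<hive>HK.+?)\\\.\.\.\\(?P<key>RunOnce|Run): \[(?P<name>[^\]]+)\] => "
    r"(?P<path>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<pub>[^)]*)\)$"
)

# Locations used by the rules (compared case-insensitively).
INSTALLER_CACHE = "c:\\windows\\installer\\"   # holds cached MSI packages, not services
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\",
                "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Entry:
    kind: str          # "service", "Run" or "RunOnce"
    name: str
    path: str
    publisher: str     # "" when FRST printed "()"
    raw: str           # the log line unchanged; fixlist lines must match it exactly
    reasons: List[str] = field(default_factory=list)


def parse_frst(text: str) -> List[Entry]:
    """Pick the service and Run/RunOnce lines out of an FRST log; ignore the rest."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = SERVICE_RE.match(line)
        if m:
            entries.append(Entry("service", m["name"], m["path"], m["pub"], line))
            continue
        m = RUNKEY_RE.match(line)
        if m:
            entries.append(Entry(m["key"], m["name"], m["path"], m["pub"], line))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review reasons to every entry; return those with at least one."""
    flagged = []
    for e in entries:
        p = e.path.lower()
        reasons = []
        if p.startswith(INSTALLER_CACHE):
            reasons.append("binary runs from the Windows Installer cache")
        if e.publisher == "" and not p.startswith(TRUSTED_DIRS):
            reasons.append("no publisher recorded and binary is outside Program Files/System32")
        if e.kind == "RunOnce":
            # RunOnce values execute once at the next logon and are then deleted;
            # a leading '*' tells Windows to run the value even in Safe Mode.
            note = "RunOnce value: executes once at next logon"
            if e.name.startswith("*"):
                note += "; '*' prefix means it also runs in Safe Mode"
            reasons.append(note)
        e.reasons = reasons
        if reasons:
            flagged.append(e)
    return flagged


def fixlist_lines(entry: Entry) -> List[str]:
    """fixlist.txt lines for one confirmed entry, as in post #21: the log line
    verbatim (FRST removes the registry/service item), then the path to move,
    because FRST moves a file only when it is listed separately."""
    folder = ntpath.dirname(entry.path)
    # Move the whole folder only when it is a dedicated one (the GUID folder in
    # post #21); never list a shared system folder such as System32 for moving.
    target = folder if folder.lower().startswith(INSTALLER_CACHE) else entry.path
    return [entry.raw, target]


# Constructed sample in the thread's log format (one of each interesting case).
SAMPLE_LOG = r"""
HKLM\...\Run: [Stage Remote] => C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe [2022976 2011-06-27] ()
HKLM\...\Run: [boinctray] => C:\Program Files\BOINC\boinctray.exe [68928 2015-03-09] (Space Sciences Laboratory)
HKLM\...\RunOnce: [*Restore] => C:\Windows\system32\rstrui.exe [296960 2015-05-25] (Microsoft Corporation)
HKU\Thomas\...\Run: [Amazon Music] => C:\Users\Thomas\AppData\Local\Amazon Music\Amazon Music Helper.exe [6277952 2014-12-07] ()
S2 syshost32; C:\Windows\Installer\{269A4ED8-3094-6D54-48F0-3CC425AC5ECE}\syshost.exe [196923 2015-07-14] ()
S2 mfevtp; C:\Windows\system32\mfevtps.exe [250672 2015-02-17] (McAfee, Inc.)
"""


def main() -> None:
    entries = parse_frst(SAMPLE_LOG)
    for e in triage(entries):
        print(f"[{e.kind}] {e.name}: " + "; ".join(e.reasons))
    # Only an entry the analyst has actually confirmed goes into the fixlist.
    confirmed = next(e for e in entries if e.name == "syshost32")
    print("\nfixlist.txt:\n" + "\n".join(fixlist_lines(confirmed)))


if __name__ == "__main__":
    main()
```

The unsigned-outside-Program-Files rule deliberately lets StageRemote.exe through (no publisher, but under Program Files) while still surfacing the Amazon Music helper for a look; flagged means review, not remove.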

  3. #23

    Re: Artemis Trojan

    I was wondering about this entry, trying to understand why it would be required to run?

    HKLM\...\RunOnce: [*Restore] => C:\Windows\system32\rstrui.exe [296960 2015-05-25] (Microsoft Corporation)

  4. #24
    Corrine (Join Date: Feb 2012; Location: Upstate, NY; Posts: 8,479)

    Re: Artemis Trojan

    Dang! Is it the same "Problem Signature 07: CorruptFile" error as before? I'm consulting with others to see if they have any additional suggestions.


  5. #25

    Re: Artemis Trojan

    Yes, it is still reporting Signature 07 etc. However, apologies, as this probably has nothing to do with my ongoing issues; what is this entry's function?

    HKLM\...\RunOnce: [*Restore] => C:\Windows\system32\rstrui.exe [296960 2015-05-25] (Microsoft Corporation)

    What is being restored?

  6. #26
    Corrine (Join Date: Feb 2012; Location: Upstate, NY; Posts: 8,479)

    Re: Artemis Trojan

    Based on the "Problem Signature 07: CorruptFile" error, I do not believe that System Restore will work based on what I've found so far. However, you can most certainly give it a try. In the Recovery Environment, you would select System Restore. You need a restore date on or before 14 July 2015, which appears to be the beginning of the malware issues. The restore point shown is from 25 May 2015 which is well before the infection.



    In the meantime, I'm waiting for a reply from DonnaB (another member of the team) as to what she thinks about what I thought might work.


  7. #27

    Re: Artemis Trojan

    I have deleted that entry, but the loop continues with Signature 07. Latest report:

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:20-07-2015
    Ran by SYSTEM on MININT-2IIKUDD on 25-07-2015 17:37:01
    Running from C:\
    Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
    Internet Explorer Version 11
    Boot Mode: Recovery
    The current controlset is ControlSet001
    ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
    Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Geeks to Go Forum
    ==================== Registry (Whitelisted) ==================
    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
    HKLM\...\Run: [Stage Remote] => C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe [2022976 2011-06-27] ()
    HKLM\...\Run: [boinctray] => C:\Program Files\BOINC\boinctray.exe [68928 2015-03-09] (Space Sciences Laboratory)
    HKLM\...\Run: [boincmgr] => C:\Program Files\BOINC\boincmgr.exe [8926016 2015-03-09] (Space Sciences Laboratory)
    HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-06] (Apple Inc.)
    HKLM-x32\...\Run: [RemoteControl9] => C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2010-10-01] (CyberLink Corp.)
    HKLM-x32\...\Run: [PDVD9LanguageShortcut] => C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-09-17] (CyberLink Corp.)
    HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [616272 2015-04-07] (McAfee, Inc.)
    HKLM-x32\...\Run: [RoxWatchTray] => C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-24] (Sonic Solutions)
    HKLM-x32\...\Run: [Desktop Disc Tool] => C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
    HKLM-x32\...\Run: [AccuWeatherWidget] => C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe [968048 2012-02-01] ()
    HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-03-20] (Apple Inc.)
    HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe [719272 2015-04-02] (McAfee, Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [335232 2015-04-10] (Oracle Corporation)
    Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
    HKLM\...\Policies\Explorer: [NoControlPanel] 0
    HKLM\...\Policies\Explorer: [NoFolderOptions] 0
    HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
    HKLM\...\Policies\Explorer: [HideSCAHealth] 1
    HKU\Orrin JNR\...\Run: [Google Update] => C:\Users\Orrin JNR\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-15] (Google Inc.)
    HKU\Thomas\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [53282944 2015-06-16] (Skype Technologies S.A.)
    HKU\Thomas\...\Run: [Amazon Music] => C:\Users\Thomas\AppData\Local\Amazon Music\Amazon Music Helper.exe [6277952 2014-12-07] ()
    HKU\Thomas\...\Run: [OneDrive] => C:\Users\Thomas\AppData\Local\Microsoft\OneDrive\OneDrive.exe [382664 2015-05-22] (Microsoft Corporation)
    HKU\Thomas\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
    HKU\Thomas\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7451928 2015-03-13] (Piriform Ltd)
    ==================== Services (Whitelisted) =================
    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
    S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
    S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2739888 2015-05-18] (Microsoft Corporation)
    S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
    S2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [155368 2015-07-03] (McAfee, Inc.)
    S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [753768 2015-04-07] (McAfee, Inc.)
    S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
    S2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.5.450.0\McCSPServiceHost.exe [207344 2015-04-08] (McAfee, Inc.)
    S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
    S2 McNaiAnn; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
    S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [612688 2015-04-09] (McAfee, Inc.)
    S2 mcpltsvc; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
    S2 McProxy; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
    S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232656 2015-02-17] (McAfee, Inc.)
    S2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [372144 2015-04-06] (McAfee, Inc.)
    S2 mfevtp; C:\Windows\system32\mfevtps.exe [250672 2015-02-17] (McAfee, Inc.)
    S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
    S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
    ==================== Drivers (Whitelisted) ====================
    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
    S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [68784 2015-02-17] (McAfee, Inc.)
    S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
    S2 McPvDrv; C:\Windows\system32\drivers\McPvDrv.sys [76064 2015-03-27] (McAfee, Inc.)
    S3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [401736 2015-02-17] (McAfee, Inc.)
    S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [337888 2015-02-17] (McAfee, Inc.)
    S0 mfedisk; C:\Windows\System32\DRIVERS\mfedisk.sys [101872 2015-02-17] (McAfee, Inc.)
    S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [488000 2015-02-17] (McAfee, Inc.)
    S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [864072 2015-02-17] (McAfee, Inc.)
    S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [482600 2015-01-15] (McAfee, Inc.)
    S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [100720 2015-01-15] (McAfee, Inc.)
    S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340448 2015-02-17] (McAfee, Inc.)
    S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
    S0 sptd; C:\Windows\System32\Drivers\sptd.sys [564824 2013-01-03] (Duplex Secure Ltd.)
    ==================== NetSvcs (Whitelisted) ===================
    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    ==================== One Month Created files and folders ========
    (If an entry is included in the fixlist, the file/folder will be moved.)
    2015-07-24 11:40 - 2015-07-25 17:37 - 00000000 _____ C:\FRST.txt
    2015-07-24 11:36 - 2015-07-25 17:37 - 00000000 ____D C:\FRST
    2015-07-23 01:37 - 2015-07-23 01:37 - 02135552 _____ (Farbar) C:\frst64.exe
    2015-07-21 12:29 - 2015-07-21 12:25 - 00002289 _____ C:\Users\Thomas\Desktop\SFCFix.zip
    2015-07-21 12:24 - 2015-07-21 12:25 - 00002289 _____ C:\Users\Thomas\Downloads\SFCFix.zip
    2015-07-17 14:37 - 2015-07-21 12:51 - 00000000 ____D C:\Users\Thomas\AppData\Local\niemiro
    2015-07-17 05:03 - 2015-07-17 05:03 - 00000387 _____ C:\Users\Thomas\Desktop\copy.txt
    2015-07-17 04:56 - 2015-07-17 04:57 - 00000000 ____D C:\Users\Thomas\copy
    2015-07-17 04:55 - 2015-07-17 04:55 - 00000000 ____D C:\Users\Thomas\Downloads\Copy
    2015-07-17 03:11 - 2015-07-21 12:51 - 00003148 _____ C:\Users\Thomas\Desktop\SFCFix.txt
    2015-07-17 03:11 - 2015-07-21 12:51 - 00000000 ____D C:\SFCFix
    2015-07-17 02:50 - 2015-07-17 02:55 - 00003212 _____ C:\Users\Thomas\sfcdetails.txt
    2015-07-15 23:06 - 2015-07-15 23:06 - 00000000 ____D C:\Quarantine
    2015-07-15 22:56 - 2015-07-17 03:37 - 00000000 ____D C:\Program Files (x86)\stinger
    2015-07-15 22:55 - 2015-07-22 19:41 - 00000000 ____D C:\Users\Thomas\Downloads\stinger32-epo
    2015-07-15 13:35 - 2015-07-15 13:35 - 00000000 ____D C:\Users\Thomas\Desktop\McAfee File Lock
    2015-07-15 12:14 - 2015-07-15 13:18 - 00095802 _____ C:\Users\Thomas\Desktop\sfcdetails.txt
    2015-07-15 11:58 - 2015-07-15 11:58 - 00000000 ____D C:\Users\Thomas\McAfee File Lock
    2015-07-14 03:26 - 2015-07-14 03:26 - 00000342 _____ C:\Windows\PFRO.log
    2015-07-13 12:45 - 2015-07-14 03:26 - 00000112 _____ C:\Windows\setupact.log
    2015-07-13 12:45 - 2015-07-13 12:45 - 00000000 _____ C:\Windows\setuperr.log
    2015-07-13 12:16 - 2015-07-13 12:16 - 00000000 ____D C:\Windows\System32\McAfee File Lock
    2015-07-03 06:35 - 2015-07-12 10:09 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2015-06-28 10:52 - 2015-06-29 01:12 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\vlc
    2015-06-28 10:50 - 2015-06-28 10:50 - 00001032 _____ C:\Users\Public\Desktop\VLC media player.lnk
    2015-06-28 10:50 - 2015-06-28 10:50 - 00001032 _____ C:\ProgramData\Desktop\VLC media player.lnk
    2015-06-28 10:49 - 2015-06-28 10:49 - 28849904 _____ C:\Users\Thomas\Downloads\vlc-2.2.1-win32.exe
    2015-06-28 10:49 - 2015-06-28 10:49 - 00000000 ____D C:\Program Files (x86)\VideoLAN
    ==================== One Month Modified files and folders ========
    (If an entry is included in the fixlist, the file/folder will be moved.)
    2015-07-23 23:28 - 2014-12-09 19:22 - 00000000 ____D C:\Windows\System32\appraiser
    2015-07-23 23:28 - 2014-08-09 05:12 - 00000000 ____D C:\users\Guest
    2015-07-23 23:28 - 2014-05-06 18:00 - 00000000 ___SD C:\Windows\System32\CompatTel
    2015-07-23 23:28 - 2012-07-15 07:50 - 00000000 ____D C:\users\Orrin JNR
    2015-07-23 23:28 - 2012-05-08 08:58 - 00000000 ____D C:\users\Thomas
    2015-07-23 23:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
    2015-07-23 23:27 - 2015-05-15 23:52 - 00000000 __RSD C:\Users\Thomas\Documents\McAfee Vaults
    2015-07-23 23:27 - 2015-04-04 18:00 - 00000000 ___SD C:\Windows\System32\GWX
    2015-07-23 23:27 - 2014-05-14 11:23 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Skype
    2015-07-23 23:27 - 2012-11-29 11:21 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\uTorrent
    2015-07-23 23:27 - 2012-05-09 12:20 - 00000000 ____D C:\ProgramData\McAfee Security Scan
    2015-07-23 23:27 - 2012-05-01 03:52 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
    2015-07-23 23:25 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
    2015-07-23 23:23 - 2012-05-08 09:19 - 00000000 ____D C:\ProgramData\BOINC
    2015-07-23 23:22 - 2015-04-04 02:39 - 00000000 ____D C:\Program Files\Microsoft Office 15
    2015-07-23 23:22 - 2012-05-01 04:08 - 00000000 ____D C:\Program Files\mcafee
    2015-07-22 10:20 - 2012-05-01 04:26 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
    2015-07-22 10:20 - 2012-05-01 04:26 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
    2015-07-22 10:05 - 2013-10-23 06:27 - 00000000 ____D C:\ProgramData\boost_interprocess
    2015-07-21 12:57 - 2012-05-01 04:15 - 00000000 ____D C:\ProgramData\Sonic
    2015-07-15 19:47 - 2010-11-20 23:16 - 00000000 ___RD C:\Users\Public\Recorded TV
    2015-07-14 14:58 - 2012-05-08 09:00 - 00000422 _____ C:\Windows\Tasks\SystemToolsDailyTest.job
    2015-07-14 14:17 - 2013-03-28 13:55 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
    2015-07-14 14:06 - 2012-09-02 09:09 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2015-07-14 13:17 - 2013-03-28 13:55 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
    2015-07-14 13:17 - 2012-05-01 03:35 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2015-07-14 13:17 - 2012-05-01 03:35 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2015-07-14 12:49 - 2012-07-15 12:24 - 00000872 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3274687172-3602840966-2228239552-1006Core.job
    2015-07-14 09:06 - 2012-09-02 09:09 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2015-07-14 03:42 - 2009-07-13 20:45 - 00028352 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2015-07-14 03:42 - 2009-07-13 20:45 - 00028352 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2015-07-14 03:26 - 2009-07-13 21:08 - 00032620 _____ C:\Windows\Tasks\SCHEDLGU.TXT
    2015-07-14 03:26 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2015-07-13 19:42 - 2015-04-04 02:44 - 00004978 _____ C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for trustno1-Thomas trustno1
    2015-07-13 12:46 - 2012-12-22 03:26 - 00000000 ___RD C:\Users\Thomas\SkyDrive
    2015-07-13 10:53 - 2015-05-15 23:49 - 00000000 ____D C:\Program Files (x86)\McAfee
    2015-07-13 10:53 - 2014-08-21 12:49 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2015-07-13 05:00 - 2012-05-09 05:00 - 00003488 _____ C:\Windows\System32\Tasks\PCDEventLauncher
    2015-07-13 05:00 - 2012-05-08 09:00 - 00003450 _____ C:\Windows\System32\Tasks\SystemToolsDailyTest
    2015-07-12 09:07 - 2009-07-13 21:13 - 00006506 _____ C:\Windows\System32\PerfStringBackup.INI
    2015-07-12 09:00 - 2012-05-08 09:00 - 00000564 _____ C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
    2015-07-12 08:47 - 2014-11-12 00:47 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieBrowserModeList
    2015-07-12 08:47 - 2014-04-30 09:30 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieUserList
    2015-07-12 08:47 - 2014-04-30 09:30 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieSiteList
    2015-07-04 19:00 - 2012-05-08 09:00 - 00004268 _____ C:\Windows\System32\Tasks\PCDoctorBackgroundMonitorTask
    2015-07-02 12:51 - 2009-07-13 21:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
    2015-06-26 03:30 - 2014-11-09 11:44 - 00000000 ___RD C:\Program Files (x86)\Skype
    2015-06-26 03:30 - 2012-05-01 03:54 - 00000000 ____D C:\ProgramData\Skype
    ==================== Known DLLs (Whitelisted) ================

    ==================== Bamital & volsnap Check =================
    (There is no automatic fix for files that do not pass verification.)
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== Restore Points =========================
    Restore point made on: 2015-07-14 15:00:12
    ==================== Memory info ===========================
    Percentage of memory in use: 10%
    Total physical RAM: 8104.63 MB
    Available physical RAM: 7231.77 MB
    Total Virtual: 8102.83 MB
    Available Virtual: 7208.61 MB
    ==================== Drives ================================
    Drive c: (OS) (Fixed) (Total:450.91 GB) (Free:145.41 GB) NTFS
    Drive d: (GSP1RMCHPXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
    Drive g: (RECOVERY) (Fixed) (Total:14.81 GB) (Free:5.74 GB) NTFS ==>[system with boot components (obtained from reading drive)]
    Drive h: (TOSHIBA EXT) (Fixed) (Total:465.76 GB) (Free:462.82 GB) NTFS
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    ==================== MBR & Partition Table ==================
    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: ACEA298C)
    Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
    Partition 2: (Active) - (Size=14.8 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=450.9 GB) - (Type=07 NTFS)
    ========================================================
    Disk: 1 (MBR Code: Windows 7 or Vista) (Size: 465.8 GB) (Disk ID: 35E8B3A5)
    Partition 1: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)

    LastRegBack: 2015-07-14 03:56
    ==================== End of log ============================

  8. #28
    Corrine's Avatar

    Re: Artemis Trojan

    We seem to have cross-posted. See my reply from just a minute before you posted your log.


    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

    Remember - A day without laughter is a day wasted.
    May the wind sing to you and the sun rise in your heart.

  9. #29

    Re: Artemis Trojan

    Sorry, our posts did cross. It appears this virus is being respawned via the boot process, as random files are appearing each time I boot. Fixing the MBR via the usual method doesn't have the desired effect.

  10. #30
    Corrine's Avatar

    Re: Artemis Trojan

    Do you have any examples of the random file names? Neither DonnaB nor I are seeing what might appear to be malicious files re-appearing in your log. A comment Donna made is that most computers will attempt to boot from the DVD drive and, if no disk is found, will boot straight to the HDD, unless the boot settings in the BIOS are set otherwise.

    Remove the DVD from Drive D. You need Drives c and g. What are drives h and x?

    Drive c: (OS) (Fixed) (Total:450.91 GB) (Free:145.41 GB) NTFS
    Drive d: (GSP1RMCHPXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
    Drive g: (RECOVERY) (Fixed) (Total:14.81 GB) (Free:5.74 GB) NTFS ==>[system with boot components (obtained from reading drive)]
    Drive h: (TOSHIBA EXT) (Fixed) (Total:465.76 GB) (Free:462.82 GB) NTFS
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS


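An added example, not from this thread and not FRST's own tooling: the Python below parses the "One Month Created files and folders" section of two FRST logs (the format quoted throughout this thread) and lists entries that were created after the earlier scan ran, or whose path the earlier scan did not have, which is the check behind the question above about files re-appearing after each boot. The two sample logs inside it are constructed in FRST's layout; the host name, paths and sizes are made up.

```python
"""Compare two FRST logs and report entries that appeared between the scans."""
import re
from datetime import datetime

# FRST header, e.g. "Ran by SYSTEM on MININT-R9HO8RQ on 25-07-2015 10:48:49"
SCAN_TIME_RE = re.compile(r"^Ran by .+ on (\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})$")
# Section banner, e.g. "==================== One Month Created files and folders ========"
SECTION_RE = re.compile(r"^=+ (?P<name>.+?) =+$")
# One entry: <created> - <modified> - <size> <attrs> [(Company)] <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>\S.*)$"
)
CREATED_SECTION = "One Month Created files and folders"


def scan_time(log_text):
    """Time the scan ran, from FRST's 'Ran by ... on <dd-mm-yyyy hh:mm:ss>' header."""
    for raw in log_text.splitlines():
        m = SCAN_TIME_RE.match(raw.strip())
        if m:
            return datetime.strptime(m.group(1), "%d-%m-%Y %H:%M:%S")
    raise ValueError("no 'Ran by ... on <date>' header in log")


def parse_section(log_text, section_name):
    """File/folder entries of one FRST section, as dicts."""
    entries, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()  # forum quoting indents every line
        banner = SECTION_RE.match(line)
        if banner:
            in_section = banner.group("name").strip() == section_name
            continue
        m = ENTRY_RE.match(line) if in_section else None
        if not m:
            continue  # e.g. "(If an entry is included in the fixlist ...)"
        entries.append({
            "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m.group("modified"), "%Y-%m-%d %H:%M"),
            "size": int(m.group("size")),
            "attrs": m.group("attrs"),
            "is_dir": "D" in m.group("attrs"),
            "company": m.group("company"),  # None when FRST printed no publisher
            "path": m.group("path"),
        })
    return entries


def appeared_between(older_log, newer_log, section=CREATED_SECTION):
    """Entries of the newer scan created after the older scan ran, or whose path
    the older scan did not list: what a file re-dropped on each boot looks like."""
    cutoff = scan_time(older_log)
    old_paths = {e["path"].lower() for e in parse_section(older_log, section)}
    return [e for e in parse_section(newer_log, section)
            if e["created"] > cutoff or e["path"].lower() not in old_paths]


# Constructed sample logs in FRST's layout (host name, paths and sizes are made up).
OLD_LOG = r"""
Ran by SYSTEM on MININT-EXAMPLE on 25-07-2015 10:48:49
==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-07-24 11:36 - 2015-07-25 10:48 - 00000000 ____D C:\FRST
2015-07-23 01:37 - 2015-07-23 01:37 - 02135552 _____ (Farbar) C:\frst64.exe
2015-07-20 09:00 - 2015-07-20 09:00 - 00004096 _____ C:\Users\Example\AppData\Local\Temp\sample.tmp
==================== One Month Modified files and folders ========
2015-07-23 23:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
==================== End of log ============================
"""

NEW_LOG = r"""
Ran by SYSTEM on MININT-EXAMPLE on 25-07-2015 17:37:01
==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-07-24 11:36 - 2015-07-25 17:37 - 00000000 ____D C:\FRST
2015-07-23 01:37 - 2015-07-23 01:37 - 02135552 _____ (Farbar) C:\frst64.exe
2015-07-25 14:02 - 2015-07-25 14:02 - 00004096 _____ C:\Users\Example\AppData\Local\Temp\sample.tmp
2015-07-25 14:02 - 2015-07-25 14:02 - 00012345 _____ C:\Users\Example\AppData\Local\Temp\dropped.exe
==================== One Month Modified files and folders ========
2015-07-23 23:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
==================== End of log ============================
"""

if __name__ == "__main__":
    for e in appeared_between(OLD_LOG, NEW_LOG):
        print(f"{e['created']:%Y-%m-%d %H:%M}  {e['size']:>9}  {e['path']}")
```

Paste the two logs from the thread into OLD_LOG and NEW_LOG (indentation is tolerated) to run the same comparison on real scans.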

  11. #31

    Re: Artemis Trojan

    Suspect and/or respawning files are highlighted below; I have removed them via frst64.

    Not sure what X: is; the Toshiba is my portable disk.

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:20-07-2015
    Ran by SYSTEM on MININT-2IIKUDD on 25-07-2015 17:37:01
    Running from C:\
    Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
    Internet Explorer Version 11
    Boot Mode: Recovery
    The current controlset is ControlSet001
    ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
    Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Geeks to Go Forum
    ==================== Registry (Whitelisted) ==================
    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
    HKLM\...\Run: [Stage Remote] => C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe [2022976 2011-06-27] ()
    HKLM\...\Run: [boinctray] => C:\Program Files\BOINC\boinctray.exe [68928 2015-03-09] (Space Sciences Laboratory)
    HKLM\...\Run: [boincmgr] => C:\Program Files\BOINC\boincmgr.exe [8926016 2015-03-09] (Space Sciences Laboratory)
    HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-06] (Apple Inc.)
    HKLM-x32\...\Run: [RemoteControl9] => C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2010-10-01] (CyberLink Corp.)
    HKLM-x32\...\Run: [PDVD9LanguageShortcut] => C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-09-17] (CyberLink Corp.)
    HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [616272 2015-04-07] (McAfee, Inc.)
    HKLM-x32\...\Run: [RoxWatchTray] => C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-24] (Sonic Solutions)
    HKLM-x32\...\Run: [Desktop Disc Tool] => C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
    HKLM-x32\...\Run: [AccuWeatherWidget] => C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe [968048 2012-02-01] ()
    HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-03-20] (Apple Inc.)
    HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe [719272 2015-04-02] (McAfee, Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [335232 2015-04-10] (Oracle Corporation)
    Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
    HKLM\...\Policies\Explorer: [NoControlPanel] 0
    HKLM\...\Policies\Explorer: [NoFolderOptions] 0
    HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
    HKLM\...\Policies\Explorer: [HideSCAHealth] 1
    HKU\Orrin JNR\...\Run: [Google Update] => C:\Users\Orrin JNR\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-15] (Google Inc.)
    HKU\Thomas\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [53282944 2015-06-16] (Skype Technologies S.A.)
    HKU\Thomas\...\Run: [Amazon Music] => C:\Users\Thomas\AppData\Local\Amazon Music\Amazon Music Helper.exe [6277952 2014-12-07] ()
    HKU\Thomas\...\Run: [OneDrive] => C:\Users\Thomas\AppData\Local\Microsoft\OneDrive\OneDrive.exe [382664 2015-05-22] (Microsoft Corporation)
    HKU\Thomas\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
    HKU\Thomas\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7451928 2015-03-13] (Piriform Ltd)
    ==================== Services (Whitelisted) =================
    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
    S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
    S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2739888 2015-05-18] (Microsoft Corporation)
    S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
    S2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [155368 2015-07-03] (McAfee, Inc.)
    S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [753768 2015-04-07] (McAfee, Inc.)
    S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
    S2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.5.450.0\McCSPServiceHost.exe [207344 2015-04-08] (McAfee, Inc.)
    S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
    S2 McNaiAnn; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
    S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [612688 2015-04-09] (McAfee, Inc.)
    S2 mcpltsvc; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
    S2 McProxy; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
    S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232656 2015-02-17] (McAfee, Inc.)
    S2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [372144 2015-04-06] (McAfee, Inc.)
    S2 mfevtp; C:\Windows\system32\mfevtps.exe [250672 2015-02-17] (McAfee, Inc.)
    S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
    S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
    ==================== Drivers (Whitelisted) ====================
    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
    S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [68784 2015-02-17] (McAfee, Inc.)
    S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
    S2 McPvDrv; C:\Windows\system32\drivers\McPvDrv.sys [76064 2015-03-27] (McAfee, Inc.)
    S3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [401736 2015-02-17] (McAfee, Inc.)
    S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [337888 2015-02-17] (McAfee, Inc.)
    S0 mfedisk; C:\Windows\System32\DRIVERS\mfedisk.sys [101872 2015-02-17] (McAfee, Inc.)
    S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [488000 2015-02-17] (McAfee, Inc.)
    S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [864072 2015-02-17] (McAfee, Inc.)
    S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [482600 2015-01-15] (McAfee, Inc.)
    S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [100720 2015-01-15] (McAfee, Inc.)
    S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340448 2015-02-17] (McAfee, Inc.)
    S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
    S0 sptd; C:\Windows\System32\Drivers\sptd.sys [564824 2013-01-03] (Duplex Secure Ltd.)
    ==================== NetSvcs (Whitelisted) ===================
    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    ==================== One Month Created files and folders ========
    (If an entry is included in the fixlist, the file/folder will be moved.)
    2015-07-24 11:40 - 2015-07-25 17:37 - 00000000 _____ C:\FRST.txt
    2015-07-24 11:36 - 2015-07-25 17:37 - 00000000 ____D C:\FRST
    2015-07-23 01:37 - 2015-07-23 01:37 - 02135552 _____ (Farbar) C:\frst64.exe
    2015-07-21 12:29 - 2015-07-21 12:25 - 00002289 _____ C:\Users\Thomas\Desktop\SFCFix.zip
    2015-07-21 12:24 - 2015-07-21 12:25 - 00002289 _____ C:\Users\Thomas\Downloads\SFCFix.zip
    2015-07-17 14:37 - 2015-07-21 12:51 - 00000000 ____D C:\Users\Thomas\AppData\Local\niemiro
    2015-07-17 05:03 - 2015-07-17 05:03 - 00000387 _____ C:\Users\Thomas\Desktop\copy.txt
    2015-07-17 04:56 - 2015-07-17 04:57 - 00000000 ____D C:\Users\Thomas\copy
    2015-07-17 04:55 - 2015-07-17 04:55 - 00000000 ____D C:\Users\Thomas\Downloads\Copy
    2015-07-17 03:11 - 2015-07-21 12:51 - 00003148 _____ C:\Users\Thomas\Desktop\SFCFix.txt
    2015-07-17 03:11 - 2015-07-21 12:51 - 00000000 ____D C:\SFCFix
    2015-07-17 02:50 - 2015-07-17 02:55 - 00003212 _____ C:\Users\Thomas\sfcdetails.txt
    2015-07-15 23:06 - 2015-07-15 23:06 - 00000000 ____D C:\Quarantine
    2015-07-15 22:56 - 2015-07-17 03:37 - 00000000 ____D C:\Program Files (x86)\stinger
    2015-07-15 22:55 - 2015-07-22 19:41 - 00000000 ____D C:\Users\Thomas\Downloads\stinger32-epo
    2015-07-15 13:35 - 2015-07-15 13:35 - 00000000 ____D C:\Users\Thomas\Desktop\McAfee File Lock
    2015-07-15 12:14 - 2015-07-15 13:18 - 00095802 _____ C:\Users\Thomas\Desktop\sfcdetails.txt
    2015-07-15 11:58 - 2015-07-15 11:58 - 00000000 ____D C:\Users\Thomas\McAfee File Lock
    2015-07-14 03:26 - 2015-07-14 03:26 - 00000342 _____ C:\Windows\PFRO.log
    2015-07-13 12:45 - 2015-07-14 03:26 - 00000112 _____ C:\Windows\setupact.log
    2015-07-13 12:45 - 2015-07-13 12:45 - 00000000 _____ C:\Windows\setuperr.log
    2015-07-13 12:16 - 2015-07-13 12:16 - 00000000 ____D C:\Windows\System32\McAfee File Lock
    2015-07-03 06:35 - 2015-07-12 10:09 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2015-06-28 10:52 - 2015-06-29 01:12 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\vlc
    2015-06-28 10:50 - 2015-06-28 10:50 - 00001032 _____ C:\Users\Public\Desktop\VLC media player.lnk
    2015-06-28 10:50 - 2015-06-28 10:50 - 00001032 _____ C:\ProgramData\Desktop\VLC media player.lnk
    2015-06-28 10:49 - 2015-06-28 10:49 - 28849904 _____ C:\Users\Thomas\Downloads\vlc-2.2.1-win32.exe
    2015-06-28 10:49 - 2015-06-28 10:49 - 00000000 ____D C:\Program Files (x86)\VideoLAN
    ==================== One Month Modified files and folders ========
    (If an entry is included in the fixlist, the file/folder will be moved.)
    2015-07-23 23:28 - 2014-12-09 19:22 - 00000000 ____D C:\Windows\System32\appraiser
    2015-07-23 23:28 - 2014-08-09 05:12 - 00000000 ____D C:\users\Guest
    2015-07-23 23:28 - 2014-05-06 18:00 - 00000000 ___SD C:\Windows\System32\CompatTel
    2015-07-23 23:28 - 2012-07-15 07:50 - 00000000 ____D C:\users\Orrin JNR
    2015-07-23 23:28 - 2012-05-08 08:58 - 00000000 ____D C:\users\Thomas
    2015-07-23 23:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
    2015-07-23 23:27 - 2015-05-15 23:52 - 00000000 __RSD C:\Users\Thomas\Documents\McAfee Vaults
    2015-07-23 23:27 - 2015-04-04 18:00 - 00000000 ___SD C:\Windows\System32\GWX
    2015-07-23 23:27 - 2014-05-14 11:23 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Skype
    2015-07-23 23:27 - 2012-11-29 11:21 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\uTorrent
    2015-07-23 23:27 - 2012-05-09 12:20 - 00000000 ____D C:\ProgramData\McAfee Security Scan
    2015-07-23 23:27 - 2012-05-01 03:52 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
    2015-07-23 23:25 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
    2015-07-23 23:23 - 2012-05-08 09:19 - 00000000 ____D C:\ProgramData\BOINC
    2015-07-23 23:22 - 2015-04-04 02:39 - 00000000 ____D C:\Program Files\Microsoft Office 15
    2015-07-23 23:22 - 2012-05-01 04:08 - 00000000 ____D C:\Program Files\mcafee
    2015-07-22 10:20 - 2012-05-01 04:26 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
    2015-07-22 10:20 - 2012-05-01 04:26 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
    2015-07-22 10:05 - 2013-10-23 06:27 - 00000000 ____D C:\ProgramData\boost_interprocess
    2015-07-21 12:57 - 2012-05-01 04:15 - 00000000 ____D C:\ProgramData\Sonic
    2015-07-15 19:47 - 2010-11-20 23:16 - 00000000 ___RD C:\Users\Public\Recorded TV
    2015-07-14 14:58 - 2012-05-08 09:00 - 00000422 _____ C:\Windows\Tasks\SystemToolsDailyTest.job
    2015-07-14 14:17 - 2013-03-28 13:55 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
    2015-07-14 14:06 - 2012-09-02 09:09 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2015-07-14 13:17 - 2013-03-28 13:55 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
    2015-07-14 13:17 - 2012-05-01 03:35 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2015-07-14 13:17 - 2012-05-01 03:35 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2015-07-14 12:49 - 2012-07-15 12:24 - 00000872 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3274687172-3602840966-2228239552-1006Core.job
    2015-07-14 09:06 - 2012-09-02 09:09 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2015-07-14 03:42 - 2009-07-13 20:45 - 00028352 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2015-07-14 03:42 - 2009-07-13 20:45 - 00028352 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2015-07-14 03:26 - 2009-07-13 21:08 - 00032620 _____ C:\Windows\Tasks\SCHEDLGU.TXT
    2015-07-14 03:26 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2015-07-13 19:42 - 2015-04-04 02:44 - 00004978 _____ C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for trustno1-Thomas trustno1
    2015-07-13 12:46 - 2012-12-22 03:26 - 00000000 ___RD C:\Users\Thomas\SkyDrive
    2015-07-13 10:53 - 2015-05-15 23:49 - 00000000 ____D C:\Program Files (x86)\McAfee
    2015-07-13 10:53 - 2014-08-21 12:49 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2015-07-13 05:00 - 2012-05-09 05:00 - 00003488 _____ C:\Windows\System32\Tasks\PCDEventLauncher
    2015-07-13 05:00 - 2012-05-08 09:00 - 00003450 _____ C:\Windows\System32\Tasks\SystemToolsDailyTest
    2015-07-12 09:07 - 2009-07-13 21:13 - 00006506 _____ C:\Windows\System32\PerfStringBackup.INI
    2015-07-12 09:00 - 2012-05-08 09:00 - 00000564 _____ C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
    2015-07-12 08:47 - 2014-11-12 00:47 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieBrowserModeList
    2015-07-12 08:47 - 2014-04-30 09:30 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieUserList
    2015-07-12 08:47 - 2014-04-30 09:30 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieSiteList
    2015-07-04 19:00 - 2012-05-08 09:00 - 00004268 _____ C:\Windows\System32\Tasks\PCDoctorBackgroundMonitorTask
    2015-07-02 12:51 - 2009-07-13 21:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
    2015-06-26 03:30 - 2014-11-09 11:44 - 00000000 ___RD C:\Program Files (x86)\Skype
    2015-06-26 03:30 - 2012-05-01 03:54 - 00000000 ____D C:\ProgramData\Skype
    ==================== Known DLLs (Whitelisted) ================

    ==================== Bamital & volsnap Check =================
    (There is no automatic fix for files that do not pass verification.)
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== Restore Points =========================
    Restore point made on: 2015-07-14 15:00:12
    ==================== Memory info ===========================
    Percentage of memory in use: 10%
    Total physical RAM: 8104.63 MB
    Available physical RAM: 7231.77 MB
    Total Virtual: 8102.83 MB
    Available Virtual: 7208.61 MB
    ==================== Drives ================================
    Drive c: (OS) (Fixed) (Total:450.91 GB) (Free:145.41 GB) NTFS
    Drive d: (GSP1RMCHPXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
    Drive g: (RECOVERY) (Fixed) (Total:14.81 GB) (Free:5.74 GB) NTFS ==>[system with boot components (obtained from reading drive)]
    Drive h: (TOSHIBA EXT) (Fixed) (Total:465.76 GB) (Free:462.82 GB) NTFS
    Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    ==================== MBR & Partition Table ==================
    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: ACEA298C)
    Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
    Partition 2: (Active) - (Size=14.8 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=450.9 GB) - (Type=07 NTFS)
    ========================================================
    Disk: 1 (MBR Code: Windows 7 or Vista) (Size: 465.8 GB) (Disk ID: 35E8B3A5)
    Partition 1: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)

    LastRegBack: 2015-07-14 03:56
    ==================== End of log ============================
    Last edited by ot008239; 07-25-2015 at 03:40 PM. Reason: ETA

  12. #32
    Corrine's Avatar

    Re: Artemis Trojan

    From what I can find, those are both Microsoft files.

    C:\Windows\System32\appraiser is the folder for appraiser.dll, which is the Microsoft Compatibility Appraiser.
    Search results for C:\Windows\System32\CompatTel direct to QueryAppBlock.exe, which is part of KB2952664.

    Have you tried removing the DVD and booting?



  13. #33
    DonnaB's Avatar

    Re: Artemis Trojan

    Hi ot008239,

    Pleasure to meet you! :)

    The files you removed are legitimate. The c:\Windows\System32\appraiser file is present on my W7 system, and I do believe it is associated with one of the recent Windows Updates concerning the free upgrade for Windows 10.

    I do know that C:\Windows\System32\CompatTel is definitely associated with the KB2952664 update.
    See here

    Ooops! Ignore that..... I see Corrine beat me to it.

    Please the disc in your CD-ROM drive and try booting the computer into normal mode. Let us know the results. :)




    “What we do for ourselves dies with us. What we do for others and the world remains and is immortal.” - Albert Pine

  14. #34

    Re: Artemis Trojan

    Corrine\DonnaB

    Oh Gawd!! Thought they were dodgy files; I guess that explains why they have re-appeared. Excuse the Brit slang!!

    ETA:- I have tried booting from Windows DVD and tried restoring to no avail.
    Last edited by ot008239; 07-25-2015 at 04:14 PM. Reason: ETA

  15. #35
    DonnaB's Avatar

    Re: Artemis Trojan

    Take the DVD out and try to boot the computer. What happens then?

    While you're at it, remove all the other devices and see what happens.

  16. #36

    Re: Artemis Trojan

    Not sure what the other devices are; this could relate to the Dell desktop PC default setup, not sure. Portable drives and the DVD were removed, but x:\ still exists. No change in the boot process.

    Command prompt after reboot is always x:\ not C:\
    Last edited by ot008239; 07-25-2015 at 04:50 PM. Reason: ETA

  17. #37
    DonnaB's Avatar

    Re: Artemis Trojan

    What happens when you try to access one of the safe modes now? Anything??

  18. #38

    Re: Artemis Trojan

    No difference; Signature 07: Corrupt file.

  19. #39
    zcomputerwiz's Avatar

    Re: Artemis Trojan

    Does it list a specific file?
    I am usually online 1PM - 4PM CST Monday - Friday.
    If your thread has not received a new reply within 3 days, please make a post here: Not Received Help? so another helper can continue to assist you.

  20. #40

    Re: Artemis Trojan

    No, just the standard Signature 07: Corrupt file
