[SOLVED] Artemis Trojan

I'm going with just that one file so let's see what happens now. Let me know if you can boot to normal mode and, if so, in addition to the FRST log, please go ahead with the Malwarebytes Anti-Rootkit scan.

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.
Code:
S2 syshost32; C:\Windows\Installer\{269A4ED8-3094-6D54-48F0-3CC425AC5ECE}\syshost.exe [196923 2015-07-14] ()
C:\Windows\Installer\{269A4ED8-3094-6D54-48F0-3CC425AC5ECE}
  • Save it to your USB flashdrive as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

Boot into Recovery Environment

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt on your USB flashdrive.
  • Exit out of Recovery Environment and copy/paste the log please.
 
No joy I am afraid. I ran frst64 again.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:20-07-2015
Ran by SYSTEM on MININT-R9HO8RQ on 25-07-2015 10:48:49
Running from C:\
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Geeks to Go Forum
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [Stage Remote] => C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe [2022976 2011-06-27] ()
HKLM\...\Run: [boinctray] => C:\Program Files\BOINC\boinctray.exe [68928 2015-03-09] (Space Sciences Laboratory)
HKLM\...\Run: [boincmgr] => C:\Program Files\BOINC\boincmgr.exe [8926016 2015-03-09] (Space Sciences Laboratory)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-06] (Apple Inc.)
HKLM-x32\...\Run: [RemoteControl9] => C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2010-10-01] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD9LanguageShortcut] => C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-09-17] (CyberLink Corp.)
HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [616272 2015-04-07] (McAfee, Inc.)
HKLM-x32\...\Run: [RoxWatchTray] => C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-24] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] => C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [AccuWeatherWidget] => C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe [968048 2012-02-01] ()
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-03-20] (Apple Inc.)
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe [719272 2015-04-02] (McAfee, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [335232 2015-04-10] (Oracle Corporation)
HKLM\...\RunOnce: [*Restore] => C:\Windows\system32\rstrui.exe [296960 2015-05-25] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\Orrin JNR\...\Run: [Google Update] => C:\Users\Orrin JNR\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-15] (Google Inc.)
HKU\Thomas\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [53282944 2015-06-16] (Skype Technologies S.A.)
HKU\Thomas\...\Run: [Amazon Music] => C:\Users\Thomas\AppData\Local\Amazon Music\Amazon Music Helper.exe [6277952 2014-12-07] ()
HKU\Thomas\...\Run: [OneDrive] => C:\Users\Thomas\AppData\Local\Microsoft\OneDrive\OneDrive.exe [382664 2015-05-22] (Microsoft Corporation)
HKU\Thomas\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\Thomas\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7451928 2015-03-13] (Piriform Ltd)
==================== Services (Whitelisted) =================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2739888 2015-05-18] (Microsoft Corporation)
S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [155368 2015-07-03] (McAfee, Inc.)
S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [753768 2015-04-07] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.5.450.0\McCSPServiceHost.exe [207344 2015-04-08] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [612688 2015-04-09] (McAfee, Inc.)
S2 mcpltsvc; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232656 2015-02-17] (McAfee, Inc.)
S2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [372144 2015-04-06] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [250672 2015-02-17] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [68784 2015-02-17] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
S2 McPvDrv; C:\Windows\system32\drivers\McPvDrv.sys [76064 2015-03-27] (McAfee, Inc.)
S3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [401736 2015-02-17] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [337888 2015-02-17] (McAfee, Inc.)
S0 mfedisk; C:\Windows\System32\DRIVERS\mfedisk.sys [101872 2015-02-17] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [488000 2015-02-17] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [864072 2015-02-17] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [482600 2015-01-15] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [100720 2015-01-15] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340448 2015-02-17] (McAfee, Inc.)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [564824 2013-01-03] (Duplex Secure Ltd.)
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-07-24 11:40 - 2015-07-25 10:48 - 00000000 _____ C:\FRST.txt
2015-07-24 11:36 - 2015-07-25 10:48 - 00000000 ____D C:\FRST
2015-07-23 01:37 - 2015-07-23 01:37 - 02135552 _____ (Farbar) C:\frst64.exe
2015-07-21 12:29 - 2015-07-21 12:25 - 00002289 _____ C:\Users\Thomas\Desktop\SFCFix.zip
2015-07-21 12:24 - 2015-07-21 12:25 - 00002289 _____ C:\Users\Thomas\Downloads\SFCFix.zip
2015-07-17 14:37 - 2015-07-21 12:51 - 00000000 ____D C:\Users\Thomas\AppData\Local\niemiro
2015-07-17 05:03 - 2015-07-17 05:03 - 00000387 _____ C:\Users\Thomas\Desktop\copy.txt
2015-07-17 04:56 - 2015-07-17 04:57 - 00000000 ____D C:\Users\Thomas\copy
2015-07-17 04:55 - 2015-07-17 04:55 - 00000000 ____D C:\Users\Thomas\Downloads\Copy
2015-07-17 03:11 - 2015-07-21 12:51 - 00003148 _____ C:\Users\Thomas\Desktop\SFCFix.txt
2015-07-17 03:11 - 2015-07-21 12:51 - 00000000 ____D C:\SFCFix
2015-07-17 02:50 - 2015-07-17 02:55 - 00003212 _____ C:\Users\Thomas\sfcdetails.txt
2015-07-15 23:06 - 2015-07-15 23:06 - 00000000 ____D C:\Quarantine
2015-07-15 22:56 - 2015-07-17 03:37 - 00000000 ____D C:\Program Files (x86)\stinger
2015-07-15 22:55 - 2015-07-22 19:41 - 00000000 ____D C:\Users\Thomas\Downloads\stinger32-epo
2015-07-15 13:35 - 2015-07-15 13:35 - 00000000 ____D C:\Users\Thomas\Desktop\McAfee File Lock
2015-07-15 12:14 - 2015-07-15 13:18 - 00095802 _____ C:\Users\Thomas\Desktop\sfcdetails.txt
2015-07-15 11:58 - 2015-07-15 11:58 - 00000000 ____D C:\Users\Thomas\McAfee File Lock
2015-07-14 03:26 - 2015-07-14 03:26 - 00000342 _____ C:\Windows\PFRO.log
2015-07-13 12:45 - 2015-07-14 03:26 - 00000112 _____ C:\Windows\setupact.log
2015-07-13 12:45 - 2015-07-13 12:45 - 00000000 _____ C:\Windows\setuperr.log
2015-07-13 12:16 - 2015-07-13 12:16 - 00000000 ____D C:\Windows\System32\McAfee File Lock
2015-07-03 06:35 - 2015-07-12 10:09 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-06-28 10:52 - 2015-06-29 01:12 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\vlc
2015-06-28 10:50 - 2015-06-28 10:50 - 00001032 _____ C:\Users\Public\Desktop\VLC media player.lnk
2015-06-28 10:50 - 2015-06-28 10:50 - 00001032 _____ C:\ProgramData\Desktop\VLC media player.lnk
2015-06-28 10:49 - 2015-06-28 10:49 - 28849904 _____ C:\Users\Thomas\Downloads\vlc-2.2.1-win32.exe
2015-06-28 10:49 - 2015-06-28 10:49 - 00000000 ____D C:\Program Files (x86)\VideoLAN
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-07-23 23:28 - 2014-12-09 19:22 - 00000000 ____D C:\Windows\System32\appraiser
2015-07-23 23:28 - 2014-08-09 05:12 - 00000000 ____D C:\users\Guest
2015-07-23 23:28 - 2014-05-06 18:00 - 00000000 ___SD C:\Windows\System32\CompatTel
2015-07-23 23:28 - 2012-07-15 07:50 - 00000000 ____D C:\users\Orrin JNR
2015-07-23 23:28 - 2012-05-08 08:58 - 00000000 ____D C:\users\Thomas
2015-07-23 23:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
2015-07-23 23:27 - 2015-05-15 23:52 - 00000000 __RSD C:\Users\Thomas\Documents\McAfee Vaults
2015-07-23 23:27 - 2015-04-04 18:00 - 00000000 ___SD C:\Windows\System32\GWX
2015-07-23 23:27 - 2014-05-14 11:23 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Skype
2015-07-23 23:27 - 2012-11-29 11:21 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\uTorrent
2015-07-23 23:27 - 2012-05-09 12:20 - 00000000 ____D C:\ProgramData\McAfee Security Scan
2015-07-23 23:27 - 2012-05-01 03:52 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2015-07-23 23:25 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2015-07-23 23:23 - 2012-05-08 09:19 - 00000000 ____D C:\ProgramData\BOINC
2015-07-23 23:22 - 2015-04-04 02:39 - 00000000 ____D C:\Program Files\Microsoft Office 15
2015-07-23 23:22 - 2012-05-01 04:08 - 00000000 ____D C:\Program Files\mcafee
2015-07-22 10:20 - 2012-05-01 04:26 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2015-07-22 10:20 - 2012-05-01 04:26 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2015-07-22 10:05 - 2013-10-23 06:27 - 00000000 ____D C:\ProgramData\boost_interprocess
2015-07-21 12:57 - 2012-05-01 04:15 - 00000000 ____D C:\ProgramData\Sonic
2015-07-15 19:47 - 2010-11-20 23:16 - 00000000 ___RD C:\Users\Public\Recorded TV
2015-07-14 14:58 - 2012-05-08 09:00 - 00000422 _____ C:\Windows\Tasks\SystemToolsDailyTest.job
2015-07-14 14:17 - 2013-03-28 13:55 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-07-14 14:06 - 2012-09-02 09:09 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-14 13:17 - 2013-03-28 13:55 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-07-14 13:17 - 2012-05-01 03:35 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-07-14 13:17 - 2012-05-01 03:35 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-07-14 12:49 - 2012-07-15 12:24 - 00000872 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3274687172-3602840966-2228239552-1006Core.job
2015-07-14 09:06 - 2012-09-02 09:09 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-07-14 03:42 - 2009-07-13 20:45 - 00028352 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-14 03:42 - 2009-07-13 20:45 - 00028352 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-14 03:26 - 2009-07-13 21:08 - 00032620 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-07-14 03:26 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-13 19:42 - 2015-04-04 02:44 - 00004978 _____ C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for trustno1-Thomas trustno1
2015-07-13 12:46 - 2012-12-22 03:26 - 00000000 ___RD C:\Users\Thomas\SkyDrive
2015-07-13 10:53 - 2015-05-15 23:49 - 00000000 ____D C:\Program Files (x86)\McAfee
2015-07-13 10:53 - 2014-08-21 12:49 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-07-13 05:00 - 2012-05-09 05:00 - 00003488 _____ C:\Windows\System32\Tasks\PCDEventLauncher
2015-07-13 05:00 - 2012-05-08 09:00 - 00003450 _____ C:\Windows\System32\Tasks\SystemToolsDailyTest
2015-07-12 09:07 - 2009-07-13 21:13 - 00006506 _____ C:\Windows\System32\PerfStringBackup.INI
2015-07-12 09:00 - 2012-05-08 09:00 - 00000564 _____ C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2015-07-12 08:47 - 2014-11-12 00:47 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieBrowserModeList
2015-07-12 08:47 - 2014-04-30 09:30 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieUserList
2015-07-12 08:47 - 2014-04-30 09:30 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieSiteList
2015-07-04 19:00 - 2012-05-08 09:00 - 00004268 _____ C:\Windows\System32\Tasks\PCDoctorBackgroundMonitorTask
2015-07-02 12:51 - 2009-07-13 21:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2015-06-26 03:30 - 2014-11-09 11:44 - 00000000 ___RD C:\Program Files (x86)\Skype
2015-06-26 03:30 - 2012-05-01 03:54 - 00000000 ____D C:\ProgramData\Skype
==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== Restore Points =========================
Restore point made on: 2015-07-14 15:00:12
==================== Memory info ===========================
Percentage of memory in use: 10%
Total physical RAM: 8104.63 MB
Available physical RAM: 7238.35 MB
Total Virtual: 8102.83 MB
Available Virtual: 7211.47 MB
==================== Drives ================================
Drive c: (OS) (Fixed) (Total:450.91 GB) (Free:145.41 GB) NTFS
Drive d: (GSP1RMCHPXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
Drive g: (RECOVERY) (Fixed) (Total:14.81 GB) (Free:5.74 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive h: (TOSHIBA EXT) (Fixed) (Total:465.76 GB) (Free:462.85 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: ACEA298C)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=14.8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=450.9 GB) - (Type=07 NTFS)
========================================================
Disk: 2 (MBR Code: Windows 7 or Vista) (Size: 465.8 GB) (Disk ID: 35E8B3A5)
Partition 1: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)

LastRegBack: 2015-07-14 03:56
==================== End of log ============================
 
I was wondering about this entry, trying to understand why it would be required to run?

HKLM\...\RunOnce: [*Restore] => C:\Windows\system32\rstrui.exe [296960 2015-05-25] (Microsoft Corporation)
 
Dang! Is it the same "Problem Signature 07: CorruptFile" error as before? I'm consulting with others to see if they have any additional suggestions.
 
Yes, it is still reporting Signature 07 etc. However, apologies as this probably has nothing to do with my ongoing issues; what is this entry's function?

HKLM\...\RunOnce: [*Restore] => C:\Windows\system32\rstrui.exe [296960 2015-05-25] (Microsoft Corporation)

What is being restored?
 
Based on the "Problem Signature 07: CorruptFile" error, I do not believe that System Restore will work based on what I've found so far. However, you can most certainly give it a try. In the Recovery Environment, you would select System Restore. You need a restore date on or before 14 July 2015, which appears to be the beginning of the malware issues. The restore point shown is from 25 May 2015 which is well before the infection.

In the meantime, I'm waiting for a reply from DonnaB (another member of the team) as to what she thinks about what I thought might work.
 
I have deleted that entry but the loop continues signature 07. Latest report:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:20-07-2015
Ran by SYSTEM on MININT-2IIKUDD on 25-07-2015 17:37:01
Running from C:\
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Geeks to Go Forum
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [Stage Remote] => C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe [2022976 2011-06-27] ()
HKLM\...\Run: [boinctray] => C:\Program Files\BOINC\boinctray.exe [68928 2015-03-09] (Space Sciences Laboratory)
HKLM\...\Run: [boincmgr] => C:\Program Files\BOINC\boincmgr.exe [8926016 2015-03-09] (Space Sciences Laboratory)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-06] (Apple Inc.)
HKLM-x32\...\Run: [RemoteControl9] => C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2010-10-01] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD9LanguageShortcut] => C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-09-17] (CyberLink Corp.)
HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [616272 2015-04-07] (McAfee, Inc.)
HKLM-x32\...\Run: [RoxWatchTray] => C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-24] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] => C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [AccuWeatherWidget] => C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe [968048 2012-02-01] ()
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-03-20] (Apple Inc.)
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe [719272 2015-04-02] (McAfee, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [335232 2015-04-10] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\Orrin JNR\...\Run: [Google Update] => C:\Users\Orrin JNR\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-15] (Google Inc.)
HKU\Thomas\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [53282944 2015-06-16] (Skype Technologies S.A.)
HKU\Thomas\...\Run: [Amazon Music] => C:\Users\Thomas\AppData\Local\Amazon Music\Amazon Music Helper.exe [6277952 2014-12-07] ()
HKU\Thomas\...\Run: [OneDrive] => C:\Users\Thomas\AppData\Local\Microsoft\OneDrive\OneDrive.exe [382664 2015-05-22] (Microsoft Corporation)
HKU\Thomas\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\Thomas\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7451928 2015-03-13] (Piriform Ltd)
==================== Services (Whitelisted) =================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2739888 2015-05-18] (Microsoft Corporation)
S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [155368 2015-07-03] (McAfee, Inc.)
S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [753768 2015-04-07] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.5.450.0\McCSPServiceHost.exe [207344 2015-04-08] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [612688 2015-04-09] (McAfee, Inc.)
S2 mcpltsvc; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232656 2015-02-17] (McAfee, Inc.)
S2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [372144 2015-04-06] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [250672 2015-02-17] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [68784 2015-02-17] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
S2 McPvDrv; C:\Windows\system32\drivers\McPvDrv.sys [76064 2015-03-27] (McAfee, Inc.)
S3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [401736 2015-02-17] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [337888 2015-02-17] (McAfee, Inc.)
S0 mfedisk; C:\Windows\System32\DRIVERS\mfedisk.sys [101872 2015-02-17] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [488000 2015-02-17] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [864072 2015-02-17] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [482600 2015-01-15] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [100720 2015-01-15] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340448 2015-02-17] (McAfee, Inc.)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [564824 2013-01-03] (Duplex Secure Ltd.)
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-07-24 11:40 - 2015-07-25 17:37 - 00000000 _____ C:\FRST.txt
2015-07-24 11:36 - 2015-07-25 17:37 - 00000000 ____D C:\FRST
2015-07-23 01:37 - 2015-07-23 01:37 - 02135552 _____ (Farbar) C:\frst64.exe
2015-07-21 12:29 - 2015-07-21 12:25 - 00002289 _____ C:\Users\Thomas\Desktop\SFCFix.zip
2015-07-21 12:24 - 2015-07-21 12:25 - 00002289 _____ C:\Users\Thomas\Downloads\SFCFix.zip
2015-07-17 14:37 - 2015-07-21 12:51 - 00000000 ____D C:\Users\Thomas\AppData\Local\niemiro
2015-07-17 05:03 - 2015-07-17 05:03 - 00000387 _____ C:\Users\Thomas\Desktop\copy.txt
2015-07-17 04:56 - 2015-07-17 04:57 - 00000000 ____D C:\Users\Thomas\copy
2015-07-17 04:55 - 2015-07-17 04:55 - 00000000 ____D C:\Users\Thomas\Downloads\Copy
2015-07-17 03:11 - 2015-07-21 12:51 - 00003148 _____ C:\Users\Thomas\Desktop\SFCFix.txt
2015-07-17 03:11 - 2015-07-21 12:51 - 00000000 ____D C:\SFCFix
2015-07-17 02:50 - 2015-07-17 02:55 - 00003212 _____ C:\Users\Thomas\sfcdetails.txt
2015-07-15 23:06 - 2015-07-15 23:06 - 00000000 ____D C:\Quarantine
2015-07-15 22:56 - 2015-07-17 03:37 - 00000000 ____D C:\Program Files (x86)\stinger
2015-07-15 22:55 - 2015-07-22 19:41 - 00000000 ____D C:\Users\Thomas\Downloads\stinger32-epo
2015-07-15 13:35 - 2015-07-15 13:35 - 00000000 ____D C:\Users\Thomas\Desktop\McAfee File Lock
2015-07-15 12:14 - 2015-07-15 13:18 - 00095802 _____ C:\Users\Thomas\Desktop\sfcdetails.txt
2015-07-15 11:58 - 2015-07-15 11:58 - 00000000 ____D C:\Users\Thomas\McAfee File Lock
2015-07-14 03:26 - 2015-07-14 03:26 - 00000342 _____ C:\Windows\PFRO.log
2015-07-13 12:45 - 2015-07-14 03:26 - 00000112 _____ C:\Windows\setupact.log
2015-07-13 12:45 - 2015-07-13 12:45 - 00000000 _____ C:\Windows\setuperr.log
2015-07-13 12:16 - 2015-07-13 12:16 - 00000000 ____D C:\Windows\System32\McAfee File Lock
2015-07-03 06:35 - 2015-07-12 10:09 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-06-28 10:52 - 2015-06-29 01:12 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\vlc
2015-06-28 10:50 - 2015-06-28 10:50 - 00001032 _____ C:\Users\Public\Desktop\VLC media player.lnk
2015-06-28 10:50 - 2015-06-28 10:50 - 00001032 _____ C:\ProgramData\Desktop\VLC media player.lnk
2015-06-28 10:49 - 2015-06-28 10:49 - 28849904 _____ C:\Users\Thomas\Downloads\vlc-2.2.1-win32.exe
2015-06-28 10:49 - 2015-06-28 10:49 - 00000000 ____D C:\Program Files (x86)\VideoLAN
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-07-23 23:28 - 2014-12-09 19:22 - 00000000 ____D C:\Windows\System32\appraiser
2015-07-23 23:28 - 2014-08-09 05:12 - 00000000 ____D C:\users\Guest
2015-07-23 23:28 - 2014-05-06 18:00 - 00000000 ___SD C:\Windows\System32\CompatTel
2015-07-23 23:28 - 2012-07-15 07:50 - 00000000 ____D C:\users\Orrin JNR
2015-07-23 23:28 - 2012-05-08 08:58 - 00000000 ____D C:\users\Thomas
2015-07-23 23:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
2015-07-23 23:27 - 2015-05-15 23:52 - 00000000 __RSD C:\Users\Thomas\Documents\McAfee Vaults
2015-07-23 23:27 - 2015-04-04 18:00 - 00000000 ___SD C:\Windows\System32\GWX
2015-07-23 23:27 - 2014-05-14 11:23 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Skype
2015-07-23 23:27 - 2012-11-29 11:21 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\uTorrent
2015-07-23 23:27 - 2012-05-09 12:20 - 00000000 ____D C:\ProgramData\McAfee Security Scan
2015-07-23 23:27 - 2012-05-01 03:52 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2015-07-23 23:25 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2015-07-23 23:23 - 2012-05-08 09:19 - 00000000 ____D C:\ProgramData\BOINC
2015-07-23 23:22 - 2015-04-04 02:39 - 00000000 ____D C:\Program Files\Microsoft Office 15
2015-07-23 23:22 - 2012-05-01 04:08 - 00000000 ____D C:\Program Files\mcafee
2015-07-22 10:20 - 2012-05-01 04:26 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2015-07-22 10:20 - 2012-05-01 04:26 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2015-07-22 10:05 - 2013-10-23 06:27 - 00000000 ____D C:\ProgramData\boost_interprocess
2015-07-21 12:57 - 2012-05-01 04:15 - 00000000 ____D C:\ProgramData\Sonic
2015-07-15 19:47 - 2010-11-20 23:16 - 00000000 ___RD C:\Users\Public\Recorded TV
2015-07-14 14:58 - 2012-05-08 09:00 - 00000422 _____ C:\Windows\Tasks\SystemToolsDailyTest.job
2015-07-14 14:17 - 2013-03-28 13:55 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-07-14 14:06 - 2012-09-02 09:09 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-14 13:17 - 2013-03-28 13:55 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-07-14 13:17 - 2012-05-01 03:35 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-07-14 13:17 - 2012-05-01 03:35 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-07-14 12:49 - 2012-07-15 12:24 - 00000872 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3274687172-3602840966-2228239552-1006Core.job
2015-07-14 09:06 - 2012-09-02 09:09 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-07-14 03:42 - 2009-07-13 20:45 - 00028352 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-14 03:42 - 2009-07-13 20:45 - 00028352 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-14 03:26 - 2009-07-13 21:08 - 00032620 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-07-14 03:26 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-13 19:42 - 2015-04-04 02:44 - 00004978 _____ C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for trustno1-Thomas trustno1
2015-07-13 12:46 - 2012-12-22 03:26 - 00000000 ___RD C:\Users\Thomas\SkyDrive
2015-07-13 10:53 - 2015-05-15 23:49 - 00000000 ____D C:\Program Files (x86)\McAfee
2015-07-13 10:53 - 2014-08-21 12:49 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-07-13 05:00 - 2012-05-09 05:00 - 00003488 _____ C:\Windows\System32\Tasks\PCDEventLauncher
2015-07-13 05:00 - 2012-05-08 09:00 - 00003450 _____ C:\Windows\System32\Tasks\SystemToolsDailyTest
2015-07-12 09:07 - 2009-07-13 21:13 - 00006506 _____ C:\Windows\System32\PerfStringBackup.INI
2015-07-12 09:00 - 2012-05-08 09:00 - 00000564 _____ C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2015-07-12 08:47 - 2014-11-12 00:47 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieBrowserModeList
2015-07-12 08:47 - 2014-04-30 09:30 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieUserList
2015-07-12 08:47 - 2014-04-30 09:30 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieSiteList
2015-07-04 19:00 - 2012-05-08 09:00 - 00004268 _____ C:\Windows\System32\Tasks\PCDoctorBackgroundMonitorTask
2015-07-02 12:51 - 2009-07-13 21:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2015-06-26 03:30 - 2014-11-09 11:44 - 00000000 ___RD C:\Program Files (x86)\Skype
2015-06-26 03:30 - 2012-05-01 03:54 - 00000000 ____D C:\ProgramData\Skype
==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== Restore Points =========================
Restore point made on: 2015-07-14 15:00:12
==================== Memory info ===========================
Percentage of memory in use: 10%
Total physical RAM: 8104.63 MB
Available physical RAM: 7231.77 MB
Total Virtual: 8102.83 MB
Available Virtual: 7208.61 MB
==================== Drives ================================
Drive c: (OS) (Fixed) (Total:450.91 GB) (Free:145.41 GB) NTFS
Drive d: (GSP1RMCHPXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
Drive g: (RECOVERY) (Fixed) (Total:14.81 GB) (Free:5.74 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive h: (TOSHIBA EXT) (Fixed) (Total:465.76 GB) (Free:462.82 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: ACEA298C)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=14.8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=450.9 GB) - (Type=07 NTFS)
========================================================
Disk: 1 (MBR Code: Windows 7 or Vista) (Size: 465.8 GB) (Disk ID: 35E8B3A5)
Partition 1: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)

LastRegBack: 2015-07-14 03:56
==================== End of log ============================
 
We seem to have cross-posted. See my reply from just a minute before you posted your log.
 
Sorry, our posts did cross. It appears this virus is being respawned via the boot process, as random files are appearing each time I boot. Fixing the MBR via the usual method doesn't have the desired effect.
 
Do you have any examples of the random file names? Neither DonnaB nor I are seeing what might appear to be malicious files re-appearing in your log. A comment Donna made is that most computers will attempt to boot the DVD drive and if no disk is found will boot straight to the HDD, unless the boot settings in BIOS are set otherwise.

Remove the DVD from Drive D. You need Drives c and g. What are drives h and x?

Drive c: (OS) (Fixed) (Total:450.91 GB) (Free:145.41 GB) NTFS
Drive d: (GSP1RMCHPXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
Drive g: (RECOVERY) (Fixed) (Total:14.81 GB) (Free:5.74 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive h: (TOSHIBA EXT) (Fixed) (Total:465.76 GB) (Free:462.82 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
Re: Artemis Trojan

Suspect and/or respawning files are highlighted below; I have removed them via frst64.

Not sure what X: is; the Toshiba is my portable disk.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:20-07-2015
Ran by SYSTEM on MININT-2IIKUDD on 25-07-2015 17:37:01
Running from C:\
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Geeks to Go Forum
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [Stage Remote] => C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe [2022976 2011-06-27] ()
HKLM\...\Run: [boinctray] => C:\Program Files\BOINC\boinctray.exe [68928 2015-03-09] (Space Sciences Laboratory)
HKLM\...\Run: [boincmgr] => C:\Program Files\BOINC\boincmgr.exe [8926016 2015-03-09] (Space Sciences Laboratory)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-06] (Apple Inc.)
HKLM-x32\...\Run: [RemoteControl9] => C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2010-10-01] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD9LanguageShortcut] => C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-09-17] (CyberLink Corp.)
HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [616272 2015-04-07] (McAfee, Inc.)
HKLM-x32\...\Run: [RoxWatchTray] => C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-24] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] => C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [AccuWeatherWidget] => C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe [968048 2012-02-01] ()
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-03-20] (Apple Inc.)
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe [719272 2015-04-02] (McAfee, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [335232 2015-04-10] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\Orrin JNR\...\Run: [Google Update] => C:\Users\Orrin JNR\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-15] (Google Inc.)
HKU\Thomas\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [53282944 2015-06-16] (Skype Technologies S.A.)
HKU\Thomas\...\Run: [Amazon Music] => C:\Users\Thomas\AppData\Local\Amazon Music\Amazon Music Helper.exe [6277952 2014-12-07] ()
HKU\Thomas\...\Run: [OneDrive] => C:\Users\Thomas\AppData\Local\Microsoft\OneDrive\OneDrive.exe [382664 2015-05-22] (Microsoft Corporation)
HKU\Thomas\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\Thomas\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7451928 2015-03-13] (Piriform Ltd)
==================== Services (Whitelisted) =================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2739888 2015-05-18] (Microsoft Corporation)
S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [155368 2015-07-03] (McAfee, Inc.)
S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [753768 2015-04-07] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.5.450.0\McCSPServiceHost.exe [207344 2015-04-08] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [612688 2015-04-09] (McAfee, Inc.)
S2 mcpltsvc; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232656 2015-02-17] (McAfee, Inc.)
S2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [372144 2015-04-06] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [250672 2015-02-17] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [340744 2015-04-02] (McAfee, Inc.)
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [68784 2015-02-17] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
S2 McPvDrv; C:\Windows\system32\drivers\McPvDrv.sys [76064 2015-03-27] (McAfee, Inc.)
S3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [401736 2015-02-17] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [337888 2015-02-17] (McAfee, Inc.)
S0 mfedisk; C:\Windows\System32\DRIVERS\mfedisk.sys [101872 2015-02-17] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [488000 2015-02-17] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [864072 2015-02-17] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [482600 2015-01-15] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [100720 2015-01-15] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340448 2015-02-17] (McAfee, Inc.)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [564824 2013-01-03] (Duplex Secure Ltd.)
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-07-24 11:40 - 2015-07-25 17:37 - 00000000 _____ C:\FRST.txt
2015-07-24 11:36 - 2015-07-25 17:37 - 00000000 ____D C:\FRST
2015-07-23 01:37 - 2015-07-23 01:37 - 02135552 _____ (Farbar) C:\frst64.exe
2015-07-21 12:29 - 2015-07-21 12:25 - 00002289 _____ C:\Users\Thomas\Desktop\SFCFix.zip
2015-07-21 12:24 - 2015-07-21 12:25 - 00002289 _____ C:\Users\Thomas\Downloads\SFCFix.zip
2015-07-17 14:37 - 2015-07-21 12:51 - 00000000 ____D C:\Users\Thomas\AppData\Local\niemiro
2015-07-17 05:03 - 2015-07-17 05:03 - 00000387 _____ C:\Users\Thomas\Desktop\copy.txt
2015-07-17 04:56 - 2015-07-17 04:57 - 00000000 ____D C:\Users\Thomas\copy
2015-07-17 04:55 - 2015-07-17 04:55 - 00000000 ____D C:\Users\Thomas\Downloads\Copy
2015-07-17 03:11 - 2015-07-21 12:51 - 00003148 _____ C:\Users\Thomas\Desktop\SFCFix.txt
2015-07-17 03:11 - 2015-07-21 12:51 - 00000000 ____D C:\SFCFix
2015-07-17 02:50 - 2015-07-17 02:55 - 00003212 _____ C:\Users\Thomas\sfcdetails.txt
2015-07-15 23:06 - 2015-07-15 23:06 - 00000000 ____D C:\Quarantine
2015-07-15 22:56 - 2015-07-17 03:37 - 00000000 ____D C:\Program Files (x86)\stinger
2015-07-15 22:55 - 2015-07-22 19:41 - 00000000 ____D C:\Users\Thomas\Downloads\stinger32-epo
2015-07-15 13:35 - 2015-07-15 13:35 - 00000000 ____D C:\Users\Thomas\Desktop\McAfee File Lock
2015-07-15 12:14 - 2015-07-15 13:18 - 00095802 _____ C:\Users\Thomas\Desktop\sfcdetails.txt
2015-07-15 11:58 - 2015-07-15 11:58 - 00000000 ____D C:\Users\Thomas\McAfee File Lock
2015-07-14 03:26 - 2015-07-14 03:26 - 00000342 _____ C:\Windows\PFRO.log
2015-07-13 12:45 - 2015-07-14 03:26 - 00000112 _____ C:\Windows\setupact.log
2015-07-13 12:45 - 2015-07-13 12:45 - 00000000 _____ C:\Windows\setuperr.log
2015-07-13 12:16 - 2015-07-13 12:16 - 00000000 ____D C:\Windows\System32\McAfee File Lock
2015-07-03 06:35 - 2015-07-12 10:09 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-06-28 10:52 - 2015-06-29 01:12 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\vlc
2015-06-28 10:50 - 2015-06-28 10:50 - 00001032 _____ C:\Users\Public\Desktop\VLC media player.lnk
2015-06-28 10:50 - 2015-06-28 10:50 - 00001032 _____ C:\ProgramData\Desktop\VLC media player.lnk
2015-06-28 10:49 - 2015-06-28 10:49 - 28849904 _____ C:\Users\Thomas\Downloads\vlc-2.2.1-win32.exe
2015-06-28 10:49 - 2015-06-28 10:49 - 00000000 ____D C:\Program Files (x86)\VideoLAN
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-07-23 23:28 - 2014-12-09 19:22 - 00000000 ____D C:\Windows\System32\appraiser
2015-07-23 23:28 - 2014-08-09 05:12 - 00000000 ____D C:\users\Guest
2015-07-23 23:28 - 2014-05-06 18:00 - 00000000 ___SD C:\Windows\System32\CompatTel
2015-07-23 23:28 - 2012-07-15 07:50 - 00000000 ____D C:\users\Orrin JNR
2015-07-23 23:28 - 2012-05-08 08:58 - 00000000 ____D C:\users\Thomas
2015-07-23 23:28 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
2015-07-23 23:27 - 2015-05-15 23:52 - 00000000 __RSD C:\Users\Thomas\Documents\McAfee Vaults
2015-07-23 23:27 - 2015-04-04 18:00 - 00000000 ___SD C:\Windows\System32\GWX
2015-07-23 23:27 - 2014-05-14 11:23 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Skype
2015-07-23 23:27 - 2012-11-29 11:21 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\uTorrent
2015-07-23 23:27 - 2012-05-09 12:20 - 00000000 ____D C:\ProgramData\McAfee Security Scan
2015-07-23 23:27 - 2012-05-01 03:52 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2015-07-23 23:25 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2015-07-23 23:23 - 2012-05-08 09:19 - 00000000 ____D C:\ProgramData\BOINC
2015-07-23 23:22 - 2015-04-04 02:39 - 00000000 ____D C:\Program Files\Microsoft Office 15
2015-07-23 23:22 - 2012-05-01 04:08 - 00000000 ____D C:\Program Files\mcafee
2015-07-22 10:20 - 2012-05-01 04:26 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2015-07-22 10:20 - 2012-05-01 04:26 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2015-07-22 10:05 - 2013-10-23 06:27 - 00000000 ____D C:\ProgramData\boost_interprocess
2015-07-21 12:57 - 2012-05-01 04:15 - 00000000 ____D C:\ProgramData\Sonic
2015-07-15 19:47 - 2010-11-20 23:16 - 00000000 ___RD C:\Users\Public\Recorded TV
2015-07-14 14:58 - 2012-05-08 09:00 - 00000422 _____ C:\Windows\Tasks\SystemToolsDailyTest.job
2015-07-14 14:17 - 2013-03-28 13:55 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-07-14 14:06 - 2012-09-02 09:09 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-14 13:17 - 2013-03-28 13:55 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-07-14 13:17 - 2012-05-01 03:35 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-07-14 13:17 - 2012-05-01 03:35 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-07-14 12:49 - 2012-07-15 12:24 - 00000872 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3274687172-3602840966-2228239552-1006Core.job
2015-07-14 09:06 - 2012-09-02 09:09 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-07-14 03:42 - 2009-07-13 20:45 - 00028352 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-14 03:42 - 2009-07-13 20:45 - 00028352 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-14 03:26 - 2009-07-13 21:08 - 00032620 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-07-14 03:26 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-13 19:42 - 2015-04-04 02:44 - 00004978 _____ C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for trustno1-Thomas trustno1
2015-07-13 12:46 - 2012-12-22 03:26 - 00000000 ___RD C:\Users\Thomas\SkyDrive
2015-07-13 10:53 - 2015-05-15 23:49 - 00000000 ____D C:\Program Files (x86)\McAfee
2015-07-13 10:53 - 2014-08-21 12:49 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-07-13 05:00 - 2012-05-09 05:00 - 00003488 _____ C:\Windows\System32\Tasks\PCDEventLauncher
2015-07-13 05:00 - 2012-05-08 09:00 - 00003450 _____ C:\Windows\System32\Tasks\SystemToolsDailyTest
2015-07-12 09:07 - 2009-07-13 21:13 - 00006506 _____ C:\Windows\System32\PerfStringBackup.INI
2015-07-12 09:00 - 2012-05-08 09:00 - 00000564 _____ C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2015-07-12 08:47 - 2014-11-12 00:47 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieBrowserModeList
2015-07-12 08:47 - 2014-04-30 09:30 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieUserList
2015-07-12 08:47 - 2014-04-30 09:30 - 00000000 __SHD C:\Users\Thomas\AppData\Local\EmieSiteList
2015-07-04 19:00 - 2012-05-08 09:00 - 00004268 _____ C:\Windows\System32\Tasks\PCDoctorBackgroundMonitorTask
2015-07-02 12:51 - 2009-07-13 21:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2015-06-26 03:30 - 2014-11-09 11:44 - 00000000 ___RD C:\Program Files (x86)\Skype
2015-06-26 03:30 - 2012-05-01 03:54 - 00000000 ____D C:\ProgramData\Skype
==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== Restore Points =========================
Restore point made on: 2015-07-14 15:00:12
==================== Memory info ===========================
Percentage of memory in use: 10%
Total physical RAM: 8104.63 MB
Available physical RAM: 7231.77 MB
Total Virtual: 8102.83 MB
Available Virtual: 7208.61 MB
==================== Drives ================================
Drive c: (OS) (Fixed) (Total:450.91 GB) (Free:145.41 GB) NTFS
Drive d: (GSP1RMCHPXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
Drive g: (RECOVERY) (Fixed) (Total:14.81 GB) (Free:5.74 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive h: (TOSHIBA EXT) (Fixed) (Total:465.76 GB) (Free:462.82 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: ACEA298C)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=14.8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=450.9 GB) - (Type=07 NTFS)
========================================================
Disk: 1 (MBR Code: Windows 7 or Vista) (Size: 465.8 GB) (Disk ID: 35E8B3A5)
Partition 1: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)

LastRegBack: 2015-07-14 03:56
==================== End of log ============================
 
From what I can find, those are both Microsoft files.

C:\Windows\System32\appraiser is the folder for the appraiser.dll, which is the Microsoft Compatibility Appraiser.
Search results for C:\Windows\System32\CompatTel direct to QueryAppBlock.exe, which is part of KB2952664.

Have you tried removing the DVD and booting?
 
Hi ot008239,

Pleasure to meet you! :)

The files you removed are legitimate. The c:\Windows\System32\appraiser file is present on my W7 system and I do believe is associated with one of the recent Windows Updates concerning the free upgrade for Windows 10.

I do know that the C:\Windows\System32\CompatTel is definitely associated with the KB2952664 update.
See here

Ooops! Ignore that..... I see Corrine beat me to it.

Please the disc in your CD Rom drive and try booting the computer into normal. Let us know the results. :)




 
Corrine\DonnaB

Oh Gawd!! Thought they were dodgy files, I guess that explains why they have re-appeared. Excuse the Brit slang!!

ETA:- I have tried booting from Windows DVD and tried restoring to no avail.
 
Take the DVD out and try to boot the computer. What happens then?

While you're at it, remove all the other devices and see what happens.
 
Not sure what the other devices are; this could relate to Dell desktop PC default setup, not sure. Portable drives and DVD were removed but x:\ still exists. No change in boot process.

Command prompt after reboot is always x:\ not C:\
 