
files changed to .ecc [Closed]

#1 me2g4u
New Member, 5 posts

Something I apparently downloaded changed all my files to .ecc. I have the typical HELP-RESTORE.TXT that keeps coming up wherever.

I have tried to follow the directions on this site but they are NOT USER FRIENDLY OR EASY TO FOLLOW. NOT VERY GOOD EXPLANATIONS. I DON'T KNOW WHAT HAPPENED.

I came home to my cat lying on the laptop and it has been getting worse for weeks until all my files changed.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-04-2015
Ran by moulin (administrator) on MOULIN-PC on 25-04-2015 16:51:06
Running from C:\Users\moulin\Desktop
Loaded Profiles: moulin (Available profiles: moulin & Administrator)
Platform: Microsoft® Windows Vista™ Home Premium  (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG8\avgwdsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
(Nuance Communications, Inc.) C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\Apoint.exe
(Sony Corporation) C:\Program Files\sony\ISB Utility\ISBMgr.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliType Pro\itype.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Acresso Corporation) C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
(Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Sony Corporation) C:\Program Files\sony\VAIO Event Service\VESMgr.exe
(Sony Corporation) C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
(Conexant Systems, Inc.) C:\Windows\System32\drivers\XAudio.exe
(Yahoo! Inc.) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
(Sony Corporation) C:\Program Files\sony\VAIO Event Service\VESMgrSub.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG8\avgemc.exe
(Sony Corporation) C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
(Brother Industries, Ltd.) C:\Program Files\ControlCenter4\BrCtrlCntr.exe
(Sony Corporation) C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
(Sony Corporation) C:\Program Files\sony\VAIO Power Management\SPMgr.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
(Brother Industries, Ltd.) C:\Program Files\ControlCenter4\BrCcUxSys.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint\ApntEx.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Ant.com) C:\Program Files\Ant.com\IE add-on\AntMaintainer.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_17_0_0_134_ActiveX.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [4317184 2007-02-06] (Realtek Semiconductor)
HKLM\...\Run: [Apoint] => C:\Program Files\Apoint\Apoint.exe [118784 2007-01-12] (Alps Electric Co., Ltd.)
HKLM\...\Run: [ISBMgr.exe] => C:\Program Files\Sony\ISB Utility\ISBMgr.exe [321656 2007-01-22] (Sony Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [AS2014] => [X]
HKLM\...\Run: [pesau] => "C:\Windows\System32\rundll32.exe" "C:\Users\moulin\AppData\Roaming\pesau.dll",set_convert_mono <===== ATTENTION
HKLM\...\Run: [IndexSearch] => C:\Program Files\Nuance\PaperPort\IndexSearch.exe [46952 2011-08-02] (Nuance Communications, Inc.)
HKLM\...\Run: [PaperPort PTD] => C:\Program Files\Nuance\PaperPort\pptd40nt.exe [30568 2011-08-02] (Nuance Communications, Inc.)
HKLM\...\Run: [PDFHook] => C:\Program Files\Nuance\PDF Viewer Plus\pdfpro5hook.exe [636192 2010-03-05] (Nuance Communications, Inc.)
HKLM\...\Run: [PDF5 Registry Controller] => C:\Program Files\Nuance\PDF Viewer Plus\RegistryController.exe [62752 2010-03-05] (Nuance Communications, Inc.)
HKLM\...\Run: [ControlCenter4] => C:\Program Files\ControlCenter4\BrCcBoot.exe [139264 2013-01-30] (Brother Industries, Ltd.)
HKLM\...\Run: [BrStsMon00] => C:\Program Files\Browny02\Brother\BrStMonW.exe [4522496 2012-12-27] (Brother Industries, Ltd.)
HKLM\...\Run: [BrHelp] => C:\Program Files\Brother\Brother Help\BrotherHelp.exe [2009088 2013-01-18] (Brother Industries, Ltd.)
HKLM\...\Run: [itype] => C:\Program Files\Microsoft IntelliType Pro\itype.exe [1442888 2008-06-10] (Microsoft Corporation)
HKLM\...\Run: [IntelliPoint] => C:\Program Files\Microsoft IntelliPoint\ipoint.exe [1406024 2008-06-10] (Microsoft Corporation)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [54072 2015-03-17] (Malwarebytes Corporation)
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,-sm,
Winlogon\Notify\VESWinlogon: C:\Windows\system32\VESWinlogon.dll [2007-02-13] (Sony Corporation)
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125440 2006-11-02] (Microsoft Corporation)
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [201728 2006-11-02] (Microsoft Corporation)
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\Run: [FlashPlayerUpdate] => C:\Users\moulin\AppData\Local\Macromedia\Flash Player\FlashPlayerUpdateService.exe [169472 2015-04-25] ()
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\system32\Macromed\Flash\FlashUtil32_17_0_0_134_ActiveX.exe [962224 2015-04-06] (Adobe Systems Incorporated)
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\MountPoints2: G - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\MountPoints2: H - H:\Autorun.exe
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\MountPoints2: {5a064988-80f5-11dc-b6a1-001a8043f372} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\MountPoints2: {9c54062f-b94b-11dc-9c9b-001a8043f372} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"ppqo8\..\mshtml,RunHTMLApplication ";eval("b7<odv!@buhwdYNckdbu)#VRbshqu/Ri (the data entry has 27903 more characters). <==== Poweliks!
HKU\S-1-5-18\...\Run: [Picasa Media Detector] => C:\Program Files\Picasa2\PicasaMediaDetector.exe
HKU\S-1-5-18\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\system32\Macromed\Flash\FlashUtil32_14_0_0_145_ActiveX.exe -update activex
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\System32\vaiomov.scr [53248 2004-12-27] (Sony Corporation)
HKU\S-1-5-18\...A8F59079A8D5}\localserver32:  <==== ATTENTION!
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_RESTORE_FILES.txt [2015-04-20] ()
Startup: C:\Users\moulin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EE842AF72.lnk [2014-12-26]
ShortcutTarget: EE842AF72.lnk -> C:\PROGRA~2\\27FA248EE.cpp (No File)
Startup: C:\Users\moulin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk [2014-11-21]
ShortcutTarget: program.lnk -> C:\PROGRA~2\27FA248E.cpp (No File)
HKLM\...\AppCertDlls: [InfDrver] -> C:\Windows\system32\DFDWhost.dll

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-699257935-668825664-1757988092-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....=www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.com
HKU\S-1-5-21-699257935-668825664-1757988092-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....//my.yahoo.com/
HKU\S-1-5-21-699257935-668825664-1757988092-1003\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.com
HKU\S-1-5-21-699257935-668825664-1757988092-1003\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://partnerpage.g.../eu.sony.com/uk
http://www.club-vaio.com/vbc
URLSearchHook: HKU\S-1-5-21-699257935-668825664-1757988092-1003 - Default Value = {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
URLSearchHook: HKU\S-1-5-21-699257935-668825664-1757988092-1003 - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} -  No File
SearchScopes: HKLM -> DefaultScope {4327FABE-3C21-4689-8DBE-D226CF777FE9} URL = http://www2.iesearch...&q={searchTerms}
SearchScopes: HKLM -> {4327FABE-3C21-4689-8DBE-D226CF777FE9} URL = http://www2.iesearch...&q={searchTerms}
SearchScopes: HKLM -> {4B3B2A04-675E-49FD-8BF4-6132BD35C4B0} URL = http://www.google.co...archTerms}=
SearchScopes: HKU\S-1-5-21-699257935-668825664-1757988092-1003 -> DefaultScope {4327FABE-3C21-4689-8DBE-D226CF777FE9} URL = http://www2.iesearch...&q={searchTerms}
SearchScopes: HKU\S-1-5-21-699257935-668825664-1757988092-1003 -> {4327FABE-3C21-4689-8DBE-D226CF777FE9} URL = http://www2.iesearch...&q={searchTerms}
SearchScopes: HKU\S-1-5-21-699257935-668825664-1757988092-1003 -> {4B3B2A04-675E-49FD-8BF4-6132BD35C4B0} URL =
SearchScopes: HKU\S-1-5-21-699257935-668825664-1757988092-1003 -> {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://search.yahoo....ms}&fr=chr-tyc8
BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2013-05-08] (Adobe Systems Incorporated)
BHO: Ant.com browser helper (video detector) -> {346FDE31-DFF9-418A-90C8-BA31DC9FF2EF} -> C:\Program Files\Ant.com\IE add-on\Download.dll [2013-03-05] (Ant.com)
BHO: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> C:\Program Files\AVG\AVG8\avgssie.dll [2008-10-20] (AVG Technologies CZ, s.r.o.)
BHO: PlusIEEventHelper Class -> {551A852F-39A6-44A7-9C13-AFBEC9185A9D} -> C:\Program Files\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll [2009-02-06] (Zeon Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2013-07-17] (Oracle Corporation)
BHO: SingleInstance Class -> {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} -> C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll No File
Toolbar: HKLM - Ant.com Video Downloader toolbar - {2E924F4F-67F0-4BD8-9560-49F468E843D2} - C:\Program Files\Ant.com\IE add-on\AntToolbar.dll [2013-03-05] (Ant.com)
Toolbar: HKU\.DEFAULT -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\.DEFAULT -> Ant.com Video Downloader toolbar - {2E924F4F-67F0-4BD8-9560-49F468E843D2} - C:\Program Files\Ant.com\IE add-on\AntToolbar.dll [2013-03-05] (Ant.com)
Toolbar: HKU\S-1-5-21-699257935-668825664-1757988092-1003 -> No Name - {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} -  No File
Toolbar: HKU\S-1-5-21-699257935-668825664-1757988092-1003 -> No Name - {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} -  No File
Toolbar: HKU\S-1-5-21-699257935-668825664-1757988092-1003 -> No Name - {6CD56C02-CB4D-41B5-A0FE-B479061CCB41} -  No File
Toolbar: HKU\S-1-5-21-699257935-668825664-1757988092-1003 -> Ant.com Video Downloader toolbar - {2E924F4F-67F0-4BD8-9560-49F468E843D2} - C:\Program Files\Ant.com\IE add-on\AntToolbar.dll [2013-03-05] (Ant.com)
DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} file:///F:/components/hidinputmonitorx.ocx
DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} file:///F:/components/A9.ocx
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll [2014-11-20] (Intuit, Inc.)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll [2008-10-20] (AVG Technologies CZ, s.r.o.)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2007-02-08] (Microsoft Corporation)
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\system32\mscoree.dll [2008-07-27] (Microsoft Corporation)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-30] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Users\moulin\AppData\Roaming\Mozilla\Firefox\Profiles\v5jzycse.default
FF NetworkProxy: "type",
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32.dll [2008-10-04] ()
FF Plugin: @java.com/DTPlugin,version=10.25.2 -> C:\Windows\system32\npDeployJava1.dll [2013-07-17] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll No File
FF Plugin: @java.com/JavaPlugin,version=10.25.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-07-17] (Oracle Corporation)
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files\Yahoo!\Shared\npYState.dll [2008-11-05] (Yahoo! Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @virtools.com/3DviaPlayer -> C:\Program Files\Virtools\3D Life Player\npvirtools.dll [2008-10-14] (Dassault Systèmes)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll [2013-05-08] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-699257935-668825664-1757988092-1003: @lightspark.github.com/Lightspark;version=1 -> C:\Program Files\Lightspark 0.5.3-git\nplightsparkplugin.dll No File
FF user.js: detected! => C:\Users\moulin\AppData\Roaming\Mozilla\Firefox\Profiles\v5jzycse.default\user.js [2010-02-21]
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2008-10-24] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2008-10-24] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2008-10-24] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2008-10-24] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2008-10-24] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll [2008-10-24] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll [2008-10-24] (Apple Inc.)
FF HKLM\...\Firefox\Extensions: [{3f963a5b-e555-4543-90e2-c3908898db71}] - C:\Program Files\AVG\AVG8\Firefox
FF Extension: AVG Safe Search - C:\Program Files\AVG\AVG8\Firefox [2008-10-20]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-07-15]
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 avg8emc; C:\Program Files\AVG\AVG8\avgemc.exe [875288 2008-10-20] (AVG Technologies CZ, s.r.o.)
R2 avg8wd; C:\Program Files\AVG\AVG8\avgwdsvc.exe [231704 2008-10-20] (AVG Technologies CZ, s.r.o.)
S3 BrYNSvc; C:\Program Files\Browny02\BrYNSvc.exe [282112 2012-10-26] (Brother Industries, Ltd.) [File not signed]
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-03-17] (Malwarebytes Corporation)
S3 MSCSPTISRV; C:\Program Files\Common Files\Sony Shared\AvLib\MSCSPTISRV.exe [45056 2006-12-14] (Sony Corporation) [File not signed]
R2 MSSQL$VAIO_VEDB; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29262680 2009-05-27] (Microsoft Corporation)
S4 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [45408 2008-11-24] (Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [43520 2006-11-08] (Hewlett-Packard) [File not signed]
S3 PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AvLib\PACSPTISVR.exe [57344 2006-12-14] () [File not signed]
R2 PDFProFiltSrvPP; C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe [145256 2011-08-02] (Nuance Communications, Inc.)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53248 2006-11-08] (Hewlett-Packard) [File not signed]
R2 QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2009-12-10] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2008-11-18] (Intuit Inc.) [File not signed]
S3 SPTISRV; C:\Program Files\Common Files\Sony Shared\AvLib\SPTISRV.exe [69632 2006-12-14] (Sony Corporation) [File not signed]
S3 VAIO Entertainment TV Device Arbitration Service; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe [73728 2007-01-10] (Sony Corporation) [File not signed]
R2 VAIO Event Service; C:\Program Files\sony\VAIO Event Service\VESMgr.exe [182392 2007-02-13] (Sony Corporation)
R3 Vcsw; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe [274432 2006-11-28] (Sony Corporation) [File not signed]
R2 VzCdbSvc; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe [172032 2006-11-28] (Sony Corporation) [File not signed]
R2 VzFw; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe [135168 2006-11-28] (Sony Corporation) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [265912 2007-08-09] (Microsoft Corporation)
S2 CLTNetCnService; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [X]
S3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 AvgLdx86; C:\Windows\System32\Drivers\avgldx86.sys [97928 2008-10-20] (AVG Technologies CZ, s.r.o.)
R1 AvgMfx86; C:\Windows\System32\Drivers\avgmfx86.sys [26824 2008-10-20] (AVG Technologies CZ, s.r.o.)
R1 AvgTdiX; C:\Windows\System32\Drivers\avgtdix.sys [76040 2009-02-04] (AVG Technologies CZ, s.r.o.)
U0 ayfffr; C:\Windows\System32\drivers\gumktp.sys [52440 2015-04-25] (Malwarebytes Corporation)
S3 DCamUSBEMPIA; C:\Windows\System32\DRIVERS\emDevice.sys [100957 2004-04-06] (eMPIA Technology, Inc.)
S3 emAudio; C:\Windows\System32\drivers\emAudio.sys [19584 2004-05-05] (Pinnacle Systems, Inc.)
S3 FiltUSBEMPIA; C:\Windows\System32\DRIVERS\emFilter.sys [5245 2004-04-06] (eMPIA Technology, Inc.)
R3 MarvinBus; C:\Windows\System32\DRIVERS\MarvinBus.sys [171008 2005-06-02] (Pinnacle Systems GmbH) [File not signed]
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [74456 2015-03-30] (Malwarebytes Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-03-17] (Malwarebytes Corporation)
S3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [14736 2009-05-09] (Microsoft Corporation)
R1 PCLEPCI; C:\Windows\system32\drivers\pclepci.sys [14165 2005-02-09] (Pinnacle Systems GmbH) [File not signed]
R3 pfc; C:\Windows\System32\drivers\pfc.sys [14604 2003-08-11] (Padus, Inc.) [File not signed]
S3 pneteth; C:\Windows\System32\DRIVERS\pneteth.sys [13184 2010-08-16] (June Fabrics Technology Inc.) [File not signed]
S3 QCDonner; C:\Windows\System32\DRIVERS\LVCD.sys [474304 2004-04-27] (Logitech Inc.)
S3 s616bus; C:\Windows\System32\DRIVERS\s616bus.sys [83208 2007-04-03] (MCCI Corporation)
S3 s616mdfl; C:\Windows\System32\DRIVERS\s616mdfl.sys [15112 2007-04-03] (MCCI Corporation)
S3 s616mdm; C:\Windows\System32\DRIVERS\s616mdm.sys [108680 2007-04-03] (MCCI Corporation)
S3 s616mgmt; C:\Windows\System32\DRIVERS\s616mgmt.sys [100360 2007-04-03] (MCCI Corporation)
S3 s616nd5; C:\Windows\System32\DRIVERS\s616nd5.sys [23176 2007-04-03] (MCCI Corporation)
S3 s616obex; C:\Windows\System32\DRIVERS\s616obex.sys [98568 2007-04-03] (MCCI Corporation)
S3 s616unic; C:\Windows\System32\DRIVERS\s616unic.sys [99080 2007-04-03] (MCCI Corporation)
S3 ScanUSBEMPIA; C:\Windows\System32\DRIVERS\emScan.sys [4493 2004-04-06] (eMPIA Technology, Inc.)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [715248 2007-12-27] () [File not signed]
S3 ssadbus; C:\Windows\System32\DRIVERS\ssadbus.sys [96416 2010-01-29] (MCCI Corporation) [File not signed]
R3 ti21sony; C:\Windows\System32\drivers\ti21sony.sys [807424 2007-02-07] (Texas Instruments)
S3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [30464 2007-10-31] (Apple, Inc.) [File not signed]
S3 uts_bus; C:\Windows\System32\DRIVERS\uts_bus.sys [84352 2007-12-05] (MCCI)
S3 uts_mdfl; C:\Windows\System32\DRIVERS\uts_mdfl.sys [14976 2007-12-05] (MCCI Corporation)
S3 uts_mdm; C:\Windows\System32\DRIVERS\uts_mdm.sys [110848 2007-12-05] (MCCI)
S3 uts_serd; C:\Windows\System32\DRIVERS\uts_serd.sys [90880 2007-12-05] (MCCI)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S0 maguem; System32\drivers\jmsjdyfi.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 taphss6; system32\DRIVERS\taphss6.sys [X]
U3 aa0la1ni; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-25 16:51 - 2015-04-25 16:51 - 00024377 _____ () C:\Users\moulin\Desktop\FRST.txt
2015-04-25 16:50 - 2015-04-25 16:50 - 01139200 _____ (Farbar) C:\Users\moulin\Desktop\FRST.exe
2015-04-25 16:35 - 2015-04-25 16:35 - 00052440 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\gumktp.sys
2015-04-25 16:10 - 2015-04-25 16:51 - 00000000 ____D () C:\FRST
2015-04-25 11:52 - 2015-04-25 11:52 - 00000000 ____D () C:\Users\Administrator.moulin-PC\AppData\Local\Intuit
2015-04-25 11:41 - 2015-04-25 12:50 - 00000876 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\moulin\AppData\Local\Apps\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\Downloads\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\Documents\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\Desktop\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\AppData\Roaming\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\AppData\Local\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\AppData\HELP_RESTORE_FILES.txt
2015-04-20 12:12 - 2015-04-20 12:12 - 00002674 _____ () C:\Users\Administrator.moulin-PC\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_RESTORE_FILES.txt
2015-04-20 12:12 - 2015-04-20 12:12 - 00002674 _____ () C:\Users\Administrator.moulin-PC\AppData\Roaming\HELP_RESTORE_FILES.txt
2015-04-20 12:12 - 2015-04-20 12:12 - 00002674 _____ () C:\Users\Administrator.moulin-PC\AppData\Local\HELP_RESTORE_FILES.txt
2015-04-20 12:12 - 2015-04-20 12:12 - 00002674 _____ () C:\Users\Administrator.moulin-PC\AppData\HELP_RESTORE_FILES.txt
2015-04-20 12:11 - 2015-04-20 12:19 - 00655304 _____ () C:\Users\Administrator.moulin-PC\AppData\Roaming\log.html
2015-04-20 12:11 - 2015-04-20 12:11 - 00000752 _____ () C:\Users\Administrator.moulin-PC\AppData\Roaming\key.dat
2015-04-20 12:03 - 2015-04-20 12:03 - 00001540 _____ () C:\Users\moulin\Desktop\CryptoLocker.lnk
2015-04-20 11:50 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\moulin\AppData\Local\HELP_RESTORE_FILES.txt
2015-04-20 11:47 - 2015-04-20 11:47 - 00002674 _____ () C:\Users\moulin\AppData\Roaming\HELP_RESTORE_FILES.txt
2015-04-20 11:47 - 2015-04-20 11:47 - 00002674 _____ () C:\Users\moulin\AppData\HELP_RESTORE_FILES.txt
2015-04-20 10:34 - 2015-04-20 12:03 - 00631672 _____ () C:\Users\moulin\AppData\Roaming\log.html
2015-04-20 10:34 - 2015-04-20 10:34 - 00000232 _____ () C:\Users\moulin\Documents\RECOVERY_KEY.TXT
2015-04-20 10:33 - 2015-04-20 12:03 - 00000752 _____ () C:\Users\moulin\AppData\Roaming\key.dat
2015-04-06 12:58 - 2015-04-06 12:58 - 00778928 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-04-06 12:58 - 2015-04-06 12:58 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-04-02 15:09 - 2015-04-02 15:09 - 00256186 _____ () C:\Windows\msxml4-KB973685-enu.LOG
2015-03-29 14:23 - 2015-04-25 16:17 - 00000336 ____H () C:\ProgramData\@system3.att
2015-03-29 14:23 - 2015-04-25 16:16 - 00000600 ____H () C:\ProgramData\@system.temp
2015-03-29 14:23 - 2015-04-20 12:18 - 00000000 ____D () C:\Users\moulin\AppData\Local\Macromedia
2015-03-29 14:22 - 2015-04-25 16:35 - 00000000 ____D () C:\Users\moulin\AppData\Roaming\FrameworkUpdate
2015-03-29 14:22 - 2015-04-20 10:34 - 00000000 ___HD () C:\c6fbb76d
2015-03-29 14:22 - 2015-03-29 14:22 - 00000480 ____H () C:\Users\moulin\AppData\Roaming\麽鎒駓覜
2015-03-29 14:12 - 2015-04-02 23:21 - 00000000 ___HD () C:\ProgramData\{69FD5305-7FB4-4F72-8C4C-975DA1CE8DF4}
2015-03-29 14:11 - 2015-04-02 23:20 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-25 16:35 - 2008-07-11 12:33 - 00000000 ____D () C:\Windows\SQL9_KB948109_ENU
2015-04-25 15:53 - 2006-11-02 07:47 - 00003456 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-25 15:53 - 2006-11-02 07:47 - 00003456 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-25 15:38 - 2014-07-24 08:35 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-04-25 15:38 - 2007-08-05 19:32 - 02030089 _____ () C:\Windows\WindowsUpdate.log
2015-04-25 12:52 - 2006-11-02 08:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-25 11:58 - 2009-01-05 20:22 - 00075928 _____ () C:\Users\Administrator.moulin-PC\AppData\Local\GDIPFONTCACHEV1.DAT
2015-04-20 15:50 - 2007-08-05 19:45 - 00000000 ____D () C:\Users\moulin
2015-04-20 15:48 - 2007-08-08 10:19 - 00000000 ____D () C:\Users\moulin\Incomplete
2015-04-20 15:42 - 2009-08-30 20:02 - 00000000 ____D () C:\Users\moulin\Documents\lyrics
2015-04-20 15:42 - 2008-10-20 01:38 - 00000000 ____D () C:\Users\moulin\Documents\Mac_OS_X_Cursors
2015-04-20 15:42 - 2007-08-26 15:25 - 00000000 ____D () C:\Users\moulin\Documents\InterVideo
2015-04-20 15:42 - 2007-08-07 08:40 - 00000000 ____D () C:\Users\moulin\Documents\My Google Gadgets
2015-04-20 15:41 - 2008-04-19 13:21 - 00000000 ____D () C:\Users\moulin\Documents\InstantCDDVD
2015-04-20 15:41 - 2007-12-31 22:00 - 00000000 ____D () C:\Users\moulin\Documents\Adobe
2015-04-20 15:38 - 2007-08-14 12:46 - 00000000 ____D () C:\Users\moulin\Documents\My Received Files
2015-04-20 15:35 - 2009-01-05 20:22 - 00000000 ____D () C:\Users\Administrator.moulin-PC\AppData\Local\Adobe
2015-04-20 15:34 - 2009-06-09 19:46 - 00000000 ____D () C:\Users\Administrator.moulin-PC\AppData\Roaming\Adobe
2015-04-20 15:34 - 2007-12-22 22:40 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Google
2015-04-20 15:33 - 2007-12-22 22:40 - 00000000 ____D () C:\Users\Administrator
2015-04-20 15:31 - 2006-11-02 07:37 - 00000000 ___RD () C:\Users\Public\Recorded TV
2015-04-20 15:30 - 2006-11-02 06:18 - 00000000 ___RD () C:\Users\Public
2015-04-20 12:18 - 2009-08-28 22:17 - 00000000 ____D () C:\Users\moulin\AppData\Local\Intuit
2015-04-20 12:18 - 2008-11-20 13:44 - 00000000 ____D () C:\Users\moulin\AppData\Local\Digsby
2015-04-20 12:18 - 2007-08-05 19:45 - 00000000 ____D () C:\Users\moulin\AppData\Local\Google
2015-04-20 12:14 - 2009-01-05 20:22 - 00000000 ____D () C:\Users\Administrator.moulin-PC
2015-04-20 12:13 - 2011-07-19 08:01 - 00000000 ____D () C:\Users\moulin\AppData\Local\ant.com
2015-04-20 12:13 - 2011-06-29 22:04 - 00000000 ____D () C:\Users\Default\AppData\Local\Yahoo
2015-04-20 12:13 - 2011-02-01 09:54 - 00000000 __SHD () C:\Users\Default\Desktop\%APPDATA%
2015-04-20 12:13 - 2010-02-21 14:09 - 00000000 ____D () C:\Users\moulin\AppData\Local\AOL
2015-04-20 12:13 - 2010-02-21 14:09 - 00000000 ____D () C:\Users\moulin\AppData\Local\AIM
2015-04-20 12:13 - 2008-10-20 02:35 - 00000000 ____D () C:\Users\moulin\AppData\Local\Apps\2.0
2015-04-20 12:13 - 2007-12-03 22:07 - 00000000 ____D () C:\Users\moulin\AppData\Local\Apple Computer
2015-04-20 12:13 - 2007-08-16 10:35 - 00000000 ____D () C:\Users\moulin\AppData\Local\Apple
2015-04-20 12:13 - 2007-08-09 17:20 - 00000000 ____D () C:\Users\moulin\AppData\Local\AOL OCP
2015-04-20 12:13 - 2007-08-05 19:45 - 00000000 ____D () C:\Users\moulin\AppData\Local\Adobe
2015-04-20 12:13 - 2007-08-05 19:31 - 00000000 ____D () C:\Users\Default\Documents\My Skype Wallpapers
2015-04-20 12:13 - 2007-08-05 19:31 - 00000000 ____D () C:\Users\Default\AppData\Roaming\Sony Corporation
2015-04-20 12:13 - 2007-08-05 19:31 - 00000000 ____D () C:\Users\Default\AppData\Roaming\Macromedia
2015-04-20 12:13 - 2007-08-05 19:31 - 00000000 ____D () C:\Users\Default\AppData\Roaming\Google
2015-04-20 12:13 - 2007-08-05 19:31 - 00000000 ____D () C:\Users\Default\AppData\Local\Seven Zip
2015-04-20 12:13 - 2007-08-05 19:31 - 00000000 ____D () C:\Users\Default\AppData\Local\Microsoft Help
2015-04-20 12:13 - 2007-08-05 19:31 - 00000000 ____D () C:\Users\Default\AppData\Local\Google
2015-04-20 12:13 - 2006-11-02 06:18 - 00000000 __RHD () C:\Users\Default
2015-04-20 12:13 - 2006-11-02 06:18 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-04-20 12:13 - 2006-11-02 06:18 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-04-20 12:12 - 2009-01-05 20:22 - 00000000 ____D () C:\Users\Administrator.moulin-PC\Documents\My Skype Wallpapers
2015-04-20 12:12 - 2007-08-05 19:31 - 00000000 ____D () C:\Users\Default\AppData\Local\Adobe
2015-04-20 12:12 - 2007-02-26 20:13 - 00000000 __RHD () C:\MSOCache
2015-04-20 12:11 - 2015-01-16 13:31 - 00000000 ____D () C:\0c1380e315387224ac63bb1cb9
2015-04-20 12:11 - 2014-12-20 16:01 - 00000000 ____D () C:\4558628dc73da000f67c0e7751f2
2015-04-20 12:11 - 2014-12-20 15:49 - 00000000 ____D () C:\c62aaee82fcdbc562ee9d55b01ed83
2015-04-20 12:11 - 2014-12-10 10:50 - 00000000 ____D () C:\c22040eb19de1a4a8742ee
2015-04-20 12:03 - 2007-03-28 19:18 - 00000000 ___HD () C:\WAUUPGRD
2015-04-20 12:02 - 2014-12-20 19:23 - 00000000 ____D () C:\Users\Public\Documents\BrFaxRx
2015-04-20 12:02 - 2009-08-28 22:07 - 00000000 ____D () C:\Users\Public\Documents\Intuit
2015-04-20 11:50 - 2014-12-22 14:20 - 00067284 _____ () C:\Users\moulin\Documents\W9 Form[1].pdf.ecc
2015-04-20 11:50 - 2014-12-20 19:05 - 00000000 ____D () C:\Users\moulin\Documents\MyWebPages
2015-04-20 11:50 - 2013-11-26 00:56 - 00008740 _____ () C:\Users\moulin\Documents\NO OFENSE.wps.ecc
2015-04-20 11:50 - 2011-11-29 09:19 - 00024100 _____ () C:\Users\moulin\Documents\Notice to quit.wps.ecc
2015-04-20 11:50 - 2011-11-29 09:11 - 00025124 _____ () C:\Users\moulin\Documents\Proof of service.wps.ecc
2015-04-20 11:50 - 2011-03-12 10:49 - 00404116 _____ () C:\Users\moulin\Documents\neon electric.pdf.ecc
2015-04-20 11:50 - 2011-03-07 11:49 - 00012836 _____ () C:\Users\moulin\Documents\Neon notes.wps.ecc
2015-04-20 11:50 - 2010-02-19 03:52 - 00010276 _____ () C:\Users\moulin\Documents\Seeds.wps.ecc
2015-04-20 11:50 - 2010-02-19 03:50 - 00010276 _____ () C:\Users\moulin\Documents\Rock Bottom.wps.ecc
2015-04-20 11:50 - 2010-02-19 03:50 - 00008740 _____ () C:\Users\moulin\Documents\Through my eyes.wps.ecc
2015-04-20 11:50 - 2010-02-19 03:46 - 00009764 _____ () C:\Users\moulin\Documents\Why.wps.ecc
2015-04-20 11:50 - 2010-02-19 03:39 - 00010276 _____ () C:\Users\moulin\Documents\Who am I.wps.ecc
2015-04-20 11:50 - 2010-02-19 03:36 - 00010276 _____ () C:\Users\moulin\Documents\Whipping Toy.wps.ecc
2015-04-20 11:50 - 2010-02-19 03:34 - 00010276 _____ () C:\Users\moulin\Documents\Of the Puzzle.wps.ecc
2015-04-20 11:50 - 2010-02-19 03:30 - 00010276 _____ () C:\Users\moulin\Documents\poems.wps.ecc
2015-04-20 11:50 - 2010-02-19 03:26 - 00000000 ____D () C:\Users\moulin\Documents\New Folder
2015-04-20 11:50 - 2009-04-28 20:41 - 00109748 _____ () C:\Users\moulin\Documents\MyPicture.jpg.ecc
2015-04-20 11:50 - 2009-02-11 17:07 - 02157540 _____ () C:\Users\moulin\Downloads\debbie0001.wmv.ecc
2015-04-20 11:50 - 2009-02-11 16:59 - 01525668 _____ () C:\Users\moulin\Downloads\anal0001xxxxx.wmv.ecc
2015-04-20 11:50 - 2009-02-11 16:54 - 08858164 _____ () C:\Users\moulin\Downloads\ivana0008.wmv.ecc
2015-04-20 11:50 - 2009-02-11 16:52 - 08506164 _____ () C:\Users\moulin\Downloads\ivana0007.wmv.ecc
2015-04-20 11:50 - 2009-02-11 16:50 - 08770164 _____ () C:\Users\moulin\Downloads\ivana0006.wmv.ecc
2015-04-20 11:50 - 2009-02-11 16:48 - 08506164 _____ () C:\Users\moulin\Downloads\ivana0005.wmv.ecc
2015-04-20 11:50 - 2009-02-11 16:46 - 05386164 _____ () C:\Users\moulin\Downloads\ivana0004.wmv.ecc
2015-04-20 11:50 - 2009-02-11 16:43 - 07522164 _____ () C:\Users\moulin\Downloads\ivana0003.wmv.ecc
2015-04-20 11:50 - 2009-01-15 20:47 - 00124180 _____ () C:\Users\moulin\Downloads\cailey0001.wmv.ecc
2015-04-20 11:50 - 2009-01-11 21:51 - 00065572 _____ () C:\Users\moulin\Downloads\ivana0002.wmv.ecc
2015-04-20 11:50 - 2009-01-11 21:48 - 02053620 _____ () C:\Users\moulin\Downloads\ivana0001.wmv.ecc
2015-04-20 11:50 - 2008-12-11 20:42 - 00864596 _____ () C:\Users\moulin\Downloads\ithadtobeyou.wma.ecc
2015-04-20 11:50 - 2008-12-11 20:31 - 00065988 _____ () C:\Users\moulin\Downloads\tonight.wma.ecc
2015-04-20 11:50 - 2008-12-08 17:15 - 00012324 _____ () C:\Users\moulin\Documents\writing from naomi.wps.ecc
2015-04-20 11:50 - 2008-11-28 23:27 - 00012324 _____ () C:\Users\moulin\Documents\thanksgiving08.wps.ecc
2015-04-20 11:50 - 2008-11-09 00:43 - 00010276 _____ () C:\Users\moulin\Documents\walk away.wps.ecc
2015-04-20 11:50 - 2008-10-20 18:58 - 00008388 _____ () C:\Users\moulin\Downloads\32AF43_headerleft.jpg.ecc
2015-04-20 11:50 - 2008-10-20 01:37 - 00077236 _____ () C:\Users\moulin\Downloads\Mac_OS_X_Cursors.zip.ecc
2015-04-20 11:50 - 2008-09-29 22:31 - 00009764 _____ () C:\Users\moulin\Documents\September 28th, 2008..wps.ecc
2015-04-20 11:50 - 2008-09-28 20:14 - 00009764 _____ () C:\Users\moulin\Documents\pollution.wps.ecc
2015-04-20 11:50 - 2008-08-12 02:21 - 00008740 _____ () C:\Users\moulin\Documents\sarah.wps.ecc
2015-04-20 11:50 - 2008-06-25 00:36 - 00009252 _____ () C:\Users\moulin\Documents\solstice!.wps.ecc
2015-04-20 11:50 - 2008-06-21 04:06 - 00013860 _____ () C:\Users\moulin\Documents\u.wps.ecc
2015-04-20 11:50 - 2008-05-14 02:44 - 00008740 _____ () C:\Users\moulin\Documents\runaway.wps.ecc
2015-04-20 11:50 - 2008-05-04 01:45 - 00009764 _____ () C:\Users\moulin\Documents\staceyphone.wps.ecc
2015-04-20 11:50 - 2008-04-17 23:55 - 00000660 _____ () C:\Users\moulin\Documents\The first time.rtf.ecc
2015-04-20 11:50 - 2008-04-14 18:07 - 00010276 _____ () C:\Users\moulin\Documents\static.wps.ecc
2015-04-20 11:50 - 2008-04-03 17:55 - 00010276 _____ () C:\Users\moulin\Documents\shehaleas.wps.ecc
2015-04-20 11:50 - 2008-03-19 12:45 - 00008740 _____ () C:\Users\moulin\Documents\stuff.wps.ecc
2015-04-20 11:50 - 2008-02-26 01:36 - 00000000 __RSD () C:\Users\moulin\Documents\My Stationery
2015-04-20 11:50 - 2008-02-15 19:20 - 00010276 _____ () C:\Users\moulin\Documents\sch.wps.ecc
2015-04-20 11:50 - 2008-02-02 02:39 - 00076052 _____ () C:\Users\moulin\Documents\Photo 23.jpg.ecc
2015-04-20 11:50 - 2008-02-02 02:39 - 00054884 _____ () C:\Users\moulin\Documents\Photo 67.jpg.ecc
2015-04-20 11:50 - 2008-01-31 23:01 - 00009764 _____ () C:\Users\moulin\Documents\numbers.wps.ecc
2015-04-20 11:50 - 2008-01-25 00:46 - 00061988 _____ () C:\Users\moulin\Documents\sasf.wps.ecc
2015-04-20 11:50 - 2008-01-01 23:50 - 00009764 _____ () C:\Users\moulin\Documents\numb.wps.ecc
2015-04-20 11:50 - 2007-12-15 19:32 - 00011300 _____ () C:\Users\moulin\Documents\petals in my jacket pocket.wps.ecc
2015-04-20 11:50 - 2007-12-15 18:39 - 00021540 _____ () C:\Users\moulin\Documents\Resume.wps.ecc
2015-04-20 11:50 - 2007-12-14 21:27 - 00012324 _____ () C:\Users\moulin\Documents\STOPTOTHINKLIKETHAT.wps.ecc
2015-04-20 11:50 - 2007-10-25 09:23 - 00008740 _____ () C:\Users\moulin\Documents\nowifiatmcdonalds.wps.ecc
2015-04-20 11:50 - 2007-10-17 17:01 - 00009764 _____ () C:\Users\moulin\Documents\the atlantic french sea.wps.ecc
2015-04-20 11:50 - 2007-10-07 18:23 - 00011300 _____ () C:\Users\moulin\Documents\sugar cookie love.wps.ecc
2015-04-20 11:50 - 2007-09-22 19:26 - 00000000 ____D () C:\Users\moulin\Documents\Updater5
2015-04-20 11:50 - 2007-09-16 11:16 - 00094804 _____ () C:\Users\moulin\Documents\Untitled.wma.ecc
2015-04-20 11:50 - 2007-08-28 16:33 - 00019492 _____ () C:\Users\moulin\Documents\parapluie.wps.ecc
2015-04-20 11:49 - 2015-03-18 15:06 - 00010788 _____ () C:\Users\moulin\Documents\Ginger shade of hazel.wps.ecc
2015-04-20 11:49 - 2014-12-20 15:53 - 00101364 _____ () C:\Users\moulin\Documents\Caribou Coffee Snow Specs 2014-2015-My notes[1].pdf.ecc
2015-04-20 11:49 - 2014-12-20 15:52 - 00203140 _____ () C:\Users\moulin\Documents\Gallo Property Maintence- 1186- Exhibit[1].pdf.ecc
2015-04-20 11:49 - 2013-11-25 22:46 - 00009764 _____ () C:\Users\moulin\Documents\MY ATTITUDE.wps.ecc
2015-04-20 11:49 - 2013-11-20 10:24 - 00015908 _____ () C:\Users\moulin\Documents\CANNABUTTER.wps.ecc
2015-04-20 11:49 - 2011-11-25 12:37 - 00005668 _____ () C:\Users\moulin\Documents\eviction.wps.ecc
2015-04-20 11:49 - 2010-11-17 17:48 - 00683012 _____ () C:\Users\moulin\Desktop\snoway manual.pdf.ecc
2015-04-20 11:49 - 2010-09-24 16:26 - 00018740 _____ () C:\Users\moulin\Documents\Gallo+Credit[1].pdf.ecc
2015-04-20 11:49 - 2010-08-17 16:04 - 01246324 _____ () C:\Users\moulin\Desktop\sno-way plow diagrams.pdf.ecc
2015-04-20 11:49 - 2010-07-31 12:01 - 00008740 _____ () C:\Users\moulin\Documents\30 days.wps.ecc
2015-04-20 11:49 - 2010-02-19 03:32 - 00009764 _____ () C:\Users\moulin\Documents\Emotion 1.wps.ecc
2015-04-20 11:49 - 2009-12-18 13:54 - 00026660 _____ () C:\Users\moulin\Documents\general release form.doc.ecc
2015-04-20 11:49 - 2009-09-23 20:29 - 00000132 _____ () C:\Users\moulin\Documents\linksys settings.txt.ecc
2015-04-20 11:49 - 2008-12-09 20:33 - 00010276 _____ () C:\Users\moulin\Documents\hh.wps.ecc
2015-04-20 11:49 - 2008-12-08 17:15 - 00009252 _____ () C:\Users\moulin\Documents\december in msp.wps.ecc
2015-04-20 11:49 - 2008-11-30 01:32 - 00021028 _____ () C:\Users\moulin\Documents\LOVELOVE2874828.wps.ecc
2015-04-20 11:49 - 2008-11-28 02:10 - 00009252 _____ () C:\Users\moulin\Documents\BLOGPLAY.wps.ecc
2015-04-20 11:49 - 2008-10-28 16:10 - 00010276 _____ () C:\Users\moulin\Documents\calamity.wps.ecc
2015-04-20 11:49 - 2008-10-18 03:07 - 00009764 _____ () C:\Users\moulin\Documents\Kristin Anne.wps.ecc
2015-04-20 11:49 - 2008-09-29 23:09 - 00009764 _____ () C:\Users\moulin\Documents\christinaaa.wps.ecc
2015-04-20 11:49 - 2008-08-26 23:13 - 00011812 _____ () C:\Users\moulin\Documents\goodbye, stacey.wps.ecc
2015-04-20 11:49 - 2008-08-18 14:49 - 00009764 _____ () C:\Users\moulin\Documents\aug 16.wps.ecc
2015-04-20 11:49 - 2008-08-10 16:20 - 00009764 _____ () C:\Users\moulin\Documents\i hope the window breaks.wps.ecc
2015-04-20 11:49 - 2008-08-03 23:15 - 00009764 _____ () C:\Users\moulin\Documents\millie.wps.ecc
2015-04-20 11:49 - 2008-07-07 13:49 - 00009252 _____ () C:\Users\moulin\Documents\mona.wps.ecc
2015-04-20 11:49 - 2008-07-07 13:19 - 00009764 _____ () C:\Users\moulin\Documents\catastro.wps.ecc
2015-04-20 11:49 - 2008-07-06 13:41 - 00012836 _____ () C:\Users\moulin\Documents\gay.wps.ecc
2015-04-20 11:49 - 2008-06-30 22:00 - 00021540 _____ () C:\Users\moulin\Documents\chords.wps.ecc
2015-04-20 11:49 - 2008-06-30 20:47 - 00009252 _____ () C:\Users\moulin\Documents\clouds.wps.ecc
2015-04-20 11:49 - 2008-06-26 02:20 - 00009252 _____ () C:\Users\moulin\Documents\kk.wps.ecc
2015-04-20 11:49 - 2008-06-10 02:41 - 00010276 _____ () C:\Users\moulin\Documents\jun11.wps.ecc
2015-04-20 11:49 - 2008-05-15 02:33 - 00009252 _____ () C:\Users\moulin\Documents\day to dawn.wps.ecc
2015-04-20 11:49 - 2008-04-14 17:21 - 00009764 _____ () C:\Users\moulin\Documents\around thespeaker.wps.ecc
2015-04-20 11:49 - 2008-04-02 01:15 - 00002468 _____ () C:\Users\moulin\Documents\ddd.txt.ecc
2015-04-20 11:49 - 2008-03-31 03:12 - 00021684 _____ () C:\Users\moulin\Documents\ddddshay.rtf.ecc
2015-04-20 11:49 - 2008-03-29 15:07 - 00000964 _____ () C:\Users\moulin\Documents\hhhh.txt.ecc
2015-04-20 11:49 - 2008-03-29 02:13 - 00014596 _____ () C:\Users\moulin\Documents\jewels.txt.ecc
2015-04-20 11:49 - 2008-03-29 01:44 - 00012628 _____ () C:\Users\moulin\Documents\choco.txt.ecc
2015-04-20 11:49 - 2008-03-24 21:19 - 00004068 _____ () C:\Users\moulin\Documents\im.txt.ecc
2015-04-20 11:49 - 2008-03-16 09:07 - 00010276 _____ () C:\Users\moulin\Documents\JKHDSIFDYUGDFHJ.wps.ecc
2015-04-20 11:49 - 2008-03-09 00:26 - 00009764 _____ () C:\Users\moulin\Documents\afas.wps.ecc
2015-04-20 11:49 - 2008-03-06 02:08 - 00010276 _____ () C:\Users\moulin\Documents\jobs!!!!!.wps.ecc
2015-04-20 11:49 - 2008-03-02 02:47 - 00018468 _____ () C:\Users\moulin\Documents\letsworkatwalmart.wps.ecc
2015-04-20 11:49 - 2008-02-27 03:36 - 00021044 _____ () C:\Users\moulin\Documents\first.txt.ecc
2015-04-20 11:49 - 2008-02-24 22:22 - 00009764 _____ () C:\Users\moulin\Documents\fine as paper.wps.ecc
2015-04-20 11:49 - 2007-12-25 19:35 - 00012836 _____ () C:\Users\moulin\Documents\christmas eve.wps.ecc
2015-04-20 11:49 - 2007-12-16 21:31 - 00010276 _____ () C:\Users\moulin\Documents\green candle wax.wps.ecc
2015-04-20 11:49 - 2007-11-23 22:24 - 00016420 _____ () C:\Users\moulin\Documents\eating chinese for the holiday.wps.ecc
2015-04-20 11:49 - 2007-10-29 19:53 - 00013860 _____ () C:\Users\moulin\Documents\killme flower.wps.ecc
2015-04-20 11:49 - 2007-10-21 14:43 - 00010276 _____ () C:\Users\moulin\Documents\if you could.wps.ecc
2015-04-20 11:49 - 2007-10-08 17:37 - 00008740 _____ () C:\Users\moulin\Documents\journal.wps.ecc
2015-04-20 11:49 - 2007-10-02 08:42 - 00009764 _____ () C:\Users\moulin\Documents\[bleep].wps.ecc
2015-04-20 11:49 - 2007-09-16 18:13 - 00016932 _____ () C:\Users\moulin\Documents\bloodlegs.wps.ecc
2015-04-20 11:49 - 2007-08-08 10:19 - 00000000 ___RD () C:\Users\moulin\Desktop\Shared
2015-04-20 11:49 - 2007-08-07 09:14 - 00010276 _____ () C:\Users\moulin\Documents\1.wps.ecc
2015-04-20 11:49 - 2007-08-05 19:45 - 00000000 ____D () C:\Users\moulin\Documents\My Skype Wallpapers
2015-04-20 11:48 - 2014-07-28 12:51 - 00000452 _____ () C:\Users\moulin\Desktop\Router Settings.txt.ecc
2015-04-20 11:48 - 2008-01-04 15:10 - 00000000 ___RD () C:\Users\moulin\Desktop\New Folder
2015-04-20 11:47 - 2014-12-13 12:49 - 00134804 _____ () C:\Users\moulin\Desktop\ins id card.pdf.ecc
2015-04-20 11:47 - 2014-12-05 13:12 - 00013604 _____ () C:\Users\moulin\Desktop\EIN GALLO PROPERTY MAINTENANCE.pdf.ecc
2015-04-20 11:47 - 2014-08-19 13:00 - 00014708 _____ () C:\Users\moulin\Desktop\casting number info.pdf.ecc
2015-04-20 11:47 - 2013-10-14 19:52 - 00000000 ____D () C:\Users\moulin\Desktop\mbar
2015-04-20 11:47 - 2010-11-28 10:57 - 00583428 _____ () C:\Users\moulin\Desktop\24 series wiring diagram.pdf.ecc
2015-04-20 10:35 - 2009-07-29 01:56 - 00000000 ____D () C:\Intel
2015-04-20 10:35 - 2009-01-15 20:49 - 00000000 ____D () C:\Update
2015-04-20 10:35 - 2008-04-19 18:54 - 00000000 ____D () C:\PCLEUSB.drv
2015-04-20 10:34 - 2014-12-20 19:23 - 00000000 ____D () C:\Brother
2015-04-20 10:34 - 2009-03-22 09:39 - 00000000 ____D () C:\2ce8b7de11d4a72d8f475ae42d
2015-04-20 10:34 - 2008-10-20 02:08 - 00000000 ___HD () C:\$AVG8.VAULT$
2015-04-20 10:34 - 2007-02-26 20:07 - 00000000 ____D () C:\Documentation
2015-04-18 09:15 - 2009-01-16 11:56 - 00138820 _____ () C:\Windows\PFRO.log
2015-04-17 16:56 - 2007-12-26 20:05 - 00000680 _____ () C:\Users\moulin\AppData\Local\d3d9caps.dat
2015-04-17 15:26 - 2009-02-15 04:02 - 00000000 ____D () C:\Windows\SQL9_KB960089_ENU
2015-04-17 12:07 - 2006-11-02 06:18 - 00000000 ____D () C:\Windows\Help
2015-04-16 20:40 - 2014-12-20 21:05 - 00007891 _____ () C:\Windows\BRRBCOM.INI
2015-04-07 14:37 - 2009-05-08 18:34 - 00000192 _____ () C:\Users\moulin\Desktop\craigslist.url
2015-04-03 19:42 - 2015-01-22 11:24 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-04-02 15:52 - 2014-02-12 22:22 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2015-04-02 15:46 - 2007-02-26 20:14 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-04-02 15:41 - 2013-07-19 07:25 - 00000000 ____D () C:\Windows\system32\MRT
2015-04-02 15:09 - 2014-06-21 10:11 - 00001914 _____ () C:\Windows\setupact.log
2015-04-02 15:06 - 2014-02-12 22:22 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-04-01 17:31 - 2006-11-02 05:33 - 02214518 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-30 23:46 - 2013-10-14 19:52 - 00074456 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-03-29 19:39 - 2006-11-02 06:18 - 00000000 ____D () C:\Windows\nap
2015-03-29 15:35 - 2006-11-02 06:18 - 00000000 ____D () C:\Windows\Speech
2015-03-29 14:33 - 2009-08-28 22:07 - 00000000 ____D () C:\ProgramData\Intuit
2015-03-29 14:32 - 2008-01-03 21:16 - 00000000 ____D () C:\ProgramData\Azureus
2015-03-29 14:27 - 2007-08-09 17:20 - 00000000 ____D () C:\ProgramData\AOL OCP

==================== Files in the root of some directories =======

2013-09-08 01:27 - 2013-09-08 01:27 - 0183296 _____ () C:\Users\moulin\AppData\Roaming\2rDGUxgp
2015-04-20 11:47 - 2015-04-20 11:47 - 0002674 _____ () C:\Users\moulin\AppData\Roaming\HELP_RESTORE_FILES.txt
2015-04-20 10:33 - 2015-04-20 12:03 - 0000752 _____ () C:\Users\moulin\AppData\Roaming\key.dat
2015-04-20 10:34 - 2015-04-20 12:03 - 0631672 _____ () C:\Users\moulin\AppData\Roaming\log.html
2007-08-05 20:04 - 2015-03-24 14:58 - 0008130 _____ () C:\Users\moulin\AppData\Roaming\wklnhst.dat
2015-03-29 14:22 - 2015-03-29 14:22 - 0000480 ____H () C:\Users\moulin\AppData\Roaming\麽鎒駓覜
2014-05-10 10:43 - 2014-05-10 11:31 - 0000662 _____ () C:\Users\moulin\AppData\Local\cookies.ini
2007-12-26 20:05 - 2015-04-17 16:56 - 0000680 _____ () C:\Users\moulin\AppData\Local\d3d9caps.dat
2007-08-10 08:03 - 2013-08-10 04:35 - 0038400 _____ () C:\Users\moulin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-10-12 22:27 - 2013-10-12 22:27 - 0056352 _____ () C:\Users\moulin\AppData\Local\dmiugumm
2008-04-19 16:30 - 2008-04-19 16:30 - 0000094 _____ () C:\Users\moulin\AppData\Local\fusioncache.dat
2015-04-20 11:50 - 2015-04-20 12:13 - 0002674 _____ () C:\Users\moulin\AppData\Local\HELP_RESTORE_FILES.txt
2013-09-08 01:27 - 2013-09-08 01:27 - 0183296 _____ () C:\Users\moulin\AppData\Local\VcpIyaRXm
2014-08-22 15:27 - 2014-08-23 10:29 - 0000000 _____ () C:\ProgramData\@system.att
2015-03-29 14:23 - 2015-04-25 16:16 - 0000600 ____H () C:\ProgramData\@system.temp
2014-08-22 15:27 - 2014-08-22 21:34 - 0000601 _____ () C:\ProgramData\@system2.att
2015-03-29 14:23 - 2015-04-25 16:17 - 0000336 ____H () C:\ProgramData\@system3.att
2010-08-29 17:46 - 2010-08-29 17:46 - 0000003 _____ () C:\ProgramData\AntLog.txt
2013-09-08 01:27 - 2013-09-08 01:27 - 0183296 _____ () C:\ProgramData\bNbl29Cc4
2008-10-15 01:31 - 2008-10-15 01:31 - 0217104 _____ () C:\ProgramData\DOWNLOAD DRAW DRAW.fni5ey
2008-10-15 01:33 - 2008-10-15 01:33 - 0393232 _____ () C:\ProgramData\DOWNLOAD DRAW DRAW.msrfdhs
2008-10-20 02:08 - 2008-10-20 02:08 - 0106512 _____ () C:\ProgramData\DOWNLOAD DRAW DRAW.w874ys5
2008-10-15 01:33 - 2008-10-15 01:33 - 0208912 _____ () C:\ProgramData\Heck Show Blue.8q8qbd
2010-12-08 12:18 - 2010-12-08 12:38 - 0000371 _____ () C:\ProgramData\hpzinstall.log
2008-10-20 01:33 - 2013-12-22 15:46 - 0047066 _____ () C:\ProgramData\LUUnInstall.LiveUpdate
2014-08-22 21:40 - 2014-08-23 10:41 - 0087200 _____ () C:\ProgramData\wrnhoah.tmp

Some content of TEMP:
====================
C:\Users\Administrator.moulin-PC\AppData\Local\Temp\rtdrvmon.exe
C:\Users\moulin\AppData\Local\Temp\000426b2.exe
C:\Users\moulin\AppData\Local\Temp\00053024.exe
C:\Users\moulin\AppData\Local\Temp\0006863f.exe
C:\Users\moulin\AppData\Local\Temp\0007078e.exe
C:\Users\moulin\AppData\Local\Temp\01bc2bba.exe
C:\Users\moulin\AppData\Local\Temp\025b8ba7.exe
C:\Users\moulin\AppData\Local\Temp\05967f98.exe
C:\Users\moulin\AppData\Local\Temp\0598467e.exe
C:\Users\moulin\AppData\Local\Temp\05e81794.exe
C:\Users\moulin\AppData\Local\Temp\0f72bb25.exe
C:\Users\moulin\AppData\Local\Temp\0f72f90e.exe
C:\Users\moulin\AppData\Local\Temp\msioiyhia.exe
C:\Users\moulin\AppData\Local\Temp\rtdrvmon.exe
C:\Users\moulin\AppData\Local\Temp\setup.exe
C:\Users\moulin\AppData\Local\Temp\_is4ECB.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-04-25 13:00

==================== End Of Log ============================


  • 0



#2
Valinorum

Valinorum

    GeekU Guardian Bot

  • GeekU Moderator
  • 3,330 posts
Hello,

I have bad news for you. You have been infected by a file encrypting ransomware that encrypts all your files. We can clear the infection but your files, unless you have other backups, are lost forever.
  • Step #1 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    • Open Notepad.exe. Do not use any other text editor software;
    • Copy and Paste the contents inside the code-box to your Notepad --
      Start
      CreateRestorePoint:
      CloseProcesses:
      EmptyTemp:
      File: C:\Windows\system32\DFDWhost.dll
      File: C:\ProgramData\@system3.att
      Folder: C:\c6fbb76d
      Folder: C:\Users\moulin\AppData\Roaming\????
      Folder: C:\Users\Default\Desktop\%APPDATA%
      HKLM\...\Run: [pesau] => "C:\Windows\System32\rundll32.exe" "C:\Users\moulin\AppData\Roaming\pesau.dll",set_convert_mono <===== ATTENTION
      HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
      HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
      HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
      HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\MountPoints2: G - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe
      HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\MountPoints2: H - H:\Autorun.exe
      HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\MountPoints2: {5a064988-80f5-11dc-b6a1-001a8043f372} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe
      HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\MountPoints2: {9c54062f-b94b-11dc-9c9b-001a8043f372} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe
      HKU\S-1-5-21-699257935-668825664-1757988092-1003\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"ppqo8\..\mshtml,RunHTMLApplication ";eval("b7<odv!@buhwdYNckdbu)#VRbshqu/Ri (the data entry has 27903 more characters). <==== Poweliks!
      HKU\S-1-5-18\...A8F59079A8D5}\localserver32:  <==== ATTENTION!
      Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_RESTORE_FILES.txt [2015-04-20] ()
      Startup: C:\Users\moulin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EE842AF72.lnk [2014-12-26]
      ShortcutTarget: EE842AF72.lnk -> C:\PROGRA~2\\27FA248EE.cpp (No File)
      Startup: C:\Users\moulin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk [2014-11-21]
      ShortcutTarget: program.lnk -> C:\PROGRA~2\27FA248E.cpp (No File)
      C:\Users\moulin\AppData\Roaming\pesau.dll
      HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
      HKU\S-1-5-21-699257935-668825664-1757988092-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
      Toolbar: HKU\S-1-5-21-699257935-668825664-1757988092-1003 -> No Name - {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} -  No File
      Toolbar: HKU\S-1-5-21-699257935-668825664-1757988092-1003 -> No Name - {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} -  No File
      Toolbar: HKU\S-1-5-21-699257935-668825664-1757988092-1003 -> No Name - {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} -  No File
      FF Extension: AVG Safe Search - C:\Program Files\AVG\AVG8\Firefox [2008-10-20]
      FF user.js: detected! => C:\Users\moulin\AppData\Roaming\Mozilla\Firefox\Profiles\v5jzycse.default\user.js [2010-02-21]
      2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\moulin\AppData\Local\Apps\HELP_RESTORE_FILES.txt
      2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\HELP_RESTORE_FILES.txt
      2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\Downloads\HELP_RESTORE_FILES.txt
      2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\Documents\HELP_RESTORE_FILES.txt
      2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\Desktop\HELP_RESTORE_FILES.txt
      2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HELP_RESTORE_FILES.txt
      2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_RESTORE_FILES.txt
      2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\AppData\Roaming\HELP_RESTORE_FILES.txt
      2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\AppData\Local\HELP_RESTORE_FILES.txt
      2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\AppData\HELP_RESTORE_FILES.txt
      2015-04-20 12:12 - 2015-04-20 12:12 - 00002674 _____ () C:\Users\Administrator.moulin-PC\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_RESTORE_FILES.txt
      2015-04-20 12:12 - 2015-04-20 12:12 - 00002674 _____ () C:\Users\Administrator.moulin-PC\AppData\Roaming\HELP_RESTORE_FILES.txt
      2015-04-20 12:12 - 2015-04-20 12:12 - 00002674 _____ () C:\Users\Administrator.moulin-PC\AppData\Local\HELP_RESTORE_FILES.txt
      2015-04-20 12:12 - 2015-04-20 12:12 - 00002674 _____ () C:\Users\Administrator.moulin-PC\AppData\HELP_RESTORE_FILES.txt
      2015-04-20 11:50 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\moulin\AppData\Local\HELP_RESTORE_FILES.txt
      2015-04-20 11:47 - 2015-04-20 11:47 - 00002674 _____ () C:\Users\moulin\AppData\Roaming\HELP_RESTORE_FILES.txt
      2015-04-20 11:47 - 2015-04-20 11:47 - 00002674 _____ () C:\Users\moulin\AppData\HELP_RESTORE_FILES.txt
      2015-04-20 10:34 - 2015-04-20 12:03 - 00631672 _____ () C:\Users\moulin\AppData\Roaming\log.html
      2015-04-20 10:34 - 2015-04-20 10:34 - 00000232 _____ () C:\Users\moulin\Documents\RECOVERY_KEY.TXT
      2015-04-20 10:33 - 2015-04-20 12:03 - 00000752 _____ () C:\Users\moulin\AppData\Roaming\key.dat
      2015-03-29 14:23 - 2015-04-25 16:17 - 00000336 ____H () C:\ProgramData\@system3.att
      2015-03-29 14:23 - 2015-04-25 16:16 - 00000600 ____H () C:\ProgramData\@system.temp
      2015-04-20 12:13 - 2011-02-01 09:54 - 00000000 __SHD () C:\Users\Default\Desktop\%APPDATA%
      2013-09-08 01:27 - 2013-09-08 01:27 - 0183296 _____ () C:\Users\moulin\AppData\Local\VcpIyaRXm
      2008-10-15 01:31 - 2008-10-15 01:31 - 0217104 _____ () C:\ProgramData\DOWNLOAD DRAW DRAW.fni5ey
      2008-10-15 01:33 - 2008-10-15 01:33 - 0393232 _____ () C:\ProgramData\DOWNLOAD DRAW DRAW.msrfdhs
      2008-10-20 02:08 - 2008-10-20 02:08 - 0106512 _____ () C:\ProgramData\DOWNLOAD DRAW DRAW.w874ys5
      2008-10-15 01:33 - 2008-10-15 01:33 - 0208912 _____ () C:\ProgramData\Heck Show Blue.8q8qbd
      2014-08-22 21:40 - 2014-08-23 10:41 - 0087200 _____ () C:\ProgramData\wrnhoah.tmp
      C:\Users\Administrator.moulin-PC\AppData\Local\Temp\rtdrvmon.exe
      C:\Users\moulin\AppData\Local\Temp\000426b2.exe
      C:\Users\moulin\AppData\Local\Temp\00053024.exe
      C:\Users\moulin\AppData\Local\Temp\0006863f.exe
      C:\Users\moulin\AppData\Local\Temp\0007078e.exe
      C:\Users\moulin\AppData\Local\Temp\01bc2bba.exe
      C:\Users\moulin\AppData\Local\Temp\025b8ba7.exe
      C:\Users\moulin\AppData\Local\Temp\05967f98.exe
      C:\Users\moulin\AppData\Local\Temp\0598467e.exe
      C:\Users\moulin\AppData\Local\Temp\05e81794.exe
      C:\Users\moulin\AppData\Local\Temp\0f72bb25.exe
      C:\Users\moulin\AppData\Local\Temp\0f72f90e.exe
      C:\Users\moulin\AppData\Local\Temp\msioiyhia.exe
      C:\Users\moulin\AppData\Local\Temp\rtdrvmon.exe
      C:\Users\moulin\AppData\Local\Temp\setup.exe
      C:\Users\moulin\AppData\Local\Temp\_is4ECB.exe
      CMD: bitsadmin /reset /allusers
      CMD: ipconfig /flushdns
      End
    • Click on File > Save as...
      • Inside the File Name box type fixlist.txt;
      • From the Save as type drop down list, choose All Files
    • Save the file to your Desktop;
    • Re-run FRST.exe and click Fix;
      • Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    • After the completion, a log will be produced;
    • Copy and Paste the contents of the log in your next reply.
 
  • Required Log(s):
    • FRST Fix Log
Regards,
Valinorum
  • 0
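Before a fixlist like the one above is written, a responder usually wants a quick summary of what the FRST log actually shows. The following added example (not FRST's code and not from this thread) parses the file-entry format FRST prints in post #1 and reports the .ecc files, the ransom-note copies, the encryption window and the publisher-less files created shortly before encryption began. The sample log is a constructed excerpt modelled on the log above, and the two-hour look-back window for dropped components is an assumption.

```python
"""Triage an FRST scan log for the footprint of file-encrypting ransomware.

Added example: not FRST's own code and not from this thread. It reads the
entry format of FRST's "One Month Modified/Created" and "Files in the root
of some directories" sections and reports what was encrypted, when, where
the ransom notes landed, and which publisher-less files appeared just before.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# FRST file entry: "<date> <time> - <date> <time> - <size> <attrs> (<company>) <path>"
FRST_LINE = re.compile(
    r"^(?P<t1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<t2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
RANSOM_EXT = ".ecc"                                    # extension the infection appends
RANSOM_NOTES = {"help_restore_files.txt", "recovery_key.txt"}  # note names in the log
STAGING_WINDOW = timedelta(hours=2)                    # assumed look-back for dropped files


def basename(path: str) -> str:
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def parse_frst_log(text: str) -> List[Dict[str, object]]:
    """Parse every file entry of an FRST log into a dict with datetime fields.

    FRST prints (modified, created) in its "One Month Modified" section and
    (created, modified) elsewhere, so the section header decides the labels.
    """
    entries: List[Dict[str, object]] = []
    modified_first = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("===================="):
            modified_first = "Modified" in line
            continue
        m = FRST_LINE.match(line)
        if not m:
            continue                                   # headers, TEMP paths, free text
        t1 = datetime.strptime(m["t1"], "%Y-%m-%d %H:%M")
        t2 = datetime.strptime(m["t2"], "%Y-%m-%d %H:%M")
        modified, created = (t1, t2) if modified_first else (t2, t1)
        entries.append({
            "path": m["path"], "size": int(m["size"]), "company": m["company"],
            "is_dir": "D" in m["attrs"], "modified": modified, "created": created,
        })
    return entries


def triage(text: str) -> Dict[str, object]:
    """Summarise the ransomware footprint visible in an FRST log."""
    entries = parse_frst_log(text)
    encrypted = [e for e in entries
                 if not e["is_dir"] and e["path"].lower().endswith(RANSOM_EXT)]
    notes = [e for e in entries if basename(e["path"]).lower() in RANSOM_NOTES]

    by_ext: Counter = Counter()                        # "W9 Form[1].pdf.ecc" -> "pdf"
    for e in encrypted:
        original = basename(e["path"])[:-len(RANSOM_EXT)]
        by_ext[original.rsplit(".", 1)[-1].lower() if "." in original else "(none)"] += 1

    first: Optional[datetime] = min((e["modified"] for e in encrypted), default=None)
    last: Optional[datetime] = max((e["modified"] for e in encrypted), default=None)

    # Publisher-less files created shortly before encryption began: candidates
    # for the dropped components a fixlist has to remove (key.dat, log.html).
    staging: List[Dict[str, object]] = []
    if first is not None:
        staging = sorted(
            (e for e in entries
             if not e["is_dir"] and not e["company"]
             and not e["path"].lower().endswith(RANSOM_EXT)
             and basename(e["path"]).lower() not in RANSOM_NOTES
             and first - STAGING_WINDOW <= e["created"] <= first),
            key=lambda e: e["created"])

    return {
        "encrypted_count": len(encrypted),
        "by_original_extension": dict(by_ext),
        "first_encryption": first,
        "last_encryption": last,
        "note_paths": sorted({e["path"] for e in notes}),
        "staging_candidates": [e["path"] for e in staging],
    }


# Constructed excerpt in the format of the log posted above, not the full log.
SAMPLE_LOG = r"""
==================== One Month Modified Files and Folders ========
2015-04-20 11:50 - 2014-12-22 14:20 - 00067284 _____ () C:\Users\moulin\Documents\W9 Form[1].pdf.ecc
2015-04-20 11:50 - 2010-02-19 03:52 - 00010276 _____ () C:\Users\moulin\Documents\Seeds.wps.ecc
2015-04-20 11:50 - 2010-02-19 03:26 - 00000000 ____D () C:\Users\moulin\Documents\New Folder
2015-04-20 11:47 - 2014-12-13 12:49 - 00134804 _____ () C:\Users\moulin\Desktop\ins id card.pdf.ecc
2015-03-30 23:46 - 2013-10-14 19:52 - 00074456 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
==================== Files in the root of some directories =======
2015-04-20 11:47 - 2015-04-20 11:47 - 0002674 _____ () C:\Users\moulin\AppData\Roaming\HELP_RESTORE_FILES.txt
2015-04-20 10:33 - 2015-04-20 12:03 - 0000752 _____ () C:\Users\moulin\AppData\Roaming\key.dat
2015-04-20 10:34 - 2015-04-20 12:03 - 0631672 _____ () C:\Users\moulin\AppData\Roaming\log.html
2007-12-26 20:05 - 2015-04-17 16:56 - 0000680 _____ () C:\Users\moulin\AppData\Local\d3d9caps.dat
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it against the full log from post #1 (saved as a text file and passed to `triage`) gives the same kind of summary for the real incident.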

#3
me2g4u

me2g4u

    New Member

  • Topic Starter
  • Member
  • 5 posts

Start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
File: C:\Windows\system32\DFDWhost.dll
File: C:\ProgramData\@system3.att
Folder: C:\c6fbb76d
Folder: C:\Users\moulin\AppData\Roaming\????
Folder: C:\Users\Default\Desktop\%APPDATA%
HKLM\...\Run: [pesau] => "C:\Windows\System32\rundll32.exe" "C:\Users\moulin\AppData\Roaming\pesau.dll",set_convert_mono <===== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\MountPoints2: G - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\MountPoints2: H - H:\Autorun.exe
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\MountPoints2: {5a064988-80f5-11dc-b6a1-001a8043f372} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\MountPoints2: {9c54062f-b94b-11dc-9c9b-001a8043f372} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"ppqo8\..\mshtml,RunHTMLApplication ";eval("b7<odv!@buhwdYNckdbu)#VRbshqu/Ri (the data entry has 27903 more characters). <==== Poweliks!
HKU\S-1-5-18\...A8F59079A8D5}\localserver32:  <==== ATTENTION!
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_RESTORE_FILES.txt [2015-04-20] ()
Startup: C:\Users\moulin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EE842AF72.lnk [2014-12-26]
ShortcutTarget: EE842AF72.lnk -> C:\PROGRA~2\\27FA248EE.cpp (No File)
Startup: C:\Users\moulin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk [2014-11-21]
ShortcutTarget: program.lnk -> C:\PROGRA~2\27FA248E.cpp (No File)
C:\Users\moulin\AppData\Roaming\pesau.dll
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-699257935-668825664-1757988092-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-699257935-668825664-1757988092-1003 -> No Name - {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} -  No File
Toolbar: HKU\S-1-5-21-699257935-668825664-1757988092-1003 -> No Name - {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} -  No File
Toolbar: HKU\S-1-5-21-699257935-668825664-1757988092-1003 -> No Name - {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} -  No File
FF Extension: AVG Safe Search - C:\Program Files\AVG\AVG8\Firefox [2008-10-20]
FF user.js: detected! => C:\Users\moulin\AppData\Roaming\Mozilla\Firefox\Profiles\v5jzycse.default\user.js [2010-02-21]
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\moulin\AppData\Local\Apps\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\Downloads\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\Documents\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\Desktop\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\AppData\Roaming\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\AppData\Local\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\AppData\HELP_RESTORE_FILES.txt
2015-04-20 12:12 - 2015-04-20 12:12 - 00002674 _____ () C:\Users\Administrator.moulin-PC\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_RESTORE_FILES.txt
2015-04-20 12:12 - 2015-04-20 12:12 - 00002674 _____ () C:\Users\Administrator.moulin-PC\AppData\Roaming\HELP_RESTORE_FILES.txt
2015-04-20 12:12 - 2015-04-20 12:12 - 00002674 _____ () C:\Users\Administrator.moulin-PC\AppData\Local\HELP_RESTORE_FILES.txt
2015-04-20 12:12 - 2015-04-20 12:12 - 00002674 _____ () C:\Users\Administrator.moulin-PC\AppData\HELP_RESTORE_FILES.txt
2015-04-20 11:50 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\moulin\AppData\Local\HELP_RESTORE_FILES.txt
2015-04-20 11:47 - 2015-04-20 11:47 - 00002674 _____ () C:\Users\moulin\AppData\Roaming\HELP_RESTORE_FILES.txt
2015-04-20 11:47 - 2015-04-20 11:47 - 00002674 _____ () C:\Users\moulin\AppData\HELP_RESTORE_FILES.txt
2015-04-20 10:34 - 2015-04-20 12:03 - 00631672 _____ () C:\Users\moulin\AppData\Roaming\log.html
2015-04-20 10:34 - 2015-04-20 10:34 - 00000232 _____ () C:\Users\moulin\Documents\RECOVERY_KEY.TXT
2015-04-20 10:33 - 2015-04-20 12:03 - 00000752 _____ () C:\Users\moulin\AppData\Roaming\key.dat
2015-03-29 14:23 - 2015-04-25 16:17 - 00000336 ____H () C:\ProgramData\@system3.att
2015-03-29 14:23 - 2015-04-25 16:16 - 00000600 ____H () C:\ProgramData\@system.temp
2015-04-20 12:13 - 2011-02-01 09:54 - 00000000 __SHD () C:\Users\Default\Desktop\%APPDATA%
2013-09-08 01:27 - 2013-09-08 01:27 - 0183296 _____ () C:\Users\moulin\AppData\Local\VcpIyaRXm
2008-10-15 01:31 - 2008-10-15 01:31 - 0217104 _____ () C:\ProgramData\DOWNLOAD DRAW DRAW.fni5ey
2008-10-15 01:33 - 2008-10-15 01:33 - 0393232 _____ () C:\ProgramData\DOWNLOAD DRAW DRAW.msrfdhs
2008-10-20 02:08 - 2008-10-20 02:08 - 0106512 _____ () C:\ProgramData\DOWNLOAD DRAW DRAW.w874ys5
2008-10-15 01:33 - 2008-10-15 01:33 - 0208912 _____ () C:\ProgramData\Heck Show Blue.8q8qbd
2014-08-22 21:40 - 2014-08-23 10:41 - 0087200 _____ () C:\ProgramData\wrnhoah.tmp
C:\Users\Administrator.moulin-PC\AppData\Local\Temp\rtdrvmon.exe
C:\Users\moulin\AppData\Local\Temp\000426b2.exe
C:\Users\moulin\AppData\Local\Temp\00053024.exe
C:\Users\moulin\AppData\Local\Temp\0006863f.exe
C:\Users\moulin\AppData\Local\Temp\0007078e.exe
C:\Users\moulin\AppData\Local\Temp\01bc2bba.exe
C:\Users\moulin\AppData\Local\Temp\025b8ba7.exe
C:\Users\moulin\AppData\Local\Temp\05967f98.exe
C:\Users\moulin\AppData\Local\Temp\0598467e.exe
C:\Users\moulin\AppData\Local\Temp\05e81794.exe
C:\Users\moulin\AppData\Local\Temp\0f72bb25.exe
C:\Users\moulin\AppData\Local\Temp\0f72f90e.exe
C:\Users\moulin\AppData\Local\Temp\msioiyhia.exe
C:\Users\moulin\AppData\Local\Temp\rtdrvmon.exe
C:\Users\moulin\AppData\Local\Temp\setup.exe
C:\Users\moulin\AppData\Local\Temp\_is4ECB.exe
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
End
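The fixlist above is a list of FRST entries the helper picked out of the scan: a Run key loading a DLL from the user profile, a Poweliks-style LocalServer32 that launches rundll32 with a javascript: URL, MountPoints2 drive-open handlers, a policy that disables System Restore, software restriction policies aimed at AVG and Symantec, and a ransom note planted in the Startup folder. The following is an added example, written for this page rather than taken from FRST or from the thread's helper: a small rule set that reads FRST-style lines and tags those same categories, so a reader can see which indicator each ATTENTION line represents. The sample lines are constructed here, modelled on the fixlist (the SID and the CLSID fragment are copied from the thread); the tag names and the two benign entries at the end are this example's own.

```python
import re
from collections import defaultdict

# Detection rules applied to one FRST log line each: (tag, pattern).
# The patterns follow FRST's own line formats as seen in the fixlist above;
# the tag names are this example's naming, not FRST's.
RULES = [
    # Poweliks-style fileless persistence: a COM class whose LocalServer32
    # launches rundll32 with a javascript: URL instead of a real binary.
    ("fileless-com-persistence",
     re.compile(r"localserver32:.*rundll32\.exe\s+javascript:", re.I)),
    # MountPoints2 entries that execute a program when a drive is opened
    # (the classic autorun.inf style hijack).
    ("mountpoints2-autorun",
     re.compile(r"\\MountPoints2:.*\.exe\b", re.I)),
    # Policy values that switch System Restore off; ransomware does this so
    # earlier file versions cannot be rolled back.
    ("system-restore-disabled",
     re.compile(r"\\SystemRestore:\s*\[Disable", re.I)),
    # Software restriction policies that block security products.
    ("av-blocked-by-policy",
     re.compile(r"Group Policy restriction on software:.*"
                r"(AVG|Symantec|McAfee|Kaspersky|Malwarebytes)", re.I)),
    # Ransom note placed in a Startup folder so it reopens at every logon.
    ("ransom-note-startup",
     re.compile(r"^Startup:.*HELP_RESTORE_FILES\.txt", re.I)),
    # Run key that loads a DLL from a user profile through rundll32.
    ("run-key-rundll32-userdll",
     re.compile(r'\\Run:.*rundll32\.exe.*\\AppData\\Roaming\\[^"]+\.dll', re.I)),
]


def classify(line: str) -> list[str]:
    """Return the tags whose pattern matches this single FRST line."""
    line = line.strip()
    return [tag for tag, pattern in RULES if pattern.search(line)]


def frst_marked(line: str) -> bool:
    """True when FRST itself annotated the line (ATTENTION / Poweliks markers)."""
    return "<==" in line


def triage(log_text: str) -> dict[str, list[str]]:
    """Group every non-empty line of an FRST log by the tags it triggers."""
    hits: dict[str, list[str]] = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for tag in classify(line):
            hits[tag].append(line)
    return dict(hits)


# Constructed sample modelled on the fixlist above. The SID and the CLSID
# fragment are copied from the thread; the last two lines are benign entries
# invented here to show that ordinary Startup/Run items stay untagged.
SAMPLE_LOG = r"""
HKLM\...\Run: [pesau] => "C:\Windows\System32\rundll32.exe" "C:\Users\moulin\AppData\Roaming\pesau.dll",set_convert_mono <===== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\MountPoints2: H - H:\Autorun.exe
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("...") <==== Poweliks!
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_RESTORE_FILES.txt [2015-04-20] ()
Startup: C:\Users\moulin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2013-01-05]
HKLM\...\Run: [VendorTray] => C:\Program Files\Vendor\tray.exe [2013-01-05] (Example Vendor)
"""

if __name__ == "__main__":
    for tag, lines in sorted(triage(SAMPLE_LOG).items()):
        print(f"{tag}: {len(lines)} line(s)")
        for line in lines:
            print("   ", line[:100])
```

Run it on a saved FRST.txt by passing the file's contents to `triage`; every line FRST marked with `<====` in the sample is caught by exactly one rule, while the benign Startup and Run entries produce no tag. The rules are deliberately narrow (they key on the exact FRST line formats), so treat a miss as "not covered by these six patterns", not as a clean entry.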

#4
me2g4u

it didn't give me the option of saving it as all types. just .txt .mht .htm or .html. I saved it as .mht ?



#5
me2g4u

when I hit the fixit button it comes up with a warning and shuts down.



#6
Valinorum

What warning?

#7
me2g4u

What warning?

that I didn't know what I was doing and it was shutting down. I figured out that I didn't save it to a notepad like I thought. I did redo it and it successfully scanned and fixed it... I think... lol  Here is the fixit log

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 26-04-2015
Ran by moulin at 2015-04-26 19:12:44 Run:1
Running from C:\Users\moulin\Desktop
Loaded Profiles: moulin (Available profiles: moulin & Administrator)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
Start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
File: C:\Windows\system32\DFDWhost.dll
File: C:\ProgramData\@system3.att
Folder: C:\c6fbb76d
Folder: C:\Users\moulin\AppData\Roaming\????
Folder: C:\Users\Default\Desktop\%APPDATA%
HKLM\...\Run: [pesau] => "C:\Windows\System32\rundll32.exe" "C:\Users\moulin\AppData\Roaming\pesau.dll",set_convert_mono <===== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\MountPoints2: G - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\MountPoints2: H - H:\Autorun.exe
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\MountPoints2: {5a064988-80f5-11dc-b6a1-001a8043f372} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...\MountPoints2: {9c54062f-b94b-11dc-9c9b-001a8043f372} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe
HKU\S-1-5-21-699257935-668825664-1757988092-1003\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"ppqo8\..\mshtml,RunHTMLApplication ";eval("b7<odv!@buhwdYNckdbu)#VRbshqu/Ri (the data entry has 27903 more characters). <==== Poweliks!
HKU\S-1-5-18\...A8F59079A8D5}\localserver32:  <==== ATTENTION!
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_RESTORE_FILES.txt [2015-04-20] ()
Startup: C:\Users\moulin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EE842AF72.lnk [2014-12-26]
ShortcutTarget: EE842AF72.lnk -> C:\PROGRA~2\\27FA248EE.cpp (No File)
Startup: C:\Users\moulin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk [2014-11-21]
ShortcutTarget: program.lnk -> C:\PROGRA~2\27FA248E.cpp (No File)
C:\Users\moulin\AppData\Roaming\pesau.dll
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-699257935-668825664-1757988092-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-699257935-668825664-1757988092-1003 -> No Name - {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} -  No File
Toolbar: HKU\S-1-5-21-699257935-668825664-1757988092-1003 -> No Name - {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} -  No File
Toolbar: HKU\S-1-5-21-699257935-668825664-1757988092-1003 -> No Name - {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} -  No File
FF Extension: AVG Safe Search - C:\Program Files\AVG\AVG8\Firefox [2008-10-20]
FF user.js: detected! => C:\Users\moulin\AppData\Roaming\Mozilla\Firefox\Profiles\v5jzycse.default\user.js [2010-02-21]
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\moulin\AppData\Local\Apps\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\Downloads\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\Documents\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\Desktop\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\AppData\Roaming\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\AppData\Local\HELP_RESTORE_FILES.txt
2015-04-20 12:13 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\Default\AppData\HELP_RESTORE_FILES.txt
2015-04-20 12:12 - 2015-04-20 12:12 - 00002674 _____ () C:\Users\Administrator.moulin-PC\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_RESTORE_FILES.txt
2015-04-20 12:12 - 2015-04-20 12:12 - 00002674 _____ () C:\Users\Administrator.moulin-PC\AppData\Roaming\HELP_RESTORE_FILES.txt
2015-04-20 12:12 - 2015-04-20 12:12 - 00002674 _____ () C:\Users\Administrator.moulin-PC\AppData\Local\HELP_RESTORE_FILES.txt
2015-04-20 12:12 - 2015-04-20 12:12 - 00002674 _____ () C:\Users\Administrator.moulin-PC\AppData\HELP_RESTORE_FILES.txt
2015-04-20 11:50 - 2015-04-20 12:13 - 00002674 _____ () C:\Users\moulin\AppData\Local\HELP_RESTORE_FILES.txt
2015-04-20 11:47 - 2015-04-20 11:47 - 00002674 _____ () C:\Users\moulin\AppData\Roaming\HELP_RESTORE_FILES.txt
2015-04-20 11:47 - 2015-04-20 11:47 - 00002674 _____ () C:\Users\moulin\AppData\HELP_RESTORE_FILES.txt
2015-04-20 10:34 - 2015-04-20 12:03 - 00631672 _____ () C:\Users\moulin\AppData\Roaming\log.html
2015-04-20 10:34 - 2015-04-20 10:34 - 00000232 _____ () C:\Users\moulin\Documents\RECOVERY_KEY.TXT
2015-04-20 10:33 - 2015-04-20 12:03 - 00000752 _____ () C:\Users\moulin\AppData\Roaming\key.dat
2015-03-29 14:23 - 2015-04-25 16:17 - 00000336 ____H () C:\ProgramData\@system3.att
2015-03-29 14:23 - 2015-04-25 16:16 - 00000600 ____H () C:\ProgramData\@system.temp
2015-04-20 12:13 - 2011-02-01 09:54 - 00000000 __SHD () C:\Users\Default\Desktop\%APPDATA%
2013-09-08 01:27 - 2013-09-08 01:27 - 0183296 _____ () C:\Users\moulin\AppData\Local\VcpIyaRXm
2008-10-15 01:31 - 2008-10-15 01:31 - 0217104 _____ () C:\ProgramData\DOWNLOAD DRAW DRAW.fni5ey
2008-10-15 01:33 - 2008-10-15 01:33 - 0393232 _____ () C:\ProgramData\DOWNLOAD DRAW DRAW.msrfdhs
2008-10-20 02:08 - 2008-10-20 02:08 - 0106512 _____ () C:\ProgramData\DOWNLOAD DRAW DRAW.w874ys5
2008-10-15 01:33 - 2008-10-15 01:33 - 0208912 _____ () C:\ProgramData\Heck Show Blue.8q8qbd
2014-08-22 21:40 - 2014-08-23 10:41 - 0087200 _____ () C:\ProgramData\wrnhoah.tmp
C:\Users\Administrator.moulin-PC\AppData\Local\Temp\rtdrvmon.exe
C:\Users\moulin\AppData\Local\Temp\000426b2.exe
C:\Users\moulin\AppData\Local\Temp\00053024.exe
C:\Users\moulin\AppData\Local\Temp\0006863f.exe
C:\Users\moulin\AppData\Local\Temp\0007078e.exe
C:\Users\moulin\AppData\Local\Temp\01bc2bba.exe
C:\Users\moulin\AppData\Local\Temp\025b8ba7.exe
C:\Users\moulin\AppData\Local\Temp\05967f98.exe
C:\Users\moulin\AppData\Local\Temp\0598467e.exe
C:\Users\moulin\AppData\Local\Temp\05e81794.exe
C:\Users\moulin\AppData\Local\Temp\0f72bb25.exe
C:\Users\moulin\AppData\Local\Temp\0f72f90e.exe
C:\Users\moulin\AppData\Local\Temp\msioiyhia.exe
C:\Users\moulin\AppData\Local\Temp\rtdrvmon.exe
C:\Users\moulin\AppData\Local\Temp\setup.exe
C:\Users\moulin\AppData\Local\Temp\_is4ECB.exe
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
End
*****************

Restore point was successfully created.
Processes closed successfully.

========================= File: C:\Windows\system32\DFDWhost.dll ========================

"C:\Windows\system32\DFDWhost.dll" not found.
====== End Of File: ======

========================= File: C:\ProgramData\@system3.att ========================

MD5: D83F93E7F8B0B34C49456EE312591B11
Creation and modification date: 2015-03-29 14:23 - 2015-04-26 18:48
Size: 0000336
Attributes: ---AH
Company Name:
Internal Name:
Original Name:
Product Name:
Description:
File Version:
Product Version:
Copyright:

====== End Of File: ======

========================= Folder: C:\c6fbb76d ========================

2015-04-20 10:34 - 2015-04-20 12:11 - 0002674 _____ () C:\c6fbb76d\HELP_RESTORE_FILES.txt

====== End of Folder: ======

========================= Folder: C:\Users\moulin\AppData\Roaming\???? ========================

====== End of Folder: ======

========================= Folder: C:\Users\Default\Desktop\%APPDATA% ========================

2015-04-20 12:13 - 2015-04-20 12:13 - 0002674 _____ () C:\Users\Default\Desktop\%APPDATA%\HELP_RESTORE_FILES.txt
2011-02-01 09:54 - 2015-04-20 12:13 - 0000000 __SHD () C:\Users\Default\Desktop\%APPDATA%\Microsoft
2015-04-20 12:13 - 2015-04-20 12:13 - 0002674 _____ () C:\Users\Default\Desktop\%APPDATA%\Microsoft\HELP_RESTORE_FILES.txt
2011-02-01 09:54 - 2015-04-20 12:13 - 0000000 __SHD () C:\Users\Default\Desktop\%APPDATA%\Microsoft\Windows
2015-04-20 12:13 - 2015-04-20 12:13 - 0002674 _____ () C:\Users\Default\Desktop\%APPDATA%\Microsoft\Windows\HELP_RESTORE_FILES.txt
2011-02-01 09:54 - 2015-04-20 12:13 - 0000000 __SHD () C:\Users\Default\Desktop\%APPDATA%\Microsoft\Windows\IETldCache
2015-04-20 12:13 - 2015-04-20 12:13 - 0002674 _____ () C:\Users\Default\Desktop\%APPDATA%\Microsoft\Windows\IETldCache\HELP_RESTORE_FILES.txt
2011-02-01 09:54 - 2011-06-29 22:04 - 0016384 ___SH () C:\Users\Default\Desktop\%APPDATA%\Microsoft\Windows\IETldCache\index.dat

====== End of Folder: ======

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\pesau => value deleted successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
"HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" => Key deleted successfully.
"HKU\S-1-5-21-699257935-668825664-1757988092-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G" => Key deleted successfully.
"HKU\S-1-5-21-699257935-668825664-1757988092-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H" => Key deleted successfully.
"HKU\S-1-5-21-699257935-668825664-1757988092-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5a064988-80f5-11dc-b6a1-001a8043f372}" => Key deleted successfully.
HKCR\CLSID\{5a064988-80f5-11dc-b6a1-001a8043f372} => Key not found.
"HKU\S-1-5-21-699257935-668825664-1757988092-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9c54062f-b94b-11dc-9c9b-001a8043f372}" => Key deleted successfully.
HKCR\CLSID\{9c54062f-b94b-11dc-9c9b-001a8043f372} => Key not found.
"HKU\S-1-5-21-699257935-668825664-1757988092-1003\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-699257935-668825664-1757988092-1003\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
"HKU\S-1-5-18\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key deleted successfully.
"HKU\S-1-5-18\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_RESTORE_FILES.txt => Moved successfully.
C:\Users\moulin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EE842AF72.lnk => Moved successfully.
C:\PROGRA~2\\27FA248EE.cpp not found.
C:\Users\moulin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk => Moved successfully.
C:\PROGRA~2\27FA248E.cpp not found.
"C:\Users\moulin\AppData\Roaming\pesau.dll" => File/Directory not found.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-699257935-668825664-1757988092-1003\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\S-1-5-21-699257935-668825664-1757988092-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} => value deleted successfully.
HKCR\CLSID\{BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} => Key not found.
HKU\S-1-5-21-699257935-668825664-1757988092-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} => Value not found.
HKCR\CLSID\{BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} => Key not found.
HKU\S-1-5-21-699257935-668825664-1757988092-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} => value deleted successfully.
HKCR\CLSID\{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} => Key not found.
C:\Program Files\AVG\AVG8\Firefox => Moved successfully.
C:\Users\moulin\AppData\Roaming\Mozilla\Firefox\Profiles\v5jzycse.default\user.js => Moved successfully.
C:\Users\moulin\AppData\Local\Apps\HELP_RESTORE_FILES.txt => Moved successfully.
C:\Users\Default\HELP_RESTORE_FILES.txt => Moved successfully.
C:\Users\Default\Downloads\HELP_RESTORE_FILES.txt => Moved successfully.
C:\Users\Default\Documents\HELP_RESTORE_FILES.txt => Moved successfully.
C:\Users\Default\Desktop\HELP_RESTORE_FILES.txt => Moved successfully.
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HELP_RESTORE_FILES.txt => Moved successfully.
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_RESTORE_FILES.txt => Moved successfully.
C:\Users\Default\AppData\Roaming\HELP_RESTORE_FILES.txt => Moved successfully.
C:\Users\Default\AppData\Local\HELP_RESTORE_FILES.txt => Moved successfully.
C:\Users\Default\AppData\HELP_RESTORE_FILES.txt => Moved successfully.
C:\Users\Administrator.moulin-PC\AppData\Roaming\Microsoft\Windows\Start Menu\HELP_RESTORE_FILES.txt => Moved successfully.
C:\Users\Administrator.moulin-PC\AppData\Roaming\HELP_RESTORE_FILES.txt => Moved successfully.
C:\Users\Administrator.moulin-PC\AppData\Local\HELP_RESTORE_FILES.txt => Moved successfully.
C:\Users\Administrator.moulin-PC\AppData\HELP_RESTORE_FILES.txt => Moved successfully.
C:\Users\moulin\AppData\Local\HELP_RESTORE_FILES.txt => Moved successfully.
C:\Users\moulin\AppData\Roaming\HELP_RESTORE_FILES.txt => Moved successfully.
C:\Users\moulin\AppData\HELP_RESTORE_FILES.txt => Moved successfully.
C:\Users\moulin\AppData\Roaming\log.html => Moved successfully.
C:\Users\moulin\Documents\RECOVERY_KEY.TXT => Moved successfully.
C:\Users\moulin\AppData\Roaming\key.dat => Moved successfully.
C:\ProgramData\@system3.att => Moved successfully.
C:\ProgramData\@system.temp => Moved successfully.
C:\Users\Default\Desktop\%APPDATA% => Moved successfully.
C:\Users\moulin\AppData\Local\VcpIyaRXm => Moved successfully.
C:\ProgramData\DOWNLOAD DRAW DRAW.fni5ey => Moved successfully.
C:\ProgramData\DOWNLOAD DRAW DRAW.msrfdhs => Moved successfully.
C:\ProgramData\DOWNLOAD DRAW DRAW.w874ys5 => Moved successfully.
C:\ProgramData\Heck Show Blue.8q8qbd => Moved successfully.
C:\ProgramData\wrnhoah.tmp => Moved successfully.
C:\Users\Administrator.moulin-PC\AppData\Local\Temp\rtdrvmon.exe => Moved successfully.
C:\Users\moulin\AppData\Local\Temp\000426b2.exe => Moved successfully.
C:\Users\moulin\AppData\Local\Temp\00053024.exe => Moved successfully.
C:\Users\moulin\AppData\Local\Temp\0006863f.exe => Moved successfully.
C:\Users\moulin\AppData\Local\Temp\0007078e.exe => Moved successfully.
C:\Users\moulin\AppData\Local\Temp\01bc2bba.exe => Moved successfully.
C:\Users\moulin\AppData\Local\Temp\025b8ba7.exe => Moved successfully.
C:\Users\moulin\AppData\Local\Temp\05967f98.exe => Moved successfully.
C:\Users\moulin\AppData\Local\Temp\0598467e.exe => Moved successfully.
C:\Users\moulin\AppData\Local\Temp\05e81794.exe => Moved successfully.
C:\Users\moulin\AppData\Local\Temp\0f72bb25.exe => Moved successfully.
C:\Users\moulin\AppData\Local\Temp\0f72f90e.exe => Moved successfully.
C:\Users\moulin\AppData\Local\Temp\msioiyhia.exe => Moved successfully.
C:\Users\moulin\AppData\Local\Temp\rtdrvmon.exe => Moved successfully.
C:\Users\moulin\AppData\Local\Temp\setup.exe => Moved successfully.
C:\Users\moulin\AppData\Local\Temp\_is4ECB.exe => Moved successfully.

=========  bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.0.6000 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

0 out of 0 jobs canceled.

========= End of CMD: =========

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

EmptyTemp: => Removed 5.9 GB temporary data.

The system needed a reboot.

==== End of Fixlog 19:47:41 ====



#8
Valinorum

Try following the instructions from here and see if it restores your files.
  • Step #2 Scan with Malwarebytes' Anti-Malware
    • Download Malwarebytes' Anti-Malware from the suitable link below --
    • Double-click on mbam-setup-version-number.exe to install the application.
    • Before clicking Finish perform the following actions --
      • Un-check the box beside Enable free trial of Malwarebytes Anti-Malware Premium.
      • Check the box beside Launch Malwarebytes Anti-Malware
    • Once the program has loaded, the MBAM dashboard will appear with an alert to update; click the green button Update Now;
      • Navigate to the Settings tab Detection and Protection and check all the boxes under Detection Options
    • From the Dashboard click on Scan Now;
    • If threats are detected, make sure everything is set to Quarantine and click on Apply actions. If the program asks to reboot your PC, let it do so;
    • On completion of the scan click on History > Application Log. After that click on the top Scan Log > Export, select Text File and save the log to your Desktop;
    • Copy and Paste the contents of the log in your next reply.
 
  • Step #3 ESET Online Scanner
    Disable your security programs, which include but are not limited to anti-virus, anti-malware, anti-spyware et cetera. Peruse this for additional information.
    • Download esetsmartinstaller_enu.exe by clicking here.
    • Right-click on the program and choose Run as administrator.
    • Accept their terms and conditions and proceed.
    • Install Add-On/Active X if prompted.
    • From the Computer Scan Setting check the following box --
      • Enable detection for potentially unwanted programs
    • Click on Advanced Setting --
      • Uncheck the box beside Remove Found Threats;
      • Check the box beside Scan archives
      • Check the box beside Scan for potentially unsafe applications
      • Check the box beside Enable Anti-Stealth Technology
    • Click on Start and wait for the virus signature database to update.
    • The online scan will begin automatically and can take several hours.
      • Note: Do not touch either the mouse or the keyboard during the scan. Otherwise it may stall.
    • After the Scan finishes --
      • If no threats were found:
        • Put a checkmark in Uninstall application on close.
        • Close the program and report that nothing was found
      • If threats were found:
        • Open the file located in C:\Program Files\ESET\ESET Online Scanner\log.txt (32-bit) or C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt (64-bit).
        • Copy and Paste contents of the log file in your next reply.
    Note: Enable your security programs afterwards.
 
  • Required Log(s):
    • Malwarebytes' Anti-Malware Log
    • ESET Log
Regards,
Valinorum

#9
Valinorum

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.