newsfudge and sirefef infections

2 posters

WiredWX Christian Hobby Weather Tools :: GeekPolice tech support archive :: Technical Support

newsfudge and sirefef infections11th July 2012, 4:33 am

Greetings,
You really saved my wife (Jan) a couple of months back when she got a nasty bug, so let me start with a thank you. I'm pretty good at catching hijacked accounts and spam but after years pretty much trouble-free, some dirtball finally got me with "NewsFudge." I did a quick search and found several sites saying how to remove "random.exe" and then the "C" drive files and Registry edits. I couldn't find any of them and noticed it had disabled my Windows Security Essentials. I uninstalled that and reinstalled it which did enable it, it found sirefef.an and .ao and .ag, etc. and tried to remove them but from that point forward it kept shutting me down in one minute as soon as it booted up. I'd get a notice: "You are about to be logged off" and "Windows has encountered a critical problem and will restart automatically in one minute. Please save your work."

So after fighting with that for ten or 15 restarts I finally was able to uninstall MS-Sec-Ess in a couple of tries which stopped that behavior so I could run your files. See below. I've got a long business day tomorrow including 7 hours of driving to/from and long quarterly forecast meeting (ie will suck) and this has put me VERY far behind getting ready for that. I may not be able to do anything else until Thursday but will try to download anything I need and run any fixes I can while driving up there tomorrow until my battery dies.

OTL.txt
OTL logfile created on: 7/10/2012 10:01:03 PM - Run 1
OTL by OldTimer - Version 3.2.53.1 Folder = C:\Users\slamb\Documents\IT & Downloads
Professional (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.24 Gb Total Physical Memory | 2.21 Gb Available Physical Memory | 68.23% Memory free
6.48 Gb Paging File | 5.39 Gb Available in Paging File | 83.22% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 148.85 Gb Total Space | 8.80 Gb Free Space | 5.91% Space Free | Partition Type: NTFS
Drive E: | 965.72 Mb Total Space | 880.05 Mb Free Space | 91.13% Space Free | Partition Type: FAT

Computer Name: SLAMBA2436 | User Name: slamb | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========

PRC - [2012/07/10 21:46:35 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\slamb\Documents\IT & Downloads\OTL.com
PRC - [2012/06/19 17:32:30 | 003,048,136 | ---- | M] (Skype Technologies S.A.) -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
PRC - [2012/02/23 12:30:40 | 000,059,240 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
PRC - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/07/22 00:07:38 | 000,718,720 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
PRC - [2011/07/16 00:31:12 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2011/04/28 10:36:32 | 000,023,912 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Dynamics CRM\Client\bin\CrmSqlStartupSvc.exe
PRC - [2010/11/02 21:22:02 | 000,113,168 | ---- | M] (DEVGURU Co., LTD) -- C:\Windows\System32\ptumlcmsvc.exe
PRC - [2010/09/16 14:13:50 | 002,538,520 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
PRC - [2010/09/16 14:13:46 | 000,325,656 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
PRC - [2010/09/16 14:13:40 | 001,522,200 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe
PRC - [2010/08/18 17:43:38 | 000,463,912 | R--- | M] (Ericsson AB) -- C:\Program Files\Dell\Dell WWAN\WMCore\mini_WMCore.exe
PRC - [2010/06/04 17:29:14 | 000,292,208 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2010/05/31 19:57:12 | 000,056,032 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2010/05/31 16:17:06 | 000,054,640 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2010/03/24 02:09:28 | 000,812,448 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
PRC - [2010/03/24 02:09:28 | 000,027,040 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
PRC - [2010/02/17 17:34:40 | 000,054,568 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2010/01/10 14:01:26 | 000,060,928 | ---- | M] () -- C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe
PRC - [2009/11/01 22:30:00 | 002,508,104 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2009/10/31 01:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/09/28 18:56:18 | 000,140,640 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
PRC - [2009/07/13 21:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/02/04 17:35:00 | 000,078,848 | ---- | M] (DameWare Development) -- C:\Windows\System32\DWRCST.EXE
PRC - [2009/02/04 17:34:46 | 000,234,496 | ---- | M] (DameWare Development LLC) -- C:\Windows\System32\DWRCS.EXE

========== Modules (No Company Name) ==========

MOD - [2012/06/13 10:12:17 | 012,433,920 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\009c50fb69919b90fb233cb4c35d0ad7\System.Windows.Forms.ni.dll
MOD - [2012/06/13 10:12:09 | 001,591,808 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\ebefde27b0ef7f39bb49c493b34a602c\System.Drawing.ni.dll
MOD - [2012/05/11 10:02:41 | 005,453,312 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\5c85c9c42e1b8a8760de82ecb4c7d582\System.Xml.ni.dll
MOD - [2012/05/11 10:02:38 | 000,971,264 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cb079eab134fd1a752ad91db13274110\System.Configuration.ni.dll
MOD - [2012/05/11 10:02:37 | 007,952,384 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System\2ebb3c259eab50af565e3a8dba6ad20e\System.ni.dll
MOD - [2012/05/11 10:02:29 | 011,490,816 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\5858678a79aae31262b0214424245d06\mscorlib.ni.dll
MOD - [2012/02/20 21:29:04 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2012/02/20 21:28:42 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/09/24 01:52:09 | 000,952,168 | ---- | M] () -- C:\windows\assembly\GAC_32\Microsoft.Crm\4.0.0.0__31bf3856ad364e35\Microsoft.Crm.dll
MOD - [2011/03/17 00:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2010/10/20 15:45:26 | 008,801,120 | ---- | M] () -- C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
MOD - [2010/04/15 00:20:46 | 000,473,704 | ---- | M] () -- C:\Windows\System32\nvShell.dll
MOD - [2010/04/15 00:20:44 | 001,612,392 | ---- | M] () -- C:\Windows\System32\nView.dll
MOD - [2009/07/13 21:15:51 | 000,232,448 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.DLL
MOD - [2009/07/13 21:15:51 | 000,232,448 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll

========== Win32 Services (SafeList) ==========

SRV - [2012/06/19 17:32:30 | 003,048,136 | ---- | M] (Skype Technologies S.A.) [Auto | Running] -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
SRV - [2012/05/03 08:31:10 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/06/12 11:15:00 | 031,125,880 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
SRV - [2011/04/28 10:36:32 | 000,023,912 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Dynamics CRM\Client\bin\CrmSqlStartupSvc.exe -- (CrmSqlStartupSvc)
SRV - [2010/11/02 21:22:02 | 000,113,168 | ---- | M] (DEVGURU Co., LTD) [Auto | Running] -- C:\Windows\System32\ptumlcmsvc.exe -- (ptumlcmsvc)
SRV - [2010/09/16 14:13:50 | 002,538,520 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS) Intel(R)
SRV - [2010/09/16 14:13:46 | 000,325,656 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS) Intel(R)
SRV - [2010/08/18 17:43:38 | 000,463,912 | R--- | M] (Ericsson AB) [Auto | Running] -- C:\Program Files\Dell\Dell WWAN\WMCore\mini_WMCore.exe -- (WMCoreService)
SRV - [2010/07/27 18:19:06 | 000,121,416 | ---- | M] (SmithMicro Inc.) [On_Demand | Stopped] -- C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe -- (ATTRcAppSvc)
SRV - [2010/07/27 18:17:00 | 000,125,512 | ---- | M] (SmithMicro Inc.) [On_Demand | Stopped] -- C:\Program Files\AT&T\Communication Manager\ConAppsSvc.exe -- (CAATT)
SRV - [2010/07/08 18:22:23 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/03/24 02:09:28 | 000,812,448 | ---- | M] (Broadcom Corporation) [Auto | Running] -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe -- (Credential Vault Host Control Service)
SRV - [2010/03/24 02:09:28 | 000,027,040 | ---- | M] (Broadcom Corporation) [Auto | Running] -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe -- (Credential Vault Host Storage)
SRV - [2010/01/10 14:01:26 | 000,060,928 | ---- | M] () [Auto | Running] -- C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe -- (InstallFilterService)
SRV - [2009/07/13 21:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/02/04 17:34:46 | 000,234,496 | ---- | M] (DameWare Development LLC) [Auto | Running] -- C:\Windows\System32\DWRCS.EXE -- (DWMRCS)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\windows\system32\drivers\yqdphmul.sys -- (yqdphmul)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\RimUsb.sys -- (RimUsb)
DRV - [2010/11/02 11:07:04 | 000,168,208 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTUMLVsp.sys -- (PTUMLVsp)
DRV - [2010/11/02 11:07:02 | 000,168,848 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTUMLNVsp.sys -- (PTUMLNVsp)
DRV - [2010/11/02 11:07:02 | 000,084,496 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTUMLNET61.sys -- (PTUMLNET61) PANTECH UML290 WWAN (NDIS6.1)
DRV - [2010/11/02 11:07:02 | 000,060,432 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTUMLRMNET.sys -- (PTUMLRMNET)
DRV - [2010/11/02 11:07:00 | 000,168,208 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTUMLMdm.sys -- (PTUMLMdm)
DRV - [2010/11/02 11:07:00 | 000,168,208 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTUMLCVsp.sys -- (PTUMLCVsp)
DRV - [2010/11/02 11:07:00 | 000,059,664 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTUMLBUS.sys -- (PTUMLBUS)
DRV - [2010/07/27 18:12:04 | 000,024,192 | ---- | M] (Bytemobile, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\tcpipBM.sys -- (tcpipBM)
DRV - [2010/07/27 18:12:04 | 000,013,184 | ---- | M] (Bytemobile, Inc.) [Kernel | Boot | Unknown] -- C:\Windows\System32\drivers\BMLoad.sys -- (BMLoad)
DRV - [2010/07/27 18:09:40 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\PCTINDIS5.sys -- (PCTINDIS5)
DRV - [2010/06/21 23:59:30 | 000,255,096 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2010/04/17 03:41:02 | 009,935,976 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/03/19 18:39:08 | 000,059,904 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\risdpe86.sys -- (risdpcie)
DRV - [2010/01/18 09:56:26 | 000,042,672 | ---- | M] (ST Microelectronics) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Accelern.sys -- (Acceler)
DRV - [2010/01/18 09:56:26 | 000,017,072 | ---- | M] (ST Microelectronics) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\stdfltn.sys -- (stdflt)
DRV - [2009/12/02 13:14:52 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\motmodem.sys -- (motmodem)
DRV - [2009/11/06 02:35:22 | 000,214,696 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1k6232.sys -- (e1kexpress) Intel(R)
DRV - [2009/11/03 19:40:42 | 000,033,832 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cvusbdrv.sys -- (cvusbdrv)
DRV - [2009/10/26 22:39:04 | 000,125,696 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Impcd.sys -- (Impcd)
DRV - [2009/09/17 16:54:14 | 000,041,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HECI.sys -- (HECI) Intel(R)
DRV - [2009/09/15 13:40:18 | 006,114,816 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5s32.sys -- (NETw5s32) Intel(R)
DRV - [2009/08/28 18:11:56 | 000,157,696 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\gtuhs62.sys -- (GTNDIS62)
DRV - [2009/08/12 14:14:22 | 000,067,840 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\gtuhsbus.sys -- (GTUHSBUS)
DRV - [2009/08/12 14:12:50 | 000,008,064 | ---- | M] (Option N.V.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\gtuhsser.sys -- (GTUHSSER)
DRV - [2009/07/23 16:02:56 | 000,043,008 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2009/07/13 21:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2009/07/13 21:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2009/07/13 21:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2009/07/13 19:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/13 19:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2009/07/13 19:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2008/08/22 12:05:42 | 000,026,760 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swmsflt.sys -- (swmsflt)
DRV - [2008/06/04 16:14:00 | 000,026,608 | ---- | M] (Dell Inc) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\PBADRV.sys -- (PBADRV)
DRV - [2007/02/15 08:00:00 | 000,026,624 | ---- | M] (DameWare) [Kernel | System | Running] -- C:\Windows\System32\drivers\dwvkbd.sys -- (dwvkbd)
DRV - [2007/02/07 08:00:00 | 000,003,712 | ---- | M] (DameWare Development, LLC) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\DamewareMini.sys -- (DwMirror)

Re: newsfudge and sirefef infections11th July 2012, 4:35 am

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = https://portal.amx.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = https://portal.amx.com/ [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7C 59 42 E6 E6 1E CB 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {6AB1E815-D618-4F7C-9C24-AE5BFC2E2A80}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{424F77C3-ABAD-4D13-9F14-8269535001DC}: "URL" = http://rover.ebay.com/rover/1/711-43047-14818-1/4?satitle={searchTerms}
IE - HKCU\..\SearchScopes\{46023A6C-7CBB-41CC-AB59-CD026B48F87A}: "URL" = http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&camp=1789&creative=9325&keywords={searchTerms}
IE - HKCU\..\SearchScopes\{6AB1E815-D618-4F7C-9C24-AE5BFC2E2A80}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
IE - HKCU\..\SearchScopes\{9CE3A70E-C7DD-431D-BB16-CC726A7EA035}: "URL" = http://cnet.search.com/search?chkpt=astg.cnet.fd.search.cnet&q={searchTerms}&tag=srch
IE - HKCU\..\SearchScopes\{DA133CF3-060D-4114-94C8-97943328CE96}: "URL" = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.0: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\slamb\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\slamb\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms},
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\slamb\AppData\Local\Google\Chrome\Application\18.0.1025.162\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\slamb\AppData\Local\Google\Chrome\Application\18.0.1025.162\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\slamb\AppData\Local\Google\Chrome\Application\18.0.1025.162\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\slamb\AppData\Local\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL
CHR - plugin: CANON iMAGE GATEWAY Album Plugin Utility (Enabled) = C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
CHR - plugin: RIM Handheld Application Loader (Enabled) = C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Java(TM) Platform SE 6 U31 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files\VideoLAN\VLC\npvlc.dll
CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - Extension: YouTube = C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: Gmail = C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2009/06/10 17:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AT&T Communication Manager] C:\Program Files\AT&T\Communication Manager\ATTCM.exe (ATT)
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [DameWare MRC Agent] C:\Windows\System32\DWRCST.EXE (DameWare Development)
O4 - HKLM..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.)
O4 - HKLM..\Run: [IMSS] C:\Program Files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe (Intel Corporation)
O4 - HKLM..\Run: [MSCRM] c:\Program Files\Microsoft Dynamics CRM\Client\ConfigWizard\CrmForOutlookInstaller.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\windows\System32\nvHotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\windows\System32\nwiz.exe ()
O4 - HKCU..\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe (Apple Inc.)
O4 - HKCU..\Run: [OfficeSyncProcess] C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000010 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000032 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000033 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000034 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000035 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: amx.com ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: amx.internal ([]* in Local intranet)
O15 - HKCU\..Trusted Domains: amxcrm4 ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: localhost ([]http in Trusted sites)
O16 - DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} http://reporting.amx.com/ReportServer/Reserved.ReportViewerWebControl.axd?ExecutionID=suf5cuiq4oirt045avimvr30&Culture=1033&CultureOverrides=False&UICulture=9&UICultureOverrides=False&ReportStack=1&ControlID=77c99ff0c10b461fa9456fb5ac0a8f36&OpType=PrintCab&Arch=X86 (RSClientPrint 2008 Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.webex.com/client/WBXclient-T27L10NSP25-10481/webex/ieatgpc1.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 71.242.0.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amx.internal
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0009E5B0-5AAD-465D-AC20-689742D989C1}: NameServer = 209.183.54.151 209.183.54.151
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2AB19DC5-0502-4C4D-8D98-E2DBF8E3EE68}: DhcpNameServer = 192.168.20.6 192.168.20.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3A371C06-0134-4901-B2C5-D5DD11942ADD}: DhcpNameServer = 66.174.71.33 69.78.96.14
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{50D594D0-DA95-4F83-91F0-E9D59E01E2FB}: NameServer = 209.183.33.23 209.183.35.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B862B451-AE99-4F2F-AF13-287D8558FFD9}: NameServer = 209.183.33.23 209.183.35.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D468AAD5-C53D-4A4F-843E-C026751D2C48}: NameServer = 209.183.33.23 209.183.35.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D9929A16-4C50-407B-8FF0-AE13983A6FFA}: DhcpNameServer = 192.168.1.1 71.242.0.12
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{92e1da99-8b5b-11df-a9ba-b8ac6f39f278}\Shell - "" = AutoRun
O33 - MountPoints2\{92e1da99-8b5b-11df-a9ba-b8ac6f39f278}\Shell\AutoRun\command - "" = "E:\WD SmartWare.exe" autoplay=true
O33 - MountPoints2\{f0554932-5150-11e1-924c-1c659df52a0f}\Shell - "" = AutoRun
O33 - MountPoints2\{f0554932-5150-11e1-924c-1c659df52a0f}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

MsConfig - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - File not found
MsConfig - StartUpReg: HotKeysCmds - hkey= - key= - File not found
MsConfig - StartUpReg: IgfxTray - hkey= - key= - File not found
MsConfig - StartUpReg: Persistence - hkey= - key= - File not found
MsConfig - StartUpReg: picon - hkey= - key= - C:\Program Files\Common Files\Intel\Privacy Icon\PIconStartup.exe ()
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - File not found
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: NTDS - File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vmms - Service
SafeBootMin: WinDefend - Service
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

Re: newsfudge and sirefef infections11th July 2012, 4:35 am

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo8 - C:\windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\windows\System32\iccvid.dll (Radius Inc.)

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Sharedaccess - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/07/10 21:19:52 | 000,043,480 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\drivers\hqsqinzl.sys
[2012/07/10 21:11:22 | 000,043,480 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\drivers\pgakyaic.sys
[2012/07/08 16:48:25 | 000,000,000 | -HSD | C] -- C:\windows\System32\%APPDATA%
[2012/06/19 10:15:07 | 002,422,272 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\wucltux.dll
[2012/06/19 10:15:07 | 000,045,080 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\wups2.dll
[2012/06/19 10:14:48 | 000,035,864 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\wups.dll
[2012/06/19 10:14:47 | 000,577,048 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\wuapi.dll
[2012/06/19 10:14:47 | 000,088,576 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\wudriver.dll
[2012/06/19 10:14:22 | 000,171,904 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\wuwebv.dll
[2012/06/19 10:14:22 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\wuapp.exe
[2012/06/17 15:36:09 | 000,000,000 | ---D | C] -- C:\Users\slamb\AppData\Local\{A2DAB419-123A-4ECC-A334-BB84B1256305}
[2012/06/13 01:02:12 | 000,627,200 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\msfeeds.dll
[2012/06/13 01:02:08 | 000,606,208 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\mstime.dll
[2012/06/13 01:02:08 | 000,381,440 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\iedkcs32.dll
[2012/06/13 01:02:08 | 000,185,856 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\iepeers.dll
[2012/06/13 01:02:08 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\ieui.dll
[2012/06/13 01:02:08 | 000,064,512 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\msfeedsbs.dll
[2012/06/13 01:02:07 | 000,386,048 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\html.iec
[2012/06/13 01:02:07 | 000,132,096 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\url.dll
[2012/06/13 01:02:07 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\jsproxy.dll
[2012/06/13 01:02:07 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\licmgr10.dll
[2012/06/13 01:02:07 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\msfeedssync.exe
[2012/06/13 01:02:06 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\mshtml.tlb
[2012/06/13 01:01:30 | 002,342,400 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\win32k.sys
[2012/06/13 01:01:28 | 000,129,536 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\rdpcorekmts.dll
[2012/06/13 01:01:28 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\rdpwsx.dll
[2012/06/13 01:01:28 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\rdrmemptylst.exe
[1 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/10 22:02:36 | 000,022,992 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/07/10 22:02:36 | 000,022,992 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/07/10 21:59:57 | 000,685,762 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2012/07/10 21:59:57 | 000,131,014 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2012/07/10 21:57:49 | 000,001,945 | ---- | M] () -- C:\windows\epplauncher.mif
[2012/07/10 21:55:26 | 000,000,880 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/07/10 21:55:01 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2012/07/10 21:54:57 | 2609,246,208 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/10 21:19:52 | 000,043,480 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\drivers\hqsqinzl.sys
[2012/07/10 21:11:24 | 000,043,480 | ---- | M] (Microsoft Corporation) -- C:\windows\System32\drivers\pgakyaic.sys
[2012/07/10 20:21:05 | 000,000,908 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-415701840-2084708928-925700815-16464UA.job
[2012/07/10 17:16:01 | 000,000,884 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/10 17:05:32 | 000,285,636 | ---- | M] () -- C:\Users\slamb\AppData\Local\census.cache
[2012/07/10 17:05:21 | 000,144,561 | ---- | M] () -- C:\Users\slamb\AppData\Local\ars.cache
[2012/07/09 22:21:00 | 000,000,856 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-415701840-2084708928-925700815-16464Core.job
[2012/07/03 12:37:40 | 235,870,959 | ---- | M] () -- C:\windows\MEMORY.DMP
[2012/07/01 22:53:40 | 000,002,359 | ---- | M] () -- C:\Users\slamb\Desktop\Google Chrome.lnk
[2012/06/28 00:04:46 | 000,034,268 | ---- | M] () -- C:\Users\slamb\Desktop\CRM Stages 2012.jpg
[2012/06/27 11:37:59 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\System32\FlashPlayerApp.exe
[2012/06/27 11:37:59 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\System32\FlashPlayerCPLApp.cpl
[2012/06/26 12:10:07 | 000,005,513 | ---- | M] () -- C:\Users\slamb\Desktop\Quote Questions.pdf
[2012/06/13 10:10:05 | 000,421,456 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT
[1 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/10 21:55:25 | 000,232,960 | ---- | C] () -- C:\windows\Installer\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\U\00000008.@
[2012/07/10 21:55:24 | 000,095,744 | ---- | C] () -- C:\windows\Installer\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\U\80000032.@
[2012/07/10 21:55:24 | 000,012,288 | ---- | C] () -- C:\windows\Installer\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\U\80000000.@
[2012/07/10 21:55:24 | 000,002,048 | ---- | C] () -- C:\windows\Installer\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\U\00000004.@
[2012/07/10 21:55:24 | 000,001,632 | ---- | C] () -- C:\windows\Installer\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\U\000000cb.@
[2012/07/10 17:05:32 | 000,285,636 | ---- | C] () -- C:\Users\slamb\AppData\Local\census.cache
[2012/07/10 17:05:21 | 000,144,561 | ---- | C] () -- C:\Users\slamb\AppData\Local\ars.cache
[2012/07/08 16:37:40 | 000,000,804 | ---- | C] () -- C:\windows\Installer\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\L\00000004.@
[2012/06/28 00:04:46 | 000,034,268 | ---- | C] () -- C:\Users\slamb\Desktop\CRM Stages 2012.jpg
[2012/06/26 12:10:18 | 000,005,513 | ---- | C] () -- C:\Users\slamb\Desktop\Quote Questions.pdf
[2012/03/12 17:50:24 | 000,038,543 | ---- | C] () -- C:\Users\slamb\AppData\Roaming\Tab Separated Values (Windows).ADR
[2012/03/12 17:49:17 | 000,038,541 | ---- | C] () -- C:\Users\slamb\AppData\Roaming\Comma Separated Values (Windows).ADR
[2012/01/20 02:02:18 | 000,000,218 | ---- | C] () -- C:\Users\slamb\.recently-used.xbel
[2012/01/11 10:07:31 | 000,002,048 | -HS- | C] () -- C:\windows\Installer\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\@
[2012/01/11 10:07:31 | 000,002,048 | -HS- | C] () -- C:\Users\slamb\AppData\Local\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\@
[2011/11/20 01:59:39 | 000,206,336 | ---- | C] () -- C:\windows\PCDLIB32.DLL
[2011/09/27 12:55:23 | 000,003,584 | ---- | C] () -- C:\Users\slamb\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/07/12 10:01:26 | 000,072,080 | ---- | C] () -- C:\Users\slamb\g2mdlhlpx.exe
[2011/03/12 19:53:48 | 000,000,000 | ---- | C] () -- C:\windows\HPMProp.INI
[2011/03/12 02:02:19 | 001,731,176 | ---- | C] () -- C:\windows\System32\nvwdmcpl.dll
[2011/03/12 02:02:19 | 001,657,448 | ---- | C] () -- C:\windows\System32\nwiz.exe
[2011/03/12 02:02:19 | 001,612,392 | ---- | C] () -- C:\windows\System32\nView.dll
[2011/03/12 02:02:19 | 001,108,584 | ---- | C] () -- C:\windows\System32\nvwimg.dll
[2011/03/12 02:02:19 | 000,473,704 | ---- | C] () -- C:\windows\System32\nvShell.dll
[2011/03/12 02:02:19 | 000,449,128 | ---- | C] () -- C:\windows\System32\nvAppBar.exe
[2011/03/12 02:02:19 | 000,262,248 | ---- | C] () -- C:\windows\System32\nViewSetup.exe
[2011/03/09 09:52:41 | 000,087,552 | ---- | C] () -- C:\windows\System32\cpwmon2k.dll
[2011/03/07 12:38:54 | 000,113,538 | ---- | C] () -- C:\ProgramData\EnvironmentDiagnostics.chm
[2011/03/07 11:57:06 | 000,000,480 | RHS- | C] () -- C:\Users\slamb\ntuser.pol
[2011/03/07 11:55:12 | 000,009,536 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/03/07 11:13:29 | 000,308,624 | ---- | C] () -- C:\windows\System32\brcmbsp.dll
[2011/03/07 11:13:29 | 000,206,216 | ---- | C] () -- C:\windows\System32\bipbsp.dll
[2011/03/07 11:13:04 | 000,080,368 | ---- | C] () -- C:\windows\System32\pbadrvdll.dll

========== Custom Scans ==========

< %AppData%\Roaming\Mozilla\Firefox\Profiles\*.default\extensions\ /s /md5 >

< %AppData%\Local\ >

< %systemroot%\system32\sysprep >
[1 C:\windows\system32\*.tmp files -> C:\windows\system32\*.tmp -> ]

< *.xpi /md5 >

< %systemroot%\Downloaded Program Files\ >

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Users\slamb\AppData\Local\Google\Chrome\Application\chrome.exe" --show-icons [2012/06/28 06:28:57 | 001,250,328 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Users\slamb\AppData\Local\Google\Chrome\Application\chrome.exe" --hide-icons [2012/06/28 06:28:57 | 001,250,328 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Users\slamb\AppData\Local\Google\Chrome\Application\chrome.exe" --make-default-browser [2012/06/28 06:28:57 | 001,250,328 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Users\slamb\AppData\Local\Google\Chrome\Application\chrome.exe" [2012/06/28 06:28:57 | 001,250,328 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\System32\ie4uinit.exe" -show [2009/07/13 21:14:21 | 000,176,128 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\System32\ie4uinit.exe" -reinstall [2009/07/13 21:14:21 | 000,176,128 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\System32\ie4uinit.exe" -hide [2009/07/13 21:14:21 | 000,176,128 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2012/04/20 01:08:37 | 000,672,856 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2012/04/20 01:08:37 | 000,672,856 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\ReinstallCommand: "C:\Program Files\Safari\Safari.exe" /reinstall [2012/04/25 10:36:36 | 002,388,336 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\HideIconsCommand: "C:\Program Files\Safari\Safari.exe" /hideicons [2012/04/25 10:36:36 | 002,388,336 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\ShowIconsCommand: "C:\Program Files\Safari\Safari.exe" /showicons [2012/04/25 10:36:36 | 002,388,336 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\shell\open\command\\: "C:\Program Files\Safari\Safari.exe" [2012/04/25 10:36:36 | 002,388,336 | ---- | M] (Apple Inc.)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Users\slamb\AppData\Local\Google\Chrome\Application\chrome.exe" --show-icons [2012/06/28 06:28:57 | 001,250,328 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Users\slamb\AppData\Local\Google\Chrome\Application\chrome.exe" --hide-icons [2012/06/28 06:28:57 | 001,250,328 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Users\slamb\AppData\Local\Google\Chrome\Application\chrome.exe" --make-default-browser [2012/06/28 06:28:57 | 001,250,328 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Users\slamb\AppData\Local\Google\Chrome\Application\chrome.exe" [2012/06/28 06:28:57 | 001,250,328 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\System32\ie4uinit.exe" -show [2009/07/13 21:14:21 | 000,176,128 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\System32\ie4uinit.exe" -reinstall [2009/07/13 21:14:21 | 000,176,128 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\System32\ie4uinit.exe" -hide [2009/07/13 21:14:21 | 000,176,128 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2012/04/20 01:08:37 | 000,672,856 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2012/04/20 01:08:37 | 000,672,856 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\ReinstallCommand: "C:\Program Files\Safari\Safari.exe" /reinstall [2012/04/25 10:36:36 | 002,388,336 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\HideIconsCommand: "C:\Program Files\Safari\Safari.exe" /hideicons [2012/04/25 10:36:36 | 002,388,336 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\ShowIconsCommand: "C:\Program Files\Safari\Safari.exe" /showicons [2012/04/25 10:36:36 | 002,388,336 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\shell\open\command\\: "C:\Program Files\Safari\Safari.exe" [2012/04/25 10:36:36 | 002,388,336 | ---- | M] (Apple Inc.)

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\system32\drivers\*.sys /90 >
[2012/07/10 21:19:52 | 000,043,480 | ---- | M] (Microsoft Corporation) -- C:\windows\system32\drivers\hqsqinzl.sys
[2012/07/10 21:11:24 | 000,043,480 | ---- | M] (Microsoft Corporation) -- C:\windows\system32\drivers\pgakyaic.sys
[2012/04/27 23:19:47 | 000,177,152 | ---- | M] (Microsoft Corporation) -- C:\windows\system32\drivers\rdpwd.sys

< %systemroot%\System32\config\*.sav >

< %SYSTEMDRIVE%\*.exe /md5 >
[2007/11/07 08:03:18 | 000,562,688 | ---- | M] (Microsoft Corporation) MD5=520A6D1CBCC9CF642C625FE814C93C58 -- C:\install.exe

Re: newsfudge and sirefef infections11th July 2012, 4:39 am

< "%WinDir%\$NtUninstallKB*$." /30 >

< %systemdrive%\Program Files\Common Files\ComObjects\*.* /s >

< %systemroot%\*. /mp /s >

< %systemroot%\*. /rp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/07/13 21:15:13 | 000,346,112 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\windows\system32\dxtmsft.dll
[2009/07/13 21:15:13 | 000,215,552 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\windows\system32\dxtrans.dll
[1 C:\windows\system32\*.tmp files -> C:\windows\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s >
[2012/04/26 04:58:52 | 000,082,926 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Certificate Revocation Lists
[2012/04/26 09:29:28 | 000,002,154 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Local State
[2012/04/26 08:35:49 | 007,025,216 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom
[2012/04/26 08:35:49 | 002,144,134 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom Filter 2
[2012/04/26 09:05:30 | 000,000,000 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom_new
[2012/04/26 08:35:50 | 000,134,356 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Safe Browsing Csd Whitelist
[2012/04/26 09:05:30 | 000,000,000 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Safe Browsing Csd Whitelist_new
[2012/04/26 08:35:48 | 001,295,776 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Safe Browsing Download
[2012/04/26 08:35:50 | 000,014,696 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Safe Browsing Download Whitelist
[2012/04/26 09:05:30 | 000,000,000 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Safe Browsing Download Whitelist_new
[2012/04/26 09:05:30 | 000,000,000 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Safe Browsing Download_new
[2012/04/26 09:29:29 | 000,933,888 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Archived History
[2012/02/18 12:15:00 | 000,000,757 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
[2012/02/18 12:15:00 | 000,000,757 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Bookmarks.bak
[2012/04/25 23:54:12 | 000,019,456 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cookies
[2012/04/25 23:53:57 | 000,035,458 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Current Session
[2012/04/25 23:53:55 | 000,035,013 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Current Tabs
[2012/04/25 23:48:02 | 000,036,864 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Favicons
[2012/04/25 15:06:50 | 000,150,798 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
[2012/04/26 09:29:29 | 004,968,448 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\History
[2012/04/26 09:29:29 | 002,850,816 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\History Index 2012-01
[2012/04/25 23:42:50 | 004,202,496 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\History Index 2012-02
[2012/03/26 14:22:07 | 000,045,056 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\History Index 2012-03
[2012/04/25 23:53:53 | 000,196,608 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\History Index 2012-04
[2012/04/26 09:29:28 | 000,247,707 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\History Provider Cache
[2012/04/25 23:48:16 | 000,127,876 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Last Session
[2012/04/25 23:48:16 | 000,025,613 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Last Tabs
[2012/02/18 12:15:01 | 000,012,288 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Login Data
[2012/04/25 15:06:50 | 000,024,576 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor
[2012/04/26 09:29:29 | 000,035,643 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Preferences
[2012/03/26 14:13:56 | 000,012,288 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Shortcuts
[2012/03/26 14:15:17 | 000,061,440 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Top Sites
[2012/04/25 23:48:17 | 000,262,160 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Visited Links
[2012/04/25 23:53:42 | 000,096,256 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Web Data
[2012/04/26 09:29:29 | 000,856,064 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0
[2012/04/26 09:29:29 | 016,621,568 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1
[2012/04/26 09:29:29 | 001,056,768 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2
[2012/04/26 09:29:29 | 265,822,208 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3
[2012/04/25 23:44:12 | 016,785,408 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\data_4
[2012/04/26 09:29:29 | 013,377,536 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\data_5
[2012/04/25 15:07:03 | 000,031,335 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00002f
[2012/04/25 15:07:06 | 000,082,343 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000031
[2012/04/25 15:07:11 | 000,918,494 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000032
[2012/04/25 15:08:09 | 000,019,481 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000048
[2012/04/25 23:37:28 | 000,040,718 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000060
[2012/04/25 23:37:28 | 000,078,525 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000061
[2012/04/25 23:37:28 | 000,016,538 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000062
[2012/04/25 23:37:28 | 000,022,145 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000063
[2012/04/25 23:37:28 | 000,017,082 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000064
[2012/04/25 23:37:28 | 000,021,211 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000065
[2012/04/25 23:37:28 | 000,040,975 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000066
[2012/04/25 23:37:28 | 000,025,144 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000067
[2012/04/25 23:37:28 | 000,028,745 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000068
[2012/04/25 23:37:28 | 000,028,658 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000069
[2012/04/25 23:37:28 | 000,035,922 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00006a
[2012/04/25 23:37:28 | 000,019,010 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00006b
[2012/04/25 23:37:28 | 000,019,794 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00006c
[2012/04/25 23:37:28 | 000,027,682 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00006d
[2012/04/25 23:37:48 | 000,020,074 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00006e
[2012/04/25 23:37:48 | 000,035,353 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00006f
[2012/04/25 23:37:48 | 000,045,149 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000070
[2012/04/25 23:38:59 | 000,025,970 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000071
[2012/04/25 23:38:59 | 000,087,782 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000072
[2012/04/25 23:39:01 | 000,254,148 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000073
[2012/04/25 23:39:01 | 000,017,365 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000074
[2012/04/25 23:39:02 | 000,022,486 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000075
[2012/04/25 23:39:03 | 000,047,497 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000076
[2012/04/25 23:39:04 | 000,168,501 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000077
[2012/04/25 23:39:26 | 000,018,974 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000078
[2012/04/25 23:39:26 | 000,043,524 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000079
[2012/04/25 23:39:26 | 000,078,525 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00007a
[2012/04/25 23:39:27 | 000,035,331 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00007b
[2012/04/25 23:39:27 | 000,267,566 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00007c
[2012/04/25 23:39:27 | 000,027,682 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00007d
[2012/04/25 23:39:33 | 000,168,501 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00007e
[2012/04/25 23:39:35 | 000,017,540 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00007f
[2012/04/25 23:39:35 | 000,064,375 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000080
[2012/04/25 23:39:35 | 000,053,730 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000081
[2012/04/25 23:39:48 | 000,119,876 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000082
[2012/04/25 23:40:05 | 000,046,785 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000083
[2012/04/25 23:40:05 | 000,022,592 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000084
[2012/04/25 23:40:23 | 000,020,278 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000085
[2012/04/25 23:40:23 | 000,082,974 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000086
[2012/04/25 23:40:24 | 000,060,930 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000087
[2012/04/25 23:40:24 | 000,023,882 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000088
[2012/04/25 23:40:24 | 000,029,745 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000089
[2012/04/25 23:40:25 | 000,019,942 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00008a
[2012/04/25 23:40:25 | 000,025,078 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00008b
[2012/04/25 23:40:25 | 000,025,332 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00008c
[2012/04/25 23:40:25 | 000,020,782 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00008d
[2012/04/25 23:40:25 | 000,024,327 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00008e
[2012/04/25 23:40:25 | 000,019,717 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00008f
[2012/04/25 23:40:25 | 000,026,918 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000090
[2012/04/25 23:42:28 | 000,016,461 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000091
[2012/04/25 23:42:28 | 000,017,046 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000092
[2012/04/25 23:43:40 | 000,033,142 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000094
[2012/04/25 23:43:53 | 000,021,207 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000095
[2012/04/25 23:43:53 | 000,046,488 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000096
[2012/04/25 23:43:53 | 000,105,708 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000097
[2012/04/25 23:43:54 | 000,074,239 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000098
[2012/04/25 23:43:54 | 000,036,010 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000099
[2012/04/25 23:43:54 | 000,043,468 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00009a
[2012/04/25 23:43:54 | 000,048,067 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00009b
[2012/04/25 23:43:54 | 000,024,412 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00009c
[2012/04/25 23:44:00 | 000,034,982 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00009d
[2012/04/25 23:44:00 | 000,019,858 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00009e
[2012/04/25 23:44:23 | 000,043,524 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00009f
[2012/04/25 23:44:23 | 000,019,504 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000a0
[2012/04/25 23:44:23 | 000,035,331 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000a1
[2012/04/25 23:44:23 | 000,059,539 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000a2
[2012/04/25 23:44:24 | 000,018,696 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000a3
[2012/04/25 23:45:04 | 000,017,583 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000a6
[2012/04/25 23:47:23 | 000,021,577 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000a8
[2012/04/25 23:47:23 | 000,021,459 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000a9
[2012/04/25 23:47:23 | 000,036,821 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000aa
[2012/04/25 23:47:23 | 000,021,339 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000ab
[2012/04/25 23:47:52 | 000,021,600 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0000ac
[2012/02/20 13:54:21 | 000,262,512 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Cache\index
[2012/02/18 17:03:17 | 000,003,524 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\128.png
[2012/02/18 17:03:17 | 000,000,745 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\manifest.json
[2012/02/18 17:03:17 | 000,000,401 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\ar\messages.json
[2012/02/18 17:03:17 | 000,000,427 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\bg\messages.json
[2012/02/18 17:03:17 | 000,000,250 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\ca\messages.json
[2012/02/18 17:03:17 | 000,000,255 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\cs\messages.json
[2012/02/18 17:03:17 | 000,000,242 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\da\messages.json
[2012/02/18 17:03:17 | 000,000,226 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\de\messages.json
[2012/02/18 17:03:17 | 000,000,475 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\el\messages.json
[2012/02/18 17:03:17 | 000,000,227 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\en\messages.json
[2012/02/18 17:03:17 | 000,000,240 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\es\messages.json
[2012/02/18 17:03:17 | 000,000,222 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\fi\messages.json
[2012/02/18 17:03:17 | 000,000,236 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\fil\messages.json
[2012/02/18 17:03:17 | 000,000,249 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\fr\messages.json
[2012/02/18 17:03:17 | 000,000,419 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\he\messages.json
[2012/02/18 17:03:17 | 000,000,408 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\hi\messages.json
[2012/02/18 17:03:17 | 000,000,220 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\hr\messages.json
[2012/02/18 17:03:17 | 000,000,253 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\hu\messages.json
[2012/02/18 17:03:17 | 000,000,231 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\id\messages.json
[2012/02/18 17:03:17 | 000,000,224 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\it\messages.json
[2012/02/18 17:03:17 | 000,000,349 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\ja\messages.json
[2012/02/18 17:03:17 | 000,000,323 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\ko\messages.json
[2012/02/18 17:03:17 | 000,000,266 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\lt\messages.json
[2012/02/18 17:03:17 | 000,000,245 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\lv\messages.json

Re: newsfudge and sirefef infections11th July 2012, 4:40 am

[2012/02/18 17:03:18 | 000,000,234 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\fil\messages.json
[2012/02/18 17:03:18 | 000,000,272 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\fr\messages.json
[2012/02/18 17:03:18 | 000,000,391 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\hi\messages.json
[2012/02/18 17:03:18 | 000,000,246 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\hr\messages.json
[2012/02/18 17:03:18 | 000,000,234 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\hu\messages.json
[2012/02/18 17:03:18 | 000,000,242 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\id\messages.json
[2012/02/18 17:03:18 | 000,000,260 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\it\messages.json
[2012/02/18 17:03:18 | 000,000,364 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\ja\messages.json
[2012/02/18 17:03:18 | 000,000,328 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\ko\messages.json
[2012/02/18 17:03:18 | 000,000,269 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\lt\messages.json
[2012/02/18 17:03:18 | 000,000,262 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\lv\messages.json
[2012/02/18 17:03:18 | 000,000,232 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\nl\messages.json
[2012/02/18 17:03:18 | 000,000,210 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\no\messages.json
[2012/02/18 17:03:18 | 000,000,292 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\pl\messages.json
[2012/02/18 17:03:18 | 000,000,230 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\pt_BR\messages.json
[2012/02/18 17:03:18 | 000,000,231 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\pt_PT\messages.json
[2012/02/18 17:03:18 | 000,000,281 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\ro\messages.json
[2012/02/18 17:03:18 | 000,000,482 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\ru\messages.json
[2012/02/18 17:03:18 | 000,000,210 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\se\messages.json
[2012/02/18 17:03:18 | 000,000,238 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\sk\messages.json
[2012/02/18 17:03:18 | 000,000,249 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\sl\messages.json
[2012/02/18 17:03:18 | 000,000,511 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\sr\messages.json
[2012/02/18 17:03:18 | 000,000,471 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\th\messages.json
[2012/02/18 17:03:18 | 000,000,250 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\tr\messages.json
[2012/02/18 17:03:18 | 000,000,536 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\uk\messages.json
[2012/02/18 17:03:18 | 000,000,257 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\vi\messages.json
[2012/02/18 17:03:18 | 000,000,339 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\zh_CN\messages.json
[2012/02/18 17:03:18 | 000,000,321 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\_locales\zh_TW\messages.json
[2 C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\*.tmp files -> C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\JumpListIcons\*.tmp -> ]
[2012/04/25 23:41:26 | 000,003,072 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-devtools_devtools_0.localstorage
[2012/04/25 23:47:59 | 000,003,072 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_plus.google.com_0.localstorage
[2012/04/25 23:39:05 | 000,004,096 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.youtube.com_0.localstorage
[2012/04/26 09:03:16 | 000,058,368 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\Sync Data\SyncData.sqlite3
[2012/02/18 12:14:57 | 000,000,000 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\Default\User StyleSheets\Custom.css
[2012/02/18 12:21:11 | 000,001,443 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\PepperFlash\11.1.31.203\manifest.json
[2012/02/18 12:21:11 | 007,761,920 | ---- | M] () -- C:\Users\slamb\AppData\Local\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll

< %USERPROFILE%\AppData\Local\ /s >

< %systemroot%\Installer\ /s >

< %systemroot%\system32\Cache\ /s >

< %systemroot%\system32\config\systemprofile\Application Data /s >

< %PROGRAMFILES%\*. >
[2011/03/09 09:52:40 | 000,000,000 | ---D | M] -- C:\Program Files\Acro Software
[2011/06/29 09:18:37 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2011/05/15 12:50:57 | 000,000,000 | ---D | M] -- C:\Program Files\AMX
[2012/05/13 19:05:44 | 000,000,000 | ---D | M] -- C:\Program Files\AMX Control Disc
[2012/03/23 14:49:55 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2011/05/09 14:16:38 | 000,000,000 | ---D | M] -- C:\Program Files\AT&T
[2012/01/29 13:46:01 | 000,000,000 | ---D | M] -- C:\Program Files\AVSnap
[2012/03/23 14:57:39 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2011/03/07 11:13:10 | 000,000,000 | ---D | M] -- C:\Program Files\Broadcom Corporation
[2011/03/12 16:15:07 | 000,000,000 | ---D | M] -- C:\Program Files\Canon
[2011/03/12 15:16:30 | 000,000,000 | -H-D | M] -- C:\Program Files\CanonBJ
[2011/07/12 10:01:41 | 000,000,000 | ---D | M] -- C:\Program Files\Citrix
[2012/05/14 13:44:24 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2011/03/07 11:31:11 | 000,000,000 | ---D | M] -- C:\Program Files\Dell
[2011/03/07 11:42:10 | 000,000,000 | ---D | M] -- C:\Program Files\DellTPad
[2011/05/15 12:53:57 | 000,000,000 | ---D | M] -- C:\Program Files\DIFX
[2009/07/14 03:27:30 | 000,000,000 | ---D | M] -- C:\Program Files\DVD Maker
[2011/03/07 11:12:48 | 000,000,000 | ---D | M] -- C:\Program Files\Fingerprint Sensor
[2011/09/21 19:13:11 | 000,000,000 | ---D | M] -- C:\Program Files\Garmin
[2011/11/12 02:11:32 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2011/03/09 09:53:09 | 000,000,000 | ---D | M] -- C:\Program Files\GPLGS
[2011/03/12 19:53:55 | 000,000,000 | ---D | M] -- C:\Program Files\Hewlett-Packard
[2011/03/07 11:39:12 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2011/03/07 11:44:28 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2012/06/13 10:08:08 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2012/04/03 21:43:38 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2012/04/03 21:44:30 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2011/10/29 10:49:50 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2011/03/29 12:19:59 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft
[2011/01/03 11:32:44 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Analysis Services
[2010/12/17 10:39:20 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2011/09/24 01:52:09 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Dynamics CRM
[2011/01/03 11:35:54 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2012/05/16 07:58:45 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2011/03/23 06:25:32 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft SQL Server
[2011/03/11 18:08:04 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft SQL Server Compact Edition
[2011/01/03 11:35:53 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Sync Framework
[2011/01/03 11:36:06 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Synchronization Services
[2011/03/07 12:33:43 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2011/01/03 11:36:27 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2011/05/20 10:51:45 | 000,000,000 | ---D | M] -- C:\Program Files\PANTECH
[2012/05/15 20:14:58 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2009/07/14 00:52:30 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2011/03/14 11:23:37 | 000,000,000 | ---D | M] -- C:\Program Files\Research In Motion
[2012/05/15 20:17:06 | 000,000,000 | ---D | M] -- C:\Program Files\Safari
[2011/03/09 16:35:15 | 000,000,000 | ---D | M] -- C:\Program Files\Sierra Wireless Inc
[2012/05/14 13:45:10 | 000,000,000 | R--D | M] -- C:\Program Files\Skype
[2011/03/07 11:39:12 | 000,000,000 | ---D | M] -- C:\Program Files\STMicroelectronics
[2011/03/29 14:11:39 | 000,000,000 | ---D | M] -- C:\Program Files\Times Reader
[2009/07/14 00:53:23 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2011/05/20 10:54:04 | 000,000,000 | ---D | M] -- C:\Program Files\Verizon Wireless
[2012/02/21 19:22:07 | 000,000,000 | ---D | M] -- C:\Program Files\VideoLAN
[2009/07/14 00:56:49 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Defender
[2012/05/11 09:59:25 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Journal
[2012/04/25 09:59:44 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live
[2010/12/17 10:42:26 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Mail
[2010/12/17 10:42:25 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2009/07/14 00:52:30 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2009/07/14 00:56:49 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Photo Viewer
[2009/07/14 00:52:32 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Portable Devices
[2009/07/14 00:56:49 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Sidebar

< %appdata%\*.* >
[2012/03/12 19:44:01 | 000,038,541 | ---- | M] () -- C:\Users\slamb\AppData\Roaming\Comma Separated Values (Windows).ADR
[2011/03/14 11:55:26 | 000,000,077 | ---- | M] () -- C:\Users\slamb\AppData\Roaming\Rim.Desktop.Exception.log
[2011/03/14 11:24:22 | 000,001,147 | ---- | M] () -- C:\Users\slamb\AppData\Roaming\Rim.Desktop.HttpServerSetup.log
[2012/03/12 19:45:03 | 000,038,543 | ---- | M] () -- C:\Users\slamb\AppData\Roaming\Tab Separated Values (Windows).ADR

Re: newsfudge and sirefef infections11th July 2012, 4:41 am

< MD5 for: AFD.SYS >
[2011/04/24 22:35:40 | 000,338,944 | ---- | M] (Microsoft Corporation) MD5=0DB7A48388D54D154EBEC120461A0FCD -- C:\Windows\System32\drivers\afd.sys
[2011/04/24 22:35:40 | 000,338,944 | ---- | M] (Microsoft Corporation) MD5=0DB7A48388D54D154EBEC120461A0FCD -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16802_none_d81220b5bf827af7\afd.sys
[2011/04/24 22:18:03 | 000,338,944 | ---- | M] (Microsoft Corporation) MD5=9EBBBA55060F786F0FCAA3893BFA2806 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_d9f97e05bca8003a\afd.sys
[2011/04/24 22:27:23 | 000,338,944 | ---- | M] (Microsoft Corporation) MD5=C114AB7A1550D42EA1700FFD4179CF5A -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.20951_none_d864ad9ad8c98d1f\afd.sys
[2011/04/24 23:24:09 | 000,338,944 | ---- | M] (Microsoft Corporation) MD5=C427F91A748CD342A2B3F9278D9FD6A5 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys
[2009/07/13 19:12:38 | 000,338,944 | ---- | M] (Microsoft Corporation) MD5=DDC040FDB01EF1712A6B13E52AFB104C -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_d7be98b5bfc0b4c1\afd.sys

< MD5 for: ATAPI.SYS >
[2009/07/13 21:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009/07/13 21:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys
[2009/07/13 21:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys

< MD5 for: CRYPTSVC.DLL >
[2009/07/13 21:15:07 | 000,135,680 | ---- | M] (Microsoft Corporation) MD5=9C231178CE4FB385F4B54B0A9080B8A4 -- C:\Windows\System32\cryptsvc.dll
[2009/07/13 21:15:07 | 000,135,680 | ---- | M] (Microsoft Corporation) MD5=9C231178CE4FB385F4B54B0A9080B8A4 -- C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.1.7600.16385_none_75d5ef87fc22e35a\cryptsvc.dll

< MD5 for: DNSRSLVR.DLL >
[2011/03/03 01:38:01 | 000,132,608 | ---- | M] (Microsoft Corporation) MD5=33EF4861F19A0736B11314AAD9AE28D0 -- C:\Windows\winsxs\x86_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17570_none_e3a50618e0cfbec0\dnsrslvr.dll
[2011/03/03 01:29:23 | 000,132,608 | ---- | M] (Microsoft Corporation) MD5=B15BE77A2BACF9C3177D27518AFE26A9 -- C:\Windows\System32\dnsrslvr.dll
[2011/03/03 01:29:23 | 000,132,608 | ---- | M] (Microsoft Corporation) MD5=B15BE77A2BACF9C3177D27518AFE26A9 -- C:\Windows\winsxs\x86_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7600.16772_none_e1c0a9a6e3a78582\dnsrslvr.dll
[2011/03/03 01:50:46 | 000,132,608 | ---- | M] (Microsoft Corporation) MD5=B3A0A4414D8EC1DD28018004CE8DCBEE -- C:\Windows\winsxs\x86_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7600.20914_none_e28d2873fc92ad7b\dnsrslvr.dll
[2009/07/13 21:15:12 | 000,132,608 | ---- | M] (Microsoft Corporation) MD5=D0722E963D3C6145446874241401B209 -- C:\Windows\winsxs\x86_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7600.16385_none_e1b8d300e3acf8dc\dnsrslvr.dll
[2011/03/03 01:12:25 | 000,132,608 | ---- | M] (Microsoft Corporation) MD5=F3501CA4E93BF218C71CF9DEECEE838F -- C:\Windows\winsxs\x86_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.21673_none_e431a3c1f9eaaa8f\dnsrslvr.dll

< MD5 for: ES.DLL >
[2012/06/28 06:27:57 | 000,008,216 | ---- | M] () MD5=8C4CBA187C451FAE0C9C1674B9C3AC39 -- C:\Users\slamb\AppData\Local\Google\Chrome\Application\20.0.1132.47\Locales\es.dll
[2012/06/07 04:13:44 | 000,008,216 | ---- | M] () MD5=99DE0F08708D5EB156CC2EFA41C1FF6E -- C:\Users\slamb\AppData\Local\Google\Chrome\Application\19.0.1084.56\Locales\es.dll
[2009/07/13 21:15:19 | 000,271,360 | ---- | M] (Microsoft Corporation) MD5=F6916EFC29D9953D5D0DF06882AE8E16 -- C:\Windows\System32\es.dll
[2009/07/13 21:15:19 | 000,271,360 | ---- | M] (Microsoft Corporation) MD5=F6916EFC29D9953D5D0DF06882AE8E16 -- C:\Windows\winsxs\x86_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.1.7600.16385_none_0cc3f540b311359a\es.dll

< MD5 for: EXPLORER.EXE >
[2009/07/13 21:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2009/10/31 01:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\explorer.exe
[2009/10/31 01:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe
[2009/08/03 01:49:47 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe
[2009/08/03 01:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe
[2009/10/31 02:00:51 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe

< MD5 for: IPNATHLP.DLL >
[2009/07/13 21:15:33 | 000,300,544 | ---- | M] (Microsoft Corporation) MD5=D1A079A0DE2EA524513B6930C24527A2 -- C:\Windows\System32\ipnathlp.dll
[2009/07/13 21:15:33 | 000,300,544 | ---- | M] (Microsoft Corporation) MD5=D1A079A0DE2EA524513B6930C24527A2 -- C:\Windows\winsxs\x86_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_04a3b4c9aa9fddd8\ipnathlp.dll

< MD5 for: NETBT.SYS >
[2009/07/13 19:12:21 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=DD52A733BF4CA5AF84562A5E2F963B91 -- C:\Windows\System32\drivers\netbt.sys
[2009/07/13 19:12:21 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=DD52A733BF4CA5AF84562A5E2F963B91 -- C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7600.16385_none_603b1e855897bcd6\netbt.sys

< MD5 for: NETMAN.DLL >
[2009/07/13 21:16:03 | 000,280,576 | ---- | M] (Microsoft Corporation) MD5=7CCCFCA7510684768DA22092D1FA4DB2 -- C:\Windows\System32\netman.dll
[2009/07/13 21:16:03 | 000,280,576 | ---- | M] (Microsoft Corporation) MD5=7CCCFCA7510684768DA22092D1FA4DB2 -- C:\Windows\winsxs\x86_microsoft-windows-netman_31bf3856ad364e35_6.1.7600.16385_none_0f9371b9b32368a4\netman.dll

< MD5 for: QMGR.DLL >
[2009/07/13 21:16:12 | 000,589,312 | ---- | M] (Microsoft Corporation) MD5=53F476476F55A27F580661BDE09C4EC4 -- C:\Windows\System32\qmgr.dll
[2009/07/13 21:16:12 | 000,589,312 | ---- | M] (Microsoft Corporation) MD5=53F476476F55A27F580661BDE09C4EC4 -- C:\Windows\winsxs\x86_microsoft-windows-bits-client_31bf3856ad364e35_6.1.7600.16385_none_23671b105ac5a0fd\qmgr.dll

< MD5 for: RPCSS.DLL >
[2009/07/13 21:16:13 | 000,376,320 | ---- | M] (Microsoft Corporation) MD5=B82CD39E336973359D7C9BF911E8E84F -- C:\Windows\System32\rpcss.dll
[2009/07/13 21:16:13 | 000,376,320 | ---- | M] (Microsoft Corporation) MD5=B82CD39E336973359D7C9BF911E8E84F -- C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll

< MD5 for: SERVICES.EXE >
[2009/07/13 21:14:36 | 000,259,072 | ---- | M] (Microsoft Corporation) MD5=5F1B6A9C35D3D5CA72D6D6FDEF9747D6 -- C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2012/07/10 21:53:22 | 000,259,072 | ---- | M] (Microsoft Corporation) MD5=A302BBFF2A7278C0E239EE5D471D86A9 -- C:\Windows\System32\services.exe

< MD5 for: SVCHOST.EXE >
[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\System32\svchost.exe
[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe

< MD5 for: TCPIP.SYS >
[2011/04/25 00:56:06 | 001,286,016 | ---- | M] (Microsoft Corporation) MD5=0158D5E9982E9D6A90DFC802F618E130 -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16802_none_b347f075c77b9c9d\tcpip.sys
[2011/06/21 01:34:23 | 001,290,624 | ---- | M] (Microsoft Corporation) MD5=04E4A7D53A7ACE02E8C55B17A498F631 -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17638_none_b513df73c4b4f466\tcpip.sys
[2011/09/29 12:02:44 | 001,301,872 | ---- | M] (Microsoft Corporation) MD5=22F7E7CBCA308DEE3428B097D4F8A61C -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.21060_none_b38e8546e0cbe4a1\tcpip.sys
[2011/04/25 00:31:30 | 001,290,624 | ---- | M] (Microsoft Corporation) MD5=24326784DF8F3D5F5BBB9F878CE33C14 -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17603_none_b52f4dc5c4a121e0\tcpip.sys
[2009/07/13 21:19:10 | 001,285,712 | ---- | M] (Microsoft Corporation) MD5=2CC3D75488ABD3EC628BBB9A4FC84EFC -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16385_none_b2f46875c7b9d667\tcpip.sys
[2011/09/29 12:17:18 | 001,303,920 | ---- | M] (Microsoft Corporation) MD5=3C1C41E317710F74CEC1E7F0D5325993 -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.21828_none_b5a84e10ddca7566\tcpip.sys
[2012/03/30 06:29:05 | 001,287,024 | ---- | M] (Microsoft Corporation) MD5=55E9965552741F3850CB22CBBA9671ED -- C:\Windows\System32\drivers\tcpip.sys
[2012/03/30 06:29:05 | 001,287,024 | ---- | M] (Microsoft Corporation) MD5=55E9965552741F3850CB22CBBA9671ED -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16986_none_b2f57423c7b8dea8\tcpip.sys
[2011/09/29 11:43:37 | 001,285,488 | ---- | M] (Microsoft Corporation) MD5=56C198AC82EFA622DD93E9E43575F79C -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16889_none_b2f8731bc7b62d86\tcpip.sys
[2010/04/09 03:16:33 | 001,289,096 | ---- | M] (Microsoft Corporation) MD5=5D6A83E928F22AF5AC9868B162FFAD0D -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.20687_none_b38009a0e0d5a32d\tcpip.sys
[2010/04/09 03:24:54 | 001,285,000 | ---- | M] (Microsoft Corporation) MD5=63170B9EE1D0EF0032F0408605671D1A -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16569_none_b30e0d41c7a5fe2f\tcpip.sys
[2011/09/29 12:03:04 | 001,290,608 | ---- | M] (Microsoft Corporation) MD5=65D10B191C59C5501A1263FC33F6894B -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17697_none_b4d1ffa1c4e682b5\tcpip.sys
[2011/04/25 02:31:09 | 001,301,376 | ---- | M] (Microsoft Corporation) MD5=6D4728CFF2724FF3A4654971D61D0F1C -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.21712_none_b5ad1a5addc7c444\tcpip.sys
[2012/03/30 06:23:11 | 001,291,632 | ---- | M] (Microsoft Corporation) MD5=7FA2E0F8B072BD04B77B421480B6CC22 -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17802_none_b52e5147c4a202d7\tcpip.sys
[2011/04/25 00:44:18 | 001,298,816 | ---- | M] (Microsoft Corporation) MD5=8861B9A06BA99C6E1D62D0C86DFAB86C -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.20951_none_b39a7d5ae0c2aec5\tcpip.sys
[2012/03/30 05:04:23 | 001,306,480 | ---- | M] (Microsoft Corporation) MD5=88FCDB9923EFECA207B3CEBD24407126 -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.21954_none_b583df0adde66104\tcpip.sys
[2011/06/21 01:30:45 | 001,301,376 | ---- | M] (Microsoft Corporation) MD5=93C444D118B184452132357C322124CD -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.20992_none_b3703df4e0e237e0\tcpip.sys
[2010/06/14 02:06:58 | 001,288,576 | ---- | M] (Microsoft Corporation) MD5=A39EA325C081AD27461F630C8E3E56E0 -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.20733_none_b3b219fae0b0af43\tcpip.sys
[2010/06/14 02:12:30 | 001,286,016 | ---- | M] (Microsoft Corporation) MD5=BB7F39C31C4A4417FD318E7CD184E225 -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16610_none_b33b1c29c7858b92\tcpip.sys
[2011/06/21 01:39:53 | 001,286,016 | ---- | M] (Microsoft Corporation) MD5=C2DAAEB48F3A47C410B041A0D2382EE1 -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.16839_none_b32e82b7c78da1d1\tcpip.sys
[2011/06/21 02:54:00 | 001,303,424 | ---- | M] (Microsoft Corporation) MD5=DEC4940487050AE13C60C86F40E07E75 -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.21754_none_b583db3edde666b6\tcpip.sys
[2012/03/30 06:08:19 | 001,303,408 | ---- | M] (Microsoft Corporation) MD5=E47C2844A1605A44178F4281E4D58B3D -- C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7600.21178_none_b38bb990e0ccc871\tcpip.sys

< MD5 for: TDX.SYS >
[2009/07/13 19:12:11 | 000,074,240 | ---- | M] (Microsoft Corporation) MD5=CB39E896A2A83702D1737BFD402B3542 -- C:\Windows\System32\drivers\tdx.sys
[2009/07/13 19:12:11 | 000,074,240 | ---- | M] (Microsoft Corporation) MD5=CB39E896A2A83702D1737BFD402B3542 -- C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys

< MD5 for: USERINIT.EXE >
[2009/07/13 21:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\System32\userinit.exe
[2009/07/13 21:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe

< MD5 for: VOLSNAP.SYS >
[2009/07/13 21:19:10 | 000,245,328 | ---- | M] (Microsoft Corporation) MD5=58DF9D2481A56EDDE167E51B334D44FD -- C:\Windows\System32\drivers\volsnap.sys
[2009/07/13 21:19:10 | 000,245,328 | ---- | M] (Microsoft Corporation) MD5=58DF9D2481A56EDDE167E51B334D44FD -- C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_29364d30156a24ca\volsnap.sys
[2009/07/13 21:19:10 | 000,245,328 | ---- | M] (Microsoft Corporation) MD5=58DF9D2481A56EDDE167E51B334D44FD -- C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e\volsnap.sys

< MD5 for: WININIT.EXE >
[2009/07/13 21:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\System32\wininit.exe
[2009/07/13 21:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe

< MD5 for: WINLOGON.EXE >
[2009/10/28 02:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\System32\winlogon.exe
[2009/10/28 02:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe
[2009/10/28 01:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe
[2009/07/13 21:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe

< MD5 for: WMISVC.DLL >
[2009/07/13 21:16:19 | 000,168,960 | ---- | M] (Microsoft Corporation) MD5=F62E510B6AD4C21EB9FE8668ED251826 -- C:\Windows\System32\wbem\WMIsvc.dll
[2009/07/13 21:16:19 | 000,168,960 | ---- | M] (Microsoft Corporation) MD5=F62E510B6AD4C21EB9FE8668ED251826 -- C:\Windows\winsxs\x86_microsoft-windows-wmi-core-svc_31bf3856ad364e35_6.1.7600.16385_none_a08911f35844b3ff\WMIsvc.dll

< MD5 for: WSCSVC.DLL >
[2009/07/13 21:16:20 | 000,073,728 | ---- | M] (Microsoft Corporation) MD5=6F5D49EFE0E7164E03AE773A3FE25340 -- C:\Windows\winsxs\x86_microsoft-windows-securitycenter-core_31bf3856ad364e35_6.1.7600.16385_none_1a16b3d6136c6bb2\wscsvc.dll
[2010/12/21 01:38:24 | 000,073,728 | ---- | M] (Microsoft Corporation) MD5=A661A76333057B383A06E65F0073222F -- C:\Windows\System32\wscsvc.dll
[2010/12/21 01:38:24 | 000,073,728 | ---- | M] (Microsoft Corporation) MD5=A661A76333057B383A06E65F0073222F -- C:\Windows\winsxs\x86_microsoft-windows-securitycenter-core_31bf3856ad364e35_6.1.7600.16723_none_1a559a62133d85fa\wscsvc.dll
[2010/12/21 01:29:14 | 000,073,728 | ---- | M] (Microsoft Corporation) MD5=FC6DB3FF10A271A83A2CAFB340120FC4 -- C:\Windows\winsxs\x86_microsoft-windows-securitycenter-core_31bf3856ad364e35_6.1.7600.20862_none_1ab2f7332c7c7c31\wscsvc.dll

< >

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 298 bytes -> C:\windows\System32\drivers\pgakyaic.sys:changelist
@Alternate Data Stream - 298 bytes -> C:\windows\System32\drivers\hqsqinzl.sys:changelist

< End of report >

Thank you so much for any help,
Stuart

Re: newsfudge and sirefef infections12th July 2012, 1:04 am

Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
You only have 5.91% free space on your C drive. Windows requires at least 15/5 (22Gb) free space in order to function properly. You will have to find some more free space or your computer will become non-functional. You can do this by uninstalling programs you no longer need or use. You can transfer music, videos, pictures and other important data to DVD's or another drive.

Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
************************************************************
SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

Download SuperAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:

•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
•Please leave the others unchecked

•Click the Close button to leave the control center screen.

* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes

•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
*Copy and Paste the log in your post.
*********************************************
newsfudge and sirefef infections Mbamicontw5

newsfudge and sirefef infections Mbamicontw5

Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: newsfudge and sirefef infections12th July 2012, 3:37 pm

Here is the info from checkup.txt and I am currently running the Superantispyware stuff:
Results of screen317's Security Check version 0.99.42
Windows 7 x86 (UAC is disabled!)
Out of date service pack!!
Internet Explorer 4 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Microsoft Security Essentials
(On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Java(TM) 6 Update 31
Java version out of Date!
Adobe Reader X (10.1.3)
Google Chrome 20.0.1132.47
Google Chrome 20.0.1132.57
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

Re: newsfudge and sirefef infections12th July 2012, 3:38 pm

Sorry - no here is the info from the checkup.txt box:
Results of screen317's Security Check version 0.99.42
Windows 7 x86 (UAC is disabled!)
Out of date service pack!!
Internet Explorer 4 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Microsoft Security Essentials
(On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Java(TM) 6 Update 31
Java version out of Date!
Adobe Reader X (10.1.3)
Google Chrome 20.0.1132.47
Google Chrome 20.0.1132.57
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

SuperAntiSpyware Scan Log12th July 2012, 6:19 pm

see attached for the log

Re: newsfudge and sirefef infections12th July 2012, 7:31 pm

colnagotifosi wrote:

see attached for the log

Please do not attach your logs. Just include them in your reply even if you need to make two or more posts to get them all in.

Re: newsfudge and sirefef infections13th July 2012, 3:27 am

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.12.09

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
slamb :: SLAMBA2436 [administrator]

Protection: Enabled

7/12/2012 2:35:31 PM
mbam-log-2012-07-12 (14-35-31).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 408210
Time elapsed: 2 hour(s), 55 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\slamb\AppData\Local\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\n. -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Windows\assembly\GAC\Desktop.ini (Trojan.0access) -> Delete on reboot.
C:\Windows\Installer\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\U\00000004.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\U\80000000.@ (Trojan.Sirefef) -> Quarantined and deleted successfully.

(end)

Re: newsfudge and sirefef infections13th July 2012, 3:28 am

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/12/2012 at 01:14 PM

Application Version : 5.5.1012

Core Rules Database Version : 8889
Trace Rules Database Version: 6701

Scan type : Complete Scan
Total Scan Time : 01:35:16

Operating System Information
Windows 7 Professional 32-bit (Build 6.01.7600)
UAC Off - Administrator

Memory items scanned : 781
Memory threats detected : 0
Registry items scanned : 37217
Registry threats detected : 0
File items scanned : 169999
File threats detected : 678

Adware.Tracking Cookie
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\slamb@adserver.newbay-media[1].txt [ /adserver.newbay-media ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\slamb@in.getclicky[1].txt [ /in.getclicky ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\slamb@twice.newbay-media[1].txt [ /twice.newbay-media ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\Z78LB5VL.txt [ /bs.serving-sys.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\WEZVGWR2.txt [ /c.gigcount.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\3MK1Y3WX.txt [ /liveperson.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\ZV2ZMJIM.txt [ /inrixtraffic.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\RDM4VV2X.txt [ /imrworldwide.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\BW1HXNJE.txt [ /countyofhowardmd.us ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\NPQ4W4OM.txt [ /122.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\9W1VO97R.txt [ /network.realmedia.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\DXNO321Q.txt [ /legolas-media.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\W7CA588Z.txt [ /yieldmanager.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\CCM50VXK.txt [ /eventbrite.122.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\LR8P08RC.txt [ /ar.atwola.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\7CM135XO.txt [ /kanoodle.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\83E6LZ4S.txt [ /accounts.google.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\T3CIZPTF.txt [ /questionmarket.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\C7K12Z0D.txt [ /liveperson.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\RCZ5MP6Z.txt [ /specificclick.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\6T2L6SK7.txt [ /accounts.youtube.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\BYQ22OLZ.txt [ /ad.wsod.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\08AFI2EX.txt [ /media6degrees.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\9EJFK3E6.txt [ /myaccount.maestroconference.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\JW3876S0.txt [ /traffic.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\R6WEG7KB.txt [ /adserving.autotrader.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\SW88DTHH.txt [ /adserver.adtechus.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\IEX30CQG.txt [ /ads.lycos.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\E617BBGD.txt [ /carfax.112.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\IPYNR2NV.txt [ /h.atdmt.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\V5RO4ADG.txt [ /pappasgroup.rotator.hadj7.adjuggler.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\K7JOO6OY.txt [ /interclick.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\EY8BMFEB.txt [ /advertising.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\0HA18HJT.txt [ /adtech.de ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\AXOC41MP.txt [ /verizontelecom.112.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\QCSHQA3A.txt [ /casalemedia.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\2G5BQQAV.txt [ /geconsumerfinance.112.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\FZ8CM0T1.txt [ /ad.360yield.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\XNBGFM8T.txt [ /ads.saymedia.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\GDAVFZVU.txt [ /insightexpressai.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\O08XHWX7.txt [ /adbrite.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\7F7XFPHE.txt [ /serving-sys.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\1IRQ7YR6.txt [ /ads.pointroll.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\PW3QG5VG.txt [ /pointroll.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\067J094U.txt [ /mediaplex.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\M9L2CN65.txt [ /ad.yieldmanager.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\FQ2O9G9F.txt [ /safelite.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\23A8DU3R.txt [ /247realmedia.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\01EO2UL7.txt [ /adinterax.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\IC9MMKKN.txt [ /roiservice.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\6OPQBZL3.txt [ /apmebf.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\L07GTUHF.txt [ /ehg-verizon.hitbox.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\ULVVNNON.txt [ /trafficmp.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\19SX4BBI.txt [ /at.atwola.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\XQW0DVQT.txt [ /stat.dealtime.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\IZR0IGU3.txt [ /tribalfusion.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\RW2L9FKG.txt [ /t5.trackalyzer.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\ZV6BD1RS.txt [ /advertising.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\IPLXGUO7.txt [ /statse.webtrendslive.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\QAMJ5IHO.txt [ /adxpose.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\8SZE3RT3.txt [ /atdmt.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\T9CK3DTY.txt [ /statcounter.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\Q1ODE6H7.txt [ /networldmedia.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\SVP1SQ6Z.txt [ /ads.undertone.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\NH4VP32O.txt [ /collective-media.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\NSTFNWQB.txt [ /ru4.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\EE3N7CAC.txt [ /trackalyzer.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\W14ASFMD.txt [ /overture.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\F908F3HC.txt [ /vortexmediagroup.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\4SVCGRLG.txt [ /atwola.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\56PRDZI2.txt [ /stats.paypal.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\GWQMXOBE.txt [ /inside.rotator.hadj1.adjuggler.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\5AYK4F84.txt [ /ewstv.112.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\9MY3918D.txt [ /dc.tremormedia.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\M8SHEUOR.txt [ /lucidmedia.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\LMYH0Y6I.txt [ /ads.pubmatic.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\Y76YT861.txt [ /linksynergy.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\QOPS2BTC.txt [ /uk.sitestat.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\3GNYQNAL.txt [ /postnewsweekmedia.112.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\JIXTRU0O.txt [ /steelhousemedia.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\Y0XBI9C4.txt [ /msnbc.112.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\1TS42ZGY.txt [ /mediaservices-d.openxenterprise.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\QA23LWYG.txt [ /mediageniusart.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\GHYI2TR5.txt [ /www.cellartracker.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\XEW50TVT.txt [ /amazon-adsystem.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\5E3LHGHD.txt [ /myroitracking.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\VO57I0XH.txt [ /usairways.112.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\PY9E8WE1.txt [ /c.atdmt.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\96523B42.txt [ /fastclick.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\QBCU44BC.txt [ /media.adfrontiers.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\ZGEPUK3M.txt [ /cellartracker.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\0H4YITPR.txt [ /pro-market.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\N97REE2W.txt [ /smartadserver.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\3RS08EOG.txt [ /s.clickability.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\4QCDBM0B.txt [ /clickbooth.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\2ADPFAWD.txt [ /dmtracker.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\6BNCOLXU.txt [ /a.intentmedia.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\M64K98YU.txt [ /lfstmedia.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\13VM8DAH.txt [ /martiniadnetwork.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\EDFLIBMH.txt [ /traveladvertising.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\ZDDNNA81.txt [ /ads.as4x.tmcs.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\8D8QQ14V.txt [ /revsci.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\D24BTC84.txt [ /hitbox.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\TDX39Z1P.txt [ /sonyelectronicssupportus.112.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\9GFLXORB.txt [ /rotator.adjuggler.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\GGUY53YI.txt [ /mediaforge.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\7CTPC1NV.txt [ /movieclipscom.122.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\Q0YGAB8D.txt [ /highbeam.122.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\GMI7E411.txt [ /www.bizrate.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\97LAJ0JY.txt [ /ad3.adfarm1.adition.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\O3GVZO8R.txt [ /e-2dj6wjlieiazabo.stats.esomniture.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\IRULQOLT.txt [ /media2.abc2news.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\U8DSZ2S6.txt [ /ads.wineenthusiast.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\E92PVMXF.txt [ /uk.sitestat.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\Z16QJAS6.txt [ /clicksor.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\FXYMKIV5.txt [ /liveperson.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\9MI6KXQ7.txt [ /e-2dj6wnliggdpccp.stats.esomniture.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\KBHXJPX8.txt [ /bizrate.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\17P58ORN.txt [ /ehg-airtran.hitbox.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\6KE3GNLR.txt [ /sales.liveperson.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\RFSVEW3Y.txt [ /www.dealtime.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\R4DQ3371.txt [ /kontera.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\33P1I2L1.txt [ /e-2dj6wnkyuhc5ieo.stats.esomniture.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\1VCMBTQS.txt [ /aimfar.solution.weborama.fr ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\GFP8JDK0.txt [ /www.googleadservices.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\IH30O6M7.txt [ /www.howardcountymd.gov ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\VJCVBZO0.txt [ /yahoogroups.112.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\TWN3E1LT.txt [ /media.performancebike.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\0L36Z2LX.txt [ /e-2dj6wjk4ggdpefp.stats.esomniture.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\PM6L1EOB.txt [ /ads.jiwire.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\D5YWKD24.txt [ /intermundomedia.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\E6KRTB5W.txt [ /ads.us.e-planning.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\Q73AMMYU.txt [ /xiti.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\4QSX7R2D.txt [ /www.burstnet.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\CIDUU1LN.txt [ /dealtime.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\CGBXS7UO.txt [ /tracking.hostgator.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\D26MDZ8M.txt [ /mycountdown.org ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\7IQXW650.txt [ /stats-newyork1.bloxcms.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\XG3S4X5O.txt [ /adlegend.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\OL99M3D6.txt [ /msnportal.112.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\75WTB2TU.txt [ /eyewonder.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\NS3JLC6E.txt [ /nandomedia.112.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\TYBPL5BS.txt [ /premiumtv.122.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\TWPNIBKG.txt [ /gntbcstglobal.112.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\2GXA9JH9.txt [ /mm.chitika.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\JJK9F1JI.txt [ /link.mercent.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\IU2AT6DU.txt [ /testdata.coremetrics.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\LUBJ09P2.txt [ /solvemedia.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\OH9M27MF.txt [ /ox-d.promediagrp.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\PVITDGOK.txt [ /invitemedia.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\LP6Q4G3Z.txt [ /hotwire.db.advertising.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\LQPBSX1R.txt [ /ads.as4x.tmcs.ticketmaster.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\3PJM1Q05.txt [ /a1.interclick.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\34CWCQX8.txt [ /leeenterprises.112.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\Z1BS1DN1.txt [ /liveperson.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\MSSTFM81.txt [ /doubleclick.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\61FP7R1A.txt [ /click.get-answers-fast.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\EW7LZR3M.txt [ /ads.bleepingcomputer.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\9TLQUUM1.txt [ /rocknroadcyclery.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\8B4KLKNG.txt [ /tacoda.at.atwola.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\4S163G5D.txt [ /stats.townnews.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\4ZWO7FEL.txt [ /ad2.adfarm1.adition.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\J39VLOKW.txt [ /zedo.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\ZGN7WRJD.txt [ /southwestairlines.112.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\NZFSI2GD.txt [ /adfarm1.adition.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\LP6UIYFN.txt [ /pubads.g.doubleclick.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\9TQGYJ80.txt [ /triseptsolutions.122.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\K1A7SYO8.txt [ /evite.112.2o7.net ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\OB59WMTU.txt [ /realmedia.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\Q8Z3F63M.txt [ /ads.bridgetrack.com ]
C:\Users\slamb\AppData\Roaming\Microsoft\Windows\Cookies\DFWRPECT.txt [ /liveperson.net ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\1M5TLG7L.txt [ Cookie:slamb@adsonar.com/adserving ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\0QFQ5740.txt [ Cookie:slamb@blogs.babble.com/strollerderby/wp-content/plugins/pixelstats/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\OVC51Y8T.txt [ Cookie:slamb@data.coremetrics.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\6QJ66GJS.txt [ Cookie:slamb@yahoogroups.112.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\HG0QTXWJ.txt [ Cookie:slamb@atwola.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\JYADZKP9.txt [ Cookie:slamb@intermundomedia.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\QT8C63FV.txt [ Cookie:slamb@adsonar.com/adserving ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\MB7LJDQG.txt [ Cookie:slamb@dc.tremormedia.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\CZEWNUEE.txt [ Cookie:slamb@mediabrandsww.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\VCWDWQ06.txt [ Cookie:slamb@imrworldwide.com/cgi-bin ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\QDP5GGFA.txt [ Cookie:slamb@lucidmedia.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\436580I5.txt [ Cookie:slamb@doubleclick.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\A1BEO1HD.txt [ Cookie:slamb@pointscom.122.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\6QPN26J4.txt [ Cookie:slamb@yieldmanager.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\HCMWNS0F.txt [ Cookie:slamb@ar.atwola.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\GUR3UYAE.txt [ Cookie:slamb@anrtx.tacoda.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\JN3XRN1D.txt [ Cookie:slamb@questionmarket.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\C4RBB3PE.txt [ Cookie:slamb@specificclick.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\WZZISLPQ.txt [ Cookie:slamb@2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\99X2X125.txt [ Cookie:slamb@fastclick.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\7MSOWCD0.txt [ Cookie:slamb@in.getclicky.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\U8V61AHD.txt [ Cookie:slamb@google.com/accounts/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\YP13E656.txt [ Cookie:slamb@media6degrees.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\UZL2ZEY2.txt [ Cookie:slamb@pro-market.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\YK1OKS0L.txt [ Cookie:slamb@gsimedia.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\YEH8AHU9.txt [ Cookie:slamb@adserver.adtechus.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\CH065QNV.txt [ Cookie:slamb@h.atdmt.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\34VK60UK.txt [ Cookie:slamb@interclick.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\3G9ZN4TN.txt [ Cookie:slamb@snapfish.112.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\0HGP0R7K.txt [ Cookie:slamb@adtech.de/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\5LWO3EAH.txt [ Cookie:slamb@adlegend.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\4UVWTXMF.txt [ Cookie:slamb@casalemedia.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\DRYWCDFQ.txt [ Cookie:slamb@hyatt.112.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\4IE2QETD.txt [ Cookie:slamb@securetrack22.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\TLYOXDLS.txt [ Cookie:slamb@insightexpressai.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\K9JMZR5Z.txt [ Cookie:slamb@dmtracker.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\IY0M3B2C.txt [ Cookie:slamb@a.intentmedia.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\D1C13RYU.txt [ Cookie:slamb@zedo.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\1YTOYDPQ.txt [ Cookie:slamb@lfstmedia.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\0JYFMJZQ.txt [ Cookie:slamb@ads.pointroll.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\FHAQJMTA.txt [ Cookie:slamb@mediaplex.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\CHONARXR.txt [ Cookie:slamb@support.mediafire.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\M1O35R6F.txt [ Cookie:slamb@ad.yieldmanager.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\9W4YM19G.txt [ Cookie:slamb@eyewonder.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\E2XM93OI.txt [ Cookie:slamb@skyscanner.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\J2ZYKHJE.txt [ Cookie:slamb@adinterax.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\6RT6LHNL.txt [ Cookie:slamb@liveperson.net/hc/44153975 ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\7RBRL1K8.txt [ Cookie:slamb@liveperson.net/hc/36005843 ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\N3QFDWBA.txt [ Cookie:slamb@trafficmp.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\883DISEC.txt [ Cookie:slamb@112.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\O1QAXA0D.txt [ Cookie:slamb@google.com/accounts/recovery/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\C740E68R.txt [ Cookie:slamb@stpetersburgtimes.122.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\H71FG8CL.txt [ Cookie:slamb@at.atwola.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\904WCDR5.txt [ Cookie:slamb@tribalfusion.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\BCFFFKJ3.txt [ Cookie:slamb@invitemedia.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\H4398DS5.txt [ Cookie:slamb@liveperson.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\07YMSTWR.txt [ Cookie:slamb@statse.webtrendslive.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\NY1Y9QVC.txt [ Cookie:slamb@citi.bridgetrack.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\EOTHC9PF.txt [ Cookie:slamb@statcounter.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\T0M8E16I.txt [ Cookie:slamb@www.skyscanner.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\PLPDMVR5.txt [ Cookie:slamb@collective-media.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\UVMR9IYY.txt [ Cookie:slamb@ru4.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\OWZUPFW5.txt [ Cookie:slamb@a1.interclick.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\001BCDGQ.txt [ Cookie:slamb@cbsdigitalmedia.112.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\2S78JB9R.txt [ Cookie:slamb@bs.serving-sys.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\15GV5BX5.txt [ Cookie:slamb@i4commerce.112.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\R6SLTECD.txt [ Cookie:slamb@www.skyscanner.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\54STGX14.txt [ Cookie:slamb@findthebest.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\B0X68D2X.txt [ Cookie:slamb@liveperson.net/hc/7599417 ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\A75KJGGB.txt [ Cookie:slamb@countyofhowardmd.us/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\CHNH5D66.txt [ Cookie:slamb@akamai.interclickproxy.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\5Q5JW9SV.txt [ Cookie:slamb@counter.hitslink.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\BJU30EHA.txt [ Cookie:slamb@e-2dj6wjkyeid5eaq.stats.esomniture.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\FCKH9A8O.txt [ Cookie:slamb@liveperson.net/hc/45882586 ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\7QU4YMSX.txt [ Cookie:slamb@e-2dj6wmkyekdjeho.stats.esomniture.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\H241QEE0.txt [ Cookie:slamb@accounts.youtube.com/accounts ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\3AZMLSU6.txt [ Cookie:slamb@media.adfrontiers.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\PMAETW2X.txt [ Cookie:slamb@skyscanner.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\LOZQ6KIS.txt [ Cookie:slamb@videos.mediaite.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\IDVGF31E.txt [ Cookie:slamb@adserver.sandowmedia.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\8XO8549X.txt [ Cookie:slamb@stats.talkingpointsmemo.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\AVMYFJR2.txt [ Cookie:slamb@ad10.walklightmedia.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\U8I8WV92.txt [ Cookie:slamb@viewablemedia.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\YHXCSEFB.txt [ Cookie:slamb@eas.apm.emediate.eu/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\J5HWPFYS.txt [ Cookie:slamb@mtvn.112.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\ZWA50UVY.txt [ Cookie:slamb@martiniadnetwork.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\QRVOLYB7.txt [ Cookie:slamb@www.google.com/accounts ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\YLCQQBEU.txt [ Cookie:slamb@hitbox.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\K6SUBSJS.txt [ Cookie:slamb@safelite.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\4RI1R6OC.txt [ Cookie:slamb@resources.baltimorecountymd.gov/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\PT634HMV.txt [ Cookie:slamb@indieclick.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\ZT9CMYMS.txt [ Cookie:slamb@stat.dealtime.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\607WVMT7.txt [ Cookie:slamb@uk.sitestat.com/future/cyclingnews/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\SWK6CZRU.txt [ Cookie:slamb@ehg-dreyfus.hitbox.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\1BWU6APO.txt [ Cookie:slamb@ads.bridgetrack.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\UTEQO29B.txt [ Cookie:slamb@reunioncom.112.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\Q4RLI6XZ.txt [ Cookie:slamb@www.safelite.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\J6OZGK1Q.txt [ Cookie:slamb@ad.yieldmanager.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\4XIGL0IG.txt [ Cookie:slamb@e-2dj6aekiejazsfp.stats.esomniture.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\R6T1PQCF.txt [ Cookie:slamb@optimize.indieclick.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\78Z0S7XO.txt [ Cookie:slamb@surveymonkey.122.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\KJDTQ6FS.txt [ Cookie:slamb@mediafire.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\3IU5AYNT.txt [ Cookie:slamb@stats.paypal.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\V7AKK71Z.txt [ Cookie:slamb@northstartravelmedia.d1.sc.omtrdc.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\W5L64DWS.txt [ Cookie:slamb@baltimorecountymd.gov/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\9KMNNSKF.txt [ Cookie:slamb@liveperson.net/hc/29295087 ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\QE1DGQ9R.txt [ Cookie:slamb@www.tyrrellcountygis.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\IGU7OBTD.txt [ Cookie:slamb@xiti.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\4O5QP7UB.txt [ Cookie:slamb@msnbc.112.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\XZ33IK1H.txt [ Cookie:slamb@findaspring.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\MG6QRSNN.txt [ Cookie:slamb@amazon-adsystem.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\XJ8HQXE4.txt [ Cookie:slamb@liveperson.net/hc/92040368 ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\695LV22F.txt [ Cookie:slamb@pgm.rotator.hadj7.adjuggler.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\JGJ6P0AG.txt [ Cookie:slamb@paypal.112.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\6UX9TE37.txt [ Cookie:slamb@ox.mediabistro.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\VN17LJHU.txt [ Cookie:slamb@nextag.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\BUI39UM0.txt [ Cookie:slamb@lumberliquidators.112.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\VGI24EXA.txt [ Cookie:slamb@verizontelecom.112.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\KLCXILUH.txt [ Cookie:slamb@geconsumerfinance.112.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\9OSRA0GO.txt [ Cookie:slamb@clickbooth.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\C6BSRF4G.txt [ Cookie:slamb@static.freewebs.getclicky.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\RXHZ4AR4.txt [ Cookie:slamb@mediaforge.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\RO0TKHGS.txt [ Cookie:slamb@liveperson.net/hc/LPfaucetdepot ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\QE1KJFYX.txt [ Cookie:slamb@e-2dj6wflispazohp.stats.esomniture.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\AWOSSJ36.txt [ Cookie:slamb@www.bizrate.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\H9BU9UBY.txt [ Cookie:slamb@ad3.adfarm1.adition.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\8DT8O3FT.txt [ Cookie:slamb@ehg-verizon.hitbox.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\WL16JQTJ.txt [ Cookie:slamb@sdctrack2.thomasnet.com/dcswownlk00000gkmr5w3q0yk_3d4c ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\LHO05PR1.txt [ Cookie:slamb@e-2dj6wjlieiazabo.stats.esomniture.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\GQGE08AU.txt [ Cookie:slamb@liveperson.net/hc/71062525 ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\TKZLKQSG.txt [ Cookie:slamb@e-2dj6aemiakdzmao.stats.esomniture.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\H7HTGCTM.txt [ Cookie:slamb@bizrate.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\AKW9VIF2.txt [ Cookie:slamb@domedia.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\W7JZMU37.txt [ Cookie:slamb@e-2dj6wjl4chd5kbp.stats.esomniture.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\R933A2JG.txt [ Cookie:slamb@cabinetdiscounters.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\5E6TMCDO.txt [ Cookie:slamb@microsoftsto.112.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\WKFALTY1.txt [ Cookie:slamb@peoplefinders.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\36TVC9Q4.txt [ Cookie:slamb@fidelity.rotator.hadj7.adjuggler.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\4BIEWYUM.txt [ Cookie:slamb@t4.trackalyzer.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\WVV6I7RV.txt [ Cookie:slamb@hc2.humanclick.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\JFIB9K50.txt [ Cookie:slamb@www.googleadservices.com/pagead/conversion/1070316017/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\1ZWG1S76.txt [ Cookie:slamb@inside.rotator.hadj1.adjuggler.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\K88JQY3U.txt [ Cookie:slamb@dinehowardcounty.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\8DGS3AX1.txt [ Cookie:slamb@e-2dj6aeliwmcpcap.stats.esomniture.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\TXQBCLD2.txt [ Cookie:slamb@burstnet.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\YMATD7OL.txt [ Cookie:slamb@liveperson.net/hc/13045352 ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\GUGREX2L.txt [ Cookie:slamb@liveperson.net/hc/70582249 ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\HCMK6WQD.txt [ Cookie:slamb@e-2dj6wfkigjczmkq.stats.esomniture.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\FI4SDNN9.txt [ Cookie:slamb@support.google.com/accounts/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\ZLQGXB67.txt [ Cookie:slamb@media.ford.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\OY9IJ1EM.txt [ Cookie:slamb@d.mediaforge.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\1861N1N6.txt [ Cookie:slamb@bonniercorp.122.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\1EGNIMKU.txt [ Cookie:slamb@volvocarsofna.112.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\5Q3R08UU.txt [ Cookie:slamb@e-2dj6wjnywkajsbq.stats.esomniture.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\SVPKDYC2.txt [ Cookie:slamb@azjmp.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\3J5R9O4L.txt [ Cookie:slamb@ict.infinity-tracking.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\PQ5S9VWV.txt [ Cookie:slamb@msnportal.112.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\VBULDCED.txt [ Cookie:slamb@premiumtv.122.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\2NGXE8BA.txt [ Cookie:slamb@e-2dj6wnlisocpweq.stats.esomniture.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\G4NHII07.txt [ Cookie:slamb@e-2dj6ael4ahcpwap.stats.esomniture.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\LZMNK5QN.txt [ Cookie:slamb@www.peoplefinders.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\9MDQ34X7.txt [ Cookie:slamb@greensboronewsrecord.112.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\4YAZBTXA.txt [ Cookie:slamb@homestore.122.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\XH5RL12W.txt [ Cookie:slamb@e-2dj6wfloaodjofo.stats.esomniture.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\LHYHL1ST.txt [ Cookie:slamb@vortexmediagroup.com/advertpro ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\2JG0ARIE.txt [ Cookie:slamb@www.howardcountymd.gov/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\J7QR76SK.txt [ Cookie:slamb@steelhousemedia.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\T6KOO5QI.txt [ Cookie:slamb@e-2dj6wflikpd5keo.stats.esomniture.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\71TEEWAD.txt [ Cookie:slamb@server.iad.liveperson.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\3FR7JRQ4.txt [ Cookie:slamb@superpages.122.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\5UC47KCE.txt [ Cookie:slamb@z.blogads.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\832VF5ZQ.txt [ Cookie:slamb@cellartracker.com/ ]

Re: newsfudge and sirefef infections13th July 2012, 3:38 am

C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\832VF5ZQ.txt [ Cookie:slamb@cellartracker.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\Y2Y9Z4MZ.txt [ Cookie:slamb@uk.sitestat.com/future/triathlon/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\DEY49QRM.txt [ Cookie:slamb@liveperson.net/hc/73524265 ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\89JPXCI4.txt [ Cookie:slamb@newsday.122.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\YXN4Q08D.txt [ Cookie:slamb@liveperson.net/hc/20182383 ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\SAQHM4F7.txt [ Cookie:slamb@adfarm1.adition.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\3H6B34IZ.txt [ Cookie:slamb@carfax.112.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\RVVMF3JY.txt [ Cookie:slamb@amazonwebstore.122.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\2OACDJRB.txt [ Cookie:slamb@amazonmerchants.122.2o7.net/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\MID17NWH.txt [ Cookie:slamb@e-2dj6wjlyqndjwcq.stats.esomniture.com/ ]
C:\USERS\SLAMB\AppData\Roaming\Microsoft\Windows\Cookies\Low\W381ZCOR.txt [ Cookie:slamb@trackalyzer.com/ ]
C:\USERS\SLAMB\Cookies\Z78LB5VL.txt [ Cookie:slamb@bs.serving-sys.com/ ]
C:\USERS\SLAMB\Cookies\WEZVGWR2.txt [ Cookie:slamb@c.gigcount.com/ ]
C:\USERS\SLAMB\Cookies\3MK1Y3WX.txt [ Cookie:slamb@liveperson.net/hc/18262047 ]
C:\USERS\SLAMB\Cookies\1M5TLG7L.txt [ Cookie:slamb@adsonar.com/adserving ]
C:\USERS\SLAMB\Cookies\ZV2ZMJIM.txt [ Cookie:slamb@inrixtraffic.com/ ]
C:\USERS\SLAMB\Cookies\RDM4VV2X.txt [ Cookie:slamb@imrworldwide.com/cgi-bin ]
C:\USERS\SLAMB\Cookies\BW1HXNJE.txt [ Cookie:slamb@countyofhowardmd.us/ ]
C:\USERS\SLAMB\Cookies\NPQ4W4OM.txt [ Cookie:slamb@122.2o7.net/ ]
C:\USERS\SLAMB\Cookies\W7CA588Z.txt [ Cookie:slamb@yieldmanager.net/ ]
C:\USERS\SLAMB\Cookies\LR8P08RC.txt [ Cookie:slamb@ar.atwola.com/ ]
C:\USERS\SLAMB\Cookies\7CM135XO.txt [ Cookie:slamb@kanoodle.com/ ]
C:\USERS\SLAMB\Cookies\T3CIZPTF.txt [ Cookie:slamb@questionmarket.com/ ]
C:\USERS\SLAMB\Cookies\slamb@in.getclicky[1].txt [ Cookie:slamb@in.getclicky.com/ ]
C:\USERS\SLAMB\Cookies\RCZ5MP6Z.txt [ Cookie:slamb@specificclick.net/ ]
C:\USERS\SLAMB\Cookies\6T2L6SK7.txt [ Cookie:slamb@accounts.youtube.com/accounts ]
C:\USERS\SLAMB\Cookies\08AFI2EX.txt [ Cookie:slamb@media6degrees.com/ ]
C:\USERS\SLAMB\Cookies\9EJFK3E6.txt [ Cookie:slamb@myaccount.maestroconference.com/ ]
C:\USERS\SLAMB\Cookies\R6WEG7KB.txt [ Cookie:slamb@adserving.autotrader.com/ ]
C:\USERS\SLAMB\Cookies\SW88DTHH.txt [ Cookie:slamb@adserver.adtechus.com/ ]
C:\USERS\SLAMB\Cookies\E617BBGD.txt [ Cookie:slamb@carfax.112.2o7.net/ ]
C:\USERS\SLAMB\Cookies\IPYNR2NV.txt [ Cookie:slamb@h.atdmt.com/ ]
C:\USERS\SLAMB\Cookies\V5RO4ADG.txt [ Cookie:slamb@pappasgroup.rotator.hadj7.adjuggler.net/ ]
C:\USERS\SLAMB\Cookies\K7JOO6OY.txt [ Cookie:slamb@interclick.com/ ]
C:\USERS\SLAMB\Cookies\0HA18HJT.txt [ Cookie:slamb@adtech.de/ ]
C:\USERS\SLAMB\Cookies\AXOC41MP.txt [ Cookie:slamb@verizontelecom.112.2o7.net/ ]
C:\USERS\SLAMB\Cookies\QCSHQA3A.txt [ Cookie:slamb@casalemedia.com/ ]
C:\USERS\SLAMB\Cookies\2G5BQQAV.txt [ Cookie:slamb@geconsumerfinance.112.2o7.net/ ]
C:\USERS\SLAMB\Cookies\XNBGFM8T.txt [ Cookie:slamb@ads.saymedia.com/ ]
C:\USERS\SLAMB\Cookies\GDAVFZVU.txt [ Cookie:slamb@insightexpressai.com/ ]
C:\USERS\SLAMB\Cookies\1IRQ7YR6.txt [ Cookie:slamb@ads.pointroll.com/ ]
C:\USERS\SLAMB\Cookies\067J094U.txt [ Cookie:slamb@mediaplex.com/ ]
C:\USERS\SLAMB\Cookies\M9L2CN65.txt [ Cookie:slamb@ad.yieldmanager.com/ ]

Re: newsfudge and sirefef infections13th July 2012, 3:42 am

C:\USERS\SLAMB\Cookies\FQ2O9G9F.txt [ Cookie:slamb@safelite.com/ ]
C:\USERS\SLAMB\Cookies\01EO2UL7.txt [ Cookie:slamb@adinterax.com/ ]
C:\USERS\SLAMB\Cookies\L07GTUHF.txt [ Cookie:slamb@ehg-verizon.hitbox.com/ ]
C:\USERS\SLAMB\Cookies\ULVVNNON.txt [ Cookie:slamb@trafficmp.com/ ]
C:\USERS\SLAMB\Cookies\19SX4BBI.txt [ Cookie:slamb@at.atwola.com/ ]
C:\USERS\SLAMB\Cookies\XQW0DVQT.txt [ Cookie:slamb@stat.dealtime.com/ ]
C:\USERS\SLAMB\Cookies\IZR0IGU3.txt [ Cookie:slamb@tribalfusion.com/ ]
C:\USERS\SLAMB\Cookies\IPLXGUO7.txt [ Cookie:slamb@statse.webtrendslive.com/ ]
C:\USERS\SLAMB\Cookies\T9CK3DTY.txt [ Cookie:slamb@statcounter.com/ ]
C:\USERS\SLAMB\Cookies\Q1ODE6H7.txt [ Cookie:slamb@networldmedia.net/ ]
C:\USERS\SLAMB\Cookies\NH4VP32O.txt [ Cookie:slamb@collective-media.net/ ]
C:\USERS\SLAMB\Cookies\NSTFNWQB.txt [ Cookie:slamb@ru4.com/ ]
C:\USERS\SLAMB\Cookies\EE3N7CAC.txt [ Cookie:slamb@trackalyzer.com/ ]
C:\USERS\SLAMB\Cookies\F908F3HC.txt [ Cookie:slamb@vortexmediagroup.com/advertpro ]
C:\USERS\SLAMB\Cookies\4SVCGRLG.txt [ Cookie:slamb@atwola.com/ ]
C:\USERS\SLAMB\Cookies\56PRDZI2.txt [ Cookie:slamb@stats.paypal.com/ ]
C:\USERS\SLAMB\Cookies\GWQMXOBE.txt [ Cookie:slamb@inside.rotator.hadj1.adjuggler.net/ ]
C:\USERS\SLAMB\Cookies\5AYK4F84.txt [ Cookie:slamb@ewstv.112.2o7.net/ ]
C:\USERS\SLAMB\Cookies\9MY3918D.txt [ Cookie:slamb@dc.tremormedia.com/ ]
C:\USERS\SLAMB\Cookies\M8SHEUOR.txt [ Cookie:slamb@lucidmedia.com/ ]
C:\USERS\SLAMB\Cookies\Y76YT861.txt [ Cookie:slamb@linksynergy.com/ ]
C:\USERS\SLAMB\Cookies\3GNYQNAL.txt [ Cookie:slamb@postnewsweekmedia.112.2o7.net/ ]
C:\USERS\SLAMB\Cookies\JIXTRU0O.txt [ Cookie:slamb@steelhousemedia.com/ ]
C:\USERS\SLAMB\Cookies\Y0XBI9C4.txt [ Cookie:slamb@msnbc.112.2o7.net/ ]
C:\USERS\SLAMB\Cookies\XEW50TVT.txt [ Cookie:slamb@amazon-adsystem.com/ ]
C:\USERS\SLAMB\Cookies\5E3LHGHD.txt [ Cookie:slamb@myroitracking.com/ ]
C:\USERS\SLAMB\Cookies\96523B42.txt [ Cookie:slamb@fastclick.net/ ]
C:\USERS\SLAMB\Cookies\QBCU44BC.txt [ Cookie:slamb@media.adfrontiers.com/ ]
C:\USERS\SLAMB\Cookies\ZGEPUK3M.txt [ Cookie:slamb@cellartracker.com/ ]
C:\USERS\SLAMB\Cookies\0H4YITPR.txt [ Cookie:slamb@pro-market.net/ ]
C:\USERS\SLAMB\Cookies\3RS08EOG.txt [ Cookie:slamb@s.clickability.com/ ]
C:\USERS\SLAMB\Cookies\4QCDBM0B.txt [ Cookie:slamb@clickbooth.com/ ]
C:\USERS\SLAMB\Cookies\2ADPFAWD.txt [ Cookie:slamb@dmtracker.com/ ]
C:\USERS\SLAMB\Cookies\6BNCOLXU.txt [ Cookie:slamb@a.intentmedia.net/ ]
C:\USERS\SLAMB\Cookies\M64K98YU.txt [ Cookie:slamb@lfstmedia.com/ ]
C:\USERS\SLAMB\Cookies\13VM8DAH.txt [ Cookie:slamb@martiniadnetwork.com/ ]
C:\USERS\SLAMB\Cookies\D24BTC84.txt [ Cookie:slamb@hitbox.com/ ]
C:\USERS\SLAMB\Cookies\GGUY53YI.txt [ Cookie:slamb@mediaforge.com/ ]
C:\USERS\SLAMB\Cookies\7CTPC1NV.txt [ Cookie:slamb@movieclipscom.122.2o7.net/ ]
C:\USERS\SLAMB\Cookies\GMI7E411.txt [ Cookie:slamb@www.bizrate.com/ ]
C:\USERS\SLAMB\Cookies\97LAJ0JY.txt [ Cookie:slamb@ad3.adfarm1.adition.com/ ]
C:\USERS\SLAMB\Cookies\O3GVZO8R.txt [ Cookie:slamb@e-2dj6wjlieiazabo.stats.esomniture.com/ ]
C:\USERS\SLAMB\Cookies\IRULQOLT.txt [ Cookie:slamb@media2.abc2news.com/html/widgets/ ]
C:\USERS\SLAMB\Cookies\E92PVMXF.txt [ Cookie:slamb@uk.sitestat.com/future/cyclingnews/ ]
C:\USERS\SLAMB\Cookies\Z16QJAS6.txt [ Cookie:slamb@clicksor.com/ ]
C:\USERS\SLAMB\Cookies\FXYMKIV5.txt [ Cookie:slamb@liveperson.net/ ]
C:\USERS\SLAMB\Cookies\9MI6KXQ7.txt [ Cookie:slamb@e-2dj6wnliggdpccp.stats.esomniture.com/ ]
C:\USERS\SLAMB\Cookies\KBHXJPX8.txt [ Cookie:slamb@bizrate.com/ ]
C:\USERS\SLAMB\Cookies\RFSVEW3Y.txt [ Cookie:slamb@www.dealtime.com/ ]
C:\USERS\SLAMB\Cookies\33P1I2L1.txt [ Cookie:slamb@e-2dj6wnkyuhc5ieo.stats.esomniture.com/ ]
C:\USERS\SLAMB\Cookies\1VCMBTQS.txt [ Cookie:slamb@aimfar.solution.weborama.fr/ ]
C:\USERS\SLAMB\Cookies\IH30O6M7.txt [ Cookie:slamb@www.howardcountymd.gov/ ]
C:\USERS\SLAMB\Cookies\VJCVBZO0.txt [ Cookie:slamb@yahoogroups.112.2o7.net/ ]
C:\USERS\SLAMB\Cookies\TWN3E1LT.txt [ Cookie:slamb@media.performancebike.com/ ]
C:\USERS\SLAMB\Cookies\0L36Z2LX.txt [ Cookie:slamb@e-2dj6wjk4ggdpefp.stats.esomniture.com/ ]
C:\USERS\SLAMB\Cookies\D5YWKD24.txt [ Cookie:slamb@intermundomedia.com/ ]
C:\USERS\SLAMB\Cookies\Q73AMMYU.txt [ Cookie:slamb@xiti.com/ ]
C:\USERS\SLAMB\Cookies\CGBXS7UO.txt [ Cookie:slamb@tracking.hostgator.com/ ]
C:\USERS\SLAMB\Cookies\D26MDZ8M.txt [ Cookie:slamb@mycountdown.org/ ]

Re: newsfudge and sirefef infections13th July 2012, 3:55 am

C:\USERS\SLAMB\Cookies\CGBXS7UO.txt [ Cookie:slamb@tracking.hostgator.com/ ]
C:\USERS\SLAMB\Cookies\D26MDZ8M.txt [ Cookie:slamb@mycountdown.org/ ]
C:\USERS\SLAMB\Cookies\7IQXW650.txt [ Cookie:slamb@stats-newyork1.bloxcms.com/stltoday.com/ ]
C:\USERS\SLAMB\Cookies\XG3S4X5O.txt [ Cookie:slamb@adlegend.com/ ]
C:\USERS\SLAMB\Cookies\OL99M3D6.txt [ Cookie:slamb@msnportal.112.2o7.net/ ]
C:\USERS\SLAMB\Cookies\75WTB2TU.txt [ Cookie:slamb@eyewonder.com/ ]
C:\USERS\SLAMB\Cookies\TYBPL5BS.txt [ Cookie:slamb@premiumtv.122.2o7.net/ ]
C:\USERS\SLAMB\Cookies\TWPNIBKG.txt [ Cookie:slamb@gntbcstglobal.112.2o7.net/ ]
C:\USERS\SLAMB\Cookies\LUBJ09P2.txt [ Cookie:slamb@solvemedia.com/ ]
C:\USERS\SLAMB\Cookies\OH9M27MF.txt [ Cookie:slamb@ox-d.promediagrp.com/ ]
C:\USERS\SLAMB\Cookies\0QFQ5740.txt [ Cookie:slamb@blogs.babble.com/strollerderby/wp-content/plugins/pixelstats/ ]
C:\USERS\SLAMB\Cookies\PVITDGOK.txt [ Cookie:slamb@invitemedia.com/ ]
C:\USERS\SLAMB\Cookies\LP6Q4G3Z.txt [ Cookie:slamb@hotwire.db.advertising.com/ ]
C:\USERS\SLAMB\Cookies\3PJM1Q05.txt [ Cookie:slamb@a1.interclick.com/ ]
C:\USERS\SLAMB\Cookies\34CWCQX8.txt [ Cookie:slamb@leeenterprises.112.2o7.net/ ]
C:\USERS\SLAMB\Cookies\Z1BS1DN1.txt [ Cookie:slamb@liveperson.net/hc/29295087 ]
C:\USERS\SLAMB\Cookies\MSSTFM81.txt [ Cookie:slamb@doubleclick.net/ ]
C:\USERS\SLAMB\Cookies\61FP7R1A.txt [ Cookie:slamb@click.get-answers-fast.com/ads-clicktrack/click/ ]
C:\USERS\SLAMB\Cookies\9TLQUUM1.txt [ Cookie:slamb@rocknroadcyclery.net/ ]
C:\USERS\SLAMB\Cookies\4S163G5D.txt [ Cookie:slamb@stats.townnews.com/lacrossetribune.com/ ]
C:\USERS\SLAMB\Cookies\J39VLOKW.txt [ Cookie:slamb@zedo.com/ ]
C:\USERS\SLAMB\Cookies\ZGN7WRJD.txt [ Cookie:slamb@southwestairlines.112.2o7.net/ ]
C:\USERS\SLAMB\Cookies\NZFSI2GD.txt [ Cookie:slamb@adfarm1.adition.com/ ]
C:\USERS\SLAMB\Cookies\9TQGYJ80.txt [ Cookie:slamb@triseptsolutions.122.2o7.net/ ]
C:\USERS\SLAMB\Cookies\Q8Z3F63M.txt [ Cookie:slamb@ads.bridgetrack.com/ ]
C:\USERS\SLAMB\Cookies\DFWRPECT.txt [ Cookie:slamb@liveperson.net/hc/75182960 ]

Re: newsfudge and sirefef infections13th July 2012, 3:58 am

.doubleclick.net [ C:\USERS\SLAMB\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
accounts.youtube.com [ C:\USERS\SLAMB\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.doubleclick.net [ C:\USERS\SLAMB\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
accounts.google.com [ C:\USERS\SLAMB\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
accounts.google.com [ C:\USERS\SLAMB\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
a.ads2.msads.net [ C:\USERS\SLAMB\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\HQ5PZRLK ]
ad.insightexpressai.com [ C:\USERS\SLAMB\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\HQ5PZRLK ]

Re: newsfudge and sirefef infections13th July 2012, 4:01 am

ad.insightexpressai.com [ C:\USERS\SLAMB\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\HQ5PZRLK ]
cdn.eyewonder.com [ C:\USERS\SLAMB\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\HQ5PZRLK ]
cdn.insights.gravity.com [ C:\USERS\SLAMB\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\HQ5PZRLK ]
cdn.tremormedia.com [ C:\USERS\SLAMB\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\HQ5PZRLK ]

Re: newsfudge and sirefef infections13th July 2012, 4:09 am

I keep trying to paste the rest of the SuperAntiSpyware Scan Log and it keeps telling me I do not have access tot hat page - even when I only cut and paste one line of it. That is why I had done the attachment. Suggestions?

Re: newsfudge and sirefef infections13th July 2012, 5:39 pm

Help! Did the Superanti-SPyware and Malware installations and scans and removals as you indicated but the virues are still there, I know, because they are still hijacking my browser off and on. What next? Haven't heard from anyone in a day or so. Tried to copy and paste the Superanitspyware scan log but after I got half or 3/4 of the way through it in multiple posts (because it kept not allowing me to send larger portions), I get to lines where it won't let me send even one line without saying I don't have access to that page. That was why I originally attached the log. What do I do next?

Re: newsfudge and sirefef infections13th July 2012, 6:52 pm

Trying to post the remainder of the SuperAntiSpyware log file but it is hanging up now and says:

"You haven't got the rights to access this page"

It doesn't say "Your Post is too long" it is saying I don't have rights.
Do I have to start a new topic or are you in the file blocking it?
Thanks, Stuart

Re: newsfudge and sirefef infections13th July 2012, 10:01 pm

It doesn't say "Your Post is too long" it is saying I don't have rights.
Do I have to start a new topic or are you in the file blocking it?
Thanks, Stuart

It just a hiccup with the site. If it continues, just attach the logs.

Please download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

newsfudge and sirefef infections AswMBR_Scan

newsfudge and sirefef infections AswMBR_Scan

Click the "Scan" button to start scan

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives

newsfudge and sirefef infections AswMBR_SaveLog

newsfudge and sirefef infections AswMBR_SaveLog

On completion of the scan click save log, save it to your desktop and post in your next reply
*************************************************
Download Combofix from any of the links below, and save it to your DESKTOP.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

Close any open windows and double click ComboFix.exe to run it.

You will see the following image:

newsfudge and sirefef infections NSIS_disclaimer_ENG

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:

newsfudge and sirefef infections NSIS_extraction

newsfudge and sirefef infections NSIS_extraction

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.

newsfudge and sirefef infections RcAuto1

newsfudge and sirefef infections RcAuto1

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

newsfudge and sirefef infections Whatnext

newsfudge and sirefef infections Whatnext

Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

Re: newsfudge and sirefef infections14th July 2012, 2:14 am

New, second running of aswMBR files below. Now running ComboFix

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-13 21:17:24
-----------------------------
21:17:24.180 OS Version: Windows 6.1.7600
21:17:24.180 Number of processors: 4 586 0x2505
21:17:24.180 ComputerName: SLAMBA2436 UserName: slamb
21:17:47.597 Initialize success
21:18:49.179 AVAST engine defs: 12071301
21:19:07.448 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
21:19:07.448 Disk 0 Vendor: WDC_WD16 01.0 Size: 152627MB BusType: 8
21:19:07.463 Disk 0 MBR read successfully
21:19:07.463 Disk 0 MBR scan
21:19:07.463 Disk 0 Windows VISTA default MBR code
21:19:07.479 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 200 MB offset 2048
21:19:07.479 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 152425 MB offset 411648
21:19:07.495 Disk 0 scanning sectors +312578048
21:19:07.557 Disk 0 scanning C:\windows\system32\drivers
21:19:26.776 Service scanning
21:20:26.764 Modules scanning
21:21:01.757 Disk 0 trace - called modules:
21:21:01.788 ntkrnlpa.exe CLASSPNP.SYS disk.sys stdfltn.sys iaStorV.sys halmacpi.dll
21:21:01.804 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87b68030]
21:21:01.804 3 CLASSPNP.SYS[8cf9f59e] -> nt!IofCallDriver -> [0x87b673e0]
21:21:01.835 5 stdfltn.sys[8d1d070c] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x870ba028]
21:21:04.300 AVAST engine scan C:\windows
21:21:06.734 AVAST engine scan C:\windows\system32
21:22:49.970 File: C:\windows\assembly\GAC\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
21:23:49.143 AVAST engine scan C:\windows\system32\drivers
21:24:01.500 AVAST engine scan C:\Users\slamb
22:02:22.562 AVAST engine scan C:\ProgramData
22:07:14.137 Scan finished successfully
22:10:53.696 Disk 0 MBR has been saved successfully to "C:\Users\slamb\Documents\IT & Downloads\MBR.dat"
22:10:53.696 The log file has been saved successfully to "C:\Users\slamb\Documents\IT & Downloads\aswMBR 7-13.txt"

Re: newsfudge and sirefef infections14th July 2012, 3:38 am

OK, looking good. Had some problems getting ComboFix to run but finally booted up in Safe Mode and ran it successfully. Here is the log file after it ran.

ComboFix 12-07-13.03 - slamb 07/13/2012 23:05:27.1.4 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3318.2345 [GMT -4:00]
Running from: c:\users\slamb\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files\INSTALL.LOG
c:\users\slamb\g2mdlhlpx.exe
c:\windows\assembly\GAC\Desktop.ini
c:\windows\Installer\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\@
c:\windows\Installer\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\L\00000004.@
c:\windows\Installer\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\L\1afb2d56
c:\windows\Installer\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\L\201d3dde
c:\windows\Installer\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\U\00000004.@
c:\windows\Installer\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\U\00000008.@
c:\windows\Installer\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\U\000000cb.@
c:\windows\Installer\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\U\80000000.@
c:\windows\Installer\{6d78ef2d-0d08-895e-67d8-f43a6e45d28d}\U\80000032.@
c:\windows\system32\SET6979.tmp
.
Infected copy of c:\windows\system32\services.exe was found and disinfected
Restored copy from - c:\32788r22fwjfw\HarddiskVolumeShadowCopy3_!windows!winsxs!x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b!services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-14 to 2012-07-14 )))))))))))))))))))))))))))))))
.
.
2012-07-14 03:14 . 2012-07-14 03:21 -------- d-----w- c:\users\slamb\AppData\Local\temp
2012-07-14 03:14 . 2012-07-14 03:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-14 03:14 . 2012-07-14 03:14 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-07-14 02:37 . 2012-07-14 03:10 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E9AF10E9-AE78-42C6-881B-E8842DFC613B}\offreg.dll
2012-07-13 13:33 . 2012-06-12 02:44 2344448 ----a-w- c:\windows\system32\win32k.sys
2012-07-12 18:24 . 2012-07-12 18:24 -------- d-----w- c:\users\slamb\AppData\Roaming\Malwarebytes
2012-07-12 18:21 . 2012-07-12 18:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-12 18:21 . 2012-07-12 18:21 -------- d-----w- c:\programdata\Malwarebytes
2012-07-12 18:21 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-12 15:26 . 2012-07-12 15:26 -------- d-----w- c:\users\slamb\AppData\Roaming\SUPERAntiSpyware.com
2012-07-12 15:26 . 2012-07-12 15:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-07-12 15:26 . 2012-07-12 15:26 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-07-11 12:22 . 2012-06-02 04:51 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 12:22 . 2012-06-02 04:51 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-07-11 12:22 . 2012-06-02 04:50 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-07-11 12:22 . 2012-06-02 04:48 225280 ----a-w- c:\windows\system32\schannel.dll
2012-07-11 12:22 . 2012-06-02 04:47 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-11 12:22 . 2012-06-06 05:09 987136 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 12:22 . 2012-06-06 05:09 1389568 ----a-w- c:\windows\system32\msxml6.dll
2012-07-11 12:22 . 2012-06-06 05:09 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-07-11 12:22 . 2012-04-24 04:47 139264 ----a-w- c:\windows\system32\cryptsvc.dll
2012-07-11 12:22 . 2012-04-24 04:47 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-07-11 12:22 . 2012-04-24 04:47 1156608 ----a-w- c:\windows\system32\crypt32.dll
2012-07-11 01:19 . 2012-07-11 01:19 43480 ----a-w- c:\windows\system32\drivers\hqsqinzl.sys
2012-07-11 01:11 . 2012-07-11 01:11 43480 ----a-w- c:\windows\system32\drivers\pgakyaic.sys
2012-07-08 20:48 . 2012-07-08 20:48 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-06-19 14:15 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-19 14:15 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-19 14:15 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-19 14:15 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-19 14:14 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-19 14:14 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-19 14:14 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-19 14:14 . 2012-06-02 19:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-19 14:14 . 2012-06-02 19:12 33792 ----a-w- c:\windows\system32\wuapp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-27 15:37 . 2012-04-12 13:02 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-27 15:37 . 2011-05-25 12:13 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-15 03:08 . 2012-06-13 05:02 981504 ----a-w- c:\windows\system32\wininet.dll
2012-04-28 03:19 . 2012-06-13 05:02 177152 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-26 04:48 . 2012-06-13 05:01 57856 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-26 04:48 . 2012-06-13 05:01 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-26 04:43 . 2012-06-13 05:01 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-04-20 05:05 . 2012-06-13 05:02 44544 ----a-w- c:\windows\system32\licmgr10.dll
2012-04-20 03:58 . 2012-06-13 05:02 386048 ----a-w- c:\windows\system32\html.iec
2012-04-20 03:24 . 2012-06-13 05:02 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-19 00:56 . 2012-04-19 00:56 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-19 00:56 . 2012-04-19 00:56 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-04-18 07:06 . 2012-05-01 14:04 6734704 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E9AF10E9-AE78-42C6-881B-E8842DFC613B}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-22 718720]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-05-03 17355912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-21 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-21 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-21 169496]
"IMSS"="c:\program files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [2010-09-16 112152]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-06-04 292208]
"nwiz"="nwiz.exe" [2010-04-15 1657448]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-17 13838952]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2010-04-17 92776]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2508104]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-09-28 140640]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2012-02-23 59240]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2010-07-27 883272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"MSCRM"="c:\program files\Microsoft Dynamics CRM\Client\ConfigWizard\CrmForOutlookInstaller.exe" [2011-04-28 58216]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2009-02-04 78848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-415701840-2084708928-925700815-16464\Scripts\Logon\0\0]
"Script"=defaultlogin.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-415701840-2084708928-925700815-16464\Scripts\Logon\0\1]
"Script"=IEREG.VBS
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-415701840-2084708928-925700815-16464\Scripts\Logon\0\2]
"Script"=IE9_Blocker.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-415701840-2084708928-925700815-16464\Scripts\Logon\0\3]
"Script"=SPreg.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-415701840-2084708928-925700815-16464\Scripts\Logon\1\0]
"Script"=eastlogin.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-415701840-2084708928-925700815-16464\Scripts\Logon\1\1]
"Script"=itupeast.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2010-04-21 23:36 171032 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2010-04-21 23:36 136216 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2010-04-21 23:36 169496 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\picon]
2009-10-15 19:29 111640 ----a-w- c:\program files\Common Files\Intel\Privacy Icon\PIconStartup.exe
.
R1 yqdphmul;yqdphmul;c:\windows\system32\drivers\yqdphmul.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [x]
R3 CAATT;AT&T Con App Svc;c:\program files\AT&T\Communication Manager\ConAppsSvc.exe [x]
R3 GTNDIS62;GT62 Zero Config Driver;c:\windows\system32\DRIVERS\Gtuhs62.sys [x]
R3 GTUHSBUS;GT UHS BUS;c:\windows\system32\DRIVERS\gtuhsbus.sys [x]
R3 GTUHSSER;GT UHS SER;c:\windows\system32\DRIVERS\gtuhsser.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [x]
R3 MSSQL$CRM;SQL Server (CRM);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 PTUMLBUS;PTUML USB Composite Device Driver;c:\windows\system32\DRIVERS\PTUMLBUS.sys [x]
R3 PTUMLCVsp;PANTECH UML290 Connection Manager Port;c:\windows\system32\DRIVERS\PTUMLCVsp.sys [x]
R3 PTUMLMdm;PANTECH UML290;c:\windows\system32\DRIVERS\PTUMLMdm.sys [x]
R3 PTUMLNET61;PANTECH UML290 WWAN (NDIS6.1);c:\windows\system32\DRIVERS\PTUMLNET61.sys [x]
R3 PTUMLNVsp;PANTECH UML290 NMEA Port;c:\windows\system32\DRIVERS\PTUMLNVsp.sys [x]
R3 PTUMLRMNET;PANTECH UML290 RMNET Service;c:\windows\system32\DRIVERS\PTUMLRMNET.sys [x]
R3 PTUMLVsp;PANTECH UML290 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMLVsp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdfltn.sys [x]
S1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\DRIVERS\dwvkbd.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [x]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [x]
S2 CrmSqlStartupSvc;CrmSqlStartupSvc;c:\program files\Microsoft Dynamics CRM\Client\bin\CrmSqlStartupSvc.exe [x]
S2 InstallFilterService;FF Install Filter Service;c:\program files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 ptumlcmsvc;PTUML290 Connection Manager Service;c:\windows\system32\ptumlcmsvc.exe [x]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [x]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
S2 WMCoreService;Mobile Broadband Service;c:\program files\Dell\Dell WWAN\WMCore\mini_WMCore.exe servicemode [x]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [x]
S3 DwMirror;DwMirror;c:\windows\system32\DRIVERS\DamewareMini.sys [x]
S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - BMLoad
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-27 22:08]
.
2012-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-27 22:08]
.
2012-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-415701840-2084708928-925700815-16464Core.job
- c:\users\slamb\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-18 05:22]
.
2012-07-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-415701840-2084708928-925700815-16464UA.job
- c:\users\slamb\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-18 05:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: amxcrm4
Trusted Zone: localhost
TCP: DhcpNameServer = 192.168.1.1 71.242.0.12
TCP: Interfaces\{0009E5B0-5AAD-465D-AC20-689742D989C1}: NameServer = 209.183.54.151 209.183.54.151
TCP: Interfaces\{50D594D0-DA95-4F83-91F0-E9D59E01E2FB}: NameServer = 209.183.33.23 209.183.35.23
TCP: Interfaces\{B862B451-AE99-4F2F-AF13-287D8558FFD9}: NameServer = 209.183.33.23 209.183.35.23
TCP: Interfaces\{D468AAD5-C53D-4A4F-843E-C026751D2C48}: NameServer = 209.183.33.23 209.183.35.23
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} - hxxp://reporting.amx.com/ReportServer/Reserved.ReportViewerWebControl.axd?ExecutionID=suf5cuiq4oirt045avimvr30&Culture=1033&CultureOverrides=False&UICulture=9&UICultureOverrides=False&ReportStack=1&ControlID=77c99ff0c10b461fa9456fb5ac0a8f36&OpType=PrintCab&Arch=X86
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-USBLAN - c:\program files\AMX\USBLAN\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3640)
c:\windows\System32\nview.dll
c:\windows\system32\nvapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CISVC.EXE
c:\windows\SYSTEM32\DWRCS.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Dell\Dell WWAN\WMCore\mini_WMCore.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Apple\Apple Application Support\distnoted.exe
c:\windows\system32\conhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\cidaemon.exe
.
**************************************************************************
.
Completion time: 2012-07-13 23:28:10 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-14 03:28
.
Pre-Run: 59,020,795,904 bytes free
Post-Run: 59,397,296,128 bytes free
.
- - End Of File - - B90951E46B587E9E3A95F6DE56F8F850

Re: newsfudge and sirefef infections14th July 2012, 4:38 am

Hi Superdave,
You rock. I think it is great these tools are out there and that you have figured out the method, sequence and which ones to use. I've used AntiMalWareBytes and SuperAntiSpyware before but didn't have them on this computer. They didn't work alone this time. ComboFix was a bit buggy but it did the trick when let alone finally. I reinstalled Windows Security Essentials and it ran a clean scan.

A year and a half on this computer and it was really bugged up. I hope there wern't any keyloggers or other bugs stealing my info. I contine to be unable to post the SuperAntiSpyware log as it says I don't have access. I'm going to set a schedule to run all of these programs in sequence monthly to stay ahead of this stuff.

It appears that the "redirect" (perhaps the 2nd or 3rd morph) has finally gone away and I can browse without being pushed to a weird looking site mimicking what I was recently searching for, I'm sure just bad crap there.

Thanks for your help, I'll let you know if I run into any problems. Is there anything else I should do other than just run each of these programs and see their results?

Thank you very much.
Regards,
Stuart aka colnagotifosi

Re: newsfudge and sirefef infections14th July 2012, 10:31 pm

Re-running ComboFix to remove infections:

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
c:\windows\system32\drivers\yqdphmul.sys

Firefox::
Trusted Zone: amxcrm4
Trusted Zone: localhost

DDS::
Trusted Zone: amxcrm4
Trusted Zone: localhost
Driver::
yqdphmul
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please post the contents of the log in your next reply.

***************************************************
Please run aswMBR.exe again and post the log.
We still have a few scans to run just be sure your computer is clean.

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
*******************************************************
SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
[list]
[*]Double click Sysprot.exe to start the program.
[*]Click on the Log tab.
[*]In the Write to log box select the following items.
[list]
[*] Process [color=red]

newsfudge and sirefef infections

descriptionnewsfudge and sirefef infections11th July 2012, 4:33 am

descriptionRe: newsfudge and sirefef infections11th July 2012, 4:35 am

descriptionRe: newsfudge and sirefef infections11th July 2012, 4:35 am

descriptionRe: newsfudge and sirefef infections11th July 2012, 4:39 am

descriptionRe: newsfudge and sirefef infections11th July 2012, 4:40 am

descriptionRe: newsfudge and sirefef infections11th July 2012, 4:41 am

descriptionRe: newsfudge and sirefef infections12th July 2012, 1:04 am

descriptionRe: newsfudge and sirefef infections12th July 2012, 3:37 pm

descriptionRe: newsfudge and sirefef infections12th July 2012, 3:38 pm

descriptionSuperAntiSpyware Scan Log12th July 2012, 6:19 pm

descriptionRe: newsfudge and sirefef infections12th July 2012, 7:31 pm

descriptionRe: newsfudge and sirefef infections13th July 2012, 3:27 am

descriptionRe: newsfudge and sirefef infections13th July 2012, 3:28 am

descriptionRe: newsfudge and sirefef infections13th July 2012, 3:38 am

descriptionRe: newsfudge and sirefef infections13th July 2012, 3:42 am

descriptionRe: newsfudge and sirefef infections13th July 2012, 3:55 am

descriptionRe: newsfudge and sirefef infections13th July 2012, 3:58 am

descriptionRe: newsfudge and sirefef infections13th July 2012, 4:01 am

descriptionRe: newsfudge and sirefef infections13th July 2012, 4:09 am

descriptionRe: newsfudge and sirefef infections13th July 2012, 5:39 pm

descriptionRe: newsfudge and sirefef infections13th July 2012, 6:52 pm

descriptionRe: newsfudge and sirefef infections13th July 2012, 10:01 pm

descriptionRe: newsfudge and sirefef infections14th July 2012, 2:14 am

descriptionRe: newsfudge and sirefef infections14th July 2012, 3:38 am

descriptionRe: newsfudge and sirefef infections14th July 2012, 4:38 am

descriptionRe: newsfudge and sirefef infections14th July 2012, 10:31 pm

descriptionRe: newsfudge and sirefef infections