TechSpot

Problem with 8-steps. (TrendMicro flags files and prohibits downloads)

By Rwolf01
Mar 24, 2011
  1. I have TrendMicro OfficeScan on my machine. (The IT guys at work require it if you are going to connect via VPN. I can't uninstall or disable it, since all settings are PWD protected...)

    I updated & ran that for step 1. (also installed & ran their mail scanner)

    For Step 2, when I go to download TFC.exe, TrendMicro blocks it.

    I looked up the site http://oldtimer.geekstogo.com/TFC.exe on their site http://global.sitesafety.trendmicro.com and it said:

    Is it safe? Dangerous: The latest tests indicate that this site contains malicious software or could defraud visitors.

    How would you categorize this site? Disease Vector: Sites that directly or indirectly facilitate the distribution of malicious software or source code .

    I guess they don't like free competition... :)

    Any suggestions? Should I be concerned that TFC.exe is actual malware?
     
  2. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    For now, I'm using CCleaner instead.

    Just to keep going with the 8-steps, I'm going to substitute CCleaner for step 2, but I'm happy to repeat the steps from the top, if you recommend it and can provide a workaround for this issue.
     
  3. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    Got through them as best I could. Here are the logs.

    My tweaks to the process:

    1: I used CCleaner instead of TFC.exe.

    2: I killed 2 of the 4 processes related to TM Office Scan, when instructed to disable other scanners. The other two I had to leave, but I never got any suspicious error messages.

    Here are the logs:
    ------------------------------------
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6152

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    3/24/2011 7:07:59 AM
    mbam-log-2011-03-24 (07-07-59).txt

    Scan type: Quick scan
    Objects scanned: 178645
    Time elapsed: 5 minute(s), 27 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    ----------------------------------------
    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit quick scan 2011-03-24 07:57:09
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 SAMSUNG_ rev.VBM2
    Running: 1s7hvj0s.exe; Driver: C:\DOCUME~1\rwolf\LOCALS~1\Temp\kwrdrpod.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

    ---- EOF - GMER 1.0.15 ----
    ----------------------------------------------------------------
    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by rwolf at 8:00:00.58 on Thu 03/24/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3510.2824 [GMT -7:00]
    .
    AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {9618DB9B-667E-4F02-9A27-C9ECD7BA6961}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
    C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
    svchost.exe
    svchost.exe
    C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\IDT\WDM\stacsv.exe
    svchost.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Program Files\Scalable Software\Survey\SSI Survey Client\SurveyClientNT.EXE
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
    C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\IDT\WDM\sttray.exe
    C:\WINDOWS\system32\AESTFltr.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
    C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\DOCUME~1\rwolf\LOCALS~1\Temp\Temporary Directory 1 for puretext20_x86.zip\PureText.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\Scalable Software\Survey\SSI Survey Client\SurveyClientNT.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\nuggets\TechSpot\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    mStart Page = about:blank
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: IEBrowserHelperObject Class: {86ea4148-bee6-4cee-a72f-da27a5112bd1} - c:\windows\system32\SSIBrowserHook5.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [\\192.168.0.129\EPSON WF1100] c:\windows\system32\spool\drivers\w32x86\3\e_fatifea.exe /fu "c:\docume~1\rwolf\locals~1\temp\E_S122.tmp" /EF "HKCU"
    uRun: [PureText] "c:\docume~1\rwolf\locals~1\temp\temporary directory 1 for puretext20_x86.zip\PureText.exe"
    mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
    mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [FreeFallProtection] c:\program files\stmicroelectronics\accelerometerp11\FF_Protection.exe
    mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{b0bf7057-6869-4e4b-920c-ea2a58da07f0}\Icon3E5562ED7.ico
    uPolicies-system: disablelockworkstation = 1 (0x1)
    mPolicies-system: disablelockworkstation = 1 (0x1)
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    Trusted Zone: digikey.com\ordering
    DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1285381672593
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1285389881531
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\rwolf\applic~1\mozilla\firefox\profiles\xlw1tb4u.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\drivers\stdcfltn.sys [2010-9-24 17648]
    R1 CBUL32;Measurement Computing DataAcq;c:\windows\system32\drivers\CBUL32.sys [2010-10-15 54048]
    R2 SSI Survey Client;SSI Survey Client;c:\program files\scalable software\survey\ssi survey client\surveyclientnt.exe [2010-12-11 90112]
    R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-12-22 52304]
    R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2008-5-2 249424]
    R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2008-5-2 36432]
    R2 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-7-10 689416]
    R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2010-11-15 592120]
    R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [2010-9-24 43888]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-9-24 113664]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-9-24 168616]
    R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-9-13 26137]
    R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-9-24 132480]
    R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-9-24 235520]
    R3 NETwNx32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [2010-9-24 6650752]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-4 136176]
    S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-9-13 157648]
    S3 r_server;Remote Administrator Service;c:\windows\system32\r_server.exe [2010-11-17 724992]
    S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-1-2 96488]
    S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-1-2 12776]
    S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-1-2 121576]
    S3 SSI Client Installer;SSI Client Installer;c:\windows\system32\SCInstallerNT.exe [2010-12-11 503808]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
    .
    =============== Created Last 30 ================
    .
    2011-03-24 14:01:34 -------- d-----w- c:\docume~1\rwolf\applic~1\Malwarebytes
    2011-03-24 14:01:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-24 14:01:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-03-24 14:01:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-24 14:01:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-24 04:10:01 102400 ----a-w- c:\windows\RegBootClean.exe
    2011-03-18 01:06:13 -------- d-----w- c:\docume~1\rwolf\locals~1\applic~1\Help
    .
    ==================== Find3M ====================
    .
    2011-02-03 05:40:23 472808 ------w- c:\windows\system32\deployJava1.dll
    2011-02-03 03:19:39 73728 ------w- c:\windows\system32\javacpl.cpl
    2011-01-27 08:15:59 249856 ------w- c:\windows\Setup1.exe
    2011-01-27 08:15:58 73216 ------w- c:\windows\ST6UNST.EXE
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:14:45 1864064 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 8:00:34.22 ===============
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/24/2010 6:32:16 PM
    System Uptime: 3/24/2011 7:41:44 AM (1 hours ago)
    .
    Motherboard: Dell Inc. | | 0667CC
    Processor: Intel(R) Core(TM) i7 CPU M 620 @ 2.67GHz | CPU 1 | 1169/533mhz
    .
    ==== Disk Partitions =========================
    .
    .
    ==== Installed Programs ======================
    .
    .
    2007 Microsoft Office Suite Service Pack 2 (SP2)
    AccelerometerP11
    Adobe AIR
    Adobe Common File Installer
    Adobe Flash Player 10 ActiveX
    Adobe Help Center 2.0
    Adobe Photoshop Elements 4.0
    Adobe Premiere Elements 2.0
    Adobe Reader 9.4.0
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Software Update
    CCleaner
    Cisco AnyConnect VPN Client
    Cisco MeetingPlace for Outlook
    Cisco Systems VPN Client 5.0.07.0290
    Compatibility Pack for the 2007 Office system
    Configuration Manager Client
    Crystal XI
    Deco Planner 3
    Dell Touchpad
    FilterPro
    Garmin City Navigator North America v8
    Google Earth
    Google Update Helper
    High Definition Audio Driver Package - KB835221
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB945436)
    Hotfix for Windows XP (KB949764)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB953955)
    Hotfix for Windows XP (KB954434)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB958244)
    Hotfix for Windows XP (KB958347)
    Hotfix for Windows XP (KB959252)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB981793)
    IDT Audio
    InstaCal and Universal Library for Windows
    Intel PROSet Wireless
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Network Connections Drivers
    Intel(R) PROSet/Wireless WiFi Software
    Japanese Fonts Support For Adobe Reader 9
    Java Auto Updater
    Java(TM) 6 Update 24
    Kies mini
    KLAAgent
    M7800 DownLoader
    Malwarebytes' Anti-Malware
    MapSource
    MapSource - WorldMap v3.02
    MaX Compression Client
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 6.0 Professional Edition
    MikroSpec 4.0 Professional
    Mozilla Firefox (3.6.12)
    MSDN Library - Visual Studio 6.0a
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser (KB925673)
    Nortel VPN Client
    OGA Notifier 2.0.0048.0
    OLYMPUS Digital Camera Updater
    OLYMPUS Master 2
    OLYMPUS Raw Codec
    Paint Shop Pro 7 Anniversary Edition
    PDF4Free 2.0
    PerformanceTest v7.0
    QuickBooks Pro 99
    QuickTime
    RDC
    Release OrCAD 16.2
    Remote Administrator v2.2
    RSA SecurID Token for Windows Desktops
    SAMSUNG USB Driver for Mobile Phones
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2183461)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    TracerDAQ
    Trend Micro OfficeScan Client
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office Outlook 2007 (KB2412171)
    Update for Outlook 2007 Junk Email Filter (KB2492475)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB982664)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    V-Planner 3.89
    WebFldrs XP
    WIMGAPI
    Windows Driver Package - FTDI CDM Driver Package (10/22/2009 2.06.00)
    Windows Driver Package - OLYMPUS IMAGING CORP. Camera Communication Driver Package (09/09/2009 1.0.0.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== End Of File ===========================
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please just skip TFC for now and go on with the rest of the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
    This includes not substituting programs.

    The program TFC is safe, however.
     
  5. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    Two other things:

    1: Why am I here? My standard desktop photo disappeared and was replaced by a generic pale blue background not long after I got conned into clicking on a suspect .rar attachment in a spoofed email. XP was acting funny when I tried to restore the desktop photo, so I started to suspect malware.

    2: The original problem has disappeared in the course of completing the 8 steps.... My photo is back.

    At this point I don't see any other signs of trouble, but I would be grateful if the Wise Ones would review my logs and confirm.

    Best Regards & Thanks for being here!

    Ralph Wolf
    Palo Alto
     
  6. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    Hi Bobbye,

    I originally got CCleaner from a prior visit to this forum. (It was the 7-step process back then)
    Is there a reason it has fallen out of favor?

    In any case, my log files are attached above.

    Best Regards,

    Ralph
     
  7. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    Hello? Can someone please look at my log files?

    I posted them above ~2 days ago.

    Not trying to nag, just thought maybe they got overlooked since Bobbye and I apparently cross-posted.

    Thanks again for your kind and valuable assistance!

    - Ralph
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    It appears that you and I were posting at the same time. When I made Reply #4, 3 days ago, your logs were not on the board at that time. Sorry about that; it happened to another member also.

    Am I clear that the problems you originally had have been resolved? If so, you have a choice:
    1. Remove the cleaning tools at this point -or-
    2. Run the following to make sure no bad entries remain:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl+V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ======================================
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    So far, I haven't seen malware. But I would recommend going ahead with the remaining scans.
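
ComboFix writes everything it did and found into the C:\ComboFix.txt report mentioned above, and most of the questions a helper asks (what was deleted, what autostarts, which programs hold firewall exceptions, which services are installed) are answered by a handful of its sections. As an added example, not ComboFix's own code and not part of the original post, the script below parses those sections from a report in the layout posted later in this thread and flags three things for review: firewall exceptions granted to general-purpose binaries such as ftp.exe or perl.exe, hosts listed under "BITS: Possible infected sites", and files ComboFix deleted out of system32. The sample report is a constructed excerpt in that layout, and the list of binaries to flag is the example author's choice, not a ComboFix rule.

```python
"""Pull the triage-relevant sections out of a ComboFix.txt report.

Added example for this thread, not ComboFix's own code. Section banners, registry
keys and line layouts follow the log posted in this thread; SAMPLE_REPORT is a
constructed excerpt in that layout, not the poster's full log.
"""
import re

SAMPLE_REPORT = r"""
((((((((((((((( Other Deletions )))))))))))))))
.
c:\windows\system32\raddrv.dll
.
----- BITS: Possible infected sites -----
.
hxxp://ca1appsccm03.adcorp.kla-tencor.com:80
.
((((((((((((((( Reg Loading Points )))))))))))))))
.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2010-02-06 849192]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\OrCAD\\OrCAD_16.2\\tools\\perl5\\bin\\perl.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\ftp.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"35205:TCP"= 35205:TCP:Trend Micro OfficeScan Listener
.
S2 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [7/10/2008 6:46 PM 689416]
"""

# Line shapes ComboFix uses inside the Reg Loading Points section and for services.
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?:\s+\[(?P<meta>[^\]]*)\])?$')
FW_APP_RE = re.compile(r'^"(?P<path>[^"]+)"=$')
FW_PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<desc>.*)$')
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$')

def parse_combofix(text):
    """Walk the report line by line, tracking which section each line belongs to."""
    rep = {"deletions": [], "bits_sites": [], "run": [], "fw_apps": [], "fw_ports": [], "services": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix pads sections with lone dots
            continue
        if line.startswith("((("):           # banner such as "Other Deletions"
            section = re.sub(r"[()]", "", line).strip()
            continue
        if line.startswith("----- BITS"):
            section = "BITS"
            continue
        if line.startswith("[") and line.endswith("]"):   # registry key header
            section = line
            continue
        m = SERVICE_RE.match(line)           # "S2 name;display;path [date size]"
        if m:
            rep["services"].append(m.groupdict())
        elif section == "Other Deletions":
            rep["deletions"].append(line)
        elif section == "BITS":
            rep["bits_sites"].append(line)   # kept defanged (hxxp) as ComboFix writes it
        elif section and section.endswith("\\Run]"):
            m = RUN_RE.match(line)
            if m:
                rep["run"].append(m.groupdict())
        elif section and section.endswith("AuthorizedApplications\\List]"):
            m = FW_APP_RE.match(line)
            if m:                            # the registry export doubles backslashes
                rep["fw_apps"].append(m.group("path").replace("\\\\", "\\"))
        elif section and section.endswith("GloballyOpenPorts\\List]"):
            m = FW_PORT_RE.match(line)
            if m:
                rep["fw_ports"].append(m.groupdict())
    return rep

# General-purpose binaries that rarely need an inbound Windows Firewall exception.
# Assumption: this list is the example author's, not a ComboFix rule.
REVIEW_BASENAMES = {"ftp.exe", "perl.exe", "java.exe", "javaw.exe", "regsvr32.exe",
                    "cmd.exe", "cscript.exe", "wscript.exe", "rundll32.exe"}

def triage(rep):
    """Return (kind, item) pairs worth a human look; none of them proves infection."""
    findings = []
    for path in rep["fw_apps"]:
        if path.rsplit("\\", 1)[-1].lower() in REVIEW_BASENAMES:
            findings.append(("firewall-exception", path))
    for site in rep["bits_sites"]:           # every host with a BITS job, benign or not
        findings.append(("bits-job-host", site))
    for path in rep["deletions"]:            # ComboFix already removed these
        if "\\system32\\" in path.lower():
            findings.append(("deleted-from-system32", path))
    return findings

if __name__ == "__main__":
    for kind, item in triage(parse_combofix(SAMPLE_REPORT)):
        print(f"{kind:24} {item}")
```

The BITS section lists every host a BITS download job pointed at, and on a domain-joined machine that routinely includes the corporate software-distribution server, so those entries are prompts to check the hostname with IT rather than indicators of infection on their own. The firewall entries deserve the same treatment: an exception for perl.exe or ftp.exe is often just what an EDA or admin tool's installer added, but it is an inbound allow rule for a general-purpose program and worth confirming.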
     
  9. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    Thanks for the reply. I just restarted ESET. (I got a bit too liberal with it on the first run and it murdered my RADMIN installation! This is a very handy tool that we use at work to control cleanroom instruments without having to put on our bunny suits.) I'm rerunning it in check-everything-change-nothing mode now.

    I still can't unload OfficeScan w/o the magic IT password, so I'll just have to hope that OfficeScan and ESET don't get into a shoving match. (Will let you know how that works out)

    Thanks again for the help!

    - R
     
  10. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    ESET log.

    C:\Program Files\Radmin\raddrv.dll a variant of Win32/RemoteAdmin application
    C:\Program Files\Radmin\radmin.exe Win32/RemoteAdmin.RAdmin.22 application
    C:\Program Files\Radmin\r_server.exe Win32/RAdmin.22 application
    C:\WINDOWS\system32\raddrv.dll a variant of Win32/RemoteAdmin application
    C:\WINDOWS\system32\r_server.exe Win32/RAdmin.22 application
    D:\nuggets\Radmin\AdmDll.dll Win32/RemoteAdmin application
    D:\nuggets\Radmin\raddrv.dll Win32/RemoteAdmin application
    D:\nuggets\Radmin\radmin.exe Win32/RemoteAdmin application
    D:\nuggets\Radmin\r_server.exe Win32/RemoteAdmin application
    D:\nuggets\RegistryBooster\registrybooster.exe a variant of Win32/RegistryBooster application
    ---------------
    I've deleted RegistryBooster.exe, but I understand Radmin & use it regularly for my work, so I'd prefer to keep that. Nothing looks terribly wrong to me... D'accord?
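
Every hit in the ESET log above carries the category "application", which is the label ESET reports for potentially unwanted or unsafe applications: legitimate software such as remote-administration tools that an attacker could also abuse, as opposed to a trojan or worm detection. Whether to keep such a hit comes down to whether the file is the copy you installed, so the useful check is per path rather than per detection name. As an added example, not code from the thread or from ESET, the script below parses log lines in the layout posted above (path, detection name, category), takes as operator input the detection families you know you installed and the directory you installed them into, and sorts each hit into expected, verify, unwanted or threat. The first ten sample lines are the detections posted above; the last line is a constructed trojan detection added to exercise the non-application branch and is not from the poster's log.

```python
"""Sort the hits in an ESET Online Scanner log into keep / verify / remove buckets.

Added example for this thread, not ESET's code. It assumes the one-hit-per-line
layout of the log posted above: <path> <detection name> <category>.
"""
import re
from collections import Counter

# First ten lines: the detections posted in this thread. Last line: a constructed
# non-"application" detection added to exercise the threat branch (not from the log).
SAMPLE_LOG = r"""
C:\Program Files\Radmin\raddrv.dll a variant of Win32/RemoteAdmin application
C:\Program Files\Radmin\radmin.exe Win32/RemoteAdmin.RAdmin.22 application
C:\Program Files\Radmin\r_server.exe Win32/RAdmin.22 application
C:\WINDOWS\system32\raddrv.dll a variant of Win32/RemoteAdmin application
C:\WINDOWS\system32\r_server.exe Win32/RAdmin.22 application
D:\nuggets\Radmin\AdmDll.dll Win32/RemoteAdmin application
D:\nuggets\Radmin\raddrv.dll Win32/RemoteAdmin application
D:\nuggets\Radmin\radmin.exe Win32/RemoteAdmin application
D:\nuggets\Radmin\r_server.exe Win32/RemoteAdmin application
D:\nuggets\RegistryBooster\registrybooster.exe a variant of Win32/RegistryBooster application
C:\Documents and Settings\user\Local Settings\Temp\update.exe a variant of Win32/Kryptik.ABCD trojan
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"                                          # path may contain spaces
    r"(?P<detection>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+)\s+"
    r"(?P<category>\w+)$"                                         # e.g. application, trojan
)

def family(detection):
    """'a variant of Win32/RemoteAdmin.RAdmin.22' -> 'remoteadmin'."""
    name = re.sub(r"^(?:probably )?(?:a variant of )?", "", detection)
    return name.split("/", 1)[1].split(".", 1)[0].lower()

def triage(log_text, known_families, install_dirs):
    """known_families: detection families the operator installed on purpose (assumed
    input); install_dirs: where those tools were installed. Returns one dict per hit."""
    known = {f.lower() for f in known_families}
    dirs = tuple(d.lower().rstrip("\\") + "\\" for d in install_dirs)
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path, det, cat = m.group("path"), m.group("detection"), m.group("category")
        fam = family(det)
        if cat.lower() != "application":
            verdict = "threat"      # not a riskware label: clean or quarantine
        elif fam in known and path.lower().startswith(dirs):
            verdict = "expected"    # the copy you installed, where you installed it
        elif fam in known:
            verdict = "verify"      # same tool, but a copy somewhere else
        else:
            verdict = "unwanted"    # riskware you did not claim: remove it
        rows.append({"path": path, "detection": det, "category": cat,
                     "family": fam, "verdict": verdict})
    return rows

if __name__ == "__main__":
    rows = triage(SAMPLE_LOG, {"RemoteAdmin", "RAdmin"}, [r"C:\Program Files\Radmin"])
    for r in rows:
        print(f"{r['verdict']:9} {r['path']}  ({r['detection']})")
    print(dict(Counter(r["verdict"] for r in rows)))
```

Run against the posted hits with Radmin declared as installed under C:\Program Files\Radmin, the three files there come out "expected", the copies in C:\WINDOWS\system32 and under D:\nuggets\Radmin come out "verify", and RegistryBooster comes out "unwanted". Note that the ComboFix run posted later in the thread lists c:\windows\system32\raddrv.dll under Other Deletions, one of the paths this triage marks for verification; if Radmin is still needed, the vendor's own file list is the reference for which copies belong where.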
     
  11. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    Tried to run ComboFix, but it warned of "severe tire damage" if I ran it without disabling Trend Micro's Office Scan, which I can't do. So I think I'm done for now.

    Oh heck, let me see what happens if I bounce into safe mode...
     
  12. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    That worked, but I would recommend that people bounce into safe mode with networking, so they can get the recovery console install. (I was feeling lucky, so I ran without it since it seems to take 2-3 tries before the safe mode window actually comes up. I finally figured out that the time to start tapping F8 is right after the SATA RAID controller says hello...)

    In any case, here is the combofix log. (I eagerly await wise counsel....)

    ---------------------------
    ComboFix 11-03-27.02 - Ralph Wolf 03/28/2011 11:08:21.1.4 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3510.3237 [GMT -7:00]
    Running from: d:\nuggets\TechSpot\ComboFix2.exe
    AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {9618DB9B-667E-4F02-9A27-C9ECD7BA6961}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\rwolf\Cookies\Index_3E227C64.dat
    c:\documents and settings\rwolf\Cookies\IndexIE_3E227C64.dat
    c:\documents and settings\rwolf\Cookies\IndexIE_53CB2050.dat
    c:\windows\system32\raddrv.dll
    .
    ----- BITS: Possible infected sites -----
    .
    hxxp://ca1appsccm03.adcorp.kla-tencor.com:80
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-28 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-28 07:19 . 2011-03-28 07:19 -------- d-----w- c:\program files\ESET
    2011-03-24 14:01 . 2011-03-24 14:01 -------- d-----w- c:\documents and settings\rwolf\Application Data\Malwarebytes
    2011-03-24 14:01 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-24 14:01 . 2011-03-24 14:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-03-24 14:01 . 2011-03-24 14:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-24 14:01 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-24 04:10 . 2011-03-24 04:10 102400 ----a-w- c:\windows\RegBootClean.exe
    2011-03-18 01:06 . 2011-03-18 01:06 -------- d-----w- c:\documents and settings\rwolf\Local Settings\Application Data\Help
    2011-03-07 22:20 . 2011-03-07 22:57 -------- d-----w- c:\documents and settings\rwolf\Application Data\U3
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-09 13:53 . 2008-04-14 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-03 05:40 . 2010-11-17 09:18 472808 ------w- c:\windows\system32\deployJava1.dll
    2011-02-03 03:19 . 2010-11-17 09:18 73728 ------w- c:\windows\system32\javacpl.cpl
    2011-02-02 07:58 . 2010-09-25 01:27 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2010-09-25 01:27 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-27 08:15 . 2011-01-27 08:14 249856 ------w- c:\windows\Setup1.exe
    2011-01-27 08:15 . 2011-01-27 08:14 73216 ------w- c:\windows\ST6UNST.EXE
    2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:14 . 2008-04-14 12:00 1864064 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-07-07 737280]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-27 136216]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-27 170008]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-27 145432]
    "IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2010-07-20 1400832]
    "IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-07-20 1206544]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-06-04 292208]
    "FreeFallProtection"="c:\program files\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2010-07-28 727664]
    "OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2010-02-06 849192]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    .
    c:\documents and settings\Ralph Wolf\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2010-12-7 6144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablelockworkstation"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\Licensing\\LicenseClientConfiguration.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\cdnshelp.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\cdsinfo.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\cdsmps.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\cdsMsgServer.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\cdsNameServer.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\cdsOaPathUtil.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\cdsRemote.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\cdsRemshClient.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\cdsRunHidden.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\cdsServIpc.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\cdsUnzip.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\cdswhich.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\cdsZip.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\cds_root.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\clsAdminTool.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\clsbd.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\clu.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\cmfeedback.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\consmgr.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\dregprint.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\emsChecker.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\emsMkError.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\mpsinfo.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\msgHelp.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\nmp.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\nmppath.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\switchversion.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\van.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\bin\\versionviewer.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\capture\\capture.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\capture\\comp16.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\capture\\pcadi.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\capture\\pspiceexplorersrvr.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\capture\\pstswp.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\capture\\regsvr32.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\capture\\sch2cap.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\capture\\tutorial\\Captutor.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\cdnshelp\\bin\\cdnshelp.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\cdnshelp\\bin\\cdnshelpindexer.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\cdnshelp\\bin\\indexer.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\cdnshelp\\bin\\tagtest.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\cdnshelp\\bin\\topicgen.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\cdnshelp\\bin\\_cdnshelp.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\dfII\\bin\\skill.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\dfII\\bin\\skill_g.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\fet\\bin\\bodygen.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\fet\\bin\\cpmaccess.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\fet\\bin\\libaccess.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\fet\\bin\\lrm.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\fet\\bin\\mkdefcfg.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\fet\\bin\\newgenasym.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\fet\\bin\\pcbCache.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\fet\\bin\\projmgr.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\fet\\bin\\psetup.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\fet\\bin\\purge.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\fet\\bin\\QPSetup.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\fet\\bin\\rollback.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\fet\\bin\\UniversalBrowser.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\fet\\bin\\versiontool.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\jre\\bin\\java.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\jre\\bin\\javacpl.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\jre\\bin\\javaw.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\jre\\bin\\javaws.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\jre\\bin\\jucheck.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\jre\\bin\\jusched.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\jre\\bin\\keytool.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\jre\\bin\\kinit.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\jre\\bin\\klist.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\jre\\bin\\ktab.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\jre\\bin\\orbd.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\jre\\bin\\pack200.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\jre\\bin\\policytool.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\jre\\bin\\rmid.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\jre\\bin\\rmiregistry.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\jre\\bin\\servertool.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\jre\\bin\\tnameserv.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\jre\\bin\\unpack200.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\fvupdateutil.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\gcad.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\gcam.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\gcdin.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\idfin.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\ipc356.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\layout.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\libcat.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\lsession.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\max2hyp.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\maxascb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\maxascx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\maxdxf.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\maxeco.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\maxfnetx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\maxminb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\maxminw.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\maxminx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\maxorcad.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\maxp99x.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\maxpadb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\maxpadx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\maxpcadb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\maxpcadx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\maxprotb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\maxprotx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\maxstrb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\maxstrx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\maxtangb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\maxtangx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\mfceco.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\orcadodb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\padb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\padx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\pcadb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\pcadx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\pcb2max.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\prcat.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\protb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\protx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\searchTool.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\setbrows.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\specin.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\strb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\strx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\tangb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\tangx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\to386.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\toidf.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\tomax.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\tospec.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\update90.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\samples\\demo\\reset.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\sroute\\batch32.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\sroute\\sroute.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\tutorial\\laytutor.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout\\vcadd\\vcadd32.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\fvupdateutil.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\gcad.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\gcam.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\gcdin.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\idfin.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\ipc356.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\layout.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\libcat.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\lsession.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\max2hyp.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\maxascb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\maxascx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\maxdxf.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\maxeco.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\maxfnetx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\maxminb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\maxminw.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\maxminx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\maxorcad.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\maxp99x.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\maxpadb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\maxpadx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\maxpcadb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\maxpcadx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\maxprotb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\maxprotx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\maxstrb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\maxstrx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\maxtangb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\maxtangx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\mfceco.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\orcadodb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\padb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\padx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\pcadb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\pcadx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\pcb2max.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\prcat.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\protb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\protx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\searchTool.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\setbrows.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\specin.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\strb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\strx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\tangb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\tangx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\to386.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\toidf.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\tomax.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\tospec.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\update90.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\samples\\demo\\reset.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\sroute\\batch32.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\sroute\\sroute.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\tutorial\\Laytutor.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_eng_ed\\vcadd\\vcadd32.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\fvupdateutil.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\gcad.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\gcam.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\gcdin.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\idfin.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\ipc356.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\layout.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\libcat.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\lsession.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\max2hyp.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\maxascb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\maxascx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\maxdxf.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\maxeco.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\maxfnetx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\maxminb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\maxminw.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\maxminx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\maxorcad.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\maxp99x.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\maxpadb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\maxpadx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\maxpcadb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\maxpcadx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\maxprotb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\maxprotx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\maxstrb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\maxstrx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\maxtangb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\maxtangx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\mfceco.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\orcadodb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\padb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\padx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\pcadb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\pcadx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\pcb2max.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\prcat.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\protb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\protx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\searchTool.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\setbrows.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\specin.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\strb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\strx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\tangb.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\tangx.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\to386.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\toidf.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\tomax.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\tospec.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\update90.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\samples\\demo\\reset.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\sroute\\batch32.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\sroute\\sroute.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\tutorial\\laytutor.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\layout_plus\\vcadd\\vcadd32.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\a2dxf.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\allegro.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\allegro_batch.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\allegro_free_viewer.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\aprepmap.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\artwork.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\ashowmap.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\batch_drc.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\bbvia.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\bem2d.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\brd2dml.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\convert_gerber.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\create_devices.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\create_sym.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\dbdoctor.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\dbdoctor14.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\dbdoctor15.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\dbdoctor_ui.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\dbfix11.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\dbfix12.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\dbfix13.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\dbstat.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\db_change_type.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\dfa_dlg.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\dfa_update.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\dml2brd.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\dmlcheck.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\dmlcrypt.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\downrev14.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\downrev_library.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\draw_check.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\dump_libraries.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\dxf2a.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\ems2d.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\enved.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\explot.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\extracta.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\fatten.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\flash_convert.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\fpbrowse.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\FSvia.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\FSviaSolver.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\ftsmerge.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\gate_assign.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\gbplot.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\genfeedformat.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\genrad.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\gloss.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\ibis2signoise.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\ibischk3.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\ibischk4.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\icmchk.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\idf_in.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\idf_out.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\iges_in.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\iges_out.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\il_allegro.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\ipc356_out.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\j2script.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\l2a.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\lis2buf.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\mbs2lib.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\mcm_escapes.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\mergedml.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\mkdeviceindex.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\modelintegrity.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\modelsim.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\ncroute.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\nctape.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\netin.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\netrev.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\pads_in.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\pad_designer.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\parallel.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\pcad_in.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\pe_wordpad.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\placement.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\plctxt.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\pre_check.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\productServer.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\quad2signoise.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\qvupdate.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\refresh_padstack.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\refresh_symbol.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\refresh_vs.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\reftxt.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\report.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\signoise.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\sigwave.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\sigxp.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\sigxsect.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\spc2dml.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\spc2spc.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\spif.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\spif_batch.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\swap.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\systemdump.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\sys_root.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\techfile.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\techfile13.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\techfile14.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\techfile15.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\tlsim.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\ts2dml.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\uprev.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\zrouter.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\perl5\\bin\\perl.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\perl5\\bin\\perlglob.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\perl5\\ntt\\cmd32.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pspice\\appmgr.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pspice\\IndiceFileGeneration.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pspice\\lxcwin.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pspice\\Magneticdesigner.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pspice\\modeled.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pspice\\MrkSrvr.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pspice\\msgview.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pspice\\PDesign.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pspice\\psched.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pspice\\pspice.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pspice\\pspiceaa.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pspice\\PSpiceEnc.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pspice\\pspiceexplorersrvr.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pspice\\psp_cmd.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pspice\\regsvr32.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pspice\\simmgr.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pspice\\simsrvr.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pspice\\stmed.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\specctra\\bin\\mbs2sp.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\specctra\\bin\\sp2mbs.exe"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\specctra\\bin\\specctra.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\aconvmap.exe"=
    "c:\\Program Files\\Measurement Computing\\DAQ\\MccSkts.exe"=
    "c:\\Program Files\\Nortel\\Nortel VPN Client\\Extranet.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Trend Micro\\OfficeScan Client\\ScanMailOutLook.exe"=
    "c:\\WINDOWS\\system32\\ftp.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "35205:TCP"= 35205:TCP:Trend Micro OfficeScan Listener
    .
    R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\drivers\stdcfltn.sys [9/24/2010 7:23 PM 17648]
    R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [9/24/2010 7:23 PM 43888]
    S1 CBUL32;Measurement Computing DataAcq;c:\windows\system32\drivers\CBUL32.sys [10/15/2010 12:27 AM 54048]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2011 6:55 PM 136176]
    S2 SSI Survey Client;SSI Survey Client;c:\program files\Scalable Software\Survey\SSI Survey Client\surveyclientnt.exe [12/11/2010 12:19 AM 90112]
    S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/22/2010 12:52 AM 52304]
    S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [5/2/2008 4:22 PM 249424]
    S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [5/2/2008 4:21 PM 36432]
    S2 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [7/10/2008 6:46 PM 689416]
    S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [11/15/2010 1:32 PM 592120]
    S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [9/24/2010 7:06 PM 113664]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [9/24/2010 7:11 PM 168616]
    S3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [9/13/2007 9:52 AM 26137]
    S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [9/24/2010 6:51 PM 132480]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [9/24/2010 7:09 PM 235520]
    S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [9/13/2007 9:51 AM 157648]
    S3 NETwNx32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [9/24/2010 7:17 PM 6650752]
    S3 r_server;Remote Administrator Service;c:\windows\system32\r_server.exe [11/17/2010 7:54 PM 724992]
    S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [1/2/2011 9:42 AM 96488]
    S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [1/2/2011 9:42 AM 12776]
    S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [1/2/2011 9:42 AM 121576]
    S3 SSI Client Installer;SSI Client Installer;c:\windows\system32\SCInstallerNT.exe [12/11/2010 12:19 AM 503808]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-02-05 01:55]
    .
    2011-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-02-05 01:55]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = about:blank
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
    DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
    FF - ProfilePath -
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
    AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
    AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
    AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-28 11:11
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-03-28 11:12:21
    ComboFix-quarantined-files.txt 2011-03-28 18:12
    .
    Pre-Run: 90,651,209,728 bytes free
    Post-Run: 91,162,918,912 bytes free
    .
    - - End Of File - - ACD810577DD61ADA705F872632B6826B
     
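As an added example (not from this thread and not part of ComboFix), here is a small Python triage helper for the service section of a log in the layout shown above (`R0 name;display name;path [date time size]`). It parses those lines and lists the entries whose binary sits outside the usual driver and Program Files directories, which is the first thing a reviewer checks against known software such as the work tools mentioned in this thread. The line format is inferred from the log text, and the sample lines are copied from it.

```python
import re
from dataclasses import dataclass

# Layout of a service line as it appears in the log above (inferred from the
# text, not taken from ComboFix documentation):
#   R0 stdcfltn;Disk Class Filter Driver ...;c:\windows\system32\drivers\stdcfltn.sys [9/24/2010 7:23 PM 17648]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+"
    r"\[(?P<stamp>.+?)\s+(?P<size>\d+)\]\s*$"
)

# Directories where a stock driver or vendor-installed service binary is expected.
# Anything elsewhere is not necessarily bad, only worth a second look.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\program files\\",
)


@dataclass
class ServiceEntry:
    start: str      # the R0/S2/S3 code, kept verbatim from the log
    name: str
    display: str
    path: str       # lower-cased for prefix comparison
    size: int


def parse_services(log_text: str) -> list[ServiceEntry]:
    """Extract every service line from the log text; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(m["start"], m["name"], m["display"],
                                        m["path"].lower(), int(m["size"])))
    return entries


def flag_unusual(entries: list[ServiceEntry]) -> list[ServiceEntry]:
    """Return entries whose binary lives outside TRUSTED_PREFIXES."""
    return [e for e in entries if not e.path.startswith(TRUSTED_PREFIXES)]


# Sample input: four lines copied from the log in this thread.
SAMPLE_LOG = """\
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\\windows\\system32\\drivers\\stdcfltn.sys [9/24/2010 7:23 PM 17648]
S2 TmProxy;OfficeScan NT Proxy Service;c:\\program files\\Trend Micro\\OfficeScan Client\\TmProxy.exe [7/10/2008 6:46 PM 689416]
S3 r_server;Remote Administrator Service;c:\\windows\\system32\\r_server.exe [11/17/2010 7:54 PM 724992]
S3 SSI Client Installer;SSI Client Installer;c:\\windows\\system32\\SCInstallerNT.exe [12/11/2010 12:19 AM 503808]
"""

if __name__ == "__main__":
    for e in flag_unusual(parse_services(SAMPLE_LOG)):
        print(f"{e.start} {e.name}: {e.path} ({e.size} bytes)")
```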
  13. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    RegBootClean.exe looks suspicious. (I am generally very wary of "registry cleaners" and don't recall installing it.) The file time is very close to when I opened the spoofed UPS email that started the initial infection. I've rendered it inert, but won't delete it until you tell me to.

    Anything else look out of place?

    I confess that "disablelockworkstation"= 1 (0x1) is my doing, but [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001 looks suspicious to me.... (I'd submit a help ticket at work to enquire about it... but I'm afraid they'll just send some goon to wipe my hard disk!)
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If I had realized this was your work computer when we started, I would have told you the same thing I tell other members:

    I will not take responsibility for handling (removing or otherwise) processes that are specifically work-related. Many are not on the best terms with their IT representative, but that's who should be working on your system.

    "Win32/RemoteAdmin application" is part of your work software, as I'm sure are the several hundred entries loading for "c:\\OrCAD\\OrCAD_16.2\\tools..."

    You cannot expect someone who volunteers their help on a free computer forum to take any responsibility for these kinds of processes.
     
  15. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    Thank you for volunteering. Your position is totally fair, but I fear we have had a misunderstanding.

    I'm NOT asking for help with VPN, Radmin, email or OrCad. Those are work related SW and I know how to get help for those. (I'm actually on pretty good terms with the local IT guys... it's just the corporate "Help Desk" system that we have to work around that we all roll our eyes at...)

    Here's the full story. I'm a contractor and tele-commute. (I'm sitting at home, with the LT in a docking station as I write this.) Basically, my entire personal & professional life is on this laptop & I back it up often. I take care of most things myself and seek help from whoever seems most knowledgeable about the problem at hand.

    My current trouble started when someone did a good enough job of spoofing UPS to get past my spam filter and conned me into clicking on an attached rar file. Since that's a universal scourge in society, I came here. (No doubt if I brought the problem to the guys at work, they would say "well, that's your home computer, and we don't support those" before grudgingly offering to wipe my hard disk :)

    I would be sincerely grateful if you would look at the remaining lines in the log files and let me know if anything besides the work apps seems out of the ordinary.

    Just to be clear, your help and this site are clearly valuable. I am happy to pay you or help support this site if there is a mechanism in place to do that.

    Since you are a volunteer, I won't hold it against you if you refuse to help me in this situation.
    But I will be stuck, with no clear path to a solution...

    Thanks again for volunteering. You are clearly one of the 'good guys' on this planet! I hope you don't think I've behaved unethically, by coming here...
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      D:\nuggets\RegistryBooster\registrybooster.exe 
      c:\windows\RegBootClean.exe
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ===========================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Please read this as to why TFC gets flagged occasionally and why it has the advantage over CCleaner:
    http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/page__st__30

    This is about all I can do.
     
  17. Rwolf01

    Rwolf01 TS Enthusiast Topic Starter Posts: 127

    Good news

    The good news is that I've found a workaround for the overzealous Office Scan. I can bounce it into Safe Mode to do the scans or other actions which require OS to be disabled. I am in the process of rerunning the 8-steps without any exceptions or omissions & installing TFC.

    After that I'll clean up as you suggested above.

    Thanks again for your help and the explanation on TFC vs CCleaner.

    May your surge protectors be manly and the lightning miss your neighborhood. :)
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm happy to say that none of the 9 tornadoes was on my street, that the wind here only got up to about 40 mph, not the 70-80 mph that some had, and I did not lose power or blow anything through the surge protector! The lightning was spectacular (as long as one was inside) and the rain was so heavy that the tornadoes were 'rain wrapped', meaning that the funnels couldn't be seen, only felt when they were on top of you!

    About CCleaner: it tends to get overactive and remove Registry entries it shouldn't, and as for TFC, occasionally a security program will act on the file extension of some of the cleaning programs. We try to anticipate that and instruct the user to override it, but it's only recently that TFC has gotten flagged.

    Sometimes I think the authors of security programs bend so far one way to try and keep malware out (or what they perceive as malware) that they try to take the good down with the bad.
     
Topic Status:
Not open for further replies.
