Inactive Problem with 8-steps. (TrendMicro flags files and prohibits downloads)


Rwolf01

I have TrendMicro OfficeScan on my machine. (The IT guys at work require it if you are going to connect via VPN. I can't uninstall or disable it, since all settings are PWD protected...)

I updated & ran that for step 1. (also installed & ran their mail scanner)

For Step 2, when I go to download TFC.exe, TrendMicro blocks it.

I looked up the site http://oldtimer.geekstogo.com/TFC.exe on their site http://global.sitesafety.trendmicro.com and it said:

Is it safe? Dangerous: The latest tests indicate that this site contains malicious software or could defraud visitors.

How would you categorize this site? Disease Vector: Sites that directly or indirectly facilitate the distribution of malicious software or source code.

I guess they don't like free competition... :)

Any suggestions? Should I be concerned that TFC.exe is actual malware?
 
For now, I'm using CCleaner instead.

Just to keep going with the 8-steps, I'm going to substitute CCleaner for step 2, but I'm happy to repeat the steps from the top, if you recommend it and can provide a workaround for this issue.
 
Got through them as best I could. Here are the logs.

My tweaks to the process:

1: I used CCleaner instead of TFC.exe.

2: I killed 2 of the 4 processes related to TM Office Scan, when instructed to disable other scanners. The other two I had to leave, but I never got any suspicious error messages.

Here are the logs:
------------------------------------
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6152

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/24/2011 7:07:59 AM
mbam-log-2011-03-24 (07-07-59).txt

Scan type: Quick scan
Objects scanned: 178645
Time elapsed: 5 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
----------------------------------------
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-03-24 07:57:09
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 SAMSUNG_ rev.VBM2
Running: 1s7hvj0s.exe; Driver: C:\DOCUME~1\rwolf\LOCALS~1\Temp\kwrdrpod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

---- EOF - GMER 1.0.15 ----
----------------------------------------------------------------
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by rwolf at 8:00:00.58 on Thu 03/24/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3510.2824 [GMT -7:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {9618DB9B-667E-4F02-9A27-C9ECD7BA6961}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IDT\WDM\stacsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Scalable Software\Survey\SSI Survey Client\SurveyClientNT.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\DOCUME~1\rwolf\LOCALS~1\Temp\Temporary Directory 1 for puretext20_x86.zip\PureText.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Scalable Software\Survey\SSI Survey Client\SurveyClientNT.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\nuggets\TechSpot\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEBrowserHelperObject Class: {86ea4148-bee6-4cee-a72f-da27a5112bd1} - c:\windows\system32\SSIBrowserHook5.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [\\192.168.0.129\EPSON WF1100] c:\windows\system32\spool\drivers\w32x86\3\e_fatifea.exe /fu "c:\docume~1\rwolf\locals~1\temp\E_S122.tmp" /EF "HKCU"
uRun: [PureText] "c:\docume~1\rwolf\locals~1\temp\temporary directory 1 for puretext20_x86.zip\PureText.exe"
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [FreeFallProtection] c:\program files\stmicroelectronics\accelerometerp11\FF_Protection.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{b0bf7057-6869-4e4b-920c-ea2a58da07f0}\Icon3E5562ED7.ico
uPolicies-system: disablelockworkstation = 1 (0x1)
mPolicies-system: disablelockworkstation = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: digikey.com\ordering
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1285381672593
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1285389881531
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\rwolf\applic~1\mozilla\firefox\profiles\xlw1tb4u.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\drivers\stdcfltn.sys [2010-9-24 17648]
R1 CBUL32;Measurement Computing DataAcq;c:\windows\system32\drivers\CBUL32.sys [2010-10-15 54048]
R2 SSI Survey Client;SSI Survey Client;c:\program files\scalable software\survey\ssi survey client\surveyclientnt.exe [2010-12-11 90112]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-12-22 52304]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2008-5-2 249424]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2008-5-2 36432]
R2 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-7-10 689416]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2010-11-15 592120]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [2010-9-24 43888]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-9-24 113664]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-9-24 168616]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-9-13 26137]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-9-24 132480]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-9-24 235520]
R3 NETwNx32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [2010-9-24 6650752]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-4 136176]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-9-13 157648]
S3 r_server;Remote Administrator Service;c:\windows\system32\r_server.exe [2010-11-17 724992]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-1-2 96488]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-1-2 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-1-2 121576]
S3 SSI Client Installer;SSI Client Installer;c:\windows\system32\SCInstallerNT.exe [2010-12-11 503808]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
.
=============== Created Last 30 ================
.
2011-03-24 14:01:34 -------- d-----w- c:\docume~1\rwolf\applic~1\Malwarebytes
2011-03-24 14:01:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-24 14:01:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-24 14:01:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-24 14:01:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-24 04:10:01 102400 ----a-w- c:\windows\RegBootClean.exe
2011-03-18 01:06:13 -------- d-----w- c:\docume~1\rwolf\locals~1\applic~1\Help
.
==================== Find3M ====================
.
2011-02-03 05:40:23 472808 ------w- c:\windows\system32\deployJava1.dll
2011-02-03 03:19:39 73728 ------w- c:\windows\system32\javacpl.cpl
2011-01-27 08:15:59 249856 ------w- c:\windows\Setup1.exe
2011-01-27 08:15:58 73216 ------w- c:\windows\ST6UNST.EXE
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:14:45 1864064 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 8:00:34.22 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 9/24/2010 6:32:16 PM
System Uptime: 3/24/2011 7:41:44 AM (1 hours ago)
.
Motherboard: Dell Inc. | | 0667CC
Processor: Intel(R) Core(TM) i7 CPU M 620 @ 2.67GHz | CPU 1 | 1169/533mhz
.
==== Disk Partitions =========================
.
.
==== Installed Programs ======================
.
.
2007 Microsoft Office Suite Service Pack 2 (SP2)
AccelerometerP11
Adobe AIR
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Help Center 2.0
Adobe Photoshop Elements 4.0
Adobe Premiere Elements 2.0
Adobe Reader 9.4.0
Adobe Shockwave Player 11.5
Apple Application Support
Apple Software Update
CCleaner
Cisco AnyConnect VPN Client
Cisco MeetingPlace for Outlook
Cisco Systems VPN Client 5.0.07.0290
Compatibility Pack for the 2007 Office system
Configuration Manager Client
Crystal XI
Deco Planner 3
Dell Touchpad
FilterPro
Garmin City Navigator North America v8
Google Earth
Google Update Helper
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB945436)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB958244)
Hotfix for Windows XP (KB958347)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
IDT Audio
InstaCal and Universal Library for Windows
Intel PROSet Wireless
Intel(R) Graphics Media Accelerator Driver
Intel(R) Network Connections Drivers
Intel(R) PROSet/Wireless WiFi Software
Japanese Fonts Support For Adobe Reader 9
Java Auto Updater
Java(TM) 6 Update 24
Kies mini
KLAAgent
M7800 DownLoader
Malwarebytes' Anti-Malware
MapSource
MapSource - WorldMap v3.02
MaX Compression Client
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 6.0 Professional Edition
MikroSpec 4.0 Professional
Mozilla Firefox (3.6.12)
MSDN Library - Visual Studio 6.0a
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB925673)
Nortel VPN Client
OGA Notifier 2.0.0048.0
OLYMPUS Digital Camera Updater
OLYMPUS Master 2
OLYMPUS Raw Codec
Paint Shop Pro 7 Anniversary Edition
PDF4Free 2.0
PerformanceTest v7.0
QuickBooks Pro 99
QuickTime
RDC
Release OrCAD 16.2
Remote Administrator v2.2
RSA SecurID Token for Windows Desktops
SAMSUNG USB Driver for Mobile Phones
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
TracerDAQ
Trend Micro OfficeScan Client
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Outlook 2007 Junk Email Filter (KB2492475)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982664)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
V-Planner 3.89
WebFldrs XP
WIMGAPI
Windows Driver Package - FTDI CDM Driver Package (10/22/2009 2.06.00)
Windows Driver Package - OLYMPUS IMAGING CORP. Camera Communication Driver Package (09/09/2009 1.0.0.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
XML Paper Specification Shared Components Pack 1.0
.
==== End Of File ===========================
 
Please just skip TFC for now and go on with the rest of the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
This includes not substituting programs.

The program TFC is safe, however.
 
Two other things:

1: Why am I here? My standard desktop photo disappeared and was replaced by a generic pale blue background not long after I got conned into clicking on a suspect .rar attachment in a spoofed email. XP was acting funny when I tried to restore the desktop photo, so I started to suspect malware.

2: The original problem has disappeared in the course of completing the 8 steps.... My photo is back.

At this point I don't see any other signs of trouble, but I would be grateful if the Wise Ones would review my logs and confirm.

Best Regards & Thanks for being here!,

Ralph Wolf
Palo Alto
 
Hi Bobbye,

I originally got CCleaner from a prior visit to this forum. (It was the 7-step process back then)
Is there a reason it has fallen out of favor?

In any case, my log files are attached above.

Best Regards,

Ralph
 
Hello? Can someone please look at my log files?

I posted them above ~2 days ago.

Not trying to nag, just thought maybe they got overlooked since Bobbye and I apparently cross posted.

Thanks again for your kind and valuable assistance!

- Ralph
 
It appears that you and I were posting at the same time. When I made Reply #4, 3 days ago, your logs were not on the board at that time. Sorry about that- it happened to another member also.

Am I clear that the problems you originally had have been resolved? If so, you have a choice:
1. Remove the cleaning tools at this point -or-
2. Run the following to make sure no bad entries remain:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard" (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
======================================
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    whatnext.png
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated - it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

So far, I haven't seen malware. But I would recommend going ahead with the remaining scans.
 
Thanks for the reply. I just restarted ESET. (I got a bit too liberal with it on the first run and it murdered my RADMIN installation! This is a very handy tool that we use at work to control cleanroom instruments without having to put on our bunny suits.) I'm rerunning it in check-everything-change-nothing mode now.

I still can't unload OfficeScan w/o the magic IT password, so I'll just have to hope that OfficeScan and ESET don't get into a shoving match. (Will let you know how that works out)

Thanks again for the help!

- R
 
ESET log.

C:\Program Files\Radmin\raddrv.dll a variant of Win32/RemoteAdmin application
C:\Program Files\Radmin\radmin.exe Win32/RemoteAdmin.RAdmin.22 application
C:\Program Files\Radmin\r_server.exe Win32/RAdmin.22 application
C:\WINDOWS\system32\raddrv.dll a variant of Win32/RemoteAdmin application
C:\WINDOWS\system32\r_server.exe Win32/RAdmin.22 application
D:\nuggets\Radmin\AdmDll.dll Win32/RemoteAdmin application
D:\nuggets\Radmin\raddrv.dll Win32/RemoteAdmin application
D:\nuggets\Radmin\radmin.exe Win32/RemoteAdmin application
D:\nuggets\Radmin\r_server.exe Win32/RemoteAdmin application
D:\nuggets\RegistryBooster\registrybooster.exe a variant of Win32/RegistryBooster application
---------------
I've deleted RegistryBooster.exe, but I understand Radmin & use it regularly for my work, so I'd prefer to keep that. Nothing looks terribly wrong to me... D'accord?
 
Tried to run ComboFix, but it warned of "severe tire damage" if I ran it without disabling Trend Micro's Office Scan, which I can't do. So I think I'm done for now.

Oh heck, let me see what happens if I bounce into safe mode...
 
That worked, but I would recommend that people bounce into safemode with networking, so they can get the recovery console install. (I was feeling lucky, so I ran without it since it seems to take 2-3 tries before the safemode window actually comes up. I finally figured out that the time to start tapping F8 is right after the SATA Raid controller says hello...)

In any case, here is the combofix log. (I eagerly await wise counsel....)

---------------------------
ComboFix 11-03-27.02 - Ralph Wolf 03/28/2011 11:08:21.1.4 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3510.3237 [GMT -7:00]
Running from: d:\nuggets\TechSpot\ComboFix2.exe
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {9618DB9B-667E-4F02-9A27-C9ECD7BA6961}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\rwolf\Cookies\Index_3E227C64.dat
c:\documents and settings\rwolf\Cookies\IndexIE_3E227C64.dat
c:\documents and settings\rwolf\Cookies\IndexIE_53CB2050.dat
c:\windows\system32\raddrv.dll
.
----- BITS: Possible infected sites -----
.
hxxp://ca1appsccm03.adcorp.kla-tencor.com:80
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-28 )))))))))))))))))))))))))))))))
.
.
2011-03-28 07:19 . 2011-03-28 07:19 -------- d-----w- c:\program files\ESET
2011-03-24 14:01 . 2011-03-24 14:01 -------- d-----w- c:\documents and settings\rwolf\Application Data\Malwarebytes
2011-03-24 14:01 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-24 14:01 . 2011-03-24 14:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-24 14:01 . 2011-03-24 14:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-24 14:01 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-24 04:10 . 2011-03-24 04:10 102400 ----a-w- c:\windows\RegBootClean.exe
2011-03-18 01:06 . 2011-03-18 01:06 -------- d-----w- c:\documents and settings\rwolf\Local Settings\Application Data\Help
2011-03-07 22:20 . 2011-03-07 22:57 -------- d-----w- c:\documents and settings\rwolf\Application Data\U3
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2008-04-14 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 05:40 . 2010-11-17 09:18 472808 ------w- c:\windows\system32\deployJava1.dll
2011-02-03 03:19 . 2010-11-17 09:18 73728 ------w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2010-09-25 01:27 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-09-25 01:27 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-27 08:15 . 2011-01-27 08:14 249856 ------w- c:\windows\Setup1.exe
2011-01-27 08:15 . 2011-01-27 08:14 73216 ------w- c:\windows\ST6UNST.EXE
2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:14 . 2008-04-14 12:00 1864064 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-07-07 737280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-27 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-27 170008]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-27 145432]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2010-07-20 1400832]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-07-20 1206544]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-06-04 292208]
"FreeFallProtection"="c:\program files\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2010-07-28 727664]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2010-02-06 849192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
.
c:\documents and settings\Ralph Wolf\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2010-12-7 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablelockworkstation"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\OrCAD\\OrCAD_16.2\\tools\\pcb\\bin\\aconvmap.exe"=
"c:\\Program Files\\Measurement Computing\\DAQ\\MccSkts.exe"=
"c:\\Program Files\\Nortel\\Nortel VPN Client\\Extranet.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Trend Micro\\OfficeScan Client\\ScanMailOutLook.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"35205:TCP"= 35205:TCP:Trend Micro OfficeScan Listener
.
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\drivers\stdcfltn.sys [9/24/2010 7:23 PM 17648]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [9/24/2010 7:23 PM 43888]
S1 CBUL32;Measurement Computing DataAcq;c:\windows\system32\drivers\CBUL32.sys [10/15/2010 12:27 AM 54048]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2011 6:55 PM 136176]
S2 SSI Survey Client;SSI Survey Client;c:\program files\Scalable Software\Survey\SSI Survey Client\surveyclientnt.exe [12/11/2010 12:19 AM 90112]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/22/2010 12:52 AM 52304]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [5/2/2008 4:22 PM 249424]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [5/2/2008 4:21 PM 36432]
S2 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [7/10/2008 6:46 PM 689416]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [11/15/2010 1:32 PM 592120]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [9/24/2010 7:06 PM 113664]
S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [9/24/2010 7:11 PM 168616]
S3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [9/13/2007 9:52 AM 26137]
S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [9/24/2010 6:51 PM 132480]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [9/24/2010 7:09 PM 235520]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [9/13/2007 9:51 AM 157648]
S3 NETwNx32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [9/24/2010 7:17 PM 6650752]
S3 r_server;Remote Administrator Service;c:\windows\system32\r_server.exe [11/17/2010 7:54 PM 724992]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [1/2/2011 9:42 AM 96488]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [1/2/2011 9:42 AM 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [1/2/2011 9:42 AM 121576]
S3 SSI Client Installer;SSI Client Installer;c:\windows\system32\SCInstallerNT.exe [12/11/2010 12:19 AM 503808]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-05 01:55]
.
2011-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-05 01:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-28 11:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-03-28 11:12:21
ComboFix-quarantined-files.txt 2011-03-28 18:12
.
Pre-Run: 90,651,209,728 bytes free
Post-Run: 91,162,918,912 bytes free
.
- - End Of File - - ACD810577DD61ADA705F872632B6826B
 
RegBootClean.exe looks suspicious. (I am generally very wary of "registry cleaners" and don't recall installing it.) The file time is very close to when I opened the spoofed UPS email that started the initial infection. I've rendered it inert, but won't delete it until you tell me to.

Anything else look out of place?

I confess that "disablelockworkstation"= 1 (0x1) is my doing, but [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001 looks suspicious to me.... (I'd submit a help ticket at work to enquire about it... but I'm afraid they'll just send some goon to wipe my hard disk!)
 
I'd submit a help ticket at work to enquire about it... but I'm afraid they'll just send some goon to wipe my hard disk!

If I had realized this was your work computer when we started, I would have told you the same thing I tell other members:

I will not take responsibility for handling (removing or otherwise) processes that are specifically work-related. Many are not on the best terms with their IT representative, but that's who should be working on your system.

"Win32/RemoteAdmin application" is part of your work software as I'm sure the several hundred entries loading for "c:\\OrCAD\\OrCAD_16.2\\tools...

You cannot expect someone who volunteers their help on a free computer forum to take any responsibility for these kinds of processes.
 
Thank you for volunteering. Your position is totally fair, but I fear we have had a misunderstanding.

I'm NOT asking for help with VPN, Radmin, email or OrCad. Those are work related SW and I know how to get help for those. (I'm actually on pretty good terms with the local IT guys... it's just the corporate "Help Desk" system that we have to work around that we all roll our eyes at...)

Here's the full story. I'm a contractor and tele-commute. (I'm sitting at home, with the LT in a docking station as I write this.) Basically, my entire personal & professional life is on this laptop & I back it up often. I take care of most things myself and seek help from whoever seems most knowledgeable about the problem at hand.

My current trouble started when someone did a good enough job of spoofing UPS to get past my spam filter and conned me into clicking on an attached rar file. Since that's a universal scourge in society, I came here. (No doubt if I brought the problem to the guys at work, they would say "well, that's your home computer, and we don't support those" before grudgingly offering to wipe my hard disk :)

I would be sincerely grateful if you would look at the remaining lines in the log files and let me know if anything besides the work apps seems out of the ordinary.

Just to be clear, your help and this site are clearly valuable. I am happy to pay you or help support this site if there is a mechanism in place to do that.

Since you are a volunteer, I won't hold it against you if you refuse to help me in this situation.
But I will be stuck, with no clear path to a solution...

Thanks again for volunteering. You are clearly one of the 'good guys' on this planet! I hope you don't think I've behaved unethically, by coming here...
 
Please download OTMoveIt3 by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    D:\nuggets\RegistryBooster\registrybooster.exe 
    c:\windows\RegBootClean.exe
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===========================================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name > click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Please read this as to why TFC gets flagged occasionally and why it has the advantage over CCleaner:
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/page__st__30

This is about all I can do.
 
Good news

The good news is that I've found a workaround for the overzealous Office Scan. I can bounce it into Safe Mode to do the scans or other actions which require OS to be disabled. I am in the process of rerunning the 8-steps without any exceptions or omissions & installing TFC.

After that I'll clean up as you suggested above.

Thanks again for your help and the explanation on TFC vs CCleaner.

May your surge protectors be manly and the lightning miss your neighborhood. :)
 
May your surge protectors be manly and the lightning miss your neighborhood. :)

I'm happy to say that none of the 9 tornadoes was on my street, that the wind here only got up to about 40mph - not the 70-80mph that some had, I did not lose power or blow anything through the surge protector! The lightning was spectacular (as long as one was inside) and the rain was so heavy that the tornadoes were 'rain wrapped', meaning that the funnels couldn't be seen, only felt when they were on top of you!

About CCleaner: it tends to get overactive and remove Registry entries it shouldn't, and as for TFC, occasionally a security program will act on the file extension of some of the cleaning programs. We try to anticipate that and instruct the user to override it, but it's only recently that TFC has gotten flagged.

Sometimes I think the authors of security programs bend so far one way to try and keep malware out - or what they perceive as malware - that they try to take the good down with the bad.
 