
mcafee sec.center finds files but cannot delete them [Solved]


  • This topic is locked

#46
tjmk

tjmk

    Member

  • Topic Starter
  • Member
  • 38 posts
here is the new OTL log. it looks the same to me.
note: i ticked 'none' to all those items, but as soon as i clicked 'run scan' the one called 'standard registry' changed its tick to 'all'.


OTL logfile created on: 6/29/2009 8:43:01 AM - Run 3
OTL by OldTimer - Version 3.0.5.3 Folder = C:\Documents and Settings\tjmk\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.00 Mb Total Physical Memory | 385.86 Mb Available Physical Memory | 37.75% Memory free
1.90 Gb Paging File | 1.33 Gb Available in Paging File | 69.80% Paging File free
Paging file location(s): C:\pagefile.sys 1022 1222 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.47 Gb Total Space | 25.09 Gb Free Space | 33.69% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 7.83 Gb Total Space | 0.59 Gb Free Space | 7.50% Space Free | Partition Type: FAT32
Drive G: | 5.14 Gb Total Space | 4.73 Gb Free Space | 92.13% Space Free | Partition Type: FAT32
Drive H: | 6.12 Gb Total Space | 2.30 Gb Free Space | 37.57% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: D4J0FH31
Current User Name: tjmk
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Custom Scans ==========


< HKLM\SOFTWARE\Classes|minibugtransporter /rs >

< HKCU\SOFTWARE\Classes|minibugtransporter /rs >

< HKLM\SOFTWARE\Classes|webcom /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000C0373-0000-0000-C000-000000000046}\\: WebComponentProperties
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000CD100-0000-0000-C000-000000000046}\\: WebComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000CD101-0000-0000-C000-000000000046}\\: WebComponentWindowExternal
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000CD102-0000-0000-C000-000000000046}\\: WebComponentFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E792405F-8668-11D3-9058-00C04F799E3F}\\: WebCommandButton

< HKCU\SOFTWARE\Classes|webcom /rs >
< End of report >
  • 0

#47
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi tjmk,
This unexpected behaviour, with MBAM & those registry keys, has happened before.
There is a suggestion that it might be caused by faulty blocks on the h'drive, so we will rule that out first.

Run Chkdsk from My Computer or Windows Explorer:
  • Double-click My Computer, and then right-click the hard disk that you want to check.
  • Click Properties, and then click Tools.
  • Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed,
  • Tick both the boxes, & click Start.

    Note:- This will generate a warning that this process can only be done at a restart because the drive is in use.
  • Click Yes & reboot the PC.

When that is done, rescan with MBAM & let it remove the keys it finds, then Reboot & rescan with MBAM & see if they are back

Edited by sage5, 29 June 2009 - 10:09 PM.

  • 0

#48
tjmk

tjmk

    Member

  • Topic Starter
  • Member
  • 38 posts
yep, they're back.

note: mbam finds the minibugtransporter, while mcafee finds webcom

Malwarebytes' Anti-Malware 1.38
Database version: 2353
Windows 5.1.2600 Service Pack 2

6/30/2009 12:43:17 AM
mbam-log-2009-06-30 (00-43-17).txt

Scan type: Quick Scan
Objects scanned: 107048
Time elapsed: 13 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#49
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi tjmk,

We have another course of action yet.

Please print these instructions, and have the hard copy handy, to complete the steps below.

Once you have downloaded the file, please close all open windows, browsers, email clients etc

Download RootRepeal.zip and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

Edited by sage5, 01 July 2009 - 09:09 PM.

  • 0

#50
tjmk

tjmk

    Member

  • Topic Starter
  • Member
  • 38 posts
here is the rootrepeal log


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/01 20:16
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE54C000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D5F000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF7925000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\mcafee_wu9encip6q4jcgw
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_ilyuxby0k4pbfq6
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: F:\Program Files\Norton Rescue\s32fatl.dl^
Status: Invisible to the Windows API!

Path: F:\Program Files\Norton Rescue\s32krnll.dl^
Status: Invisible to the Windows API!

Path: F:\Program Files\Norton Rescue\s32utill.dl^
Status: Invisible to the Windows API!

Path: F:\Program Files\Norton Rescue\symkrnll.vx^
Status: Invisible to the Windows API!

Path: F:\Program Files\Norton Rescue\trouble.tx^
Status: Invisible to the Windows API!

Path: F:\Program Files\Norton Rescue\rescue32.hl^
Status: Invisible to the Windows API!

Path: F:\Program Files\Norton Rescue\rscfmt.dl^
Status: Invisible to the Windows API!

Path: F:\Program Files\Norton Rescue\s32guil.dl^
Status: Invisible to the Windows API!

Path: F:\Program Files\Norton Rescue\s32sysl.dl^
Status: Invisible to the Windows API!

Path: F:\Program Files\Norton Rescue\symkrnll.dl^
Status: Invisible to the Windows API!

Path: F:\Program Files\Norton Rescue\tkke32l.dl^
Status: Invisible to the Windows API!

Path: F:\Program Files\Norton Rescue\aspi8u2.sy^
Status: Invisible to the Windows API!

Path: F:\Program Files\Norton Rescue\aspicd.sy^
Status: Invisible to the Windows API!

Path: F:\Program Files\Norton Rescue\aspidisk.sy^
Status: Invisible to the Windows API!

Path: F:\Program Files\Norton Rescue\centhelp.cn^
Status: Invisible to the Windows API!

Path: F:\Program Files\Norton Rescue\rescue32.cn^
Status: Invisible to the Windows API!

Path: F:\Program Files\Norton Rescue\config.sy^
Status: Invisible to the Windows API!

Path: F:\Program Files\Norton Rescue\nugloss.hl^
Status: Invisible to the Windows API!

Path: F:\Program Files\Norton Rescue\readme.tx^
Status: Invisible to the Windows API!

Path: F:\Program Files\Norton Rescue\S32FATL.DLL
Status: Visible to the Windows API, but not on disk.

Path: F:\Program Files\Norton Rescue\S32KRNLL.DLL
Status: Visible to the Windows API, but not on disk.

Path: F:\Program Files\Norton Rescue\S32UTILL.DLL
Status: Visible to the Windows API, but not on disk.

Path: F:\Program Files\Norton Rescue\SYMKRNLL.VXD
Status: Visible to the Windows API, but not on disk.

Path: F:\Program Files\Norton Rescue\TROUBLE.TXT
Status: Visible to the Windows API, but not on disk.

Path: F:\Program Files\Norton Rescue\RESCUE32.HLP
Status: Visible to the Windows API, but not on disk.

Path: F:\Program Files\Norton Rescue\RSCFMT.DLL
Status: Visible to the Windows API, but not on disk.

Path: F:\Program Files\Norton Rescue\S32GUIL.DLL
Status: Visible to the Windows API, but not on disk.

Path: F:\Program Files\Norton Rescue\S32SYSL.DLL
Status: Visible to the Windows API, but not on disk.

Path: F:\Program Files\Norton Rescue\SYMKRNLL.DLL
Status: Visible to the Windows API, but not on disk.

Path: F:\Program Files\Norton Rescue\TKKE32L.DLL
Status: Visible to the Windows API, but not on disk.

Path: F:\Program Files\Norton Rescue\ASPI8U2.SYS
Status: Visible to the Windows API, but not on disk.

Path: F:\Program Files\Norton Rescue\ASPICD.SYS
Status: Visible to the Windows API, but not on disk.

Path: F:\Program Files\Norton Rescue\ASPIDISK.SYS
Status: Visible to the Windows API, but not on disk.

Path: F:\Program Files\Norton Rescue\CENTHELP.CNT
Status: Visible to the Windows API, but not on disk.

Path: F:\Program Files\Norton Rescue\RESCUE32.CNT
Status: Visible to the Windows API, but not on disk.

Path: F:\Program Files\Norton Rescue\CONFIG.SYS
Status: Visible to the Windows API, but not on disk.

Path: F:\Program Files\Norton Rescue\NUGLOSS.HLP
Status: Visible to the Windows API, but not on disk.

Path: F:\Program Files\Norton Rescue\README.TXT
Status: Visible to the Windows API, but not on disk.

Path: F:\Documents and Settings\Kari\Local Settings\Temp\Temporary Internet Files\Content.IE5\49ABC9EF\Type%3dclick%26FlightID%3d23330%26AdID%3d35204%26TargetID%3d8526%26Segments%3d%26Targets%3d%26Values%3d31,43,51,60,72,82,92,93,100,110,150,155,197,210,214,531,596,638,730,74[1].htm
Status: Locked to the Windows API!

Path: F:\Documents and Settings\Kari\Local Settings\Temp\Temporary Internet Files\Content.IE5\49ABC9EF\Type%3dclick%26FlightID%3d23330%26AdID%3d35204%26TargetID%3d8526%26Segments%3d%26Targets%3d%26Values%3d31,43,51,60,72,82,92,93,100,110,150,155,197,210,214,531,596,638,730,74[2].htm
Status: Locked to the Windows API!

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xee724df0

Stealth Objects
-------------------
Object: Hidden Module [Name: sprtmessage.dll]
Process: sprtcmd.exe (PID: 1972) Address: 0x02f10000 Size: 77824

Object: Hidden Module [Name: SupportSoft.Agent.Sprocket.SupportMessage.dll]
Process: sprtcmd.exe (PID: 1972) Address: 0x03950000 Size: 45056

Object: Hidden Module [Name: SupportSoft.Agent.Sprocket.dll]
Process: sprtcmd.exe (PID: 1972) Address: 0x03970000 Size: 28672

==EOF==
  • 0
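A small parser for the RootRepeal report format shown in the post above, added here as an example and not code from the thread or from RootRepeal's author: it turns the report into per-section records and tallies the Hidden/Locked Files statuses and the SSDT hooks, so entries such as "Allocation size mismatch" or "Invisible to the Windows API" can be reviewed apart from the routine locked pagefile and hibernation file. The sample report inside it is a constructed excerpt in the same layout as the posted log.

```python
# Added example, not from the thread or RootRepeal's author. Fields are 'Key: value', several
# may share a line, a blank line ends a record, and a section header is underlined with dashes.
import re
from collections import Counter, defaultdict

FULL_LINE = {"Path", "Image Path", "Status", "Object"}  # values may themselves contain ': '
PAIR = re.compile(r'([A-Za-z#][A-Za-z ]*?): (.*?)(?=\s+[A-Za-z#][A-Za-z ]*?: |\s*$)')
RULE = re.compile(r'-{5,}\s*')

SAMPLE = r"""Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\mcafee_wu9encip6q4jcgw
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: F:\Program Files\Norton Rescue\S32FATL.DLL
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xee724df0
"""  # constructed excerpt in the same layout as the report posted above

def parse_rootrepeal(text):
    """Return {section: [record, ...]}; a record is a dict of the report's fields."""
    out, section, rec, prev = defaultdict(list), None, {}, ""
    for line in text.splitlines():
        if RULE.fullmatch(line):                    # dash rule: the line above is the header
            section, rec = prev.strip(), {}
        elif not line.strip():                      # blank line closes a record
            if rec:
                out[section].append(rec)
            rec = {}
        elif section is not None:                   # banner lines before a header are skipped
            key, _, rest = line.partition(": ")
            rec.update({key: rest} if key in FULL_LINE else PAIR.findall(line))
        prev = line
    if rec:
        out[section].append(rec)
    return dict(out)

def summarize(report):
    """Tally Hidden/Locked Files by status; list (function, hooking driver) for SSDT hooks."""
    statuses = Counter(r["Status"] for r in report.get("Hidden/Locked Files", []))
    hooks = [(r["Function Name"], re.search(r'"([^"]*)"', r["Status"]).group(1))
             for r in report.get("SSDT", []) if r["Status"].startswith("Hooked by")]
    return statuses, hooks
```

Feed it the full posted report and the Norton Rescue entries show up as a block of one status, which is the quickest way to see that they all come from one folder rather than from scattered system locations.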

#51
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
F:\Program Files\Norton Rescue
This doesn't appear in the Add/Remove Programs list.

Please download the following & save to your Desktop:
Norton Removal Tool

Remove Nortons:
Double click the Norton_Removal_Tool.exe & follow the instructions.
The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer.
Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.

When that is done, please check that the F:\Program Files\Norton Rescue folder is gone.

Copy the Text in the Code box below to a new Notepad file & save to the Desktop as Entries.txt
minibugtransporter.minibugtransporterx
minibugtransporter.minibugtransporterx.1
WebCom.WebBar
WebCom.WebBar.1

Close all other windows, except Entries.txt

Re-run RootRepeal:
  • Double click RootRepeal.exe to start the program
  • Go to Tools > Delete Registry Key, in the upper menu bar
  • In the Drop-down box on the left, scroll down to HKEY_CLASSES_ROOT
  • Copy & paste the first line of text from Entries.txt, into the box on the right.
  • Click the Delete Key button
  • Repeat the procedure for the other 3 lines from Entries.txt
  • Click the Close button & exit from RootRepeal

When done, reboot & rescan with MBAM & McAfee & see if those are finally gone

Edited by sage5, 02 July 2009 - 05:48 PM.

  • 0

#52
tjmk

tjmk

    Member

  • Topic Starter
  • Member
  • 38 posts
F:\Program Files\Norton Rescue folder is still there - the computer did not restart at all, nor did i get any instructions. i did manually restart the computer when it finished running.

is this something i can just delete, or does that mess things up?

as i mentioned, the files f,g,h are partitions on a hard drive from a former computer that is slave to the one on this computer. that computer had norton av , this one has mcafee.

--
have not yet run the rootrepeal stuff.
  • 0

#53
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
As they are just "baggage", delete them at your leisure.
Try the RootRepeal thing, to see if we can get those keys removed. :)
  • 0

#54
tjmk

tjmk

    Member

  • Topic Starter
  • Member
  • 38 posts
both mbam and mcafee scans came up clean!
hooray!!
  • 0

#55
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
That is great news :)
Does the machine have any other symptoms?
Otherwise, I think we can close this & you can be on your merry way.

Cheers,

sage5
  • 0

#56
tjmk

tjmk

    Member

  • Topic Starter
  • Member
  • 38 posts
i think we are good.
THANK YOU VERY MUCH FOR STICKING WITH IT!! :)

which of these utilities i downloaded can i get rid of? and which do you recommend keeping

(i'm keeping mbam for sure)

sysrestorepoint
rootrepeal
nortonremovaltool
tfc
erunt
drwebcureit
rooter
regsearch
superantispyware
  • 0

#57
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
You are very welcome tjmk :)

Of all of those, I would only keep:
ERUNT --> handy to make a backup of the registry before installing trial software
TFC --> The best temp file cleaner
Any of the others, you download as fresh copies, if needed.

All the very best,

sage5
  • 0

#58
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0