
Author Topic: C drive display  (Read 27692 times)


CBMatt

  • Mod & Malware Specialist


  • Prodigy

  • Sad and lonely...and loving every minute of it.
  • Thanked: 167
    • Yes
  • Experience: Experienced
  • OS: Windows 7
Re: C drive display
« Reply #30 on: October 30, 2008, 07:57:58 PM »
Heh, no worries, my wife is still at work.  I do have to get to my classes pretty soon, however.

I hate to admit it, but I'm not entirely sure what to do about this program.  I'm not seeing any trace of it in your log.  It's not set to start up with the computer, nor is it imbedded in your IE.

The only thing I can think of at the moment is to try removing it with CCleaner and then clean the registry.  Download CCleaner (install without Yahoo! toolbar) and configure it according to this guide.  Make sure you let CCleaner back up your registry!

You could also install a new download of Tubesucker and then try uninstalling that.

If you still have no luck, you may want to contact them and ask for help...
http://www.newrad.com/mail.html
Quote
An undefined problem has an infinite number of solutions.
—Robert A. Humphrey

NNEagle

    Topic Starter


    Beginner

    Thanked: 1
    Re: C drive display
    « Reply #31 on: October 30, 2008, 09:30:59 PM »
    Ran CCleaner and followed the guide. It had 314 issues and all was fixed. Uninstalled Tubesucker from CCleaner and came up with a lost internet connection. Restored the internet connection after a system restore and got back my internet connection. The tubesucker is back and runs each time I sign in, open inbox or refresh a page.

    Wrote to the folk at Newrad and now awaiting a response from them. You have a great day and do take care.
    Eagle

    NNEagle

      Re: C drive display
      « Reply #32 on: October 31, 2008, 05:26:27 AM »

      Reply from newrad

      hmmm. all I can say is msft sucks. If I did not want TubeSucker on my PC, (but of course u do), I would just reinstall IE. But if u don't mind TS being on ur pc, then I would just reinstall TS, and see if that helps. If it does not, then re-install IE, and you should be fine. I apologize on msft's behalf. They are crazy. Most of what they do is to protect their monopoly, and we are the ones who pay without wasted time. But all systems except maybe linux are the same. They just want money it seems. Thanks for trying my product, and please tell your friends about it. Thx E

      ----- Original Message ----- : Friday, October 31, 2008 12:25 AM
      Subject: Uninstalling TubeSucker

      > Hello,
      >
      > I had some computer problems with a virus. I did what has to be done and got rid of it. Created a new restore point after a clean and ran restore point after deleting all the old restore points. When my computer booted up, TubeSucker came up and automatically started to install the same. Since there was a file by name TubeSucker.msi missing. I am prompted to browse and install the same. And this happens each time I sign into the internet, refresh the page or go to another link. When I uninstalled TubeSucker, my internet connection does not get activated. The icon on the desktop changes to another icon and I just cannot get back onto the internet, till I go back and do a system restore and do the same from Systemcheck point Uninstall TubeSucker.
      >
      > I have no problem to let this software remain on my computer as a friend of mine had downloaded the same. Kindly advise and appreciate your time.
      >
      > Thank you
      Eagle

      NNEagle

        Re: C drive display
        « Reply #33 on: November 02, 2008, 04:42:38 AM »
        Downloaded Internet Explorer, uninstalled Tubesucker. Rebooted the computer and then reinstalled Internet Explorer and this has stopped the tubesucker from reloading.

        Thank you very much for all the help.

        As Always

        Computerhope will overcome them all. Thank you very much once again
        Eagle

        CBMatt

        Re: C drive display
        « Reply #34 on: November 03, 2008, 02:56:20 AM »
        Awesome!  I'm a bit surprised that this ended up being the solution, but it's certainly good to know (we will now know what to do if this happens to someone else).  I figured if anyone was going to have an idea of how to fix this, it would be the program's creator.  Heh.  In any case, I'm very glad that everything is working as it should.  Take care and keep safe.

        Re: C drive display
        « Reply #35 on: November 19, 2008, 03:31:24 AM »
        When I went to my computer last evening, it showed, and is still showing, my C drive as %$thb$%(C). and a picture with thb creation. Is this a virus, or what is it? Kindly help.

        CBMatt

        Re: C drive display
        « Reply #36 on: November 19, 2008, 06:55:22 AM »
        Are you experiencing the same problem, chakra?  If so, you need to start your own thread and follow the instructions here:
        http://www.computerhope.com/forum/index.php/topic,46313.0.html

        patti



          Newbie

          Re: C drive display
          « Reply #37 on: December 02, 2008, 10:32:48 AM »
          Congrats!  You are now clean!  That last log indicates that ComboFix has managed to delete those files, along with a few others. 

          I think that system is still infected. The next HJT log that was posted doesn't show it because HJT is pretty limited, but if you look at the Combofix log it indicates:

          [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\
          {1EC04D97-5F10-DD1B-0306-020403060503}]
          C:\WINDOWS\system32\SecSystem.exe

          This is a common load point for trojans. That particular entry is related to a member of Win32.Poison, a family of backdoor trojans. See: http://www.threatexpert.com/report.aspx?uid=1fbb1810-63d1-40f1-82da-c4b065bace0f for details. You can also grab a copy of secsystem.exe and upload it to VirusTotal for a scan.

          NNEagle, in addition to Win32.Poison, there's indication of a possible autorun worm impacting the system:
          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\
          {93b6f101-cc8c-11dc-acfc-aa8fad93d89f}]
          \Shell\AutoRun\command - setup.exe

          I don't recognize that CLSID; it may or may not be legit. Definitely worth checking into since autorun is frequently abused by malware distributors (and autorun worms frequently come hand in hand with backdoors). There are really only two good ways of disabling autorun: either via TweakUI or via a registry hack that sends calls to autorun.inf into never-never-land:

          REGEDIT4
          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
          @="@SYS:DoesNotExist"

          For details on the challenges of disabling autorun (and why only the above 2 methods will work), see:
          http://nick.brown.free.fr/blog/2007/10/memory-stick-worms

          In any event, if the system was infected by a backdoor, trying to remove the malware is fruitless. You should consider the system completely compromised and do a wipe and reload. Make sure you change all your passwords afterward since those were likely compromised during the infection.
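
A read-only audit of the three registry locations named in the post above, added here as an example (it is not part of the original post and not taken from ComboFix or HijackThis). It assumes a PowerShell prompt on the machine under review and that Active Setup components store their command in the standard `StubPath` value; all variable names are illustrative.

```powershell
# Added example: read-only audit of the registry locations named in the post.
# Nothing is modified; variable names are illustrative.

# 1. Active Setup: a component's StubPath command runs once per user at logon.
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$stubs = Get-ChildItem -LiteralPath $activeSetup -ErrorAction SilentlyContinue |
    ForEach-Object {
        $stub = $_.GetValue('StubPath')
        if ($stub) {
            [pscustomobject]@{ Component = $_.PSChildName; StubPath = $stub }
        }
    }

# 2. MountPoints2: per-volume shell entries for the current user, including
#    any AutoRun command recorded for a volume that has been mounted.
$mountPoints = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$autoruns = Get-ChildItem -LiteralPath $mountPoints -ErrorAction SilentlyContinue |
    ForEach-Object {
        $cmdKey = $_.OpenSubKey('Shell\AutoRun\command')
        if ($cmdKey) {
            [pscustomobject]@{ Volume = $_.PSChildName; Command = $cmdKey.GetValue('') }
            $cmdKey.Close()
        }
    }

# 3. IniFileMapping: is the Autorun.inf redirect quoted in the post in place?
$mapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$mapped = $null
if (Test-Path -LiteralPath $mapKey) {
    $mapped = (Get-Item -LiteralPath $mapKey).GetValue('')
}

'--- Active Setup StubPath entries (check each target file on disk) ---'
$stubs | Sort-Object StubPath | Format-Table -AutoSize -Wrap | Out-String
'--- AutoRun commands recorded under MountPoints2 ---'
$autoruns | Format-Table -AutoSize -Wrap | Out-String
if ($mapped -eq '@SYS:DoesNotExist') {
    'Autorun.inf mapping: redirected to @SYS:DoesNotExist'
} else {
    "Autorun.inf mapping: not redirected (current value: '$mapped')"
}
```

On 64-bit Windows the 32-bit view of Active Setup lives under `HKLM:\SOFTWARE\WOW6432Node` and needs the same check.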

          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 493
          • Experience: Experienced
          • OS: Windows 11
          Re: C drive display
          « Reply #38 on: December 02, 2008, 04:20:27 PM »
          Welcome to CH patti.

          Do you have any experience in online malware removal?

          Quote
          trying to remove the malware is fruitless

          This isn't entirely true. Many of the malware we deal with are very curable, just because it's labeled a backdoor trojan doesn't mean they are incurable. And many users don't really just have the option to reinstall since PC manufacturers have fallen into the trend of not shipping the install CD with a new computer. That's where we come in.

          You might want to look here http://www.computerhope.com/forum/index.php/topic,57605.0.html

          We would love to have you on our team if you are willing to work with us and provide a little more information.

          Thanks. Kevin.

          CBMatt

          Re: C drive display
          « Reply #39 on: December 02, 2008, 04:32:31 PM »
          I'm with evilfantasy; this infection should be curable.  I would also like to know if you have experience in this (and how much if you do) because we are quite shorthanded and could use some help.  This is probably part of the reason why I missed this file...I stare at tons of these logs each day and I have to admit that something slips by me from time to time.  So, any help we can get would be great.

          With that said...NNEagle, if you're still around, I'd like to request a new ComboFix and HijackThis log to get an update on your system. [PM sent as well]

          patti




            Re: C drive display
            « Reply #40 on: December 02, 2008, 06:47:09 PM »
            The problem with malware today is that even a simple adware infestation can quickly evolve into rootkit-enabled threats that aren't easily discoverable. Combofix does better than HJT, but even it ignores some things (NTFS data streams are one example). And since you're forced to interpret based on filename / location alone, neither is much help when it comes to malware that is named after a legitimate system file and has modified or replaced the original. It's not whether something *can* be removed, but whether you're able to find all the things that *must* be removed. I realize it's not easy to wipe and reload, but it's a necessary evil these days. :-(

            I'm a professional in the antivirus/security industry. I'd love to help more but I seriously lack the time. I came across the forum while searching for something else and just didn't want NNEagle going on his merry way with a likely backdoor still intact on his system.

            BC_Programmer


              Mastermind
            • Typing is no substitute for thinking.
            • Thanked: 1140
              • Yes
              • Yes
              • BC-Programming.com
            • Certifications: List
            • Computer: Specs
            • Experience: Beginner
            • OS: Windows 11
            Re: C drive display
            « Reply #41 on: December 02, 2008, 07:08:26 PM »
            People make it more difficult than it seems. I've easily accosted many infections on my machine- maybe 10 in the last year. I have no anti-virus software.

            One or two got my normally 28 Process task manager into the 200+ process count.


            Recovery console. Deleted the files. Ran a Windows Repair install.


            Boom- reboot. 28 processes.

            Re-installation is only a "necessary evil", and it's only hard to identify what to delete when you don't know everywhere you have to look.

            Specific registry keys, such as the run, winlogon and browser helper keys, can be used to find dlls and CLSIDs. CLSIDs, of course, can be looked up under the HKEY_CLASSES_ROOT\CLSID and the inprocserver dll identified, and subsequently added to the list of items one needs to delete in recovery console.

            Rootkits are a breeze as well. Once again, Rootkitrevealer paired with recovery console, or in the worst case the usage of a separate OS install.

            ALL infections are curable. It's a matter of weighing in the time/skill required to vanquish them with the time that would be used backing up important data, wiping the drive, reinstalling the OS and applications, and restoring the data.

            The only variable here is skill.
            I was trying to dereference Null Pointers before it was cool.
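
The lookup described in the post above (Run, Winlogon and Browser Helper Object keys, with each BHO CLSID resolved to its in-process server DLL), as an added read-only example that is not part of the original post. The `$findings` layout and variable names are illustrative; the script only lists entries and leaves judging them to the reviewer.

```powershell
# Added example: list the autostart locations named in the post, read-only.
$findings = @()

# Run keys (machine and current user): each value is a command run at logon.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($path in $runKeys) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $key = Get-Item -LiteralPath $path
    foreach ($name in $key.GetValueNames()) {
        $findings += [pscustomobject]@{
            Source = $path; Name = $name; Target = $key.GetValue($name)
        }
    }
}

# Winlogon: Shell normally holds explorer.exe and Userinit the path to
# userinit.exe followed by a comma; anything extra deserves a closer look.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-Item -LiteralPath $winlogon
foreach ($name in 'Shell', 'Userinit') {
    $findings += [pscustomobject]@{
        Source = $winlogon; Name = $name; Target = $wl.GetValue($name)
    }
}

# Browser Helper Objects: subkey names are CLSIDs. Resolve each one under
# HKEY_CLASSES_ROOT\CLSID to the DLL named by its InprocServer32 default value.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($bho in @(Get-ChildItem -LiteralPath $bhoKey -ErrorAction SilentlyContinue)) {
    $clsid  = $bho.PSChildName
    $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $dll    = '<CLSID not registered>'
    if (Test-Path -LiteralPath $server) {
        $dll = (Get-Item -LiteralPath $server).GetValue('')
    }
    $findings += [pscustomobject]@{ Source = 'BHO'; Name = $clsid; Target = $dll }
}

$findings | Format-List
```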

            evilfantasy

            Re: C drive display
            « Reply #42 on: December 02, 2008, 07:59:38 PM »
            There is a big difference in doing malware removal as a profession and as a volunteer. We have no time constraints. Reinstalling an OS is relatively a quick process and, more bluntly, cheaper than spending hours and hours looking over logs from the wide variety of tools at our disposal.

            There is one particular rootkit that has been introduced recently that was taking hours just to get started in removing. The more we learn about it the better we are prepared to deal with it and less time is spent.

            Many of the volunteers who do malware removal are also in the antivirus/security industry. The result is a better product for the end user. So you can say that what we do is also a necessary evil these days. :-(

            BC_Programmer


            Re: C drive display
            « Reply #43 on: December 02, 2008, 09:15:00 PM »
            Indeed, but it was implied that reinstallation was necessary in severe cases. Sure, it may be warranted in some cases, but necessary? No.


            evilfantasy

            Re: C drive display
            « Reply #44 on: December 02, 2008, 10:27:54 PM »
            Agreed. Although a reinstall is the only sure way to know, it is seldom a must.