allentech.net

Parasite: Tubby

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

Tubby is a family of browser hijackers, implemented as Internet Explorer Browser Helper Object (BHO) DLLs stored in the System folder, associated with CoolWebSearch.

Variants

Tubby/Tubby: original version, including a search toolbar, filename tubby.dll. Not widespread, believed to be non-functional.

Tubby/NAS: hijacker and toolbar aimed at makemesearch.com, filename NAS.dll.

Tubby/DLL: hijacker and toolbar aimed at othersearch.com, filename DLL.dll.

Tubby/ADV: hijacker and toolbar aimed at thenewsearch.com, filename ADV.dll. Takes updates from thenewsearch.com and pormans.com.

Tubby/TBC: hijacker and toolbar aimed at search-control.com, filename TBC.dll. Takes updates from search1-tools.com.

Tubby/MTC: hijacker and toolbar aimed at makemesearch.com, filename MTC.dll. Takes updates from toolbarplace.com.

Tubby/VTL: toolbar aimed at makemesearch.com, filename VTLbar1.dll. No hijacker, but generally delivered with the CoolWebSearch/Res homepage hijacker (msasp.dll, ‘MS Global Search Engine’).

Tubby/max6032, max8264, mtc2608, qwe0486, qwe1316, qwe2698, qwe4820, qwe7972, qwe8264, spm1316, spm4820, vld1306, wer1306, wer4820, yer5750 and yer6032: plain hijackers with the object name ‘Cls’; no toolbar. Sometimes installed by one of the other Tubby variants.

Tubby/wins32t: address bar search hijacker calling itself ‘Mailto Class’, filename wins32t.dll, often installed by one of the other Tubby variants.

Also known as

MakeMeSearch, after one of the commonly-hijacked-to domains. CoolWebSearch, as a generic name for all CWS-related parasites.

Tubby/qwe0486 may be detected as Spyware.Arau by Symantec anti-virus. Tubby/wins32t may be detected as Trojan.Win32.StartPage.ih by Kaspersky anti-virus or Trojan.StartPage-FJ by McAfee anti-virus.

Distribution

Installed by the CoolWebSearch group of Internet Explorer security hole exploits.

What it does

Advertising

No.

Privacy violation

No.

Security issues

Yes. Can silently download and execute arbitrary unsigned code from its controlling server.

Stability problems

No.

Removal

Tubby/TBC and MTC may put an entry in Add/Remove Programs for ‘Search Toolbar’, and Tubby/ADV one for ‘Advanced Search’. This entry worked for me, though it left the hijacked search settings behind.

Manual removal

Open a Command Prompt window (from Start->Programs->Accessories; called ‘DOS Prompt’ on Windows 95/98/Me) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u filename.dll

Replace “filename.dll” with the filename for the variant involved: tubby.dll, NAS.dll, DLL.dll, ADV.dll, TBC.dll, MTC.dll, VTLbar1.dll, max6032.dll, max8264.dll, mtc2608.dll, qwe0486.dll, qwe1316.dll, qwe2698.dll, qwe4820.dll, qwe7972.dll, qwe8264.dll, spm1316.dll, spm4820.dll, vld1306.dll, wer1306.dll, wer4820.dll, yer5750.dll, yer6032.dll or wins32t.dll.

Restart the computer and you should be able to delete this file, which you can find in the System32 folder (inside the Windows folder; called just ‘System’ on Windows 95/98/Me).

Finally, use the Internet Options->Programs->Reset Web Settings button to restore the default homepage and search settings.
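
The manual removal steps above depend on knowing which variant's DLL is registered. As an added example (not part of the original record or of Andrew Clover's detection script), this read-only PowerShell function lists the registered Internet Explorer BHOs and flags any whose DLL filename is one of those listed on this page. The registry locations are the standard Windows BHO and CLSID keys, assumed here rather than taken from the page, and the function name is hypothetical; PowerShell 3.0 or later is required.

```powershell
# Added example: read-only audit of registered IE Browser Helper Objects.
# The filenames are the variant DLL names listed on this page.
$TubbyDlls = @(
    'tubby.dll','NAS.dll','DLL.dll','ADV.dll','TBC.dll','MTC.dll','VTLbar1.dll',
    'max6032.dll','max8264.dll','mtc2608.dll','qwe0486.dll','qwe1316.dll',
    'qwe2698.dll','qwe4820.dll','qwe7972.dll','qwe8264.dll','spm1316.dll',
    'spm4820.dll','vld1306.dll','wer1306.dll','wer4820.dll','yer5750.dll',
    'yer6032.dll','wins32t.dll'
)

# Assumption (not from the page): standard Windows registration keys, in the
# native view plus the 32-bit view that exists on 64-bit Windows.
$Views     = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')
$BhoSubKey = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-RegisteredBho {   # hypothetical helper name
    foreach ($view in $Views) {
        $bhoRoot = "$view\$BhoSubKey"
        if (-not (Test-Path -LiteralPath $bhoRoot)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $bhoRoot) {
            # Each BHO subkey is named after the CLSID of the COM object.
            $clsid    = $entry.PSChildName
            $classKey = "$view\Classes\CLSID\$clsid"
            $name = $null; $dll = $null
            if (Test-Path -LiteralPath $classKey) {
                # Default value: the object name (e.g. 'Cls', 'Mailto Class').
                $name = (Get-Item -LiteralPath $classKey).GetValue('')
            }
            if (Test-Path -LiteralPath "$classKey\InprocServer32") {
                # Default value: path of the DLL that implements the object.
                $dll = (Get-Item -LiteralPath "$classKey\InprocServer32").GetValue('')
            }
            $leaf = if ($dll) { [System.IO.Path]::GetFileName($dll.Trim('"')) } else { $null }
            [pscustomobject]@{
                View       = $view
                Clsid      = $clsid
                ObjectName = $name
                Dll        = $dll
                NameOnList = [bool]($leaf -and ($TubbyDlls -contains $leaf))
            }
        }
    }
}

# Flagged entries first; nothing is modified or unregistered.
Get-RegisteredBho | Sort-Object NameOnList -Descending | Format-Table -AutoSize
```

Short names such as DLL.dll or NAS.dll can also belong to unrelated software, so a flagged row is a lead to verify (path, object name) before running regsvr32 /u against it.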

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
