Major Help needed...Waaaaaaaaa

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by TGHC, Oct 26, 2004.

  1. TGHC

    TGHC Private E-2

    Hi guys, great forum very helpful to an old codger like me, I've read all the do's and don'ts and am trying to adhere to your rules, so here goes:-

    Two problems - a) My home page has been hijacked by Search-Control
    and my email send receive in outlook has stopped working, it keeps hanging.

    I have been running winXP, Panda antivirus, Ad-Aware, spybot, spywareblaster and zone alarm. Browser is IE6.0.2800.1106

    I've also downloaded all your suggested anti-spy thingies, that I didn't already have, eg CW shredder, Kill2me, etc

    I've carried out all your scanning and cleaning steps, and I've also run Hijackthis and deleted the Search-control items but to no avail.

    Search control keeps coming back and my email still won't work....WAAAAAAA

    Incidentally the email was working fine before all this hijack stuff started.

    Please make an old man happy, before he pulls up his sleeves and gets out the safety razor!!!!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or from a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Please make sure you have HijackThis version 1.98.2 and I repeat, exit all browsers (IE, etc) before running HijackThis.
     
  3. PhilliePhan

    PhilliePhan Guest

    EDIT: I'm last again, darn it!!
    Was a bit distracted and when I got back I didn't see you Chas.

    PP
     
    Last edited by a moderator: Oct 27, 2004
  4. TGHC

    TGHC Private E-2

    Thanks for the response, search-control has hijacked my browser again grrrrrr
    anyway attached is the hijack log file converted into a txt file as requested, I hope I've done it correctly.

    Incidentally when I saved the HJT log, my antivirus popped up and said it had found a virus and disinfected it....the virus was Trj/comsys.A

    thanks

    TGHC
     

    Attached Files:

  5. TGHC

    TGHC Private E-2

    Hmmmm, the antivirus keeps popping up with the txt file I posted back to the forum, and when I try and close the virus found dialogue box it pops back up about 3 times before it stays down! Should I throw myself on my sword now?

    TGHC
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run the McAfee Avert Stinger Scan? If not, please do so. Then do the below.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-control.com/search.cgi?id=244
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-control.com/search.cgi?id=244
    O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINDOWS\System32\TBC.dll


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\TBC.dll

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
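
Added example, not part of the original post and not MajorGeeks or HijackThis code: a small Python parser that turns R-section and O2 (BHO) log lines like the ones quoted above into structured fields, so start pages and browser helper objects can be reviewed consistently. The `trusted_hosts` allowlist and the O4 sample line are assumptions made up for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the three entries quoted in the post plus one made-up O4 line.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-control.com/search.cgi?id=244
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-control.com/search.cgi?id=244
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-544243544243} - C:\WINDOWS\System32\TBC.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

# R0-R3: "<code> - <hive>\<key>,<value name> = <data>"
R_ENTRY = re.compile(r"^(R[0-3]) - (HK[A-Z]+)\\(.+?),(.+?) = (.*)$")
# O2: "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_ENTRY = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")

def parse_hjt(text):
    """Return one dict per R* or O2 entry; other sections are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := R_ENTRY.match(line):
            code, hive, key, value, data = m.groups()
            entries.append({"type": code, "hive": hive, "key": key,
                            "value": value, "data": data,
                            "host": urlsplit(data).hostname})
        elif m := O2_ENTRY.match(line):
            name, clsid, path = m.groups()
            entries.append({"type": "O2", "name": name,
                            "clsid": clsid.upper(), "path": path})
    return entries

def review(entries, trusted_hosts):
    """Flag start pages whose host is not in trusted_hosts (hypothetical
    allowlist) and list every BHO with its CLSID and DLL for manual review."""
    findings = []
    for e in entries:
        if (e["type"].startswith("R") and e["value"] == "Start Page"
                and e["host"] not in trusted_hosts):
            findings.append(f'{e["hive"]} start page -> {e["host"]}')
        elif e["type"] == "O2":
            findings.append(f'BHO {e["name"]} {e["clsid"]} -> {e["path"]}')
    return findings

if __name__ == "__main__":
    for finding in review(parse_hjt(SAMPLE_LOG), {"www.example.org"}):
        print(finding)
```
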
     
  7. Kodo

    Kodo SNATCHSQUATCH

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  9. TGHC

    TGHC Private E-2

    Hi again, thanks for your advice, it is very much appreciated.

    Ok I've followed your instructions, to the letter, with one exception. The file you said to delete in safe mode, i.e. C:\WINDOWS\System32\TBC.dll, was not there; however, there was a file called C:\WINDOWS\System32\TBC with no extension, and it was described as configuration settings 2kb, so I've left it alone pending your advice.

    The latest HJT log is attached

    TGHC
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When enabling viewing of hidden files, are you sure you have unchecked the line that says:
    Hide extensions for known file types? That would cause TBC.dll to be TBC.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Even more important, you never upgraded to HijackThis Version 1.98.2 as I asked awhile ago. You should do that and post a new log. It finds things the old version did not. Also, you did not get any backups when you fixed lines using version 1.97.7
     
  12. TGHC

    TGHC Private E-2

    Thanks guys for your assistance, things have certainly improved, but not sure if I'm out of the woods completely.

    Now that's odd, about the HJT version, because I did download it from the majorgeeks download link as you asked. I'll go through it again and check to see if I have both versions in my folders somewhere, and I'll follow your advice on the hidden file extensions and get back to you.

    once again thanks for your help

    TGHC
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What do you mean "you are not out of the woods completely"? What is still wrong?
    (Besides the TBC.dll file.)

    You are running HJT from C:\Zdata\Downloads\HijackThis.exe. Perhaps you downloaded the new version from us (which is in a ZIP file and must be extracted) but you are clicking on a link to the old file.
     
