Author Topic: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar  (Read 7173 times)

Offline logos

  • avast! Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9456
  • Gender: Male
    • Personal Message (Offline)
okay I had no idea how it happened until I found this article:
http://www.ghacks.net/2011/08/17/how-to-uninstall-the-babylon-toolbar-completely/

... so this must have been yesterday, I wanted to download a program to do desktop video capture and that's what you get from Cnet now:
cnet_Pixetell-1_3_16005_zip.exe

... then after running it you get the actual program file you're looking for, downloaded:
in this case Pixetell-1.3.16005.zip

... I'm sure I unchecked any suggested crapware during the Cnet download, but it still happened:

Chrome >>> search engine hijacked
Firefox >>> search engine and homepage hijacked
Internet Explorer 9 >>> search engine, homepage hijacked + toolbar installed (but not enabled, I got a prompt)

 Their freakin' homepage imitates Google ;D

... don't know what would have happened with Avast, I didn't have it installed anymore for a few days (boottime issues, unrelated here), just MSE was running. But I'm not sure at all if Avast would have prevented anything.
« Last Edit: September 16, 2011, 11:16:35 AM by logos »
w7 - ais7

Offline logos

Re: CNET downloader >>> beware "babylon search and toolbar" hijack
« Reply #1 on: September 16, 2011, 10:54:41 AM »
anyway I could get rid of everything manually, toolbar etc.. no add-on was installed in Firefox (although one is mentioned in the log). MSE + MBAM + SAS say system clean. I also deleted any babylon entry manually in the registry. So everything should be fine now.

here's the log file content of that crap:

-----------  15/09/11 - running v9.0.3.19 on  (user:*****)  -----------
  Windows Path: C:\Windows
22:41:42 (Setup)-Command line: "C:\Users\*****\AppData\Local\Temp\6939853D-BAB0-7891-9532-EA094CDE8AC1\Setup.exe" /s   /mhp  /mds  /babTrack="affID=100489" /instlref=sst /srcExt=ss /babExt=babExt /rvrt /rt /aflt=babsst /mnt /S /tbGen="/tlbrid=tb9".
22:41:42 (Client)-LM file is C:\ProgramData\Babylon\BabAll.dat.
22:41:42 (Client)-LM imported to file.
22:41:42 (Client)-LM file access denied.
22:41:42 (Setup)-Setup start, installing version 9.0.3.19.
22:41:42 (Setup)-SourceDir: C:\Users\*****\AppData\Local\Temp\6939853D-BAB0-7891-9532-EA094CDE8AC1\.
22:41:42 (Setup)-InstallDir: C:\Program Files (x86)\Babylon\Babylon-Pro\.
22:41:42 (Setup)-ImportInstallDir: 0.
22:41:42 (Setup)-SilentInstall: 1.
22:41:42 (Setup)-ExecuteBabylon: 1.
22:41:42 (Setup)-NeedToImport: 0.
22:41:42 (Setup)-MinRequirements: 0.
22:41:42 (Setup)-IsUpgrade: 0.
22:41:42 (Setup)-LicenseStatus: 2.
22:41:42 (Setup)-TBInstallState: 2.
22:41:42 (Setup)-SetupType: 52.
22:41:42 (Setup)-PrevVersion: 0.
22:41:42 (Setup)-TBInstall: 1.
22:41:42 (Setup)-Report: source=setup-start&stage=0&ver=9.0.3.19&sutp=50&sufl=2&dnld=0&dcnt=0&dtot=0&iev=9&dwb=cr&affilID=100489&guid={C9145065-9ACC-43D4-A24D-D5E7C314A3CD}&prver=0&impdir=0&impt=0&exc=1&minreq=0&lic=2&mntrId=84cec260000000000000001d72e70a0e.
22:41:43 (Setup)-Setup HP: http://search.babylon.com/home?AF=100489&babsrc=HP_ss&affID=100489&mntrId=84cec260000000000000001d72e70a0e.
22:41:43 (Setup)-Current HP (0): http://www.google.com/webhp?hl=en.
22:41:43 (Setup)-Setup DSP: Search the web (Babylon).
22:41:43 (Setup)-Current DSP (0): -.
22:41:43 (Setup)-Current DSP id (0): -.
22:41:45 (Setup)-Homepage added to preferences(FF): http://search.babylon.com/?babsrc=HP_ss&affID=100489&mntrId=84cec260000000000000001d72e70a0e.
22:41:45 (Setup)-Search provider added to preferences(FF): http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=100489&mntrId=84cec260000000000000001d72e70a0e.
22:41:45 (Setup)-Saving preferences file for FF succeeded: .....\extensions\ffxtlbr@babylon.com\defaults\preferences\babylon.js.
22:41:45 (Setup)-Search properties were set - hp: 1, dsp: 1, (0x3).
22:41:48 (Setup)-File 1 (Setup-tbmntr903-9.0.3.19.zpb) out of 1: errCode - 200, complete - 100, opt - 0.
22:41:48 (Setup)-Toolbar installation command: (C:\Users\*****\AppData\Local\Temp\6939853D-BAB0-7891-9532-EA094CDE8AC1\MyBabylonTB.exe /lng=en   /babTrack="affID=100489" /instlRef=sst /aflt=babsst /srcExt=ss /tlbrid=tb9).
22:41:56 (Setup)-Toolbar installation command: (C:\Users\*****\AppData\Local\Temp\6939853D-BAB0-7891-9532-EA094CDE8AC1\MyBabylonTB.exe /lng=en   /babTrack="affID=100489" /instlRef=sst /aflt=babsst /srcExt=ss /tlbrid=tb9).
22:41:57 (Setup)-ExitInstallation 90.
22:41:57 (Setup)-exit message loop.
22:41:57 (Setup)-ExitOnError: 90.
22:41:58 (Setup)-Report: source=setup-end&stage=90&ver=9.0.3.19&sutp=50&sufl=2&dnld=100&dcnt=1&dtot=1&iev=9&dwb=cr&affilID=100489&vid=1316119301-611464649&guid={C9145065-9ACC-43D4-A24D-D5E7C314A3CD}&mntrId=84cec260000000000000001d72e70a0e&spbi=iespt:-1;crsp:3;&osp=hp0:927461885;dsp0:0;hp1:927461885;dsp1:0;hp2:-244313394;dsp2:927461885;&hp=1&dsp=1&tb=1&hpx=1&dspx=1&tbx=1&tbp=0&dtct=-1145341807&excd=7.
22:41:58 (Setup)-Setup end.
w7 - ais7
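An added example, not part of the original post: a small parser for the setup log format quoted above (`HH:MM:SS (Component)-Key: value.`) that pulls out the lines recording the homepage and search-provider changes. The sample lines are constructed from the quoted log with paths shortened, and reading `SilentInstall: 1` and `TBInstall: 1` as "enabled" is an assumption based on the field names.

```python
import re

# Constructed sample in the format of the setup log quoted above
# (user name and temp directory shortened, URLs trimmed).
SAMPLE_LOG = r"""
22:41:42 (Setup)-Command line: "C:\Users\u\AppData\Local\Temp\X\Setup.exe" /s /mhp /mds /S.
22:41:42 (Setup)-SilentInstall: 1.
22:41:42 (Setup)-TBInstall: 1.
22:41:43 (Setup)-Setup HP: http://search.babylon.com/home?AF=100489&babsrc=HP_ss.
22:41:43 (Setup)-Current HP (0): http://www.google.com/webhp?hl=en.
22:41:45 (Setup)-Homepage added to preferences(FF): http://search.babylon.com/?babsrc=HP_ss.
22:41:45 (Setup)-Search provider added to preferences(FF): http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss.
22:41:45 (Setup)-Search properties were set - hp: 1, dsp: 1, (0x3).
"""

# time, component in parentheses, then the message with its trailing period dropped
LINE = re.compile(r"^(\d\d:\d\d:\d\d) \((\w+)\)-(.*?)\.?$")

def parse(log):
    """Yield (time, component, key, value) for each well-formed log line."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # Split on the first ": " only, so URLs in the value stay intact.
        key, sep, value = m.group(3).partition(": ")
        yield m.group(1), m.group(2), key, value if sep else ""

def findings(log):
    """Summarise the browser-setting changes the installer logged."""
    out = {"silent": False, "toolbar": False, "previous_homepage": None,
           "new_homepage": None, "browser_changes": []}
    for _time, _comp, key, value in parse(log):
        if key == "SilentInstall":          # assumption: 1 means enabled
            out["silent"] = value == "1"
        elif key == "TBInstall":            # assumption: 1 means enabled
            out["toolbar"] = value == "1"
        elif key.startswith("Current HP"):
            out["previous_homepage"] = value
        elif key == "Setup HP":
            out["new_homepage"] = value
        elif "added to preferences" in key:
            out["browser_changes"].append((key, value))
    return out

if __name__ == "__main__":
    for name, value in findings(SAMPLE_LOG).items():
        print(name, "=", value)
```
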

Offline logos

Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #2 on: September 16, 2011, 11:06:08 AM »
more info about the CNET Download.com Installer here:
http://www.ghacks.net/2011/08/17/the-cnet-download-com-installer/

this is exactly what happened to me.
w7 - ais7

Offline craigb

  • avast! Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 8068
  • Gender: Male
    • Personal Message (Offline)
Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #3 on: September 16, 2011, 11:13:48 AM »
Cnet's known for doing this as of late, there have been a few discussions over at the MBAM forums as well.
I won't get anything from cnet anymore, sticking to FileHippo, Fileforum and Softpedia.
Windows 8.1 Pro X64/ IE 11/ Avast 9.0.2018/ MBAM Premium 2

Offline logos

Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #4 on: September 16, 2011, 11:14:01 AM »
and hey btw, this CNet site is where users download the free version (Avast free)  ;D
http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html?part=dl-85737&subj=dl&tag=button

... no Cnet downloader there though, but still, I don't like that at all ::)
« Last Edit: September 16, 2011, 11:16:56 AM by logos »
w7 - ais7

Offline Tech

  • avast! team
  • Certainly Bot
  • *
  • Posts: 64880
  • Gender: Male
    • Personal Message (Offline)
Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #5 on: September 16, 2011, 11:22:06 AM »
I won't get anything from cnet anymore
+1

sticking to FileHippo, Fileforum and Softpedia.
+1
The best things in life are free.

Offline logos

Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #6 on: September 16, 2011, 11:22:25 AM »
guys if you're on twitter, feel free to talk to @cnet there, I'm sure they'll enjoy the feedback  ;D
w7 - ais7

Offline logos

Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #7 on: September 16, 2011, 11:24:00 AM »
@craig @tech remains the fact that Avast downloads are hosted on CNet :D I'd be glad to hear a few words from the Avast team about that...
w7 - ais7

Offline logos

Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #8 on: September 16, 2011, 11:57:08 AM »
what worries me is that I'm almost (?) sure that I dismissed the babylon install by un-checking the options in the downloader, hard to believe that I missed that... and I still got that crap installed silently (?) I don't feel like checking/trying again really, but okay I have a little doubt now that I may have missed the check boxes by focusing on the babylon ad above them, and clicked next immediately. I may have thought the "go" button (which is not a button at all in fact, but just a pic of their search bar) was what triggered the install of babylon  ::)... it all happened very quickly so I can't tell. I didn't even remember that babylon was part of the Cnet install until I found out today on a web site.
w7 - ais7

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21696
  • Gender: Male
    • Personal Message (Offline)
Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #9 on: September 16, 2011, 12:03:15 PM »
That installer used to be detected at VT also.....
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline phoenix1

  • Jr. Member
  • **
  • Posts: 33
  • Gender: Female
    • Personal Message (Offline)
Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #10 on: September 18, 2011, 02:39:26 AM »
My newly repaired computer didn't stay that way for long, it died on Thursday so I got a new  HP with Windows7  ;D  I've got everything (almost) reloaded but I need to get SpywareBlaster installed, I used to use Cnet for all my downloads but now with all these problems I'm not sure if I should use them to add SpywareBlaster. I went to their site and they re-routed me back to Cnet, should I try to find it somewhere else?

Offline Pondus

Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #11 on: September 18, 2011, 02:51:34 AM »
Quote
should I try to find it somewhere else?
http://filehippo.com/download_spywareblaster/


Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline phoenix1

Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #12 on: September 18, 2011, 04:43:29 AM »
Thanks  :)

Offline Harikrishnan

  • Jr. Member
  • **
  • Posts: 99
  • Gender: Male
    • Personal Message (Offline)
Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #13 on: September 21, 2011, 07:30:57 AM »
Not just CNET... I downloaded an update for YouTube Downloader using its own update check two weeks ago. During installation I unchecked the option for the Yahoo toolbar, but after installation it changed my Firefox default search from Google to Yahoo, and I reinstalled FF to get rid of it...
Windows 7 32-bit, Intel C2D 2.93 GHz, 2 GB RAM, Avast! Free(latest), MBAM Free, SAS Free, WinPatrol Free, Windows7FirewallControl, Mozilla Firefox(Latest), Thunderbird(Latest), CCleaner

Offline craigb

Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #14 on: September 21, 2011, 09:41:34 AM »
Not just CNET... I downloaded an update for YouTube Downloader using its own update check two weeks ago. During installation I unchecked the option for the Yahoo toolbar, but after installation it changed my Firefox default search from Google to Yahoo, and I reinstalled FF to get rid of it...
Sorry for the OT

Youtube downloader will also try to install McAfee
Windows 8.1 Pro X64/ IE 11/ Avast 9.0.2018/ MBAM Premium 2

 
