Author Topic: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar  (Read 7781 times)

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9448
okay I had no idea how it happened until I found this article:
http://www.ghacks.net/2011/08/17/how-to-uninstall-the-babylon-toolbar-completely/

... so this must have been yesterday, I wanted to download a program to do desktop video capture and that's what you get from Cnet now:
cnet_Pixetell-1_3_16005_zip.exe

... then after running it you get the actual program file you're looking for, downloaded:
in this case Pixetell-1.3.16005.zip

... I'm sure I unchecked any suggested crapware during the Cnet download, but it still happened:

Chrome >>> search engine hijacked
Firefox >>> search engine and homepage hijacked
Internet Explorer 9 >>> search engine, homepage hijacked + toolbar installed (but not enabled, I got a prompt)

 Their freakin' homepage imitates Google ;D

... don't know what would have happened with Avast, I didn't have it installed anymore for a few days (boottime issues, unrelated here), just MSE was running. But I'm not sure at all if Avast would have prevented anything.
« Last Edit: September 16, 2011, 01:16:35 PM by logos »
w7 - ais7

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9448
Re: CNET downloader >>> beware "babylon search and toolbar" hijack
« Reply #1 on: September 16, 2011, 12:54:41 PM »
anyway I could get rid of everything manually, toolbar etc.. no add-on was installed in Firefox (although one is mentioned in the log). MSE + MBAM + SAS say system clean. I also deleted any babylon entry manually in the registry. So everything should be fine now.

here's the log file content of that crap:

-----------  15/09/11 - running v9.0.3.19 on  (user:*****)  -----------
  Windows Path: C:\Windows
22:41:42 (Setup)-Command line: "C:\Users\*****\AppData\Local\Temp\6939853D-BAB0-7891-9532-EA094CDE8AC1\Setup.exe" /s   /mhp  /mds  /babTrack="affID=100489" /instlref=sst /srcExt=ss /babExt=babExt /rvrt /rt /aflt=babsst /mnt /S /tbGen="/tlbrid=tb9".
22:41:42 (Client)-LM file is C:\ProgramData\Babylon\BabAll.dat.
22:41:42 (Client)-LM imported to file.
22:41:42 (Client)-LM file access denied.
22:41:42 (Setup)-Setup start, installing version 9.0.3.19.
22:41:42 (Setup)-SourceDir: C:\Users\*****\AppData\Local\Temp\6939853D-BAB0-7891-9532-EA094CDE8AC1\.
22:41:42 (Setup)-InstallDir: C:\Program Files (x86)\Babylon\Babylon-Pro\.
22:41:42 (Setup)-ImportInstallDir: 0.
22:41:42 (Setup)-SilentInstall: 1.
22:41:42 (Setup)-ExecuteBabylon: 1.
22:41:42 (Setup)-NeedToImport: 0.
22:41:42 (Setup)-MinRequirements: 0.
22:41:42 (Setup)-IsUpgrade: 0.
22:41:42 (Setup)-LicenseStatus: 2.
22:41:42 (Setup)-TBInstallState: 2.
22:41:42 (Setup)-SetupType: 52.
22:41:42 (Setup)-PrevVersion: 0.
22:41:42 (Setup)-TBInstall: 1.
22:41:42 (Setup)-Report: source=setup-start&stage=0&ver=9.0.3.19&sutp=50&sufl=2&dnld=0&dcnt=0&dtot=0&iev=9&dwb=cr&affilID=100489&guid={C9145065-9ACC-43D4-A24D-D5E7C314A3CD}&prver=0&impdir=0&impt=0&exc=1&minreq=0&lic=2&mntrId=84cec260000000000000001d72e70a0e.
22:41:43 (Setup)-Setup HP: http://search.babylon.com/home?AF=100489&babsrc=HP_ss&affID=100489&mntrId=84cec260000000000000001d72e70a0e.
22:41:43 (Setup)-Current HP (0): http://www.google.com/webhp?hl=en.
22:41:43 (Setup)-Setup DSP: Search the web (Babylon).
22:41:43 (Setup)-Current DSP (0): -.
22:41:43 (Setup)-Current DSP id (0): -.
22:41:45 (Setup)-Homepage added to preferences(FF): http://search.babylon.com/?babsrc=HP_ss&affID=100489&mntrId=84cec260000000000000001d72e70a0e.
22:41:45 (Setup)-Search provider added to preferences(FF): http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=100489&mntrId=84cec260000000000000001d72e70a0e.
22:41:45 (Setup)-Saving preferences file for FF succeeded: .....\extensions\ffxtlbr@babylon.com\defaults\preferences\babylon.js.
22:41:45 (Setup)-Search properties were set - hp: 1, dsp: 1, (0x3).
22:41:48 (Setup)-File 1 (Setup-tbmntr903-9.0.3.19.zpb) out of 1: errCode - 200, complete - 100, opt - 0.
22:41:48 (Setup)-Toolbar installation command: (C:\Users\*****\AppData\Local\Temp\6939853D-BAB0-7891-9532-EA094CDE8AC1\MyBabylonTB.exe /lng=en   /babTrack="affID=100489" /instlRef=sst /aflt=babsst /srcExt=ss /tlbrid=tb9).
22:41:56 (Setup)-Toolbar installation command: (C:\Users\*****\AppData\Local\Temp\6939853D-BAB0-7891-9532-EA094CDE8AC1\MyBabylonTB.exe /lng=en   /babTrack="affID=100489" /instlRef=sst /aflt=babsst /srcExt=ss /tlbrid=tb9).
22:41:57 (Setup)-ExitInstallation 90.
22:41:57 (Setup)-exit message loop.
22:41:57 (Setup)-ExitOnError: 90.
22:41:58 (Setup)-Report: source=setup-end&stage=90&ver=9.0.3.19&sutp=50&sufl=2&dnld=100&dcnt=1&dtot=1&iev=9&dwb=cr&affilID=100489&vid=1316119301-611464649&guid={C9145065-9ACC-43D4-A24D-D5E7C314A3CD}&mntrId=84cec260000000000000001d72e70a0e&spbi=iespt:-1;crsp:3;&osp=hp0:927461885;dsp0:0;hp1:927461885;dsp1:0;hp2:-244313394;dsp2:927461885;&hp=1&dsp=1&tb=1&hpx=1&dspx=1&tbx=1&tbp=0&dtct=-1145341807&excd=7.
22:41:58 (Setup)-Setup end.
w7 - ais7
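
An added example, not part of the original posts: a small Python parser for the installer log format shown in Reply #1, which turns the log into a cleanup checklist (silent-install flag, previous homepage, browser preference changes, files written, toolbar installer commands). The sample lines are copied from that log; the function name `triage` and the result keys are made up for this example.

```python
import re

# Sample input: lines copied from the log in Reply #1 (user name already masked there).
SAMPLE_LOG = r"""
22:41:42 (Setup)-SilentInstall: 1.
22:41:43 (Setup)-Current HP (0): http://www.google.com/webhp?hl=en.
22:41:45 (Setup)-Homepage added to preferences(FF): http://search.babylon.com/?babsrc=HP_ss&affID=100489&mntrId=84cec260000000000000001d72e70a0e.
22:41:45 (Setup)-Search provider added to preferences(FF): http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=100489&mntrId=84cec260000000000000001d72e70a0e.
22:41:45 (Setup)-Saving preferences file for FF succeeded: .....\extensions\ffxtlbr@babylon.com\defaults\preferences\babylon.js.
22:41:48 (Setup)-Toolbar installation command: (C:\Users\*****\AppData\Local\Temp\6939853D-BAB0-7891-9532-EA094CDE8AC1\MyBabylonTB.exe /lng=en   /babTrack="affID=100489" /instlRef=sst /aflt=babsst /srcExt=ss /tlbrid=tb9).
22:41:58 (Setup)-Setup end.
"""

# "HH:MM:SS (Component)-Message." ; the trailing period is not part of the message.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) \((\w+)\)-(.*?)\.?$")
PREF_RE = re.compile(r"^(Homepage|Search provider) added to preferences\((\w+)\)$")

def triage(log_text):
    """Summarise what the log says was changed, as a cleanup checklist."""
    result = {"silent": False, "previous_homepage": None,
              "pref_changes": [], "files": [], "toolbar_commands": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner line, "Windows Path" line, blank lines
        key, _, value = m.group(3).partition(": ")
        pref = PREF_RE.match(key)
        if key == "SilentInstall":
            result["silent"] = value == "1"
        elif key.startswith("Current HP"):
            result["previous_homepage"] = value  # value to restore
        elif pref:
            # (browser tag, setting, URL that was written)
            result["pref_changes"].append((pref.group(2), pref.group(1), value))
        elif key.startswith("Saving preferences file"):
            result["files"].append(value)  # file to delete during cleanup
        elif key == "Toolbar installation command":
            result["toolbar_commands"].append(value.strip("()"))
    return result

if __name__ == "__main__":
    for name, found in triage(SAMPLE_LOG).items():
        print(name, "=", found)
```
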

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9448
Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #2 on: September 16, 2011, 01:06:08 PM »
more info about the CNET Download.com Installer here:
http://www.ghacks.net/2011/08/17/the-cnet-download-com-installer/

this is exactly what happened to me.
w7 - ais7

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 8995
Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #3 on: September 16, 2011, 01:13:48 PM »
Cnet's known for doing this as of late, there have been a few discussions over at the MBAM forums as well.
I won't get anything from cnet anymore, sticking to FileHippo, Fileforum and Softpedia.

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9448
Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #4 on: September 16, 2011, 01:14:01 PM »
and hey btw, this CNet site is where users download the free version (Avast free)  ;D
http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html?part=dl-85737&subj=dl&tag=button

... no Cnet downloader there though, but still, I don't like that at all ::)
« Last Edit: September 16, 2011, 01:16:56 PM by logos »
w7 - ais7

Online Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 65678
Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #5 on: September 16, 2011, 01:22:06 PM »
Quote
I won't get anything from cnet anymore
+1

Quote
sticking to FileHippo, Fileforum and Softpedia.
+1
The best things in life are free.

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9448
Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #6 on: September 16, 2011, 01:22:25 PM »
guys if you're on twitter, feel free to talk to @cnet there, I'm sure they'll enjoy the feedback  ;D
w7 - ais7

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9448
Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #7 on: September 16, 2011, 01:24:00 PM »
@craig @tech remains the fact that Avast downloads are hosted on CNet :D I'd be glad to hear a few words from the Avast team about that...
w7 - ais7

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9448
Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #8 on: September 16, 2011, 01:57:08 PM »
what worries me is that I'm almost (?) sure that I dismissed the babylon install by un-checking the options in the downloader, hard to believe that I missed that... and I still got that crap installed silently (?) I don't feel like checking/trying again really, but okay I have a little doubt now that I may have missed the check boxes by focusing on the babylon ad above them, and clicked next immediately. I may have thought the "go" button (which is not a button at all in fact, but just a pic of their search bar) was what triggered the install of babylon  ::)... it all happened very quickly so I can't tell. I didn't even remember that babylon was part of the Cnet install until I found out today on a web site.
w7 - ais7

Offline Pondus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 25932
Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #9 on: September 16, 2011, 02:03:15 PM »
That installer used to be detected at VT also.....
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline phoenix1

  • Jr. Member
  • **
  • Posts: 33
Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #10 on: September 18, 2011, 04:39:26 AM »
My newly repaired computer didn't stay that way for long, it died on Thursday so I got a new  HP with Windows7  ;D  I've got everything (almost) reloaded but I need to get SpywareBlaster installed, I used to use Cnet for all my downloads but now with all these problems I'm not sure if I should use them to add SpywareBlaster. I went to their site and they re-routed me back to Cnet, should I try to find it somewhere else?

Offline Pondus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 25932
Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #11 on: September 18, 2011, 04:51:34 AM »
Quote
should I try to find it somewhere else?
http://filehippo.com/download_spywareblaster/


Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline phoenix1

  • Jr. Member
  • **
  • Posts: 33
Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #12 on: September 18, 2011, 06:43:29 AM »
Thanks  :)

Offline Harikrishnan

  • Full Member
  • ***
  • Posts: 142
Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #13 on: September 21, 2011, 09:30:57 AM »
Not just cnet... I downloaded an update for YouTube Downloader using its own update checking, 2 weeks ago. During installation I unchecked the option for the Yahoo toolbar, but after installation it altered my Firefox default search from Google to Yahoo, and I reinstalled FF to get rid of it...
Windows 7 32-bit, Intel C2D 2.93 GHz, 2 GB RAM, Avast! Free(latest), MBAM Free, SAS Free, WinPatrol Free, Windows7FirewallControl, Mozilla Firefox(Latest), K9 Web Protection, Thunderbird(Latest), CCleaner

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 8995
Re: CNET downloader >>> beware "babylon search, homepage" hijack + IE toolbar
« Reply #14 on: September 21, 2011, 11:41:34 AM »
Quote
Not just cnet... I downloaded an update for YouTube Downloader using its own update checking, 2 weeks ago. During installation I unchecked the option for the Yahoo toolbar, but after installation it altered my Firefox default search from Google to Yahoo, and I reinstalled FF to get rid of it...
Sorry for the OT

Youtube downloader will also try to install McAfee