Author Topic: Babylon Search Hijacked my Firefox  (Read 4740 times)

Offline jkbaby

  • Newbie
  • *
  • Posts: 10
    • Personal Message (Offline)
Babylon Search Hijacked my Firefox
« on: May 19, 2012, 05:33:11 AM »
My original post didn't go, I don't think.
I followed instructions for removing Babylon in another post and ran an OTL scan: attached is the first log, I'll have the 2nd log in a reply, they were too large to attach together

I'm a subscriber to Avast and am running a deep scan now with PUP activated as was suggested by another poster

Offline jkbaby

Re: Babylon Search Hijacked my Firefox
« Reply #1 on: May 19, 2012, 05:33:41 AM »
here's the 2nd log from OTL

Offline jeffce

  • Probably Not A Bot
  • avast! Evangelist
  • Massive Poster
  • ***
  • Posts: 2463
  • Gender: Male
  • Member of UNITE
    • Malware Removal
    • Personal Message (Offline)
Re: Babylon Search Hijacked my Firefox
« Reply #2 on: May 19, 2012, 07:50:33 PM »
Hi,

Please download aswMBR to your desktop.

  • Right click and Run as Administrator the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • When it finishes, press the save log button, save the logfile to your desktop and attach its contents in your next reply.

----------

Offline jkbaby

Re: Babylon Search Hijacked my Firefox
« Reply #3 on: May 20, 2012, 06:21:56 AM »
Here's the scan log

Thanks for the help!

Offline jeffce

Re: Babylon Search Hijacked my Firefox
« Reply #4 on: May 20, 2012, 08:45:55 PM »
Hi,

Download CKScanner by askey127 from Here & save it to your Desktop.
  • Right-click and Run as Administrator CKScanner.exe then click Search For Files
  • When the cursor hourglass disappears, click Save List To File
  • A message box will verify the file saved
  • Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply
----------

Offline jkbaby

Re: Babylon Search Hijacked my Firefox
« Reply #5 on: May 21, 2012, 05:41:11 PM »
-edit-
« Last Edit: June 18, 2012, 01:06:46 AM by jkbaby »

Offline jeffce

Re: Babylon Search Hijacked my Firefox
« Reply #6 on: May 22, 2012, 01:38:54 AM »
Hi,

CKScanner has detected illegal software on your system. Besides being illegal, it's the number one way of infecting your system as all cracked/keygen software is infected. This forum, as well as all the other malware removal forums, does not support the use of illegal software except for their removal. If I were to continue helping you with illegal software installed, it could be construed in the eyes of the law as aiding and abetting a crime.

I have worked up a fix for their removal as well as you need to remove all software that you know is illegal.  If you do not agree to this then this thread will be closed and no further help will be offered because I will never be able to tell you your malware logs are clean.  Please let me know if you wish to continue.

Offline jkbaby

Re: Babylon Search Hijacked my Firefox
« Reply #7 on: May 22, 2012, 01:53:24 AM »
Yes I agree,
I have since purchased all the adobe software -
Please let me know how to proceed.

Offline jeffce

Re: Babylon Search Hijacked my Firefox
« Reply #8 on: May 22, 2012, 01:56:23 AM »
Ok...let me work up a thorough fix and I will post it as quickly as I can.  :)

Offline jkbaby

Re: Babylon Search Hijacked my Firefox
« Reply #9 on: May 22, 2012, 01:59:09 AM »
thanks much!

Offline jeffce

Re: Babylon Search Hijacked my Firefox
« Reply #10 on: May 23, 2012, 01:49:00 AM »
Hi,

Please download and run ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code: [Select]
:Services

:OTL
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {F17003B1-1465-4474-A49F-DF2DC2735E6F}
IE:64bit: - HKLM\..\SearchScopes\{A9DB8F31-C852-4A14-8E79-6764BD89638A}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cnnb
IE - HKLM\..\SearchScopes,DefaultScope = {F17003B1-1465-4474-A49F-DF2DC2735E6F}
IE - HKLM\..\SearchScopes\{A9DB8F31-C852-4A14-8E79-6764BD89638A}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
IE - HKU\S-1-5-21-2970950096-1459967042-383241778-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?affID=109935&tt=290412_4_vs&babsrc=HP_ss&mntrId=e4cb735f0000000000000024d636c31b
IE - HKU\S-1-5-21-2970950096-1459967042-383241778-1001\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKU\S-1-5-21-2970950096-1459967042-383241778-1001\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=109935&tt=290412_4_vs&babsrc=SP_ss&mntrId=e4cb735f0000000000000024d636c31b
IE - HKU\S-1-5-21-2970950096-1459967042-383241778-1001\..\SearchScopes\{A9DB8F31-C852-4A14-8E79-6764BD89638A}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
IE - HKU\S-1-5-21-2970950096-1459967042-383241778-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local;<local>
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "about:home"
FF - prefs.js..keyword.URL: "http://search.babylon.com/?affID=109935&tt=290412_4_vs&babsrc=KW_ss&mntrId=e4cb735f0000000000000024d636c31b&q="
[2012/05/07 13:46:24 | 000,002,354 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
[2012/04/02 10:59:04 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
O1 - Hosts: 127.0.0.1 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com adobe-dns-4.adobe.com
O1 - Hosts: 127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com
O1 - Hosts: 127.0.0.1 www.adobeereg.com wwis-dubc1-vip60.adobe.com www.wip.adobe.com www.wip1.adobe.com
O1 - Hosts: 127.0.0.1 www.wip2.adobe.com www.wip3.adobe.com www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net
O3 - HKU\S-1-5-21-2970950096-1459967042-383241778-1001\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
[2012/05/07 13:46:14 | 000,000,000 | ---D | C] -- C:\Users\Joe Kaatz\AppData\Local\Babylon
[2012/05/07 13:46:12 | 000,000,000 | ---D | C] -- C:\Users\Joe Kaatz\AppData\Roaming\Babylon
[2012/05/07 13:46:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Babylon
[2 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Users\Joe Kaatz\Documents\*.tmp files -> C:\Users\Joe Kaatz\Documents\*.tmp -> ]

:Files
C:\Users\Joe Kaatz\AppData\Local\Babylon\Setup\Babylon.dat
C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

Offline jkbaby

Re: Babylon Search Hijacked my Firefox
« Reply #11 on: May 23, 2012, 02:41:17 AM »
OTL Attachment.
I tested out my Firefox, and did a search in the browser bar and it still used "search.babylon.com"

Offline jkbaby

Re: Babylon Search Hijacked my Firefox
« Reply #12 on: May 23, 2012, 03:03:32 AM »
JeffCE:
Thank you so much for all your help- My computer started up MUCH faster after your OTL Fix you gave me and I don't have to worry about Babylon or any other malware.
 :) :) :)

Update:
For others with the "search.babylon.com" problem I figured out how to get rid of the last vestiges of its presence after JeffCE's fixes.

http://superuser.com/questions/270560/installed-babylon-in-firefox-now-i-cant-get-rid-of-it

Firefox:
Help - Restart with add-ons disabled

In the pop-up, check the box next to "Reset all user preferences to Firefox defaults".
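
Added example, not part of the thread or of OTL: a Python check that parses a Firefox prefs.js and flags the search-related preferences named in the OTL fix above when their value still references Babylon. The sample file content is constructed, and the marker list is an assumption to adjust per case.

```python
import re

# Preference names taken from the FF lines of the OTL fix in this thread.
WATCHED_PREFS = {
    "browser.search.defaultenginename",
    "browser.search.order.1",
    "browser.search.selectedEngine",
    "browser.startup.homepage",
    "keyword.URL",
}
# Assumption: substrings that mark a hijacked value; adjust per investigation.
SUSPECT_MARKERS = ("babylon",)

# Matches: user_pref("name", value);  value is a quoted string, number or boolean.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value} for each user_pref line; string values are unquoted."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment, blank or malformed line
        name, raw = m.group(1), m.group(2)
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        prefs[name] = raw
    return prefs

def find_hijacked(text, markers=SUSPECT_MARKERS):
    """Return sorted (name, value) pairs of watched prefs whose value contains a marker."""
    hits = []
    for name, value in parse_prefs(text).items():
        if name in WATCHED_PREFS and any(mk in value.lower() for mk in markers):
            hits.append((name, value))
    return sorted(hits)

# Constructed sample modelled on the OTL fix lines (affiliate parameters omitted).
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.search.defaultenginename", "Search the web (Babylon)");
user_pref("browser.search.order.1", "Search the web (Babylon)");
user_pref("browser.search.selectedEngine", "Google");
user_pref("browser.startup.homepage", "about:home");
user_pref("keyword.URL", "http://search.babylon.com/?q=");
user_pref("browser.tabs.warnOnClose", false);
'''

if __name__ == "__main__":
    for name, value in find_hijacked(SAMPLE_PREFS_JS):
        print(f"{name} = {value}")
```

Run it against a copy of the profile's prefs.js taken while Firefox is closed, since the browser rewrites that file on exit.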



Offline jeffce

Re: Babylon Search Hijacked my Firefox
« Reply #13 on: May 23, 2012, 12:12:06 PM »
Hi,

Glad that helped.  Let's check for anything that might still be hiding.

Malwarebytes

I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats is NOT selected and the option Scan unwanted applications is selected.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
----------

In your next reply please attach the logs made by Malwarebytes and ESET online scanner.  :)

Offline jkbaby

Re: Babylon Search Hijacked my Firefox
« Reply #14 on: May 23, 2012, 06:05:38 PM »
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.23.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Joe Kaatz :: SIMON [administrator]

Protection: Enabled

5/23/2012 10:39:06 AM
mbam-log-2012-05-23 (10-39-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 223971
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)
MalwareBytes:

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




-edit-
« Last Edit: June 18, 2012, 01:07:16 AM by jkbaby »

 
