Hi all,
A couple of weeks ago I asked for help to remove Funmood. Now I need help to remove Babylon (children are terrible).
I followed the standard procedure but Babylon still appears in my browser.
Because I have a recent good restore point, I recovered the laptop on 22 September, removed Firefox and reinstalled it but… Babylon is still there!
I ran the standard procedure again; the logs are attached and I hope you can help me again.
Did you download the latest AdwCleaner and run it after you did the system restore?
Same with Malwarebytes: did you update and run it after the system restore?
Let me know if this fixes it
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
• Under the Custom Scans/Fixes box at the bottom, paste in the following
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:OTL
SRV - [2011/12/16 18:44:48 | 000,156,160 | ---- | M] (ServiceUpd) [Auto | Stopped] -- C:\Users\Andreolli\AppData\Local\ServUpdater\ServiceUpd.exe -- (ServUpdater)
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.findeer.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.findeer.com
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.findeer.com
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.findeer.com
IE - HKU\S-1-5-21-3126821588-40386997-737668875-1001\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=115284&tt=120912_cpc_3812_2&babsrc=SP_ss&mntrId=6459e9a60000000000009cb70d561b34
IE - HKU\S-1-5-21-3126821588-40386997-737668875-1001\..\SearchScopes\{73D941B0-BD4A-8AA8-B0F8-28685D6EFB5D}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=STC3&o=APN10173&src=kw&q={searchTerms}&locale=&apn_ptnrs=^A7S&apn_dtid=^YYYYYY^YY^IT&apn_uid=4FEC3EDB-9D43-4C2C-9E63-7C636439B224&apn_sauid=F50F1D26-1A07-4221-986C-42F25EB598CB
IE - HKU\S-1-5-21-3126821588-40386997-737668875-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-3126821588-40386997-737668875-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-3126821588-40386997-737668875-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:56847
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\emoticoons-toolbar@emoticoons.com: C:\Users\Public\Documents\Emoticoons\emoticoons-toolbar@emoticoons.com
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{b64982b1-d112-42b5-b1e4-d3867c4533f8}: C:\ProgramData\Browser Manager\2.2.643.41\{16cdff19-861d-48e3-a751-d99a27784753}\FirefoxExtension
O2 - BHO: (no name) - {2EECD738-5844-4a99-B4B6-146BF802613B} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {D0F4A166-B8D4-48b8-9D63-80849FE137CB} - No CLSID value found.
O4 - Startup: C:\Users\Andreolli\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tcbhn.lnk = C:\Users\Andreolli\AppData\Roaming\BrowserCompanion\tcbhn.exe ()
O20 - AppInit_DLLs: (c:\progra~3\browse~1\22643~1.41\{16cdf~1\browse~1.dll) - c:\ProgramData\Browser Manager\2.2.643.41\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.dll ()
[2012/09/22 07:56:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Browser Manager
[2012/09/01 19:30:36 | 000,002,093 | ---- | C] () -- C:\Users\Andreolli\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tcbhn.lnk
:Files
C:\Users\Andreolli\AppData\Roaming\BrowserCompanion
C:\Users\Andreolli\AppData\Local\ServUpdater
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
To Pondus:
AdwCleaner was downloaded 2 weeks ago
Malwarebytes is up to date
To essexboy:
I just opened Firefox and Babylon is still there…
The logs are attached.
OK, let's try again ;D
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
• Under the Custom Scans/Fixes box at the bottom, paste in the following
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:OTL
IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
IE - HKU\S-1-5-21-3126821588-40386997-737668875-1001\..\SearchScopes,Backup.Old.DefaultScope = {80555931-5E7D-4C4A-845D-5BAA68ECE693}
IE - HKU\S-1-5-21-3126821588-40386997-737668875-1001\..\SearchScopes,BrowserMngrDefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKU\S-1-5-21-3126821588-40386997-737668875-1001\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKU\S-1-5-21-3126821588-40386997-737668875-1001\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=115284&tt=120912_cpc_3812_2&babsrc=SP_ss&mntrId=6459e9a60000000000009cb70d561b34
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\emoticoons-toolbar@emoticoons.com: C:\Users\Public\Documents\Emoticoons\emoticoons-toolbar@emoticoons.com
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{b64982b1-d112-42b5-b1e4-d3867c4533f8}: C:\ProgramData\Browser Manager\2.2.643.41\{16cdff19-861d-48e3-a751-d99a27784753}\FirefoxExtension
64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX
[2012/09/22 07:56:03 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}
O2 - BHO: (no name) - {2EECD738-5844-4a99-B4B6-146BF802613B} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {D0F4A166-B8D4-48b8-9D63-80849FE137CB} - No CLSID value found.
O20 - AppInit_DLLs: (c:\progra~3\browse~1\22643~1.41\{16cdf~1\browse~1.dll) - c:\ProgramData\Browser Manager\2.2.643.41\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.dll ()
[2012/09/22 07:56:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Browser Manager
[2012/09/14 17:12:16 | 000,000,000 | ---D | C] -- C:\Users\Andreolli\AppData\Local\{003C6A69-BDB1-4838-B18F-FBF8E9884DD4}
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
I downloaded AdwCleaner; it is more recent. Tell me if I have to run it.
I updated Malwarebytes after the system restore.
I ran OTL with the script; here is the log.
Unfortunately Babylon is still the main page of Firefox.
To Pondus:
I checked again and I confirm that Malwarebytes is up to date (29 September). This morning I updated it again and ran ‘quick scan’ and it did not find any problem.
AdwCleaner was not up to date; I downloaded the new one, ran ‘search’ and it found something related to Babylon.
The AdwCleaner log is attached.
Run delete on AdwCleaner please and let me know if that kills it
Go to Control Panel, click Programs (software).
Uninstall “Browser Manager” + “Bprotector” + “Object Installer” + “Babylon Toolbar on IE”
Then, depending on which browser you use, follow the relevant steps:
----------------------Firefox ---------------------------
Open a new Firefox window (website)
Go to Tools > Options, change your home page (e.g. www.google.de) and click OK.
Remove the search engine of Babylon by clicking the small arrow next to the icon of Babylon
Manage Search Engines
select Babylon and Remove
Close Firefox and open again
Type "about:config" in the address bar and press Enter
Type “Babylon” in the search field
Click on any ‘Babylon’ preferences with the right mouse button and select “Reset”
In the following video you can see how to change TAB URL :
http://www.youtube.com/watch?v=4yPX-ZJ5fQc&feature=related
----------------------------- Chrome -------------------------------------------------
Open Google Chrome and click on the “wrench” icon:
Click> Settings , choose the option “Open a particular page or set of pages.”
Click “Set Pages”, select the Babylon page and delete it from the list.
To change the search engine in Google Chrome, please follow the instructions below:
Open Google Chrome, click the “wrench” icon on the right side of the address bar, then click:
Settings> Under “Search”, click “Manage Search Engines …”.
If you see “Babylon Search” as the default, please select another search engine as the default (Google, Bing, etc.). Only then can you remove Babylon by clicking the little ‘X’.
----------------------------- Internet Explorer (IE) -----------------------------
Open your Internet Explorer browser, click on “Tools”, then “Internet Options” and in the section “Tabs” click on “Settings”. It will open a new window, on the option “When a new tab is opened, open:” in the drop-down menu please choose “Your first homepage”. Then click OK, Apply and OK.
If you delete Browser Manager and you still get Babylon search:
• Navigate to the key HKLM\SYSTEM\CurrentControlset\services, locate the Browser Manager subkey here and hit the delete key
• Go to HKLM\Software\ and delete Browser Manager from here
• Remove the dll from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
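
The entries targeted by the fix scripts and the registry steps in this thread fall into a few persistence locations: search scopes, the Internet Settings proxy, Firefox extensions registered through the registry, and AppInit_DLLs. As an added example (not part of any post in this thread and not OTL's own code), this Python script sorts OTL-style lines into those categories; the rule names and the severity heuristic are assumptions, and the sample lines are taken from the scripts quoted above.

```python
import re
from urllib.parse import urlsplit

# Lines taken from the OTL fix scripts quoted in this thread.
SAMPLE = r'''
IE - HKU\S-1-5-21-3126821588-40386997-737668875-1001\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=115284&tt=120912_cpc_3812_2&babsrc=SP_ss&mntrId=6459e9a60000000000009cb70d561b34
IE - HKU\S-1-5-21-3126821588-40386997-737668875-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:56847
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{b64982b1-d112-42b5-b1e4-d3867c4533f8}: C:\ProgramData\Browser Manager\2.2.643.41\{16cdff19-861d-48e3-a751-d99a27784753}\FirefoxExtension
O20 - AppInit_DLLs: (c:\progra~3\browse~1\22643~1.41\{16cdf~1\browse~1.dll) - c:\ProgramData\Browser Manager\2.2.643.41\{16cdff19-861d-48e3-a751-d99a27784753}\browsemngr.dll ()
'''

# (kind, regex capturing the configured value, why a reviewer should look at it)
RULES = [
    ("search-scope", re.compile(r'SearchScopes\\\{[^}]+\}: "URL" = (\S+)'),
     "search provider URL; confirm the host is one the user chose"),
    ("proxy", re.compile(r'"ProxyServer" = (\S+)'),
     "system proxy; a loopback address routes browser traffic through a local program"),
    ("ff-extension", re.compile(r'^(?:64bit-)?FF - HKEY_\S+?\\\\\S+?: (.+)$'),
     "extension registered via the registry, outside the Firefox install directory"),
    ("appinit-dll", re.compile(r'^O20 - AppInit_DLLs: \(.*?\) - (.+?) \(.*\)$'),
     "DLL loaded into every process that loads user32.dll"),
]

def severity(kind, value):
    """Assumed heuristic: loopback proxies and AppInit DLLs outside C:\\Windows rank high."""
    v = value.lower()
    loopback = kind == "proxy" and ("127.0.0.1" in v or "localhost" in v)
    foreign_dll = kind == "appinit-dll" and not v.startswith("c:\\windows\\")
    return "high" if loopback or foreign_dll else "review"

def triage(log_text):
    """Return one finding per OTL-style line that matches a persistence rule."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        for kind, pattern, reason in RULES:
            m = pattern.search(line)
            if m:
                value = m.group(1)
                if kind == "search-scope":
                    value = urlsplit(value).hostname  # keep only the host
                findings.append({"kind": kind, "value": value,
                                 "severity": severity(kind, value), "reason": reason})
                break
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['severity']:6} {f['kind']:13} {f['value']}  ({f['reason']})")
```

Running the same triage on the Quick Scan log produced after a fix shows which of these locations still hold an entry.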