PUP.Optional.Babylon.A found by Malwarebytes

[DavisJes]

Monday my computer was running slow when I was using google+ chat with a friend through Chrome and then tried to go on Mozilla which was like using dialup waiting for the page to load. I felt that Chrome was being slow and somehow affecting Mozilla so I tried to fix Chrome first by reseting the browser. When that did not help I ran MicrosoftSercurityEssentails which found nothing. Next I ran Spybot which also did not find anything. Last I ran Malwarebyte which found PUP.Optional.Babylon.A. I removed it and then ran Malwarebytes again and this time it found nothing.

 

Tuseday something told me to run Malwarebytes again which I did. Malwarebyte again found PUP.Optional.Babylon.A. This time I paid attentionto where it said it was attached which my google Chrome browser. I again told Malwarebytes to remove it and then I went and deleted Chrome and reinstalled Chrome. Rebooted the computer ran Malwarebytes again and it was back. Deleted Chrome through windows 7 add remove and then also went into my computer and deleted the Google folder.

 

Reinstalled Chrome and found it strange that after I had deleted Chrome and the Google folder that Chrome when reinstalled had my bookmarks already there. Ran Malwarebytes againa and it was still there. This time I now searched my computer for Babylon and found 78 zip files for the Babylon Toolbar which I deleted. During this I also deleted Big Fish through add removed and the folder for it (which is where I think it came from when I was downloading Jewel Quest which I also no longer have on my computer).

 

I have used AdwCleaner, Junkware Removal Tool, Malwarebytes and Hitman Pro in that order. Only Malwarebytes seems to find it. I deleted everything these programs found. I have also ran CCleaner. I am not sure if I still have the logs but I can run the programs again if need be and post the logs.

 

My browsers is running normal now and not slow but Malwarebytes is still finding PUP.Optional.Babylon.A and saying it is attached to the preferance file in Google Chrome.

[MrCharlie]

Welcome to the forum.

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software (MS Office, Adobe Products), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

 

<====><====><====><====><====><====><====><====>

 

Please run a Quick Scan with Malwarebytes (if possible)

For Malwarebytes ver: 1.75

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

For Malwarebytes 2.0, please run a Threat Scan

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine all that's found

Post the log

Then......

Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.

(use correct version for your system.....Which system am I using?)

FRST <----for 32 bit systems

FRST64 <----for 64 bit systems

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button. (make sure the Addition box is checked)
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.

New window that comes up.

Last................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

 

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM

[DavisJes]

Using Malwarebytes v2.0 and this time it didn't find anything. I rebooted and ran Malwarebytes again while I ran to the store and Malwarebyte still did not find anything. Sometimes Malwarebytes will find nothing and then tomorrow it could find the PUP.

 

Both run logs are below.

 

I wanted to check with you before I did the other steps since Malwarebytes did not find anything on the two runs today.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/6/2014
Scan Time: 1:56:58 PM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.07.06.06
Rootkit Database: v2014.07.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Jess

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 275034
Time Elapsed: 14 min, 21 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/6/2014
Scan Time: 2:18:31 PM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.07.06.06
Rootkit Database: v2014.07.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Jess

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 275112
Time Elapsed: 12 min, 12 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

[MrCharlie]

Please run FRST and RogueKiller and post the log, MrC

[DavisJes]

FRST files attached

 

Going to run RougeKiller now FRST files attached

FRST.txt

Addition.txt

[DavisJes]

I know this may sound like a dumb question but asking because it was not in the instructions and your instructions say "When the scan completes > Close out the program > Don't Fix anything!"

 

I ran RougeKiller and after it ran about halfway through it then popped up a accept or decline use of terms box. Just checking because you said don't fix anything so I wanted to check with you before accepting as I am unsure if accepting will fix things it find.

[MrCharlie]

I ran RougeKiller and after it ran about halfway through it then popped up a accept or decline use of terms box. Just checking because you said don't fix anything so I wanted to check with you before accepting as I am unsure if accepting will fix things it find

Yes now click on Scan

MrC

[DavisJes]

Thanks just a little twitchy when it comes to my computer. I consider myself very careful and annoyed.

 

RougeKiller report

 

 

RogueKiller V9.1.0.0 (x64) [Jun 23 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Jess [Admin rights]
Mode : Scan -- Date : 07/06/2014  15:28:43

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 12 ¤¤¤
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-1781283194-246445077-1282580398-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-1781283194-246445077-1282580398-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-1781283194-246445077-1282580398-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-1781283194-246445077-1282580398-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0  -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0  -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[suspicious.Path] \\IHUninstallTrackingTASK -- CMD (/C DEL C:\Users\Jess\AppData\Local\Temp\IHU9BF0.tmp.exe) -> FOUND

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9500420ASG ATA Device +++++
--- User ---
[MBR] 5325a20a63b36c4547ab427b59f30585
[bSP] a4bafa258b946b49ae6f5b31a602672b : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB
User = LL1 ... OK
User = LL2 ... OK
 

[MrCharlie]

Can you post one of the logs from Malwarebytes that shows the problem.

 

MrC

[DavisJes]

This is the last log that found the problem. I have only run Malwarebytes twice since this log was created and they are posted above.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/4/2014
Scan Time: 8:14:25 AM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.07.04.03
Rootkit Database: v2014.07.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Jess

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 274704
Time Elapsed: 14 min, 24 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.Babylon.A, C:\Users\Jess\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: (   "homepage": "http://search.babylon.com/?affID=110803&tt=031012_IKAN_4012_5&babsrc=HP_ss&mntrId=7aca2bb20000000000005cac4c651e44",), Replaced,[70b25546166542f4b326dde4b4506a96]

Physical Sectors: 0
(No malicious items detected)


(end)

[MrCharlie]

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

========================

Then in Chrome go to Settings > Under Sign In, go to Google Dashboard > Click on Settings > Click on Stop and Clear left bottom of the page.

That should clear out the setting.

Let me know, MrC

[DavisJes]

When I searched my computer for the FRST64.exe file it says the FRST64 application is on my desktop (which is where it was put when I downloaded it) and also a FRST64.ext-CA46F545.pf file that says it is in the folder Prefetch (C:\\Windows).

 

Where should I put the fixlist.txt? Desktop or C:\\Windows\Prefetch?

[MrCharlie]

Where should I put the fixlist.txt? Desktop or C:\\Windows\Prefetch?

No, it has to be in the same folder as FRST64.exe.

Download it again:
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

MrC

[DavisJes]

When I got to re-download the file it tells me it is going to save the file to my desktop. I attached a screenshot. Should I tell it to save it in my download folder instead even thought it is already on my desktop from the first time I downloaded and ran the program?

[MrCharlie]

You can save it any where you want to, just as long as both FRST64.exe and the Fixlist.txt are in the same folder.

MrC

[DavisJes]

Okay. Do I need to have the Addition.txt box checked again this time?

[MrCharlie]

No, you're not running a scan, you just need to hit the Fix Button

 

[DavisJes]

Log below and "stop and cleared" Chrome

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 05-07-2014 01
Ran by Jess at 2014-07-06 21:28:39 Run:1
Running from C:\Users\Jess\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
URLSearchHook: HKCU - MHURLSearchHook Class - {1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48} - C:\Program Files (x86)\Family Toolbar\tbhelper.dll No File
SearchScopes: HKLM-x32 - DefaultScope value is missing.
BHO-x32: MHTBPos00 Class - {0C37B053-FD68-456a-82E1-D788EE342E6F} - C:\Program Files (x86)\Family Toolbar\tbcore3.dll No File
C:\Users\Jess\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpj04d4r.dll
AlternateDataStreams: C:\ProgramData\TEMP:0588E665
AlternateDataStreams: C:\ProgramData\TEMP:AB554F94

*****************

'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1' => Key deleted successfully.
'HKLM\Software\Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2' => Key deleted successfully.
'HKLM\Software\Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3' => Key deleted successfully.
'HKLM\Software\Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt4' => Key deleted successfully.
'HKLM\Software\Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
'HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1' => Key deleted successfully.
'HKLM\Software\Wow6432Node\Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
'HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2' => Key deleted successfully.
'HKLM\Software\Wow6432Node\Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
'HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3' => Key deleted successfully.
'HKLM\Software\Wow6432Node\Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
'HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt4' => Key deleted successfully.
'HKLM\Software\Wow6432Node\Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48} => value deleted successfully.
'HKCR\Wow6432Node\CLSID\{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48}' => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0C37B053-FD68-456a-82E1-D788EE342E6F}' => Key deleted successfully.
'HKCR\Wow6432Node\CLSID\{0C37B053-FD68-456a-82E1-D788EE342E6F}' => Key deleted successfully.
C:\Users\Jess\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpj04d4r.dll => Moved successfully.
C:\ProgramData\TEMP => ":0588E665" ADS removed successfully.
C:\ProgramData\TEMP => ":AB554F94" ADS removed successfully.

==== End of Fixlog ====

[MrCharlie]

How is it?????

MrC

[DavisJes]

How is my computer? Computer is running fine. I have not tried google+ chat in since it was being slow the other day. Should I run Malewarebyte to see if it still finds it?

[MrCharlie]

Yes run MB, MrC

[DavisJes]

Malwarebyte still found PUP.Optional.Babylon.A attached to the preferences in Google chrome.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/8/2014
Scan Time: 7:32:38 AM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.07.08.04
Rootkit Database: v2014.07.07.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Jess

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 275545
Time Elapsed: 17 min, 5 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.Babylon.A, C:\Users\Jess\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: (   "homepage": "http://search.babylon.com/?affID=110803&tt=031012_IKAN_4012_5&babsrc=HP_ss&mntrId=7aca2bb20000000000005cac4c651e44",), Replaced,[c2f496064338ee483e5cb313887c4ab6]

Physical Sectors: 0
(No malicious items detected)


(end)

[MrCharlie]

Reboot and run another scan, see if it's still there, MrC

[DavisJes]

Not sure if I can get to it tonight as I will not be home until late but will get back to you by tomorrow morning. Thanks for all your help so far.

[MrCharlie]

OK...MrC