[SOLVED] search.babylon

[Britton30]

Has anyone heard of a toolbar/search engine called search.babylon? Apparently it is a redirect which works when one searches from a browser address bar and redirects to some malicious site and may add itself to a tab home page.
An OP on SF said it was installed when he installed MBAM, but I don't want to try it myself.

 

[writhziden]

I just installed MBAM. No issues. Was MBAM downloaded from http://www.malwarebytes.org/ or from another site? I wonder if the user downloaded a version someone else created with malicious items built in...

 

[Corrine]

No, it wouldn't have been installed with MBAM. From Manual Removal Guide for Babylon.Toolbar - Safer-Networking Forums.

Babylon Toolbar is a useless toolbar that gets installed by other software, for instance FoxTab Videoconverter. Legal age for installation is 18 while this fact is only mentioned in the terms.
Babylon Toolbar installs itself to the system, the Internet Explorer, Firefox and Google Chrome. The Babylon.Toolbar is almost identical to Toolbar.Facemood. Some affiliates like MediGet also install Babylon and the Babylon Toolbar without proper user consent using a count down timer to start the installation.

Now that Bleeping Computer is hosting MBAM, I prefer to use that link: http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/?1.

 

[Britton30]

Thanks, I don't know where the OP downloaded from, but I'll ask and still recommend MBAM to him. I just installed MBAM over my current one with no problems too.

I used both of the DL pages you linked, the one from http://www.malwarebytes.org/ came down in less than two seconds and bleepingcomputer took over thirty. Identical files but the MBAM download goes to c|NET to do it.

 

[Trouble]

I've heard of it, but no actual experience with it.
I do remember on another forum, somebody blaming an Install of Firefox as being responsible, which is highly unlikely. Seems it depends more on where you obtain the installer than what is actually being installed.
As I recall it (babylon) installs as a BHO and is not always picked up by anti-malware products. Seems something like AutoRuns might give you a good idea of where it's coming from and point you towards some ideas as to where to go to then eliminate it.

 

[Britton30]

I suppose it depends on where a software if obtained from. I have heard that Brothersoft has a bad rep for adding crapware, but no experience.

Hello fellow Hoosier, Trouble.

 

[N_J]

More than likely people are searching Google and clicking on the ad links at the top. I really wish Google would move those links to the side and police their site better. :banghead:

 

[Britton30]

I have found the OP got MBAM from a UK magazine site download. HE had use the official site and installed it fine. HE got rid of Babylon through some tools and registry edits.

N_J, Google, police their site? They are all powerful and omnipotent and are completely innocent. <removes tongue from cheek>

 

[Fred Garvin]

I've never seen MBAM install anything additional, ever. CNET is one of the worst places to download anything from because it's difficult to tell the actual download link from all the garbage ads. Click the wrong link and you end up installing sketchy software.

 

[Patrick]

I've never seen MBAM install anything additional, ever. CNET is one of the worst places to download anything from because it's difficult to tell the actual download link from all the garbage ads. Click the wrong link and you end up installing sketchy software.

Indeed, it's quite a shame.

 

[Britton30]

Some C|net downloads also "require" a download manager be installed too, Download.com has been guilty too. We don't need no steenkin' DL manager!

 

[DonnaB]

Babylon is very aggressive and will not only install a Toolbar, but will change your homepage and search engine. It is very hard to remove without the help of malware removal tools. It is installed as foistware but I can't think of any specific download at this time it is bundled with though I do recall seeing it prechecked in some software that I downloaded prior to offering to an unsavvy user. I like to do that to prevent foistware from being installed so I can warn the user as to what to look out for and hopefully to educate about crapware, drive by installs so the user can be more aware when they do download without assistance.

I just shared a tool called AdwCleaner with Corrine that Essexboy introduced to me that will annihilate Babylon, adware, PUP's, toolbars and homepage hijackers.

Here's an example of the log it produces upon deletion:

# AdwCleaner v1.801 - Logfile created 08/17/2012 at 22:36:28
# Updated 14/08/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : xxxxx - xxxxx-xxxxxxxxx
# Boot Mode : Normal
# Running from : C:\Documents and Settings\xxxx\Ambiente de trabalho\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\xxxx\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\All Users\Application Data\InstallMate
Folder Deleted : C:\Programas\DAEMON Tools Toolbar
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Premium
File Deleted : C:\Programas\Mozilla Firefox\.autoreg
File Deleted : C:\Programas\Mozilla Firefox\searchplugins\babylon.xml
File Deleted : C:\WINDOWS\system32\conduitEngine.tmp
File Deleted : C:\user.js

***** [Registry] *****
[*] Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT1561552
[*] Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT1750559
[*] Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2304157
[*] Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2405280
[*] Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2604146
[*] Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2765711
Key Deleted : HKCU\Software\AutocompleteProBHO
Key Deleted : HKCU\Software\Billeo
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0FB6A909-6086-458F-BD92-1F8EE10042A0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{32099AAC-C132-4136-9E9A-4E364A424E17}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{97ED3A9F-CD6F-473A-8FE1-7505C1B844C3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{32099AAC-C132-4136-9E9A-4E364A424E17}]

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.5730.13

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://eu.ask.com/?l=dis&o=14780 --> hxxp://www.google.com

*************************

AdwCleaner[S1].txt - [3419 octets] - [17/08/2012 22:36:28]

########## EOF - C:\AdwCleaner[S1].txt - [3547 octets] ##########

​

 

[Britton30]

I had to Google "foistware":r1:

 

[DonnaB]

I had to Google "foistware":r1:

:lol: Not long ago I had to do the same! I had no idea that crapware was an alias for foistware aka drive by installs. I could share a few more names that foistware is known by but I might get my mouth washed out with soap.

It is installed as foistware but I can't think of any specific download at this time it is bundled with though I do recall seeing it prechecked in some software that I downloaded

I nearly forgot that I had downloaded Dr. Web CureIt just playing around one day while familiarizing myself to programs used in the removal forums. Here's a fine example of Babylon that is bundled as foistware!

How about that? You send someone a link to download a program from cnet to remove malware, and they install a piece of software that is just as aggressive as the malware you want to remove! Go figure! :r1: I love how it states SAFE, TRUSTED AND SPYWARE FREE in the upper right hand corner of the dialog box.

Softonic is just as bad, by the way. In one download for JavaRa I came across the following foistware. Notice how the 2nd image states that BestVideo is powered by Yontoo Layers! If you look close enough, you'll also find that someone doesn't know how to spell Download. Not once, but 3 times in the same dialog box!
And the best part! It's RECOMMENDED! :thud:

 

[Corrine]

That is why I always recommend going to the source.

Dr.WebCureit: http://www.freedrweb.com/cureit/?lng=en
Direct FTP download link: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

JavaRa moved from RaProducts to *Singular Labs: http://singularlabs.com/

*Singular Labs is also now the home of the Ultimate List of Uninstallers:

• List of Security Software uninstallers
• List of Driver uninstallers
• List of Pre-Installed Software uninstallers
• List of Other Software uninstallers

 

[Fred Garvin]

I love how it states SAFE, TRUSTED AND SPYWARE FREE in the upper right hand corner of the dialog box.

I found that a bit ironic myself :lol: