also @ TechSpot: Oculus Rift secures $16 million in Series A round of funding

TechSpot

TechSpot News Products Downloads Forums

About
Sign in

Welcome to TechSpot

Why should I register?

Sign up for a new account or log in here:

Forgot your password?

Couldn't sign you in, please try again.

Google searches being redirected

Discussion in 'Virus and Malware Removal' started by prosidius, Jul 27, 2012.

Post New Reply

Page 2 of 3

Jay Pfoutz Malware Helper Posts: 4,286 +49
While you're at it, check for install program: Babylon Toolbar...

Please run OTL

Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 76 1C 67 C0 2C 18 CD 01 [binary data]
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://isearch.babylon.com/web/{sea...SP_ss&mntrId=284697e2000000000000bcaec5915245
O2:64bit: - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.

:commands
[emptytemp]
[reboot]

Then click the Run Fix button at the top.

Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, this is normal.

Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)
Jay Pfoutz, Aug 4, 2012

#21
prosidius Newcomer, in training Posts: 24

Didnt have Babylon toolbar installed (at least not that I could see in add/remove programs). I took a look at the last log and saw that babylon has an XML file in my firefox/searchplugins directory. I should delete it right?

All processes killed
========== OTL ==========
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache_TIMESTAMP| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Adam
->Temp folder emptied: 144859457 bytes
->Temporary Internet Files folder emptied: 4699793 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 646878899 bytes
->Flash cache emptied: 39805 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56475 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 200704 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 76876 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 666 bytes
RecycleBin emptied: 142088642 bytes

Total Files Cleaned = 895.00 mb

OTL by OldTimer - Version 3.2.55.0 log created on 08042012_173654

Files\Folders moved on Reboot...
C:\Users\Adam\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...
File C:\Users\Adam\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!

Registry entries deleted on Reboot...

prosidius, Aug 4, 2012

#22
Jay Pfoutz Malware Helper Posts: 4,286 +49

Yes. Delete it at once!

Open OTL, click the None button, copy and paste this to the Custom Scans/Fixes box:

*babylon* /md5
babylon.* /md5

Jay Pfoutz, Aug 5, 2012

#23
prosidius Newcomer, in training Posts: 24

OTL spits this out at me:

Error: Unable to interpret <*babylon* /md5> in the current context!
Error: Unable to interpret <babylon.* /md5> in the current context!

prosidius, Aug 5, 2012

#24
Jay Pfoutz Malware Helper Posts: 4,286 +49
Oh brother. LOL

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.

Copy the content of the following codebox into the main textfield:

Code:

:filefind *babylon* babylon.* :folderfind *babylon* :regfind *babylon*

Click the Look button to start the scan.

When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
Jay Pfoutz, Aug 6, 2012

#25

prosidius Newcomer, in training Posts: 24

SystemLook 30.07.11 by jpshortstuff
Log created at 08:38 on 06/08/2012 by Adam
Administrator - Elevation successful

========== filefind ==========

Searching for "*babylon*"
C:\Users\Adam\AppData\Local\Babylon\Setup\Babylon.dat --a---- 11205 bytes [23:24 27/04/2012] [14:06 27/12/2011] 8E6B33A7F03E2693A614002587A35DDD

Searching for "babylon.*"
C:\Users\Adam\AppData\Local\Babylon\Setup\Babylon.dat --a---- 11205 bytes [23:24 27/04/2012] [14:06 27/12/2011] 8E6B33A7F03E2693A614002587A35DDD

Searching for " "
No files found.

========== folderfind ==========

Searching for "*babylon*"
C:\ProgramData\Babylon d------ [23:24 27/04/2012]
C:\Users\Adam\AppData\Local\Babylon d------ [23:24 27/04/2012]
C:\Users\Adam\AppData\Roaming\Babylon d------ [23:24 27/04/2012]
C:\Users\All Users\Babylon d------ [23:24 27/04/2012]

Searching for " "
No folders found.

========== regfind ==========

Searching for "*babylon*"
No data found.

-= EOF =-

prosidius, Aug 6, 2012

#26

Jay Pfoutz Malware Helper Posts: 4,286 +49
Please run OTL

Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

:files
C:\ProgramData\Babylon
C:\Users\Adam\AppData\Local\Babylon
C:\Users\Adam\AppData\Roaming\Babylon
C:\Users\All Users\Babylon

:commands
[emptytemp]
[reboot]

Then click the Run Fix button at the top.

Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, this is normal.

Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)

Then let me know if Babylon is still present or not.
Jay Pfoutz, Aug 6, 2012

#27
prosidius Newcomer, in training Posts: 24

Heres the log. I'll report in a bit if I'm still getting redirected on Google searches.

All processes killed
========== FILES ==========
C:\ProgramData\Babylon folder moved successfully.
C:\Users\Adam\AppData\Local\Babylon\Setup\HtmlScreens folder moved successfully.
C:\Users\Adam\AppData\Local\Babylon\Setup folder moved successfully.
C:\Users\Adam\AppData\Local\Babylon folder moved successfully.
C:\Users\Adam\AppData\Roaming\Babylon folder moved successfully.
File\Folder C:\Users\All Users\Babylon not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Adam
->Temp folder emptied: 29939462 bytes
->Temporary Internet Files folder emptied: 7990405 bytes
->Java cache emptied: 12102923 bytes
->FireFox cache emptied: 523909417 bytes
->Flash cache emptied: 30422 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 200704 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 253965 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 6720114 bytes

Total Files Cleaned = 554.00 mb

OTL by OldTimer - Version 3.2.55.0 log created on 08082012_001909

Files\Folders moved on Reboot...
C:\Users\Adam\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...
File C:\Users\Adam\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!

Registry entries deleted on Reboot...

prosidius, Aug 8, 2012

#28
Jay Pfoutz Malware Helper Posts: 4,286 +49

Excellent work.

Waiting on your report.

Jay Pfoutz, Aug 8, 2012

#29
prosidius Newcomer, in training Posts: 24

Happened again. Got this url: click.get-answers-fast.com/ads-clicktrack/click/jump1.do?sid=wvSCoOxhvwGvwHYSck%2F69F56aZ8Xw7%2FUJVQyT2FG7aQj5YN5IdCUmw%3D%3D&affiliate=46573&subid=178303-43-28356&rc=0&terms=mw3sa

Not sure what to do anymore. I rather not reinstall Windows but a google search on this yields no solutions. I'll try uninstalling firefox completely and reinstalling to see if that'll fix it.

prosidius, Aug 8, 2012

#30
prosidius Newcomer, in training Posts: 24

I did a virus scan from http://www.eset.com/us/online-scanner/ and it found a redirect trojan. Hope its gone now.

prosidius, Aug 8, 2012

#31
Jay Pfoutz Malware Helper Posts: 4,286 +49
Please download Farbar Service Scanner and run it on the computer with the issue.

Check the following options: Internet Services, Windows Firewall, System restore, Security Center/Action Center, Windows Update, and Windows Defender

Press "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

And another Quick Scan from OTL please.
Jay Pfoutz, Aug 9, 2012

#32
prosidius Newcomer, in training Posts: 24
Farbar Service Scanner Version: 06-08-2012
Ran by Adam (administrator) on 09-08-2012 at 10:46:52
Running from "E:\Downloads"
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****
Attached Files:
- OTL.Txt
  
  File size:
  
  88.1 KB
  
  Views:
  
  2
prosidius, Aug 9, 2012

#33
Jay Pfoutz Malware Helper Posts: 4,286 +49
Please run OTL

Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

:OTL
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{867B665F-D37E-11E1-8270-B8AC6F996F26}: C:\Users\Adam\AppData\Local\{867B665F-D37E-11E1-8270-B8AC6F996F26}\ [2012/07/21 16:53:11 | 000,000,000 | ---D | M]
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMPFC5A2B2

:commands
[emptytemp]
[reboot]

Then click the Run Fix button at the top.

Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, this is normal.

Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)
Jay Pfoutz, Aug 9, 2012

#34
prosidius Newcomer, in training Posts: 24

All processes killed
========== OTL ==========
File HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{867B665F-D37E-11E1-8270-B8AC6F996F26}: C:\Users\Adam\AppData\Local\{867B665F-D37E-11E1-8270-B8AC6F996F26}\ not found.
ADS C:\ProgramData\TEMPFC5A2B2 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Adam
->Temp folder emptied: 122786419 bytes
->Temporary Internet Files folder emptied: 31241680 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 642672629 bytes
->Flash cache emptied: 10288 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1713986 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 22188 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 90857 bytes

Total Files Cleaned = 762.00 mb

OTL by OldTimer - Version 3.2.55.0 log created on 08102012_001634

Files\Folders moved on Reboot...
C:\Users\Adam\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...
File C:\Users\Adam\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!

Registry entries deleted on Reboot...

prosidius, Aug 10, 2012

#35
Jay Pfoutz Malware Helper Posts: 4,286 +49

OTL Quick Scan please.

Jay Pfoutz, Aug 10, 2012

#36
prosidius Newcomer, in training Posts: 24
Here it is
Attached Files:
- OTL.Txt
  
  File size:
  
  82.4 KB
  
  Views:
  
  1
prosidius, Aug 10, 2012

#37
Jay Pfoutz Malware Helper Posts: 4,286 +49
Please run OTL

Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

:reg
[-HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{867B665F-D37E-11E1-8270-B8AC6F996F26}]

:files
C:\Users\Adam\AppData\Local\{867B665F-D37E-11E1-8270-B8AC6F996F26}

:commands
[emptytemp]
[reboot]

Then click the Run Fix button at the top.

Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, this is normal.

Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)
Jay Pfoutz, Aug 11, 2012

#38
prosidius Newcomer, in training Posts: 24

All processes killed
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{867B665F-D37E-11E1-8270-B8AC6F996F26} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{867B665F-D37E-11E1-8270-B8AC6F996F26}\ not found.
========== FILES ==========
C:\Users\Adam\AppData\Local\{867B665F-D37E-11E1-8270-B8AC6F996F26}\chrome\content folder moved successfully.
C:\Users\Adam\AppData\Local\{867B665F-D37E-11E1-8270-B8AC6F996F26}\chrome folder moved successfully.
C:\Users\Adam\AppData\Local\{867B665F-D37E-11E1-8270-B8AC6F996F26} folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Adam
->Temp folder emptied: 230728 bytes
->Temporary Internet Files folder emptied: 1024643 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 485579309 bytes
->Flash cache emptied: 10518 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 12302 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 84416 bytes

Total Files Cleaned = 464.00 mb

OTL by OldTimer - Version 3.2.55.0 log created on 08112012_232709

Files\Folders moved on Reboot...
C:\Users\Adam\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...
File C:\Users\Adam\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!

Registry entries deleted on Reboot...

prosidius, Aug 12, 2012

#39
Jay Pfoutz Malware Helper Posts: 4,286 +49

Test Google redirect please.

We got that bad redirect add-on removed.

Jay Pfoutz, Aug 12, 2012

#40

Page 2 of 3

Add New Comment

	TechSpot Members Login or sign up for free, it takes about 30 seconds.			You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.