Solved: Babylon woes



sottovoce (thread starter)
01-Jul-2012, 02:38 PM #1
Babylon woes
Babylon keeps taking over as my search engine. I removed it from Programs on Windows 7 but each time I log on it takes over IE8 again. GMER showed no changes made. See attachments
jeffce (Jeff), Malware Removal Specialist
02-Jul-2012, 11:01 AM #2
Hi and Welcome!! My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.


Having said that....Let's get going!! :thumbup:
----------
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • In Custom Scans/Fixes put the following:
    netsvcs
    /md5start
    consrv.dll
    /md5stop
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL. folder on your C:\ drive if they fail to open automatically.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
----------

Please download aswMBR to your desktop.
  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.


Click the image to enlarge it
----------
sottovoce (thread starter)
02-Jul-2012, 11:12 AM #3
Thank you so much, Jeff. Just today under Start -->Search - I followed another directive to type in 'appwiz.cpl ' after deleting all of Temp files, cookies and History. So far the search.babylon has not reappeared but I have to give it time to make sure.
jeffce (Jeff), Malware Removal Specialist
02-Jul-2012, 11:25 AM #4
Ok.....thanks for letting me know.

Normally there are more instances than that hiding on a system. I would advise that you go ahead and run OTL and aswMBR to be on the safe side.
sottovoce (thread starter)
03-Jul-2012, 11:25 PM #5
Jeff, I did as you requested and ran the software. I did have a STOP shutdown with blue screen while running Agast, but reboot went okay. I have attached the logs, however the photobucket (1st one was confusing, as it was a blurred photo of a log file. Was I supposed to do anything?)

Attached are results.
jeffce (Jeff), Malware Removal Specialist
04-Jul-2012, 11:17 AM #6
Hi,

The picture I provided you can click on and it gets bigger so you can see it better.
--------------

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

If you are running Malwarebytes 1.6 or better, please disable it for the duration of this run.

To disable Malwarebytes
  • Open the scanner and select the Protection tab
  • Remove the tick from "Start Protection Module with Windows" as seen below


Once complete continue with the instructions...
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :Services
    
    :OTL
    IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    [2012/06/30 20:19:51 | 000,000,000 | ---D | C] -- C:\Users\Carol\AppData\Local\Babylon
    [2012/06/30 20:19:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Babylon
    [2012/06/30 20:19:48 | 000,000,000 | ---D | C] -- C:\Users\Carol\AppData\Roaming\Babylon
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [2011/10/05 17:24:10 | 000,003,584 | ---- | C] () -- C:\Users\Carol\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/06/30 20:19:48 | 000,000,000 | ---D | M] -- C:\Users\Carol\AppData\Roaming\Babylon
    @Alternate Data Stream - 757 bytes -> C:\Users\Carol\Documents\Retirement Home.eml:OECustomProperty
    @Alternate Data Stream - 1185 bytes -> C:\Users\Carol\Documents\http___hotair_cachefly_net_media_michellemalkin_com_nursery_school_orientation-1_pdf.eml:OECustomProperty
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------
sottovoce (thread starter)
04-Jul-2012, 12:22 PM #7
Jeff, done! Thanks so very much for this service. Tech Guys have brought me out of bad times for years now and I am so appreciative.

OTL says all is restored to perfect health!
jeffce (Jeff), Malware Removal Specialist
04-Jul-2012, 01:16 PM #8
Hi,

There should have been a log created....could you post that please? There are still some things that we need to look over and possibly repair.
sottovoce (thread starter)
04-Jul-2012, 02:49 PM #9
Certainly!

All processes killed
Error: Unable to interpret <Code:> in the current context!
Error: Unable to interpret <---------> in the current context!
========== SERVICES/DRIVERS ==========
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
C:\Users\Carol\AppData\Local\Babylon\Setup\HtmlScreens folder moved successfully.
C:\Users\Carol\AppData\Local\Babylon\Setup folder moved successfully.
C:\Users\Carol\AppData\Local\Babylon folder moved successfully.
C:\ProgramData\Babylon folder moved successfully.
C:\Users\Carol\AppData\Roaming\Babylon folder moved successfully.
C:\Windows\msdownld.tmp folder deleted successfully.
C:\Users\Carol\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini moved successfully.
Folder C:\Users\Carol\AppData\Roaming\Babylon\ not found.
ADS C:\Users\Carol\Documents\Retirement Home.eml:OECustomProperty deleted successfully.
ADS C:\Users\Carol\Documents\http___hotair_cachefly_net_media_michellemalkin_com_nursery_school_orientation-1_pdf.eml:OECustomProperty deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Carol\Desktop\cmd.bat deleted successfully.
C:\Users\Carol\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Carol
->Temp folder emptied: 686266579 bytes
->Temporary Internet Files folder emptied: 200928381 bytes
->Java cache emptied: 1137748 bytes
->Google Chrome cache emptied: 7959970 bytes
->Flash cache emptied: 178085 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56466 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 900057128 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 215050855 bytes
RecycleBin emptied: 8553537 bytes

Total Files Cleaned = 1,927.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.53.1 log created on 07042012_124214
Files\Folders moved on Reboot...
C:\Users\Carol\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Carol\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M3C6GIZF\si[4].htm moved successfully.
C:\Users\Carol\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EXS7U9F8\1059301-babylon-woes[1].html moved successfully.
C:\Users\Carol\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EXS7U9F8\iframe[1].htm moved successfully.
C:\Users\Carol\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EXS7U9F8\si[5].htm moved successfully.
C:\Users\Carol\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
PendingFileRenameOperations files...
File C:\Users\Carol\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
File C:\Users\Carol\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M3C6GIZF\si[4].htm not found!
File C:\Users\Carol\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EXS7U9F8\1059301-babylon-woes[1].html not found!
File C:\Users\Carol\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EXS7U9F8\iframe[1].htm not found!
File C:\Users\Carol\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EXS7U9F8\si[5].htm not found!
File C:\Users\Carol\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT not found!
Registry entries deleted on Reboot...
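
Added example, not part of the original thread: a small Python triage of an OTL fix log like the one in post #9. It separates lines OTL could not interpret (here, text pasted from outside the fix script), counts outcomes, and lists "not found" targets that no earlier line in the same log had already deleted or moved. The line patterns are inferred from the log lines shown in this thread, not from OTL documentation; `SAMPLE_LOG` is a constructed subset of that log and `triage_fix_log` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample: a subset of the fix-log lines quoted in post #9.
SAMPLE_LOG = r"""
All processes killed
Error: Unable to interpret <Code:> in the current context!
Error: Unable to interpret <---------> in the current context!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
C:\Users\Carol\AppData\Local\Babylon folder moved successfully.
C:\Users\Carol\AppData\Roaming\Babylon folder moved successfully.
C:\Windows\msdownld.tmp folder deleted successfully.
Folder C:\Users\Carol\AppData\Roaming\Babylon\ not found.
ADS C:\Users\Carol\Documents\Retirement Home.eml:OECustomProperty deleted successfully.
"""

# Patterns inferred from the log lines in this thread (an assumption).
ERROR_RE = re.compile(
    r"^Error: Unable to interpret <(?P<text>.*)> in the current context!$")
ACTION_RE = re.compile(
    r"^(?:(?:Registry key|Registry value|Folder|File|ADS)\s+)?"
    r"(?P<target>.+?)(?:\s+folder)?\s+"
    r"(?P<outcome>deleted successfully|moved successfully|not found)[.!]?$")


def _key(target):
    # The same object appears with and without a trailing backslash.
    return target.rstrip("\\").lower()


def triage_fix_log(text):
    """Summarise a fix log: outcome counts, rejected lines, unresolved targets."""
    counts, errors, unresolved, handled = Counter(), [], [], set()
    for line in (l.strip() for l in text.splitlines()):
        err = ERROR_RE.match(line)
        if err:
            errors.append(err.group("text"))  # line OTL could not interpret
            continue
        act = ACTION_RE.match(line)
        if not act:
            continue  # banners, section headers, blank lines
        target, outcome = act.group("target"), act.group("outcome")
        counts[outcome] += 1
        if outcome != "not found":
            handled.add(_key(target))
        elif _key(target) not in handled:
            # Never removed earlier in this log, so it was absent to begin with.
            unresolved.append(target.rstrip("\\"))
    return {"counts": dict(counts), "errors": errors, "unresolved": unresolved}


if __name__ == "__main__":
    for name, value in triage_fix_log(SAMPLE_LOG).items():
        print(name, value)
```

On the sample, the two rejected lines are the pasted "Code:" label and separator, and the CLSID key is the only "not found" target that was not removed earlier in the same run.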
jeffce (Jeff), Malware Removal Specialist
04-Jul-2012, 08:01 PM #10
Hi,

Please download Malwarebytes' Anti-Malware to your desktop.
  • Right-click and Run as Administrator mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan as shown below.


  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.


The log can also be found here:
C:\Documents and Settings\<User name>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
----------

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is NOT selected and the option Scan unwanted applications is selected.
  • Click Scan (This scan can take several hours, so please be patient)
  • If there are threats that are found, please press List of found threats and then in the next window that opens press Export to text file...
  • Copy and paste/or attach that log as a reply to this topic
**Note** If no threats are found there will not be a log created.
----------

In your next reply please post the logs made by Malwarebytes and ESET online scanner.
sottovoce (thread starter)
05-Jul-2012, 07:13 AM #11
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.07.05.03
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Carol :: CAROL-PC [administrator]
7/5/2012 8:02:34 AM
mbam-log-2012-07-05 (08-02-34).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 207654
Time elapsed: 6 minute(s), 47 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
jeffce (Jeff), Malware Removal Specialist
05-Jul-2012, 07:21 AM #12
Hi,

Was there a log created by ESET? If so please post that as well.

Also run Malwarebytes again and remove the entry that is found and post the new Malwarebytes log.
sottovoce (thread starter)
05-Jul-2012, 11:31 AM #13
The first time I ran ESET I noted when about 88% completed there were 4 threats, but when I returned to computer a bit of time after completion I'm thinking, I found no log. The second time I ran it, it said 'No threats found', again no copying of log, so I clicked Finish and it was about buying the software, but nowhere to save log. I should have done a print screen but it didn't allow me to go back.
jeffce (Jeff), Malware Removal Specialist
05-Jul-2012, 01:50 PM #14
Ok that is fine. How is your system behaving?
sottovoce (thread starter)
05-Jul-2012, 06:17 PM #15
How good it feels to have a smooth operating machine where things are in their place and zipping right along. This is a great public service and very much appreciated. Thanks again.