Hijacked by Search.gboxapp.com

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Hijacked by Search.gboxapp.com

by Erikthered » August 17th, 2012, 4:54 pm

Hi,

All processes killed
========== PROCESSES ==========
========== OTL ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Local Page| /E : value set successfully!
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\\SearchAssistant| /E : value set successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\ not found.
Registry delete failed. HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D0F4A166-B8D4-48b8-9D63-80849FE137CB} scheduled to be deleted on reboot.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D0F4A166-B8D4-48b8-9D63-80849FE137CB}\ not found.
========== FILES ==========
C:\ProgramData\bProtectorForWindows\2.1.419.7\traking_settings folder moved successfully.
Folder move failed. C:\ProgramData\bProtectorForWindows\2.1.419.7 scheduled to be moved on reboot.
Folder move failed. C:\ProgramData\bProtectorForWindows scheduled to be moved on reboot.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Erik The Red\Desktop\cmd.bat deleted successfully.
C:\Users\Erik The Red\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Erik The Red
->Temp folder emptied: 3023253 bytes
->Temporary Internet Files folder emptied: 11839394 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 506 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 42127 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 14.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.57.0 log created on 08172012_145044

Files\Folders moved on Reboot...
C:\ProgramData\bProtectorForWindows\2.1.419.7\traking_settings folder moved successfully.
Folder move failed. C:\ProgramData\bProtectorForWindows\2.1.419.7 scheduled to be moved on reboot.
Folder move failed. C:\ProgramData\bProtectorForWindows\2.1.419.7 scheduled to be moved on reboot.
Folder move failed. C:\ProgramData\bProtectorForWindows scheduled to be moved on reboot.
C:\Users\Erik The Red\AppData\Local\Temp\Low\REG9DF.tmp moved successfully.
C:\Users\Erik The Red\AppData\Local\Temp\Low\~DF193996374299F2AB.TMP moved successfully.
C:\Users\Erik The Red\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Erik The Red\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
C:\Users\Erik The Red\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8B189970-7542-4C8F-AE1F-3A68563E7ACD}.tmp moved successfully.

PendingFileRenameOperations files...
File C:\ProgramData\bProtectorForWindows\2.1.419.7 not found!
File C:\ProgramData\bProtectorForWindows not found!
File C:\Users\Erik The Red\AppData\Local\Temp\Low\REG9DF.tmp not found!
File C:\Users\Erik The Red\AppData\Local\Temp\Low\~DF193996374299F2AB.TMP not found!
File C:\Users\Erik The Red\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
File C:\Users\Erik The Red\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT not found!
File C:\Users\Erik The Red\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8B189970-7542-4C8F-AE1F-3A68563E7ACD}.tmp not found!

Registry entries deleted on Reboot...
Registry delete failed. HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D0F4A166-B8D4-48b8-9D63-80849FE137CB} scheduled to be deleted on reboot.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D0F4A166-B8D4-48b8-9D63-80849FE137CB}\ not found.
Erikthered
Regular Member
 
Posts: 72
Joined: August 11th, 2012, 10:17 pm

Re: Hijacked by Search.gboxapp.com

by Erikthered » August 17th, 2012, 4:58 pm

Still having the same problem where I can't change my home page.

Note: When I start up I get runtime error 2 at 00004AD4- I've had this for a while so it is not a new issue.
Erikthered
Regular Member
 
Posts: 72
Joined: August 11th, 2012, 10:17 pm

Re: Hijacked by Search.gboxapp.com

by Erikthered » August 17th, 2012, 5:48 pm

Some additional info- When I run the malwarebytes program I still have an identified threat.
Erikthered
Regular Member
 
Posts: 72
Joined: August 11th, 2012, 10:17 pm

Re: Hijacked by Search.gboxapp.com

by Cypher » August 18th, 2012, 5:18 am

Hi,
"Still having the same problem where I can't change my home page."

Which browser are you having problems with, Firefox, Internet Explorer or both?

"Some additional info- When I run the malwarebytes program I still have an identified threat"

Could you please do a MBAM scan using these settings:

  • Launch the application, Check for Updates >> Perform Full scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Logs/Information to Post in your Next Reply

  • Which browser are you having problems with.
  • Malwarebytes log.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Hijacked by Search.gboxapp.com

by Erikthered » August 18th, 2012, 8:25 am

I am using internet explorer.
Erikthered
Regular Member
 
Posts: 72
Joined: August 11th, 2012, 10:17 pm

Re: Hijacked by Search.gboxapp.com

by Erikthered » August 18th, 2012, 9:24 am

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.18.03

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Erik The Red :: ERIKTHERED-PC [administrator]

Protection: Enabled

18/08/2012 6:26:22 AM
mbam-log-2012-08-18 (06-26-22).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 521229
Time elapsed: 55 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 52

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 27
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4pdatact.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4pdyn.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4pfeedmg.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4phighin.exe (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4phkstub.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4phtml.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4phtmlmu.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4phttpct.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4pidle.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4pimpipe.exe (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4pmedint.exe (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4pmlbtn.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4pmsg.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4pPlugin.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4pradio.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4pregfft.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4preghk.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4pregiet.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4pscript.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4pskin.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4pskplay.exe (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4ptpinst.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\4puabtn.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\MindDabble_4p\bar\1.bin\NP4pStub.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Uninstall Information\ib_uninst_361\uninstall.exe (PUP.BundleInstaller.IB) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Uninstall Information\ib_uninst_455\uninstall.exe (PUP.BundleInstaller.IB) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Uninstall Information\ib_uninst_519\uninstall.exe (PUP.BundleInstaller.IB) -> Quarantined and deleted successfully.

(end)
Erikthered
Regular Member
 
Posts: 72
Joined: August 11th, 2012, 10:17 pm

Re: Hijacked by Search.gboxapp.com

by Cypher » August 18th, 2012, 11:08 am

Hi,
OK, before we dig a little deeper, let's try resetting IE. To do so, follow the instructions Here

Once done let me know if you are still having problems.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Hijacked by Search.gboxapp.com

by Erikthered » August 18th, 2012, 10:59 pm

I've completed the reset, but I still seem to have the same problem with the Search.gboxapp.com forcing itself to be my home page.

Immediately after the reset, Microsoft becomes the home page, but after exiting and going back into IE9, the babylon search page comes back.
Erikthered
Regular Member
 
Posts: 72
Joined: August 11th, 2012, 10:17 pm

Re: Hijacked by Search.gboxapp.com

by Erikthered » August 18th, 2012, 11:59 pm

Now my Internet Explorer links don't work in Outlook.

The operation has been cancelled due to restrictions in effect on this computer. contact system administrator.
Erikthered
Regular Member
 
Posts: 72
Joined: August 11th, 2012, 10:17 pm

Re: Hijacked by Search.gboxapp.com

by Cypher » August 19th, 2012, 4:55 am

Hi,

Uninstall programs
  • Click on Start.
  • All programs.
  • Accessories.
  • Run.
  • In the open text box copy/paste appwiz.cpl Then click Ok.
  • Uninstall the following if present.
SProtector

Now reboot your computer.

Next.

Please download aswMBR and save it to your Desktop.
  • Right click aswMBR.exe & choose "Run as Administrator" to run it.
  • Click Yes to the prompt to download Avast! virus definitions.
    (Please be patient whilst the virus definitions download)
  • With the AVscan set to Quick Scan, click the Scan button.
    (Please be patient whilst your computer is scanned.)
  • After a while when the scan reports "Scan finished successfully", click Save log & save the log to your desktop.
  • Click OK > Exit.
  • Note: Do not attempt to fix anything at this stage!
  • Two files will be created, aswMBR.txt & a file named MBR.dat.
  • MBR.dat is a backup of the MBR (master boot record), do not delete it.
  • I strongly suggest you keep a copy of this backup stored on an external device.
  • Copy & Paste the contents of aswMBR.txt into your next reply.

Next.

Please delete the SystemLook.txt if it's still on your desktop.

Next.

  • Right-click SystemLook.exe and select "Run as administrator" to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *babylon*
    
    :folderfind
    *babylon*
    
    :Regfind
    *babylon*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Logs/Information to Post in your Next Reply

  • aswMBR.txt.
  • SystemLook.txt
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Hijacked by Search.gboxapp.com

by Erikthered » August 19th, 2012, 9:26 am

sprotector uninstalled and computer has been rebooted.
Last edited by Erikthered on August 19th, 2012, 9:37 am, edited 1 time in total.
Erikthered
Regular Member
 
Posts: 72
Joined: August 11th, 2012, 10:17 pm

Re: Hijacked by Search.gboxapp.com

by Erikthered » August 19th, 2012, 9:35 am

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-19 07:18:50
-----------------------------
07:18:50.481 OS Version: Windows x64 6.1.7600
07:18:50.481 Number of processors: 2 586 0x602
07:18:50.482 ComputerName: ERIKTHERED-PC UserName: Erik The Red
07:18:52.603 Initialize success
07:20:01.118 AVAST engine defs: 12081900
07:20:40.477 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000057
07:20:40.482 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 3
07:20:40.498 Disk 0 MBR read successfully
07:20:40.503 Disk 0 MBR scan
07:20:40.511 Disk 0 Windows 7 default MBR code
07:20:40.523 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 14000 MB offset 2048
07:20:40.536 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 28674048
07:20:40.549 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 596378 MB offset 28878848
07:20:40.572 Disk 0 scanning C:\Windows\system32\drivers
07:20:46.457 Service scanning
07:21:05.625 Modules scanning
07:21:05.644 Disk 0 trace - called modules:
07:21:05.662 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys
07:21:06.010 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004346060]
07:21:06.023 3 CLASSPNP.SYS[fffff8800198843f] -> nt!IofCallDriver -> [0xfffffa80041d51c0]
07:21:06.035 5 ACPI.sys[fffff88000f36781] -> nt!IofCallDriver -> \Device\00000057[0xfffffa80036ec730]
07:21:07.685 AVAST engine scan C:\Windows
07:21:10.401 AVAST engine scan C:\Windows\system32
07:24:28.293 AVAST engine scan C:\Windows\system32\drivers
07:24:40.908 AVAST engine scan C:\Users\Erik The Red
07:26:51.188 Disk 0 MBR has been saved successfully to "C:\Users\Erik The Red\Desktop\MBR.dat"
07:26:51.194 The log file has been saved successfully to "C:\Users\Erik The Red\Desktop\aswMBR.txt"
07:27:03.048 AVAST engine scan C:\ProgramData
07:31:36.622 Scan finished successfully
07:33:38.290 Disk 0 MBR has been saved successfully to "C:\Users\Erik The Red\Desktop\MBR.dat"
07:33:38.294 The log file has been saved successfully to "C:\Users\Erik The Red\Desktop\aswMBR.txt"
Erikthered
Regular Member
 
Posts: 72
Joined: August 11th, 2012, 10:17 pm

Re: Hijacked by Search.gboxapp.com

by Erikthered » August 19th, 2012, 9:40 am

SystemLook 30.07.11 by jpshortstuff
Log created at 07:37 on 19/08/2012 by Erik The Red
Administrator - Elevation successful

========== filefind ==========

Searching for "*babylon*"
C:\Users\Erik The Red\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7VB1E4JL\remove-babylon-search-engine-browser[1].htm --a---- 197683 bytes [03:40 19/08/2012] [03:40 19/08/2012] 48D2A747227D8CAC6FA02BD3A6CFEBAE
C:\_OTL\MovedFiles\08152012_171416\C_Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml --a---- 2423 bytes [09:02 22/03/2011] [22:35 02/07/2011] 90694BF74F3EEACFA647022E2AF5F1CB
C:\_OTL\MovedFiles\08162012_064312\C_Users\Erik The Red\AppData\Local\Babylon\Setup\Babylon.dat --a---- 11205 bytes [22:21 29/06/2012] [13:42 01/12/2011] 8E6B33A7F03E2693A614002587A35DDD
C:\_OTL\MovedFiles\08162012_064312\C_Users\Erik The Red\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.0_0\babylon48.png --a---- 4192 bytes [02:10 12/07/2011] [02:10 12/07/2011] 0E8BB681B8F657F854D7DA0CE51B463C
C:\_OTL\MovedFiles\08162012_064312\C_Users\Erik The Red\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.0_0\BabylonChromePI.dll --a---- 169472 bytes [02:10 12/07/2011] [02:10 12/07/2011] 407D9FA22631B1585438BBD74DC15D0A

========== folderfind ==========

Searching for "*babylon*"
C:\ProgramData\WildTangent\Acer Game Console\UI\htdocs2\Common\product\babylonia d------ [22:25 31/03/2010]
C:\Users\All Users\WildTangent\Acer Game Console\UI\htdocs2\Common\product\babylonia d------ [22:25 31/03/2010]
C:\_OTL\MovedFiles\08152012_171416\C_Users\Erik The Red\AppData\Roaming\Babylon d------ [22:21 29/06/2012]
C:\_OTL\MovedFiles\08162012_064312\C_ProgramData\Babylon d------ [22:21 29/06/2012]
C:\_OTL\MovedFiles\08162012_064312\C_Users\Erik The Red\AppData\Local\Babylon d------ [22:21 29/06/2012]
C:\_OTL\MovedFiles\08162012_064312\C_Users\Erik The Red\AppData\LocalLow\BabylonToolbar d------ [22:38 02/07/2011]
C:\_OTL\MovedFiles\08162012_064312\C_Users\Erik The Red\AppData\LocalLow\BabylonToolbar\BabylonToolbar d------ [22:38 02/07/2011]

========== Regfind ==========

Searching for "*babylon*"
No data found.

-= EOF =-
Erikthered
Regular Member
 
Posts: 72
Joined: August 11th, 2012, 10:17 pm

Re: Hijacked by Search.gboxapp.com

by Erikthered » August 19th, 2012, 9:45 am

Note, when I did a quick find with regedit, I found some links to gboxapp.com. I didn't make any changes and won't do any changes unless instructed by yourself.
Erikthered
Regular Member
 
Posts: 72
Joined: August 11th, 2012, 10:17 pm
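
The kind of registry check mentioned in the post above, written as a read-only PowerShell script. This is an added example, not part of the original thread or of any tool used in it: the function names `Find-HijackValue` and `Get-IEAddOn` are hypothetical, the key paths are the ones that appear in the OTL log earlier in the thread, and the `Wow6432Node` path is included on the assumption that the system is 64-bit Windows, as the Malwarebytes log reports.

```powershell
# Added example (not from the thread): read-only audit of the Internet Explorer
# registry locations named in the OTL log. It reads values and changes nothing.

# Strings to look for; both come from this thread.
$Patterns = 'gboxapp', 'babylon'

# Key roots that appear in the OTL fix log. The Wow6432Node entry is the 32-bit
# view of the same IE key on 64-bit Windows (assumption: the system is x64).
$Roots = @(
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Search',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer'
)

# Hypothetical helper: report every value under the given roots whose data
# contains one of the patterns (start page, search scope URLs and so on).
function Find-HijackValue {
    param([string[]]$Root, [string[]]$Pattern)

    # Escape each pattern so dots and similar characters match literally.
    $regex = ($Pattern | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $raw   = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        # The root key itself plus every subkey beneath it.
        $keys = @(Get-Item -LiteralPath $r) +
                @(Get-ChildItem -LiteralPath $r -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                # Multi-string and binary data are flattened to one line of text.
                $text = @($key.GetValue($name, $null, $raw)) -join ' '
                if ($text -match $regex) {
                    $shown = $(if ($name) { $name } else { '(Default)' })
                    New-Object PSObject -Property @{
                        Key = $key.Name; Value = $shown; Data = $text
                    } | Select-Object Key, Value, Data
                }
            }
        }
    }
}

# Hypothetical helper: list Browser Helper Objects (subkeys) and IE toolbars
# (value names) by CLSID and resolve each one to the DLL registered for it.
function Get-IEAddOn {
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $tb  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'

    $clsids = @()
    if (Test-Path -LiteralPath $bho) {
        $clsids += Get-ChildItem -LiteralPath $bho | ForEach-Object { $_.PSChildName }
    }
    if (Test-Path -LiteralPath $tb) {
        $clsids += (Get-Item -LiteralPath $tb).GetValueNames()
    }

    foreach ($id in ($clsids | Where-Object { $_ } | Sort-Object -Unique)) {
        # A CLSID with no InprocServer32 entry is an orphaned reference, like
        # the "not found" CLSID lines in the OTL log.
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$id\InprocServer32"
        $dll = if (Test-Path -LiteralPath $server) {
            (Get-Item -LiteralPath $server).GetValue('')
        } else {
            '<CLSID not registered>'
        }
        New-Object PSObject -Property @{ CLSID = $id; Server = $dll } |
            Select-Object CLSID, Server
    }
}

Find-HijackValue -Root $Roots -Pattern $Patterns | Format-List
Get-IEAddOn | Format-Table -AutoSize
```

The output is a list to post back to the helper, in the same way as the tool logs elsewhere in the thread.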

Re: Hijacked by Search.gboxapp.com

by Erikthered » August 19th, 2012, 9:59 am

I came across this on the web, not sure if it is something that could help us.........or could be trusted.


How to Remove Search.babylon.com Redirect Virus? Search.babylon.com Browser Hijacker Removal Guide

Dec 06, 2011 by admin

Search.babylon.com is a dangerous Google redirect virus that can hijack web browser and redirect search results to unwanted sites on infected computers. Search.babylon.com may catch and target on you when you are on facebook or youtube or when you click on links in your emails. Search.babylon.com hides over cyber network and tries to attack computer systems all the time. Search.babylon.com is a malicious domain you should avoid this browser hijacker and remove it once it is found.

Search.babylon.com may install Babylon search toolbar on your browser so that it can more easily do its nasty activities. Search.babylon.com modifies browser setting and your homepage. It won’t allow you easily reset your homepage back. When you search something from your browser’ url bar, you are redirected to its site and filled with the information Search.babylon.com tries to promote or distribute. You should take steps to get rid of Search.babylon.com immediately before it creates more trouble to your computer.

How to Remove Search.babylon.com Completely and Effectively?

Some computer users may ask why you don’t introduce the automatic Search.babylon.com removal as antivirus programs may be available for many computer users. Well, as far as today we have received lots of feedback and complain from victim users who talk about their antivirus/antispyware software being out of work in front of the redirect virus Search.babylon.com.

Search.babylon.com is a well-designed malicious browser hijacker, so the best way to get rid of it is to perform a manual Search.babylon.com removal solution.

Manual Search.babylon.com Removal Steps:

1) Open Windows Task Manager to stop Search.babylon.com process.

2) Go to Windows Control Panel Add/Remove Programs to uninstall Search.babylon.com program.

3) Open Windows Registry using regedit.exe command. Find and Remove all Search.babylon.com Registry Files.

4) Search for Search.babylon.com Files on your computer and delete them.

Manual removal of Search.babylon.com hijacker is an effective solution, but also a difficult one especially for users who are not very familiar with Windows Registry component. Therefore, to make things much easier, and to help you remove Search.babylon.com redirect virus safely and quickly, you are suggested to contact Tee Support expert for complete Search.babylon.com removal once and for
Erikthered
Regular Member
 
Posts: 72
Joined: August 11th, 2012, 10:17 pm