Skype installs malware toolbars

4 September 2013 at 23:38 (Random Randomness)

You were very fortunate to get an older version of the Babylon virus. The newer “improved” version installs a totally separate, disguised and totally unidentified program titled Browser Manager. While that is still on the hard drive, about:config resets will not work, as the last Babylon file, of 30 total Babylon files, cannot be reset, not by you and not even by Mozilla. When FFX restarts, this program re-installs Babylon, and you never knew it was there. — jaguar6cy

Please watch out when installing Skype! It seems the current installer is bundled with a malicious toolbar called Delta, which, from what I’ve seen, seems to come from the same malware factory that created the ebil Babylon toolbar.

What is sneaky about these installers (and I’m including the just-as-evil CNET malware installer here) is that, just like SecuROM, they are incredibly devious in the way they operate. Hiding behind a trusted name, most people will assume the software is safe (CNET even proudly proclaims that all software hosted on their site is checked for viruses, malware and spyware — but they cannot extend that to their own installer). However, they have to get their money from somewhere, and this is how they do it.

When installing any software, always check each step before proceeding — don’t just keep hitting “accept”. The moment you see a toolbar offered (or any third-party software), proceed very VERY carefully indeed. Unchecking the boxes is not enough to stop the malware infection. You have to also press DECLINE.

See, this is how they fool you. You’d assume that you uncheck the boxes, then press “accept” to continue, but what you don’t realise is that you can uncheck all the checkboxes in the world; the moment you hit “accept” that’s your consent to install the malware toolbar.

How do I know if I’ve already installed these malware bars?

First off, all your browsers will probably be infected with the toolbar. So check that first.

Next, you need to search through your list of programs for any of the following:
Clarosearch
Babylon
Delta
Yontoo
BrowserManager (or variant spelling, e.g. BrowseMngr)
BrowserProtect (or variant spellings)
BrowserDefender (or variant spellings)

This is not a complete list! There are bound to be many more.

You can be damn sure I check my programs list and Task Manager frequently.

In Firefox’s address bar, type about:config and search for these terms there as well.

Your AV may or may not pick up on the infection. Babylon + BrowserManager seems to have been installed on my mum’s computer for some months before AVG detected it and tried to quarantine it, only for it to keep replicating 10x over each time AVG managed to nuke one instance. F-Secure did pick up on the latest Skype-related infection, but that was after I halted the installation with Ctrl+Alt+Del.
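The checks above (the programs list, Task Manager’s Processes and Services tabs, and about:config) as one read-only PowerShell sweep. This is an added example, not code from the original post: the name list is the one given above, the Run-key check and the grep of Firefox’s prefs.js/user.js (which is where about:config values are stored, under the default profile folder) are my additions, and the script only reports, it changes nothing.

```powershell
# Added example (not from the original post): read-only sweep for the
# crapware names listed above. Reports matches; deletes nothing.
$names = @('Clarosearch', 'Babylon', 'Delta', 'Yontoo',
           'BrowserManager', 'BrowseMngr', 'BrowserProtect', 'BrowserDefender')
# One case-insensitive regex for all the names. 'Delta' is an ordinary word,
# so treat hits on it as leads to check by hand, not as proof.
$pattern = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Installed programs: what Control Panel > Programs lists, read from the
#    Uninstall keys (64-bit, 32-bit and per-user).
$uninstall = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$programs = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { "$($_.DisplayName) $($_.Publisher)" -match $pattern } |
    Select-Object DisplayName, Publisher, InstallLocation, UninstallString

# 2. Running processes (Task Manager > Processes), with the path on disk
$processes = Get-CimInstance Win32_Process |
    Where-Object { "$($_.Name) $($_.ExecutablePath)" -match $pattern } |
    Select-Object ProcessId, Name, ExecutablePath

# 3. Services (Task Manager > Services)
$services = Get-CimInstance Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $pattern } |
    Select-Object Name, DisplayName, State, StartMode, PathName

# 4. Startup entries under the Run keys (my addition: a likely place for a
#    helper that re-installs the toolbar after reboot to live)
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$startup = foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notin $psProps -and "$($_.Name) $($_.Value)" -match $pattern } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}

# 5. Firefox: about:config values live in prefs.js / user.js of each profile,
#    so grep those files instead of clicking through about:config.
$ffProfiles = "$env:APPDATA\Mozilla\Firefox\Profiles"   # default location
$firefox = Get-ChildItem -Path $ffProfiles -Recurse -Include prefs.js, user.js -ErrorAction SilentlyContinue |
    Select-String -Pattern $pattern |
    Select-Object Path, LineNumber, Line

$report = [ordered]@{
    'Installed programs'      = $programs
    'Running processes'       = $processes
    'Services'                = $services
    'Run-key startup entries' = $startup
    'Firefox prefs'           = $firefox
}
foreach ($title in $report.Keys) {
    $items = @($report[$title] | Where-Object { $_ })
    Write-Host "== $title : $($items.Count) hit(s)"
    $items | Format-Table -AutoSize | Out-Host
}
```

Run it from an elevated prompt so the HKLM keys and all services are readable; a clean machine prints five sections with 0 hits. A hit in Services or the Run keys that survives an uninstall is the re-installer behaviour described in the quoted comment, and is what to chase first.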

Aieeeee! I’m infected! How do I remove?!

If you have a System Restore point from when you know you were definitely not infected, that may be enough.

Otherwise: start by going to your control panel (or CCleaner) and uninstalling the malware. This won’t completely remove it, though!

Reset Firefox to its default state. Disable/uninstall the stupid toolbars. Do the equivalent for your other browsers. This is still not enough to remove it!

True to their malicious nature, they can be an absolute pain to remove. Malwarebytes may or may not pick it up (download it HERE so you can bypass the CrapNet installer). If it gets it, the next step will probably be enough to clear the infection. Otherwise, you’ll have to do the whole lot manually.

Next, clean up your registry with a free tool called CCleaner. Once you’ve loaded it up, go to Registry and Scan for Issues. Click Fix All Issues. When it prompts to backup, say yes. You will need to do this multiple times until you get a No Issues Detected.

After that you need to go through your registry to make sure it’s completely nuked. If you don’t know what that means, I suggest getting someone more experienced to have a look. If you still wanna try, go to Start > Run. Type in regedit then hit enter. Search for Babylon (or whatever your crapware of choice is) and delete the blighters. If your PC blows up, it’s your own fault for not listening to me and getting someone more experienced.

Okay, now we need to check out the ProgramData folder. Start up Windoze in Safe Mode. To do this, keep hitting F8 when your computer is booting, before Windoze has loaded. See here for more: http://windows.microsoft.com/en-us/windows/start-computer-safe-mode

Select Safe Mode with Networking.

Windoze will load up all low-res and stuff. This is fine. Open up My Computer, then Tools > Folder Options… and make sure hidden files are visible.

Then navigate to C:\ProgramData and look for a folder with any of the names listed above. You can safely delete those folders (leave everything else in ProgramData alone, though).

Restart Windoze normally and check your browsers again. Check Task Manager, click on the Processes and then the Services tabs, and look for anything related to the malicious toolbar. No sign? Then you are now crapware free! Yayz!

Run CCleaner’s registry checker and disk cleanup one more time, just to be sure any last trace of the blighters is gone.
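The regedit search-and-delete step and the C:\ProgramData sweep from the procedure above, as one PowerShell script. This is an added example, not code from the original post: the name list is the one above, the backup folder path is an assumption, and by default it only lists what it finds; it deletes only when run with -Remove, and exports each registry key to a .reg file first so the deletion can be undone.

```powershell
# Added example, not from the original post: the "search regedit for Babylon
# and delete the blighters" step and the C:\ProgramData sweep as one script.
# Lists only, unless -Remove is passed; before deleting a key it exports it
# to a .reg file that can be merged back. Run from an elevated prompt.
param(
    [string[]]$Names = @('Babylon', 'Delta', 'Yontoo', 'Clarosearch',
                         'BrowserManager', 'BrowseMngr', 'BrowserProtect', 'BrowserDefender'),
    [switch]$Remove,
    # Where the .reg backups go (assumed location; change to suit)
    [string]$BackupDir = "$env:USERPROFILE\Desktop\toolbar-reg-backup"
)

# One case-insensitive regex for all the names. 'Delta' is an ordinary word,
# so expect unrelated hits on it and review the list before using -Remove.
$pattern = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Walk the per-user and machine-wide Software hives once (this takes a while)
$allKeys = foreach ($root in 'HKCU:\Software', 'HKLM:\SOFTWARE') {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue
}

# Pass 1: keys named after a toolbar. Keep only the topmost of each nested
# set, so a parent is not deleted and its child then reported as missing.
$named = @($allKeys | Where-Object { $_.PSChildName -match $pattern })
$topKeys = @($named | Where-Object {
    $k = $_
    -not ($named | Where-Object { $_.Name -ne $k.Name -and $k.Name.StartsWith($_.Name + '\') })
})

# Pass 2: ordinary keys holding a value whose name or data mentions a toolbar
# (a Run entry, a browser home page, an uninstall string). Reported only:
# deleting such a key would take legitimate settings with it.
$valueHits = foreach ($key in $allKeys) {
    if ($topKeys | Where-Object { $key.Name -eq $_.Name -or $key.Name.StartsWith($_.Name + '\') }) { continue }
    foreach ($v in $key.GetValueNames()) {
        $data = "$($key.GetValue($v))"
        if ($v -match $pattern -or $data -match $pattern) {
            [pscustomobject]@{ Key = $key.Name; Value = $v; Data = $data }
        }
    }
}

# Pass 3: C:\ProgramData folders named after a toolbar (hidden ones included)
$folders = @(Get-ChildItem -Path $env:ProgramData -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern })

Write-Host "Registry keys named after the toolbars ($($topKeys.Count)):"
$topKeys | ForEach-Object { Write-Host "  $($_.Name)" }
Write-Host "Registry values mentioning them, for manual review ($(($valueHits | Measure-Object).Count)):"
$valueHits | Format-Table -AutoSize | Out-Host
Write-Host "ProgramData folders ($($folders.Count)):"
$folders | ForEach-Object { Write-Host "  $($_.FullName)" }

if ($Remove) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($key in $topKeys) {
        # $key.Name is in reg.exe form, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\Babylon
        $file = Join-Path $BackupDir (($key.Name -replace '[\\:]', '_') + '.reg')
        reg.exe export $key.Name $file /y | Out-Null
        Remove-Item -Path $key.PSPath -Recurse -Force
    }
    foreach ($dir in $folders) {
        Remove-Item -Path $dir.FullName -Recurse -Force
    }
}
```

Run it once without -Remove and read the list, exactly as you would read regedit’s search results before pressing Delete: a key called Delta under an unrelated product is a false positive, and the script will not know that for you. Run it again with -Remove only for the names you are sure about (pass them with -Names), then do the Safe Mode ProgramData check and the Task Manager check above to confirm nothing comes back after a normal restart.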

And remember, CNET is NOT your friend!

More:
c|net is bad bad bad!
Malwaretips page on removing Babylon
Mozilla support page on Babylon
“Worse than any virus”; Babylon’s uninstaller flagged as a Trojan by McAfee
