How to delete "PUP.Optional.Babylon.A malware"?

Normally I wouldn't need to post something like this, but I've googled and tried multiple ways to get rid of this. Every day Malwarebytes would warn me about "PUP.Optional.Babylon.A." I would quarantine it, but it would still detect it again. It is from the location C:\Users\Name\AppData\Local\Google\Chrome\User Data\Default\Preferences. I know that I got this malware from an "OpenCandy" after I installed an application (SUPER video converter) and was able to delete all other traces (it was removed from AppData\Local\Firefox, etc.), but not Google. Only after uninstalling Chrome did Malwarebytes not report anything. As soon as I reinstalled it and made sure my short list of extensions was malware-free (they are trusted and popular extensions with no malware associations), I get the same warning from Malwarebytes.

This is apparently a popular problem, but I've had no success despite deleting and emptying certain files/folders associated with it.

July 27, 2014

12 Comments

BobR

@immortal192 Good job tracking that down...!

The thing that pisses me off most about situations like this is there are people whose JOBS it is to sit around all day and figure out ways to exploit things like browser settings and software exploits to purposefully screw with your computer. Not to use their talents to cure cancer or improve humanity, but to specifically target you and your browser.

August 13, 2014
immortal192

I got the problem resolved by someone from the Malwarebytes forum. After running tools like AdwCleaner, FRST, RogueKiller, HitmanPro, etc. again, he was able to generate a "fixlist.txt", and using FRST and that, further traces of Babylon were removed. Then, he told me to go to the Google setting "Open a specific set of pages" and delete the MySearchDial URL (associated with Babylon). I assumed clearing Chrome browser settings would clear this. Also, this was hidden from me because I had the setting "restore previous tabs" bubbled instead.

Thanks everyone for the help--I learned a lot about the process of dealing with malware and how things like orphan registries are detected by MBAM.

August 13, 2014
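The fix above came down to a startup URL sitting in Chrome's Preferences file, invisible in the settings UI because a different startup mode was selected and re-synced on every reinstall. The following is an added example (not from this thread or from any of the tools named in it) that reads that JSON file and reports startup, homepage and search-provider entries mentioning a marker such as "mysearchdial" or "babylon"; the key names and the restore_on_startup values are taken from Chrome's preference layout as I know it and should be treated as assumptions, and the sample data is constructed.

```python
"""Audit a Chrome Preferences file for hijacked startup/homepage/search entries."""
import json
import os

# Substrings that mark a hijacked entry (constructed list for this example).
MARKERS = ("babylon", "mysearchdial")


def _flag(value, markers):
    return any(m in str(value).lower() for m in markers)


def find_hijacks(prefs, markers=MARKERS):
    """Return (setting, value) pairs whose value mentions a marker.
    Key names follow Chrome's Preferences JSON layout (assumed here)."""
    hits = []
    session = prefs.get("session", {})
    for url in session.get("startup_urls", []):  # "Open a specific set of pages"
        if _flag(url, markers):
            hits.append(("session.startup_urls", url))
    if _flag(prefs.get("homepage", ""), markers):
        hits.append(("homepage", prefs["homepage"]))
    tpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    for key in ("short_name", "keyword", "url"):
        if _flag(tpl.get(key, ""), markers):
            hits.append(("default_search_provider_data.template_url_data." + key, tpl[key]))
    return hits


def startup_urls_hidden(prefs):
    """True when startup URLs exist but another startup mode is selected, so the
    settings page never shows them (the thread's case: 'restore previous tabs').
    Assumed values: restore_on_startup 4 = open specific pages, 1 = restore tabs."""
    session = prefs.get("session", {})
    return bool(session.get("startup_urls")) and session.get("restore_on_startup") != 4


def load_prefs(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample mirroring the thread's situation; .example domain is a placeholder.
SAMPLE_PREFS = {
    "homepage": "https://www.google.com/",
    "session": {"restore_on_startup": 1,
                "startup_urls": ["http://start.mysearchdial.example/"]},
    "default_search_provider_data": {"template_url_data": {
        "short_name": "Google", "keyword": "google.com",
        "url": "https://www.google.com/search?q={searchTerms}"}},
}

if __name__ == "__main__":
    path = os.path.join(os.environ.get("LOCALAPPDATA", ""), "Google", "Chrome",
                        "User Data", "Default", "Preferences")
    prefs = load_prefs(path) if os.path.isfile(path) else SAMPLE_PREFS
    for setting, value in find_hijacks(prefs):
        print(f"suspicious {setting}: {value}")
    if startup_urls_hidden(prefs):
        print("startup_urls present but hidden: restore_on_startup is not 4")
```

Run it with Chrome closed; on a machine without the real file it falls back to the constructed sample and flags the hidden MySearchDial startup URL.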
BobR

immortal192 wrote: "I have this file search application called "Everything" (lightweight and portable, searches files in an instant) and found no traces of Babylon."

That app only searches the file names. You've already done that.

I was suggesting you search the file CONTENTS looking for the word "Babylon" to see if there's something on your hard drive, most likely with some innocuous filename to avoid suspicion, that contains the word "Babylon" somewhere inside it. That would involve opening EVERY file on the hard drive and reading the contents from start to finish, trying to match the search string. That would take HOURS, unless you have nothing on the drive.

What does the syncing process involve..? That is, what is it syncing with..?
It's suspicious the infection only shows after that process is run.

August 11, 2014 - edited
immortal192

I have this file search application called "Everything" (lightweight and portable, searches files in an instant) and found no traces of Babylon. I just reset Chrome settings to default, restarted the computer, and scanned. No traces of malware. Then I chose to sync all Chrome settings except for extensions and got the warning back. I am going to repeat this process and not sync apps (and extensions) this time to see if I can isolate what is being synced that is associated with the malware.

August 11, 2014 - edited
BobR

Hmmm... one other thing you can do, although it will take a long, long time, would be to Search the hard drive (using Windows Search).
Search for "Files or Folders named:" *.* and "Containing text:" Babylon.
That should turn up any file that contains that word in clear English.

It will probably find any cached copies of browser files from this discussion, but hopefully if there's still a malware file that's putting that PUP back into your system when you run or reinstall Chrome it should pick that up also and you can delete that file manually.

Have you checked the Chrome forums on Google to see if anyone else is having this same kind of problem..?

August 11, 2014 - edited
immortal192

I used CCleaner to clean the registry and then searched and deleted all traces of Babylon in the registry. I had to search for "Babylon" again, delete it, then repeat this procedure one more time before searching for it yielded no results (for some reason, deleting the 4 entries and searching for "Babylon" would show me the same 4 entries several times until it was finally deleted after the third time). I then ran a quick Malwarebytes scan and it reported as clean (I can't remember if it was a quick Malwarebytes scan or if it was comprehensive).

Unfortunately, restarting my computer and running a comprehensive scan showed the same warning. I used CCleaner and this time there was nothing to clean. I searched for any traces of Babylon in the registry and this time there were no traces. O_O

Going to see if tinkering with Google extensions and settings will do anything.

August 11, 2014 - edited
BobR

@immortal192 I didn't go back over those links to see if they suggested anything like this, but just from your description of what happens it sounds like there may be a buried orphan registry entry telling Chrome it's got this thing installed when actually the files and folders have been quarantined/removed long ago. This may be what Malwarebytes is picking up, since it only affects Chrome, and only when Chrome is installed.

Have you tried cleaning the registry with something like CCleaner..?
I'd try doing that, then if Malwarebytes still reports the infection do a manual search in Regedit for "Babylon" and delete any entries you find.

Incidentally, I just had a need to use "SUPER" and it forced me to update to the newest version so I ended up going through the installation hell you got this thing from.
I was able to dodge the installation of most of the garbage, but something called "monetize" snuck through and I ended up having to remove it later with Malwarebytes.
Fortunately that worked successfully.

I then sent the developers a somewhat terse message telling them I'd gladly Paypal them a couple of bucks as ransom if they'd just make a clean install available.
I've never seen such a good program absolutely ruined by greed like this.

August 10, 2014 - edited
immortal192

I tried both links and followed everything step by step (I already tried out the first link before I made this thread) and PUP.Optional.Babylon.A in AppData\Local\Google\Chrome\User Data\Default\Preferences is still found by Malwarebytes (I have the pro version). Is it actually not a threat, and can I change the settings in Malwarebytes so that it does not treat it as malware and ignores it? Still, this "threat" is something left over from something I deleted, and keeping it would at best do nothing. Maybe I should disable Google sync preferences and re-install Chrome fresh with default settings and try to see/isolate it if it comes up.

August 10, 2014 - edited
BobR

Here's another, in addition to the one above: http://malwaretips.com/blogs/pup-optional-babylon-a-virus/

It explains what this is and ways to get rid of it. It's not a specific thing, it's a general class of "potentially unwanted programs" installed by many sites and downloaders.
It's unlikely what you're seeing actually was part of SUPER video converter, most likely it was bundled with it by the site you downloaded the program from, like CNet or Download.com or whatever.

You might want to use a known bad site blocker like Spyware Blaster to block the links many of these PUP installers use, so even if you do run into one in the future the actual download of the PUP infection will be blocked.

July 27, 2014 - edited
SodiumOH

http://www.techsupportall.com/how-to-remove-pup-optional-babylon-a-virus-removal-help/

July 27, 2014 - edited
immortal192

Oops, I forgot to mention that I had MBAM delete it too. I tried AdwCleaner and restarted the computer, but it was still there.

July 27, 2014 - edited
xipwnux99

Use AdwCleaner. And just because it is quarantined does not mean it is gone. You have to go to the list of quarantined items and tell MBAM to delete it. Using AdwCleaner afterwards will help in getting rid of the traces.

Also, PUP stands for potentially unwanted software. They're not all viruses but they are annoying and are known to include malware in them as well as toolbars and stuff like that.

July 27, 2014 - edited