MalWare Removal Forum

Hello again,

Below is the VirusTotal scans for files Video Converter and Uninstall.
Back about the behaviour of the PC in a moment...
Best regards,
Jujucds

VirusTotal
SHA256: 3acd9f3abd1f80d4220e3d2d902fe1c39ccf0b6f5f47b5d4a94e953f1d2c380c
File name: VideoConverter.exe
Detection ratio: 2 / 42
Analysis date: 2012-04-08 17:44:11 UTC ( 1 minute ago )
0
0
Antivirus Result Update
AhnLab-V3 - 20120408
AntiVir - 20120408
Antiy-AVL - 20120408
Avast - 20120408
AVG - 20120408
BitDefender - 20120408
ByteHero - 20120407
CAT-QuickHeal - 20120408
ClamAV - 20120408
Commtouch - 20120408
Comodo - 20120408
DrWeb Adware.Foxtab.2 20120408
Emsisoft - 20120408
eSafe - 20120408
eTrust-Vet - 20120406
F-Prot - 20120408
F-Secure - 20120408
Fortinet - 20120408
GData - 20120408
Ikarus - 20120408
Jiangmin - 20120331
K7AntiVirus - 20120407
Kaspersky - 20120408
McAfee - 20120408
McAfee-GW-Edition - 20120408
Microsoft - 20120408
NOD32 a variant of Win32/InstallCore.A 20120408
Norman - 20120408
nProtect - 20120408
Panda - 20120408
PCTools - 20120408
Rising - 20120406
Sophos - 20120408
SUPERAntiSpyware - 20120402
Symantec - 20120408
TheHacker - 20120408
TrendMicro - 20120408
TrendMicro-HouseCall - 20120408
VBA32 - 20120405
VIPRE - 20120408
ViRobot - 20120408
VirusBuster - 20120407

Comments
Additional information

No comments

VirusTotal
SHA256: 076e2c951803e624dadf45e7afed4f269b563708067c8f2595ae552eb9586ae3
File name: Uninstall.exe
Detection ratio: 14 / 40
Analysis date: 2012-04-08 17:49:34 UTC ( 1 minute ago )
0
0
Antivirus Result Update
AntiVir ADWARE/Adware.Gen 20120408
Antiy-AVL - 20120408
Avast Win32:InstallCore-F [PUP] 20120408
AVG - 20120408
BitDefender Gen:Variant.Application.InstallCore.4 20120408
CAT-QuickHeal Trojan.Rimod.A8 20120408
ClamAV - 20120408
Commtouch - 20120408
Comodo ApplicUnwnt.Win32.AdWare.InstallCore.0 20120408
DrWeb Adware.Zugo.55 20120408
Emsisoft - 20120408
eSafe - 20120408
eTrust-Vet - 20120406
F-Prot W32/Agent.MC.gen!Eldorado 20120408
F-Secure Gen:Variant.Application.InstallCore.4 20120408
Fortinet Adware/InstallCore.B 20120408
GData Gen:Variant.Application.InstallCore.4 20120408
Ikarus - 20120408
Jiangmin Trojan/Genome.arpz 20120331
K7AntiVirus Riskware 20120407
Kaspersky - 20120408
McAfee - 20120408
McAfee-GW-Edition - 20120408
Microsoft - 20120408
NOD32 a variant of Win32/InstallCore.D 20120408
Norman - 20120408
nProtect - 20120408
Panda - 20120408
PCTools - 20120408
Rising - 20120406
Sophos - 20120408
SUPERAntiSpyware - 20120402
Symantec - 20120408
TheHacker - 20120408
TrendMicro - 20120408
TrendMicro-HouseCall - 20120408
VBA32 - 20120405
VIPRE - 20120408
ViRobot - 20120408
VirusBuster Adtool.InstallCore.Gen.2 20120407

Comments
Additional information

No comments

You ran a custom scan, not a custom fix.

Please run the fix again, and this time follow the instructions exactly as I gave them, paying particular attention to press the Run Fix button, and NOT the Run Scan button.
_________________

Hello,
Sorry for wrongly executing your instructions. Below is the result of the Run Fix button by OTL
Best regards,
Jujucds

All processes killed
========== OTL ==========
Registry key HKEY_USERS\S-1-5-21-2004331368-872200146-798892892-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.
C:\Users\Mathieu\AppData\Roaming\mozilla\Firefox\Profiles\t0np4bv7.default\extensions\ffxtlbr@babylon.com\defaults\preferences folder moved successfully.
C:\Users\Mathieu\AppData\Roaming\mozilla\Firefox\Profiles\t0np4bv7.default\extensions\ffxtlbr@babylon.com\defaults folder moved successfully.
C:\Users\Mathieu\AppData\Roaming\mozilla\Firefox\Profiles\t0np4bv7.default\extensions\ffxtlbr@babylon.com\content\imgs\flgs folder moved successfully.
C:\Users\Mathieu\AppData\Roaming\mozilla\Firefox\Profiles\t0np4bv7.default\extensions\ffxtlbr@babylon.com\content\imgs folder moved successfully.
C:\Users\Mathieu\AppData\Roaming\mozilla\Firefox\Profiles\t0np4bv7.default\extensions\ffxtlbr@babylon.com\content folder moved successfully.
C:\Users\Mathieu\AppData\Roaming\mozilla\Firefox\Profiles\t0np4bv7.default\extensions\ffxtlbr@babylon.com\components folder moved successfully.
C:\Users\Mathieu\AppData\Roaming\mozilla\Firefox\Profiles\t0np4bv7.default\extensions\ffxtlbr@babylon.com folder moved successfully.
C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{98889811-442D-49dd-99D7-DC866BE87DBC} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC}\ deleted successfully.
C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\ deleted successfully.
C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll moved successfully.
========== FILES ==========
C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh folder moved successfully.
C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17 folder moved successfully.
C:\Program Files\BabylonToolbar\BabylonToolbar\1.4.31.2\bh folder moved successfully.
C:\Program Files\BabylonToolbar\BabylonToolbar\1.4.31.2 folder moved successfully.
C:\Program Files\BabylonToolbar\BabylonToolbar folder moved successfully.
C:\Program Files\BabylonToolbar folder moved successfully.
C:\Users\Mathieu\AppData\Roaming\Babylon folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Invité
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes

User: Mathieu
->Temp folder emptied: 913405 bytes
->Temporary Internet Files folder emptied: 2096435084 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 100155179 bytes
->Google Chrome cache emptied: 6681770 bytes
->Apple Safari cache emptied: 547840 bytes
->Flash cache emptied: 4949 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 117411 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 7452521 bytes

Total Files Cleaned = 2 110,00 mb



OTL by OldTimer - Version 3.2.39.2 log created on 04092012_114324

Files\Folders moved on Reboot...
C:\Users\Mathieu\AppData\Local\Temp\ehmsas.txt moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

OK, looks like the Babylon Toolbar entries were successfully removed.

The results from VirusTotal are fairly inconclusive as far as I can see. The first file looks to only be detected by E-Set, and the second I believe is detected because it is an uninstaller, and uninstallers generally trigger heuristic detections.

Did you install FoxTabVideoConverter yourself, and was it downloaded from a reliable and trustworthy source? If you did, then I think we can probably leave it, however if you have any doubt about where it came from, then it's probably best to remove it.

Let me know what you want to do, and let me know how your computer is behaving now please.
_________________

Hello,

About FoxTabVideoConverter, I dont remember having downloaded it and I do not use it, so it can be readily removed.
Concerning the behaviour of the computer, it takes from two and a half to three minutes to get ready when started. I would be attempted to say that this duration did not change much, but as I did not measure it during the virus period, I cannot conclude with certainty. Another thing, when I had viruses, the control panel took sometimes from about half to one minute to open but now, it opens normaly (a couple of seconds).
Do you believe there are no more infected files in my computer, and would you say that the duration of the starting period is correct for this type of computer?
Yours sincerly,
jujucds

If you're not using it, then go to Control Panel > Programs > Uninstall a program and uninstall FoxTab Video Converter

Reboot your computer when finished.

Next

• Double click OTL.exe to launch the programme.
• Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.

• Click the Run Fix button.
• OTL will now process the instructions.
• When finished a box will open asking you to open the fix log, click OK.
• The fix log will open.
• Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.

As for your startup time, it's not excessive, but we can speed it up a little by disabling some of the unecessary auto-startup entries if you wish. Let me know if you want to do that, and I can make a few suggestions.

Below the content of file fix log :

========== FILES ==========
File\Folder C:\Program Files\FoxTabVideoConverter\VideoConverter.exe not found.
File\Folder C:\Program Files\FoxTabVideoConverter\Uninstall\Uninstall.exe not found.

OTL by OldTimer - Version 3.2.39.2 log created on 04092012_194420


Thank you for your suggestions. Please tell me how to disable unecessary starting program.

Thank you again,
jujucds

The following programs can be disabled from starting automatically .....

• Double click OTL.exe to launch the programme.
• Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.

• Click the Run Fix button.
• OTL will now process the instructions.
• When finished a box will open asking you to open the fix log, click OK.
• The fix log will open.
• Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.

PLEASE NOTE ..... all we are doing here is removing the Registry entries that auto-start these programs on startup, we are not removing the programs themselves. If you wish to use one of these programs you can launch it by clicking .... Start > All Programs then clicking on the icon for the program you wish to launch.

For further information on how to speed up your computer, please see .... What to do if your Computer is running slowly

Now it's time to remove all the programs we've been using to check and clean your computer ....

Let's clear out Combofix and the files/folders it created

• Click Start > Run
• Copy/Paste ComboFix /Uninstall into the Run box.
• Click OK
• Combofix will now delete its files and folders and also perform the following function.
  
  • Clears System Restore cache and creates a new Restore point. This will remove any "malicious" System Restore files, which may have been created whilst your computer was infected.

IMPORTANT

• Do not use your computer while Combofix is running.
• Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Next

Let's clear out OTL and the files and folders it created.

• Double click OTL.exe to launch the programme.
• Click on the CleanUp! button.
• OTL will download a list from the Internet, if your firewall or other defensive programmes alerts you, allow it access.
• You will be prompted to allow the clean up procedure, click Yes
• When finished exit out of OTL
• Now delete OTL.exe (if still present).

As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems ?

• If you are let me know about them.
• If not it's time to make your computer more secure.

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

• Computer Security - a short guide to staying safer online

Hello,
I will finish the cleanning as you indicated.
I send you the contents of the OTL log file :

========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\LightScribe Control Panel deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Software Informer deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\RGSC deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Facebook Update deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\swg deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Adobe Reader Speed Launcher deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\AppleSyncNotifier deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\TkBellExe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\QuickTime Task deleted successfully.

OTL by OldTimer - Version 3.2.39.2 log created on 04102012_193802

Everything seems ok now. Thank you very much for your help,
jujucds.

You're welcome, glad we could help.

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.