Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 92790 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Vosteran again, we think [Closed]

vosteran

  • This topic is locked This topic is locked
3 replies to this topic

#1 PatLibrary

PatLibrary

    New Member

  • New Member
  • Pip
  • 1 posts

Posted 26 November 2014 - 04:56 PM

Hello,

 

My computer seems to be infected with Vosteran, it hijacks the browser. Please help.

 

I am computer illiterate and have had some help from family in getting this far.

 

I have attached the scans as requested. I am running Windows 8.1 on an i3 machine.T

 

Thanks

 

Pat.

Attached Files


    Advertisements

Register to Remove


#2 LiquidTension

LiquidTension

    SuperMember

  • Retired Classroom Teacher
  • 2,566 posts

Posted 26 November 2014 - 07:56 PM

Hello PatLibrary, welcome to WhatTheTech's Malware Removal forum!
 
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that. :)
 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.
  • Please do not post logs using the CODEQUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
  • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.  
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
  • Topics are locked if no response is made after 4 days. Please inform me if you require additional time to complete my instructions.
  • Ensure you are following this topic. Click etYzdbu.png at the top of the page. 
     

======================================================
 

I am computer illiterate and have had some help from family in getting this far.

No problem at all. If there's anything you're unsure of, please be sure to ask.
 
STEP 1
6JO0hXH.png Revo Uninstaller

  • Please download and install Revo Uninstaller Free.
  • Double-click Revo Uninstaller to run the programme. 
  • From the list of programmes, locate the following, or anything similar and carry out the steps below one at a time.
    • BrowseStudio
    • Driver Support
    • Driver Support Active Optimization
  • Double-click the programme. 
  • When prompted if you want to uninstall click Yes.
  • Ensure the Moderate option is selected and click Next.
  • The programme uninstaller will run. If prompted again click Yes.
  • Work your way through the uninstaller, ensuring you read each page thoroughly.
  • Note: Ensure you decline offers of additional software if applicable. 
  • Once the built-in uninstaller is finished click Next.
  • Once the programme has searched for leftovers click Next.
  • Check items in bold only in the list and click Delete. You may have to expand folders by clicking the "+" mark.
  • When prompted click Yes, followed by Next.
  • Click Select all, followed by Delete.
  • When prompted click Yes, followed by Next.
  • Once done click Finish.
     

STEP 2
xlK5Hdb.png Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key pdKOQKY.png + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    () C:\Program Files (x86)\BrowseStudio\updateBrowseStudio.exe
    () C:\Program Files (x86)\BrowseStudio\bin\utilBrowseStudio.exe
    () C:\Program Files (x86)\BrowseStudio\bin\BrowseStudio.BOASHelper.exe
    () C:\Program Files (x86)\BrowseStudio\bin\BrowseStudio.BrowserAdapter.exe
    () C:\Program Files (x86)\BrowseStudio\bin\BrowseStudio.BrowserAdapter64.exe
    () C:\Program Files (x86)\BrowseStudio\bin\BrowseStudio.BOASPRT.exe
    () C:\Program Files (x86)\BrowseStudio\bin\BrowseStudio.BOAS.exe
    () C:\Program Files (x86)\BrowseStudio\bin\BrowseStudio.PurBrowse64.exe
    C:\Program Files (x86)\BrowseStudio
    ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll No File
    ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll No File
    ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll No File
    ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll No File
    GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    SearchScopes: HKLM -> DefaultScope {1B562AF0-55B4-4EA8-B397-29263E4BAA18} URL = http://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_coinis_14_47_ie&cd=2XzuyEtN2Y1L1Qzuzy0CyE0EtAyC0AyCzz0F0BtC0A0A0CtDtN0D0Tzu0StCtDyDyBtN1L2XzutAtFyCtFtBtFtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StC0CtAtD0CzzyDzztGyB0EtCtAtGyEyCyCyDtGzy0B0CyEtGtC0AtBzzzy0DzyyCtAtCzzzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0E0A0FyE0B0E0AyDtGzy0FtCyCtGyEyC0E0FtG0B0C0FtCtG0C0BtBtCyBtCyBzyyCyD0BtA2Q&cr=1543367622&ir=
    SearchScopes: HKLM -> {1B562AF0-55B4-4EA8-B397-29263E4BAA18} URL = http://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_coinis_14_47_ie&cd=2XzuyEtN2Y1L1Qzuzy0CyE0EtAyC0AyCzz0F0BtC0A0A0CtDtN0D0Tzu0StCtDyDyBtN1L2XzutAtFyCtFtBtFtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StC0CtAtD0CzzyDzztGyB0EtCtAtGyEyCyCyDtGzy0B0CyEtGtC0AtBzzzy0DzyyCtAtCzzzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0E0A0FyE0B0E0AyDtGzy0FtCyCtGyEyC0E0FtG0B0C0FtCtG0C0BtBtCyBtCyBzyyCyD0BtA2Q&cr=1543367622&ir=
    SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MALNJS
    SearchScopes: HKLM-x32 -> DefaultScope {1B562AF0-55B4-4EA8-B397-29263E4BAA18} URL = http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MALNJS
    SearchScopes: HKLM-x32 -> {1B562AF0-55B4-4EA8-B397-29263E4BAA18} URL = http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MALNJS
    SearchScopes: HKU\S-1-5-21-1621951248-2427452393-3495397249-1001 -> DefaultScope {1B562AF0-55B4-4EA8-B397-29263E4BAA18} URL = http://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_coinis_14_47_ie&cd=2XzuyEtN2Y1L1Qzuzy0CyE0EtAyC0AyCzz0F0BtC0A0A0CtDtN0D0Tzu0StCtDyDyBtN1L2XzutAtFyCtFtBtFtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StC0CtAtD0CzzyDzztGyB0EtCtAtGyEyCyCyDtGzy0B0CyEtGtC0AtBzzzy0DzyyCtAtCzzzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0E0A0FyE0B0E0AyDtGzy0FtCyCtGyEyC0E0FtG0B0C0FtCtG0C0BtBtCyBtCyBzyyCyD0BtA2Q&cr=1543367622&ir=
    SearchScopes: HKU\S-1-5-21-1621951248-2427452393-3495397249-1001 -> {1B562AF0-55B4-4EA8-B397-29263E4BAA18} URL = http://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_coinis_14_47_ie&cd=2XzuyEtN2Y1L1Qzuzy0CyE0EtAyC0AyCzz0F0BtC0A0A0CtDtN0D0Tzu0StCtDyDyBtN1L2XzutAtFyCtFtBtFtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StC0CtAtD0CzzyDzztGyB0EtCtAtGyEyCyCyDtGzy0B0CyEtGtC0AtBzzzy0DzyyCtAtCzzzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0E0A0FyE0B0E0AyDtGzy0FtCyCtGyEyC0E0FtG0B0C0FtCtG0C0BtBtCyBtCyBzyyCyD0BtA2Q&cr=1543367622&ir=
    SearchScopes: HKU\S-1-5-21-1621951248-2427452393-3495397249-1001 -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = 
    BHO-x32: BrowseStudio -> {1e9e0e98-4ab7-40b0-a0ce-69105c1b7c92} -> C:\Program Files (x86)\BrowseStudio\BrowseStudiobho.dll (BrowseStudio)
    FF DefaultSearchEngine: Vosteran
    FF SelectedSearchEngine: Vosteran
    FF Homepage: hxxp://Vosteran.com/?f=1&a=vst_coinis_14_47_ie&cd=2XzuyEtN2Y1L1Qzuzy0CyE0EtAyC0AyCzz0F0BtC0A0A0CtDtN0D0Tzu0StCtDyDyBtN1L2XzutAtFyCtFtBtFtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StC0CtAtD0CzzyDzztGyB0EtCtAtGyEyCyCyDtGzy0B0CyEtGtC0AtBzzzy0DzyyCtAtCzzzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0E0A0FyE0B0E0AyDtGzy0FtCyCtGyEyC0E0FtG0B0C0FtCtG0C0BtBtCyBtCyBzyyCyD0BtA2Q&cr=1543367622&ir=
    FF SearchPlugin: C:\Users\Pat\AppData\Roaming\Mozilla\Firefox\Profiles\stxa4dbv.default\searchplugins\Vosteran.xml
    FF Extension: BrowseStudio - C:\Users\Pat\AppData\Roaming\Mozilla\Firefox\Profiles\stxa4dbv.default\Extensions\{b6f164a0-5e01-4c08-b4af-72276812d17d}.xpi [2014-11-23]
    R2 Update BrowseStudio; C:\Program Files (x86)\BrowseStudio\updateBrowseStudio.exe [423152 2014-11-26] ()
    R2 Util BrowseStudio; C:\Program Files (x86)\BrowseStudio\bin\utilBrowseStudio.exe [423152 2014-11-26] ()
    R1 {b6f164a0-5e01-4c08-b4af-72276812d17d}Gw64; C:\Windows\System32\drivers\{b6f164a0-5e01-4c08-b4af-72276812d17d}Gw64.sys [48784 2014-11-23] (StdLib)
    R1 {fa03420d-05ef-4826-9373-bf3c8734921f}Gw64; C:\Windows\System32\drivers\{fa03420d-05ef-4826-9373-bf3c8734921f}Gw64.sys [48784 2014-11-24] (StdLib)
    C:\Windows\System32\drivers\{b6f164a0-5e01-4c08-b4af-72276812d17d}Gw64.sys
    C:\Windows\System32\drivers\{fa03420d-05ef-4826-9373-bf3c8734921f}Gw64.sys
    2014-11-25 08:14 - 2014-11-25 08:14 - 00000000 ____D () C:\ProgramData\2355320829
    2014-11-23 23:23 - 2014-11-25 07:58 - 00000000 ____D () C:\Users\Pat\AppData\Local\Vosteran
    2014-11-23 23:22 - 2014-11-23 23:21 - 01055936 _____ (Adobe) C:\Users\Pat\Downloads\flash_setup.exe
    2014-11-23 23:20 - 2014-11-23 23:20 - 00762408 _____ ( ) C:\Users\Pat\Downloads\adobe_flash_setup.exe
    C:\Users\Pat\AppData\Local\Temp\DriverSupport.exe
    C:\Users\Pat\AppData\Local\Temp\MouseKeyboardCenterx64_1033.exe
    C:\Users\Pat\AppData\Local\Temp\supoptsetup.exe
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset all
    EmptyTemp:
    end
  • Click FileSave As and type fixlist.txt as the File Name
  • Important: The file must be saved in the same location as FRST64.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST64.exe and select AVOiBNU.jpg Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     

STEP 3
BY4dvz9.png AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-Click AdwCleaner.exe and select AVOiBNU.jpg Run as administrator to run the programme.
  • Follow the prompts. 
  • Click Scan
  • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
  • Ensure anything you know to be legitimate does not have a checkmark, and click Clean
  • Follow the prompts and allow your computer to reboot
  • After rebooting, a log (AdwCleaner[S0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
 
 
STEP 4
E3feWj5.png Junkware Removal Tool (JRT)

  • Please download Junkware Removal Tool and save the file to your Desktop.
  • Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-Click JRT.exe and select AVOiBNU.jpg Run as administrator to run the programme.
  • Follow the prompts and allow the scan to run uninterrupted. 
  • Upon completion, a log (JRT.txt) will open on your desktop.
  • Re-enable your anti-virus software.
  • Copy the contents of JRT.txt and paste in your next reply.
     

======================================================
 
STEP 5
pfNZP4A.png Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Did the programmes uninstall OK?
  • Fixlog.txt
  • AdwCleaner[S0].txt
  • JRT.txt

50QfLth.png

 

Would you like to help others with malware removal? Join our Classroom and learn how!


#3 LiquidTension

LiquidTension

    SuperMember

  • Retired Classroom Teacher
  • 2,566 posts

Posted 30 November 2014 - 09:49 AM

Hello, 

 

Do you still require assistance?


50QfLth.png

 

Would you like to help others with malware removal? Join our Classroom and learn how!


#4 LiquidTension

LiquidTension

    SuperMember

  • Retired Classroom Teacher
  • 2,566 posts

Posted 02 December 2014 - 02:15 AM

Due to inactivity this topic will be closed.
If you need help please start a new thread.

New members follow the instructions here http://forums.whatth...ed_t106388.html and start a new topic

50QfLth.png

 

Would you like to help others with malware removal? Join our Classroom and learn how!

Related Topics




Also tagged with one or more of these keywords: vosteran

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users