
Program called Vosteran Hijacked my search option [Solved]


  • This topic is locked
28 replies to this topic

#16 NicoleD

NicoleD

    Authentic Member

  • Authentic Member
  • PipPip
  • 225 posts
  • Interests:Social Media, Marketing, IT, Graphic Design, Real Estate

Posted 09 January 2015 - 05:04 PM

When opening IE the same box comes up. It's the yellow security box that tells you a website wants to open web content using this program on your computer: Google Toolbar for Internet Explorer. I keep choosing no because I've never seen this come up before, even though I know Google Toolbar is a legit toolbar. What should I do?

Java SE Runtime Environment 7 Update 71 (Oracle) keeps popping up as well. Even though Java is a legit program, this started popping up at the same time the computer started performing wrong. Suggestion?

Also, Vosteran is finally removed from IE and Firefox, but is still being used as the default search engine in Chrome.

Thank you



#17 fbfbfb

fbfbfb

    SuperMember

  • Malware Team
  • 1,218 posts

Posted 10 January 2015 - 05:34 PM

Hello, nikid506.
 
Thank you for the FRST log and the update of your machine.
 
Please run the following Fix

Please open Notepad:  Press the Windows key + r (Win Key + r) > Type Notepad > Click OK.

  • Copy and paste the entire contents of the code box below:  To do this, highlight the contents of the box, right click on it, and select Copy > Right-click in the open Notepad and select Paste.
  • Save this to the same directory you saved FRST / FRST64 > Save it as fixlist.txt.

Note:  In order for the fix to work, fixlist.txt must be placed next to FRST / FRST64.  You can use your mouse to drag it in place.


Start
CloseProcesses:
HKLM\...\Run: [MapsGalaxy Home Page Guard 64 bit] => "C:\PROGRA~2\MAPSGA~2\bar\1.bin\AppIntegrator64.exe"
HKLM-x32\...\Run: [MapsGalaxy Search Scope Monitor] => "C:\PROGRA~2\MAPSGA~2\bar\1.bin\39srchmn.exe" /m=2 /w /h
HKLM-x32\...\Run: [] => [X]
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
URLSearchHook: HKU\S-1-5-21-936412100-4191080330-638901748-1001 - (No Name) - {26842a09-ffa8-4e2c-ae12-0c80f01c3295} - C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39SrcAs.dll No File
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-936412100-4191080330-638901748-1001 -> URL http://search.conduit.com/Results.aspx?ctid=CT3314759&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SP37AD5991-3F10-4FCC-BE25-5C4340AA9C6A&q={searchTerms}&SSPV=
SearchScopes: HKU\S-1-5-21-936412100-4191080330-638901748-1001 -> SuggestionsURL_JSON http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}
Toolbar: HKLM - No Name - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -  No File
Toolbar: HKLM-x32 - No Name - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -  No File
Toolbar: HKU\S-1-5-21-936412100-4191080330-638901748-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-936412100-4191080330-638901748-1001 -> No Name - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -  No File
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll No File
CHR HomePage: Default -> hxxp://Vosteran.com/?f=1&a=vst_ggfc_15_01_ie&cd=2XzuyEtN2Y1L1QzutBtD0C0FtAtD0C0ByBtB0C0F0DzyyCtDtN0D0Tzu0StCtDzyzytN1L2XzutAtFyCtFtCyCtFyCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StBtA0BtCzz0C0AyBtG0CtDyBtAtG0EyE0DyEtGtDyD0CyEtGyDyEyDyCtBzytA0CzytC0B0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0CtCyDtDtCtDyCtGzy0A0DtDtGyEtB0BtDtG0BtBtAzytGyCtB0FyDyB0A0D0AzytByD0C2Q&cr=1327159923&ir=
CHR StartupUrls: Default -> "hxxp://Vosteran.com/?f=7&a=vst_ggfc_15_01_ie&cd=2XzuyEtN2Y1L1QzutBtD0C0FtAtD0C0ByBtB0C0F0DzyyCtDtN0D0Tzu0StCtDzyzytN1L2XzutAtFyCtFtCyCtFyCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StBtA0BtCzz0C0AyBtG0CtDyBtAtG0EyE0DyEtGtDyD0CyEtGyDyEyDyCtBzytA0CzytC0B0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0CtCyDtDtCtDyCtGzy0A0DtDtGyEtB0BtDtG0BtBtAzytGyCtB0FyDyB0A0D0AzytByD0C2Q&cr=1327159923&ir=","hxxp://www.google.com/"
CHR DefaultSuggestURL: Default -> http://ssmsp.ask.com/query?sstype=prefix&li=ff&q={searchTerms}
CHR HKU\S-1-5-21-936412100-4191080330-638901748-1001\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
CHR HKLM-x32\...\Chrome\Extension: [fabcmochhfpldjekobfaaggijgohadih] - No Path
C:\Users\Nicole\hpbcfgre.dll
C:\Users\Nicole\hpmco160.dll
C:\Users\Nicole\hpmews02.dll
C:\Users\Nicole\hpmldm02.dll
C:\Users\Nicole\hpmprein.dll
C:\Users\Nicole\Install.dll
C:\Users\Nicole\Install.exe
C:\Users\Nicole\msvcp100.dll
C:\Users\Nicole\AppData\Local\Temp\CreativeCloudSet-Up.exe
C:\Users\Nicole\AppData\Local\Temp\cstub.exe
C:\Users\Nicole\AppData\Local\Temp\Quarantine.exe
C:\Users\Nicole\AppData\Local\Temp\scp916D.tmp.exe
C:\Users\Nicole\AppData\Local\Temp\sqlite3.dll
CustomCLSID: HKU\S-1-5-21-936412100-4191080330-638901748-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Nicole\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-936412100-4191080330-638901748-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Nicole\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
AlternateDataStreams: C:\ProgramData\TEMP:F9CFE070Hosts:
EmptyTemp:
End

NOTICE: This script was written specifically for this user, for use on that particular machine.  Running this on another machine may cause damage to your operating system.

  • Run FRST / FRST64, press the Fix button once and wait.
  • When finished, the tool will generate a log on the Desktop (Fixlog.txt).  Please post it to your next reply.
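
As an added illustration that is not part of the thread (and not FRST's own code), the PowerShell below reads the same locations the fixlist above targets without changing anything: the 64-bit, 32-bit and per-user Run keys, each user hive's Internet Explorer SearchScopes, URLSearchHooks and toolbar CLSIDs, the registry keys through which Chrome extensions get installed, and alternate data streams on C:\ProgramData\TEMP. It assumes an elevated PowerShell 3.0 or later session on the affected machine; the key paths are the ones FRST reports, while the Area/Location/Detail columns and the Add-Finding helper are my own.

```powershell
# Added example, not part of the thread or of FRST: a read-only audit of the
# locations the fixlist above targets, for checking state before and after a fix.
# Run from an elevated PowerShell (3.0 or later) on the affected machine.
# Assumption: key paths are those FRST reported above; nothing is modified.

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Area, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Area = $Area; Location = $Location; Detail = $Detail })
}

# 1. Autostart values in the 64-bit, 32-bit (Wow6432Node) and per-user Run keys.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # provider metadata, not registry values
        $cmd = [string]$p.Value
        # Reduce "C:\path\app.exe" /args to the executable so we can see whether it still exists.
        $exe = ($cmd -replace '^"([^"]+)".*$', '$1') -replace '\s+/.*$', ''
        $exists = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
        Add-Finding 'Run' "$key\$($p.Name)" ('{0} (file present: {1})' -f $cmd, $exists)
    }
}

# 2. Per-user Internet Explorer search scopes, URLSearchHooks and toolbar CLSIDs.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$userHives = Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -notlike '*_Classes' }
foreach ($hive in $userHives) {
    $ie = "HKU:\$($hive.PSChildName)\Software\Microsoft\Internet Explorer"

    $scopes = "$ie\SearchScopes"
    if (Test-Path $scopes) {
        $top = Get-ItemProperty $scopes
        $detail = 'DefaultScope={0}; URL={1}; SuggestionsURL_JSON={2}' -f $top.DefaultScope, $top.URL, $top.SuggestionsURL_JSON
        Add-Finding 'SearchScopes' $scopes $detail
        foreach ($s in Get-ChildItem $scopes) {
            Add-Finding 'SearchScopes' $s.PSPath ('URL={0}' -f (Get-ItemProperty $s.PSPath).URL)
        }
    }

    $hooks = "$ie\URLSearchHooks"
    if (Test-Path $hooks) {
        foreach ($p in (Get-ItemProperty $hooks).PSObject.Properties | Where-Object { $_.Name -like '{*}' }) {
            Add-Finding 'URLSearchHook' $hooks $p.Name
        }
    }

    # A toolbar CLSID with no HKCR\CLSID registration is the "No File" orphan FRST reports.
    $tb = "$ie\Toolbar\WebBrowser"
    if (Test-Path $tb) {
        foreach ($p in (Get-ItemProperty $tb).PSObject.Properties | Where-Object { $_.Name -like '{*}' }) {
            $registered = (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$($p.Name)") -or
                          (Test-Path "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$($p.Name)")
            Add-Finding 'Toolbar' $tb ('{0} (CLSID registered: {1})' -f $p.Name, $registered)
        }
    }

    # 3. Chrome extensions pushed in through the registry for this user.
    $chromeExt = "HKU:\$($hive.PSChildName)\Software\Google\Chrome\Extensions"
    if (Test-Path $chromeExt) {
        foreach ($ext in Get-ChildItem $chromeExt) {
            $v = Get-ItemProperty $ext.PSPath
            Add-Finding 'ChromeExtension' $ext.PSPath ('path={0}; update_url={1}' -f $v.path, $v.update_url)
        }
    }
}
foreach ($key in 'HKLM:\SOFTWARE\Google\Chrome\Extensions', 'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions') {
    if (-not (Test-Path $key)) { continue }
    foreach ($ext in Get-ChildItem $key) {
        $v = Get-ItemProperty $ext.PSPath
        Add-Finding 'ChromeExtension' $ext.PSPath ('path={0}; update_url={1}' -f $v.path, $v.update_url)
    }
}

# 4. Alternate data streams on C:\ProgramData\TEMP (enumerating streams on a directory
# needs PowerShell 5 or later; on older versions use "dir /r C:\ProgramData" from cmd).
foreach ($s in Get-Item -LiteralPath 'C:\ProgramData\TEMP' -Stream * -ErrorAction SilentlyContinue) {
    if ($s.Stream -ne ':$DATA') { Add-Finding 'ADS' $s.FileName ('{0} ({1} bytes)' -f $s.Stream, $s.Length) }
}

$findings | Format-Table -AutoSize -Wrap
```

Run it once before the fix to record the starting state and again afterwards to confirm the values are really gone, rather than relying on the Fixlog alone. A Run value whose file is absent, or a toolbar CLSID with no HKCR registration, corresponds to the "No File" entries in the FRST log.
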


#18 NicoleD

NicoleD

    Authentic Member

  • Authentic Member
  • PipPip
  • 225 posts
  • Interests:Social Media, Marketing, IT, Graphic Design, Real Estate

Posted 10 January 2015 - 07:06 PM

When you say "run", does that mean open the file "frst.txt" and then open the "frst64 tool" at the same time? I'm confused about what the txt file is going to do for the tool. Please clarify. Thanks



#19 NicoleD

NicoleD

    Authentic Member

  • Authentic Member
  • PipPip
  • 225 posts
  • Interests:Social Media, Marketing, IT, Graphic Design, Real Estate

Posted 10 January 2015 - 08:47 PM

I really don't know if I did this right, but you said they should all be together, so I created a new folder on the desktop called whatthetech and put the two text files and the tool inside it (frst.txt, fixlist.txt and frst64.exe). I wasn't sure what you meant when you said run FRST/FRST64, so I opened up the one text file and ran the tool in fix mode. When it was all said and done, the fixlist.txt file was gone and a new fixlog.txt was in its place. Does that sound right? Anyway, here is the log you requested. I hope it's right.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 07-01-2015
Ran by Nicole at 2015-01-10 20:11:22 Run:1
Running from C:\Users\Nicole\Desktop\whatthetech
Loaded Profile: Nicole (Available profiles: Nicole & Cole & Mia & Ryan & Angela & Guest)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
CloseProcesses:
HKLM\...\Run: [MapsGalaxy Home Page Guard 64 bit] => "C:\PROGRA~2\MAPSGA~2\bar\1.bin\AppIntegrator64.exe"
HKLM-x32\...\Run: [MapsGalaxy Search Scope Monitor] => "C:\PROGRA~2\MAPSGA~2\bar\1.bin\39srchmn.exe" /m=2 /w /h
HKLM-x32\...\Run: [] => [X]
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
URLSearchHook: HKU\S-1-5-21-936412100-4191080330-638901748-1001 - (No Name) - {26842a09-ffa8-4e2c-ae12-0c80f01c3295} - C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39SrcAs.dll No File
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-936412100-4191080330-638901748-1001 -> URL http://search.condui...archTerms}=
SearchScopes: HKU\S-1-5-21-936412100-4191080330-638901748-1001 -> SuggestionsURL_JSON http://suggest.searc...ix={searchTerms}
Toolbar: HKLM - No Name - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -  No File
Toolbar: HKLM-x32 - No Name - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -  No File
Toolbar: HKU\S-1-5-21-936412100-4191080330-638901748-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-936412100-4191080330-638901748-1001 -> No Name - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -  No File
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll No File
CHR HomePage: Default -> hxxp://Vosteran.com/?f=1&a=vst_ggfc_15_01_ie&cd=2XzuyEtN2Y1L1QzutBtD0C0FtAtD0C0ByBtB0C0F0DzyyCtDtN0D0Tzu0StCtDzyzytN1L2XzutAtFyCtFtCyCtFyCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StBtA0BtCzz0C0AyBtG0CtDyBtAtG0EyE0DyEtGtDyD0CyEtGyDyEyDyCtBzytA0CzytC0B0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0CtCyDtDtCtDyCtGzy0A0DtDtGyEtB0BtDtG0BtBtAzytGyCtB0FyDyB0A0D0AzytByD0C2Q&cr=1327159923&ir=
CHR StartupUrls: Default -> "hxxp://Vosteran.com/?f=7&a=vst_ggfc_15_01_ie&cd=2XzuyEtN2Y1L1QzutBtD0C0FtAtD0C0ByBtB0C0F0DzyyCtDtN0D0Tzu0StCtDzyzytN1L2XzutAtFyCtFtCyCtFyCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StBtA0BtCzz0C0AyBtG0CtDyBtAtG0EyE0DyEtGtDyD0CyEtGyDyEyDyCtBzytA0CzytC0B0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0CtCyDtDtCtDyCtGzy0A0DtDtGyEtB0BtDtG0BtBtAzytGyCtB0FyDyB0A0D0AzytByD0C2Q&cr=1327159923&ir=","hxxp://www.google.com/"
CHR DefaultSuggestURL: Default -> http://ssmsp.ask.com...&q={searchTerms}
CHR HKU\S-1-5-21-936412100-4191080330-638901748-1001\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
CHR HKLM-x32\...\Chrome\Extension: [fabcmochhfpldjekobfaaggijgohadih] - No Path
C:\Users\Nicole\hpbcfgre.dll
C:\Users\Nicole\hpmco160.dll
C:\Users\Nicole\hpmews02.dll
C:\Users\Nicole\hpmldm02.dll
C:\Users\Nicole\hpmprein.dll
C:\Users\Nicole\Install.dll
C:\Users\Nicole\Install.exe
C:\Users\Nicole\msvcp100.dll
C:\Users\Nicole\AppData\Local\Temp\CreativeCloudSet-Up.exe
C:\Users\Nicole\AppData\Local\Temp\cstub.exe
C:\Users\Nicole\AppData\Local\Temp\Quarantine.exe
C:\Users\Nicole\AppData\Local\Temp\scp916D.tmp.exe
C:\Users\Nicole\AppData\Local\Temp\sqlite3.dll
CustomCLSID: HKU\S-1-5-21-936412100-4191080330-638901748-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Nicole\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-936412100-4191080330-638901748-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Nicole\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
AlternateDataStreams: C:\ProgramData\TEMP:F9CFE070Hosts:
EmptyTemp:
End
*****************

Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\MapsGalaxy Home Page Guard 64 bit => Value not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\MapsGalaxy Search Scope Monitor => Value not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKU\S-1-5-21-936412100-4191080330-638901748-1001\Software\Microsoft\Internet Explorer\URLSearchHooks\\{26842a09-ffa8-4e2c-ae12-0c80f01c3295} => value deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-21-936412100-4191080330-638901748-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\URL => value deleted successfully.
HKU\S-1-5-21-936412100-4191080330-638901748-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\SuggestionsURL_JSON => value deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{1DAC0C53-7D23-4AB3-856A-B04D98CD982A} => value deleted successfully.
HKCR\CLSID\{1DAC0C53-7D23-4AB3-856A-B04D98CD982A} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{1DAC0C53-7D23-4AB3-856A-B04D98CD982A} => value deleted successfully.
HKCR\Wow6432Node\CLSID\{1DAC0C53-7D23-4AB3-856A-B04D98CD982A} => Key not found.
HKU\S-1-5-21-936412100-4191080330-638901748-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value deleted successfully.
HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Key not found.
HKU\S-1-5-21-936412100-4191080330-638901748-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{1DAC0C53-7D23-4AB3-856A-B04D98CD982A} => value deleted successfully.
HKCR\CLSID\{1DAC0C53-7D23-4AB3-856A-B04D98CD982A} => Key not found.
"HKLM\Software\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf" => Key deleted successfully.
Chrome HomePage deleted successfully.
Chrome StartupUrls deleted successfully.
Chrome DefaultSuggestURL deleted successfully.
"HKU\S-1-5-21-936412100-4191080330-638901748-1001\SOFTWARE\Google\Chrome\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fabcmochhfpldjekobfaaggijgohadih" => Key deleted successfully.
C:\Users\Nicole\hpbcfgre.dll => Moved successfully.
C:\Users\Nicole\hpmco160.dll => Moved successfully.
C:\Users\Nicole\hpmews02.dll => Moved successfully.
C:\Users\Nicole\hpmldm02.dll => Moved successfully.
C:\Users\Nicole\hpmprein.dll => Moved successfully.
C:\Users\Nicole\Install.dll => Moved successfully.
C:\Users\Nicole\Install.exe => Moved successfully.
C:\Users\Nicole\msvcp100.dll => Moved successfully.
C:\Users\Nicole\AppData\Local\Temp\CreativeCloudSet-Up.exe => Moved successfully.
"C:\Users\Nicole\AppData\Local\Temp\cstub.exe" => File/Directory not found.
C:\Users\Nicole\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Nicole\AppData\Local\Temp\scp916D.tmp.exe => Moved successfully.
C:\Users\Nicole\AppData\Local\Temp\sqlite3.dll => Moved successfully.
HKU\S-1-5-21-936412100-4191080330-638901748-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208} => Key not found.
HKU\S-1-5-21-936412100-4191080330-638901748-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8} => Key not found.
"C:\ProgramData\TEMP" => ":F9CFE070Hosts:" ADS not found.
EmptyTemp: => Removed 11.5 GB temporary data.

The system needed a reboot.

==== End of Fixlog 20:14:15 ====
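
The Fixlog above mixes items that were acted on ("deleted successfully", "Moved successfully") with items FRST could not find ("Value not found", "File/Directory not found", "ADS not found"). As an added example that is not part of the thread or of FRST, the PowerShell below reads a Fixlog and groups each result by outcome, skipping the echoed fixlist between the two rows of asterisks. The sample lines are a constructed subset copied from the log posted above; the Get-FixlogSummary name, the Status labels and the regular expressions are my own.

```powershell
# Added example, not part of the thread or of FRST: summarise a Fixlog.txt so the
# entries FRST could not act on stand out. The sample lines below are copied from the
# log posted in this thread; pass a real file with -Lines (Get-Content .\Fixlog.txt).

function Get-FixlogSummary {
    param([Parameter(Mandatory = $true)][string[]]$Lines)

    $inFixlist = $false
    foreach ($line in $Lines) {
        # The echoed fixlist sits between two rows of asterisks and also contains "=>".
        if ($line -match '^\*{5,}$') { $inFixlist = -not $inFixlist; continue }
        if ($inFixlist) { continue }

        $target = $null; $result = $null
        if ($line -match '^\s*"?(?<target>.+?)"?\s*=>\s*(?<result>.+?)\s*$') {
            $target = $Matches.target; $result = $Matches.result      # "item => outcome" lines
        } elseif ($line -match '^(?<target>.+?) (?:was )?(?<result>(?:deleted|reset|closed) successfully\.)$') {
            $target = $Matches.target; $result = $Matches.result      # e.g. "Chrome HomePage deleted successfully."
        } else {
            continue                                                  # headers, blank lines, reboot notice
        }
        $status = if ($result -match 'successfully|^Removed ') { 'done' }
                  elseif ($result -match 'not found') { 'missing' }
                  else { 'other' }
        [pscustomobject]@{ Status = $status; Target = $target; Result = $result }
    }
}

# Constructed sample, copied from the Fixlog posted in this thread.
$sampleLog = @'
Content of fixlist:
*****************
HKLM\...\Run: [MapsGalaxy Home Page Guard 64 bit] => "C:\PROGRA~2\MAPSGA~2\bar\1.bin\AppIntegrator64.exe"
*****************
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\MapsGalaxy Home Page Guard 64 bit => Value not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
Chrome HomePage deleted successfully.
C:\Users\Nicole\Install.exe => Moved successfully.
"C:\Users\Nicole\AppData\Local\Temp\cstub.exe" => File/Directory not found.
"C:\ProgramData\TEMP" => ":F9CFE070Hosts:" ADS not found.
EmptyTemp: => Removed 11.5 GB temporary data.
The system needed a reboot.
'@ -split "`r?`n"

$summary = Get-FixlogSummary -Lines $sampleLog
$summary | Group-Object Status | Select-Object Name, Count
$summary | Where-Object { $_.Status -eq 'missing' } | Format-Table -AutoSize -Wrap
```

A "missing" entry means the item was already gone when the fix ran (an earlier tool removed it, or the path in the fixlist did not match), so it needs no further action by itself; if the symptom tied to that entry persists, it is the first thing to re-check in a fresh FRST scan.
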



#20 fbfbfb

fbfbfb

    SuperMember

  • Malware Team
  • 1,218 posts

Posted 11 January 2015 - 09:04 AM

Hello, nikid506.

Thank you for the fixlog.txt file. It ran correctly, but let me answer some of your questions.

    when you say "run" does that mean open the file "frst.txt" and then open the "frst64 tool" at the same time?

When I ask you to run the fix, I am simply asking you to follow the given directions so that FRST can begin cleaning your system. When you first downloaded FRST, you selected to download either FRST.exe or FRST64.exe, depending on which version was compatible with your machine. As you are running Windows 8.1, you would have downloaded FRST64.exe, and that would be the file you have been using all along.

    I'm confused on what the txt file is going to do for the tool. Please clarify. thanks

When you first run FRST, it produces a log which is then analyzed to locate malware on your computer. The malware is listed in a prepared script that you are asked to save as fixlist.txt. FRST has built-in code that reads this text file and then proceeds to fix your machine by deleting, restoring and/or moving the infected files as needed.

    I created a new folder on the desktop called whatthetech and inside of it I put the two text files and the tool inside (frst.txt, fixlist.txt and frst64.exe

It was not necessary to create a WTT folder, but it worked out, as you obviously did place the fixlist.txt next to FRST64.

 

Please run the following scan

 

Let's make sure that we have deleted all infected files.  This scan will take quite awhile to complete.

 

ESET Online Scanner

 

Note:

  • Disable any antivirus program and antispyware programs to avoid conflicts.
  • Run Eset with Internet Explorer, but if using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
  • Please do not surf the internet while your security programs are disabled.
  • Let the scan run uninterrupted to avoid a stall.
  • Remember to enable your security programs when the scan has finished.

Run ESET Online Scanner from HERE.

  •   Click the green ESET Online Scanner button.
  •   Read the End User License Agreement and check the box YES, I accept the Terms of Use.
  •   Click on the Start button next to it.
  •   If prompted, allow the Add-On/Active X to install.

Under Computer scan settings:


  •   Do not check Remove found threats
  •   Check Scan Archives.
  •   Click Advanced settings and select the following:

 

  •   Scan potentially unwanted applications
  •   Scan for potentially unsafe applications
  •   Enable Anti-Stealth technology

 

  • Click Start. ESET will download updates, install itself, and begin scanning your computer. Please be patient as this scan could take up to a few hours to complete.
  •   Wait for the scan to finish. When the scan completes, click List of found threats.
  •   Click Export and save the file to your desktop using a unique name, such as ESETScan.
  •   Copy and paste the contents of this report in your next reply.
  •   Click the Back button.
  •   Click the Finish button.

 

CHECKLIST : In your next reply, please post the following:

  •  ESET log
  •  Let me know how your computer is running now and any issues you are still experiencing.

 



#21 NicoleD

NicoleD

    Authentic Member

  • Authentic Member
  • PipPip
  • 225 posts
  • Interests:Social Media, Marketing, IT, Graphic Design, Real Estate

Posted 11 January 2015 - 08:11 PM

C:\AdwCleaner\Quarantine\C\Windows\System32\roboot64.exe.vir    a variant of Win64/Systweak.A potentially unwanted application
C:\Users\Nicole\AppData\Local\Microsoft\Windows\FileHistory\Data\1977\C\Users\Nicole\Downloads\cbsidlm-cbsi213-Free_Screen_Capture-SEO-76038565.exe    a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Users\Nicole\Downloads\cbsidlm-cbsi213-Free_Screen_Capture-SEO-76038565.exe    a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Users\Nicole\Downloads\InternationalPrimoPDF.exe    Win32/OpenCandy potentially unsafe application
 



#22 NicoleD

NicoleD

    Authentic Member

  • Authentic Member
  • PipPip
  • 225 posts
  • Interests:Social Media, Marketing, IT, Graphic Design, Real Estate

Posted 11 January 2015 - 08:21 PM

A couple issues that I'm still noticing:

1.  When opening Chrome my default search is set to 'google'; however, it's bypassing the Google homepage and opening up a second tab bringing me to a "vosteran" search homepage. Vosteran does not show up in my programs, therefore I can't remove it. I thought it was removed with one of the scans we did, but it looks like Chrome is still infected.

2.  Every time I open IE I'm still getting the pop-up box regarding Google Toolbar and the Java update. I've never seen these come up so much; does that seem normal? Thanks



#23 fbfbfb

fbfbfb

    SuperMember

  • Malware Team
  • 1,218 posts

Posted 12 January 2015 - 06:56 PM

Hello, nikid506.
 
Thank you for your ESET log and your list of pending issues.  We have a few more items to delete.
 
Please run the following Fix
 
Please open Notepad:  Press the Windows key + r (Win Key + r) > Type Notepad > Click OK.

  • Copy and paste the entire contents of the code box below:  To do this, highlight the contents of the box, right click on it, and select Copy > Right-click in the open Notepad and select Paste.
  • Save this to the same directory you saved FRST / FRST64 > Save it as fixlist.txt.

Note:  In order for the fix to work, fixlist.txt must be placed next to FRST / FRST64.  You can use your mouse to drag it in place.


Start
CloseProcesses:
C:\AdwCleaner\Quarantine\C\Windows\System32\roboot64.exe.vir  
C:\Users\Nicole\AppData\Local\Microsoft\Windows\FileHistory\Data\1977\C\Users\Nicole\Downloads\cbsidlm-cbsi213-Free_Screen_Capture-SEO-76038565.exe   
C:\Users\Nicole\Downloads\cbsidlm-cbsi213-Free_Screen_Capture-SEO-76038565.exe  
C:\Users\Nicole\Downloads\InternationalPrimoPDF.exe  
Hosts:
EmptyTemp:
End

NOTICE: This script was written specifically for this user, for use on that particular machine.  Running this on another machine may cause damage to your operating system.

  • Run FRST / FRST64, press the Fix button once and wait.
  • When finished, the tool will generate a log on the Desktop (Fixlog.txt).  Please post it to your next reply.

Please work through the following tasks
 
1.  Reset Chrome Home Page

  •   Click on Chrome's main menu button: icon with 3 horizontal bars
  •   The drop-down menu appears > Click Settings.
  •   The next window opens > Click Show Advanced Settings (bottom of page).
  •   The next window opens > Click the Reset Browser Settings button (bottom of page).
  •   A confirmation page opens > Click Reset.
  •   Exit your browser.

2.  Google Toolbar Pop-up
 
Is Google Toolbar installed on your Internet Explorer browser? Oftentimes, this toolbar causes repetitive pop-ups if it is not configured properly or if it is malfunctioning. If you do not use the Google Toolbar, it is best to uninstall/disable it:
 

Option 1

  •   Open Internet Explorer.
  •   On the right side of toolbar, click the down arrow next to the wrench icon.
  •   Select Uninstall from the drop-down menu.
  •   Click OK.

Option 2

  • Open Internet Explorer.
  • Click Tools > Manage Add-ons.
  • In the Manage Add-ons window, under Add-on Types (found on left side) highlight Toolbars and Extensions.
  • Under the Show: drop-down menu (found on left side) make sure All add-ons is selected.
  • Highlight the extension you wish to remove (Google Toolbar), and select Disable.
  • The Disable add-on window may pop up to warn you that related services and add-ons will also be disabled. Click Disable.
  • Click Close to exit the Manage Add-ons window.

3.  Java Update Pop-Up

 

You are presently running Java 7 Version 71.  This needs to be updated to Java 8 Update 25, which is why you are receiving this pop-up.  Please update your Java HERE. When finished, please go to your Control Panel and delete all older versions of Java.


Please let me know if we have resolved all your issues, or if there is anything more that needs attention.
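
Step 1 above resets Chrome through its own UI; the earlier FRST lines (CHR HomePage, CHR StartupUrls, CHR DefaultSuggestURL) show the values that reset clears. As an added example that is not part of the thread, the PowerShell below reads those settings straight from each Chrome profile's JSON preference files and, as an extra check the thread does not cover, lists the arguments of every chrome.exe shortcut, since a URL appended there also opens at launch. It assumes Chrome's default profile directory under %LOCALAPPDATA% and the preference key names used by Chrome builds of that period (homepage, session.startup_urls, default_search_provider_data.template_url_data); the function names are my own.

```powershell
# Added example, not part of the thread: a read-only look at where Chrome stores
# the settings FRST reported (HomePage, StartupUrls, DefaultSuggestURL) and at the
# chrome.exe shortcuts. Assumes the default profile path under %LOCALAPPDATA% and
# the preference key names of Chrome builds of that era (an assumption).

function Get-ChromeProfileSettings {
    param([string]$Root = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'))
    foreach ($dir in Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue) {
        # Some builds keep these values in "Secure Preferences" rather than "Preferences", so read both.
        foreach ($name in 'Preferences', 'Secure Preferences') {
            $file = Join-Path $dir.FullName $name
            if (-not (Test-Path -LiteralPath $file)) { continue }
            $prefs  = Get-Content -LiteralPath $file -Raw | ConvertFrom-Json   # PowerShell 3.0+
            $search = $prefs.default_search_provider_data.template_url_data
            [pscustomobject]@{
                Profile     = $dir.Name
                File        = $name
                HomePage    = $prefs.homepage
                StartupUrls = ($prefs.session.startup_urls -join ' | ')
                SearchName  = $search.short_name
                SearchUrl   = $search.url
                SuggestUrl  = $search.suggestions_url
            }
        }
    }
}

function Get-ChromeShortcuts {
    # Reads the target and arguments of every .lnk that launches chrome.exe.
    $shell  = New-Object -ComObject WScript.Shell
    $places = [Environment]::GetFolderPath('Desktop'),
              [Environment]::GetFolderPath('CommonDesktopDirectory'),
              (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'),
              (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu'),
              (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu')
    foreach ($lnk in Get-ChildItem -Path $places -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        if ($sc.TargetPath -notmatch 'chrome\.exe$') { continue }
        [pscustomobject]@{ Shortcut = $lnk.FullName; Target = $sc.TargetPath; Arguments = $sc.Arguments }
    }
}

Get-ChromeProfileSettings | Format-List
# A clean Chrome shortcut has empty Arguments; anything containing a URL deserves a look.
Get-ChromeShortcuts | Where-Object { $_.Arguments -match 'http' } | Format-List
```

Run it with Chrome closed, since Chrome rewrites its preference files on exit. If the search provider or startup URL still points at the unwanted site after the reset, or a shortcut carries a URL, that is where the extra tab is coming from.
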



#24 NicoleD

NicoleD

    Authentic Member

  • Authentic Member
  • PipPip
  • 225 posts
  • Interests:Social Media, Marketing, IT, Graphic Design, Real Estate

Posted 12 January 2015 - 07:32 PM

here is the log file.  I'm going to do the next steps now.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 07-01-2015
Ran by Nicole at 2015-01-12 20:22:37 Run:2
Running from C:\Users\Nicole\Desktop\whatthetech
Loaded Profile: Nicole (Available profiles: Nicole & Cole & Mia & Ryan & Angela & Guest)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
CloseProcesses:
C:\AdwCleaner\Quarantine\C\Windows\System32\roboot64.exe.vir 
C:\Users\Nicole\AppData\Local\Microsoft\Windows\FileHistory\Data\1977\C\Users\Nicole\Downloads\cbsidlm-cbsi213-Free_Screen_Capture-SEO-76038565.exe  
C:\Users\Nicole\Downloads\cbsidlm-cbsi213-Free_Screen_Capture-SEO-76038565.exe 
C:\Users\Nicole\Downloads\InternationalPrimoPDF.exe 
Hosts:
EmptyTemp:
End
*****************

Processes closed successfully.
C:\AdwCleaner\Quarantine\C\Windows\System32\roboot64.exe.vir => Moved successfully.
C:\Users\Nicole\AppData\Local\Microsoft\Windows\FileHistory\Data\1977\C\Users\Nicole\Downloads\cbsidlm-cbsi213-Free_Screen_Capture-SEO-76038565.exe => Moved successfully.
C:\Users\Nicole\Downloads\cbsidlm-cbsi213-Free_Screen_Capture-SEO-76038565.exe => Moved successfully.
C:\Users\Nicole\Downloads\InternationalPrimoPDF.exe => Moved successfully.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 350.3 MB temporary data.

The system needed a reboot.

==== End of Fixlog 20:23:15 ====



#25 NicoleD

NicoleD

    Authentic Member

  • Authentic Member
  • PipPip
  • 225 posts
  • Interests:Social Media, Marketing, IT, Graphic Design, Real Estate

Posted 12 January 2015 - 07:49 PM

I followed your steps and it seems so far so good. Let me know if there is anything else you need me to do from the log I sent you. Also, on a separate note, I think I have a lot of programs running at startup, but I don't know which ones I need for startup. Is there a list of which programs not to close? Thanks



#26 fbfbfb

fbfbfb

    SuperMember

  • Malware Team
  • 1,218 posts

Posted 13 January 2015 - 10:52 AM

Hello, nikid506.
 
Thank you for your Fixlog.  I am glad to hear that your home page and popup issues now seem to be resolved.  Your machine appears to be all clear.
 
In answer to your question regarding Startup items, you may find the following information useful.  You can download Malwarebytes StartUp LITE HERE.  Once installed, it will safely eliminate unnecessary start-up programs for you by disabling or removing them.
 
We need to perform a final bit of housekeeping. I am also including a list of recommendations to help you maintain a clean and secure system.
 
1.  REMOVAL OF DISINFECTION TOOLS
 
Please run the following application to ensure that all removal tools used during your system's disinfection are deleted.
Download Delfix from HERE and save it to your desktop.

  • Tick the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge system restore


  • Click Run. > When finished, a report will open listing the tools that have been deleted.
  • Any remaining tools, logs, files or folders remaining on your desktop can be removed manually.

Malwarebytes Anti-Malware (MBAM)
You may wish to keep MBAM. Perform weekly updates and scans to maintain system security. If you choose to delete this programme, remove it from your Control Panel.
 
2.  UPDATES
 
Remember to update regularly. Updates contain important changes to improve the performance, stability and security of programs that run on your system. Many web exploits search for outdated software with security flaws resulting in compromised personal files (banking and credit card information, ID data, passwords…) and cause other major issues.
 
Windows Updates
You can stay up to date with the latest critical and security updates by using Automatic Updates. To turn on Automatic Updates for Windows 8, click HERE.
 
Java
You have the latest Java installed on your system.  Always keep Java updated to ensure that your applications continue to run safely and efficiently.  Updates are available HERE.
 
Adobe Reader
You are presently running Adobe Reader XI.  Check for the latest Update HERE.  Make sure you uncheck Optional Offer to prevent it from downloading McAfee Security Scan Plus.
 
Adobe Flash
You are presently running Adobe Flash 16.0.0.235.  Update to the latest version 16.0.0.257 HERE.  Make sure you uncheck Optional Offer to prevent it from downloading McAfee Security Scan Plus.
 
3. BROWSER SECURITY
 
Enable Firewall
Ensure your firewall is enabled to protect your computer against malicious internet traffic.  To enable the Firewall in Windows 8, click HERE.
 
Browser Updates
Running older versions of a browser poses serious security vulnerabilities. Updates increase the stability, security, speed, and functionality of your web browsers. Download the latest version of your browser:

Internet Explorer:  HERE.
Mozilla Firefox:  HERE
Google Chrome:  HERE
 
Turn On Safe Browsing Features
For Internet Explorer, activate SmartScreen Filter

  • Open Internet Explorer.
  • Click Tools > SmartScreen Filter > Turn on SmartScreen Filter.

For Mozilla Firefox:
1.  Block Attack Sites and Web Forgeries

  • Open Firefox.
  • Click Tools > Options.
  • Click the Security tab and check mark the following:
  • Warn me when sites try to install add-ons
  • Block reported attack sites
  • Block reported web forgeries.

2.  AdBlock Plus
To remove online advertising and block all known malware domains, download AdBlock Plus from HERE.

For Google Chrome: Enable Phishing and Malware Protection

  • Open Google Chrome.
  • Click the Customize and control icon (wrench or 3 bars) located at the top right corner of the browser.
  • Click Settings > Show advanced settings > Under the Hood.
  • In the Privacy section, check mark Enable phishing and malware protection.
  • Restart

4. RECOMMENDED ENHANCEMENTS FOR SYSTEM SECURITY
 
If you are looking to add even more security features to protect your system, the following applications may be of interest to you.
 
For Internet Explorer: SpywareBlaster

  • Download SpywareBlaster from HERE. SpywareBlaster prevents malicious ActiveX objects from being downloaded onto your system.

For Firefox: No-Script

  • Download No-Script from HERE. No Script prevents malicious scripts from being executed on your system.

For All Browsers: Web of Trust

  • To avoid untrustworthy sites while browsing, download Web of Trust (WOT) from HERE. WOT informs you which websites you can trust by displaying coloured rating symbols next to search results: Green (good), Yellow (caution), Red (dangerous).

5.  RECOMMENDED READING
 
To help you maintain a clean, safe, and healthy system, the following informative articles may be of interest to you:
How to Prevent Malware by Miekiemoes HERE
So How Did I Get Infected In the First Place? By Tony Klein HERE
Simple and easy ways to keep your computer safe and secure on the Internet by Lawrence Abrams HERE
Create Strong Passwords by Microsoft HERE
PC Safety and Security – What do I need to do?  by Glaswegian HERE
 
Nikid506, thank you for using Whatthetech support and working patiently through all the procedures. Please respond to this thread one last time so we can mark it resolved.
Wishing you a very safe browsing experience.
~fbfbfb
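
The UPDATES section above names the products to keep current and asks for older Java versions to be removed. As an added example that is not part of the thread, the PowerShell below lists the installed versions of those products from the Uninstall keys (64-bit, 32-bit and per-user views) and warns when more than one Java entry is present. It assumes the display names match the patterns 'Java \d', 'Adobe Reader' and 'Adobe Flash Player' as shown in Programs and Features; the function name and patterns are my own.

```powershell
# Added example, not part of the thread: list installed versions of the products
# the housekeeping section asks to keep current, read from the Uninstall keys
# (64-bit, 32-bit and per-user), and flag more than one Java entry.
# Assumption: DisplayName values match the patterns below.

function Get-InstalledByName {
    param([string[]]$Patterns = @('Java \d', 'Adobe Reader', 'Adobe Flash Player'))
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($app in Get-ChildItem $key) {
            $p = Get-ItemProperty $app.PSPath
            if (-not $p.DisplayName) { continue }          # many Uninstall subkeys are hidden components
            foreach ($pat in $Patterns) {
                if ($p.DisplayName -match $pat) {
                    [pscustomobject]@{ Name = $p.DisplayName; Version = $p.DisplayVersion; Key = $app.PSPath }
                    break
                }
            }
        }
    }
}

$installed = @(Get-InstalledByName)
$installed | Sort-Object Name | Format-Table Name, Version -AutoSize

# Several Java entries at once means old runtimes are still installed alongside the new one.
$java = @($installed | Where-Object { $_.Name -match '^Java' })
if ($java.Count -gt 1) {
    Write-Warning ('{0} Java entries found; uninstall the older ones from Control Panel.' -f $java.Count)
}
```

Compare the versions it prints with the current releases on the vendors' download pages; the version numbers quoted in the post above were current as of January 2015 only.
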



#27 NicoleD

NicoleD

    Authentic Member

  • Authentic Member
  • PipPip
  • 225 posts
  • Interests:Social Media, Marketing, IT, Graphic Design, Real Estate

Posted 14 January 2015 - 09:26 PM

Thank you very much for all your help, and I appreciate you giving me some housekeeping tips. Everything seems to be good now.



#28 fbfbfb

fbfbfb

    SuperMember

  • Malware Team
  • 1,218 posts

Posted 15 January 2015 - 09:07 AM

Hello, nikid506.

 

Glad everything has worked out for you.

 

All the best,

 

~fbfbfb



#29 fbfbfb

fbfbfb

    SuperMember

  • Malware Team
  • 1,218 posts

Posted 15 January 2015 - 09:07 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.
