Vosteran Search Tab in Browser


  • This topic is locked
8 replies to this topic

#1 allbenatt

allbenatt

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:45 AM

Posted 26 December 2014 - 02:59 PM

I trusted two well-known brands - (SourceForge & FileZilla) - and wound up with Vosteran on my PC although I thought I had specified that Vosteran NOT be included while installing FileZilla.

 

I use a laptop running Windows 8.1 Pro.  Chrome is my primary browser but I have found that all 3 of my browsers now have a Vosteran tab. I tried using Add/Remove programs but that did not get rid of it.

 

I'm attaching the FRST scan files to this message and would be very grateful for your guidance.

 

Ben C

Attached File  BC_Vosteran_Addition.txt   42.17KB   2 downloads
Attached File  BC_Vosteran_FRST.txt   44.22KB   9 downloads





#2 allbenatt

allbenatt
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:45 AM

Posted 26 December 2014 - 03:49 PM

Changed settings in all my browsers following instructions found on YouTube https://www.youtube.com/watch?v=8dvcp2Yp53Y

 

This has kept Vosteran from launching as a tab in my browsers but I don't feel confident it is not doing harm elsewhere on my PC (at least until I hear from you). If you'd like me to run another scan and send the new FRST files, I'll be happy to.

 

Ben C



#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,224 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:45 AM

Posted 28 December 2014 - 09:56 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKLM-x32\...\RunOnce: [DelTr153796968] => cmd.exe /c rd /s /q  "C:\Users\Ben\AppData\Roaming\WSE_Vosteran"
HKU\S-1-5-21-2923792563-105519315-3143511854-1001\...\RunOnce: [WSE_Vosteran] => [X]
HKU\S-1-5-21-2923792563-105519315-3143511854-1001\...\RunOnce: [DelTr153796937] => cmd.exe /c rd /s /q  "C:\Users\Ben\AppData\Roaming\WSE_Vosteran"
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2923792563-105519315-3143511854-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://Vosteran.com/?f=1&a=vst_frg01_14_52_ch&cd=2XzuyEtN2Y1L1QzuzzyEyE0B0FyDtDtCtDzytCyCyB0A0DzytN0D0Tzu0StCtDzytDtN1L2XzutAtFyCtFtCyDtFtAtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyBtBtDtBtDzyyCtBtGyDtA0FtBtGyE0FyB0AtGyE0AtC0BtGtCyB0E0AzzyBtDtDyE0AyBtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szy0CtAtAyEyCyEyEtG0EyByEtDtGyEtBtAyCtG0BtBtBtDtG0BtD0ByEzyzzzz0D0AyCyEyC2Q&cr=2069509301&ir=
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_frg01_14_52_ch&cd=2XzuyEtN2Y1L1QzuzzyEyE0B0FyDtDtCtDzytCyCyB0A0DzytN0D0Tzu0StCtDzytDtN1L2XzutAtFyCtFtCyDtFtAtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyBtBtDtBtDzyyCtBtGyDtA0FtBtGyE0FyB0AtGyE0AtC0BtGtCyB0E0AzzyBtDtDyE0AyBtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szy0CtAtAyEyCyEyEtG0EyByEtDtGyEtBtAyCtG0BtBtBtDtG0BtD0ByEzyzzzz0D0AyCyEyC2Q&cr=2069509301&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_frg01_14_52_ch&cd=2XzuyEtN2Y1L1QzuzzyEyE0B0FyDtDtCtDzytCyCyB0A0DzytN0D0Tzu0StCtDzytDtN1L2XzutAtFyCtFtCyDtFtAtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyBtBtDtBtDzyyCtBtGyDtA0FtBtGyE0FyB0AtGyE0AtC0BtGtCyB0E0AzzyBtDtDyE0AyBtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szy0CtAtAyEyCyEyEtG0EyByEtDtGyEtBtAyCtG0BtBtBtDtG0BtD0ByEzyzzzz0D0AyCyEyC2Q&cr=2069509301&ir=
SearchScopes: HKU\S-1-5-21-2923792563-105519315-3143511854-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_frg01_14_52_ch&cd=2XzuyEtN2Y1L1QzuzzyEyE0B0FyDtDtCtDzytCyCyB0A0DzytN0D0Tzu0StCtDzytDtN1L2XzutAtFyCtFtCyDtFtAtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyBtBtDtBtDzyyCtBtGyDtA0FtBtGyE0FyB0AtGyE0AtC0BtGtCyB0E0AzzyBtDtDyE0AyBtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szy0CtAtAyEyCyEyEtG0EyByEtDtGyEtBtAyCtG0BtBtBtDtG0BtD0ByEzyzzzz0D0AyCyEyC2Q&cr=2069509301&ir=
SearchScopes: HKU\S-1-5-21-2923792563-105519315-3143511854-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_frg01_14_52_ch&cd=2XzuyEtN2Y1L1QzuzzyEyE0B0FyDtDtCtDzytCyCyB0A0DzytN0D0Tzu0StCtDzytDtN1L2XzutAtFyCtFtCyDtFtAtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyBtBtDtBtDzyyCtBtGyDtA0FtBtGyE0FyB0AtGyE0AtC0BtGtCyB0E0AzzyBtDtDyE0AyBtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szy0CtAtAyEyCyEyEtG0EyByEtDtGyEtBtAyCtG0BtBtBtDtG0BtD0ByEzyzzzz0D0AyCyEyC2Q&cr=2069509301&ir=
BHO: Freecorder extension x64 -> {B15BBE59-42F5-4206-B3F0-BE98F5DC4B93} -> C:\Program Files\Freecorder extension x64\ScriptHost.dll (Applian Technologies Inc.)
BHO-x32: Freecorder extension -> {B15BBE59-42F5-4206-B3F0-BE98F5DC4B93} -> C:\Program Files (x86)\Freecorder extension\ScriptHost.dll (Applian Technologies Inc.)
FF DefaultSearchEngine: Vosteran
FF SelectedSearchEngine: Vosteran
FF Homepage: hxxp://Vosteran.com/?f=1&a=vst_frg01_14_52_ch&cd=2XzuyEtN2Y1L1QzuzzyEyE0B0FyDtDtCtDzytCyCyB0A0DzytN0D0Tzu0StCtDzytDtN1L2XzutAtFyCtFtCyDtFtAtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyBtBtDtBtDzyyCtBtGyDtA0FtBtGyE0FyB0AtGyE0AtC0BtGtCyB0E0AzzyBtDtDyE0AyBtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szy0CtAtAyEyCyEyEtG0EyByEtDtGyEtBtAyCtG0BtBtBtDtG0BtD0ByEzyzzzz0D0AyCyEyC2Q&cr=2069509301&ir=
FF Keyword.URL: hxxp://www.bing.com/search?FORM=U038DF&PC=U038&dt=061913&q=
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF user.js: detected! => C:\Users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\649i87g0.default\user.js
FF SearchPlugin: C:\Users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\649i87g0.default\searchplugins\bingp.xml
FF SearchPlugin: C:\Users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\649i87g0.default\searchplugins\Vosteran.xml
FF Extension: Freecorder - C:\Users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\649i87g0.default\Extensions\addon@freecorder.com [2013-10-25]
CHR StartupUrls: Default -> "hxxp://mail.google.com/", "hxxp://Vosteran.com/?f=7&a=vst_frg01_14_52_ch&cd=2XzuyEtN2Y1L1QzuzzyEyE0B0FyDtDtCtDzytCyCyB0A0DzytN0D0Tzu0StCtDzytDtN1L2XzutAtFyCtFtCyDtFtAtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyBtBtDtBtDzyyCtBtGyDtA0FtBtGyE0FyB0AtGyE0AtC0BtGtCyB0E0AzzyBtDtDyE0AyBtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szy0CtAtAyEyCyEyEtG0EyByEtDtGyEtBtAyCtG0BtBtBtDtG0BtD0ByEzyzzzz0D0AyCyEyC2Q&cr=2069509301&ir="
CHR Extension: (Freecorder) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpicboiclhmnllnjdcfcffifpoaebgkm [2013-10-25]
CHR Extension: (Bitly | Unleash the power of the link) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\iabeihobmhlgpkcgjiloemdbofjbdcic [2013-04-18]
CHR Extension: (Evernote Web) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbfehkoinhhcknnbdgnnmjhiladcgbol [2013-04-18]
CHR Extension: (Google Wallet) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-26]
CHR HKLM\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - No Path
CHR HKU\S-1-5-21-2923792563-105519315-3143511854-1001\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
CHR HKU\S-1-5-21-2923792563-105519315-3143511854-1001\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - No Path
CHR HKLM-x32\...\Chrome\Extension: [gpicboiclhmnllnjdcfcffifpoaebgkm] - C:\Program Files (x86)\Freecorder extension\Freecorder.crx [2013-01-27]
CHR HKLM-x32\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - No Path
C:\Users\Ben\AppData\Roaming\WSE_Vosteran
C:\Program Files (x86)\Freecorder extension
C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpicboiclhmnllnjdcfcffifpoaebgkm

End
Save the file as fixlist.txt in the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?
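
Added example, not part of nasdaq's post and not FRST's own code: a small Python triage that groups FRST-style log lines by where the entry lives and flags the ones that reference the hijacker, either by URL host or by file/registry name. The sample lines are constructed from the layout quoted above (query strings shortened, SID replaced by a placeholder), and the function names and location labels are assumptions made for this illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the FRST log layout quoted above: query strings are
# shortened and the SID is a placeholder; paths reuse names shown in the thread.
SAMPLE_LOG = r'''
HKU\S-1-5-21-EXAMPLE\...\RunOnce: [WSE_Vosteran] => [X]
HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Internet Explorer\Main,Start Page = http://Vosteran.com/?f=1
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://Vosteran.com/results.php?f=4&q={searchTerms}
FF Homepage: hxxp://Vosteran.com/?f=1
FF Keyword.URL: hxxp://www.bing.com/search?q=
FF SearchPlugin: C:\Users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\649i87g0.default\searchplugins\Vosteran.xml
CHR StartupUrls: Default -> "hxxp://mail.google.com/", "hxxp://Vosteran.com/?f=7"
C:\Users\Ben\AppData\Roaming\WSE_Vosteran
'''
URL_RE = re.compile(r'h(?:tt|xx)ps?://[^\s"]+', re.I)  # also matches defanged hxxp://

def where(line):
    """Map a line to the place the entry lives, judged by its FRST-style prefix."""
    if "\\RunOnce:" in line:
        return "registry autorun"
    if "Internet Explorer" in line or line.startswith(("SearchScopes:", "BHO")):
        return "Internet Explorer"
    if line.startswith("FF "):
        return "Firefox"
    if line.startswith("CHR "):
        return "Chrome"
    return "file system"

def triage(log, name="vosteran", domain="vosteran.com"):
    """Return (location, match kind, line) for each line that references the hijacker."""
    hits = []
    for line in filter(None, map(str.strip, log.splitlines())):
        hosts = [urlsplit("http" + u[4:]).hostname or "" for u in URL_RE.findall(line)]
        # Compare the parsed host so look-alike hosts and query strings do not match.
        by_url = any(h == domain or h.endswith("." + domain) for h in hosts)
        by_name = name in URL_RE.sub("", line).lower()  # paths and value names only
        if by_url or by_name:
            hits.append((where(line), "url" if by_url else "name", line))
    return hits

def summary(hits):
    return dict(Counter(loc for loc, _, _ in hits))

if __name__ == "__main__":
    for loc, kind, line in triage(SAMPLE_LOG):
        print(f"{loc:18} {kind:4} {line[:70]}")
```

Passing the text of a fresh FRST scan to `triage()` shows which locations still reference the hijacker after a browser-only reset.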

#4 allbenatt

allbenatt
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:45 AM

Posted 28 December 2014 - 06:31 PM

nasdaq:

 

Thanks for the instructions. Since taking the actions I described in my previous post, I have not seen any evidence of Vosteran in my browsers. 

 

Do you have any reason to believe Vosteran is still active on my PC and that it will cause any problems?  I don't want to take the actions you have recommended and occupy more of your time unless there is a good reason to do so.

 

Thanks for your attention and courtesy in responding to the question above.

 

Ben C



#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,224 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:45 AM

Posted 29 December 2014 - 08:45 AM

The AdwCleaner will clean your registry of the bad items and will inform you of any other unwanted 3rd party programs.


Your call.

#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,224 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:45 AM

Posted 04 January 2015 - 09:12 AM

Are you still with me?

#7 allbenatt

allbenatt
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:45 AM

Posted 04 January 2015 - 06:33 PM

Hi, nasdaq.

 

I still see no effect of Vosteran after taking the actions in the video I mentioned. So I think I'll just keep on keeping on the way things are at the moment.

 

I'm currently researching how to do a fresh install of Windows 8.1 anyway (for reasons unrelated to Vosteran) and that will remove any remnants of the adware from my system.

 

Thanks for your attention.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,224 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:45 AM

Posted 05 January 2015 - 08:34 AM

You may be interested to look or ask in this forum.

http://www.bleepingcomputer.com/forums/f/209/windows-8/

#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,224 posts
  • ONLINE
  •  
  • Location:Montreal, QC. Canada
  • Local time:09:45 AM

Posted 11 January 2015 - 11:39 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



