
Infected with Vosteran hijacker - need removal instructions


6 replies to this topic

#1 stick1387

stick1387

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:03 PM

Posted 28 January 2015 - 10:23 PM

I believe I got Vosteran when I was downloading Firefox. Guess I didn't use the correct download version. I want to remove Vosteran and add a virus/malware protection.

Thanks for your help.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-01-2015
Ran by Denna (administrator) on DENNA-PC on 28-01-2015 22:07:02
Running from C:\Users\Denna\Desktop
Loaded Profiles: Denna (Available profiles: Denna)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Carbonite, Inc. (www.carbonite.com)) C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
() C:\Program Files (x86)\NETGEAR\WNDA3100v2\WifiSvc.exe
(Carbonite, Inc.) C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe
() C:\Program Files (x86)\ace race\bin\utilacerace.exe
() C:\Program Files (x86)\ace race\updateacerace.exe
() C:\Program Files (x86)\ace race\bin\acerace.expext.exe
() C:\Program Files (x86)\ace race\bin\acerace.PurBrowse64.exe
() C:\Program Files (x86)\ace race\bin\acerace.BrowserAdapter.exe
() C:\Program Files (x86)\ace race\bin\acerace.BrowserAdapter64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(RaMMicHaeL) C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe
(RaMMicHaeL) C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Expression\Web 4\ExpressionWeb.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [Carbonite Backup] => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe [1055952 2014-12-02] (Carbonite, Inc.)
HKLM-x32\...\RunOnce: [WSE_Vosteran] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Denna\AppData\Roaming\WSE_Vosteran\UpdateProc\bkup.dat"
HKLM-x32\...\RunOnce: [Del4977789] => C:\Users\Denna\AppData\Local\Temp\0.del [108032 2013-04-12] () <===== ATTENTION
HKLM-x32\...\RunOnce: [Del5010642] => C:\Users\Denna\AppData\Local\Temp\0.del [108032 2013-04-12] () <===== ATTENTION
HKLM-x32\...\RunOnce: [Del5016742] => C:\Users\Denna\AppData\Local\Temp\0.del [108032 2013-04-12] () <===== ATTENTION
HKU\S-1-5-21-266589301-2800457582-3805976467-1000\...\Run: [GoogleChromeAutoLaunch_9C7FD018DDC9DA5B169BAE6FF32807D2] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [843592 2015-01-25] (Google Inc.)
HKU\S-1-5-21-266589301-2800457582-3805976467-1000\...\Run: [GoogleChromeAutoLaunch_198A79EB77237FA7D1EC00DF43649E40] => C:\Users\Denna\AppData\Local\Vosteran\Application\vosteran.exe [1014272 2014-11-06] ()
HKU\S-1-5-21-266589301-2800457582-3805976467-1000\...\RunOnce: [WSE_Vosteran] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Denna\AppData\Roaming\WSE_Vosteran\UpdateProc\bkup.dat"
HKU\S-1-5-21-266589301-2800457582-3805976467-1000\...\RunOnce: [Del4977789] => C:\Users\Denna\AppData\Local\Temp\0.del [108032 2013-04-12] () <===== ATTENTION
HKU\S-1-5-21-266589301-2800457582-3805976467-1000\...\RunOnce: [Del5010642] => C:\Users\Denna\AppData\Local\Temp\0.del [108032 2013-04-12] () <===== ATTENTION
HKU\S-1-5-21-266589301-2800457582-3805976467-1000\...\RunOnce: [Del5016742] => C:\Users\Denna\AppData\Local\Temp\0.del [108032 2013-04-12] () <===== ATTENTION
AppInit_DLLs-x32: C:/PROGRA~3/{ED950~1/171~1.0/cesa.dll => C:/PROGRA~3/{ED950~1/171~1.0/cesa.dll [649216 2015-01-28] ()
ShellIconOverlayIdentifiers: [ Carbonite.Green] -> {95A27763-F62A-4114-9072-E81D87DE3B68} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers: [ Carbonite.Partial] -> {E300CD91-100F-4E67-9AF3-1384A6124015} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers: [ Carbonite.Yellow] -> {5E529433-B50E-4bef-A63B-16A6B71B071A} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers: [Carbonite.Green] -> {95A27763-F62A-4114-9072-E81D87DE3B68} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers: [Carbonite.Partial] -> {E300CD91-100F-4E67-9AF3-1384A6124015} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers: [Carbonite.Yellow] -> {5E529433-B50E-4bef-A63B-16A6B71B071A} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers-x32: [ Carbonite.Green] -> {95A27763-F62A-4114-9072-E81D87DE3B68} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers-x32: [ Carbonite.Partial] -> {E300CD91-100F-4E67-9AF3-1384A6124015} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers-x32: [ Carbonite.Yellow] -> {5E529433-B50E-4bef-A63B-16A6B71B071A} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers-x32: [Carbonite.Green] -> {95A27763-F62A-4114-9072-E81D87DE3B68} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers-x32: [Carbonite.Partial] -> {E300CD91-100F-4E67-9AF3-1384A6124015} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers-x32: [Carbonite.Yellow] -> {5E529433-B50E-4bef-A63B-16A6B71B071A} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-266589301-2800457582-3805976467-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://vosteran.com/?f=1&a=vst_dnldstr_15_05_ch&cd=2XzuyEtN2Y1L1QzutDtDzz0E0FtBzztCyDyDyBtBtBzy0CtBtN0D0Tzu0StCtCtBtAtN1L2XzutAtFyBtFtCtFtBtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StA0D0A0E0EtA0AyBtGyByCtCtCtG0CzyyB0FtGzyzztCtBtGyByDzzyBzytDtA0CtA0F0EtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DtC0B0A0A0EyE0CtGyB0EzytAtGyE0EtCtDtG0B0EyE0EtGzyyDtCyEzz0FtAyB0Ezy0AyD2Q&cr=1969787125&ir=
HKU\S-1-5-21-266589301-2800457582-3805976467-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_dnldstr_15_05_ch&cd=2XzuyEtN2Y1L1QzutDtDzz0E0FtBzztCyDyDyBtBtBzy0CtBtN0D0Tzu0StCtCtBtAtN1L2XzutAtFyBtFtCtFtBtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StA0D0A0E0EtA0AyBtGyByCtCtCtG0CzyyB0FtGzyzztCtBtGyByDzzyBzytDtA0CtA0F0EtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DtC0B0A0A0EyE0CtGyB0EzytAtGyE0EtCtDtG0B0EyE0EtGzyyDtCyEzz0FtAyB0Ezy0AyD2Q&cr=1969787125&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_dnldstr_15_05_ch&cd=2XzuyEtN2Y1L1QzutDtDzz0E0FtBzztCyDyDyBtBtBzy0CtBtN0D0Tzu0StCtCtBtAtN1L2XzutAtFyBtFtCtFtBtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StA0D0A0E0EtA0AyBtGyByCtCtCtG0CzyyB0FtGzyzztCtBtGyByDzzyBzytDtA0CtA0F0EtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DtC0B0A0A0EyE0CtGyB0EzytAtGyE0EtCtDtG0B0EyE0EtGzyyDtCyEzz0FtAyB0Ezy0AyD2Q&cr=1969787125&ir=
SearchScopes: HKU\S-1-5-21-266589301-2800457582-3805976467-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_dnldstr_15_05_ch&cd=2XzuyEtN2Y1L1QzutDtDzz0E0FtBzztCyDyDyBtBtBzy0CtBtN0D0Tzu0StCtCtBtAtN1L2XzutAtFyBtFtCtFtBtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StA0D0A0E0EtA0AyBtGyByCtCtCtG0CzyyB0FtGzyzztCtBtGyByDzzyBzytDtA0CtA0F0EtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DtC0B0A0A0EyE0CtGyB0EzytAtGyE0EtCtDtG0B0EyE0EtGzyyDtCyEzz0FtAyB0Ezy0AyD2Q&cr=1969787125&ir=
SearchScopes: HKU\S-1-5-21-266589301-2800457582-3805976467-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_dnldstr_15_05_ch&cd=2XzuyEtN2Y1L1QzutDtDzz0E0FtBzztCyDyDyBtBtBzy0CtBtN0D0Tzu0StCtCtBtAtN1L2XzutAtFyBtFtCtFtBtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StA0D0A0E0EtA0AyBtGyByCtCtCtG0CzyyB0FtGzyzztCtBtGyByDzzyBzytDtA0CtA0F0EtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DtC0B0A0A0EyE0CtGyB0EzytAtGyE0EtCtDtG0B0EyE0EtGzyyDtCyEzz0FtAyB0Ezy0AyD2Q&cr=1969787125&ir=
BHO-x32: ace race 1.0.0.7 -> {68182220-3c75-49d9-a9c4-4093d3986279} -> C:\Program Files (x86)\ace race\aceracebho.dll (ace race)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 8.8.8.8 8.8.4.4 209.55.27.13
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\Denna\AppData\Roaming\Mozilla\Firefox\Profiles\ezpqf7t3.default
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Extension: ace race 1.0.1 - C:\Users\Denna\AppData\Roaming\Mozilla\Firefox\Profiles\ezpqf7t3.default\Extensions\{f2944598-b89f-4e10-b544-5173761572df}.xpi [2015-01-28]

Chrome:
=======
CHR HomePage: Default ->
CHR StartupUrls: Default -> "hxxp://vosteran.com/?f=7&a=vst_dnldstr_15_05_ch&cd=2XzuyEtN2Y1L1QzutDtDzz0E0FtBzztCyDyDyBtBtBzy0CtBtN0D0Tzu0StCtCtBtAtN1L2XzutAtFyBtFtCtFtBtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StA0D0A0E0EtA0AyBtGyByCtCtCtG0CzyyB0FtGzyzztCtBtGyByDzzyBzytDtA0CtA0F0EtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DtC0B0A0A0EyE0CtGyB0EzytAtGyE0EtCtDtG0B0EyE0EtGzyyDtCyEzz0FtAyB0Ezy0AyD2Q&cr=1969787125&ir="
CHR DefaultSearchKeyword: Default -> vosteran.com
CHR DefaultSearchURL: Default -> http://vosteran.com/results.php?f=4&q={searchTerms}&a=vst_dnldstr_15_05_ch&cd=2XzuyEtN2Y1L1QzutDtDzz0E0FtBzztCyDyDyBtBtBzy0CtBtN0D0Tzu0StCtCtBtAtN1L2XzutAtFyBtFtCtFtBtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StA0D0A0E0EtA0AyBtGyByCtCtCtG0CzyyB0FtGzyzztCtBtGyByDzzyBzytDtA0CtA0F0EtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DtC0B0A0A0EyE0CtGyB0EzytAtGyE0EtCtDtG0B0EyE0EtGzyyDtCyEzz0FtAyB0Ezy0AyD2Q&cr=1969787125&ir=
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR Profile: C:\Users\Denna\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Denna\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-12-15]
CHR Extension: (Google Docs) - C:\Users\Denna\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-12-15]
CHR Extension: (Google Drive) - C:\Users\Denna\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-12-15]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Denna\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-12-15]
CHR Extension: (YouTube) - C:\Users\Denna\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-12-15]
CHR Extension: (Facebook) - C:\Users\Denna\AppData\Local\Google\Chrome\User Data\Default\Extensions\boeajhmfdjldchidhphikilcgdacljfm [2014-12-15]
CHR Extension: (Google Search) - C:\Users\Denna\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-12-15]
CHR Extension: (Google Sheets) - C:\Users\Denna\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-12-15]
CHR Extension: (TweetDeck by Twitter) - C:\Users\Denna\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbdpomandigafcibbmofojjchbcdagbl [2014-12-15]
CHR Extension: (Google Wallet) - C:\Users\Denna\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-12-15]
CHR Extension: (Gmail) - C:\Users\Denna\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-12-15]
CHR HKLM\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - No Path
CHR HKU\S-1-5-21-266589301-2800457582-3805976467-1000\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - No Path
CHR HKLM-x32\...\Chrome\Extension: [oilkkkefbalmbfppgjmgjoefbclebkce] - No Path
StartMenuInternet: Google Chrome - chrome.exe

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 Unchecky; C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe [126568 2015-01-28] (RaMMicHaeL)
R2 Update ace race; C:\Program Files (x86)\ace race\updateacerace.exe [673008 2015-01-28] ()
R2 Util ace race; C:\Program Files (x86)\ace race\bin\utilacerace.exe [673008 2015-01-28] ()
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 WSWNDA3100v2; C:\Program Files (x86)\NETGEAR\WNDA3100v2\WifiSvc.exe [307928 2013-12-30] ()

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 NPF; C:\Windows\System32\DRIVERS\npf.sys [47632 2010-02-03] (CACE Technologies, Inc.)
R3 smwdm; C:\Windows\System32\drivers\smwdm.sys [348032 2005-11-29] (Analog Devices, Inc.)
R1 {f2944598-b89f-4e10-b544-5173761572df}Gw64; C:\Windows\System32\drivers\{f2944598-b89f-4e10-b544-5173761572df}Gw64.sys [48784 2015-01-28] (StdLib)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-28 22:07 - 2015-01-28 22:07 - 00014756 _____ () C:\Users\Denna\Desktop\FRST.txt
2015-01-28 22:06 - 2015-01-28 22:07 - 00000000 ____D () C:\FRST
2015-01-28 22:05 - 2015-01-28 22:06 - 02130432 _____ (Farbar) C:\Users\Denna\Desktop\FRST64.exe
2015-01-28 22:04 - 2015-01-28 22:04 - 02130432 _____ (Farbar) C:\Users\Denna\Downloads\FRST64.exe
2015-01-28 21:08 - 2015-01-28 21:08 - 00000000 ____D () C:\Users\Denna\Desktop\Strength_Purple-Grey2_Spa_34953-150128
2015-01-28 20:37 - 2015-01-28 20:37 - 00000047 _____ () C:\Users\Denna\AppData\Roaming\WB.CFG
2015-01-28 20:18 - 2015-01-28 20:18 - 00002644 _____ () C:\Users\Denna\Desktop\Gmail.lnk
2015-01-28 19:47 - 2015-01-28 12:36 - 00048784 _____ (StdLib) C:\Windows\system32\Drivers\{f2944598-b89f-4e10-b544-5173761572df}Gw64.sys
2015-01-28 19:46 - 2015-01-28 19:46 - 00001097 _____ () C:\Users\Denna\Desktop\Continue Firefox Installation.lnk
2015-01-28 19:45 - 2015-01-28 19:45 - 00797384 _____ (Dnldstr_Aggregator) C:\Users\Denna\Downloads\Firefox_Setup (2).exe
2015-01-28 19:40 - 2015-01-28 19:41 - 00000000 ____D () C:\Users\Denna\AppData\Roaming\Mozilla
2015-01-28 19:40 - 2015-01-28 19:41 - 00000000 ____D () C:\Users\Denna\AppData\Local\Mozilla
2015-01-28 19:40 - 2015-01-28 19:40 - 00001159 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-01-28 19:40 - 2015-01-28 19:40 - 00001147 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-01-28 19:40 - 2015-01-28 19:40 - 00000000 ____D () C:\ProgramData\Mozilla
2015-01-28 19:40 - 2015-01-28 19:40 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-01-28 19:40 - 2015-01-28 19:40 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-01-28 19:38 - 2015-01-28 21:39 - 00000292 _____ () C:\Windows\Tasks\UpdaterEX.job
2015-01-28 19:38 - 2015-01-28 21:38 - 00000302 _____ () C:\Windows\Tasks\Vosteran_helper.job
2015-01-28 19:38 - 2015-01-28 19:38 - 00003242 _____ () C:\Windows\System32\Tasks\Vosteran_helper
2015-01-28 19:38 - 2015-01-28 19:38 - 00003232 _____ () C:\Windows\System32\Tasks\UpdaterEX
2015-01-28 19:38 - 2015-01-28 19:38 - 00000000 ____D () C:\Users\Denna\AppData\Roaming\UpdaterEX
2015-01-28 19:38 - 2015-01-28 19:38 - 00000000 ____D () C:\Users\Denna\AppData\Local\Vosteran
2015-01-28 19:37 - 2015-01-28 21:37 - 00000292 _____ () C:\Windows\Tasks\WSE_Vosteran.job
2015-01-28 19:37 - 2015-01-28 19:46 - 00000000 ____D () C:\Program Files (x86)\ace race
2015-01-28 19:37 - 2015-01-28 19:39 - 00000000 ____D () C:\ProgramData\Unchecky
2015-01-28 19:37 - 2015-01-28 19:38 - 00003232 _____ () C:\Windows\System32\Tasks\WSE_Vosteran
2015-01-28 19:37 - 2015-01-28 19:37 - 00797384 _____ (Dnldstr_Aggregator) C:\Users\Denna\Downloads\Firefox_Setup (1).exe
2015-01-28 19:37 - 2015-01-28 19:37 - 00000000 ____D () C:\Users\Denna\AppData\Roaming\WSE_Vosteran
2015-01-28 19:37 - 2015-01-28 19:37 - 00000000 ____D () C:\ProgramData\{ED950556-BD17-D4D0-0C91-A452DC1377DC}
2015-01-28 19:37 - 2015-01-28 19:37 - 00000000 ____D () C:\Program Files (x86)\WSE_Vosteran
2015-01-28 19:37 - 2015-01-28 19:37 - 00000000 ____D () C:\Program Files (x86)\Unchecky
2015-01-28 19:37 - 2015-01-28 19:36 - 00244104 _____ () C:\Users\Denna\Downloads\Firefox_Setup_34.0.exe
2015-01-28 19:36 - 2015-01-28 19:36 - 00797384 _____ (Dnldstr_Aggregator) C:\Users\Denna\Downloads\Firefox_Setup.exe
2015-01-28 19:31 - 2015-01-28 21:12 - 00000000 ___HD () C:\Users\Denna\Desktop\_vti_pvt
2015-01-28 19:31 - 2015-01-28 21:02 - 00000000 ___HD () C:\Users\Denna\Desktop\_vti_cnf
2015-01-28 19:21 - 2015-01-28 16:42 - 00001267 _____ () C:\Users\Denna\Documents\Strength #2163.lnk
2015-01-28 18:43 - 2015-01-28 18:44 - 103542856 _____ (Microsoft Corporation) C:\Users\Denna\Downloads\Web_Trial_en.exe
2015-01-28 17:38 - 2015-01-28 17:38 - 00000000 ___SD () C:\Users\Denna\Documents\My Web Sites
2015-01-28 17:34 - 2015-01-28 17:34 - 00002956 _____ () C:\Windows\System32\Tasks\{C0BA2FA2-DE24-4D2B-ADE2-35290B7EEE4B}
2015-01-28 17:34 - 2015-01-28 17:34 - 00002956 _____ () C:\Windows\System32\Tasks\{776EF723-10AD-4A10-A8F7-E59797FA4BA8}
2015-01-28 17:15 - 2015-01-28 17:15 - 00002956 _____ () C:\Windows\System32\Tasks\{247E9A45-1753-4DDF-9586-EEB40B82F7B4}
2015-01-28 17:14 - 2015-01-28 17:14 - 00002956 _____ () C:\Windows\System32\Tasks\{1189F158-2184-4118-B1A8-9DE21974ABAC}
2015-01-28 16:33 - 2015-01-28 16:33 - 00000000 ____D () C:\Users\Denna\Downloads\Strength_Purple-Grey2_Spa_34953-150128
2015-01-28 14:55 - 2015-01-28 14:55 - 08882850 _____ () C:\Users\Denna\Downloads\Strength_Purple-Grey2_Spa_34953-150128.zip
2015-01-28 14:08 - 2015-01-28 17:05 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Expression
2015-01-28 14:08 - 2015-01-28 14:08 - 00000000 ____D () C:\Program Files (x86)\Microsoft Visual Studio 8
2015-01-28 14:08 - 2008-07-12 08:18 - 03851784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_39.dll
2015-01-28 14:07 - 2015-01-28 14:08 - 00000000 ____D () C:\Program Files (x86)\Microsoft Expression
2015-01-27 18:18 - 2015-01-27 18:18 - 00009292 _____ () C:\Users\Denna\Downloads\test.odt
2015-01-27 18:14 - 2015-01-27 18:14 - 00009292 _____ () C:\Users\Denna\Documents\test.odt
2015-01-27 17:07 - 2015-01-27 17:07 - 00057971 _____ () C:\Users\Denna\Downloads\Joann Collins2 (1).odt
2015-01-27 17:05 - 2015-01-27 17:07 - 00058190 _____ () C:\Users\Denna\Downloads\Joann Collins2.odt
2015-01-27 16:52 - 2015-01-27 17:10 - 00057857 _____ () C:\Users\Denna\Documents\Joann Collins2.odt
2015-01-27 14:36 - 2015-01-27 14:50 - 00044735 _____ () C:\Users\Denna\Documents\successcodes.odt
2015-01-20 10:28 - 2015-01-20 10:28 - 00064365 _____ () C:\Users\Denna\Desktop\20 Mini-Gems.odt
2015-01-19 14:43 - 2015-01-19 14:43 - 00072213 _____ () C:\Users\Denna\Documents\Sacral Chakra.odt
2015-01-18 14:40 - 2015-01-18 14:40 - 00045517 _____ () C:\Users\Denna\Documents\thanksgiving.odt
2015-01-18 14:39 - 2015-01-18 22:08 - 00058443 _____ () C:\Users\Denna\Documents\20 mini gems.odt
2015-01-18 14:38 - 2015-01-18 14:38 - 00062175 _____ () C:\Users\Denna\Documents\don't die with your song.odt
2015-01-18 14:31 - 2015-01-18 14:31 - 00073384 _____ () C:\Users\Denna\Documents\set-point to life.odt
2015-01-18 14:25 - 2015-01-18 14:25 - 00080946 _____ () C:\Users\Denna\Documents\spreadthelove2.odt
2015-01-18 14:23 - 2015-01-18 14:23 - 00041260 _____ () C:\Users\Denna\Documents\Hokey Pokey.odt
2015-01-18 13:58 - 2015-01-18 13:58 - 00079801 _____ () C:\Users\Denna\Desktop\Evelyn's testimony.odt
2015-01-17 20:59 - 2015-01-20 17:36 - 111886910 _____ () C:\Users\Denna\Desktop\E-Book with Shutterstock.odt
2015-01-17 17:57 - 2015-01-27 14:47 - 00000099 _____ () C:\Users\Public\LMDebug.log
2015-01-17 17:53 - 2015-01-17 17:53 - 00002701 _____ () C:\Users\Denna\Downloads\legitcheck (4).hta
2015-01-17 17:53 - 2015-01-17 17:53 - 00002701 _____ () C:\Users\Denna\Downloads\legitcheck (3).hta
2015-01-17 17:48 - 2015-01-17 17:48 - 00002701 _____ () C:\Users\Denna\Downloads\legitcheck (2).hta
2015-01-17 17:43 - 2015-01-17 17:43 - 00002701 _____ () C:\Users\Denna\Downloads\legitcheck (1).hta
2015-01-17 17:41 - 2015-01-17 17:43 - 00002701 _____ () C:\Users\Denna\Downloads\legitcheck.hta
2015-01-17 15:53 - 2015-01-17 20:57 - 115747924 _____ () C:\Users\Denna\Desktop\E-Book with NO Photos & Audio links.odt
2015-01-15 16:21 - 2015-01-15 16:33 - 06699439 _____ () C:\Users\Denna\Documents\E-Book with Photos.odt
2015-01-14 21:49 - 2014-12-05 23:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-14 21:49 - 2014-12-05 22:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-14 21:49 - 2014-12-05 22:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-14 20:49 - 2015-01-15 20:22 - 06652164 _____ () C:\Users\Denna\Documents\E-Book with Photos & Audio links.odt
2015-01-14 14:05 - 2015-01-14 14:05 - 00000000 ____D () C:\Users\Denna\Desktop\Hope
2015-01-14 13:54 - 2015-01-20 10:18 - 00000000 ____D () C:\Users\Denna\Desktop\20Gems 1-14-15
2015-01-14 13:52 - 2015-01-08 14:49 - 00005556 _____ () C:\Users\Denna\Desktop\Review.eml
2015-01-14 13:51 - 2015-01-08 14:49 - 02165864 _____ () C:\Users\Denna\Desktop\Images.eml
2015-01-14 13:47 - 2015-01-14 13:47 - 00000000 ____D () C:\Users\Denna\VIP
2015-01-14 13:47 - 2015-01-14 13:47 - 00000000 ____D () C:\Users\Denna\Unity
2015-01-14 13:46 - 2015-01-14 13:46 - 00000000 ____D () C:\Users\Denna\ObesityHelp
2015-01-14 13:45 - 2015-01-14 13:45 - 00000000 ____D () C:\Users\Denna\DVD 4 Journal
2015-01-14 13:45 - 2015-01-14 13:45 - 00000000 ____D () C:\Users\Denna\DVD 2 Blueprint
2015-01-14 13:45 - 2015-01-14 13:45 - 00000000 ____D () C:\Users\Denna\DVD 1 Journal
2015-01-14 13:32 - 2015-01-14 13:33 - 00000000 ____D () C:\Users\Denna\20Gems Artwork
2015-01-14 00:26 - 2014-12-18 22:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-14 00:26 - 2014-12-18 20:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-14 00:26 - 2014-12-12 00:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-14 00:26 - 2014-12-12 00:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-14 00:26 - 2014-12-12 00:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-14 00:26 - 2014-12-12 00:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-14 00:26 - 2014-12-12 00:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-14 00:26 - 2014-12-12 00:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-14 00:26 - 2014-12-12 00:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-14 00:26 - 2014-12-11 12:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-08 20:34 - 2015-01-08 20:50 - 00000000 ____D () C:\Users\Denna\Documents\Website
2015-01-08 16:30 - 2015-01-08 16:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Carbonite
2015-01-08 14:33 - 2015-01-08 14:33 - 00000000 ____D () C:\Users\My Netbook.KCAGIVEAWAY\Desktop\20Gems photos
2015-01-08 13:41 - 2015-01-08 13:41 - 00020315 _____ () C:\Users\Denna\Downloads\what_is_twentygems.html
2015-01-08 13:40 - 2015-01-08 13:40 - 00024988 _____ () C:\Users\Denna\Downloads\calm-baby.html
2015-01-08 13:40 - 2015-01-08 13:40 - 00024752 _____ () C:\Users\Denna\Downloads\what_other_are_saying.html
2015-01-08 13:40 - 2015-01-08 13:40 - 00020871 _____ () C:\Users\Denna\Downloads\denna_shelton.html
2015-01-08 13:40 - 2015-01-08 13:40 - 00018018 _____ () C:\Users\Denna\Downloads\how_to_use_twentygems.html
2015-01-08 13:40 - 2015-01-08 13:40 - 00013800 _____ () C:\Users\Denna\Downloads\meditation-for-stress-relief.html
2015-01-08 13:40 - 2015-01-08 13:40 - 00002760 _____ () C:\Users\Denna\Downloads\positive-thinking-affirmations.html
2015-01-08 12:06 - 2015-01-08 12:07 - 02363204 _____ () C:\Users\Denna\Downloads\truthful-clip2.wmv
2015-01-08 12:06 - 2015-01-08 12:07 - 02363204 _____ () C:\Users\Denna\Downloads\truthful-clip2 (1).wmv
2015-01-08 12:06 - 2015-01-08 12:06 - 03835252 _____ () C:\Users\Denna\Downloads\Joy-clip2.wmv
2015-01-08 12:06 - 2015-01-08 12:06 - 03827252 _____ () C:\Users\Denna\Downloads\Joy-clip1.wmv
2015-01-08 12:06 - 2015-01-08 12:06 - 03723276 _____ () C:\Users\Denna\Downloads\harmonious-clip2.wmv
2015-01-08 12:06 - 2015-01-08 12:06 - 03595276 _____ () C:\Users\Denna\Downloads\harmonious-clip1.wmv
2015-01-08 12:06 - 2015-01-08 12:06 - 03019216 _____ () C:\Users\Denna\Downloads\peace-clip1.wmv
2015-01-08 12:06 - 2015-01-08 12:06 - 02683180 _____ () C:\Users\Denna\Downloads\truthful-clip1.wmv
2015-01-08 12:06 - 2015-01-08 12:06 - 01275228 _____ () C:\Users\Denna\Downloads\peace-clip2.wmv
2015-01-08 11:55 - 2015-01-08 11:56 - 10799448 _____ () C:\Users\Denna\Downloads\TruthSample-YouTube.wmv
2015-01-08 11:55 - 2015-01-08 11:56 - 10347381 _____ () C:\Users\Denna\Downloads\JoySample-YouTube.wmv
2015-01-08 11:55 - 2015-01-08 11:55 - 10281859 _____ () C:\Users\Denna\Downloads\PeaceSample-YouTube.wmv
2015-01-08 11:55 - 2015-01-08 11:55 - 09416787 _____ () C:\Users\Denna\Downloads\HarmonySample-YouTube.wmv
2014-12-30 15:44 - 2014-12-30 15:48 - 00064278 _____ () C:\Users\Denna\Downloads\Kathy Hoga 12-30-14 reading.odt
2014-12-30 15:25 - 2014-12-30 15:29 - 00064164 _____ () C:\Users\Denna\Documents\Kathy Hoga 12-30-14 reading.odt

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-28 21:25 - 2014-12-15 18:20 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-28 21:20 - 2009-07-13 23:45 - 00017088 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-28 21:20 - 2009-07-13 23:45 - 00017088 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-28 19:47 - 2009-07-13 21:34 - 00000505 _____ () C:\Windows\win.ini
2015-01-28 19:37 - 2014-12-15 18:22 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-01-28 18:25 - 2014-12-15 18:20 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-28 18:22 - 2009-07-14 00:13 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-28 18:19 - 2014-12-03 22:35 - 01125295 _____ () C:\Windows\WindowsUpdate.log
2015-01-28 18:15 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-28 18:15 - 2009-07-13 23:51 - 00029896 _____ () C:\Windows\setupact.log
2015-01-28 18:15 - 2009-07-13 23:45 - 00330424 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-01-28 17:38 - 2014-12-15 18:11 - 00074816 _____ () C:\Users\Denna\AppData\Local\GDIPFONTCACHEV1.DAT
2015-01-14 13:47 - 2014-12-03 19:44 - 00000000 ____D () C:\Users\Denna
2015-01-08 16:30 - 2014-12-16 08:41 - 00004144 _____ () C:\Windows\System32\Tasks\{5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4}
2015-01-08 16:30 - 2014-12-16 08:41 - 00002132 _____ () C:\Users\Public\Desktop\Carbonite InfoCenter.lnk
2015-01-08 15:25 - 2011-04-12 02:51 - 00000000 ___RD () C:\Users\Public\Recorded TV
2015-01-08 14:33 - 2014-12-16 08:52 - 00000000 ____D () C:\Users\My Netbook.KCAGIVEAWAY
2015-01-08 14:03 - 2014-12-16 09:00 - 00000000 ____D () C:\Users\Denna\Documents\Twenty Gems
2015-01-02 09:18 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\NDF

==================== Files in the root of some directories =======

2015-01-28 20:37 - 2015-01-28 20:37 - 0000047 _____ () C:\Users\Denna\AppData\Roaming\WB.CFG
2014-12-16 12:49 - 2014-11-17 13:16 - 0010240 _____ () C:\Users\Denna\AppData\Local\Z@!-506d754f-c504-4dd2-9b6e-3d39faa920cb.tmp
2014-12-16 12:49 - 2014-11-17 13:16 - 0009216 _____ () C:\Users\Denna\AppData\Local\Z@S!-ce2b820b-24e6-4993-86ad-6fd958ef0742.tmp

Files to move or delete:
====================
C:\Users\Denna\AppData\Local\Temp\0.del

Some content of TEMP:
====================
C:\Users\Denna\AppData\Local\Temp\ICReinstall_Firefox_Setup (2).exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-01-24 09:50

==================== End Of Log ============================


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:03 AM

Posted 29 January 2015 - 08:47 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Important: To help me review your logs, please post them in code boxes. You can create them by clicking on the <>-symbol on top of the reply window.

We need to remove some programs with Revo Uninstaller Free:


Note: Revo Uninstaller is more thorough in deleting programs on your computer than using the Add/Remove option in Windows. Since it is a more powerful tool, please be sure to follow the instructions carefully.
Note: If the program you want to uninstall is not listed by Revo, let me know and we will try an alternate method of removal.

  • Please download and install Revo Uninstaller Free
    note: there is no need to click anything on that page, the download will start automatically
  • Double click Revo Uninstaller to run it
  • From the list of programs double click on the listed program(s), or anything similar, to remove it:
    ace race
    
    Extended Update
    
    Vosteran
    
    WSE_Vosteran
    
    unchecky
  • When prompted if you want to uninstall click Yes
  • Be sure the Moderate option is selected then click Next
  • The program will run, If prompted again click Yes
  • When the built-in uninstaller is finished click on Next
  • Once the program has searched for leftovers click Next
  • Check the items in bold only on the list then click Delete
    note: you may have to expand some folders by clicking the "+" mark
  • When prompted click on Yes and then on Next
  • Put a check on any folders that are found and select Delete
  • When prompted select Yes then Next
  • Once done click Finish

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

Scan with ESET Online Scan

Go here to run an online scanner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator.

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
  • Click the blue Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
  • Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.


Attached Files


Edited by TB-Psychotic, 29 January 2015 - 08:47 AM.

Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 stick1387

stick1387
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:03 PM

Posted 01 February 2015 - 01:38 AM

Thanks Marius, I have followed your instructions as best as I can. 

 

Here is the Malwarebytes log

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/1/2015
Scan Time: 12:06:14 AM
Logfile: 
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.01.01
Rootkit Database: v2015.01.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Denna

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 367101
Time Elapsed: 18 min, 16 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 8
PUP.Optional.AceRace.A, HKU\S-1-5-21-266589301-2800457582-3805976467-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{68182220-3C75-49D9-A9C4-4093D3986279}, Quarantined, [5de813061e6c51e5c2f901f4ea18fb05], 
PUP.Optional.AceRace.A, HKU\S-1-5-21-266589301-2800457582-3805976467-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{68182220-3C75-49D9-A9C4-4093D3986279}, Quarantined, [5de813061e6c51e5c2f901f4ea18fb05], 
PUP.Optional.AceRace.A, HKU\S-1-5-21-266589301-2800457582-3805976467-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\ace race, Quarantined, [4afb3ddcacdefd391d1d493bef14768a], 
PUP.Optional.Vosteran.A, HKU\S-1-5-21-266589301-2800457582-3805976467-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Vosteran Browser, Quarantined, [41041702c3c781b58ad3e81fc44130d0], 
PUP.Optional.Vosteran.A, HKU\S-1-5-21-266589301-2800457582-3805976467-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\wse_vosteran, Quarantined, [2421c4556a200f27787ba561689dac54], 
PUP.Optional.Vosteran.A, HKU\S-1-5-21-266589301-2800457582-3805976467-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\oilkkkefbalmbfppgjmgjoefbclebkce, Quarantined, [e95c8891543696a00f9c681ecb38817f], 
PUP.Optional.InstallCore.A, HKU\S-1-5-21-266589301-2800457582-3805976467-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE\1I1T1Q1S, Quarantined, [f550bf5a2763f93d012c8d3b36cda759], 
PUP.Optional.InstallCore.A, HKU\S-1-5-21-266589301-2800457582-3805976467-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE, Quarantined, [8cb93edbc7c35ed8033e815d25dff010], 

Registry Values: 2
PUP.Optional.InstallCore.A, HKU\S-1-5-21-266589301-2800457582-3805976467-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE|tb, 0Z1B1L2Z1S, Quarantined, [8cb93edbc7c35ed8033e815d25dff010]
PUP.Optional.Vosteran, HKU\S-1-5-21-266589301-2800457582-3805976467-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, Vosteran, Quarantined, [13325cbdbecced4936ecf31624e14eb2]

Registry Data: 1
PUP.Optional.Vosteran.A, HKU\S-1-5-21-266589301-2800457582-3805976467-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://vosteran.com/?f=1&a=vst_dnldstr_15_05_ch&cd=2XzuyEtN2Y1L1QzutDtDzz0E0FtBzztCyDyDyBtBtBzy0CtBtN0D0Tzu0StCtCtBtAtN1L2XzutAtFyBtFtCtFtBtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StA0D0A0E0EtA0AyBtGyByCtCtCtG0CzyyB0FtGzyzztCtBtGyByDzzyBzytDtA0CtA0F0EtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DtC0B0A0A0EyE0CtGyB0EzytAtGyE0EtCtDtG0B0EyE0EtGzyyDtCyEzz0FtAyB0Ezy0AyD2Q&cr=1969787125&ir=, Good: (www.google.com), Bad: (http://vosteran.com/?f=1&a=vst_dnldstr_15_05_ch&cd=2XzuyEtN2Y1L1QzutDtDzz0E0FtBzztCyDyDyBtBtBzy0CtBtN0D0Tzu0StCtCtBtAtN1L2XzutAtFyBtFtCtFtBtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StA0D0A0E0EtA0AyBtGyByCtCtCtG0CzyyB0FtGzyzztCtBtGyByDzzyBzytDtA0CtA0F0EtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DtC0B0A0A0EyE0CtGyB0EzytAtGyE0EtCtDtG0B0EyE0EtGzyyDtCyEzz0FtAyB0Ezy0AyD2Q&cr=1969787125&ir=),Replaced,[ff461efbdcaeff37d8d538778c795ca4]

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


#4 stick1387

stick1387
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:03 PM

Posted 01 February 2015 - 01:51 AM

Marius, here's the log from the ESET scan

C:\AdwCleaner\Quarantine\C\Program Files\Conduit\Community Alerts\Alert.dll.vir	Win32/Toolbar.Conduit.Y potentially unwanted application	deleted - quarantined
C:\Users\Denna\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdohfcdfbmkplifgaijhgccjenbcfjop\1.0.1_0\background.js	Win32/BrowseFox.Q potentially unwanted application	deleted - quarantined
C:\Users\Denna\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdohfcdfbmkplifgaijhgccjenbcfjop\1.0.1_0\content.js	Win32/BrowseFox.Q potentially unwanted application	deleted - quarantined
C:\Users\Denna\AppData\Local\Temp\ICReinstall_Firefox_Setup (2).exe	a variant of Win32/InstallCore.TR potentially unwanted application	deleted - quarantined
C:\Users\Denna\Downloads\Firefox_Setup (1).exe	a variant of Win32/InstallCore.TR potentially unwanted application	deleted - quarantined
C:\Users\Denna\Downloads\Firefox_Setup (2).exe	a variant of Win32/InstallCore.TR potentially unwanted application	deleted - quarantined
C:\Users\Denna\Downloads\Firefox_Setup.exe	a variant of Win32/InstallCore.TR potentially unwanted application	deleted - quarantined
C:\Windows.old\Documents and Settings\user\Local Settings\Application Data\SmileBox_EN\ldrtbSmil.dll	a variant of Win32/Toolbar.Conduit.P potentially unwanted application	deleted - quarantined
C:\Windows.old\Documents and Settings\user\Local Settings\Application Data\SmileBox_EN\tbSmil.dll	a variant of Win32/Toolbar.Conduit.B potentially unwanted application	deleted - quarantined
C:\Windows.old\Documents and Settings\user\Local Settings\Application Data\SmileBox_EN\plugins\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}\3.6.8\bin\PriceGongIE.dll	a variant of Win32/PriceGong.A potentially unwanted application	deleted - quarantined
C:\Windows.old\Documents and Settings\user\Local Settings\Temp\is1242154493\92304054_stp\uninstaller.exe	Win32/InstallCore.PC potentially unwanted application	deleted - quarantined
C:\Windows.old\Documents and Settings\user\Local Settings\Temp\is1807810639\0FC852B7_stp\webget_setup.exe	a variant of Win64/BrowseFox.Z potentially unwanted application	deleted - quarantined
C:\Windows.old\Windows\system32\drivers\{55685567-4840-4a91-962b-49a412e9485a}t.sys	a variant of Win32/RiskWare.NetFilter.E application	cleaned by deleting - quarantined
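As an added, read-only check that is not part of the thread: the persistence points the Malwarebytes and ESET logs above list for Vosteran and its InstallCore bundler, audited from PowerShell on the affected user's account. The Firefox prefs.js check is an assumption (the posted logs only cover IE and Chrome, but FF is the default browser on this machine).

```powershell
# Added example (not from the thread): read-only audit of the persistence
# points the Malwarebytes and ESET logs flagged for Vosteran / InstallCore.
# Run as the affected user; it only reports and changes nothing.

$findings = @()

# 1. IE start page and search scope (MBAM "Registry Data" / "Registry Values")
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Start Page'
if ($startPage -and $startPage -match 'vosteran\.com') {
    $findings += "IE Start Page still points to Vosteran: $startPage"
}
$scope = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}'
if (Test-Path $scope) {
    $scopeText = Get-ItemProperty -Path $scope | Out-String
    if ($scopeText -match 'vosteran') { $findings += "IE search scope references Vosteran: $scope" }
}

# 2. Vendor and bundler keys listed under MBAM "Registry Keys"
foreach ($key in 'HKCU:\Software\Vosteran Browser',
                 'HKCU:\Software\wse_vosteran',
                 'HKCU:\Software\InstallCore') {
    if (Test-Path $key) { $findings += "Registry key present: $key" }
}

# 3. Chrome: external-extension install key (MBAM) and unpacked extension
#    folder in the profile (ESET), using the two extension IDs the logs name
$extIds = 'oilkkkefbalmbfppgjmgjoefbclebkce', 'kdohfcdfbmkplifgaijhgccjenbcfjop'
foreach ($id in $extIds) {
    $regKey = "HKCU:\Software\Google\Chrome\Extensions\$id"
    if (Test-Path $regKey) { $findings += "Chrome external-extension key present: $regKey" }
    $dir = Join-Path $env:LOCALAPPDATA "Google\Chrome\User Data\Default\Extensions\$id"
    if (Test-Path $dir) { $findings += "Chrome extension folder present: $dir" }
}

# 4. Firefox (assumption, not from the logs): a hijacked homepage or search
#    default would show up as the string 'vosteran' in a profile's prefs.js
$ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $ffProfiles) {
    $hits = Get-ChildItem -Path $ffProfiles -Recurse -Filter prefs.js -ErrorAction SilentlyContinue |
            Select-String -Pattern 'vosteran' -SimpleMatch
    foreach ($hit in $hits) {
        $findings += "Firefox pref references Vosteran: $($hit.Path):$($hit.LineNumber)"
    }
}

if ($findings.Count -eq 0) {
    'No Vosteran/InstallCore indicators found in the audited locations.'
} else {
    $findings | ForEach-Object { "FOUND: $_" }
}
```

Anything it reports after the cleanup steps above is a leftover the helper would want to see in the next FRST log, so paste the output into the reply rather than deleting things by hand.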



#5 stick1387

stick1387
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:03 PM

Posted 01 February 2015 - 02:01 AM

After I ran the above scans I restarted the computer and Vosteran is still there.  Am standing by for next instructions.

Thanks



#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:03 AM

Posted 02 February 2015 - 05:34 AM

Please rescan with FRST (create a new addition.txt as well) and post the logs.



#7 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:03 AM

Posted 03 July 2015 - 02:28 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.