
Vosteran browser hijacker


This topic is locked. 59 replies to this topic

#1 Lifes

  • Members
  • 28 posts
  • Gender:Female

Posted 02 February 2015 - 09:10 PM

When downloading MP3Rocket, which captures YouTube music, I unchecked all the downloads it wanted to do. But it loaded the Vosteran browser hijacker.

 

I can't tell whether I have 32 or 64 bit from the instructions here:  http://www.bleepingcomputer.com/tutorials/32-bit-or-64-bit-windows/

(No menu called "Computer" -- I have My Computer.) Right-click Properties doesn't open the Control Panel. Whether I right-click My Computer or C, or look in the Control Panel, it gives the same screen but no tab for "System Type". It does not list any bit type under the Computer info System Properties screen. (If I recall correctly, the bit info is in one of the Advanced areas of one of the tabs on System Properties -- but I don't remember which tab or which Advanced button.) (I *think* it's a 64 bit??) I don't know which version of the tool to download.

 

Systemax (old laptop)

WinXPro2002 SP 3

Chrome - nothing added there... just my regular 3 addons

AVGFree - shows nothing

Malwarebytes -- shows nothing

Old Frontpage2000 is now shown as associated with the Vosteran browser AND Chrome -- I need this fixed. Changing Associations under Properties did not help.

 

I made Vosteran stop loading concurrent with Chrome.

I reset browser to load only to Google.

No symptoms of this garbage Vosteran BUT I know pieces of it are still present.  

It also shows under Start>All Programs as still in my system.

 

I had already run AdwCleaner by xPlode.  But I only had it remove what I could figure out was safest to do.  I'm attaching the log that shows what was AND was NOT deleted through AdwCleaner.   I need to know what else in this log is safe to delete, please?  And, HOW to do it safely?

 

Lifes

 

Attached File: AdwCleanerS0_jan-31-2015.txt (14.62KB)




 


#2 satchfan

  • Malware Response Team
  • 2,917 posts
  • Gender:Female
  • Location:Devon, UK

Posted 03 February 2015 - 02:30 AM

Hello Lifes and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please run these in the order given in the instructions.

===================================================

Uninstall AdwCleaner

  • double click on adwcleaner.exe to run the tool
  • click on Uninstall
  • confirm with Yes

Download AdwCleaner again from here and save it to your desktop.

  • run AdwCleaner
  • when it has finished, allow AdwCleaner to delete everything it found, then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

===================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system, which is 32-bit.

  • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • press Scan button
  • it will produce a log called FRST.txt in the same directory the tool is run from
  • please copy and paste log back here.
  • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also paste that along with the FRST.txt into your reply.

Logs to include with next post:

AdwCleaner log
JRT.txt
FRST.txt
Addition.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 Lifes (Topic Starter)

Posted 04 February 2015 - 02:21 PM

Please note due to physical limitations, I might need a little extra time to reply.  I plan to post my logs today.



#4 satchfan

Posted 04 February 2015 - 04:58 PM

Take your time. As long as you keep in touch I'll be here and will wait until you're capable of following the instructions.

 

If you have any questions, don't be afraid to ask.

 

Satchfan




#5 Lifes (Topic Starter)

Posted 04 February 2015 - 05:06 PM

I assume on AdwCleaner, if I want to keep a program just uncheck those items?

 

I'm nervous about deleting Registry keys when I know zero about The Registry.  Is AdwCleaner "conservative" in what it lists to do, like CCleaner is supposed to be?

 

Lifes



#6 Lifes (Topic Starter)

Posted 04 February 2015 - 06:01 PM

Here are the logs.  I'm quite "lost" about all this, so please give "baby step" guidance in your reply.  I'm hoping you'll say nothing else needs done?  :-)    I will not be able to reply for at least 1 to 2 days from now.  Thank you for your help!!

Attached Files



#7 satchfan

Posted 05 February 2015 - 02:07 AM

Thank you for letting me know about your delay in responding.

 

AdwCleaner is safe to allow to delete everything it finds and it did indeed get rid of a lot.

 

I'll check the FRST log and send further instructions that you can carry out and reply to when you are able.

 

Satchfan




#8 Lifes (Topic Starter)

Posted 05 February 2015 - 04:55 AM

FRST file has at top:
Internet Explorer Version 8 (Default browser: Vosteran) --- This will need changing -- how? The default browser should be Chrome. But I leave IE installed for older programs.
 
 
Other problems noted since this issue began:
1.
Xenu Linkchecker requires IE to open and display Xenu's results.
New error message:
"Unable to open browser error 5: Access is denied."
for opening of file:///C:\Docum~1\name\Locals~1\Temp\TGHF66.htm  (a Xenu temporary HTML page to display results).
 
2. AVG free keeps opening a new, not before seen box: "update required" .
But AVG is set to auto update itself, and it says it is fully updated inside the program.
I just x out the new box.
 
3. AVG setting off new Notifications of what IS/is not operating in AVG.  I cannot find any screen in AVG for notifications that is different from settings I saw there before.  The new notifications occurs at each instance of Windows start-up.
 
4. Cannot connect to FTP using Filezilla. I use Frontpage2000 for webs. Please take an extra look for anything that might interfere with Frontpage or Filezilla since the Vosteran forced takeover.
 
5. I noticed Adw deleted info related to "Zynga".  Zynga is a game company through Facebook.  Will the Zynga game(s) just re-download or set up what it needs to run when I revisit the games?
 
 
Vosteran is NOT in Start Up>All Programs since doing the Adw scan/clean.  Yay--Progress!
 
 
Thank you for attending to these extra details.


#9 satchfan

Posted 05 February 2015 - 05:25 AM

Internet Explorer Version 8 (Default browser: Vosteran)

We look at your logs very thoroughly and I am aware of that: it will be dealt with in due course.
 

Xenu Linkchecker requires IE to open and display Xenu's results.
New error message:
"Unable to open browser error 5: Access is denied."
for opening of file:///C:\Docum~1\name\Locals~1\Temp\TGHF66.htm  (a Xenu temporary HTML page to display results).

That is probably not related but I should wait until we’ve finished and see if it is still a problem.
 

AVG free keeps opening a new, not before seen box: "update required" .
But AVG is set to auto update itself, and it says it is fully updated inside the program.

AVG is renowned for this problem and as far as I know have still not resolved it. This is an old article but the problem is current also.

Personally I would use an alternative free AV but if you wish to do that, please wait until you have the “all-clear” and I’ll give links to other recommended ones.

 

Cannot connect to FTP using Filezilla. I use Frontpage2000 for webs. Please take an extra look for anything that might interfere with Frontpage or Filezilla since the Vosteran forced takeover.

I can appreciate that your website needs to be updated but until we finish cleaning what is found I’m afraid your only solution is to follow the instructions. These instructions are done in an order that investigates and eliminates/confirms infections. Only then can we deal with them in an effective way.
 

I noticed Adw deleted info related to "Zynga". 

Zynga, (and many other game-makers), ask for your permission to access your friends list and all your basic information, therefore it is regarded as adware/spyware. However, it is your choice if you wish to re-install it when we are finished.


I will be posting further instructions shortly as I have just about finished analysing your logs.

Satchfan

 




#10 satchfan

Posted 05 February 2015 - 06:15 AM

Run Farbar Recovery Scan Tool

Open notepad (Start >All Programs > Accessories > Notepad). Please copy the entire contents of the code box below.


HKLM\...\Run: [jsg8jfgfdfhfhf] => C:\WINDOWS\TEMP\winlognn.exe <===== ATTENTION
HKU\S-1-5-21-1229272821-746137067-682003330-1003\...\Run: [jsg8jfgfdfhfhf] => C:\WINDOWS\TEMP\winlognn.exe <===== ATTENTION
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "http://www.google.com" <======= ATTENTION
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL =
Toolbar: HKU\S-1-5-21-1229272821-746137067-682003330-1003 -> No Name - {A057A204-BACC-4D26-9990-79A187E2698E} -  No File
Toolbar: HKU\S-1-5-21-1229272821-746137067-682003330-1003 -> No Name - {4982D40A-C53B-4615-B15B-B5B5E98D167C} -  No File
Toolbar: HKU\S-1-5-21-1229272821-746137067-682003330-1003 -> No Name - {4D503352-5636-006A-76A7-7A786E7484D7} -  No File
Toolbar: HKU\S-1-5-21-1229272821-746137067-682003330-1003 -> No Name - {4D503352-5637-006A-76A7-7A786E7484D7} -  No File
S3 Lavasoft Kernexplorer; \??\C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys [X]
U1 WS2IFSL; No ImagePath
CustomCLSID: HKU\S-1-5-21-1229272821-746137067-682003330-1003_Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\localserver32 -> "C:\Documents and Settings\Judy\Local Settings\Application Data\Vosteran\Application\31.0.1650.23\de (the data entry has 27 more characters).
Task: C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job => ?
Task: C:\WINDOWS\Tasks\At1.job => C:\DOCUME~1\Judy\APPLIC~1\WSE_VO~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
C:\WINDOWS\TEMP\winlognn.exe
C:\Program Files\Lavasoft\Ad-Aware
C:\Documents and Settings\Judy\Local Settings\Application Data\Vosteran
C:\WINDOWS\Tasks\Ad-Aware Update
C:\WINDOWS\Tasks\At1.job
CMD: ipconfig /flushdns
EmptyTemp:

NOTE: this script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system


  • save the files as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work
  • run FRST then click Fix just once and wait
  • it will create a log (Fixlog.txt); please post it to your reply.

================================================

Download zoek.exe to your Desktop:

Important: Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions how to disable your security applications here

  • on Windows Vista, 7, and 8, right-click Zoek.exe and select: Run as Administrator
  • give it a few seconds to appear
  • copy/paste the entire script inside the codebox below into the input field of Zoek:
    autoclean;
    emptyalltemp;
    emptyclsid;
    FFdefaults;
    iedefaults;
    chrdefaults;
    
  • close any open programs
  • click the Run script button, and wait. It takes a few minutes to run
  • when the tool finishes, the zoek-results.log is opened in Notepad: the log can also be found on the systemdrive, normally C:\
  • if a reboot is needed, the log will be opened after the reboot.

Logs to include with the next post:

Fixlog.txt
zoek-results.log


Satchfan

 


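The fixlist above is a hand-written list of FRST log lines the helper judged to be persistence points: Run values launching a binary from C:\WINDOWS\TEMP under both HKLM and the user hive, a scheduled task pointing at an 8.3 short path under the user profile, and toolbar CLSIDs with no backing file. The following triage helper is an added example, not part of the thread or of FRST itself; it parses lines in the same format and flags those same three patterns so a responder can see why each entry was selected. The sample log is constructed from the lines quoted in the post plus one benign Run value.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the flagged lines from the fixlist above plus one benign autorun.
SAMPLE_LOG = r"""
HKLM\...\Run: [jsg8jfgfdfhfhf] => C:\WINDOWS\TEMP\winlognn.exe <===== ATTENTION
HKU\S-1-5-21-1229272821-746137067-682003330-1003\...\Run: [jsg8jfgfdfhfhf] => C:\WINDOWS\TEMP\winlognn.exe <===== ATTENTION
Toolbar: HKU\S-1-5-21-1229272821-746137067-682003330-1003 -> No Name - {A057A204-BACC-4D26-9990-79A187E2698E} -  No File
Task: C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job => ?
Task: C:\WINDOWS\Tasks\At1.job => C:\DOCUME~1\Judy\APPLIC~1\WSE_VO~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
HKLM\...\Run: [ExampleBenignApp] => C:\Program Files\Example\app.exe
"""

@dataclass
class Finding:
    kind: str    # short category label
    target: str  # path, CLSID or job name the entry points at
    reason: str  # why a responder should look at it
    line: str    # the original log line

# Line shapes as they appear in FRST output; the trailing "<==== ATTENTION" marker is optional.
RUN_RE = re.compile(r"^(?P<key>HK\S+?\\Run): \[(?P<name>[^\]]*)\] => (?P<cmd>.+?)(?: <=+ ATTENTION)?$")
TASK_RE = re.compile(r"^Task: (?P<job>.+?\.job) => (?P<target>.+?)(?: <=+ ATTENTION)?$")
TOOLBAR_RE = re.compile(r"^Toolbar: .+ - (?P<clsid>\{[0-9A-Fa-f-]+\}) -\s+No File$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)   # autorun target lives in a temp folder
SHORT_PATH_RE = re.compile(r"~\d")                     # 8.3 short path such as DOCUME~1

def triage(log_text: str) -> list[Finding]:
    """Return the entries in log_text that match the patterns the fixlist targets."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            if TEMP_DIR_RE.search(m["cmd"]):
                findings.append(Finding("run-from-temp", m["cmd"],
                                        "autorun value launches a binary from a temp directory", line))
        elif m := TASK_RE.match(line):
            if m["target"] == "?":
                findings.append(Finding("orphan-task", m["job"],
                                        "scheduled task has no resolvable target", line))
            elif SHORT_PATH_RE.search(m["target"]):
                findings.append(Finding("task-short-path", m["target"],
                                        "scheduled task runs an 8.3 short-path binary under the user profile", line))
        elif m := TOOLBAR_RE.match(line):
            findings.append(Finding("orphan-toolbar", m["clsid"],
                                    "browser toolbar CLSID registered with no backing file", line))
    return findings

def shared_autoruns(findings: list[Finding]) -> dict[str, set[str]]:
    """Map each run-from-temp executable to the hives referencing it, keeping only
    binaries persisted in more than one hive (e.g. HKLM and the user's HKU key)."""
    hives: dict[str, set[str]] = {}
    for f in findings:
        if f.kind == "run-from-temp":
            hives.setdefault(f.target.lower(), set()).add(f.line.split("\\", 1)[0])
    return {exe: h for exe, h in hives.items() if len(h) > 1}

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.kind}] {f.target}: {f.reason}")
    print("persisted in multiple hives:", shared_autoruns(results))
```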


#11 Lifes (Topic Starter)

Posted 05 February 2015 - 03:09 PM

You said:  Open notepad (Start >All Programs > Accessories > Notepad). Please copy the entire contents of the code box below.

And you said:  save the files as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work

========

 

Just to clarify--

Question 1: Do you mean save the entire "code box" as just one file named fixlist.txt?

 

Question 2:  I ran FRST from the Desktop and saved its previous log to the Desktop.  And I can't recall if FRST made a Folder when I ran it before.  So do I save fixlist.txt to the Desktop also?

 

Thank you.

Lifes



#12 satchfan

Posted 05 February 2015 - 04:58 PM

Do you mean save the entire "code box" as just one file named fixlist.txt?

What I mean is to open notepad (Start >All Programs > Accessories > Notepad), then copy all of the text in the “code box" and paste it into Notepad.

When you’ve done that:

  • save the Notepad file as fixlist.txt and save it to your desktop
  • run FRST again, then click Fix just once and wait
  • it will create a log, (Fixlog.txt), please post the log it produces in your reply.

Don’t worry about the other scan, we’ll deal with one step at  a time.

Satchfan
 




#13 Lifes (Topic Starter)

Posted 07 February 2015 - 08:13 AM

Dear Satchfan,

 

Thank you for your patience.  Attached is the fixlog.   I wish we hadn't had to delete cookies (or that I had advanced warning about this) since I need physical assistance to get to my paper list of login passwords and I need physical assistance to type them back into websites.  No one will be able to help me with that until Monday. :-(

 

 

Please instruct me on the next step(s) I need to do.

 

Thank you very much for your help.

 

Lifes

Attached Files



#14 satchfan

Posted 07 February 2015 - 09:07 AM

I’m so sorry about the cookies: had I known about your physical restraints I could have given you instructions to run a different temporary file cleaner that would have allowed you to uncheck the cookies. That said, it restored 6 GB of space which is a vast amount and I would say that it was worth the extra bit of effort and patience to enable you to have a healthy computer.

We’ll run the other tool now minus the “empty temp" instructions.


Download zoek.exe to your Desktop:

Important: Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions how to disable your security applications here.

  • on Windows Vista, 7, and 8, right-click Zoek.exe and select: Run as Administrator
  • give it a few seconds to appear
  • copy/paste the entire script inside the codebox below into the input field of Zoek:
    
    autoclean;
    emptyclsid;
    FFdefaults;
    iedefaults;
    chrdefaults;
    
    
  • close any open programs.
  • click the Run script button, and wait. It takes a few minutes to run.
  • when the tool finishes, the zoek-results.log is opened in Notepad: the log can also be found on the systemdrive, normally C:\
  • if a reboot is needed, the log will be opened after the reboot.

Please run FRST again after you’ve done that and send the new log.

If you can, could you paste them into your reply instead of attaching them.

Take your time and respond as and when you can.

Logs to include with the next post:

zoek-results.log
New FRST.txt


Satchfan
 


Edited by satchfan, 07 February 2015 - 09:09 AM.



#15 Lifes (Topic Starter)

Posted 07 February 2015 - 09:29 AM

Yes, I am very pleased to have 6 GB of space freed. 
 
Uh, I messed up by trying to hurry... I forgot to turn off AVG. Why does AVG call Zoek a trojan? Should I re-download Zoek from a different site? Or is it safe to just turn off AVG and retry the file I already downloaded?
 
Also, you said:   You can find instructions how to disable your security applications here.  
But, the link returns me to this thread.  Could you repost the link for me please?
 
I'll try to continue the process later today-- probably after 6pm eastern time.
 
Thank you,
Lifes




