
Infected with Vosteran - Help Please


  • This topic is locked
10 replies to this topic

#1 ssdirk

ssdirk

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:57 AM

Posted 04 February 2015 - 09:16 PM

I have attempted to remove using Avast, AdwCleaner, Malwarebytes, & HitmanPro, based on information found on sites before finding bleepingcomputer.  Hoping you can help!  Requested files attached.  Please advise what other information you might need to help.
 

Thank you,

 

ssdirk

Attached Files





#2 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:11:57 AM

Posted 05 February 2015 - 08:25 AM

Hi. I'm checking your log now and will reply with instructions soon.

#3 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:11:57 AM

Posted 05 February 2015 - 10:51 AM

It appears that you are running 2 antivirus programs: Avast and Symantec. Running more than 1 AV in real-time will slow down your computer and could cause conflicts, as they may flag each other as malware, which could lead to file corruption, hangs, crashes or other problems. So, I recommend uninstalling one of them.

Also, do you recognize these files?

C:\Users\Dirk Harris\Downloads\bxla12052013.exe
C:\Users\Dirk Harris\Downloads\upgr12072013.exe


If not, go to Virustotal
Click the 'Choose File' button
Navigate to this file C:\Users\Dirk Harris\Downloads\bxla12052013.exe
Click on the Open button
Click on the Scan it! button
Do the same for C:\Users\Dirk Harris\Downloads\upgr12072013.exe
Copy and paste the results into your next reply.

Next, follow these steps:

1.- Open notepad. Please copy the contents of the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it to your Desktop as fixlist.txt
 
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
CHR HomePage: Default -> hxxp://vosteran.com/?f=1&a=vst_ggfc_15_05_ie&cd=2XzuyEtN2Y1L1QzutDtDtBtByCyEtBtAtBtCyB0F0E0E0EyDtN0D0Tzu0StCtCtBtCtN1L2XzutAtFyBtFtBtFtCtN1L1CzutCyEtBzytDyD1V1BtAtN1L1G1B1V1N2Y1L1Qzu2SyBtAtD0F0F0AzytCtG0C0AtB0EtG0D0BtD0DtGzy0B0AtBtGyEyBtC0AyBtA0FyB0DyCtByB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzyyD0BtC0Azy0FtAtGyCtCzz0DtGyE0C0FtDtG0ByE0AyEtG0A0E0C0FyCyEtAyDzz0DtAtA2Q&cr=810824005&ir=
CHR StartupUrls: Default -> "hxxp://vosteran.com/?f=7&a=vst_ggfc_15_05_ie&cd=2XzuyEtN2Y1L1QzutDtDtBtByCyEtBtAtBtCyB0F0E0E0EyDtN0D0Tzu0StCtCtBtCtN1L2XzutAtFyBtFtBtFtCtN1L1CzutCyEtBzytDyD1V1BtAtN1L1G1B1V1N2Y1L1Qzu2SyBtAtD0F0F0AzytCtG0C0AtB0EtG0D0BtD0DtGzy0B0AtBtGyEyBtC0AyBtA0FyB0DyCtByB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzyyD0BtC0Azy0FtAtGyCtCzz0DtGyE0C0FtDtG0ByE0AyEtG0A0E0C0FyCyEtAyDzz0DtAtA2Q&cr=810824005&ir=", "hxxp://search.conduit.com/?ctid=CT3310511&SearchSource=48&CUI=UN26835722921207342&UM=2"
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.94\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (         "name": "",) - C:\Users\abctech\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmdfpnpdmnjaffhcdbobdjpolhpacaem\1.0.5_0\chromeNPAPI.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (Java Deployment Toolkit 7.0.170.2) - C:\Windows\SysWOW64\npDeployJava1.dll No File
CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll No File
CHR Extension: (Solution Real) - C:\Users\abctech\AppData\Local\Google\Chrome\User Data\Default\Extensions\obemdemamldcfdmhlohodidgomlchimk [2015-01-29]
S3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
2015-01-28 11:26 - 2014-05-18 08:34 - 00000000 ____D () C:\ProgramData\boost_interprocess
Task: {A8A61943-3ADD-4D26-8404-F12CFB359C62} - System32\Tasks\{79F02A8A-83ED-495E-BFF5-AC6020F94E3D} => pcalua.exe -a "C:\Users\Dirk Harris\Downloads\bxla12052013.exe" -d "C:\Users\Dirk Harris\Downloads"
Task: {F486D022-44F7-48C1-AEEB-D60B6E1D336C} - System32\Tasks\{FD35CA0B-6511-43C9-A444-E533A5FDADDC} => pcalua.exe -a "C:\Users\Dirk Harris\Downloads\upgr12072013.exe" -d "C:\Users\Dirk Harris\Downloads"
CMD: DIR c:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7 /s
EmptyTemp:
NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Run FRST and press the Fix button just once and wait.
The tool will make a log on your desktop (Fixlog.txt); please post it in your reply.

2.- Download AdwCleaner by Xplode onto your Desktop.
  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan
  • Once the scan is done, this time click on the Clean button.
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer.
  • A text file will open after the restart. Please post the content of that logfile in your reply.
  • You can also find the logfile at C:\AdwCleaner[Sn].txt ('n' represents the most recent report).
3.- Download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Run the tool by double-clicking it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt in your next message.
4.- Please download RogueKiller and Save to the desktop.
Note: Do NOT click the Delete button, unless otherwise instructed.
  • Close all windows and browsers
  • Double click on RogueKiller.exe to run the tool.
  • Press the scan button.
  • Once the scan is done, click on Report.
  • A log file will open, please copy/paste the contents of that file into your next reply.

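Rootk's fixlist above is built from FRST report entries: a hijacked Chrome start page, a policy restriction that FRST itself flagged, orphaned services and plugins whose files are gone, and two scheduled tasks that launch downloaded executables through pcalua.exe. The Python script below is an added example, not part of this thread and not part of the FRST tool, showing how a defender could triage such entries automatically instead of by eye. The sample lines are constructed (the long vosteran URL parameters and most GUIDs are shortened or made up), and the allowlist of acceptable home-page hosts is an assumption to be adjusted per case.

```python
import re
from collections import Counter

# Constructed sample of FRST-style report lines, modelled on the kinds of entries that
# appear in the fixlist above. URL parameters and most GUIDs are shortened or invented;
# they are illustrative, not copied from a real machine.
SAMPLE_LOG = r"""
CHR HomePage: Default -> hxxp://vosteran.com/?f=1&a=vst_ggfc_15_05_ie&cr=810824005&ir=
CHR StartupUrls: Default -> "hxxp://vosteran.com/?f=7", "hxxp://search.conduit.com/?ctid=CT3310511"
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR Extension: (Solution Real) - C:\Users\abctech\AppData\Local\Google\Chrome\User Data\Default\Extensions\obemdemamldcfdmhlohodidgomlchimk [2015-01-29]
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
Task: {A8A61943-3ADD-4D26-8404-F12CFB359C62} - System32\Tasks\{79F02A8A-83ED-495E-BFF5-AC6020F94E3D} => pcalua.exe -a "C:\Users\Dirk Harris\Downloads\bxla12052013.exe" -d "C:\Users\Dirk Harris\Downloads"
Task: {11111111-2222-3333-4444-555555555555} - System32\Tasks\ExampleUpdater => C:\Program Files (x86)\Example\updater.exe
CHR HomePage: Default -> hxxp://www.google.com/
"""

# Assumed allowlist of home-page hosts the analyst considers legitimate; adjust per case.
ALLOWED_HOMEPAGE_HOSTS = {"www.google.com", "google.com", "www.bing.com", "bing.com"}

# FRST defangs URLs as hxxp:// so they are not clickable; accept both forms.
HOST_RE = re.compile(r'h(?:xx|tt)ps?://([^/"\s]+)', re.IGNORECASE)
NAME_RE = re.compile(r'\((.*?)\)')


def classify(line):
    """Return (severity, reason) for one FRST-style line, or None if nothing stands out."""
    text = line.strip()
    if not text:
        return None
    # 1. FRST already marked the entry (here: a Chrome policy that locks browser settings).
    if "<======= ATTENTION" in text:
        return ("high", "entry flagged by FRST: " + text.split("<=======")[0].strip())
    # 2. Browser home page / startup URLs pointing at hosts outside the allowlist.
    if text.startswith(("CHR HomePage:", "CHR StartupUrls:")):
        hosts = sorted({h.lower() for h in HOST_RE.findall(text)})
        bad = [h for h in hosts if h not in ALLOWED_HOMEPAGE_HOSTS]
        if bad:
            return ("high", "browser start page hijack, unexpected host(s): " + ", ".join(bad))
        return None
    # 3. Scheduled tasks that run a program through pcalua.exe (Program Compatibility
    #    Assistant). Legitimate installers rarely leave such tasks behind; review the target.
    if text.startswith("Task:") and "=> pcalua.exe" in text:
        return ("medium", "scheduled task launches a program via pcalua.exe: " + text.split("=>", 1)[1].strip())
    # 4. Leftover entries whose target no longer exists ([X] / No File): dead weight, not active malware.
    if text.endswith("[X]") or text.endswith("No File"):
        return ("low", "orphaned entry, target file missing")
    # 5. Installed Chrome extensions: not necessarily bad, but worth confirming the user wants them.
    if text.startswith("CHR Extension:"):
        m = NAME_RE.search(text)
        name = m.group(1) if m else "unknown"
        return ("info", "Chrome extension installed, confirm it is wanted: " + name)
    return None


def scan(report_text):
    """Run classify() over every line of a report and return a list of finding dicts."""
    findings = []
    for number, line in enumerate(report_text.splitlines(), start=1):
        result = classify(line)
        if result:
            severity, reason = result
            findings.append({"line": number, "severity": severity, "reason": reason, "entry": line.strip()})
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']:<6}] line {f['line']}: {f['reason']}")
    print(count_by_severity(results))
```

The rules are ordered from most to least specific so that an entry FRST has already marked with ATTENTION is reported as such rather than as a generic missing-file line; the orphaned-entry and extension rules deliberately rank low, because on this thread those items were cleanup rather than the infection itself.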

#4 ssdirk

ssdirk
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:57 AM

Posted 05 February 2015 - 12:52 PM

Thank you, Rootk.  It will be a few hours before I'm able to do these things but will revert back as soon as I'm able.  I appreciate your help!

 

-ssdirk



#5 ssdirk

ssdirk
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:57 AM

Posted 06 February 2015 - 05:34 AM

1)  - I believe both of these files relate to my Bloomberg terminal installation / upgrade.  I attempted to submit the bxla... file to Virustotal, but received an error that the file was too large.  I searched, but could not find the upgr... file on my computer.

2) Fixlog.txt log attached.

 

3) Adwcleaner log attached.

 

4) JRT.txt file attached.

 

5) RogueKiller file attached.

 

Thanks again for your help.

 

-ssdirk

Attached Files



#6 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:11:57 AM

Posted 06 February 2015 - 12:42 PM

Follow these steps:
 
1.- Please open Malwarebytes Anti-Malware

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Please update the database by clicking on the Update Now button as shown below.
  • Following the update, click Settings > Detection and Protection and make sure Scan for Rootkits is checked.
  • Click on Dashboard, then click on the large green Scan Now button to begin the Threat Scan. If Malware or Potentially Unwanted Programs are found you will receive a prompt so that you can decide what you want to do. I suggest "Quarantine". Click the button: Apply All Actions.
  • A window with an option to view the detailed log will appear. Click on View Detailed Log.
  • After viewing the results, please click on the Copy to Clipboard button > OK.
  • Return to our forum. Paste your log into your next reply.
  • Note: If you lose the Clipboard copy and need to retrieve the log again, it can be found by opening Malwarebytes and clicking on History > Application Logs with the date of the scan. Simply double-click on that in order to see the options for Copying to Clipboard or to Export to a .txt file (Notepad), etc. The .txt file can be saved and posted when you are ready.
2.- Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes and if it finds anything, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


#7 ssdirk

ssdirk
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:57 AM

Posted 08 February 2015 - 11:53 AM

Sorry for the delay.  

 

Logs of both requested scans attached.

Attached Files



#8 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:11:57 AM

Posted 09 February 2015 - 06:37 PM

Your logs look OK. How are things running now?

#9 ssdirk

ssdirk
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:57 AM

Posted 11 February 2015 - 11:51 AM

Yes, everything appears to be working fine now.  Thank you for your help!  I sincerely appreciate it!  I'd be curious to know what protection software (anti-virus &/or anti-malware, etc) you would recommend installing on my computers?



#10 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:11:57 AM

Posted 11 February 2015 - 06:49 PM

You are welcome.
 

> Yes, everything appears to be working fine now.  Thank you for your help!  I sincerely appreciate it!  I'd be curious to know what protection software (anti-virus &/or anti-malware, etc) you would recommend installing on my computers?


I personally use Microsoft Security Essentials and MBAM, but there are a lot of choices out there: http://www.bleepingcomputer.com/forums/t/405/antivirus-antimalware-and-antispyware-resources/

If the computer is running fine and you're not having any other problem, then follow these final steps:

Create a System restore point.

Open System by clicking the Start button, right-clicking Computer, and then clicking Properties.
In the left pane, click System protection. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
Click the System Protection tab, and then click Create.
In the System Protection dialog box, type a description, and then click Create.

Remove ESET Online Scanner:

Click on Start, Settings, Control Panel
Double click on Add/Remove Programs
Find: Eset Online Scanner in the list of installed programs and click on Change/Remove to uninstall it.

Run Delfix

This program will remove the tools used and their logs. If anything remains, you can delete it manually.
Please download Delfix and save it to your desktop.
Double click on Delfix.exe to run the tool and click on the Run button.

Finally, to help protect your computer in the future I recommend that you read this article: So how did I get infected in the first place? I also recommend running Secunia PSI. It will monitor the software you have installed and let you know when something needs to be updated.

Be sure to post back if you have any more problems.

#11 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:11:57 AM

Posted 06 April 2015 - 07:07 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



