Computer Help forum

Resolved Question

Vosteran Removal?

by BD_1994 / January 11, 2015 2:49 AM PST

My PC seems to have been infected by Vosteran. My browser is being hijacked on some forums.

I'm running Windows 7 Home Premium 64.

I've done a Malwarebytes scan and removed 3 Vosteran items, but the problem persists. Any help would be greatly appreciated, thanks.


All Answers

Best Answer chosen by BD_1994

Try this.
by Dafydd Forum moderator / January 11, 2015 3:16 AM PST
In reply to: Vosteran Removal?
AdwCleaner txt
by BD_1994 / January 11, 2015 5:44 AM PST
In reply to: Try this.

# AdwCleaner v4.107 - Report created 11/01/2015 at 19:36:51
# Updated 07/01/2015 by Xplode
# Database : 2015-01-11.2 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Admin - ADMIN-PC
# Running from : C:\Users\Admin\Desktop\adwcleaner_4.107.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : YahooAUService
Service Deleted : Skype C2C Service

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Yahoo! Companion
Folder Deleted : C:\Users\Admin\AppData\Local\Mobogenie
Folder Deleted : C:\Users\Admin\AppData\LocalLow\Yahoo! Companion
Folder Deleted : C:\Users\Admin\Documents\Mobogenie
Folder Deleted : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn
Folder Deleted : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl
File Deleted : C:\Users\Admin\daemonprocess.txt
File Deleted : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorage
File Deleted : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorage-journal
File Deleted : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_services.hearstmags.com_0.localstorage-journal
File Deleted : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_services.hearstmags.com_0.localstorage
File Deleted : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.audienceinsights.net_0.localstorage
File Deleted : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.audienceinsights.net_0.localstorage-journal
File Deleted : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage-journal

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [mobilegeni daemon]
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{8DCB7100-DF86-4384-8842-8FA844297B3F}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}]
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Companion
Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~2\WI3C8A~1\Datamngr\datamngr.dll

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17420


-\\ Google Chrome v39.0.2171.71

[C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://en.softonic.com/s/{searchTerms}
[C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.webaddresshelp.bt.com/index?ClientLocation=uk&ParticipantID=mg76cjr54t8kx45jjw4j4k9j5hsr5m26&Implementation=33&LinkID=U1LapX8AAAEAAGn0UFMAAAC9&FailureMode=5&pvf=1&pvi=0&SearchQuery={searchTerms}&searchbtn=Search
[C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://uk.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [7276 octets] - [11/01/2015 19:29:13]
AdwCleaner[S0].txt - [7319 octets] - [11/01/2015 19:36:51]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [7379 octets] ##########

MalwareBytes txt
by BD_1994 / January 11, 2015 5:44 AM PST
In reply to: Try this.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/01/2015
Scan Time: 19:47:18
Logfile: MalWareBytes.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.11.10
Rootkit Database: v2015.01.07.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Admin

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 357980
Time Elapsed: 13 min, 51 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

HitmanPro txt
by BD_1994 / January 11, 2015 5:45 AM PST
In reply to: Try this.

[code]
HitmanPro 3.7.9.234
www.hitmanpro.com

Computer name . . . . : ADMIN-PC
Windows . . . . . . . : 6.1.1.7601.X64/4
User name . . . . . . : Admin-PC\Admin
UAC . . . . . . . . . : Disabled
License . . . . . . . : Trial (30 days left)

Scan date . . . . . . : 2015-01-11 20:12:00
Scan mode . . . . . . : Normal
Scan duration . . . . : 11m 4s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No

Threats . . . . . . . : 1
Traces . . . . . . . : 102

Objects scanned . . . : 2,124,074
Files scanned . . . . : 119,622
Remnants scanned . . : 755,522 files / 1,248,930 keys

Suspicious files ____________________________________________________________

C:\Users\Admin\AppData\Local\PunkBuster\BF3\pb\dll\wc002317.dll
Size . . . . . . . : 949,613 bytes
Age . . . . . . . : 673.9 days (2013-03-08 23:01:03)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 15059F09B1D62DEA6B5D22EF9E0D062411C167378D870AE339AAB50B0BDC7FC0
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.

C:\Users\Admin\AppData\Local\PunkBuster\BF3\pb\dll\wc002325.dll
Size . . . . . . . : 959,376 bytes
Age . . . . . . . : 679.2 days (2013-03-03 14:47:40)
Entropy . . . . . : 7.6
SHA-256 . . . . . : A85592ACDCFDA7C0293504A5F5279C2654ACC0E6D2398ED8958F6E03F05DCEB5
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.

C:\Users\Admin\AppData\Local\PunkBuster\BF3\pb\dll\wc002331.dll
Size . . . . . . . : 963,480 bytes
Age . . . . . . . : 510.0 days (2013-08-19 20:08:02)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 4693498864B2A4C15EECDD4D132FFDFEDE3F9E4BAFA427F77BC87046A7352D1E
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.

C:\Users\Admin\AppData\Local\PunkBuster\BF3\pb\dll\wc002342.dll
Size . . . . . . . : 969,032 bytes
Age . . . . . . . : 181.0 days (2014-07-14 20:05:06)
Entropy . . . . . : 7.6
SHA-256 . . . . . : FC5702BFEF687EDAF89499C7849E4FDA0AF9D72A5A632C5B4E20F2562468596C
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.

C:\Users\Admin\AppData\Local\PunkBuster\BF3\pb\pbcl.dll
Size . . . . . . . : 969,032 bytes
Age . . . . . . . : 150.0 days (2014-08-14 19:22:21)
Entropy . . . . . : 7.6
SHA-256 . . . . . : FC5702BFEF687EDAF89499C7849E4FDA0AF9D72A5A632C5B4E20F2562468596C
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.
[/code]

Well I see...
by Dafydd Forum moderator / January 11, 2015 5:59 AM PST
In reply to: HitmanPro txt
Thanks
by BD_1994 / January 11, 2015 6:17 AM PST
In reply to: Well I see...

All went well; the only issue was that either step 4 or step 5 deleted my internet connection, hence the long downtime with no reply. Fortunately HitmanPro creates a restore point though.

Resolved
by BD_1994 / January 11, 2015 5:59 AM PST
In reply to: HitmanPro txt

It seems to have worked. Many thanks gwrach923!

Great news!
by Dafydd Forum moderator / January 11, 2015 6:09 AM PST
In reply to: Resolved

Punkbuster seems bad news though.
Dafydd.

Punkbuster
by BD_1994 / January 11, 2015 6:27 AM PST
In reply to: Great news!

I believe that's the anti-cheat software for Call of Duty.

I think it was HitmanPro deleting a registry key in my Admin Local that disabled my internet connection. It came up as an 'Access Denied'. Probably should have left that one.

Answer
remove it?
by huaxiaM / January 11, 2015 5:42 PM PST
In reply to: Vosteran Removal?

Have you removed it yet? If anti-virus cannot remove it, you can remove it manually. The condition is that you have some professional skills.

Yes, it's gone.
by BD_1994 / January 11, 2015 6:20 PM PST
In reply to: remove it?

Yeah I think it's gone.
