
Resolved Question

Vosteran Removal?

Jan 11, 2015 2:49AM PST

My PC seems to have been infected by vosteran. My browser is being hijacked on some forums.

I'm running Windows 7 Home Premium 64.

I've done a Malwarebytes scan and removed 3 vosteran items, but the problem persists. Any help would be greatly appreciated, thanks.


Best Answer

Try this.
Jan 11, 2015 3:16AM PST
AdwCleaner txt
Jan 11, 2015 5:44AM PST

# AdwCleaner v4.107 - Report created 11/01/2015 at 19:36:51
# Updated 07/01/2015 by Xplode
# Database : 2015-01-11.2 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Admin - ADMIN-PC
# Running from : C:\Users\Admin\Desktop\adwcleaner_4.107.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : YahooAUService
Service Deleted : Skype C2C Service

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Yahoo! Companion
Folder Deleted : C:\Users\Admin\AppData\Local\Mobogenie
Folder Deleted : C:\Users\Admin\AppData\LocalLow\Yahoo! Companion
Folder Deleted : C:\Users\Admin\Documents\Mobogenie
Folder Deleted : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn
Folder Deleted : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl
File Deleted : C:\Users\Admin\daemonprocess.txt
File Deleted : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorage
File Deleted : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorage-journal
File Deleted : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_services.hearstmags.com_0.localstorage-journal
File Deleted : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_services.hearstmags.com_0.localstorage
File Deleted : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.audienceinsights.net_0.localstorage
File Deleted : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.audienceinsights.net_0.localstorage-journal
File Deleted : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage-journal

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [mobilegeni daemon]
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{8DCB7100-DF86-4384-8842-8FA844297B3F}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}]
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Companion
Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~2\WI3C8A~1\Datamngr\datamngr.dll

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17420


-\\ Google Chrome v39.0.2171.71

[C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://en.softonic.com/s/{searchTerms}
[C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.webaddresshelp.bt.com/index?ClientLocation=uk&ParticipantID=mg76cjr54t8kx45jjw4j4k9j5hsr5m26&Implementation=33&LinkID=U1LapX8AAAEAAGn0UFMAAAC9&FailureMode=5&pvf=1&pvi=0&SearchQuery={searchTerms}&searchbtn=Search
[C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://uk.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [7276 octets] - [11/01/2015 19:29:13]
AdwCleaner[S0].txt - [7319 octets] - [11/01/2015 19:36:51]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [7379 octets] ##########

MalwareBytes txt
Jan 11, 2015 5:44AM PST

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/01/2015
Scan Time: 19:47:18
Logfile: MalWareBytes.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.11.10
Rootkit Database: v2015.01.07.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Admin

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 357980
Time Elapsed: 13 min, 51 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

HitmanPro txt
Jan 11, 2015 5:45AM PST

HitmanPro 3.7.9.234
www.hitmanpro.com

Computer name . . . . : ADMIN-PC
Windows . . . . . . . : 6.1.1.7601.X64/4
User name . . . . . . : Admin-PC\Admin
UAC . . . . . . . . . : Disabled
License . . . . . . . : Trial (30 days left)

Scan date . . . . . . : 2015-01-11 20:12:00
Scan mode . . . . . . : Normal
Scan duration . . . . : 11m 4s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No

Threats . . . . . . . : 1
Traces . . . . . . . : 102

Objects scanned . . . : 2,124,074
Files scanned . . . . : 119,622
Remnants scanned . . : 755,522 files / 1,248,930 keys

Suspicious files ____________________________________________________________

C:\Users\Admin\AppData\Local\PunkBuster\BF3\pb\dll\wc002317.dll
Size . . . . . . . : 949,613 bytes
Age . . . . . . . : 673.9 days (2013-03-08 23:01:03)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 15059F09B1D62DEA6B5D22EF9E0D062411C167378D870AE339AAB50B0BDC7FC0
Fuzzy . . . . . . : 29.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.

C:\Users\Admin\AppData\Local\PunkBuster\BF3\pb\dll\wc002325.dll
Size . . . . . . . : 959,376 bytes
Age . . . . . . . : 679.2 days (2013-03-03 14:47:40)
Entropy . . . . . : 7.6
SHA-256 . . . . . : A85592ACDCFDA7C0293504A5F5279C2654ACC0E6D2398ED8958F6E03F05DCEB5
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.

C:\Users\Admin\AppData\Local\PunkBuster\BF3\pb\dll\wc002331.dll
Size . . . . . . . : 963,480 bytes
Age . . . . . . . : 510.0 days (2013-08-19 20:08:02)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 4693498864B2A4C15EECDD4D132FFDFEDE3F9E4BAFA427F77BC87046A7352D1E
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.

C:\Users\Admin\AppData\Local\PunkBuster\BF3\pb\dll\wc002342.dll
Size . . . . . . . : 969,032 bytes
Age . . . . . . . : 181.0 days (2014-07-14 20:05:06)
Entropy . . . . . : 7.6
SHA-256 . . . . . : FC5702BFEF687EDAF89499C7849E4FDA0AF9D72A5A632C5B4E20F2562468596C
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.

C:\Users\Admin\AppData\Local\PunkBuster\BF3\pb\pbcl.dll
Size . . . . . . . : 969,032 bytes
Age . . . . . . . : 150.0 days (2014-08-14 19:22:21)
Entropy . . . . . : 7.6
SHA-256 . . . . . : FC5702BFEF687EDAF89499C7849E4FDA0AF9D72A5A632C5B4E20F2562468596C
RSA Key Size . . . : 2048
Authenticode . . . : Valid
Fuzzy . . . . . . : 22.0
The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program contains PE structure anomalies. This is not typical for most programs.
Program is code signed with a valid Authenticode certificate.

Well I see...
Jan 11, 2015 5:59AM PST
Thanks
Jan 11, 2015 6:17AM PST

All went well; the only issue was that either step 4 or step 5 deleted my internet connection, hence the long downtime with no reply. Fortunately HitmanPro creates a restore point though.

Resolved
Jan 11, 2015 5:59AM PST

It seems to have worked. Many thanks gwrach923!

Great news!
Jan 11, 2015 6:09AM PST

Punkbuster seems bad news though.
Dafydd.

Punkbuster
Jan 11, 2015 6:27AM PST

I believe that's the anti-cheat software for Call of Duty.

I think it was HitmanPro deleting a registry key in my Admin Local that disabled my internet connection. It came up as an 'Access Denied'. Probably should have left that one.

Answer
remove it?
Jan 11, 2015 5:42PM PST

Have you removed it yet? If anti-virus cannot remove it, you can remove it manually. The condition is that you have some professional skills.

Yes, it's gone.
Jan 11, 2015 6:20PM PST

Yeah I think it's gone.