
Need verification I purged Vosteran



Hi All ...Not being all that tech savvy or even semi educated at malware removal I was hoping if someone out there can view my logs and verify if I have purged this malware from my system. First I ran AdwCleaner, then I ran Junk Removal Tool and last I ran Malwarebytes as per someone's instruction on this forum...I have attached the log files. But I also have a couple questions that hopefully someone can answer.

I first became aware of this malware when MBAM first detected it....I had like 28 items, all of them were this Vosteran. After a scan I quarantined all and ran another scan; I then had 27 objects...I had to run multiple scans and each one was only removing one item??? I was unable to checkmark anything and all these objects were indicated as quarantine as the desired action, yet it made no difference if I clicked on quarantine all or apply action...only one item was removed??? After like 25 scans MBAM listed my computer as clean. Due to the veracity of this virus, the unusual behavior of MBAM, and the fact my Norton product could not connect to the internet, I decided to follow the advice I read on this forum and remove ALL traces.

 

Thus brings me to question 2

 

It looks like the junk removal tool went ahead and deleted some stuff that may have been of value??

Thanks

Link to post
Share on other sites

:welcome:

You did not attach any reports.  You also did not provide 2 FRST diagnostic reports as per the top sticky note 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt).
  • Please only attach all reports.

 

In addition, you ought to do a Threat scan like this:

Start the Anti-Malware program.

Click the Settings icon at the top bar.   Then click on Detection and Protection.

Look at your selections there:

Especially look at the Non-Malware protection
For each of the lines marked
PUP
PUM

be sure your setting is made to Treat detections as malware


Click the Scan icon at the top bar.

Take a first look at the Scan window.

Do you see a green tick mark and a green line of text  ( like from the last scheduled scan).

If you see a button marked Main menu at the bottom right, then click it.

In any event, have the selection selected for Threat scan and then click Scan now.

If it displays an orange sign with Updates are available, press the Update now button.

Have lots of patience as it gets and processes the Update.  Even if your Windows bar shows ( not responding) keep patient and it eventually finishes after a bit.



A Threat Scan will begin.
When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
In some cases, a restart will be required.
Wait for the prompt to restart the computer to appear, then click on Yes.



Click on the History tab  > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click **'Copy to Clipboard'**
Paste the contents of the clipboard into your reply.
Then in the body of the reply box, do a Paste by pressing CTRL+V keys on the keyboard.

NOTE: If you cannot manage to do a copy / paste then send as attachments physical copies of the Scan logs.
At this point, set your Windows Explorer  ( windows File Manager) to show all folders, by doing as described for your version of Windows at this page
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

I need the most current scan log(s)  that starts with the name mbam-log-2015-01    ( with the latest time & Date stamp)
If you are on Version 2.0 of our program, the log will be under this folder with an **XML** extension
C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs

Link to post
Share on other sites

Here is a paste of a scan I just did ...as for the FRST scan ..yes I do know what bit rate my OS is but my Norton product removes it as a threat...so at this time I have not run this program...go figure, Norton alarms at this but let that Vosteran program install...as did MBAM ....I can only assume it was installed via a website or link while watching videos (my children). Hopefully and perhaps thankfully they were only able to use the user accounts and were ( I believe ) locked out of the admin.

After receiving no reply to my post I tried to remove my entry from the forum thinking I may have posted it wrong somehow...so actually the logs were up for two days before I took them down....so here they are again...hope you can glean some useable intel from them..

Prior to running these programs I believe MBAM did remove this malware, however like I said it took one scan to remove one object....and I had twenty plus objects and MBAM did not give me the option to "Quarantine All"...when I would click that button the objects would disappear like they were taken care of but in fact only one had been....another scan would reveal the same objects but minus one...so multiple scans later MBAM found nothing and declared my computer clean. However during this process and due to the odd behavior of MBAM and Norton and Firefox and having no advice to go on I used the scorched earth method and uninstalled any and all programs which I knew to be infected...for example Firefox...then I ran these programs and posted the info hoping to hear from someone who could guide me a bit with this nasty one.

So I ask you where do I go from here ...can you tell if I have eradicated it? Anything else you need to be able to tell? Or should I continue my scorched earth process and delete the user accounts and all their files? This PC sits dormant and offline until I can certify it to rejoin the network

I also have all the MBAM scans as I was removing it as well as the MBAM Protection and Scan logs if they are of any help

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/1/2015
Scan Time: 3:57:02 PM
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.01.06
Rootkit Database: v2014.12.30.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: JJ

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 547094
Time Elapsed: 11 min, 37 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

AdwCleanerS0.txt JRT.txt MBAM.txt

Link to post
Share on other sites
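The checks a helper makes by eye on a pasted scan log like the one above (completed Threat Scan, PUP/PUM enabled, every category at 0, database current), as an added example that is not part of any post in this thread and is not Malwarebytes code. The sample log is constructed, and the database-version date format and month/day/year scan date are assumptions read off the pasted log.

```python
import re
from datetime import date, datetime

# Constructed sample in the pasted log's "Key: value" layout (values altered).
SAMPLE_LOG = """\
Scan Date: 1/1/2015
Malware Database: v2015.01.01.06
Scan Type: Threat Scan
Result: Completed
PUP: Enabled
PUM: Disabled
Registry Keys: 2
Files: 1
"""
CATEGORIES = ("Processes", "Modules", "Registry Keys", "Registry Values",
              "Registry Data", "Folders", "Files", "Physical Sectors")
OPTIONS = ("Rootkits", "Heuristics", "PUP", "PUM")

def parse_log(text):
    """Return {field: value} for each 'Key: value' line (split at first colon)."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep and k.strip()}

def review(text, max_db_age_days=1):
    """List reasons the log does not support a 'clean' verdict; [] means none."""
    f, issues = parse_log(text), []
    if f.get("Scan Type") != "Threat Scan" or f.get("Result") != "Completed":
        issues.append("not a completed Threat Scan")
    for opt in OPTIONS:  # an option missing from the log is not flagged
        if opt in f and f[opt] != "Enabled":
            issues.append(f"{opt} detection is {f[opt]}")
    for cat in CATEGORIES:
        if f.get(cat, "0") != "0":
            issues.append(f"{cat}: {f[cat]} detection(s)")
    # Assumed formats: database version vYYYY.MM.DD.nn, Scan Date month/day/year.
    m = re.match(r"v(\d{4})\.(\d{2})\.(\d{2})\.", f.get("Malware Database", ""))
    try:
        scanned = datetime.strptime(f.get("Scan Date", ""), "%m/%d/%Y").date()
    except ValueError:
        scanned = None
    if not (m and scanned):
        issues.append("cannot compare database date with scan date")
    elif (scanned - date(*map(int, m.groups()))).days > max_db_age_days:
        issues.append("malware database older than the scan date")
    return issues
```

An empty list only says the log itself is consistent with a clean Threat Scan; it does not replace the FRST review requested in the thread.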

Your Windows 7 is the 64-bit version, thus you do need to get the 64-bit version of FRST.  You will need to temporarily turn off your Norton Antivirus so that it does not interfere with FRST64.   Norton is a bit infamous in blocking the use of FRST for no good reason.

I need the diagnostic data from the FRST tool  and this is the tool we will use to do fixes as well ( as needed) to squash any remains of the infection.

 

FRST is a very safe tool. We would never ask you to download an unsafe tool. Norton constantly has false positives on this tool, and the community continuously reports it. Norton fixes it and then the tool gets updated, and Norton detects it again. This tool is used by thousands of people across the globe every day without issue. Norton seems to be the only vendor deleting it.

https://www.virustotal.com/en/file/9a92493668d313771db011c6fd2bf7b894b97281bc5e3c3dee5c104372a33dca/...

Please disable Norton temporarily during the download and scan with FRST.

 

Kindly turn off Norton & then get & Save & then run FRST64.

 

Download link for **64-Bit Version**: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/?rha=1

save it to your desktop.   Once the download page starts do not click on any other links on that page.



RIGHT-click FRST64.exe and select Run as Administrator and allow it to start.   Reply YES when prompted by Windows.
When the tool opens click Yes to disclaimer.
Press the Scan button.
It will make a log ( FRST.txt ) in the same directory the tool is run.

Please attach that log to your reply.
The first time the tool is run, it makes a second log ( Addition.txt ).
Please attach that to your reply as well

 

reminder, please always "attach" all your report files.   Thank you.

 

Link to post
Share on other sites

I do not see leftover remains of Vosteran.  So on that count, your pc is in the clear.

I do see some remains of McAfee that should be removed.  Seeing that the pc has Norton.

 

Save the attached file Fixlist.txt    to the same location where you have FRST64.exe   -- the Downloads folder-- that's important for the Fix to work.

It needs to be saved Next to the "Farbar Recovery Scan Tool" (FRST64) program (If asked to overwrite an existing one please allow)

Run FRST64 again but this time press the "Fix" button just once and wait.

When finished, it will make a log ( fixlog.txt ) next to FRST.
Please attach the Fixlog.txt  into a reply.    <<---- that will be the file I need from you

Link to post
Share on other sites

Ok here is ...I hope the log that you need..hope it tells you something....another tidbit for ya ...after multiple scans and MBAM claiming my PC clean ...and even after I sent you the logs ...a recent scan found the dreaded MYSEARCHDIAL in a scan I ran last night....only downloads I have done are from mybleepingcomputer ....cannot remember an add-on or opt out being optional on any of those downloads??? Yet this forum and those downloads are the only action this PC has had in the past few days....other than lowering my firewall (I attached that mbam scan for whatever reason) ...has that been lurking or did it come in on one of the downloads??   Thanks again  88

Fixlog.txt mbam.txt

Link to post
Share on other sites

The Fix run was fine.  Your MBAM log shows <<Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections>>

 

If you have P U P  ( potential unwanted programs ) then you ought to do a scan like this.

 

Start the Anti-Malware program.

Click the Settings icon at the top bar.   Then click on Detection and Protection.

Look at your selections there:

Especially look at the Non-Malware protection
For each of the lines marked
PUP
PUM

be sure your setting is made to Treat detections as malware


Click the Scan icon at the top bar.

Take a first look at the Scan window.

Do you see a green tick mark and a green line of text  ( like from the last scheduled scan).

If you see a button marked Main menu at the bottom right, then click it.

In any event, have the selection selected for Threat scan and then click Scan now.

If it displays an orange sign with Updates are available, press the Update now button.

Have lots of patience as it gets and processes the Update.  Even if your Windows bar shows ( not responding) keep patient and it eventually finishes after a bit.



A Threat Scan will begin.
When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
In some cases, a restart will be required.
Wait for the prompt to restart the computer to appear, then click on Yes.
 

Link to post
Share on other sites

Ok it would seem that my PC has been purged of this one as no further scans...(and there have been many) have come up with anything...and yes my settings were and always have been to treat PUP and PUM as malware and I do have the self protection enabled....all the above on all my PC...updated daily if not hourly also even on my Norton product....for what little bit of good it does....You never did answer my questions ..like the odd behavior of MBAM only removing one item at a time ....or for that matter how MYSEARCHDIAL was allowed to slip through the cracks??

But at any rate...I believe that with your help .... my PC is fixed....Thanks for your help Maurice

88fingers

Link to post
Share on other sites

You asked <<how MYSEARCHDIAL was allowed to slip through the cracks??>>

One could ask several security-practices questions of you --

do you browse the internet while logged in with administrator-level rights?

If so, better to only do that when using a standard user account.

 

Plus practice safer internet use:  Never click email links from unsolicited email  ---- however enticing it might be.

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed. Furthermore, if the license agreement or installation screens state that they are going to install a toolbar or other unwanted adware, it is advised that you cancel the install and not use the free software.

 

Tighten up the security settings in each of your internet browser(s).

Plus use something like Adblock Plus

FireFox:  https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/
Chrome: https://adblockplus.org/category/adblock-plus-chrome/

Internet Explorer:  https://adblockplus.org/releases/adblock-plus-13-for-ie-released

 

Keeping all browsers updated with all recent updates and security fixes.

 

Get and put in place our  Anti-Exploit Premium
http://www.malwarebytes.org/products/antiexploit/

Have a hardware router between the incoming internet-modem and your computer.

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
 

Check on other update issues as well, by getting, installing and using Secunia Personal Software Inspector (PSI) on a monthly basis.
See How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector
http://www.bleepingcomputer.com/tutorials/tutorial174.html

 

Take extreme care if you share USB-flash/thumb drives from other people {even from friends, roommates, relatives}
Don't plug in an unknown flash/thumb drive into your PC.
IF you must do so, hold down the SHIFT-key when you insert the drive.
Scan any file with your Antivirus prior to opening or using.

 

And finally, no one single security app by itself is going to provide a perfect bubble of impermeable protection.

A multi-phased multi layer approach to keeping secure is needed.

 

No one single security application can detect and remove all threats, it's a statistical impossibility.

We update MBAM as many as a dozen times per day and are always researching and adding new detection and removal routines to the database.
Our research team is constantly analyzing and reviewing new infections for inclusion into our database. With the prevalence of new variants and infections the staff is working around the clock.
All security programs will still not be able to catch Everything at some point, this is a given known fact and is the main reason why security professionals across the globe strongly advocate a 'layered' approach to security:

Dedicated antivirus

Dedicated antimalware

Third party firewalls

Additionally, users should also always practice safe computing by doing the steps below:
1-Always back up data, both locally (on your system) and on either an external drive or on the cloud, all three for those who are super cautious

2-Make Windows back up disks

3-Make back ups of programs purchased

 

Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.