Vosteran, WSE_Vosteran, Storm Watch, Google Chrome, Google Toolbar, Internet Explorer

I am looking very closely at a Windows 7 32-bit computer which has been infected with what I believe is a new type of virus/malware which I shall call "deep Vosteran".

This is NOT the covert vosteran.com browser intercept virus; it is an overt takeover attempt of the PC's Internet browser by replacing it with a compromised version of Google Chrome. I have never seen anything like this one.

At the time of writing the malwaretips.com solution for vosteran.com is totally irrelevant, so please don't post it.

The user originally clicked on a sucker "Adobe Flash Player Update" on a normally legitimate site. In the space of two minutes this has installed the following packages visible from "Programs and Features":

Vosteran (a compromised version of Google Chrome)

WSE_Vosteran (a known rogue browser plug-in)

Storm Watch (a known rogue browser plug-in)

Arcade Giant (no idea what this is!)

On the same day, I see installed, albeit a few minutes after the main infection:

Google Toolbar for I.E. (known security leak)

There is no "Google Chrome" listed in "Programs and Features" and Google Chrome was not previously installed. I suspect that the user was suckered into installing the "Google Toolbar" by Google.

What is unusual is that "Vosteran" (a compromised version of Google Chrome) appears in the W7 Start Menu and pinned to the Taskbar AND starts when the PC starts (via the "Run" Registry key). When the user uses the ready-loaded browser, it is infested with POP-UPS which mostly warn of fictitious virus infections and suggest the user purchases remedial software. Obvious fraud.

This is an awesome virus/malware infection. Parallel research reveals that "Uninstall" from "Programs and Features" is pointless.

I have saved a list of every file created that day to a text file and homed in on the infection point, perversely by using the "History" from the compromised and renamed "Google Chrome".

@PA Bear. Please, please stay off this thread.

Anybody know how to get rid of this short of a cold build?  User has data backups.


Last updated October 25, 2018. Views: 12,157.


I got the same browser problem. On a Windows 8.1, on restart it would get to the login window then go black. Ctrl/Alt/Del would bring up a visible Task Manager, and by right-clicking I could get to a search of files and then run many programs.... but never could get the Explorer screen. By pressing (holding) the Shift key and doing a restart I got to Safe Mode. My System Restore did not find any restore points, but in Safe Mode it did.

System seems OK, but did get another Java update message (I don't trust it).

An error message before the restart said there was a Java error: was 1.8 but should have been 1.7???? (in the registry, I believe.....


Sorry to hear; maybe yours is caused by the difference in browser or OS. I still have good old Win XP and do not have the Vosteran problem anymore. I am not a tech and explained what I did that got rid of the problem. My removal of the problem was accidental. Good luck to all.


....what's worse is the zero-day vulnerability in the current version of Adobe Flash Player (16.0.0.287)

http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

Now see http://helpx.adobe.com/security/products/flash-player/apsa15-03.html

--
~Robear Dyer (PA Bear)
Microsoft MVP (Windows Client) since October 2002


After considerable research I had a successful attempt to remove this team of viruses from this fully-patched Windows 7 (32-bit) desktop PC.

Just for the record (and this is NOT instructions for other users who "think that they have the same problem").

1) Using a clean PC, download:

Revo Uninstaller

Malwarebytes

Copy both to a USB stick and then copy them to a known location of your choice on the hard drive of the infected computer. Do not install or run them yet.

Because this complex infection interferes with the Windows TCP/IP stack, it is very important that we do not use the infected computer to download software. The "Arcade Giant" software intercepts browser pages and injects malicious adverts.

2) Unpin "Vosteran" from the Taskbar. An earlier excellent indirect post advises that you must unpin software from the Taskbar or you cannot remove that software.

3) Install "Revo Uninstaller"

4) Fire up "Revo Uninstaller" and remove in strict order:

Storm Watch

WSE_Vosteran

Vosteran

Arcade Giant

(I got the uninstall order from analysing temporary files created by each installation and reversing the installation order.)

During each uninstallation, keep aware of background windows asking for uninstall confirmation and confirm the lot. If "Revo Uninstaller" wants to delete something, check the boxes.

"Arcade Giant" even fires up an irrelevant web page which you must close before confirming other background prompts and letting "Revo Uninstaller" finish.

5) Install Malwarebytes

Then update (which is automatic in the current version) and run a full scan. Quarantine everything it finds. In my case it was just debris in the Registry and in the filesystem tree left behind after "Revo Uninstaller".

6) Reboot (important)

7) Verify that "Vosteran Browser" is no longer autostarting and running in the foreground.

Check all your Internet browsers for unexpected "Add-ins". I found none.

Check all your Internet browsers for wonky home pages. I found none (to my surprise).

Check all your Internet browsers for bad alternative Search Providers. I deleted "not available" Vosteran.

8) Run a full scan with your anti-virus software

Mine was clean.

9) Check the TCP/IP stack

From the Windows "cmd" prompt:

netsh winsock show catalog | more

It should predominantly mention mswsock.dll and definitely not have any mention of "Catalytix" in the text. The "Arcade Giant" virus messes with the TCP/IP stack and intercepts web requests so it can inject adverts into any and every Internet browser. Very nasty virus.

Phew

Information provided "as is" with no warranties or guarantees.
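As an added example that is not part of the thread (and not a tool from any poster), the following PowerShell script automates the checks in steps 7 and 9 above: it parses "netsh winsock show catalog" and flags provider entries whose module is not mswsock.dll or that mention "Catalytix", then looks for Vosteran entries in the HKLM and HKCU "Run" keys. The sample catalog text and the Catalytix path inside it are constructed for illustration, not captured from the infected PC.

```powershell
# Added example, not from the thread: automates steps 7 and 9 of the removal post.
function Find-SuspiciousWinsockProviders {
    # Default: read the live catalog with the same command the post runs by hand.
    param([string[]]$CatalogText = (netsh winsock show catalog))
    $desc = $null
    foreach ($line in $CatalogText) {
        if ($line -match '^\s*Description:\s*(.+?)\s*$') { $desc = $Matches[1] }
        if ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
            $path = $Matches[1]
            # Healthy entries point at mswsock.dll; the post's infection used a
            # module mentioning "Catalytix". Anything else is flagged for review.
            $suspect = ($path -notmatch 'mswsock\.dll$') -or ("$desc $path" -match 'Catalytix')
            [pscustomobject]@{ Description = $desc; ProviderPath = $path; Suspect = $suspect }
        }
    }
}

function Find-VosteranAutostart {
    # Step 7: the post says Vosteran autostarts via the "Run" registry key.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's metadata properties
            if ("$($p.Name) $($p.Value)" -match 'Vosteran') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Constructed sample of catalog output (not captured from the infected PC); the
# Catalytix description and path are invented to show what a flagged entry looks like.
$sample = @'
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Description:                        Catalytix LSP
Provider Path:                      C:\ProgramData\Catalytix\catalytix.dll
'@ -split "`r?`n"
Find-SuspiciousWinsockProviders -CatalogText $sample | Format-Table -AutoSize

# Live checks on the machine being cleaned:
Find-SuspiciousWinsockProviders | Where-Object Suspect | Format-Table -AutoSize
Find-VosteranAutostart | Format-Table -AutoSize
```

Any live entry reported with Suspect = True, or any row from Find-VosteranAutostart, means the cleanup in steps 4 to 6 did not finish and the post's reboot-and-recheck should be repeated.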


@salmonsoule

You do not have the same problem. Please start a clean thread.

Information provided "as is" with no warranties or guarantees.


@PA Bear

I do wish that you would stay off my technical threads. We can all Google and post inane solutions.

In my post #1.

// sucker "Adobe Flash Player Update" //

What part of this do you not understand? There is a well-known worldwide problem with websites which display a FAKE Adobe/Java/Cisco update which leads to a Malware Installation.

The fact that Adobe Products are major security risks is well-known. Similarly Oracle Java.

Information provided "as is" with no warranties or guarantees.


Hi guys, wanna know what 'WSE Vosteran' is? It's not a virus really. It's just a program that invades your default browser. It's a pain in the **** to get rid of. It's in the installed program list, but you can't just uninstall it. I tried. I installed ADW Cleaner, and that thing kicked its **** off my computer, among other items. I highly recommend it if you are having issues with this program.

Good luck, Lunar
