Hi there, I have some strange happenings on my computer. Firstly I happened to check my list of programs today and found wse vosteran listed. I googled it and went to bleeping computer and followed their advice on removal - downloaded ADWcleaner and Malwarebytes and quarantined threats. Now internet explorer is behaving strangely on start up. It won’t open correctly - gets stuck on blank page, until I click on the home button, and then it’s fine. But I have ?gws_rd=ssl tacked on the end of google address in the address bar. Am I still infected? Look forward to your advice.
see instructions https://forum.avast.com/index.php?topic=53253.0
scroll down to Farbar Recovery Scan Tool … run as instructed and attach the two diagnostic logs
Here they are…
now you wait for a malware expert … it may take some hours
Ok thank you.
Hi, let me know how it is after this fix
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2835797480-3305802549-2058157893-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
CHR HomePage: Default -> hxxp://Vosteran.com/?f=1&a=vst_wnzp01_14_51_ie&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtD0CtAtDtD0DtAtB0B0FzytN0D0Tzu0StCtDzzyEtN1L2XzutAtFyCtFtCtDtFyBtN1L1CzutCyEtBzytDyD1V1BtN1L1G1B1V1N2Y1L1Qzu2SyByCtA0CtB0ByCtCtGzzzytA0EtGyE0DtCtDtGyCzytBtCtGtA0EyByCzy0F0CzzyEzy0FtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0CyD0Ezz0FzyyCtG0CtC0FyEtGyEtCzy0DtG0B0BzzyBtG0AyD0C0BtDyE0AyC0B0D0A0F2Q&cr=1174906246&ir=
CustomCLSID: HKU\S-1-5-21-2835797480-3305802549-2058157893-1001_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Elizabeth\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
CustomCLSID: HKU\S-1-5-21-2835797480-3305802549-2058157893-1001_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Elizabeth\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
CustomCLSID: HKU\S-1-5-21-2835797480-3305802549-2058157893-1001_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Elizabeth\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
CustomCLSID: HKU\S-1-5-21-2835797480-3305802549-2058157893-1001_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Elizabeth\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
CustomCLSID: HKU\S-1-5-21-2835797480-3305802549-2058157893-1001_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Elizabeth\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
CustomCLSID: HKU\S-1-5-21-2835797480-3305802549-2058157893-1001_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Elizabeth\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
CustomCLSID: HKU\S-1-5-21-2835797480-3305802549-2058157893-1001_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Elizabeth\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
CustomCLSID: HKU\S-1-5-21-2835797480-3305802549-2058157893-1001_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Elizabeth\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
CustomCLSID: HKU\S-1-5-21-2835797480-3305802549-2058157893-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Elizabeth\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2835797480-3305802549-2058157893-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Elizabeth\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
Task: {4688E0AD-7728-4419-998B-15FDB6C0A9E8} - System32\Tasks\{5A229D8A-7B0F-4390-BFC0-97A59C80973B} => pcalua.exe -a "C:\Users\Elizabeth\Downloads\SpyHunter-Installer (1).exe" -d C:\Users\Elizabeth\Desktop
Task: {BDC2755D-248F-4E05-9239-DA1DA4B0EF0D} - System32\Tasks\{BB895EB4-695A-4A29-AE2E-BE44AAE0FEC6} => pcalua.exe -a "C:\Users\Elizabeth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\42UCA2XT\setupconsumerc2rolw.exe" -d C:\Users\Elizabeth\Desktop
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that
I can’t seem to find the file. It isn’t on my desktop where the others were saved! ???
Maybe I did something wrong? I clicked on fix without running a scan first - should I have done that?
No, place the fixlist next to FRST and then just press fix. It will reboot on completion and the fixlog will appear on your desktop
Ok, here it is…
How are the browsers running now?
When I open IE, it is the same. I get a box asking me to allow google toolbar to make changes to my computer.
On a new tab, I am still getting the google address plus the extra letters - https://www.google.co.uk/?gws_rd=ssl
And when I copy and paste I get asked whether I want to allow Windows spell check??
Could you post a screenshot please. Also allow google to make changes to your homepage first
Then run a fresh FRST scan
Hi there, I’ve pressed allow many times on opening up and it just keeps waiting, with the little circle going round and round on the tab at the top. If I open up a new tab, that’s fine. And forgive my ignorance, but how do I do a screenshot??
Use the snipping tool http://www.7tutorials.com/how-use-snipping-tool
Then go to control panel > internet options > click reset
Also could you run a fresh FRST scan
Hi there, so sorry for the delay. Here are a couple of screen shots. One of IE and the other of Chrome which I never normally use. Will now reset internet options and run the scan.
Here’s the FRST scan.
Hi, bear with me whilst I check that out as it appears to be normal(ish) for chrome