Author Topic: www.google.co.uk/?gws_rd=ssl  (Read 13955 times)


Offline e.harvey

  • Jr. Member
  • **
  • Posts: 66
www.google.co.uk/?gws_rd=ssl
« on: January 16, 2015, 03:00:02 PM »
Hi there, I have some strange happenings on my computer. Firstly I happened to check my list of programs today and found wse vosteran listed. I googled it and went to bleeping computer and followed their advice on removal - downloaded ADWcleaner and Malwarebytes and quarantined threats. Now internet explorer is behaving strangely on start up. It won't open correctly - gets stuck on blank page, until I click on the home button, and then it's fine. But I have ?gws_rd=ssl tacked on the end of google address in the address bar. Am I still infected? Look forward to your advice. :)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: www.google.co.uk/?gws_rd=ssl
« Reply #1 on: January 16, 2015, 03:07:45 PM »
see instructions  https://forum.avast.com/index.php?topic=53253.0
scroll down to Farbar Recovery Scan Tool ... run as instructed and attach the two diagnostic logs




Offline e.harvey

Re: www.google.co.uk/?gws_rd=ssl
« Reply #2 on: January 16, 2015, 03:16:31 PM »
Here they are..

Offline Pondus

Re: www.google.co.uk/?gws_rd=ssl
« Reply #3 on: January 16, 2015, 03:22:44 PM »
now you wait for a malware expert .... it may take some hours


Offline e.harvey

Re: www.google.co.uk/?gws_rd=ssl
« Reply #4 on: January 16, 2015, 03:32:30 PM »
Ok thank you. :)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: www.google.co.uk/?gws_rd=ssl
« Reply #5 on: January 16, 2015, 03:57:49 PM »
Hi :) Let me know how it is after this fix

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2835797480-3305802549-2058157893-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
CHR HomePage: Default -> hxxp://Vosteran.com/?f=1&a=vst_wnzp01_14_51_ie&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtD0CtAtDtD0DtAtB0B0FzytN0D0Tzu0StCtDzzyEtN1L2XzutAtFyCtFtCtDtFyBtN1L1CzutCyEtBzytDyD1V1BtN1L1G1B1V1N2Y1L1Qzu2SyByCtA0CtB0ByCtCtGzzzytA0EtGyE0DtCtDtGyCzytBtCtGtA0EyByCzy0F0CzzyEzy0FtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0CyD0Ezz0FzyyCtG0CtC0FyEtGyEtCzy0DtG0B0BzzyBtG0AyD0C0BtDyE0AyC0B0D0A0F2Q&cr=1174906246&ir=
CustomCLSID: HKU\S-1-5-21-2835797480-3305802549-2058157893-1001_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Elizabeth\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
CustomCLSID: HKU\S-1-5-21-2835797480-3305802549-2058157893-1001_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Elizabeth\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
CustomCLSID: HKU\S-1-5-21-2835797480-3305802549-2058157893-1001_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Elizabeth\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
CustomCLSID: HKU\S-1-5-21-2835797480-3305802549-2058157893-1001_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Elizabeth\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
CustomCLSID: HKU\S-1-5-21-2835797480-3305802549-2058157893-1001_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Elizabeth\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
CustomCLSID: HKU\S-1-5-21-2835797480-3305802549-2058157893-1001_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Elizabeth\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
CustomCLSID: HKU\S-1-5-21-2835797480-3305802549-2058157893-1001_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Elizabeth\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
CustomCLSID: HKU\S-1-5-21-2835797480-3305802549-2058157893-1001_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Elizabeth\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
CustomCLSID: HKU\S-1-5-21-2835797480-3305802549-2058157893-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Elizabeth\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2835797480-3305802549-2058157893-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Elizabeth\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
Task: {4688E0AD-7728-4419-998B-15FDB6C0A9E8} - System32\Tasks\{5A229D8A-7B0F-4390-BFC0-97A59C80973B} => pcalua.exe -a "C:\Users\Elizabeth\Downloads\SpyHunter-Installer (1).exe" -d C:\Users\Elizabeth\Desktop
Task: {BDC2755D-248F-4E05-9239-DA1DA4B0EF0D} - System32\Tasks\{BB895EB4-695A-4A29-AE2E-BE44AAE0FEC6} => pcalua.exe -a "C:\Users\Elizabeth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\42UCA2XT\setupconsumerc2rolw.exe" -d C:\Users\Elizabeth\Desktop
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated; please post that.
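
The caution in the post above says the fixlist is valid only for this machine, and the quoted lines show why: they embed a user SID and a user profile path. The sketch below is an added example, not part of the thread and not code from FRST; it summarises a fixlist by line type and checks the embedded SIDs and profile names against local values. The function names, the SID, the user name and the GUIDs in the sample are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample in the same line shapes as the quoted fixlist
# (placeholder SID, user name and GUIDs; not the thread's values).
SAMPLE = r"""CreateRestorePoint:
HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
CustomCLSID: HKU\S-1-5-21-1111111111-2222222222-3333333333-1001_Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32 -> C:\Users\ExampleUser\AppData\Roaming\Example\ext64.dll No File
Task: {00000000-0000-0000-0000-000000000002} - System32\Tasks\{00000000-0000-0000-0000-000000000003} => pcalua.exe -a "C:\Users\ExampleUser\Downloads\installer.exe" -d C:\Users\ExampleUser\Desktop
EmptyTemp:
CMD: bitsadmin /reset /allusers
"""

SID_RE = re.compile(r"S-1-5-21(?:-\d+){4}")              # per-user account SID
PROFILE_RE = re.compile(r"[A-Za-z]:\\Users\\([^\\\"]+)")  # profile folder name
DIRECTIVE_RE = re.compile(r"^([A-Za-z ]+?):(?:\s|$)")     # leading "Name:" label


def summarize_fixlist(text):
    """Count lines by type and collect the machine-specific identifiers."""
    kinds, sids, profiles, missing = Counter(), set(), set(), 0
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.upper().startswith(("HKLM\\", "HKU\\")):
            kind = "RegistryKey"  # bare registry path line
        else:
            match = DIRECTIVE_RE.match(line)
            kind = match.group(1) if match else "Other"
        kinds[kind] += 1
        sids.update(SID_RE.findall(line))
        profiles.update(PROFILE_RE.findall(line))
        if line.endswith("No File"):  # entry whose target file is reported absent
            missing += 1
    return {"kinds": kinds, "sids": sids, "profiles": profiles,
            "missing_targets": missing}


def fixlist_matches_machine(summary, local_sid, local_user):
    """True only if every SID and profile name in the fixlist is the local one."""
    same_sid = summary["sids"] <= {local_sid}
    same_user = {p.lower() for p in summary["profiles"]} <= {local_user.lower()}
    return same_sid and same_user


if __name__ == "__main__":
    info = summarize_fixlist(SAMPLE)
    print(dict(info["kinds"]), info["sids"], info["profiles"])
```
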


Offline e.harvey

Re: www.google.co.uk/?gws_rd=ssl
« Reply #6 on: January 16, 2015, 04:26:22 PM »
I can't seem to find the file. It isn't on my desktop where the others were saved! ???

Offline e.harvey

Re: www.google.co.uk/?gws_rd=ssl
« Reply #7 on: January 16, 2015, 04:30:03 PM »
Maybe I did something wrong? I clicked on fix without running a scan first - should I have done that?

Offline essexboy

Re: www.google.co.uk/?gws_rd=ssl
« Reply #8 on: January 16, 2015, 04:44:33 PM »
No, place the fixlist next to FRST and then just press fix.  It will reboot on completion and the fixlog will appear on your desktop

Offline e.harvey

Re: www.google.co.uk/?gws_rd=ssl
« Reply #9 on: January 16, 2015, 05:11:09 PM »
Ok, here it is..

Offline essexboy

Re: www.google.co.uk/?gws_rd=ssl
« Reply #10 on: January 16, 2015, 06:39:20 PM »
How are the browsers running now ?

Offline e.harvey

Re: www.google.co.uk/?gws_rd=ssl
« Reply #11 on: January 17, 2015, 09:13:33 AM »
When I open IE, it is the same. I get a box asking me to allow google toolbar to make changes to my computer.
On a new tab, I am still getting the google address plus the extra letters - https://www.google.co.uk/?gws_rd=ssl
And when I copy and paste I get asked whether I want to allow Windows spell check??

Offline essexboy

Re: www.google.co.uk/?gws_rd=ssl
« Reply #12 on: January 17, 2015, 03:11:45 PM »
Could you post a screenshot please.  Also allow google to make changes to your homepage first

Then run a fresh FRST scan

Offline e.harvey

Re: www.google.co.uk/?gws_rd=ssl
« Reply #13 on: January 17, 2015, 04:08:16 PM »
Hi there, I've pressed allow many times on opening up and it just keeps waiting, with the little circle going round and round on the tab at the top. If I open up a new tab, that's fine. And forgive my ignorance, but how do I do a screenshot??

Offline essexboy

Re: www.google.co.uk/?gws_rd=ssl
« Reply #14 on: January 17, 2015, 04:28:36 PM »
Use the snipping tool :) http://www.7tutorials.com/how-use-snipping-tool

Then go to control panel > internet options > click reset


Also could you run a fresh FRST scan