Hi, I'm looking for someone to advise me on a program called Nielsen Netratings (or Netmeter). What is this program? Is it malicious? Undesirable? Safe? I've searched the web and found nothing more detailed than various reports of "this is a suspicious process" or "this is a safe process". Can you tell me any more about what this program does?

Here's my situation: a family member installed this program (or tried to) earlier today. She allowed the addition of a global startup entry. Later, I logged on and the program tried to add two more startup entries, which I blocked with Spybot. Despite this, the program already had three processes running as seen in the task manager. I killed the processes and removed the original startup entry.

Anyway, my question is... where should I go from here? Should I allow the program to run? I was going to uninstall it, but the program is conspicuously absent from the add/remove programs list...

Has any damage been done by this program being allowed to run previously? Am I just being overly paranoid? Please let me know if you need more information or an HJT log. My HJT results look OK to me, (no change compared to results before installation) but I'm no expert. ;)

Here are the entries in my Spybot S&D log file:


3/4/2009 9:40:03 AM Allowed (based on user decision) value "NielsenOnline" (new data: "C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe") added in System Startup global entry!
3/4/2009 4:54:41 PM Denied (based on user decision) value "NetMeter" (new data: "C:\Program Files\NetRatingsNetmeter\NetMeter\NielsenOnline.exe") added in System Startup global entry!
3/4/2009 4:54:43 PM Denied (based on user decision) value "NetMeterInstall" (new data: "rundll32.exe "C:\Program Files\NetRatingsNetmeter\NetMeter\nmobsvr.dll",InstallComponent") added in System Startup global entry!
3/4/2009 4:56:19 PM Allowed (based on user decision) value "NielsenOnline" (new data: "") deleted in System Startup global entry!

hi xx521xx,

Nielsen Netratings and Netmeter are two different things. Netmeter is a bandwidth monitor. The other sounds like something bundled as a third party add-on to monitor web sites visited or something like that, probably not anything useful. You can post your add/remove programs list using hjt, like this:

Iam in linux now and doing this from (bad) memory, should be close;

Start hjt, click on 'open misc tools section'
click on 'uninstall manager'
click on 'uninstall list'

something like that anyway. You can copy/paste the list in your reply.

Thanks for the reply. When I searched for info on NielsenOnline.exe, I only found results relating to NetRatings, but I guess Nielsen has multiple programs out there using the same filename.

Here is my rather lengthy uninstall list. Two notes: I know CouponBar is considered adware, but I have a family member that uses it. Also, Homescan is another Nielsen program and is also used by a family member.

hi xx521xx,

I dont see anything in the list. After a closer look it looks like Netmeter is part of the 'package' You say you have hjt installed? Please scan and post a hjt log for me.

Sure thing.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:54 PM, on 3/7/2009

End of file - 10990 bytes

hi,

Dont see anything relating to it in the log. I doubt its any worse than CouponBar thats installed. I am surprised its not listed in the add/remove programs panel. Take a look in these two folders:

C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe"
See if you see a uninstall icon, may also be called unwise.exe or unins000.exe.

and also this one
C:\Program Files\NetRatingsNetmeter\NetMeter\NielsenOnline.exe"

Well, I don't see any obvious uninstaller in either folder. There is apparently an installer in each one. These are the EXEs I found in those folders:

C:\Program Files\NetRatingsNetmeter\NetMeter\NeilsenOnline.exe
C:\Program Files\NetRatingsNetmeter\NetMeter\NeilsenOnlineInstall.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\NetRatingsNetSight\NetSight\nsmgrutil.exe
C:\Program Files\NetRatingsNetSight\NetSight\NSSetup.exe
C:\Program Files\NetRatingsNetSight\NetSight\download\npiptool.exe
C:\Program Files\NetRatingsNetSight\NetSight\download\npshtool.exe
C:\Program Files\NetRatingsNetSight\NetSight\download\nsstmt.exe
C:\Program Files\NetRatingsNetSight\NetSight\meter1\npiptool.exe
C:\Program Files\NetRatingsNetSight\NetSight\meter1\npshtool.exe
C:\Program Files\NetRatingsNetSight\NetSight\meter1\nsstmt.exe

thanks for the info. Does Spybot flag these items after a scan? If so I would let Spybot remove them. A last resort would be to manually delete the folders from C:/Program files.

Spybot doesn't detect any malware when I use it to scan those folders. Neither do AntiVir or MalwareBytes' Anti-Malware. I uploaded some of those files to VirusTotal, and some of them had detections from a few anti-malware programs. It was mostly heuristic detections, but there was one file specifically flagged by a single anti-malware program as "Riskware.AdTool.NeilsenOn.W32" (not 100% sure that was the exact name, but it was close).

On a somewhat-related note, you mentioned that it might not be any worse than CouponBar, but what is it that makes CouponBar a threat? As far as I know, it's disliked because it adds a toolbar to IE and doesn't remove all its files when uninstalled. Is there anything else I should know about it?

hi xx521xx,


CouponBar a threat?
I suppose its due to the information they can collect about you based on your web habits. It may not be classified as "spyware" but a nice collection (profile) of information could be collected using cookies, web beacons, sites visited, ads clicked on etc

there privacy policy:
http://www.coupons.com/corp/source/u_privacypolicy.asp?vf=y

"Consumer Profiling and Tracking Cookies "
http://www.worldprivacyforum.org/cookieoptout.html

Since Spybot and Malwarebytes dosnt flag either one as malware you can leave it if you want. Since its not flagged or in the add/remove programs panel the only resort I see is to manually delete the NetMeter and Netsight folders from C;/Program Files. Up to you.

After reading your posts here, I thought I was fine, but I decided to run a full system scan with MBAM, and I think I might have a problem!

Malwarebytes' Anti-Malware 1.34
Database version: 1832
Windows 5.1.2600 Service Pack 3

3/10/2009 5:15:53 PM
mbam-log-2009-03-10 (17-15-49).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 401998
Time elapsed: 51 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\toolband.ttb000000 (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} (Adware.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} (Adware.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{9ba983b1-0c05-2daf-9d1d-7e160077caf4} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{0d700d4a-f8c1-8888-c5ba-cb09d464a4e8} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{6d69b86a-b94c-59ee-bcb8-5f5df46b2be8} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{5bed3930-2e9e-76d8-bacc-80df2188d455} (Adware.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5bed3930-2e9e-76d8-bacc-80df2188d455} (Adware.BHO) -> No action taken.
HKEY_CLASSES_ROOT\toolband.ttb000000.1 (Adware.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ttb000001.ttb000001toolbar (Adware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{5bed3930-2e9e-76d8-bacc-80df2188d455} (Adware.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{5bed3930-2e9e-76d8-bacc-80df2188d455} (Adware.BHO) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> No action taken.
C:\WINDOWS\CouponBarIE.dll (Adware.BHO) -> No action taken.
C:\WINDOWS\Expert\Apps\Support.exe (Backdoor.VBBot.H) -> No action taken.
Most of these are CouponBar entries, but Driver.Fake and Backdoor.VBBot.H don't sound good. Before I remove these, how can I be sure these aren't false positives? Is there a chance of me messing up my system even worse if I remove these entries? Could I have other, hidden problems on my system? I'm so paranoid... Hope you can advise me on these quickly! :sick:

hi,

looks like pretty much everything is from the Coupons software. If you want to keep this software then you can uncheck each of the entries before having MBAM remove the rest.

C:\WINDOWS\Expert\Apps\Support.exe (Backdoor.VBBot.H) -> No action taken. this may just be some type of remote access software so with your ok your machine could be accessed like if you called customer support about a problem.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver)
not sure about this one. Its possible to have stray harmless registry leftovers, like maybe you had malware before and it was removed but left behind registry entries. Its safe to have MBAM fix these items by leaving them checked.

Nothing about NetRatings. Guess its not considered any type of malware.

After my last post, I researched a little more and discovered a thread at Malwarebytes' forum suggesting Fake.Driver may be a false positive:
http://www.malwarebytes.org/forums/index.php?showtopic=12426

I suspect the backdoor detection is also a false positive (the file appears to be part of a game) and have asked about it at Malwarebytes' forum. So, I guess I probably panicked over nothing, and I'll see what the verdict is there on those two items.

Thanks for your help! :bigthumb: I have one last question for this thread. Now that they're no longer needed, is it possible to remove the HJT log and uninstall list I posted earlier? I figure if someone should want to compromise my system, it would be best if they have as little information about it as possible. ;) I don't see any way to edit my own posts here, am I missing it?

ok. Your welcome. Good Luck. I think i can edit those out for you.

Actually some hjt logs would be good easy sources for potential exploits especially if the ip was provided.

If all is good, then happy safe surfing, and of course;

Reducing Your Risk To Malware:
The Short Version:

1) Keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us),(Windows) browser (IE, FireFox) and other Software (http://secunia.com/vulnerability_scanning/online/) up to date to "patch" possible vulnerabilities that could be exploited.

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, links or popups.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software to your computer.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing.*

8) Install and know the limitations of a software firewall.

9) Consider using an alternate browser and E-mail client. Internet Explorer and OutLook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer. (http://www.microsoft.com/downloads/details.aspx?FamilyID=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en)

10) If your habits include: warez, cracks etc or you install files via p2p (http://www.virusvault.us/p2p.html) networks then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

A longer version in link below.