
Thread: Please advise on Nielsen NetRatings

  1. #11
    Junior Member
    Join Date
    Mar 2009
    Posts
    8

    Default

    After reading your posts here, I thought I was fine, but I decided to run a full system scan with MBAM, and I think I might have a problem!
    Malwarebytes' Anti-Malware 1.34
    Database version: 1832
    Windows 5.1.2600 Service Pack 3

    3/10/2009 5:15:53 PM
    mbam-log-2009-03-10 (17-15-49).txt

    Scan type: Full Scan (C:\|E:\|F:\|)
    Objects scanned: 401998
    Time elapsed: 51 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 18
    Registry Values Infected: 2
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> No action taken.
    HKEY_CLASSES_ROOT\TypeLib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> No action taken.
    HKEY_CLASSES_ROOT\toolband.ttb000000 (Adware.BHO) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} (Adware.BHO) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} (Adware.BHO) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} (Adware.BHO) -> No action taken.
    HKEY_CLASSES_ROOT\TypeLib\{9ba983b1-0c05-2daf-9d1d-7e160077caf4} (Adware.BHO) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{0d700d4a-f8c1-8888-c5ba-cb09d464a4e8} (Adware.BHO) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{6d69b86a-b94c-59ee-bcb8-5f5df46b2be8} (Adware.BHO) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{5bed3930-2e9e-76d8-bacc-80df2188d455} (Adware.BHO) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5bed3930-2e9e-76d8-bacc-80df2188d455} (Adware.BHO) -> No action taken.
    HKEY_CLASSES_ROOT\toolband.ttb000000.1 (Adware.BHO) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ttb000001.ttb000001toolbar (Adware.Trace) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{5bed3930-2e9e-76d8-bacc-80df2188d455} (Adware.BHO) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{5bed3930-2e9e-76d8-bacc-80df2188d455} (Adware.BHO) -> No action taken.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> No action taken.
    C:\WINDOWS\CouponBarIE.dll (Adware.BHO) -> No action taken.
    C:\WINDOWS\Expert\Apps\Support.exe (Backdoor.VBBot.H) -> No action taken.

    Most of these are CouponBar entries, but Driver.Fake and Backdoor.VBBot.H don't sound good. Before I remove these, how can I be sure these aren't false positives? Is there a chance of me messing up my system even worse if I remove these entries? Could I have other, hidden problems on my system? I'm so paranoid... Hope you can advise me on these quickly!

  2. #12
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    Hi,

    Looks like pretty much everything is from the Coupons software. If you want to keep this software then you can uncheck each of the entries before having MBAM remove the rest.

    C:\WINDOWS\Expert\Apps\Support.exe (Backdoor.VBBot.H) -> No action taken.
    This may just be some type of remote access software, so with your OK your machine could be accessed, like if you called customer support about a problem.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver)
    Not sure about this one. It's possible to have stray harmless registry leftovers, like maybe you had malware before and it was removed but left behind registry entries. It's safe to have MBAM fix these items by leaving them checked.

    Nothing about NetRatings. Guess it's not considered any type of malware.
    How Can I Reduce My Risk?

  3. #13
    Junior Member
    Join Date
    Mar 2009
    Posts
    8

    Default

    After my last post, I researched a little more and discovered a thread at Malwarebytes' forum suggesting Fake.Driver may be a false positive:
    http://www.malwarebytes.org/forums/i...howtopic=12426

    I suspect the backdoor detection is also a false positive (the file appears to be part of a game) and have asked about it at Malwarebytes' forum. So, I guess I probably panicked over nothing, and I'll see what the verdict is there on those two items.

    Thanks for your help! I have one last question for this thread. Now that they're no longer needed, is it possible to remove the HJT log and uninstall list I posted earlier? I figure if someone should want to compromise my system, it would be best if they have as little information about it as possible. I don't see any way to edit my own posts here, am I missing it?

  4. #14
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    OK. You're welcome. Good luck. I think I can edit those out for you.

    Actually, some HJT logs would be good, easy sources for potential exploits, especially if the IP was provided.

    If all is good, then happy safe surfing, and of course;

    Reducing Your Risk To Malware:
    The Short Version:

    1) Keep your OS (Windows), browser (IE, Firefox) and other software up to date to "patch" possible vulnerabilities that could be exploited.

    2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, links or popups.

    3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits.

    4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.

    5) Don't click on ads/pop ups or offers from websites requesting that you need to install software to your computer.

    6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

    7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent malware from installing.

    8) Install and know the limitations of a software firewall.

    9) Consider using an alternate browser and e-mail client. Internet Explorer and Outlook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer.

    10) If your habits include warez, cracks, etc., or you install files via P2P networks, then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

    A longer version in link below.
    How Can I Reduce My Risk?
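
The triage the posts above do by eye (most entries belong to the bundled adware, a few detection names need a separate look), as an added example that is not part of the original thread: a small parser for the MBAM log format shown in post #11. The sample lines are an excerpt of that log, and treating `Adware.` names as the bundled group is an assumption of this example, not a Malwarebytes rule.

```python
import re
from collections import defaultdict

# Excerpt of the MBAM 1.34 log from post #11 (subset of its lines, for the demo).
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\toolband.ttb000000 (Adware.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> No action taken.
C:\WINDOWS\CouponBarIE.dll (Adware.BHO) -> No action taken.
C:\WINDOWS\Expert\Apps\Support.exe (Backdoor.VBBot.H) -> No action taken.
"""

SECTION = re.compile(r"^(.+?) Infected:\s*$")  # item headers only, not "...: 18" totals
ITEM = re.compile(r"^(?P<obj>.+?) \((?P<name>[A-Za-z][\w.]*)\) -> (?P<rest>.+)$")

def parse_mbam_log(text):
    """Return one dict per detection: section, object, detection, action."""
    items, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            section = m.group(1)
        elif section and (m := ITEM.match(line)):
            # Data items carry "Bad: (..) Good: (..)" before the action; keep the last part.
            action = m.group("rest").split(" -> ")[-1].rstrip(".")
            items.append({"section": section, "object": m.group("obj"),
                          "detection": m.group("name"), "action": action})
    return items

def triage(items, bundled_prefixes=("Adware.",)):
    """Group bundled-adware families; list every other detection for individual review."""
    bundled, review = defaultdict(list), []
    for it in items:
        if it["detection"].startswith(bundled_prefixes):
            bundled[it["detection"]].append(it["object"])
        else:
            review.append(it)
    return dict(bundled), review

if __name__ == "__main__":
    bundled, review = triage(parse_mbam_log(SAMPLE_LOG))
    print({name: len(objs) for name, objs in bundled.items()})
    for it in review:
        print("REVIEW", it["detection"], it["object"], f"[{it['section']}]")
```

Anything in the review list is worth checking on its own before removal, for example by confirming what installed the file and asking the vendor's forum, as the poster did.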
