Thread: Please advise on Nielsen NetRatings

  1. #1
    Junior Member
    Join Date
    Mar 2009
    Posts
    8

    Well, I don't see any obvious uninstaller in either folder. There is apparently an installer in each one. These are the EXEs I found in those folders:

    C:\Program Files\NetRatingsNetmeter\NetMeter\NeilsenOnline.exe
    C:\Program Files\NetRatingsNetmeter\NetMeter\NeilsenOnlineInstall.exe
    C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
    C:\Program Files\NetRatingsNetSight\NetSight\nsmgrutil.exe
    C:\Program Files\NetRatingsNetSight\NetSight\NSSetup.exe
    C:\Program Files\NetRatingsNetSight\NetSight\download\npiptool.exe
    C:\Program Files\NetRatingsNetSight\NetSight\download\npshtool.exe
    C:\Program Files\NetRatingsNetSight\NetSight\download\nsstmt.exe
    C:\Program Files\NetRatingsNetSight\NetSight\meter1\npiptool.exe
    C:\Program Files\NetRatingsNetSight\NetSight\meter1\npshtool.exe
    C:\Program Files\NetRatingsNetSight\NetSight\meter1\nsstmt.exe

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Thanks for the info. Does Spybot flag these items after a scan? If so, I would let Spybot remove them. A last resort would be to manually delete the folders from C:/Program files.
    How Can I Reduce My Risk?

  3. #3
    Junior Member
    Join Date
    Mar 2009
    Posts
    8

    Spybot doesn't detect any malware when I use it to scan those folders. Neither do AntiVir or MalwareBytes' Anti-Malware. I uploaded some of those files to VirusTotal, and some of them had detections from a few anti-malware programs. It was mostly heuristic detections, but there was one file specifically flagged by a single anti-malware program as "Riskware.AdTool.NeilsenOn.W32" (not 100% sure that was the exact name, but it was close).

    On a somewhat-related note, you mentioned that it might not be any worse than CouponBar, but what is it that makes CouponBar a threat? As far as I know, it's disliked because it adds a toolbar to IE and doesn't remove all its files when uninstalled. Is there anything else I should know about it?

  4. #4
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Hi xx521xx,

    CouponBar a threat?
    I suppose it's due to the information they can collect about you based on your web habits. It may not be classified as "spyware", but a nice collection (profile) of information could be collected using cookies, web beacons, sites visited, ads clicked on, etc.

    Their privacy policy:
    http://www.coupons.com/corp/source/u...olicy.asp?vf=y

    "Consumer Profiling and Tracking Cookies "
    http://www.worldprivacyforum.org/cookieoptout.html

    Since Spybot and Malwarebytes don't flag either one as malware, you can leave it if you want. Since it's not flagged or in the add/remove programs panel, the only resort I see is to manually delete the NetMeter and Netsight folders from C:/Program Files. Up to you.

  5. #5
    Junior Member
    Join Date
    Mar 2009
    Posts
    8

    After reading your posts here, I thought I was fine, but I decided to run a full system scan with MBAM, and I think I might have a problem!

    Malwarebytes' Anti-Malware 1.34
    Database version: 1832
    Windows 5.1.2600 Service Pack 3

    3/10/2009 5:15:53 PM
    mbam-log-2009-03-10 (17-15-49).txt

    Scan type: Full Scan (C:\|E:\|F:\|)
    Objects scanned: 401998
    Time elapsed: 51 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 18
    Registry Values Infected: 2
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> No action taken.
    HKEY_CLASSES_ROOT\TypeLib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> No action taken.
    HKEY_CLASSES_ROOT\toolband.ttb000000 (Adware.BHO) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} (Adware.BHO) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} (Adware.BHO) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} (Adware.BHO) -> No action taken.
    HKEY_CLASSES_ROOT\TypeLib\{9ba983b1-0c05-2daf-9d1d-7e160077caf4} (Adware.BHO) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{0d700d4a-f8c1-8888-c5ba-cb09d464a4e8} (Adware.BHO) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{6d69b86a-b94c-59ee-bcb8-5f5df46b2be8} (Adware.BHO) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{5bed3930-2e9e-76d8-bacc-80df2188d455} (Adware.BHO) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5bed3930-2e9e-76d8-bacc-80df2188d455} (Adware.BHO) -> No action taken.
    HKEY_CLASSES_ROOT\toolband.ttb000000.1 (Adware.BHO) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ttb000001.ttb000001toolbar (Adware.Trace) -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{5bed3930-2e9e-76d8-bacc-80df2188d455} (Adware.BHO) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{5bed3930-2e9e-76d8-bacc-80df2188d455} (Adware.BHO) -> No action taken.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> No action taken.
    C:\WINDOWS\CouponBarIE.dll (Adware.BHO) -> No action taken.
    C:\WINDOWS\Expert\Apps\Support.exe (Backdoor.VBBot.H) -> No action taken.

    Most of these are CouponBar entries, but Driver.Fake and Backdoor.VBBot.H don't sound good. Before I remove these, how can I be sure these aren't false positives? Is there a chance of me messing up my system even worse if I remove these entries? Could I have other, hidden problems on my system? I'm so paranoid... Hope you can advise me on these quickly!
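
An added example (not part of any post in this thread, and not Malwarebytes code): a Python parser for the log format shown above that groups entries by detection name and by CLSID, so the CouponBar-related entries can be separated from the ones that deserve a second opinion. The line format is inferred from the posted log, the function names are hypothetical, and treating every non-`Adware.` detection as "needs review" is an assumption of this example.

```python
import re
from collections import defaultdict

# Excerpt of the MBAM 1.34 log posted above (a subset of its lines).
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} (Adware.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} (Adware.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> No action taken.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> No action taken.
Files Infected:
C:\WINDOWS\CouponBarIE.dll (Adware.BHO) -> No action taken.
C:\WINDOWS\Expert\Apps\Support.exe (Backdoor.VBBot.H) -> No action taken.
"""

SECTION = re.compile(r"^([A-Za-z ]+) Infected:$")
# "<object> (<Detection.Name>) -> <action>"; non-greedy so paths containing spaces still parse.
ENTRY = re.compile(r"^(?P<obj>.+?) \((?P<det>[A-Za-z]+(?:\.[A-Za-z0-9]+)+)\) -> (?P<rest>.+)$")
GUID = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")

def parse_mbam_log(text):
    """Return one dict per flagged item: section, object, detection, action."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY.match(line)
        if m:  # summary counts and "(No malicious items detected)" do not match
            entries.append({"section": section, "object": m["obj"], "detection": m["det"],
                            "action": m["rest"].split(" -> ")[-1]})
    return entries

def triage(entries):
    """Group objects by detection and by CLSID; list non-adware detections for review."""
    by_detection, guid_refs = defaultdict(list), defaultdict(list)
    for e in entries:
        by_detection[e["detection"]].append(e["object"])
        for g in GUID.findall(e["object"]):
            guid_refs[g.lower()].append(e["object"])  # same GUID = same COM component
    review = sorted(d for d in by_detection if not d.startswith("Adware."))
    return dict(by_detection), dict(guid_refs), review
```

Registry entries that share a CLSID point at the same registered component, so they can be judged together rather than one by one.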

  6. #6
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Hi,

    Looks like pretty much everything is from the Coupons software. If you want to keep this software, then you can uncheck each of the entries before having MBAM remove the rest.

    C:\WINDOWS\Expert\Apps\Support.exe (Backdoor.VBBot.H) -> No action taken.
    This may just be some type of remote access software, so with your OK your machine could be accessed, like if you called customer support about a problem.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver)
    Not sure about this one. It's possible to have stray harmless registry leftovers, like maybe you had malware before and it was removed but left behind registry entries. It's safe to have MBAM fix these items by leaving them checked.

    Nothing about NetRatings. Guess it's not considered any type of malware.

  7. #7
    Junior Member
    Join Date
    Mar 2009
    Posts
    8

    After my last post, I researched a little more and discovered a thread at Malwarebytes' forum suggesting Fake.Driver may be a false positive:
    http://www.malwarebytes.org/forums/i...howtopic=12426

    I suspect the backdoor detection is also a false positive (the file appears to be part of a game) and have asked about it at Malwarebytes' forum. So, I guess I probably panicked over nothing, and I'll see what the verdict is there on those two items.

    Thanks for your help! I have one last question for this thread. Now that they're no longer needed, is it possible to remove the HJT log and uninstall list I posted earlier? I figure if someone should want to compromise my system, it would be best if they have as little information about it as possible. I don't see any way to edit my own posts here; am I missing it?
