Solved

NETSTER ATTACK !!

Posted on 2004-09-07
14
182 Views
Last Modified: 2010-04-11
I am having problems with NETSTER. I don't know where I got intected from since I am pretty safe in that regard and use Ad-Aware and Spybot regularly. I find that whenever I hit somesites like www.erecruting.com etc. NETSTER gets activated and takes me to http://search.netster.com/Index.asp?Site=ZXJlY3J1dGluZy5jb20%3D

I want to get rid of it but none of the spyware tools are able to it. Only a netster cookie gets detected. Also I tried in vain to find netster.dll/ netseter.dll.

Is there any one who can help me in this regard ?

thanks much
anantha
0
Comment
Question by:anant_27
14 Comments
 
LVL 21

Expert Comment

by:jvuz
Comment Utility
Run Hijackthis and post the log here:

You can find the software here:

http://www.majorgeeks.com/download3155.html
0
 
LVL 23

Expert Comment

by:Tim Holman
Comment Utility
0
 

Author Comment

by:anant_27
Comment Utility
I ran HIJACKTHIS and I am posting the log of the same. I have tried in vain the steps mentioned in the pest patrol site and unfortunately there appear to be no traces of the Netster.dll file or any of the registry keys mentioned there.

I  hope there is some way to get it out of my system, because its a scary thing to have such a stealthy piece of spyware/adware.

thanx.

============================================
Logfile of HijackThis v1.97.7
Scan saved at 10:05:18 AM, on 9/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\WebDrive\wdservice.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
E:\Program Files\Real\RealPlayer\RealPlay.exe
C:\program files\Yahoo!\Messenger\YPager.exe
E:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
E:\my downloads\Spyware Removal\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [EasyMessage] E:\Program Files\Easy Message\em2.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Stardock ObjectDock.lnk = E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'imslsp.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://E:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://E:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://E:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://E:\Program Files\AutoCAD 2002\AcPreview.ocx
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
anant_27, its looking like u are using the old version of hijackthis.exe, i.e. 1.97.7 and that's why its not catching which it shud :)
the new version is v1.98.2, so Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then u will have two options.....

1. Post here that LOG file, and we will tell u that what is BAD in it and how to remove them :)

2. Post it at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, if u can trust it, go on and delete everything which it asks u to delete :)

!! Good Luck !!
0
 

Author Comment

by:anant_27
Comment Utility
This is the latest log file, and apparently again no signs of NETSTER.

thanks
=============================================
Logfile of HijackThis v1.98.2
Scan saved at 1:53:54 PM, on 9/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\WebDrive\wdservice.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
E:\Program Files\Real\RealPlayer\RealPlay.exe
C:\program files\Yahoo!\Messenger\ymsgr_tray.exe
E:\program files\mozilla.org\Mozilla\mozilla.exe
C:\Documents and Settings\Anantha Narayan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [EasyMessage] E:\Program Files\Easy Message\em2.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Stardock ObjectDock.lnk = E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://E:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://E:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://E:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://E:\Program Files\AutoCAD 2002\AcPreview.ocx
0
 
LVL 4

Expert Comment

by:net_sec_guru
Comment Utility
manual removal is quick & simple for this spyware with is a BHO (Browser Help Object):

Remove these files:
netseter.dll
profilepath+\netster.dll
systemroot+\system\_netster.dll
systemroot+\system\netster.dll
systemroot+\system32\_netster.dll
systemroot+\system32\netster.dll

Remove these registry items:
HKEY_CLASSES_ROOT\clsid\{359f7e49-1ea0-4671-92e9-61e32fe25c5e}
HKEY_CLASSES_ROOT\clsid\{856d6a8e-a24c-498a-a55a-2b25c606a6b4}
HKEY_CLASSES_ROOT\clsid\{acc63168-5876-439b-95bc-3bae59ca860c}
HKEY_CLASSES_ROOT\clsid\{b98f79f4-3619-49fb-a7e7-b737e58c5727}
HKEY_CLASSES_ROOT\interface\{aa644580-8f8a-4f8b-9263-42e14c7c2fcb}
HKEY_CLASSES_ROOT\interface\{b4fadc3f-7c5f-4fc8-a050-dbeb2c119dd5}
HKEY_CLASSES_ROOT\interface\{eed9bcbf-d40e-408f-8080-e4afc9fddb36}
HKEY_CLASSES_ROOT\interface\{f5619700-a76a-462b-abdd-6372ff10eab7}
HKEY_CLASSES_ROOT\netster.bho
HKEY_CLASSES_ROOT\netster.bho.1
HKEY_CLASSES_ROOT\netster.initscript
HKEY_CLASSES_ROOT\netster.initscript.1
HKEY_CLASSES_ROOT\netster.netsterband
HKEY_CLASSES_ROOT\netster.netsterband.1
HKEY_CLASSES_ROOT\netster.netsterph
HKEY_CLASSES_ROOT\netster.netsterph.1
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{b98f79f4-3619-49fb-a7e7-b737e58c5727}
HKEY_CLASSES_ROOT\typelib\{e1c643a6-8b7b-4f28-b652-f712fe4f7402}
HKEY_LOCAL_MACHINE\clsid\{856d6a8e-a24c-498a-a55a-2b25c606a6b4}
HKEY_LOCAL_MACHINE\clsid\{b98f79f4-3619-49fb-a7e7-b737e58c5727}
HKEY_LOCAL_MACHINE\software\classes\clsid\{856d6a8e-a24c-498a-a55a-2b25c606a6b4}
HKEY_LOCAL_MACHINE\software\classes\clsid\{b98f79f4-3619-49fb-a7e7-b737e58c5727}
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\{856d6a8e-a24c-498a-a55a-2b25c606a6b4}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{b98f79f4-3619-49fb-a7e7-b737e58c5727}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{856d6a8e-a24c-498a-a55a-2b25c606a6b4}
HKEY_LOCAL_MACHINE\software\netster

Unlink these dll's (usually use regsvr32)
HKEY_CLASSES_ROOT\clsid\{359f7e49-1ea0-4671-92e9-61e32fe25c5e}
HKEY_CLASSES_ROOT\clsid\{856d6a8e-a24c-498a-a55a-2b25c606a6b4}
HKEY_CLASSES_ROOT\clsid\{acc63168-5876-439b-95bc-3bae59ca860c}
HKEY_CLASSES_ROOT\clsid\{b98f79f4-3619-49fb-a7e7-b737e58c5727}
HKEY_CLASSES_ROOT\interface\{aa644580-8f8a-4f8b-9263-42e14c7c2fcb}
HKEY_CLASSES_ROOT\interface\{b4fadc3f-7c5f-4fc8-a050-dbeb2c119dd5}
HKEY_CLASSES_ROOT\interface\{eed9bcbf-d40e-408f-8080-e4afc9fddb36}
HKEY_CLASSES_ROOT\interface\{f5619700-a76a-462b-abdd-6372ff10eab7}
HKEY_CLASSES_ROOT\netster.bho
HKEY_CLASSES_ROOT\netster.bho.1
HKEY_CLASSES_ROOT\netster.initscript
HKEY_CLASSES_ROOT\netster.initscript.1
HKEY_CLASSES_ROOT\netster.netsterband
HKEY_CLASSES_ROOT\netster.netsterband.1
HKEY_CLASSES_ROOT\netster.netsterph
HKEY_CLASSES_ROOT\netster.netsterph.1
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{b98f79f4-3619-49fb-a7e7-b737e58c5727}
HKEY_CLASSES_ROOT\typelib\{e1c643a6-8b7b-4f28-b652-f712fe4f7402}
HKEY_LOCAL_MACHINE\clsid\{856d6a8e-a24c-498a-a55a-2b25c606a6b4}
HKEY_LOCAL_MACHINE\clsid\{b98f79f4-3619-49fb-a7e7-b737e58c5727}
HKEY_LOCAL_MACHINE\software\classes\clsid\{856d6a8e-a24c-498a-a55a-2b25c606a6b4}
HKEY_LOCAL_MACHINE\software\classes\clsid\{b98f79f4-3619-49fb-a7e7-b737e58c5727}
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\{856d6a8e-a24c-498a-a55a-2b25c606a6b4}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{b98f79f4-3619-49fb-a7e7-b737e58c5727}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{856d6a8e-a24c-498a-a55a-2b25c606a6b4}
HKEY_LOCAL_MACHINE\software\netster

Reboot and try again!
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 

Author Comment

by:anant_27
Comment Utility
Thank you for your response, I did find this help in the pest patrol website and tried to do what is suggested there.

There is no trace of netster/ netseter , but if i type in some (not all ) wrong URL's , then it takes me to the netster page.

Also I noticed one another strange thing. My yahoo messenger would not connect to the internet sometimes, and after connection it would not let me add any new friends and no let me enter chat rooms. I dont know if the netster thing is related to my yahoo messenger or vice versa

thanks
anantha
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
anant.... tell me are u using Yahoo as ur stat(home) page and search assistant ??
coz look at these entries,,,, it shows that ur search assistant and start page is handled by yahoo !!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com


so if u have set them urself, they can be OK, other check them and click on Fix Checked !!
reboot and now check if any progress ??
0
 

Author Comment

by:anant_27
Comment Utility
hello all:

thanks for the support you are providing me. Yes, I did remove the instances of Yahoo being my search engine. YM ! had installed it by default.

Anyways, here is something that I want you to try for me.

can you please try to go to www.erecruting.com ( Yes ! erecruting and not erecruiting ) ? I have tried this on a couple of my room mates PC's and they take me to a netster page !! I dont know why this happens to only a few specific wrong URL's and not others. I have tried typing junk on my Address bar ( both IE and Mozilla ) but they dont take me to netster. But typing www.erecruting.com always takes me to netster. Do you agree with me on this ? can you try it ?

thanks much
Anantha
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
lol.... u are right... when i click on the above link ( www.erecruting.com )
it does take me to the Netster search page :)

i guess that site is down and that's why Netster is temporary sitting at its place... or may be some hacking shacking problem u know ;-D
0
 

Author Comment

by:anant_27
Comment Utility
lol..........so do i get to keep my 500 points ??

It was indeed an interesting problem since there was no trace of netster on my system but it did take me to netster page, and apparently netster has this quote

"PLEASE NOTE: You may have arrived at this site because you mistyped your desired Internet address or domain name, or the web site you are seeking may not be operational. Please make sure you typed the address or domain name correctly. You may use the "Back" button on your browser to return to your previous page, or you may use our search engine to find your intended destination."

Anyways, I guess this problem exists in all systems including yours truly's !!! So i am safe for the moment from the netster attack.

thank you all anyways
Anantha
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
Comment Utility
lolz yeah indeed it baffled me too much :-S
:D

>> so do i get to keep my 500 points ??
never mind go and get a refind, atleast i have no objection as i was not able to solve ur problem, it still goes to NETSTER.... right ;-D

Happy Computing ^_^
0
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
Comment Utility
PAQed with points (500) refunded

DarthMod
Community Support Moderator
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now