Solved

NETSTER ATTACK !!

Posted on 2004-09-07
Last Modified: 2010-04-11
I am having problems with NETSTER. I don't know where I got infected from since I am pretty safe in that regard and use Ad-Aware and Spybot regularly. I find that whenever I hit some sites like www.erecruting.com etc. NETSTER gets activated and takes me to http://search.netster.com/Index.asp?Site=ZXJlY3J1dGluZy5jb20%3D

I want to get rid of it but none of the spyware tools are able to do it. Only a netster cookie gets detected. Also I tried in vain to find netster.dll/netseter.dll.

Is there anyone who can help me in this regard?

thanks much
anantha
0
Question by:anant_27
14 Comments
 
LVL 21

Expert Comment

by:jvuz
ID: 12003726
Run Hijackthis and post the log here:

You can find the software here:

http://www.majorgeeks.com/download3155.html
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12004782
0
 

Author Comment

by:anant_27
ID: 12006562
I ran HIJACKTHIS and I am posting the log of the same. I have tried in vain the steps mentioned in the pest patrol site and unfortunately there appear to be no traces of the Netster.dll file or any of the registry keys mentioned there.

I hope there is some way to get it out of my system, because it's a scary thing to have such a stealthy piece of spyware/adware.

thanx.

============================================
Logfile of HijackThis v1.97.7
Scan saved at 10:05:18 AM, on 9/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\WebDrive\wdservice.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
E:\Program Files\Real\RealPlayer\RealPlay.exe
C:\program files\Yahoo!\Messenger\YPager.exe
E:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
E:\my downloads\Spyware Removal\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [EasyMessage] E:\Program Files\Easy Message\em2.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Stardock ObjectDock.lnk = E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'imslsp.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://E:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://E:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://E:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://E:\Program Files\AutoCAD 2002\AcPreview.ocx
0

 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12007777
anant_27, it's looking like u are using the old version of hijackthis.exe, i.e. 1.97.7 and that's why it's not catching which it shud :)
the new version is v1.98.2, so Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then u will have two options.....

1. Post here that LOG file, and we will tell u that what is BAD in it and how to remove them :)

2. Post it at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, if u can trust it, go on and delete everything which it asks u to delete :)

!! Good Luck !!
0
 

Author Comment

by:anant_27
ID: 12009119
This is the latest log file, and apparently again no signs of NETSTER.

thanks
=============================================
Logfile of HijackThis v1.98.2
Scan saved at 1:53:54 PM, on 9/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\WebDrive\wdservice.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
E:\Program Files\Real\RealPlayer\RealPlay.exe
C:\program files\Yahoo!\Messenger\ymsgr_tray.exe
E:\program files\mozilla.org\Mozilla\mozilla.exe
C:\Documents and Settings\Anantha Narayan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [EasyMessage] E:\Program Files\Easy Message\em2.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Stardock ObjectDock.lnk = E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - E:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://E:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://E:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://E:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://E:\Program Files\AutoCAD 2002\AcPreview.ocx
0
 
LVL 4

Expert Comment

by:net_sec_guru
ID: 12009370
Manual removal is quick & simple for this spyware, which is a BHO (Browser Helper Object):

Remove these files:
netseter.dll
profilepath+\netster.dll
systemroot+\system\_netster.dll
systemroot+\system\netster.dll
systemroot+\system32\_netster.dll
systemroot+\system32\netster.dll

Remove these registry items:
HKEY_CLASSES_ROOT\clsid\{359f7e49-1ea0-4671-92e9-61e32fe25c5e}
HKEY_CLASSES_ROOT\clsid\{856d6a8e-a24c-498a-a55a-2b25c606a6b4}
HKEY_CLASSES_ROOT\clsid\{acc63168-5876-439b-95bc-3bae59ca860c}
HKEY_CLASSES_ROOT\clsid\{b98f79f4-3619-49fb-a7e7-b737e58c5727}
HKEY_CLASSES_ROOT\interface\{aa644580-8f8a-4f8b-9263-42e14c7c2fcb}
HKEY_CLASSES_ROOT\interface\{b4fadc3f-7c5f-4fc8-a050-dbeb2c119dd5}
HKEY_CLASSES_ROOT\interface\{eed9bcbf-d40e-408f-8080-e4afc9fddb36}
HKEY_CLASSES_ROOT\interface\{f5619700-a76a-462b-abdd-6372ff10eab7}
HKEY_CLASSES_ROOT\netster.bho
HKEY_CLASSES_ROOT\netster.bho.1
HKEY_CLASSES_ROOT\netster.initscript
HKEY_CLASSES_ROOT\netster.initscript.1
HKEY_CLASSES_ROOT\netster.netsterband
HKEY_CLASSES_ROOT\netster.netsterband.1
HKEY_CLASSES_ROOT\netster.netsterph
HKEY_CLASSES_ROOT\netster.netsterph.1
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{b98f79f4-3619-49fb-a7e7-b737e58c5727}
HKEY_CLASSES_ROOT\typelib\{e1c643a6-8b7b-4f28-b652-f712fe4f7402}
HKEY_LOCAL_MACHINE\clsid\{856d6a8e-a24c-498a-a55a-2b25c606a6b4}
HKEY_LOCAL_MACHINE\clsid\{b98f79f4-3619-49fb-a7e7-b737e58c5727}
HKEY_LOCAL_MACHINE\software\classes\clsid\{856d6a8e-a24c-498a-a55a-2b25c606a6b4}
HKEY_LOCAL_MACHINE\software\classes\clsid\{b98f79f4-3619-49fb-a7e7-b737e58c5727}
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\{856d6a8e-a24c-498a-a55a-2b25c606a6b4}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{b98f79f4-3619-49fb-a7e7-b737e58c5727}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{856d6a8e-a24c-498a-a55a-2b25c606a6b4}
HKEY_LOCAL_MACHINE\software\netster

Unlink these DLLs (usually with regsvr32):
HKEY_CLASSES_ROOT\clsid\{359f7e49-1ea0-4671-92e9-61e32fe25c5e}
HKEY_CLASSES_ROOT\clsid\{856d6a8e-a24c-498a-a55a-2b25c606a6b4}
HKEY_CLASSES_ROOT\clsid\{acc63168-5876-439b-95bc-3bae59ca860c}
HKEY_CLASSES_ROOT\clsid\{b98f79f4-3619-49fb-a7e7-b737e58c5727}
HKEY_CLASSES_ROOT\interface\{aa644580-8f8a-4f8b-9263-42e14c7c2fcb}
HKEY_CLASSES_ROOT\interface\{b4fadc3f-7c5f-4fc8-a050-dbeb2c119dd5}
HKEY_CLASSES_ROOT\interface\{eed9bcbf-d40e-408f-8080-e4afc9fddb36}
HKEY_CLASSES_ROOT\interface\{f5619700-a76a-462b-abdd-6372ff10eab7}
HKEY_CLASSES_ROOT\netster.bho
HKEY_CLASSES_ROOT\netster.bho.1
HKEY_CLASSES_ROOT\netster.initscript
HKEY_CLASSES_ROOT\netster.initscript.1
HKEY_CLASSES_ROOT\netster.netsterband
HKEY_CLASSES_ROOT\netster.netsterband.1
HKEY_CLASSES_ROOT\netster.netsterph
HKEY_CLASSES_ROOT\netster.netsterph.1
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{b98f79f4-3619-49fb-a7e7-b737e58c5727}
HKEY_CLASSES_ROOT\typelib\{e1c643a6-8b7b-4f28-b652-f712fe4f7402}
HKEY_LOCAL_MACHINE\clsid\{856d6a8e-a24c-498a-a55a-2b25c606a6b4}
HKEY_LOCAL_MACHINE\clsid\{b98f79f4-3619-49fb-a7e7-b737e58c5727}
HKEY_LOCAL_MACHINE\software\classes\clsid\{856d6a8e-a24c-498a-a55a-2b25c606a6b4}
HKEY_LOCAL_MACHINE\software\classes\clsid\{b98f79f4-3619-49fb-a7e7-b737e58c5727}
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\{856d6a8e-a24c-498a-a55a-2b25c606a6b4}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{b98f79f4-3619-49fb-a7e7-b737e58c5727}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{856d6a8e-a24c-498a-a55a-2b25c606a6b4}
HKEY_LOCAL_MACHINE\software\netster

Reboot and try again!
0
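A way to script the check the asker did by eye, as an added example that is not part of any post in this thread: it scans the O2/O3/O9 lines of a HijackThis log for the CLSIDs and DLL names from the removal list above. The first sample reuses lines from the v1.98.2 log posted earlier; the two extra lines (including the `msupd32.dll` name and the `11111111-...` CLSID) are constructed for illustration.

```python
import ntpath
import re

# CLSIDs and file names copied from the removal list in the post above.
NETSTER_CLSIDS = {
    "359f7e49-1ea0-4671-92e9-61e32fe25c5e",
    "856d6a8e-a24c-498a-a55a-2b25c606a6b4",
    "acc63168-5876-439b-95bc-3bae59ca860c",
    "b98f79f4-3619-49fb-a7e7-b737e58c5727",
}
NETSTER_FILES = {"netster.dll", "_netster.dll", "netseter.dll"}

ENTRY_RE = re.compile(r"^(O2|O3|O9) - (.+)$")
GUID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")


def parse_entries(log_text):
    """Return (section, clsid, path) for each O2/O3/O9 line that carries a CLSID."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        guid = GUID_RE.search(m.group(2))
        if not guid:
            continue  # e.g. v1.97.7 O9 lines, which print no CLSID
        path = m.group(2)[guid.end():].lstrip(" -")
        path = re.sub(r"\s*\((file missing|no file)\)$", "", path)
        entries.append((m.group(1), guid.group(1).lower(), path))
    return entries


def find_netster(log_text):
    """Flag entries whose CLSID or DLL name is on the removal list."""
    hits = []
    for section, clsid, path in parse_entries(log_text):
        reasons = []
        if clsid in NETSTER_CLSIDS:  # survives a renamed DLL
            reasons.append("clsid")
        if ntpath.basename(path).lower() in NETSTER_FILES:
            reasons.append("filename")
        if reasons:
            hits.append({"section": section, "clsid": clsid,
                         "path": path, "reasons": reasons})
    return hits


# Lines taken from the v1.98.2 log posted in this thread.
THREAD_LOG = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
"""

# Constructed lines: a listed CLSID behind a renamed DLL, and a listed DLL name.
CONSTRUCTED_INFECTED = THREAD_LOG + r"""
O2 - BHO: (no name) - {B98F79F4-3619-49FB-A7E7-B737E58C5727} - C:\WINDOWS\System32\msupd32.dll
O3 - Toolbar: Search - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\System\_netster.dll
"""

if __name__ == "__main__":
    print("thread log hits:", find_netster(THREAD_LOG))
    for hit in find_netster(CONSTRUCTED_INFECTED):
        print(hit["section"], hit["reasons"], hit["path"])
```

An empty result on the thread's own log matches what the asker reported: none of the listed registrations are present.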
 

Author Comment

by:anant_27
ID: 12009476
Thank you for your response, I did find this help in the pest patrol website and tried to do what is suggested there.

There is no trace of netster/netseter, but if I type in some (not all) wrong URLs, then it takes me to the netster page.

Also I noticed another strange thing. My Yahoo Messenger would not connect to the internet sometimes, and after connection it would not let me add any new friends and not let me enter chat rooms. I don't know if the netster thing is related to my Yahoo Messenger or vice versa.

thanks
anantha
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12010294
anant.... tell me are u using Yahoo as ur start (home) page and search assistant ??
coz look at these entries,,,, it shows that ur search assistant and start page is handled by yahoo !!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com


so if u have set them urself, they can be OK, otherwise check them and click on Fix Checked !!
reboot and now check if any progress ??
0
 

Author Comment

by:anant_27
ID: 12010334
hello all:

thanks for the support you are providing me. Yes, I did remove the instances of Yahoo being my search engine. YM ! had installed it by default.

Anyways, here is something that I want you to try for me.

Can you please try to go to www.erecruting.com (Yes! erecruting and not erecruiting)? I have tried this on a couple of my roommates' PCs and they take me to a netster page!! I don't know why this happens to only a few specific wrong URLs and not others. I have tried typing junk in my address bar (both IE and Mozilla) but they don't take me to netster. But typing www.erecruting.com always takes me to netster. Do you agree with me on this? Can you try it?

thanks much
Anantha
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12010365
lol.... u are right... when i click on the above link ( www.erecruting.com )
it does take me to the Netster search page :)

i guess that site is down and that's why Netster is temporarily sitting at its place... or maybe some hacking shacking problem u know ;-D
0
 

Author Comment

by:anant_27
ID: 12010412
lol..........so do i get to keep my 500 points ??

It was indeed an interesting problem since there was no trace of netster on my system but it did take me to the netster page, and apparently netster has this quote:

"PLEASE NOTE: You may have arrived at this site because you mistyped your desired Internet address or domain name, or the web site you are seeking may not be operational. Please make sure you typed the address or domain name correctly. You may use the "Back" button on your browser to return to your previous page, or you may use our search engine to find your intended destination."

Anyways, I guess this problem exists in all systems including yours truly's !!! So I am safe for the moment from the netster attack.

thank you all anyways
Anantha
0
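The landing URL from the original question carries its own evidence for this conclusion, shown here as an added example that is not part of any post in the thread: the `Site` parameter is the Base64 of the mistyped hostname, so the landing page was built for that specific request, which is consistent with the typo domain itself forwarding visitors. The function names and the `remote`/`mismatch`/`unknown` labels are assumptions made for this sketch.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def decode_site_param(landed_url):
    """Return the hostname carried in the Site= parameter, or None."""
    values = parse_qs(urlsplit(landed_url).query).get("Site")
    if not values:
        return None
    # parse_qs turns '+' into a space; restore it, then repair stripped padding.
    token = values[0].replace(" ", "+")
    token += "=" * (-len(token) % 4)
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    decoded = decoded.strip().lower()
    return decoded if HOST_RE.match(decoded) else None


def normalise_host(typed):
    """Lower-case the typed address and drop scheme, path and a leading www."""
    host = urlsplit(typed if "://" in typed else "//" + typed).hostname or ""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def classify_redirect(typed, landed_url):
    """Compare what the user typed with what the landing URL says it was for."""
    carried = decode_site_param(landed_url)
    if carried is None:
        return "unknown"   # nothing in the URL ties it to the request
    if carried == normalise_host(typed):
        return "remote"    # landing page was generated for the typed domain
    return "mismatch"      # URL claims a different origin than what was typed


# URL exactly as posted in the question.
LANDED = "http://search.netster.com/Index.asp?Site=ZXJlY3J1dGluZy5jb20%3D"

if __name__ == "__main__":
    print(decode_site_param(LANDED))
    print(classify_redirect("www.erecruting.com", LANDED))
```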
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12010541
lolz yeah indeed it baffled me too much :-S
:D

>> so do i get to keep my 500 points ??
never mind go and get a refund, at least i have no objection as i was not able to solve ur problem, it still goes to NETSTER.... right ;-D

Happy Computing ^_^
0
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 15921377
PAQed with points (500) refunded

DarthMod
Community Support Moderator
0
