Ahhh Netster's got me Please Help

Discussion in 'adware, spyware & hijack cleaning' started by Aosi, Apr 22, 2004.

Thread Status:
Not open for further replies.
  1. Aosi

    Aosi Registered Member

    Joined:
    Apr 22, 2004
    Posts:
    4
    Listed is the file from HiJackThis... I've ran Adaware, Spybot and Spyblaster. But if I mistype an address in my address bar, it takes me to im.Netster.com. I've checked and made sure that Google is my default search engine. It does this in IE 6.0, Mozilla and FireFox.

    Thanks in advance for any help.

    Logfile of HijackThis v1.97.7
    Scan saved at 6:33:44 PM, on 4/22/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\gearsec.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\Desktop Architect\datray.exe
    C:\WINNT\twain_32\S6U12BX\WATCH.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Unzipped\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wblivesurf.com/main_wxflash.cfm
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Watch.lnk = C:\WINNT\twain_32\S6U12BX\WATCH.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38068.9359606481
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Aosi,

    There is no apparent reason for that to happen in your log.

    Please surf to http://www.billsway.com/vbspage/ and scroll down to
    Registry Search Tool
    Download, unzip and run RegSrch.vbs
    Copy and paste this in the dialog box: netster.com

    After a while a prompt will come up. Click OK to write the results to wordpad and post them.

    Regards,

    Pieter
     
  3. Aosi

    Aosi Registered Member

    Joined:
    Apr 22, 2004
    Posts:
    4
    Pieter,

    Thanks for the info... I ran the VB program, and it came back saying that No instances of Netster.com were found (sorry there didn't seem to be a file produced to copy and paste) however; below is the site that I'm sent to if I misspell an address in my address bar.

    hxxp://it.netster.com/Index.asp?Site=d2VjdHR2LmNvbQ==

    Thanks,
    Aosi
     
    Last edited by a moderator: Apr 23, 2004
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    In HijackThis click Config > Misc Tools > generate Startuplist
    This will create a text file. Post the content of that one please.

    Regards,

    Pieter
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  6. doxboi

    doxboi Guest

    Ok, but how do you keep Netster from downloading on workstations using Spyware blaster? I find the setup and configuring a little confusing. How do youblock things like netster from even installing? I could not find a way to find CLSID's without actually going to pestcontrol (or some other anti-spyware site) for the CLSID. I would think the only other way is to download spy and ad ware and get the info. This would not be easy to the basic home user.
     
  7. Aosi

    Aosi Registered Member

    Joined:
    Apr 22, 2004
    Posts:
    4
    Once again thank you for your attention Pieter, Below is the script from HiJackThis that you asked for.

    StartupList report, 4/23/2004, 7:09:12 PM
    StartupList version: 1.52
    Started from : C:\Unzipped\HijackThis.EXE
    Detected: Windows 2000 SP4 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\gearsec.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Desktop Architect\datray.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\twain_32\S6U12BX\WATCH.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Unzipped\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    Watch.lnk = C:\WINNT\twain_32\S6U12BX\WATCH.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    nwiz = nwiz.exe /install
    UpdReg = C:\WINNT\UpdReg.EXE
    AHQInit = C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
    Jet Detection = "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    AVG_CC = C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    IntelliPoint = "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    Zone Labs Client = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    NvCplDaemon = RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    Synchronization Manager = mobsync.exe /logon
    SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    NvMediaCenter = RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    Desktop Architect = "C:\Program Files\Desktop Architect\datray.exe" -S

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINNT\system32\HELLFI~1.SCR
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Download Program Files:

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [InstallShield Setup Player 2K2]
    CODEBASE = http://www.ipswitch.com/_installs/wsftp_le/setup.exe

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38068.9359606481

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
    CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [iTunesDetector Class]
    InProcServer32 = C:\Program Files\iTunes\ITDetector.ocx
    CODEBASE = http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\WINNT\system32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    End of report, 5,508 bytes
    Report generated in 0.703 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  8. Aosi

    Aosi Registered Member

    Joined:
    Apr 22, 2004
    Posts:
    4

    Hey Doxboi,

    I agree about things being confusing, I'm not exactly a "basic" home user but I'm not an IT or a systems person either but somewhat savvy. I sent several nasty emails to Netster.com to which I got one reply where the guy called me a "f*cking Retard" and that Netster.com is running a campain... yata...yata and that I must have requested and answered Okay for them to install this crap on my pc... needlesstosay I reply'd with my own little nasty gram.. At any rate I guess Running all the spy/ad software, virus detection, firewalls is about all you can do, and be careful about what you download and run on your system, I feel pretty sure that, that is how I got it... o_O a program called MYIE2o_O But the people on this forum have been real nice and very helpful.. Kutos to you all!

    Aosi
     
Thread Status:
Not open for further replies.