Microsoft hotmail spyware ADSAdClient Advertising Delivery Service

Susan Sharm

Do you know how to prevent the Microsoft Advertising Delivery Service
(ADSAdClient31.dll) from attempting to download EVERY single time we
log into our hotmail accounts and view any hotmail page?

On a brand new PC, I noticed that EVERY time I visit a hotmail page the
message comes up (which I cancel every time):
---------------------------------------
Opening ADSAdClient31.dll
You have chosen to open
ADSAdClient31.dll
which is a: Application Extension
from http://rad.msn.com

What should Netscape do with this file?
(x) Open with dllfile (default)
( ) Save to Disk
----------------------------------------
I googled and found that this is a well-known Microsoft Ad Server
spyware program (http://www.kuro5hin.org/story/2001/8/17/11541/1217)
but I did not find how to PREVENT it from installing! Apparently this
program pops up ads AFTER you view the web page! So it's a prime cause
of pop-up annoyances and is a known spyware program from Microsoft.

I tried putting 127.0.0.1 rad.msn.com into my hosts file but I STILL
get the annoying Microsoft Advertising Delivery Service download
attempt (which I cancel every time) when I visit any hotmail web page.

Someone out there must be an anti-spyware expert who can tell us how to
ELIMINATE the chance of this Microsoft-built adware/spyware?

PLEASE! If you are a Windows expert, you'll know how to stop this
program!

Thank you in advance,
Susan Sharm
 
Canopus

Susan said:
Do you know how to prevent the Microsoft Advertising Delivery Service
(ADSAdClient31.dll) from attempting to download EVERY single time we
log into our hotmail accounts and view any hotmail page?

On a brand new PC, I noticed that EVERY time I visit a hotmail page the
message comes up (which I cancel every time):
---------------------------------------
Opening ADSAdClient31.dll
You have chosen to open
ADSAdClient31.dll
which is a: Application Extension
from http://rad.msn.com

I hardly ever visit my Hotmail Page as I use OE to download and send via
Hotmail if I need to. However, after seeing your post I did visit it to
see what would happen. Nothing happened, no notice like you got, no pop-up
ads. I do have the Google Tool-bar with a pop-up stopper on it, but, it
didn't register any hits so nothing was attempted. Do you have MSN
Messenger installed? That could be doing it by activating when you visit
the Hotmail site.

Possibly the reason I'm not seeing it is because I have SpyBot Search and
Destroy installed and IE inoculated. Download SpyBot
http://www.spybot.info/ install it and update it, then run it to see if
you have any spy-ware and delete any you find. Then use its Inoculate
feature, it will load references to bad cookies into IE so you will never
download them and also load a list of dangerous web sites that can
download things behind your back like certain adverts.
 
J-Walker

Is there an ADSAdClient31.dll loaded on your machine? Find it, erase it.

Block all cookies, and allow only those you use.

Get CleanUp!. In Custom CleanUp! mode configure to Erase Recycle Bins,
Scan local drives for temporary files, CleanUp! All Users, and Fully
Erase (Wipe Clean).

Get Cookies Manager, configured to keep cookies you need & delete those
you don't.

Reboot.

CleanUp! - http://home.comcast.net/~sgould4567/software/cleanup/

Cookies Manager -
http://home.nordnet.fr/~pmdevigne/CookiesManager_e.html
 
Susan Sharm

steam3801 said:
Susan Sharm asked:
What happens when you use IE? or Firefox? It may be a Netscape
problem, not Microsoft/Windows.

Good suggestion. Since this is a very well known problem (judging from
the many google hits I found for it yesterday), there MUST be a
solution out there.

Following your helpful suggestion, I just doublechecked using all the
suggested browsers (IE 6.0.2900.2180.spxp_sp2_gdr.050301-1519, Netscape
8.0.2, & Firefox 1.0.6) by logging into my hotmail email account.

NETSCAPE:
For each repeated attempt to connect to the onerous Microsoft
Advertising Server (rad.msn.com), Netscape 8.0.2 constantly pops up
forms saying "That domain name cannot be found", probably due to the
127.0.0.1 loopback interface I added to the WinXP hosts file for that
Microsoft Repeat Advertising Server "rad.msn.com". So this is a
workaround, but, not a good one.

INTERNET EXPLORER:
Instead of popping up a separate dialog box, IE displays an inline
warning for every repeated Microsoft ADSAdClient Advertising Delivery
Service attempt, saying:

"The page cannot be displayed. The page you are looking for is
currently unavailable. The Web site might be experiencing technical
difficulties, or you may need to adjust your browser settings."

Again, this is probably due to the hosts file localhost loopback I
added for the rad.msn.com repeat advertising server.

FIREFOX:
Only in Firefox (my preferred browser), does the separate request to
download the Microsoft Advertising Server dynamic linked library (dll)
repeatedly pop up as noted in the original posting (even though I have
the rad.msn.com site listed in my standard hosts file from
http://www.infonomicon.org/text/hosts).

IMPORTANT NOTE:
This rad.msn.com (spyware adware trojan) is so very commonly a problem
for so many users that it is in almost all (if not all) hosts files I
could find on the Internet, for example all these have "rad.msn.com"
redirected to localhost!
http://forums.springheadmedia.com/PHPexamples/viewtopic.php?p=38
http://www.genericgeek.com/index.php?q=node/538
http://forums.us.dell.com/supportforums/board/message?board.id=si_hijack&message.id=16799

END RESULT:
1. This is a very well known problem which the spybot and others fail
to remove (according to my google searches) but which can be worked
around for all but the Firefox browser by redirecting the loopback for
the rad.msn.com repeat advertising server.

2. For now, I'm forced to use Netscape or (heaven forbid) IE as my
browser but I really really prefer Firefox (and so do many other people)
so I think this is still a problem that isn't solved yet (for Firefox).

3. Since this is so very well known, anyone who tested it who does NOT
see the problem is probably ALREADY infected! Apparently the standard
Ad-Aware, Spybot Search & Destroy, SpywareBlaster, etc programs can
REMOVE the problem but they can't PREVENT the annoyance each time
(which is the main intent) as noted in many google searches today.
http://defectivehw.blogspot.com/2005/04/msn-messenger-7-is-out.html
http://forums.serverlogistics.com/viewtopic.php?p=522&sid=82f7afe392df201533f5ec9d90873603
http://forums.spywareinfo.com/lofiversion/index.php/t45897.html

So, I think we STILL have a huge problem considering the millions of
hotmail users who also use any of the browsers above (Firefox is the
worst, but it's not transparent even on IE or Netscape).

I do very much thank you for the advice (which I've followed to a T,
having had all the spyware/adware scanners & blockers already
installed); what we still need is a Windows expert who can solve this
problem for the millions of us who use Hotmail and any of the three
browsers above.

Do experts know how to totally prevent the Microsoft Ad Delivery
Service from bothering the user EVERY time they log into their Hotmail
account on Firefox?

Thank you in advance, for all of us,
Susan Harm
 
Susan Sharm

J-Walker said:
Is there an ADSAdClient31.dll loaded on your machine? Find it, erase it.

There is MORE than just the Microsoft spyware ADSAdClient31.dll on an
infected system.

Apparently, based on my google searches, anyone who does NOT get the
request, is ALREADY infected!

So, only the lucky (uninfected) people see the request.

Checking for the following files should give you a good idea on whether
or not you've been infected by the Microsoft repeat advertising server
(rad.msn.com) software:

ADSInet.dll
Accipiter.Ini
ADSAdClient31.dbg
ent31.dll
SYSTEM\CurrentControlSet\Services\EventLog\Application\ADSAdClient31
SYSTEM\CurrentControlSet\Services\ADSAdClient31 ADSAdClientPerf31

Based on my google searches of the web and google groups, it's going to
take a real expert to solve this problem TRANSPARENTLY without being
infected!

Thank you in advance for your help for all of us,
Susan Harm
 
J-Walker

Thanks for the heads up, Susan.

A Desktop search for the .dlls, and .dbg files came up negative,
however, both registry items were present. They're gone now. :blush:)
 
Kerry Brown

Susan Sharm said:
Do you know how to prevent the Microsoft Advertising Delivery Service
(ADSAdClient31.dll) from attempting to download EVERY single time we
log into our hotmail accounts and view any hotmail page?

On a brand new PC, I noticed that EVERY time I visit a hotmail page the
message comes up (which I cancel every time):
---------------------------------------
Opening ADSAdClient31.dll
You have chosen to open
ADSAdClient31.dll
which is a: Application Extension
from http://rad.msn.com

What should Netscape do with this file?
(x) Open with dllfile (default)
( ) Save to Disk
----------------------------------------
I googled and found that this is a well-known Microsoft Ad Server
spyware program (http://www.kuro5hin.org/story/2001/8/17/11541/1217)
but I did not find how to PREVENT it from installing! Apparently this
program pops up ads AFTER you view the web page! So it's a prime cause
of pop-up annoyances and is a known spyware program from Microsoft.

I tried putting 127.0.0.1 rad.msn.com into my hosts file but I STILL
get the annoying Microsoft Advertising Delivery Service download
attempt (which I cancel every time) when I visit any hotmail web page.

Someone out there must be an anti-spyware expert who can tell us how to
ELIMINATE the chance of this Microsoft-built adware/spyware?

PLEASE! If you are a Windows expert, you'll know how to stop this
program!

I have just tested two computers. Both can visit hotmail with no problems.
There are no signs of this infection before or after visiting hotmail. I
searched for the files and registry entries you indicated in another post
both before and after visiting hotmail with IE and Firefox. Something other
than visiting hotmail is causing your problem. You have something installed
that is triggered by visiting hotmail. Looking at a google search I don't
draw the same conclusions you do. If anything most people have solved the
problem by running an antivirus scan. The virus is found by various names.
It appears to be a Java trojan of some sort. The other common item is most
of the people complaining had installed 3rd party add ons for Messenger.
Also most of the infected computers had a host file entry for rad.msn.com
that was suspicious. This may be the virus redirecting a legitimate site. I
would use LSPFix or MSAS Beta or something similar to check the Winsock
LSP's for anything suspicious. Then I would make sure my antivirus was up to
date and run a scan from safe mode.

Kerry
 
Canopus

Susan said:
Apparently, based on my google searches, anyone who does NOT get the
request, is ALREADY infected!

So, only the lucky (uninfected) people see the request.

Checking for the following files should give you a good idea on whether
or not you've been infected by the Microsoft repeat advertising server
(rad.msn.com) software:

ADSInet.dll
Accipiter.Ini
ADSAdClient31.dbg
ent31.dll
SYSTEM\CurrentControlSet\Services\EventLog\Application\ADSAdClient31
SYSTEM\CurrentControlSet\Services\ADSAdClient31 ADSAdClientPerf31

Well I don't get the request, none of those files are on my PC and I don't
get any adverts served out of the blue while on the Hotmail site or after
I navigate away from it. Should I be concerned that I'm not getting the
request and I don't get the pop-up ads? Am I infected? What can I do
about this complete lack of evidence that I am infected by no pop-ups or
ad server ads?
 
Jbob

Same here and I don't see the site listed in my current MVPS host file
either. I would say if it was in most if not all Hosts files it would be in
that one.
 
Bob Thompson

Jbob said:
Same here and I don't see the site listed in my current MVPS host file
either. I would say if it was in most if not all Hosts files it would be in
that one.

I'm confused. Can someone summarize what the two problems are?

I don't think viruses or Windows setup have anything to do with the
problems since Microsoft openly admits to the use of both the
ADSAdClient Advertising Delivery Service dll files and to the redirect
to their rad.msn.com redirect advertising service.

It seems there are TWO problems all mixed up.
- Microsoft has a bunch of ways to force you to go to rad.msn.com
- One of those ways is to install the ADSAdClient Advertising Delivery
Service

There seems to be no doubt of these two problems but are they really
related?
What does one have to do with the other (they seem separate to me)?

Is the problem that the users get asked only once?
That would explain why some people don't get the request for the
installation and others don't because they are infected already.

Since this is a "legitimate" Microsoft service, it would seem that
people who say they don't get asked are doing something different
because Microsoft would not arbitrarily pick people at random to
infect?

It's all so confusing to me.
Interestingly I found I had the registry entries but not the files so
maybe my freeware downloaded malware cleaners did half a cleanup job.

Since so many people report the problem, it must be real.
But, what is the real problem?
Can someone summarize what the two problems are?
 
Bob Thompson

Canopus said:
What can I do about this complete lack of evidence that I am infected
by no pop-ups or ad server ads?

I'm confused too.

It seems obvious that there definitely is a "legitimate" Microsoft
ADSAdClient Advertising Delivery Service and there definitely is a
"legitimate" rad.msn.com redirect advertising site run by Microsoft.
But why?

My question is what is the real PURPOSE of these two "legitimate"
things!

Will someone please summarize what the PURPOSE of these two Microsoft
actions are (the downloaded programs & registry keys vs the redirected
advertisements once the programs are downloaded)?

What does Microsoft get out of these two confusing things?
 
Jbob

I think someone earlier up the thread asked something about MSN. I only use
Hotmail and not MSN so perhaps that might be one probable cause. I just
went to hotmail.com again and still nothing in my registry and none of those
files present.
 
Kerry Brown

Bob Thompson said:
I'm confused. Can someone summarize what the two problems are?

I don't think viruses or Windows setup have anything to do with the
problems since Microsoft openly admits to the use of both the
ADSAdClient Advertising Delivery Service dll files and to the redirect
to their rad.msn.com redirect advertising service.

It seems there are TWO problems all mixed up.
- Microsoft has a bunch of ways to force you to go to rad.msn.com
- One of those ways is to install the ADSAdClient Advertising Delivery
Service

There seems to be no doubt of these two problems but are they really
related?
What does one have to do with the other (they seem separate to me)?

Is the problem that the users get asked only once?
That would explain why some people don't get the request for the
installation and others don't because they are infected already.

Since this is a "legitimate" Microsoft service, it would seem that
people who say they don't get asked are doing something different
because Microsoft would not arbitrarily pick people at random to
infect?

It's all so confusing to me.
Interestingly I found I had the registry entries but not the files so
maybe my freeware downloaded malware cleaners did half a cleanup job.

Since so many people report the problem, it must be real.
But, what is the real problem?
Can someone summarize what the two problems are?

I had some time to do a bit more research. It appears that this is a MS dll
that may be part of MSN. Other sites use it as well. It is to do with
serving banner ads not popups. I think it is supposed to run on the server
or possibly temporarily on the client as part of a java app. There is a
known buffer overflow exploit that could possibly be used to take over the
server. There is sample code in the wild to do this. It looks like one or
more current malware apps are trying to take advantage of this exploit.

Kerry
 
Alceryes

Someone out there must be an anti-spyware expert who can tell us how to
ELIMINATE the chance of this Microsoft-built adware/spyware?


It seems to not be a problem with a windows service per se, but an exploit
(or an attempted exploit) of this service by some virus/spyware/adware on
your system.
I use hotmail regularly (both in OE and via IE) and cannot find any of these
files or registry keys on my system.
 
Daniel Crichton

Bob wrote on 31 Oct 2005 14:30:21 -0800:
I'm confused too.

It seems obvious that there definitely is a "legitimate" Microsoft
ADSAdClient Advertising Delivery Service and there definitely is a
"legitimate" rad.msn.com redirect advertising site run by Microsoft.
But why?

My question is what is the real PURPOSE of these two "legitimate"
things!

Will someone please summarize what the PURPOSE of these two Microsoft
actions are (the downloaded programs & registry keys vs the redirected
advertisements once the programs are downloaded)?

What does Microsoft get out of these two confusing things?


The legitimate one doesn't download any programs, or create registry keys -
the DLL is an ISAPI DLL that runs on the rad.msn.com server and spits out
some Javascript/HTML with a banner ad, and is used on Hotmail, MSN, and
possibly other sites. That's all it does.

It's possible that the attempted download of the DLL was a server glitch -
instead of executing the ISAPI DLL on the server it decided to send the
binary instead - in which case it's still harmless as the DLL would end up
in the TIF folder and do nothing else. There are however some posts on the
web in forums which indicate prior infection by something more malign, that
adds an entry to the hosts file to redirect requests to rad.msn.com to a
different IP (the one I saw earlier pointed to an IP that resolved to an
address in ev1servers.net) where a subsequent visit to Hotmail would cause a
malicious DLL with the same name as the MS ISAPI one to be downloaded to the TIF,
however it would still require a process on the PC to then do something with
that DLL.

Dan
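
Added example, not part of any post in this thread: a small audit of a hosts file for the condition Kerry and Dan describe, where rad.msn.com is mapped to an address other than the local machine, as opposed to a user's own 127.0.0.1 block. The `WATCHED` set, the function names and the sample file contents are constructed for illustration.

```python
import ipaddress
import os

WATCHED = {"rad.msn.com"}  # hostname from the thread; add others as needed

# Constructed sample, not taken from any real machine.
SAMPLE = """\
# constructed hosts file
127.0.0.1    localhost
127.0.0.1    rad.msn.com      # user-added block, as in the thread
203.0.113.7  RAD.MSN.COM      # non-local mapping: the case to investigate
0.0.0.0      ads.example.invalid
10.0.0.5     fileserver.example.invalid
not-an-ip    something
"""

def classify(addr):
    """'sinkhole' for loopback/unspecified addresses, otherwise 'redirect'."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on junk
    return "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"

def audit_hosts(text, watched=WATCHED):
    """Return (line, address, name, kind) for every mapping worth a look:
    any name sent to a non-local address, plus watched names in any form."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comment, tokenise
        if not fields:
            continue
        addr = fields[0]
        try:
            kind = classify(addr)
        except ValueError:
            findings.append((lineno, addr, None, "malformed"))
            continue
        for name in (n.lower().rstrip(".") for n in fields[1:]):
            if kind == "redirect" or name in watched:
                findings.append((lineno, addr, name, kind))
    return findings

def hijacked(findings, watched=WATCHED):
    """Watched names that resolve somewhere other than the local machine."""
    return sorted({n for _, _, n, k in findings if k == "redirect" and n in watched})

def default_hosts_path():
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"

if __name__ == "__main__":
    with open(default_hosts_path(), encoding="utf-8", errors="replace") as fh:
        for finding in audit_hosts(fh.read()):
            print(finding)
```

A `redirect` finding for a watched name is the one to follow up with an antivirus scan; `redirect` findings for other names are listed so that intentional intranet entries can be told apart from unexpected ones.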
 
