Ad Serve


Guest

How do I get rid of an infestation of unsolicited advertisements from Microsoft Ad Serve? (I have a pop-up stopper but Microsoft apparently has installed a tracker or something on my PC that circumvents it.)

Juris Zagarins
 
Never heard of Microsoft Ad Serve. I don't think it's MS doing this. Sounds
like spyware or messenger service popup ads.


Sounds like spyware or a home page hijacker.

Run these tools weekly
spybot -- http://www.safer-networking.org/
ad-aware -- http://www.lavasoftusa.com/
HiJackThis - http://mjc1.com/mirror/hjt/



Secure your hacker prone computer:

If they say messenger service in the title bar, these pop-ups have nothing
to do with MSN Messenger or Windows Messenger. What this is is a new way for
spammers to attack your computer and send you pop-up ads. If you receive
these ads it means that your computer's NetBIOS ports are wide open to the
internet and this could be a real security problem. What you should do is
install a good firewall that will block the ports the spammers use and stop
the ads. A good place to start is Zone Alarm ( www.zonelabs.com ) for an
inbound/outbound blocking firewall or use the inbound blocking only firewall
built in to XP. If needed, configure the firewall to block ports 135, 137-139
and 445. Zone Alarm will block these ports by default.

Use this site to test some of your ports security:
https://grc.com/x/ne.dll?bh0bkyd2

You can/should also disable the messenger service, which is the service the
spammers exploit, but it isn't needed to stop the ads and disabling the
service will not block the open NetBIOS ports.

Note: If the Messenger service is stopped, messages from the Alerter
service (notifications from your antivirus software, for example) are
not transmitted. If the Messenger service is turned off, any services
that explicitly depend on the Messenger service do not start, and an
error message is logged in the System event log. For this reason,
Microsoft recommends that you install a firewall and configure it to
block NetBIOS and RPC traffic instead of turning off the Messenger
service. To turn off the service, go to Control Panel, Administrative Tools,
Services, find Messenger, right click, Properties, hit the Stop button, set
startup type to Manual or Disabled. (Be sure to stay patched at Windows
Update as well.)

If the pop-ups appear while surfing web pages then download and install one
of the many pop-up blocker programs. Search www.download.com for popup
blocker; you'll find many free ones.

Also get a good spyware cleaner:

Spybot - http://www.safer-networking.org/

Ad-aware - http://www.lavasoft.com
 
Microsoft DID NOT do this to you, spammers just love to hide
behind the name.

Get SpyBot Search and Destroy from www.safer-networking.org
Also, get Ad-Aware from www.lavasoftusa.com

These are free and either one should remove the
spyware/adware.

I installed SpyBot on a neighbor's computer and it found 384
evil files; afterward her computer ran very much faster.

Also get a good firewall, I use the free version of Zone
Alarm www.zonelabs.com


| How do I get rid of an infestation of unsolicited
| advertisements from Microsoft Ad Serve? (I have a pop-up
| stopper but Microsoft apparently has installed a tracker or
| something on my PC that circumvents it.)
|
| Juris Zagarins
 
Juris said:
How do I get rid of an infestation of unsolicited advertisements from
Microsoft Ad Serve? (I have a pop-up stopper but Microsoft apparently
has installed a tracker or something on my PC that circumvents it.)

Juris Zagarins

I don't think Microsoft has installed a tracker on your PC. Remove
spyware with Spybot Search & Destroy from www.security.kolla.de and
Ad-aware from www.lavasoftusa.com. Be sure to update these programs
before running them. It is best to run antivirus and spyware removal
tools in Safe Mode. Be sure you have a current (post-2002 version using
updated definitions) antivirus program installed.

Cheers,

Malke
 
Thanks, guys!

I've run everything you suggested and nothing works. Now this is what "hijackthis" found. Is there anything in this list for me to delete?

Juris

Logfile of HijackThis v1.97.7
Scan saved at 10:33:32, on 2004.01.18.
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\LinguaType European\Pianists.exe
C:\Program Files\Tildes Datorvardnica\mdiction.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\WINDOWS\system32\pgtools\tatss.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\DinhAH.exe
C:\WINDOWS\System32\Qdrc4j1S.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AproposClient\Apropos.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\explorer.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.lv/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://news.google.lv/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D69A6D29-9163-4201-97F9-7A1A19D9974E} - C:\WINDOWS\System32\phnetcfg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O3 - Toolbar: (no name) - {5BBD3ACC-93E7-4586-A5CE-6763E14D570E} - (no file)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Pianists] C:\Program Files\LinguaType European\Pianists.exe
O4 - HKLM\..\Run: [WLUser] "C:\Program Files\WinLogs\USetup\UStarter.exe" "WinLogs" "C:\Program Files\WinLogs\USetup\Unisetup.exe"
O4 - HKLM\..\Run: [mdiction] C:\Program Files\Tildes Datorvardnica\mdiction.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [3TJ2MNK3TQ52GT] C:\WINDOWS\System32\QoleC1Kc.exe
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [Tat] C:\WINDOWS\system32\pgtools\tatss.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Pianists] C:\Program Files\WinLogs\Pianists.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe
O4 - Startup: Mopy Points Collector.lnk = C:\MOPYFISH\GETPOINT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Common Files\Verizon Online\ConnMgr\Verizon Online.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0806ec5889767aa89f00/netzip/RdxIE6.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.clarkcolor.com/ClarkUploader.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37559.799224537
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security3.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
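
A HijackThis log like the one posted above can be triaged mechanically before anyone reads it line by line. The following is an added example, not part of the original thread: it parses the `R`/`O` entry format and lists entries worth a manual look, using three heuristics that are assumptions of this example (entries whose target is `(no file)`, hosts-file overrides, and ActiveX controls downloaded from a bare IP address). The sample log is constructed, and a listed entry still has to be researched before anything is deleted.

```python
import re

# Section codes as HijackThis labels them (only the ones this example reports on).
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "URL search hook", "O1": "hosts file redirect",
    "O2": "browser helper object", "O3": "IE toolbar",
    "O4": "autostart entry", "O16": "downloaded ActiveX control",
}

LINE_RE = re.compile(r"^([RO]\d{1,2}) - (.*)$")
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]")

def triage(log_text):
    """Return (code, reason, detail) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, running-process list or blank line
        code, detail = m.groups()
        if detail.endswith("(no file)"):
            findings.append((code, "orphaned: target file missing", detail))
        elif code == "O1":
            findings.append((code, "hosts file overrides DNS", detail))
        elif code == "O16" and RAW_IP_URL.search(detail):
            findings.append((code, "ActiveX fetched from bare IP", detail))
    return findings

# Constructed sample in HijackThis 1.97 format (CLSIDs, hosts and IPs are made up).
SAMPLE = """\
Logfile of HijackThis v1.97.7
Running processes:
C:\\WINDOWS\\explorer.exe
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://example.org/
R3 - URLSearchHook: (no name) - _{00000000-0000-0000-0000-000000000001} - (no file)
O1 - Hosts: 192.0.2.10 search.example.com
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\\Program Files\\Example\\helper.dll
O16 - DPF: {00000000-0000-0000-0000-000000000003} (Demo Class) - http://192.0.2.20/pkg/demo.cab
O16 - DPF: {00000000-0000-0000-0000-000000000004} (Other Class) - http://download.example.com/x.cab
"""

if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE):
        print(f"{code:<4}{SECTIONS.get(code, '?'):<28}{reason}: {detail}")
```
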
 
