
Ad Serve


Juris Zagarins

Jan 18, 2004, 2:26:05 PM
My XP is infested with something called "Ad Serve - Microsoft Internet Explorer Provided By Verizon Online". It serves up unsolicited advertisements in windows frames and I need to get rid of it. (Other users of my LAN are not infested). AdAware and SpyBot and SpyWareBlaster do not work. So I ran HijackThis and the following is the log it gave me. Does anybody here see anything worth deleting?

Juris

Logfile of HijackThis v1.97.7
Scan saved at 10:33:32, on 2004.01.18.
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\LinguaType European\Pianists.exe
C:\Program Files\Tildes Datorvardnica\mdiction.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\WINDOWS\system32\pgtools\tatss.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\DinhAH.exe
C:\WINDOWS\System32\Qdrc4j1S.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AproposClient\Apropos.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\explorer.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.lv/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://news.google.lv/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D69A6D29-9163-4201-97F9-7A1A19D9974E} - C:\WINDOWS\System32\phnetcfg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O3 - Toolbar: (no name) - {5BBD3ACC-93E7-4586-A5CE-6763E14D570E} - (no file)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Pianists] C:\Program Files\LinguaType European\Pianists.exe
O4 - HKLM\..\Run: [WLUser] "C:\Program Files\WinLogs\USetup\UStarter.exe" "WinLogs" "C:\Program Files\WinLogs\USetup\Unisetup.exe"
O4 - HKLM\..\Run: [mdiction] C:\Program Files\Tildes Datorvardnica\mdiction.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [3TJ2MNK3TQ52GT] C:\WINDOWS\System32\QoleC1Kc.exe
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [Tat] C:\WINDOWS\system32\pgtools\tatss.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Pianists] C:\Program Files\WinLogs\Pianists.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe
O4 - Startup: Mopy Points Collector.lnk = C:\MOPYFISH\GETPOINT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Common Files\Verizon Online\ConnMgr\Verizon Online.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0806ec5889767aa89f00/netzip/RdxIE6.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.clarkcolor.com/ClarkUploader.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37559.799224537
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security3.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab


siljaline

Jan 18, 2004, 3:02:18 PM

"Juris Zagarins" <anon...@discussions.microsoft.com> wrote:
> My XP is infested with something called "Ad Serve - Microsoft Internet Explorer
> Provided By Verizon Online". It serves up unsolicited advertisements in windows
> frames and I need to get rid of it. (Other users of my LAN are not infested).
> AdAware and SpyBot and SpyWareBlaster do not work. So I ran HijackThis and the
> following is the log it gave me. Does anybody here see anything worth deleting?
>
> Juris

<snipped>

Please post your logs in a Forum that can offer Expert help.
As follows: (your choice) - *all offer excellent Spyware Support* -
http://forums.spywareinfo.com/
http://tomcoyote.org/forums/
http://www.lavasoftsupport.com/
http://forums.net-integration.net/
http://boards.cexx.org/
http://www.dslreports.com/forum/security,1

Regards & good luck.


--
siljaline

MS - MVP Windows IE/OE
______________________

(Reply to group, as return address
is invalid - that we may all benefit)


George Hester

Jan 19, 2004, 12:01:35 AM
You are really full of so much junk it is impossible to list it all here. You just have too much junk, man. Real, Verizon, Symantec: a lot of junk. Why do you need all that Verizon stuff? I used Verizon, used their DSL software (can't recall the name right now), and I didn't have all that junk.

--
George Hester
__________________________________
"Juris Zagarins" <anon...@discussions.microsoft.com> wrote in message news:0CDC5E4A-36DA-4688...@microsoft.com...

Sandi - Microsoft MVP

Jan 24, 2004, 9:20:49 AM
"siljaline" <silj...@spamco.com> wrote in message
news:Oqc5$7f3DH...@TK2MSFTNGP11.phx.gbl...

> Please post your logs in a Forum that can offer Expert help.

Should we be offended?? <g>


--
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://www.mvps.org/inetexplorer


siljaline

Jan 24, 2004, 10:10:21 AM

"Sandi - Microsoft MVP" <sandi_h...@mvps.org> wrote:
> "siljaline" <silj...@spamco.com> wrote in message
> news:Oqc5$7f3DH...@TK2MSFTNGP11.phx.gbl...
>
> > Please post your logs in a Forum that can offer Expert help.
>
> Should we be offended?? <g>

Not at all, Sandi - IMO - "Hijack This" logs and others really should be
looked at by folks at Spyware Info, etc.
There's not enough of us floating around that are well enough equipped
to fully respond to those sorts of requests.

Caus101

Jan 27, 2004, 12:11:45 PM

Well, here are a few ad/spyware files that I noticed while scrolling
through your hijack report.


C:\Program Files\AproposClient\Apropos.exe

C:\Program Files\AproposClient\AproposPlugin.dll


C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe

But don't take my word for it, do a search on these exe files that
these programs refer to: apropos, incredifind, clocksync.

My first suggestion would be to DL a free program called Bazooka
Scanner. This program will search for ad/spyware on your system but it
will not remove it for you. It does, however, instruct you on how to
manually remove the afflicting programs. Second, since manual removal
of registry files is a cumbersome task, I would find out why Ad Aware
wasn't working and get it up and running again.

My last recommendation would be to DL Zone Alarm as a software firewall.
Zone Alarm requires that programs ask permission before accessing the
internet. This will help monitor if there are programs trying to
push (spyware) or pull (adware) information. Though this will not be able
to prevent ad/spyware if the program has integrated itself in the
Internet Explorer program.

I have used spybot as well as other free ad/spyware scanner/remover
programs and find that Bazooka and Ad Aware in conjunction with Zone
Alarm works best. But maybe for me the keyword here is Free.

I was, however, surprised to see that you didn't have Precision Time as
one of the files. Precision Time and Clock Sync are commonly found
together.

Well now I'm just rambling. Hope this helps.

Caus


Caus101
------------------------------------------------------------------------
Posted via http://www.mcse.ms
------------------------------------------------------------------------
View this thread: http://www.mcse.ms/message296839.html
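
Added example, not part of the thread and not any poster's code: a small triage pass over HijackThis entries that looks for the three names listed in the reply above (apropos, incredifind, clocksync). It also matches the 8.3 short-path form, which is why a plain text search for "incredifind" finds nothing in this log, and notes "(no file)" leftovers. The names `triage` and `short_name_pattern` are hypothetical, and only the common first-six-characters short-name form is covered.

```python
import re

# Names from the reply above; the matching logic is this example's assumption.
WATCHLIST = ("apropos", "incredifind", "clocksync")

# Sample input: six lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {5BBD3ACC-93E7-4586-A5CE-6763E14D570E} - (no file)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe
"""

# A HijackThis entry is "<section code> - <details>", e.g. "O2 - BHO: ...".
ENTRY = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")


def short_name_pattern(name):
    """Match a long name or its common 8.3 alias (first six chars + ~digit)."""
    alias = re.escape(name[:6]) + r"~\d"
    return re.compile("(?:%s|%s)" % (re.escape(name), alias), re.IGNORECASE)


PATTERNS = {name: short_name_pattern(name) for name in WATCHLIST}


def triage(log_text):
    """Return (code, reason, body) for each entry that deserves a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        code, body = m.group("code"), m.group("body")
        for name, pattern in PATTERNS.items():
            if pattern.search(body):
                findings.append((code, "watchlist:" + name, body))
        if body.endswith("(no file)"):
            # The registry entry points at a file that is no longer on disk.
            findings.append((code, "orphan", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print("%-4s %-22s %s" % (code, reason, body))
```

A hit here is a prompt to look the file up before removing anything, not a verdict on it.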

thedoc44

Feb 17, 2004, 8:45:57 PM

If anyone has a solution to the Ad Serve/adsrve problem, please let me
know!!

Tom
thed...@mindspring.com

siljaline wrote:

> "Juris Zagarins" <anon...@discussions.microsoft.com> wrote:
> > My XP is infested with something called "Ad Serve - Microsoft Internet Explorer
> > Provided By Verizon Online". It serves up unsolicited advertisements in windows
> > frames and I need to get rid of it. (Other users of my LAN are not infested).
> > AdAware and SpyBot and SpyWareBlaster do not work. So I ran HijackThis and the
> > following is the log it gave me. Does anybody here see anything worth deleting?
> >
> > Juris
>
> <snipped>
>
> Please post your logs in a Forum that can offer Expert help.
>
> --
> siljaline
>
> MS - MVP Windows IE/OE
> ______________________
>
> (Reply to group, as return address
> is invalid - that we may all benefit)


thedoc44
