#1
Which one is causing you trouble (sorry, it was not quite clear to me)?
Jooske suggested that I search my zones to see if d/l and/or searchalot were "allowed" in any zone. In the content advisor for allowed sites I have 8 listed. One that I wasn't sure of because I already have an msn site, but the other was arc5.msn.com. The site that I have no idea who it belongs to is view.atdmt.com. When I searched it I found that Geocities page and from what I read there it's listed as a spammer site I do believe, but I'm not sure. So I don't know if I should remove it or not.

in HOSTS there are a lot of lines like for example:
127.0.0.1 view.atdmt.com
all those lines begin with 127.0.0.1 that is your own computer

Are you saying that the view.atdmt.com is ok and leave it there?

OK, I found this:
view.atdmt.com in the group Avenue [iballs]
arc5.msn.com in the group Not-for-everyone
and there is no site mentioned in my HOSTS with adtmt in it.

I'm not sure what this means, "Not-For-Everyone", do I leave this arc5 site alone?

I d/l'd IE6 from my Windows Update in my start menu along with all security patches and updates from them as well, including the one from a few days ago.

So now my main issue is should I continue to search for d/l and searchalot on my pc and remove it or should I install the IE-Spyad and block it? And how to identify which hosts are not ok to have in the "allowed" zones. I ask that because of the adtmt site that is allowed. I haven't checked the other zones yet. I left my window open at content advisor.

Jooske, I haven't been back to the MS newsgroups, I like the help I'm receiving here better!

Thnx, Lori
__________________
Avatar by: Eldar ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I'm from Cleveland I'm a mom of 4 I'm in college And I have a job! Holy Crap, I'm a tax paying divorced mother of four going to college...in cleveland...yah...you don't see that too much here! Have a nice day!
#2
Hi Lori,
HOSTS is a completely different thing than your Internet Zones in Internet Explorer. I do not know how to get rid of your problem, sorry! Others might be of more help here.

Do I understand you right that view.atdmt.com is in your trusted zone of Internet Explorer? I do know one thing for sure: that site view.atdmt.com should definitely not be in your trusted zone of IE. I also see no reason why arc5.msn.com should be there, but it seems to me that that is not the main issue here.

Do I understand it right that you have 8 sites mentioned in your trusted zone of IE? Could you give the names of them here? For some of them there might be a good reason why they are there (for example: I have this forum site put in there).

I suggest that you install IE-SPYAD and put everything in the restricted zone of IE at the highest possible security. Go to the following site of Eric Howes to download it and to get more info about it and how to put everything in your restricted zone on the highest possible security: http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

Another question: Is ActiveX disabled or enabled in your internet zone?
#3
Hi,
ActiveX is disabled on everything. These sites are under content advisor then settings, listed as approved sites:

arc5.msn.com
e.my.yahoo.com
go.msn.com
loginnet.passport.com
view.atdmt.com
www.cleveland.com
www.sunnews.com
zone.msn.com

so should I just remove the atdmt site from the list and add it to block?
#4
Hi Lori,
I will have a look whether the sites you mentioned are in the HOSTS file of S. Martin. Sorry, I have only the Dutch version of IE 5.5. Could someone please help with this quote from Lori: "content advisor then settings, listed as approved sites". Does this mean the trusted zones in IE, or am I making a stupid mistake? Thanks!
#5
a quick search in HOSTS:

arc5.msn.com is in group Not-for-everyone, so make your own decision. if it is needed for some reason, stay with it for the moment....
e.my.yahoo.com is not in HOSTS
go.msn.com is not in HOSTS
loginnet.passport.com is not in HOSTS
view.atdmt.com is in HOSTS in the group Aveunua [iballs] get rid of this one, delete it, block it
www.cleveland.com is not in HOSTS
www.sunnews.com is not in HOSTS
zone.msn.com is not in HOSTS

So the important thing: view.atdmt.com is in HOSTS in the group Aveunua [iballs] get rid of this one, delete it, block it
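The lookup done by hand in post #5, as an added example that is not part of the thread: it parses a blocking HOSTS file and reports which approved sites it sinkholes, and under which group. The sample HOSTS text is constructed, and the `# Group:` comment layout is an assumption, since the thread does not show how the real file marks its groups.

```python
"""Audit an approved-sites list against a blocking HOSTS file (added example)."""

# Addresses a blocking HOSTS file maps unwanted names to.
SINKHOLES = {"127.0.0.1", "0.0.0.0"}

# Constructed sample. The "# Group:" header layout is an assumption.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# Group: Avenue [iballs]
127.0.0.1   view.atdmt.com   # trailing comments are ignored
# Group: Not-for-everyone
0.0.0.0     ARC5.msn.com
# Group: (constructed) ordinary mapping, not a block
192.0.2.10  intranet.example
"""

# The eight approved sites listed in post #3.
APPROVED = [
    "arc5.msn.com", "e.my.yahoo.com", "go.msn.com", "loginnet.passport.com",
    "view.atdmt.com", "www.cleveland.com", "www.sunnews.com", "zone.msn.com",
]


def normalise(name):
    """Host names are case-insensitive; drop a trailing root dot as well."""
    return name.strip().lower().rstrip(".")


def parse_hosts(text):
    """Return {hostname: group} for every name mapped to a sinkhole address."""
    blocked = {}
    group = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            label = line.lstrip("#").strip()
            if label.lower().startswith("group:"):
                group = label[len("group:"):].strip()
            continue
        # Strip a trailing comment, then split "address name [name ...]".
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in SINKHOLES:
            continue  # blank line, malformed line, or a real mapping
        for name in fields[1:]:
            name = normalise(name)
            if name != "localhost":  # the loopback entry itself is not a block
                blocked[name] = group
    return blocked


def audit(approved, blocked):
    """Pair each approved site with its HOSTS group, or None if not listed."""
    return [(site, blocked.get(normalise(site))) for site in approved]


if __name__ == "__main__":
    for site, group in audit(APPROVED, parse_hosts(SAMPLE_HOSTS)):
        verdict = f"blocked, group {group}" if group else "not in HOSTS"
        print(f"{site:24} {verdict}")
```

The match is exact, so a misspelled name such as view.adtmt.com comes back as not listed even though view.atdmt.com is blocked.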
#6
Consider it gone.
Do you have any other sites that offer IE-Spyad? I've d/l 7zip and PowerArchive to extract the program, but it's not working. I tried the regular .exe file but it's downloading in the same format as the zip file. Both links downloaded Spyad as an SIG file. (whatever that means) If this helps the icon for it has blue horizontal lines and a large red A on the bottom right.
#7
Lori,
I just tried downloading both the zipped and the exe file, and both went fine here. So, alas, it seems we first have to solve another problem with that SIG file extension on your system; I'm sorry!
#8
I dunno what just happened. Windows just gave me an error message and was wanting to reboot in safe mode, I opted for normal and the same error message was appearing, ERROR:OE:0177:BFF7B018

While in Safe Mode, I deleted the IE Spyad and Powerarchive, rebooted and all was well again. What is a SIG file extension and what do I need to do?

Oh, don't be sorry, I should be apologizing for all the "problems" I have! I really do appreciate all the help!

~Lori
#9
I am sooooooo disappointed!
I opened IE and that freakin' d/lalot appeared AGAIN!!!! I dunno what to do to stop it... it's in the restricted web sites section and not listed in any of the allowed or approved sites! Just b4 I opened IE, I did a scan with Spybot and AdAware and nothing was found. I'm ready to cry!
#10
Tears are good for the eyes, but not for the keyboard. But if you look in the browser after you wiped dry, and Tools > Options > Homepage; which one is displayed there? Make it any other you like, apply, OK, restart browser and see what is there.

You are still on no system recovery are you? Go have a look please to make really sure. Have you written the people from that site how to remove it?

Jan, was your question the Internet Options > Content (inhoud) > enable Restricted zone ? I don't touch that button, as when you start touching it it's really hard to get rid of it again. But there is the place yes to write the sites you really don't want to connect to from this computer. And with adding those sites to the HOST file as Lori discovered that already if it was not there yet in a line starting 127.0.0.1 ........ .... then there must be a trojan like behavior.

I visited that site and did not click anything else but going to that search page at the bottom and did not click at the bottom there "make home page". Could it be anywhere in the favorites? It must be somehow in the settings either in startup or browser settings. Is it in other browsers too, like Netscape?

I'm just looking in the Internet Options > Programs; where is at the bottom the button for IE default pages. Did you use that, and apply and OK ? close browser and what happens? In Internet Options > Privacy for the cookies, is there anything you can block as cookie?

Trying to follow your list of problems:
There is the browser hijacking homepage.
If you change that setting IE crashes, forces to reboot and works fine again with that hijack thing.
Some programs don't want to install right.
The SIG problem? Jan? Others? Could you not install it at all?

I get more blue screen / fatal error OE..... too like many people with IE 6 so that not necessarily needs to be your fault. Where did you get the IE 6.0 version? did I overlook your answer on that? As even with the update on the Windows Update site it should go back to default.

You could test one stupid thing. You did those settings with the browser etc. Try to enable the system restore, make it also a point for recovery if you have to in future, reboot. See what the browser has now in store. If it is still that d/l thing then this did not work and is there a trojan kind of behavior stubborn thing. And then better do again disable the restore and reboot.

So if you look in Windows > Start > Programs > Startup and Program Files > Startup is there only the stuff starting with windows startup what is really allowed to? If not delete what you don't need.

In TDS > System analyses > Autostart; look at all there is started. Is there anything you don't recognize? Unfortunately you can't copy that page to the clipboard, so you might like to make a screenshot. Only if you see something with downloadalot rightclick and delete that one key, but only that for the moment if you are really really sure as you can't put it back. Also have a look in the Processes list, once your browser is open for there might run such an enhancement. Not?

Ok, has netstat any connection while you did not connect nada yet? If so all except your own dial kill it or if you're offline in the netstat > remote connections should be nothing. That part is all checked? Still no solutions?

In that same Autostart thing in TDS, you can also look in the config.sys, autoexec, win.ini and system.ini; just walk through them without changing anything at the moment. Look under the next button in the Startfiles. (should be the same as the Startup you just checked under the Start button). See anywhere that name you don't want to see? Dig for the nastie in your favorites, cookies, everywhere.

Send a support email to MS support and tell them terrorists are hijacking your start page and that is illegal as MS always wants that for themselves. Write the president, fbi, if the d/l guys don't come with a proper step-by-step solution.

Worst case: reformat and install all from scratch from original clean software from the original developers. But as that is complicated on WinME rather not. But before that worst case there are still people here trying to help you with much better ideas.

Which infection(s) did you disinfect from your system?
__________________
Jooske "o_o"
#11
about:Blank is still set as my homepage. I don't want to click anything on that d/lalot page to email them. And when I go to view the privacy policy, they have none.

I've searched my entire pc all folders I could open and nothing appears for d/lalot. Last night, I did a search with spybot and adaware nothing was found, I checked the cookie folder and there were two cookies set again for d/lalot. These cookies were set after I put them in my block list for cookies and restricted the viewing of that site and searchalot.

I don't have any other browsers, I've tried d/l Netscape and Opera, but they will NOT install. I'm sure this d/lalot has something to do with it. I've been to the browser hijacking page and I've followed the instructions and installed all the necessary patches for security. IE6 came from my Windows Update link.

I turned on System Restore and checked my start up and nothing was there, then I went back to turn it off again and received the same error message as yesterday that I posted. I had to boot up in safe mode and turn system restore back on then reboot again and everything loaded, so yes, system restore is on now and seems to want to stay on.

In my start up there is MS Office, MS Calendar, PowerRegSchedularV2 (i dunno what that is) and Bit Defender for start up, yahoo, msn and icq.

TDS System Analize:AutoStart: nothing appeared out of the ordinary or relating to d/l or searchalot. On the registry, or other items mentioned nothing appeared. On system files these appeared:

SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

I don't know what any of that means so I decided to post those results.

Previous infections were SirCam, JSNOCLOSE and two others that I don't remember their names. All but the JSNOCLOSE forced me to write zeros through my hard drive and start from scratch.

My only guess is that I'll have to wait for the d/lalot to appear again and then go through this whole process again. To see if it'll show where it is coming from.

BTW, I haven't changed anything or added anything pertaining to the HOSTS file. If I should do something with it please give details/directions as to what to do with it. And what do I need to do to d/l the Hostess program to block this d/lalot site?

~Lori
#12
I found in my TEMP folder another folder for atdmp, there is even an icon for setup, the lil'l computer with tool box. But this is for my printer, why would it be in this folder if it's a "nastie"? Could spyware or this nastie have been d/l in the software for my printer? Which was just installed within the last two months... coincidence?

I haven't deleted the file yet, only because the setup for my printer is in there. there is also a setup for internet communications. the rest of the icons are mainly all .dll's, .cn, .sm, .ex, or .dl files. As well as Setup information files for each of the prior mentioned files.

~lori
#13
I think I remember someone mentioning that searchalot/d/lalot claims they no longer "track" people, or was that AvenueA? But every time d/lalot appears, AvenueA appears in spybot and/or ad-aware, so they must be linked somehow.

this is searchalot's privacy statement http://www.searchalot.com/privacy.htm

what ticks me off is I've never agreed or allowed them to set anything on my pc!!!! And I'm also not finding anything for d/lalot on their site or that they are even affiliated. But I know they are, my first use of Ad-Aware found searchalot and under that was URLs for d/lalot. I was looking for ways to email them on either site and there is nothing except a comment form. And I'm not using that.
#14
Quote:
Hey Lori,

Do you also have the set-up file for your printer somewhere else on your PC? Do you perhaps have it also on CD-ROM? I'm asking because: if you have it also in another place, and if there is no other "important" file in that atdmp folder in your Windows temp folder, I would suggest deleting it.

BTW: was it really atdmp? I remember you also talked about sites with atdmt in it and sites with adtmt in it.
#15
yes the folder is labeled like this ~~atdmp~ .
and yes, I have my printer software on cdrom. i will delete the folder, i just hope my pc doesn't crash on me! lol

there are 76 files total 152 items in this folder... named with misc. letters (meaning not spelling a word, more like abbreviations) and numbers as .dll's, .dl's, .ex, .sm, .tb, etc... along with setup files for all.
#16
About your weird zipfile problem, Eric Howes also offers IE-SPYAD as a self-extracting ZIP file, which you can just double-click on to extract the files inside.
You won't need an external unzipper. Here's a direct download link: http://www.staff.uiuc.edu/~ehowes/ie-spyad.exe
__________________
Tony - CLSID List - A Collection of Autostart Locations
#17
I tried the regular .exe file d/l and it too d/l'd as a .SIG file.
What is an SIG file anyway? Any thoughts as to how to fix this?
#18
WoW! That link worked! Thanx Tony! But now what do I do with it? I unzipped to c:\ie-spyad. I opened the ie-spyad folder and this is all that is in there... Folders for "old" and "repair", one copying file, ie-ads registration entry, ie-ads-uninst registration entries, and read me. Am I missing something?
#19
No, you're not.
Doubleclick Ie-Spyad.reg, and the contents will be merged into the Registry. Reboot, and you're done.
__________________
Tony - CLSID List - A Collection of Autostart Locations
#20
Besides, Lori, there's a Readme.txt file included explaining EVERYTHING.
Read it, and all will become clear.
__________________
Tony - CLSID List - A Collection of Autostart Locations
#21
DuH! thnx, lori
#22
No prob!
__________________
Tony - CLSID List - A Collection of Autostart Locations
#23
Wasn't around to react sooner about the alot connections.
Viva TDS with the easy resolve and whois:

2-9 23:04:06 [DNS] Resolve Name: www.searchalot.com
2-9 23:04:06 [DNS] Full name: www.searchalot.com
2-9 23:04:06 [DNS] IP address 1: 64.14.40.138
2-9 23:04:07 [DNS] Resolve time: 0,328125 seconds.
2-9 23:04:30 [DNS] Resolve Name: www.downloadalot.com
2-9 23:04:30 [DNS] Full name: downloadalot.com
2-9 23:04:30 [DNS] IP address 1: 64.14.40.146
2-9 23:04:30 [DNS] Alias 1: www.downloadalot.com
2-9 23:04:30 [DNS] Resolve time: 0,3828125 seconds.

Domain Name: DOWNLOADALOT.COM
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: DNS02.EXODUS.NET
Name Server: DNS03.EXODUS.NET
Name Server: DNS01.EXODUS.NET
Name Server: DNS04.EXODUS.NET
Updated Date: 03-jun-2002
>>> Last update of whois database: Mon, 2 Sep 2002 04:45:22 EDT <<<

Registrant:
Downloadalot.com (DOWNLOADALOT3-DOM)
Villa Maria Spanish Point County Clare, IE IE
Domain Name: DOWNLOADALOT.COM
Administrative Contact, Technical Contact:
Services, Support (CAXVHTEWVI)******download@DOWNLOADALOT.COM
Downloadalot.com
Villa Maria Spanish Point County Clare, IE IE
+351-999-999
Record expires on 15-Feb-2011.
Record created on 15-Feb-2000.
Database last updated on 2-Sep-2002 17:06:56 EDT.
Domain servers in listed order:
DNS01.EXODUS.NET 209.1.222.244
DNS02.EXODUS.NET 209.1.222.245
DNS03.EXODUS.NET 209.1.222.246
DNS04.EXODUS.NET 209.1.222.247
REDIRECTED - Connecting to whois.networksolutions.com
REDIRECTED - Connecting to whois.networksolutions.com

Domain Name: SEARCHALOT.COM
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: DNS02.EXODUS.NET
Name Server: DNS03.EXODUS.NET
Name Server: DNS01.EXODUS.NET
Name Server: DNS04.EXODUS.NET
Updated Date: 31-may-2002
>>> Last update of whois database: Mon, 2 Sep 2002 04:45:22 EDT <<<

Registrant:
Searchalot, Inc. (SEARCHALOT2-DOM)
350 South Center Street Suite 500 Reno, NV 89501 US
Domain Name: SEARCHALOT.COM
Administrative Contact, Technical Contact:
Department, Billing (BD812 ******billing@SEARCHALOT.COM
Searchalot, Inc.
350 South Center Street, Suite 500 Reno, NV 89501 US
775-333-5979 775-329-0852
Record expires on 04-Apr-2010.
Record created on 04-Apr-1999.
Database last updated on 2-Sep-2002 17:08:22 EDT.
Domain servers in listed order:
DNS01.EXODUS.NET 209.1.222.244
DNS02.EXODUS.NET 209.1.222.245
DNS03.EXODUS.NET 209.1.222.246
DNS04.EXODUS.NET 209.1.222.247
REDIRECTED - Connecting to whois.networksolutions.com
REDIRECTED - Connecting to whois.networksolutions.com

Right column on searchalot "free software" goes to d/lalot, bottom at d/lalot goes to searchalot, same server, same more, what do you miss?
__________________
Jooske "o_o"
#24
That exodus.net is on my pc, i just don't remember where I found it, i think i ran that program what's happening... i'm looking now, i'll let ya know.
#25
With your available anti-spy software you installed in the meantime you can now look for all spy and the kind; keep scanning for infections, as you were infected.
Files you don't trust, rightclick scan them with TDS (or the whole folder/directory), with your local or online scanners. Pest Patrol might be able to find pests like that, as they also find pests which are not immediately trojans/worms/viruses/spies/something else. Don't they have a trial? think it was www.safersite.com .

You see for the IP addresses of those alots that even though they give addresses on both sides of the big pond they go via the same ISP. Thanks again TDS for this quick resolve:

OrgName: Cable & Wireless
OrgID: EXCW
NetRange: 64.14.0.0 - 64.14.255.255
CIDR: 64.14.0.0/16
NetName: LEGACY-1
NetHandle: NET-64-14-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: DNS01.EXODUS.NET
NameServer: DNS02.EXODUS.NET
NameServer: DNS03.EXODUS.NET
NameServer: DNS04.EXODUS.NET
Comment: * Rwhois reassignment information for this block is available at:
* rwhois.exodus.net 4321
* For abuse please contact abuse@exodus.net
RegDate:
Updated: 2002-08-21
TechHandle: ZC221-ARIN
TechName: Cable & Wireless
TechPhone: +1-919-465-4023
TechEmail: ip@gnoc.cw.net
OrgAbuseHandle: ABUSE11-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-877-393-7878
OrgAbuseEmail: abuse@exodus.net
OrgNOCHandle: NOC99-ARIN
OrgNOCName: Network Operations Center
OrgNOCPhone: +1-800-977-4662
OrgNOCEmail: trouble@cw.net
OrgTechHandle: EIAA-ARIN
OrgTechName: Exodus IP Address Administration
OrgTechPhone: +1-888-239-6387
OrgTechEmail: ipaddressadmin@exodus.net
OrgTechHandle: GIAA-ARIN
OrgTechName: Global IP Address Administration
OrgTechPhone: +1-919-465-4096
OrgTechEmail: ip@gnoc.cw.net
# ARIN Whois database, last updated 2002-09-01 19:05
# Enter ? for additional hints on searching ARIN's Whois database.

Oh yeah, in the other posting, without using online forms or going to the site, saw the email? use that and see what they give you for answer to post here if it's informative.

Haha, who has no spam from exodus.net? Very black listed!
__________________
Jooske "o_o"