AGAIN

Discussion in 'privacy problems' started by ljc1174, Sep 3, 2002.

Thread Status:
Not open for further replies.
  1. ljc1174

    ljc1174 Registered Member

    First of all, I'm not sure if this is even the correct place to post this...If this post should be moved elsewhere, please do so.

    But again, the blasted d/lalot opened when I clicked a new window for IE.

    I emailed the NIPC(sp) and they replied with an email telling me to contact my ISP. Which doesn't seem like a solution to me.

    Would contacting the BBB be a good idea?

    If anyone knows of anyone else I can contact to report this annoyance, please let me know.

    Or if anyone has any further suggestions to stop them from loading as my homepage (which is still set to about:blank), please by all means help.

    IE-Spyad has been installed, this search and d/lalot have been added to my restricted sites and all cookies have been blocked.

    I'm going to run TDS auto start up to see if maybe it'll show up in there and I'm also going to run the What's Happenning program. And whatever else I have on here to see if they show up. There has to be a program out there to block these jerks!

    Thanks,
    Lori
  2. ljc1174

    ljc1174 Registered Member

    Just a thought, but would uninstalling IE6 from my programs then reinstall, would that be helpful or harmful? o_O
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    I don't see how it could be harmful but you'd have to be very thorough to make sure it helps. What OS are you using?

    Regards,

    Pieter
  4. ljc1174

    ljc1174 Registered Member

    Windows ME

    My restoration cd has IE5, I would have to go through all the updates again, but... if that's my only option... hopefully it isn't though!

    ~Lori
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Lori,

    Have a look at this one: http://www.litepc.com/ieradicator.html
    Make sure you download the installer for your new version of IE (may I recommend IE 5.5 SP2) before you eradicate the old version.
    This one is thorough but does not work for win2k SP2 or XP (that's why I asked). ME should be no problem.
    I hope it gets rid of your problem as well.

    Regards,

    Pieter

    PS You can find the installer for IE 5.5SP2 here: http://www.microsoft.com/windows/ie/downloads/recommended/ie55sp2/default.asp
  6. ljc1174

    ljc1174 Registered Member

    I had the IE5.5SP2 installed but everyone kept telling me to update to IE6 and that it would fix the problem.

    Whatever the problem is it's attached to IE somewhere in my pc. I've searched every folder I could open for anything relating to d/l or searchalot.

    So since I am using IE6 would it make sense to d/l IE5.5sp2?

    I only mentioned IE5 b4 because that is what's on my restoration cd. Removing IE from my pc would mean I would have to d/l msn explorer and I don't want to do that not even for temp usage. That's why I am looking for any other ways to solve this annoying issue!

    I scanned with Ad-Aware, Spybot, TDS (updated it first) and what's happenning. Nothing is found. Or that I can tell anyway. Everything "appears" normal. But I was reading about Optix Lite and just to be on the safe side I'm going to run TDS autostart again. I'm sure I'd have some sort of clue if I had that Optix thing, but, I'd rather db'l check anyhow.

    ~Lori
  7. TonyKlein

    TonyKlein Security Expert

    At this point I really can't remember what you have or haven't tried, but I don't think reinstalling IE 6.0 or reverting to 5.5 SP2 will change anything.

    Pieter's proposal of running IEradicator is drastic but it may stand a chance, as it truly eradicates all IE related files, folders and registry keys.

    However, if your uninvited guest is not part of it, it obviously won't be affected one bit.

    I forget, but have you tried running BHODemon?

    If not, download it, launch the program, and tell us what BHOs it detects.
  8. ljc1174

    ljc1174 Registered Member

    Yes, I have BHO Demon...
    It only detects ACROIEHELPER.OCX and YCOMP4,0,2,8.DLL.
    Isn't that yahoo and adobe acorbat(sp) reader?

    If all else fails, and if I'm going to remove IE from my pc, then yes, I will use the IEradicator. But you said you don't think it will delete the annoyance? If I've searched everything on my pc and can't find anything wouldn't that mean that it is more than likely attached to my IE somewhere or is it just attached somewhere to my hard drive? If that's the case then wiping out my hard drive would be the only solution to getting rid of it, correct?

    ~Lori
  9. ljc1174

    ljc1174 Registered Member

    In regards to removing IE from my pc... I was curious as to what the opinions were towards the other browsers... I was also curious about the opinions of others, if I do remove IE, should I reinstall it? Or continue to just use a different browser.

    But this is if I don't figure out someway to remove the d/l-searchalot garbage. Which is highly unlikely!

    Thanx in advance for thoughts!
    ~Lori
  10. TonyKlein

    TonyKlein Security Expert

    Yep. I now seem to remember we did do that one before... :rolleyes:

    About IEradicator, as we don't know what exactly this is, or where it 'lives', there's no telling whether removing IE will help.

    Did you already do a registry search by keyword searchalot?

    Try it. After the first found instance press F3 to go to the next one.

    Tell us the exact and complete registry keys they're located in, if they're there at all.
  11. ljc1174

    ljc1174 Registered Member

    A registry search with autostart on the TDS program?
    If not, I don't know where to find the registry keys.

    (sometimes ignorance isn't bliss) :oops:
  12. TonyKlein

    TonyKlein Security Expert

    No, this has nothing to do with TDS-3

    Start > Run > Regedit

    Edit > Search
  13. ljc1174

    ljc1174 Registered Member

    HKEY_CLASSES_ROOT
    HKEY_CURRENT_USER
    HKEY_LOCAL_MACHINE
    HKEY_USERS
    HKEY_CURRENT_CONFIG
    HKEY_DYN_DATA

    this is what i did, clicked start, clicked run, typed Regedit and hit ok. correct?
  14. TonyKlein

    TonyKlein Security Expert

    Yup!

    Now do a searchalot keyword search.

    In the Search box, make sure 'Keys' AND 'values' are checked.
  15. Jooske

    Jooske Registered Member

    Hi again, sorry to see you have that d/l thing back.
    You remember whou did the "repair install" I guess, did you ever visit that d/lalot searchalot with this version of IE or with the former 5.5?
    How about trying to put all back to your blank homepage, then do that "back to former version" (still with the restore disabled), you'll have to reboot,
    see what happens after reboot. After you might like to go to the Windows update and grab their latest 6.0 and see what it will be. The security updates for 6 are not so really many yet, so that's better than keeping this frustration.

    I must say I read a lot of very wonderful advice here; learning new things each day!

    I see you posted in the meantime about the registry part, I leave that part to the guys who really know how to guide you there step by step.
  16. ljc1174

    ljc1174 Registered Member

    where am i typing in searchalot?
    start, run, type in searchalot?
  17. TonyKlein

    TonyKlein Security Expert

    No, read what I posted:

    After launching Regedit, go to Edit > then to Find
  18. ljc1174

    ljc1174 Registered Member

    Hi Jooske,

    I am running IE6 with all available updates and patches MS has.

    I can't put my pc back on disable system restore, it was booting up with the blue screen,
    ERROR:OE:0177:BFF7B018

    I posted previously about it on the other thread, but I don't think anything was mentioned about it.

    Also, I have updated all the updates for my pc including the system restore update/fix.

    When I use Windows Update, all it has to offer me are the conversion tools. Which I don't need.

    ~Lori
    BTW:
    Yes, I did visit search and d/l alot to find ways to email them. After that, I had the IE-Spyad installed. And my homepage setting hasn't been changed by me, it still reads About:Blank.
  19. ljc1174

    ljc1174 Registered Member

    Soooooooooooooo...

    Everything that shows up on this search is only for searchalot and should be deleted? :rolleyes:
  20. TonyKlein

    TonyKlein Security Expert

    Well, I'd like to know what it is first.

    Everything you delete in the Registry doesn't end up in the recycle bin, but is gone forever.

    Maybe first back up your registry: what version of Windows were you running?
  21. ljc1174

    ljc1174 Registered Member

    I have windows ME

    does this help? i saved it then opened it with word pad...

    REGEDIT4

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0]
    "VerStamp"=dword:00000003
    "HelpUrl"="http://www.searchalot.com/?IE6"
    "BodyBarPath"="http://www.searchalot.com/ie6advert.htm"
    "ShowBodyBar"=dword:00000001
    "HideFolderBar"=dword:00000001
    "Tree"=dword:00000001
    "Show Outlook Bar"=dword:00000000
    "ShowStatus"=dword:00000001
    "Show Contacts"=dword:00000000
    "Tip of the Day"=dword:00000000
    "ShowToolbarIEAK"=dword:00000001
    "Toolbar Text"=dword:00000001
    "SpellDontIgnoreDBCS"=dword:00000001
    "MSIMN"=dword:00000001
    "StoreMigratedV5"=dword:00000001
    "ConvertedToDBX"=dword:00000001
    "Settings Upgraded"=dword:00000007
    "Running"=dword:00000000
    "Store Root"="C:\\WINDOWS\\Application Data\\Identities\\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\\Microsoft\\Outlook Express\\"
    "PrevToolbarTextStyle"=dword:00000001
    "Outlook Bar Settings"=hex:01,00,00,00,00,00,00,00,00,00,00,00,05,00,00,00,00,\
    00,00,00,00,00,00,00,04,00,00,00,05,00,00,00,06,00,00,00,07,00,00,00,08,00,\
    00,00
    "Launch Inbox"=dword:00000000
    "Migration Done"=dword:00000001
    "Saved Toolbar Settings"=hex:11,9e,00,00,ff,ff,ff,ff,01,9d,00,00,ff,ff,ff,ff,\
    07,9d,00,00,c4,9c,00,00
    "Saved Toolbar Settings Version"=dword:00000011
    "Browser Bands"=hex:11,00,00,00,04,00,00,00,64,00,00,00,80,02,00,00,64,00,00,\
    00,66,00,00,00,02,00,00,00,16,00,00,00,65,00,00,00,01,02,00,00,64,00,00,00,\
    67,00,00,00,09,00,00,00,64,00,00,00
    "Toolbar Icon Size"=dword:00000001
    "BodyBarPos"=dword:00000032
    "Nav Pane Width"=dword:000000c8
    "Nav Pane Split"=dword:00000042
    "BrowserPos"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,64,00,00,00,51,00,00,00,bc,02,00,00,e6,01,00,00
    "SpoolerDlgPos"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,ff,9c,00,00,00,56,00,00,00,84,02,00,00,ed,00,00,00
    "SpoolerTack"=dword:00000000
    "Show Deleted Messages"=dword:00000001
    "Show Replies To My Messages"=dword:00000000

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Recent Stationery List]
    "File0"="Clear Day.htm"
    "File1"="Nature.htm"
    "File2"="Maize.htm"
    "File3"="Sunflower.htm"
    "File4"="Citrus Punch.htm"
    "File5"="Blank.htm"
    "File6"="Leaves.htm"

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Mail]
    "ShowHybridView"=dword:00000001
    "Show Header Info"=dword:00000001
    "SplitDir"=dword:00000000
    "Welcome Message"=dword:00000000
    "Accounts Checked"=dword:00000001
    "SplitHorzPct"=dword:00000032
    "SplitVertPct"=dword:00000032
    "Default_CodePage"=dword:00006faf

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules]

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Mail]

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter]
    "Version"=dword:00050000
    "Order"="FFA FFB FFC FFF"

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\MRU List]

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFA]
    "Name"="Show All Messages"
    "Enabled"=dword:00000001
    "Version"=dword:00000004

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFA\Criteria]
    "Order"="000"

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFA\Criteria\000]
    "Type"=dword:00000014
    "Logic"=dword:00000000
    "Flags"=dword:00000000

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFA\Actions]
    "Order"="000"

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFA\Actions\000]
    "Type"=dword:0000000f
    "Flags"=dword:00000000
    "ValueType"=dword:00000013
    "Value"=dword:00000001

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFB]
    "Name"="Hide Read Messages"
    "Enabled"=dword:00000001
    "Version"=dword:00000004

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFB\Criteria]
    "Order"="000"

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFB\Criteria\000]
    "Type"=dword:0000001c
    "Logic"=dword:00000000
    "Flags"=dword:00000000

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFB\Actions]
    "Order"="000"

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFB\Actions\000]
    "Type"=dword:0000000f
    "Flags"=dword:00000000
    "ValueType"=dword:00000013
    "Value"=dword:00000002

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFC]
    "Name"="Show Downloaded Messages"
    "Enabled"=dword:00000001
    "Version"=dword:00000004

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFC\Criteria]
    "Order"="000"

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFC\Criteria\000]
    "Type"=dword:00000019
    "Logic"=dword:00000000
    "Flags"=dword:00000000

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFC\Actions]
    "Order"="000"

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFC\Actions\000]
    "Type"=dword:0000000f
    "Flags"=dword:00000000
    "ValueType"=dword:00000013
    "Value"=dword:00000001

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF]
    "Name"="Hide Read or Ignored Messages"
    "Enabled"=dword:00000001
    "Version"=dword:00000004

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF\Criteria]
    "Order"="000 001"

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF\Criteria\000]
    "Type"=dword:0000001b
    "Logic"=dword:00000001
    "Flags"=dword:00000000
    "ValueType"=dword:00000013
    "Value"=dword:00000002

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF\Criteria\001]
    "Type"=dword:0000001c
    "Logic"=dword:00000000
    "Flags"=dword:00000000

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF\Actions]
    "Order"="000"

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF\Actions\000]
    "Type"=dword:0000000f
    "Flags"=dword:00000000
    "ValueType"=dword:00000013
    "Value"=dword:00000002

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\News]
    "ShowHybridView"=dword:00000001
    "Show Header Info"=dword:00000001
    "SplitDir"=dword:00000000
    "Accounts Checked"=dword:00000001
    "SplitHorzPct"=dword:00000032
    "SplitVertPct"=dword:00000032
    "ThreadArticles"=dword:00000001
    "Saved Toolbar Settings"=hex:12,9e,00,00,f2,9c,00,00,f0,9c,00,00,f4,9c,00,00,\
    ff,ff,ff,ff,b4,9c,00,00,dd,9c,00,00,ff,ff,ff,ff,01,9d,00,00,ff,ff,ff,ff,07,\
    9d,00,00,c4,9c,00,00,79,9d,00,00,06,9d,00,00
    "Saved Toolbar Settings Version"=dword:00000011

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Trident]

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Trident\International]

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Trident\Settings]

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Trident\Main]
    "Move System Caret"="no"

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Columns]
    "News Column Info"=hex:10,00,00,00,07,00,00,00,10,00,00,00,09,00,00,00,ff,ff,\
    ff,ff,16,00,00,00,09,00,00,00,ff,ff,ff,ff,17,00,00,00,09,00,00,00,ff,ff,ff,\
    ff,02,00,00,00,01,00,00,00,ff,ff,ff,ff,01,00,00,00,01,00,00,00,ff,ff,ff,ff,\
    04,00,00,00,03,00,00,00,ff,ff,ff,ff,05,00,00,00,01,00,00,00,ff,ff,ff,ff
  22. ljc1174

    ljc1174 Registered Member

    And just for the record, after the last time I had to write zeros through my hard drive, I haven't used outlook express. I used it once and ended up with a virus, which forced me to write out my hard drive and reinstall. I haven't used it since and never plan to again.
  23. TonyKlein

    TonyKlein Security Expert

    Lori,

    Copy the bold to Notepad, save as Del.reg, and double-click to enter into the registry:

    REGEDIT4

    [HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0]
    "HelpUrl"=-
    "BodyBarPath"=-


    That will get rid of the two Searchalot entries.

    There may however be more.

    Start all over again, and show us what else it finds.

    Post it here.

    Next, type F3 in order to go to a possible next instance.
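
The search-and-delete step described in the post above, as an added example that is not part of the original thread: it parses a REGEDIT4 export, lists the values whose name or string data contains a keyword, and builds the matching deletion file in the `"Name"=-` form the post uses. The function names and the trimmed sample export are constructed for illustration, and the matching only approximates Regedit's own Find.

```python
import re

# Constructed sample: a trimmed REGEDIT4 export modelled on the one in the thread.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0]
"VerStamp"=dword:00000003
"HelpUrl"="http://www.searchalot.com/?IE6"
"BodyBarPath"="http://www.searchalot.com/ie6advert.htm"
"Browser Bands"=hex:11,00,00,00,04,00,00,00,64,00,00,00,80,02,00,00,64,00,00,\
  00,66,00,00,00

[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Mail]
"Welcome Message"=dword:00000000
'''

# Left-hand side of a value line: a quoted name (with \" and \\ escapes) or @.
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')


def parse_reg(text):
    """Return {key_path: {lhs: raw_data}}; lhs is kept exactly as written."""
    keys, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):          # hex: data continues on the next line
            buf = line[:-1]
            continue
        buf = ""
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys


def find_hits(keys, keyword):
    """List (key, lhs, data) where the value name or string data has keyword."""
    kw = keyword.lower()
    hits = []
    for key, values in keys.items():
        for lhs, data in values.items():
            in_string_data = data.startswith('"') and kw in data.lower()
            if kw in lhs.lower() or in_string_data:
                hits.append((key, lhs, data))
    return hits


def build_delete_reg(hits):
    """Build a REGEDIT4 file that removes only the listed values."""
    out, last = ["REGEDIT4", ""], None
    for key, lhs, _data in hits:
        if key != last:
            if last is not None:
                out.append("")
            out.append("[" + key + "]")
            last = key
        out.append(lhs + "=-")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_delete_reg(find_hits(parse_reg(SAMPLE_EXPORT), "searchalot")))
```

Only the matched values are removed; every other value in the key, and the key itself, is left as exported.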
  24. ljc1174

    ljc1174 Registered Member

    clicking start, run and typing regedit gave me all the info for searchalot again w/o typing in searchalot under find.


    So, I typed in downloadalot and got this...

    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU]
    "000"="DNS01.EXODUS.NET"
    "001"="Hostess"
    "002"="ie spyad"
    "003"="IE-spyad"
    "004"="hosts"
    "005"=" DNS01.EXODUS.NET"
    "006"="www.searchalot.com"
    "007"="www.downloadalot.com"
    "008"="searchalot"
    "009"="Spybot S&D"
    "010"="BHODemon"
    "011"="Ad-Aware"
    "012"="Kazaa"
    "013"="shelliconcache"
    "014"="tweakui.exe"
    "015"="TweekUI(1).exe"
    "016"="Tweak"
    "017"="ndetect"
    "018"="mgi"
    "019"="picture works"
    "020"="b3d projector"
    "021"="DOWNLOADWARE"
    "022"="wink.exe"
    "023"="Norton"
    "024"="downloadalot"

    I copied what you had in bold to notepad, db'l clicked it and it asked if I wanted to enter it to the registry. Was that correct?
  25. ljc1174

    ljc1174 Registered Member

    I will be away from my pc for awhile... I should be back on around 4 or 5.

    ~Lori