Hosts/IE privacy and restrictions

Discussion in 'privacy problems' started by ljc1174, Sep 1, 2002.

Thread Status:
Not open for further replies.
  1. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Which one is causing you trouble (sorry, it was not quite clear to me)?
    Jooske suggested that I search my zones to see if d/l and/or searchalot were "allowed" in any zone. In the content advisor for allowed sites I have 8 listed. One that I wasn't sure of because I already have an msn site, but the other was arc5.msn.com.
    The site that I have no idea who it belongs to is view.atdmt.com. When I searched it I found that geocites page and from what I read there it's listed as a spammer site I do believe, but I'm not sure. So I don't know if I should remove it or not.
    in HOSTS there are a lot of lines like for example:
    127.0.0.1 view.atdmt.com
    all those lines begin with 127.0.0.1
    that is your own computer

    Are you saying that the view.atdmt.com is ok and leave it there?

    OK, I found this:
    view.atdmt.com in the group Avenue [iballs]
    arc5.msn.com in the group Not-for-everyone
    and there is no site mentioned in my HOSTS with adtmt in it.
    I'm not sure what this means, "Not-For-Everyone", do I leave this arc5 site alone?

I d/l'd IE6 from my Windows Update in my start menu along with all security patches and updates from them as well, including the one from a few days ago.

So now my main issue is should I continue to search for d/l and searchalot on my pc and remove it or should I install the IE-Spyad and block it? And how to identify which hosts are not ok to have in the "allowed" zones. I ask that because of the adtmt site that is allowed. I haven't checked the other zones yet. I left my window open at content advisor.

    Jooske,
I haven't been back to the MS newsgroups, I like the help I'm receiving here better!

    Thnx,
    Lori
     
  2. FanJ

    FanJ Guest

    Hi Lori,

    HOSTS is a completely other thing than your Internet Zones in Internet Explorer.

    I do not know how to get rid of your problem, sorry!
    Others might be of more help here.

    Do I understand you right that view.atdmt.com is in your trusted zone of Internet Explorer?
    I do know one thing for sure: that site view.atdmt.com should definitely not be in your trusted zone of IE.
    I also see no reason why arc5.msn.com should be there, but it seems to me that that is not the main issue here.

    Do I understand it right that you have 8 sites mentioned in your trusted zone of IE?
    Could you give the names of them here?
    For some of them there might be a good reason why they are there (for example: I have this forum site put in there).

    I suggest that you install IE-SPYAD and put every thing in the restricted zone of IE at the highest possible security.
    Go to the following site of Eric Howes to download it and to get more info about it and how to put every thing in your restricted zone on the highest possible security:
    http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

    Another question:
    Is ActiveX disabled or enabled in your internet zone?
     
  3. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Hi,

    Active X is disabled on everything.

    These sites are under content advisor then settings, listed as approved sites,
    arc5.msn.com
    e.my.yahoo.com
    go.msn.com
    loginnet.passport.com
    view.atdmt.com
    www.cleveland.com
    www.sunnews.com
    zone.msn.com

    so should I just remove the atdmt site from the list and add it to block?
     
  4. FanJ

    FanJ Guest

    Hi Lori,

I will have a look whether the sites you mentioned are in the HOSTS file of S. Martin.

    Sorry, I have only the Dutch version of IE 5.5.
    Could someone please help with this quote from Lori:
    "content advisor then settings, listed as approved sites".
    Does this mean the trusted zones in IE, or am I making a stupid mistake? Thanks !
     
  5. FanJ

    FanJ Guest

    a quick search in HOSTS:

    arc5.msn.com

    is in group Not-for-everyone, so make your own decision.
    if it is needed for some reason, stay with it for the moment....

    e.my.yahoo.com

    is not in HOSTS

    go.msn.com

    is not in HOSTS

    loginnet.passport.com

    is not in HOSTS

    view.atdmt.com

is in HOSTS in the group AvenueA [iballs]
    get rid of this one, delete it, block it

    www.cleveland.com

    is not in HOSTS

    www.sunnews.com

    is not in HOSTS

    zone.msn.com

    is not in HOSTS


    So the important thing:

    view.atdmt.com

is in HOSTS in the group AvenueA [iballs]
    get rid of this one, delete it, block it
     
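Doing FanJ's lookup by script, as an added example that is not code from the thread or from any tool named in it: a parser for a blocklist-style HOSTS file that records the `# [Group]` comment header each entry falls under, then cross-checks Lori's approved-sites list against it. The HOSTS text and its group names are constructed for the example.

```python
"""Cross-check IE 'approved'/trusted sites against a HOSTS-style blocklist.

Added example, not code from the thread or from any tool it mentions. It
reproduces by script what FanJ did by hand: look up each site Lori had
approved in IE in the HOSTS file and report which blocklist group (the
'# [Group]' comment headers) it falls under. The HOSTS text below is
constructed for this example; the group names are hypothetical.
"""
import re

# Constructed sample in the style of a blocklist HOSTS file: a comment header
# names a group, and every entry below it belongs to that group until the next
# header. Real blocklists also use 0.0.0.0 as the sink address.
SAMPLE_HOSTS = """\
# HOSTS blocklist (constructed for this example)
127.0.0.1       localhost

# [Not-for-everyone]
127.0.0.1       arc5.msn.com   # MSN tracking, optional

# [AvenueA]
127.0.0.1       view.atdmt.com
127.0.0.1       ads.atdmt.com
0.0.0.0         adserver.example-blocked.test
"""

# Sites Lori reported under Content Advisor > Approved sites (from the thread).
APPROVED_SITES = [
    "arc5.msn.com", "e.my.yahoo.com", "go.msn.com", "loginnet.passport.com",
    "view.atdmt.com", "www.cleveland.com", "www.sunnews.com", "zone.msn.com",
]

GROUP_HEADER = re.compile(r"^#\s*\[(?P<name>[^\]]+)\]\s*$")
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0"}  # "block" means: resolve to myself


def parse_hosts(text):
    """Return {hostname: (address, group)} for every entry in a HOSTS file.

    Trailing '# ...' comments are stripped; a line that is only a comment is
    tested against the '# [Group]' header pattern. Hostnames are lower-cased
    because HOSTS lookups are case-insensitive.
    """
    entries, group = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = GROUP_HEADER.match(line)
        if header:
            group = header.group("name")
            continue
        line = line.split("#", 1)[0].strip()  # drop inline comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            entries[name.lower()] = (address, group)
    return entries


def blocked_hosts(text):
    """Hostnames the HOSTS file sinks to the local machine, mapped to their group."""
    return {host: group or "(ungrouped)"
            for host, (address, group) in parse_hosts(text).items()
            if address in SINK_ADDRESSES and host != "localhost"}


def check_approved(approved, hosts_text):
    """Map each approved site to its HOSTS block group, or None if not blocked.

    A site that is both approved in IE and blocked in HOSTS is the conflict
    FanJ flagged: the browser trusts it while the OS refuses to resolve it.
    """
    blocked = blocked_hosts(hosts_text)
    return {site.lower(): blocked.get(site.lower()) for site in approved}


if __name__ == "__main__":
    for site, group in check_approved(APPROVED_SITES, SAMPLE_HOSTS).items():
        status = f"in HOSTS, group {group}" if group else "not in HOSTS"
        print(f"{site:25} {status}")
```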
  6. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Consider it gone.

    Do you have any other sites that offer IE-Spyad?

    I've d/l 7zip and PowerArchive to extract the program, but it's not working.

I tried the regular .exe file but it's downloading in the same format as the zip file. Both links downloaded Spyad as an SIG file. (whatever that means) If this helps the icon for it has blue horizontal lines and a large red A on the bottom right.
     
  7. FanJ

    FanJ Guest

    Lori,

    I just tried downloading both the zipped and the exe file, and both went fine here.
    So, alas, it seems we have first to solve another problem with that SIG file extension on your system; I'm sorry !
     
  8. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    I dunno what just happened. Windows just gave me an error message and was wanting to reboot in safe mode, I opted for normal and the same error message was appearing, ERROR:OE:0177:BFF7B018

    While in Safe Mode, I deleted the IE Spyad and Powerarchive, rebooted and all was well again.

What is a SIG file extension and what do I need to do?
    Oh, don't be sorry, I should be apologizing for all the "problems" I have! I really do appreciate all the help!

    ~Lori
     
  9. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    I am sooooooo disappointed! :doubt:

    I opened IE and that freakin' d/lalot appeared AGAIN!!!!

    I dunno what to do to stop it... it's in the restricted web sites section and not listed in any of the allowed or approved sites!
    Just b4 I opened IE, I did a scan with Spybot and AdAware and nothing was found.

    I'm ready to cry! :'(
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Tears are good for the eyes, but not for the keyboard. But if you look in the browser after you wiped dry, and Tools > Options > Homepage; which one is displayed there?
    Make it any other you like, apply, OK, restart browser and see what is there.
    You are still on no system recovery are you? Go have a look please to make really sure.

    Have you written the people from that site how to remove it?


    Jan, was your question the Internet Options > Content (inhoud) > enable Restricted zone ?
    I don't touch that button, as when you start touching it it's really hard to get rid of it again :)
    But there is the place yes to write the sites you really don't want to connect to from this computer.
And with adding those sites to the HOST file as Lori discovered that already if it was not there yet in a line starting 127.0.0.1 ........ .... then there must be a trojan like behavior.
    I visited that site and did not click anything else but going to that search page at the bottom and did not click at the bottom there "make home page"
    Could it be anywhere in the favorites? It must be somehow in the settings either in startup or browser settings.
    Is it in other browsers too, like Netscape?

    I'm just looking in the Internet Options > Programs; where is at the bottom the button for IE default pages. Did you use that, and apply and OK ?
    close browser and what happens?

    In Internet Options > Privacy for the cookies, is there anything you can block as cookie?

    Trying to follow your list of problems:
    There is the browser hijacking homepage
    If you change that setting IE crashes, forces to reboot and works fine again with that hijack thing.
    Some programs don't want to install right
    The SIG problem? Jan? Others? Could you not install it at all?
    I get more blue screen / fatal error OE..... too like many people with IE 6 so that not necessarily needs to be your fault.
    Where did you get the IE 6.0 version? did i overlook your answer on that?
    As even with the update on the Windows Update site it should go back to default.
    You could test one stupid thing. You did those settings with the browser etc.
Try to enable the system restore, make it also a point for recovery if you have to in future, reboot.
    See what the browser has now in store.
    If it is still that d/l thing than this did not work and is there a trojan kind of behavior stubborn thing. And then better do again disable the restore and reboot.


    So if you look in Windows > Start > Programs > Startup and Program Files > Startup is there only the stuff starting with windows startup what is really allowed to?
If not delete what you don't need.

    In TDS > System analyses > Autostart; look at all there is started.
    Is there anything you don't recognize?
    Unfortunately you can't copy that page to the clipboard, so you might like to make a screenshot.
Only if you see something with downloadalot right-click and delete that one key, but only that for the moment if you are really, really sure as you can't put it back.
    Also have a look in the Processes list, once your browser is open for there might run such an enhancement. Not?
    Ok, has netstat any connection while you did not connect nada yet?
    If so all except your own dial kill it or if you're offline in the netstat > remote connections should be nothing.

    That part is all checked?
    Still no solutions?
    In that same Autostart thing in TDS, you can also look in the config.sys, autoexec, win.ini and system.ini; just walk through them without changing anything at the moment.
    Look under the next button in the Startfiles. (should be the same as the Startup you just checked under the Start button). See anywhere that name you don't want to see?

    Dig for the nastie in your favorites, cookies, everywhere.
Send a support email to MS support and tell them terrorists are hijacking your start page and that is illegal as MS always wants that for themselves. Write the president, fbi, if the d/l guys don't come with a proper step-by-step solution.
    Worst case: reformat and install all from scratch from original clean software from the original developers. But as that is complicated on WinME rather not.
    But before that worst case there are still people here trying to help you with much better ideas.

    Which infection(s) did you disinfect from your system?
     
  11. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    About:Blank is still set as my homepage. I don't want to click anything on that d/lalot page to email them. And when I go to view the privacy policy, they have none.

I've searched my entire pc all folders I could open and nothing appears for d/lalot. Last night, I did a search with spybot and adaware nothing was found, I checked the cookie folder and there were two cookies set again for d/lalot. These cookies were set after I put them in my block list for cookies and restricted the viewing of that site and searchalot. I don't have any other browsers, I've tried d/l Netscape and Opera, but they will NOT install. I'm sure this d/lalot has something to do with it.

I've been to the browser hijacking page and I've followed the instructions and installed all the necessary patches for security.

IE6 came from my Windows Update link. I turned on System Restore and checked my start up and nothing was there, then I went back to turn it off again and received the same error message as yesterday that I posted. I had to boot up in safe mode and turn system restore back on then reboot again and everything loaded, so yes, system restore is on now and seems to want to stay on.
In my start up there is MS Office, MS Calendar, PowerRegSchedularV2 (i dunno what that is) and Bit Defender for start up, yahoo, msn and icq.

TDS System Analysis > AutoStart: nothing appeared out of the ordinary or relating to d/l or searchalot.
    On the registry, or other items mentioned nothing appeared.
    On system files these appeared:
    SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    SET COMSPEC=C:\WINDOWS\COMMAND.COM
    SET windir=C:\WINDOWS
    SET winbootdir=C:\WINDOWS
    SET PROMPT=$p$g
    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP
I don't know what any of that means so I decided to post those results.

    Previous infections were SirCam, JSNOCLOSE and two others that I don't remember their names. All but the JSNOCLOSE forced me to write zero's through my hard drive and start from scratch.

    My only guess is that I'll have to wait for the d/lalot to appear again and then go through this whole process again. To see if it'll show where it is coming from.

    BTW, I haven't changed anything or added anything pertaining to the HOSTS file. If I should do something with it please give details/directions as to what to do with it.
    And what do I need to do to d/l the Hostess program to block this d/lalot site?

    ~Lori
     
  12. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
I found in my TEMP folder another folder for atdmp, there is even an icon for setup, the lil'l computer with tool box. But this is for my printer, why would it be in this folder if it's a "nastie"? Could spyware or this nastie have been d/l'd in the software for my printer? Which was just installed within the last two months... coincidence?

    I haven't deleted the file yet, only because the setup for my printer is in there.

    there is also a setup for internet communications.
    the rest of the icons are mainly all .dll's, .cn, .sm, .ex, or .dl files. As well as Setup information files for each of the prior mentioned files.

    ~lori
     
  13. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
I think I remember someone mentioning that searchalot/d/lalot claims they no longer "track" people, or was that AvenueA? But every time d/lalot appears, AvenueA appears in spybot and/or ad-aware, so they must be linked somehow.

    this is searchalot's privacy statement
    http://www.searchalot.com/privacy.htm

    what ticks me off is I've never agreed or allowed them to set anything on my pc!!!!

And I'm also not finding anything for d/lalot on their site or that they are even affiliated. But I know they are, my first use of Ad-Aware found searchalot and under that were URLs for d/lalot.

    I was looking for ways to email them on either site and there is nothing except a comment form. And I'm not using that.
     
  14. FanJ

    FanJ Guest

    Hey Lori,

    Do you also have the set-up file for your printer somewhere else on your PC? Do you perhaps have it also on CD-ROM?
    I'm asking because: if you have it also in another place, and if there is no other "important" file in that atdmp folder in your windows- temp folder, I would suggest to delete it.
    BTW: was it really atdmp? I remember you also talked about sites with atdmt in it and sites with adtmt in it.
     
  15. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    yes the folder is labeled like this ~~atdmp~ .

    and yes, I have my printer software on cdrom.

I will delete the folder, I just hope my pc doesn't crash on me! lol

there are 76 files total 152 items in this folder... named with misc. letters (meaning not spelling a word, more like abbreviations) and numbers as .dll's, .dl's, .ex, .sm, .tb, etc... along with setup files for all.
     
  16. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,347
    Location:
    The Netherlands
    About your weird zipfile problem, Eric Howes also offers IE-SPYAD as a self-extracting ZIP file, which you can just double-click on to extract the files inside.

    You won't need an external unzipper.

    Here's a direct download link: http://www.staff.uiuc.edu/~ehowes/ie-spyad.exe
     
  17. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
I tried the regular .exe file d/l and it too d/l'd as a .SIG file.
    What is an SIG file anyway?

    Any thoughts as to how to fix this?
     
  18. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    :eek: WoW!
    That link worked! Thanx Tony!

But now what do I do with it? I unzipped to c:\ie-spyad.
    I opened the ie-spyad folder and this is all that is in there...

    Folders for "old" and "repair", one copying file, ie-ads registration entry, ie-ads-uninst registration entries, and read me. Am I missing something?
     
  19. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,347
    Location:
    The Netherlands
    No, you're not.
    Doubleclick Ie-Spyad.reg, and the contents will be merged into the Registry.

    Reboot, and you're done.
     
  20. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,347
    Location:
    The Netherlands
    Besides, Lori, there's a Readme.txt file included explaining EVERYTHING.

    Read it, and all will become clear.
     
  21. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    :D DuH!

    ;) thnx,
    lori
     
  22. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,347
    Location:
    The Netherlands
    No prob! :D
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Wasn't around to react sooner about the alot connections.
    Viva TDS with the easy resolve and whois:

    2-9 23:04:06 [DNS] Resolve Name: www.searchalot.com
    2-9 23:04:06 [DNS] Full name: www.searchalot.com
    2-9 23:04:06 [DNS] IP address 1: 64.14.40.138
    2-9 23:04:07 [DNS] Resolve time: 0,328125 seconds.
    2-9 23:04:30 [DNS] Resolve Name: www.downloadalot.com
    2-9 23:04:30 [DNS] Full name: downloadalot.com
    2-9 23:04:30 [DNS] IP address 1: 64.14.40.146
    2-9 23:04:30 [DNS] Alias 1: www.downloadalot.com
    2-9 23:04:30 [DNS] Resolve time: 0,3828125 seconds.


    Domain Name: DOWNLOADALOT.COM
    Registrar: NETWORK SOLUTIONS, INC.
    Whois Server: whois.networksolutions.com
    Referral URL: http://www.networksolutions.com
    Name Server: DNS02.EXODUS.NET
    Name Server: DNS03.EXODUS.NET
    Name Server: DNS01.EXODUS.NET
    Name Server: DNS04.EXODUS.NET
    Updated Date: 03-jun-2002


    >>> Last update of whois database: Mon, 2 Sep 2002 04:45:22 EDT <<<
    Registrant:
    Downloadalot.com (DOWNLOADALOT3-DOM)
    Villa Maria Spanish Point
    County Clare, IE
    IE

    Domain Name: DOWNLOADALOT.COM

    Administrative Contact, Technical Contact:
    Services, Support (CAXVHTEWVI)      download@DOWNLOADALOT.COM
    Downloadalot.com
    Villa Maria Spanish Point
    County Clare, IE
    IE
    +351-999-999

    Record expires on 15-Feb-2011.
    Record created on 15-Feb-2000.
    Database last updated on 2-Sep-2002 17:06:56 EDT.

    Domain servers in listed order:

    DNS01.EXODUS.NET 209.1.222.244
    DNS02.EXODUS.NET 209.1.222.245
    DNS03.EXODUS.NET 209.1.222.246
    DNS04.EXODUS.NET 209.1.222.247


    REDIRECTED - Connecting to whois.networksolutions.com
    REDIRECTED - Connecting to whois.networksolutions.com


    Domain Name: SEARCHALOT.COM
    Registrar: NETWORK SOLUTIONS, INC.
    Whois Server: whois.networksolutions.com
    Referral URL: http://www.networksolutions.com
    Name Server: DNS02.EXODUS.NET
    Name Server: DNS03.EXODUS.NET
    Name Server: DNS01.EXODUS.NET
    Name Server: DNS04.EXODUS.NET
    Updated Date: 31-may-2002


    >>> Last update of whois database: Mon, 2 Sep 2002 04:45:22 EDT <<<

    Registrant:
    Searchalot, Inc. (SEARCHALOT2-DOM)
    350 South Center Street
    Suite 500
    Reno, NV 89501
    US

    Domain Name: SEARCHALOT.COM

    Administrative Contact, Technical Contact:
Department, Billing (BD8128)      billing@SEARCHALOT.COM
    Searchalot, Inc.
    350 South Center Street, Suite 500
    Reno, NV 89501
    US
    775-333-5979 775-329-0852

    Record expires on 04-Apr-2010.
    Record created on 04-Apr-1999.
    Database last updated on 2-Sep-2002 17:08:22 EDT.

    Domain servers in listed order:

    DNS01.EXODUS.NET 209.1.222.244
    DNS02.EXODUS.NET 209.1.222.245
    DNS03.EXODUS.NET 209.1.222.246
    DNS04.EXODUS.NET 209.1.222.247


    REDIRECTED - Connecting to whois.networksolutions.com
    REDIRECTED - Connecting to whois.networksolutions.com

    Right column on searchalot "free software" goes to d/lalot,
    bottom at d/lalot goes to searchalot, same server, same more, what do you miss?
     
  24. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    :eek:
That exodus.net is on my pc, I just don't remember where I found it, I think I ran that program what's happening... I'm looking now, I'll let ya know.
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    With your available anti-spy software you installed in the meantime you can now look for all spy and the kind; keep scanning for infections, as you were infected.
    Files you don't trust, rightclick scan them with TDS (or the whole folder/directory) , with your local or online scanners.
    Pest Patrol might be able to find pests like that, as they also find pests which are not immediately trojans/worms/viruses/spies/something else. Don't they have a trial? think it was www.safersite.com .

You see for the IP addresses of those alots that even though they give addresses on both sides of the big pond they go via the same ISP.

    Thanks again TDS for this quick resolve:

    OrgName: Cable & Wireless
    OrgID: EXCW

    NetRange: 64.14.0.0 - 64.14.255.255
    CIDR: 64.14.0.0/16
    NetName: LEGACY-1
    NetHandle: NET-64-14-0-0-1
    Parent: NET-64-0-0-0-0
    NetType: Direct Allocation
    NameServer: DNS01.EXODUS.NET
    NameServer: DNS02.EXODUS.NET
    NameServer: DNS03.EXODUS.NET
    NameServer: DNS04.EXODUS.NET
    Comment: * Rwhois reassignment information for this block is available at:
    * rwhois.exodus.net 4321
    * For abuse please contact abuse@exodus.net
    RegDate:
    Updated: 2002-08-21

    TechHandle: ZC221-ARIN
    TechName: Cable & Wireless
    TechPhone: +1-919-465-4023
    TechEmail: ip@gnoc.cw.net

    OrgAbuseHandle: ABUSE11-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-877-393-7878
    OrgAbuseEmail: abuse@exodus.net

    OrgNOCHandle: NOC99-ARIN
    OrgNOCName: Network Operations Center
    OrgNOCPhone: +1-800-977-4662
    OrgNOCEmail: trouble@cw.net

    OrgTechHandle: EIAA-ARIN
    OrgTechName: Exodus IP Address Administration
    OrgTechPhone: +1-888-239-6387
    OrgTechEmail: ipaddressadmin@exodus.net

    OrgTechHandle: GIAA-ARIN
    OrgTechName: Global IP Address Administration
    OrgTechPhone: +1-919-465-4096
    OrgTechEmail: ip@gnoc.cw.net

    # ARIN Whois database, last updated 2002-09-01 19:05
    # Enter ? for additional hints on searching ARIN's Whois database.


Oh yeah, in the other posting, without using online forms or going to the site, saw the email? Use that and see what they give you for an answer, to post here if it's informative :D

    Haha, who has no spam from exodus.net? Very black listed!
     