address bar hijack

Guest

When I type www in my address bar I get www1.dealtime.com. It drives me
nuts... don't go to dealtime.com. Spybot and Adaware don't work. What can I
do to remove it?
Thanks
Earle
 
Hans Le Roy

Hi,

"Don't work" is rather cryptic. Do you mean they don't find anything, they
can't remove it, or something else?

I can only advise you to try CWShredder (www.merijn.org). If it doesn't
help, please come back with details.

Kind regards

Hans Le Roy
MS MVP Win/IE-OE
 
Guest

Thank you I will try cwshredder. I meant that when I ran spybot and adaware
they did not remove www1.dealtime from my address bar. I thought maybe it
was put in the registry somewhere so I may be able to delete it but I will
try your suggestion.
 
Guest

Hans
CW shredder does not work either.

Hans Le Roy said:
Hi,

"Don't work" is rather cryptic. Do you mean they don't find anything, they
can't remove it, or something else?

I can only advise you to try CWShredder (www.merijn.org). If it doesn't
help, please come back with details.

Kind regards

Hans Le Roy
MS MVP Win/IE-OE
 
Guest

Boy I sure could use help on this as well. When I clear the address bar, then
hit the up or down arrow, I see EVERY web address I've ever typed in. I tried
to clear history by going to Options, then clicking Clear History. I've also
tried Spybot and CWShredder as suggested. I still can't delete my previous
addresses.
bruce
 
Guest

Where do I find this? I've gone to my C: drive and searched. I don't see a
"TypedURLs" folder. I have XP operating system.
 
Guest

I figured out how to open the registry using regedit. I found the "TypedURLs"
folder. I deleted the folder and rebooted. Still not fixed. In fact, when I
opened the registry after rebooting, I noticed that the "TypedURLs" is still
there.
 
Frank Saunders, MS-MVP IE/OE

Bruce said:
I figured out how to open the registry using regedit. I found the
"TypedURLs" folder. I deleted the folder and rebooted. Still not
fixed. In fact, when I opened the registry after rebooting, I noticed
that the "TypedURLs" is still there.

See
Delete the damaged History folder- a new one will be created on restart.
http://mvps.org/winhelp2002/delcache.htm

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/
 
Gary Smith

Bruce said:
I figured out how to open the registry using regedit. I found the "TypedURLs"
folder. I deleted the folder and rebooted. Still not fixed. In fact, when I
opened the registry after rebooting, I noticed that the "TypedURLs" is still
there.

Did you close down IE before doing that? IE will rewrite the TypedURLs
key when it closes, so changes made while it's open have no effect.
 
Guest

Hey now I feel like my question got hijacked :) Just joking Bruce.
So let me ask you again if anyone can help me with the first question in
this thread? I do not have anything in typed urls I do not have a problem
with deleting websites in the address bar drop down list. But I cannot seem
to get rid of this www1.dealtime when I try to type in an address. So it is
somewhere but not in the obvious places. It is not in typed urls or dropdown.

If I turn off inline autocomplete in the advanced options then that will of
course temporarily cure the problem...
But I cannot turn off inline autocomplete because it brings up a different
issue. Frank Saunders gave me a solution in the registry for an autosearch
hijacking however it will revert if I uncheck inline autocomplete see "Auto
Search Malady".
So please I need your help here.
I have run Norton Programs, Free Surfer, AdAware, Spybot, CW Shredder, and
I searched through HiJack This.
Thanks Earle
 
Robert Aldwinckle

When I type www in my address bar I get www1.dealtime.com.

Please be more specific about what you are seeing--
a complete URL with protocol prefix or something else?
(If there is no protocol prefix it could be a Favorite that you
are overlooking. It could also be a symptom of an AutoSearch
hijacking.)


What happens if you start typing dea... instead?

Notice that if you are trying to use AutoComplete for Web Addresses
that you should *not* be typing the www. prefix anyway.
Type whatever the first letter of the domain name is and enough of the
following characters or just cursor down into the list that such typing
generates. Notice also that if it is something you use frequently you
could create a Favorite for it and if necessary rename the Favorite
to accelerate the search and minimize the amount of typing or cursor
movement you would otherwise need to do.

So it is somewhere not in the obvious places.

Such as?

Have you tried clearing your History?
Have you tried searching your History.IE5\index.dat (even after that)?

Open a command window, navigate to the History.IE5 directory
(e.g. with dir/ad and chdir commands) and enter:

find /i "dealtime.com" index.dat

What do you see?


Good luck

Robert Aldwinckle
 
Guest

I am experiencing the same problem as Earle but with
"http://www3.pornhive.com/free_zone/topgalle/bama/dbama07.html"
which is obviously a nice address to keep appearing when you type www...
I really do have no idea how it got there.

I have cleaned cache, searched the registry, searched my entire hard disk
for text lines, run spybot, adaware, ccleaner and spysubtract, even
reinstalled IE6...nothing is finding it or deleting it.

It is restricted to just one user account on this system...ie if I log on as
administrator it doesn't appear.

There are no other symptoms I am aware of. Search is clear and having
trawled the registry for all "www" references, nothing seems out of the
ordinary.

Your help is appreciated

Thanks

Rob
 
Robert Aldwinckle

"dagtuz",

I usually only reply to "Me too!" which refer to the entire thread.
Your post makes no reference to *any* of my suggestions
for Earle.

when you type www...

I said:
I have cleaned cache, searched the registry, searched my entire hard disk

I said:


Notice that the History folder may not be searchable by normal tools.
My point about searching it the way I suggested after clearing it is that
we suspect that certain registry entries (e.g. for form data and saved
password associations) seed the History after it is cleared.


Most importantly I asked for:

So in your case it would have been useful for you to have
at least included a detailed description of what happens
if you start typing por...


Earle has already had his thread hijacked once by someone
with a different symptom. Please start your own thread.
Even better continue with the next step in your malware diagnosis.
You haven't mentioned if you have tried HijackThis! yet.
I strongly suspect you are still infected. Notice that if URL characters
are stored encoded or even as Unicode strings standard search tools
will not find them.


Robert
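
The point in the reply above, that a URL stored with encoded characters or as a Unicode string is missed by a plain-text search such as `find /i`, can be checked by scanning for each representation. This is an added example, not part of the original thread: the function names are hypothetical, and the sample bytes are constructed and do not reproduce the real index.dat layout.

```python
import re

def build_patterns(needle: str) -> dict[str, re.Pattern]:
    """Compile byte regexes for the ways one ASCII string can sit in a binary file."""
    raw = needle.encode("ascii")
    esc = [re.escape(bytes([b])) for b in raw]
    ascii_pat = b"".join(esc)
    # UTF-16LE: every ASCII character is followed by a NUL byte.
    wide_pat = b"".join(e + b"\\x00" for e in esc)
    # Percent-encoding: any character may appear literally or as %XX.
    pct_pat = b"".join(b"(?:%s|%%%02X)" % (e, b) for e, b in zip(esc, raw))
    return {
        "ascii": re.compile(ascii_pat, re.IGNORECASE),
        "utf-16-le": re.compile(wide_pat, re.IGNORECASE),
        "percent-encoded": re.compile(pct_pat, re.IGNORECASE),
    }

def scan(data: bytes, needle: str) -> dict[str, list[int]]:
    """Return byte offsets of needle per representation (case-insensitive)."""
    hits = {}
    for name, pat in build_patterns(needle).items():
        matches = pat.finditer(data)
        if name == "percent-encoded":
            # Keep only matches that really contain an escape; the rest are plain ASCII.
            matches = (m for m in matches if b"%" in m.group())
        hits[name] = [m.start() for m in matches]
    return hits

# Constructed sample: one plain, one UTF-16LE and one percent-encoded occurrence.
SAMPLE = (
    b"URL \x00\x00" + b"Visited: user@http://WWW1.DealTime.com/" + b"\x00" * 4
    + "http://www1.dealtime.com/x".encode("utf-16-le") + b"\xff\xfe"
    + b"q=http%3A%2F%2Fwww1%2Edealtime%2Ecom"
)

if __name__ == "__main__":
    # On a real system, read the file instead: data = open(path, "rb").read()
    for form, offsets in scan(SAMPLE, "dealtime.com").items():
        print(f"{form:16} {offsets}")
```

Only the "ascii" row corresponds to what `find /i "dealtime.com" index.dat` would report; the other two rows are the occurrences it would miss.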
 
Guest

Hi Robert thanks for the help. The problem is still there. When I type www
in order to enter an address. The address bar shows www1.dealtime.com note
1 before the dot. I do not have this in my favourites or history or drop
down nor do I wish to keep it. It is disappointing that Dagtuz did not give
his solution. I am not sure what a protocol prefix is. When I type dea...
nothing comes up.
I am not trying to use autocomplete at all I just cannot shake this thing.
I cannot turn off autocomplete because of another anomaly.
Thanks
Earle
 
Guest

Hi Again Robert:
I am a novice so I am finding your directions re. IE5 too cryptic. Can you
please give me the baby steps. I did search the folders and found dat files
with no specific info re. dealtime but the date it was modified seemed to
coincide. So I trashed all 4 dat files, they are still in the bin and can be
recovered. I restarted and the problem is still there.
I cannot believe that these companies actually think I will do anything but
loathe them. It's like a door to door salesman that keeps ringing the doorbell
and won't leave.
Again, Can you please give me the baby steps?
Earle
 
Robert Aldwinckle

earle said:
Hi Robert thanks for the help. The problem is still there. When I type www
in order to enter an address. The address bar shows www1.dealtime.com note
1 before the dot. I do not have this in my favourites or history or drop
down nor do I wish to keep it. It is disappointing that Dagtuz did not give
his solution. I am not sure what a protocol prefix is.

A protocol prefix is http://

When I type dea... nothing comes up.

Ok. I see now that that idea only works with a www. prefix.
But that really wasn't the point. Why are you typing www
in the Address bar? If whatever it is that you are really trying
to enter is in your AutoSuggest list and *it* starts with www.
then I'm suggesting that you start typing the *next* character
(e.g. the first character in the domain name of whatever site it is.)
The point is that if you get into the habit of not typing www.
unnecessarily you will hardly ever notice those unwanted
alias prefixes such as www1. Note in particular that doing that
has the secondary benefit (normally) of providing a protocol
prefix to your URLs without resorting to AutoSearch's quirky
(and sometimes infiltrated) machinery.

I am not trying to use autocomplete at all I just cannot shake this thing.

Ok. Let's take it slowly then. (I usually try to give complete answers
but I suspect I would lose you. Notice that there are several
unanswered questions and untested suggestions below.)

One of the unanswered questions is "Have you tried clearing your History?"
Does the unwanted URL show up in History, View by Site? (Ctrl-h,Alt-w,i)
If it is there it would be listed under www1.dea... not under dea...


If it is listed there you could try using the History item delete function;
however, there is some question about its reliability for general cases
so I have a more detailed speculative reply that I have posted
in various forms from time to time. Keyword: recursion

http://groups.google.com/groups?q=r...6.browser&num=20&hl=en&lr=&c2coff=1&scoring=d

(Google Groups search for
recursion delete history author:aldwinckle group:microsoft.*.ie6.browser
)

I cannot turn off autocomplete because of another anomaly.

I'm hoping you will find out that you wouldn't want to even if you could. ;)
 
Guest

Thank you Robert,

First let me clear up why I type "www". I use "ctrl/ enter" frequently so I
do not have to type in "www." and ".com" if I am going to a US website. I
love this feature, however, many websites I am looking for are international
so I cannot use that command properly. I just went back to the long way
because when I am doing research I alternate between entering ".com" and
".com.uk" etc. websites. I am open to any suggestions.

In response to the issue:
There is nothing in history or typed urls in the registry. I looked in IE5
History and Content to the best of my ability through search but I could see
no direct reference to "dealtime".

I was not able to follow your 2nd last posting where you wrote:
Have you tried searching your History.IE5\index.dat (even after that)?
Open a command window, navigate to the History.IE5 directory (e.g. with
dir/ad and chdir commands) and enter: find /i "dealtime.com" index.dat
This intrigues me if you would like to take me through it as I need to know
what to type specifically.

The problem could be in IE5 and though I did put some of it in the trash
previously and restarted but it had no effect so I recovered them as I was
flying blind.

I did notice something in the registry which I thought may be interesting in
HKey Current User/ Software/ Microsoft/ IE/ Toolbar: There is an entry in
blue called "brand lead in" Also there is a folder called "search hooks"
which I have not seen referenced anywhere.

So please if you could spell out the IE5 thing for me and tell me what to
delete. I am not concerned about passwords etc. or history.

I also just tried CC Cleaner but to no avail.

Thank you for your patience.

Earle
 
Robert Aldwinckle

earle said:
Thank you Robert,

First let me clear up why I type "www". I use "ctrl/ enter" frequently so I
do not have to type in "www." and ".com" if I am going to a US website. I
love this feature, however, many websites I am looking for are international
so I cannot use that command properly. I just went back to the long way
because when I am doing research I alternate between entering ".com" and
".com.uk" etc. websites. I am open to any suggestions.

Earle,

It's not clear if you understand what I wrote.
Try using AutoComplete the way it is designed to work currently
using the AutoSuggest dropdown list. The Ctrl-Enter feature is an
anachronism, the only part of an old feature called AutoScan which
unfortunately IMO was left semi-operational in the new implementation.
As long as you have previously visited a site or have it in your Favorites
and it starts with www. you do not need to type the www. to get a match
in the AutoSuggest dropdown list. Therefore the only time you would
be bothered by the www1. site alias should be the first time you try to
visit a new site by typing it. Then my question would be why would you
be *typing* a new site? Probably only because you only *heard* of it?
Otherwise I expect that you would be either using a link to it or at most
copying and pasting a complete URL from another source
and both of those cases also avoid you having to be bothered by
seeing site aliases.

I'm not going to try to rewrite my tip about doing a find in the History.IE5
index.dat until I know specifically what there is that you don't understand.
Also I can't be more specific anyway because you have so far failed to
disclose your OS. The location of the History "folder" varies considerably
among OS. However, you should be able to find it with an Explorer
search of History, type Folder.

FWIW here is where mine starts:
%USERPROFILE%\Local Settings\History\
I can type that in an IE Address bar and AutoComplete shows the pseudo
subfolders of History. However, the actual subdirectories which implement
them are hidden and only accessible by typing them explicitly or by switching
to a command window and drilling down lower into the directory structure
using the dir/ad and cd commands I mentioned.

You *must* open a command window and navigate to that directory.
In my case I could enter this:

cd /d %USERPROFILE%\Local Settings\History\History.IE5

From there it is just the simple matter of using the find command
I previously specified to you in my first reply.


Good luck

Robert
---