AGAIN
ljc1174
September 3rd, 2002, 07:11 AM
First of all, I'm not sure if this is even the correct place to post this...If this post should be moved elsewhere, please do so.
But again, the blasted d/lalot opened when I clicked a new window for IE.
I emailed the NIPC(sp) and they replied with an email telling me to contact my ISP. Which doesn't seem like a solution to me.
Would contacting the BBB be a good idea?
If anyone knows of anyone else I can contact to report this annoyance, please let me know.
Or if anyone has any further suggestions to stop them from loading as my homepage (which is still set to about:blank), please by all means help.
IE-Spyad has been installed, this search and d/lalot have been added to my restricted sites and all cookies have been blocked.
I'm going to run TDS auto start up to see if maybe it'll show up in there and I'm also going to run the What's Happening program. And whatever else I have on here to see if they show up. There has to be a program out there to block these jerks!
Thanks,
Lori
ljc1174
September 3rd, 2002, 07:16 AM
Just a thought, but would uninstalling IE6 from my programs and then reinstalling it be helpful or harmful? ???
Pieter_Arntz
September 3rd, 2002, 07:24 AM
I don't see how it could be harmful but you'd have to be very thorough to make sure it helps. What OS are you using?
Regards,
Pieter
ljc1174
September 3rd, 2002, 07:34 AM
Windows ME
My restoration cd has IE5, I would have to go through all the updates again, but... if that's my only option... hopefully it isn't though!
~Lori
Pieter_Arntz
September 3rd, 2002, 07:53 AM
Lori,
Have a look at this one: http://www.litepc.com/ieradicator.html
Make sure you download the installer for your new version of IE (may I recommend IE 5.5 SP2) before you eradicate the old version.
This one is thorough but does not work for win2k SP2 or XP (That's why I asked) ME should be no problem.
I hope it gets rid of your problem as well.
Regards,
Pieter
PS You can find the installer for IE 5.5 SP2 here: http://www.microsoft.com/windows/ie/downloads/recommended/ie55sp2/default.asp
ljc1174
September 3rd, 2002, 11:10 AM
I had the IE5.5SP2 installed but everyone kept telling me to update to IE6 and that it would fix the problem.
Whatever the problem is, it's attached to IE somewhere in my pc. I've searched every folder I could open for anything relating to d/l or searchalot.
So since I am using IE6 would it make sense to d/l IE5.5sp2?
I only mentioned IE5 b4 because that is what's on my restoration cd. Removing IE from my pc would mean I would have to d/l msn explorer and I don't want to do that, not even for temp usage. That's why I am looking for any other ways to solve this annoying issue!
I scanned with Ad-Aware, Spybot, TDS (updated it first) and What's Happening. Nothing is found. Or that I can tell anyway. Everything "appears" normal. But I was reading about Optix Lite and just to be on the safe side I'm going to run TDS autostart again. I'm sure I'd have some sort of clue if I had that Optix thing, but, I'd rather db'l check anyhow.
~Lori
TonyKlein
September 3rd, 2002, 11:18 AM
At this point I really can't remember what you have or haven't tried, but I don't think reinstalling IE 6.0 or reverting to 5.5 SP2 will change anything.
Pieter's proposal of running IEradicator is drastic but it may stand a chance, as it truly eradicates all IE related files, folders and registry keys.
However, if your uninvited guest is not part of it, it obviously won't be affected one bit.
I forget, but have you tried running BHODemon (http://www.definitivesolutions.com/bhodemon.htm)?
If not, download it, launch the program, and tell us what BHOs it detects.
ljc1174
September 3rd, 2002, 11:32 AM
Yes, I have BHO Demon...
It only detects ACROIEHELPER.OCX and YCOMP4,0,2,8.DLL.
Isn't that Yahoo and Adobe Acrobat(sp) Reader?
If all else fails, and if I'm going to remove IE from my pc, then yes, I will use the IEradicator. But you said you don't think it will delete the annoyance? If I've searched everything on my pc and can't find anything, wouldn't that mean that it is more than likely attached to my IE somewhere, or is it just attached somewhere to my hard drive? If that's the case then wiping out my hard drive would be the only solution to getting rid of it, correct?
~Lori
ljc1174
September 3rd, 2002, 12:24 PM
In regards to removing IE from my pc... I was curious as to what the opinions were towards the other browsers... I was also curious about the opinions of others: if I do remove IE, should I reinstall it? Or continue to just use a different browser.
But this is if I don't figure out someway to remove the d/l-searchalot garbage. Which is highly unlikely!
Thanx in advance for thoughts!
~Lori
TonyKlein
September 3rd, 2002, 12:36 PM
Quoting Lori:
Yes, I have BHO Demon...
It only detects ACROIEHELPER.OCX and YCOMP4,0,2,8.DLL.
Isn't that Yahoo and Adobe Acrobat(sp) Reader?
Yep. I now seem to remember we did do that one before... ::)
About IEradicator, as we don't know what exactly this is, or where it 'lives', there's no telling whether removing IE will help.
Did you already do a registry search by keyword searchalot?
Try it. After the first found instance press F3 to go to the next one.
Tell us the exact and complete registry keys they're located in, if they're there at all.
ljc1174
September 3rd, 2002, 01:00 PM
A registry search with autostart on the TDS program?
If not, I don't know where to find the registry keys.
(sometimes ignorance isn't bliss) :-[
TonyKlein
September 3rd, 2002, 01:02 PM
No, this has nothing to do with TDS-3
Start > Run > Regedit
Edit > Search
ljc1174
September 3rd, 2002, 01:15 PM
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
This is what I did: clicked Start, clicked Run, typed Regedit and hit OK. Correct?
TonyKlein
September 3rd, 2002, 01:24 PM
Yup!
Now do a searchalot keyword search.
In the Search box, make sure 'Keys' AND 'values' are checked.
Jooske
September 3rd, 2002, 01:25 PM
Hi again, sorry to see you have that d/l thing back.
You remember who did the "repair install" I guess; did you ever visit that d/lalot searchalot with this version of IE or with the former 5.5?
How about trying to put all back to your blank homepage, then do that "back to former version" (still with the restore disabled), you'll have to reboot,
see what happens after reboot. Afterwards you might like to go to the Windows Update site and grab their latest 6.0 and see what it will be. The security updates for 6 are not so really many yet, so that's better than keeping this frustration.
I must say I read a lot of very wonderful advice here; learning new things each day!
I see you posted in the meantime about the registry part; I leave that part to the guys who really know how to guide you there step by step.
ljc1174
September 3rd, 2002, 01:32 PM
Quoting TonyKlein:
Yup!
Now do a searchalot keyword search.
In the Search box, make sure 'Keys' AND 'values' are checked.
Where am I typing in searchalot?
Start, Run, type in searchalot?
TonyKlein
September 3rd, 2002, 01:33 PM
No, read what I posted:
After launching Regedit, go to Edit > then to Find
ljc1174
September 3rd, 2002, 01:38 PM
Hi Jooske,
I am running IE6 with all available updates and patches MS has.
I can't put my pc back on disable system restore, it was booting up with the blue screen,
ERROR:OE:0177:BFF7B018
I posted previously about it on the other thread, but I don't think anything was mentioned about it.
Also, I have updated all the updates for my pc including the system restore update/fix.
When I use Window's Update, all it has to offer me are the conversion tools. Which I don't need.
~Lori
BTW:
Yes, I did visit search and d/l alot to find ways to email them. After that, I had the IE-Spyad installed. And my homepage setting hasn't been changed by me, it still reads About:Blank.
ljc1174
September 3rd, 2002, 01:42 PM
Soooooooooooooo...
Everything that shows up on this search is only for searchalot and should be deleted? ::)
TonyKlein
September 3rd, 2002, 01:54 PM
Well, I'd like to know what it is first.
Everything you delete in the Registry doesn't end up in the recycle bin, but is gone forever.
Maybe first back up your registry: what version of Windows were you running?
ljc1174
September 3rd, 2002, 02:06 PM
I have Windows ME.
Does this help? I saved it then opened it with WordPad...
REGEDIT4
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0]
"VerStamp"=dword:00000003
"HelpUrl"="http://www.searchalot.com/?IE6"
"BodyBarPath"="http://www.searchalot.com/ie6advert.htm"
"ShowBodyBar"=dword:00000001
"HideFolderBar"=dword:00000001
"Tree"=dword:00000001
"Show Outlook Bar"=dword:00000000
"ShowStatus"=dword:00000001
"Show Contacts"=dword:00000000
"Tip of the Day"=dword:00000000
"ShowToolbarIEAK"=dword:00000001
"Toolbar Text"=dword:00000001
"SpellDontIgnoreDBCS"=dword:00000001
"MSIMN"=dword:00000001
"StoreMigratedV5"=dword:00000001
"ConvertedToDBX"=dword:00000001
"Settings Upgraded"=dword:00000007
"Running"=dword:00000000
"Store Root"="C:\\WINDOWS\\Application Data\\Identities\\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\\Microsoft\\Outlook Express\\"
"PrevToolbarTextStyle"=dword:00000001
"Outlook Bar Settings"=hex:01,00,00,00,00,00,00,00,00,00,00,00,05,00,00,00,00,\
00,00,00,00,00,00,00,04,00,00,00,05,00,00,00,06,00,00,00,07,00,00,00,08,00,\
00,00
"Launch Inbox"=dword:00000000
"Migration Done"=dword:00000001
"Saved Toolbar Settings"=hex:11,9e,00,00,ff,ff,ff,ff,01,9d,00,00,ff,ff,ff,ff,\
07,9d,00,00,c4,9c,00,00
"Saved Toolbar Settings Version"=dword:00000011
"Browser Bands"=hex:11,00,00,00,04,00,00,00,64,00,00,00,80,02,00,00,64,00,00,\
00,66,00,00,00,02,00,00,00,16,00,00,00,65,00,00,00,01,02,00,00,64,00,00,00,\
67,00,00,00,09,00,00,00,64,00,00,00
"Toolbar Icon Size"=dword:00000001
"BodyBarPos"=dword:00000032
"Nav Pane Width"=dword:000000c8
"Nav Pane Split"=dword:00000042
"BrowserPos"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,64,00,00,00,51,00,00,00,bc,02,00,00,e6,01,00,00
"SpoolerDlgPos"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,9c,00,00,00,56,00,00,00,84,02,00,00,ed,00,00,00
"SpoolerTack"=dword:00000000
"Show Deleted Messages"=dword:00000001
"Show Replies To My Messages"=dword:00000000
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Recent Stationery List]
"File0"="Clear Day.htm"
"File1"="Nature.htm"
"File2"="Maize.htm"
"File3"="Sunflower.htm"
"File4"="Citrus Punch.htm"
"File5"="Blank.htm"
"File6"="Leaves.htm"
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Mail]
"ShowHybridView"=dword:00000001
"Show Header Info"=dword:00000001
"SplitDir"=dword:00000000
"Welcome Message"=dword:00000000
"Accounts Checked"=dword:00000001
"SplitHorzPct"=dword:00000032
"SplitVertPct"=dword:00000032
"Default_CodePage"=dword:00006faf
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules]
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Mail]
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter]
"Version"=dword:00050000
"Order"="FFA FFB FFC FFF"
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\MRU List]
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFA]
"Name"="Show All Messages"
"Enabled"=dword:00000001
"Version"=dword:00000004
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFA\Criteria]
"Order"="000"
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFA\Criteria\000]
"Type"=dword:00000014
"Logic"=dword:00000000
"Flags"=dword:00000000
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFA\Actions]
"Order"="000"
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFA\Actions\000]
"Type"=dword:0000000f
"Flags"=dword:00000000
"ValueType"=dword:00000013
"Value"=dword:00000001
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFB]
"Name"="Hide Read Messages"
"Enabled"=dword:00000001
"Version"=dword:00000004
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFB\Criteria]
"Order"="000"
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFB\Criteria\000]
"Type"=dword:0000001c
"Logic"=dword:00000000
"Flags"=dword:00000000
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFB\Actions]
"Order"="000"
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFB\Actions\000]
"Type"=dword:0000000f
"Flags"=dword:00000000
"ValueType"=dword:00000013
"Value"=dword:00000002
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFC]
"Name"="Show Downloaded Messages"
"Enabled"=dword:00000001
"Version"=dword:00000004
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFC\Criteria]
"Order"="000"
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFC\Criteria\000]
"Type"=dword:00000019
"Logic"=dword:00000000
"Flags"=dword:00000000
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFC\Actions]
"Order"="000"
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFC\Actions\000]
"Type"=dword:0000000f
"Flags"=dword:00000000
"ValueType"=dword:00000013
"Value"=dword:00000001
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF]
"Name"="Hide Read or Ignored Messages"
"Enabled"=dword:00000001
"Version"=dword:00000004
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF\Criteria]
"Order"="000 001"
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF\Criteria\000]
"Type"=dword:0000001b
"Logic"=dword:00000001
"Flags"=dword:00000000
"ValueType"=dword:00000013
"Value"=dword:00000002
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF\Criteria\001]
"Type"=dword:0000001c
"Logic"=dword:00000000
"Flags"=dword:00000000
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF\Actions]
"Order"="000"
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Rules\Filter\FFF\Actions\000]
"Type"=dword:0000000f
"Flags"=dword:00000000
"ValueType"=dword:00000013
"Value"=dword:00000002
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\News]
"ShowHybridView"=dword:00000001
"Show Header Info"=dword:00000001
"SplitDir"=dword:00000000
"Accounts Checked"=dword:00000001
"SplitHorzPct"=dword:00000032
"SplitVertPct"=dword:00000032
"ThreadArticles"=dword:00000001
"Saved Toolbar Settings"=hex:12,9e,00,00,f2,9c,00,00,f0,9c,00,00,f4,9c,00,00,\
ff,ff,ff,ff,b4,9c,00,00,dd,9c,00,00,ff,ff,ff,ff,01,9d,00,00,ff,ff,ff,ff,07,\
9d,00,00,c4,9c,00,00,79,9d,00,00,06,9d,00,00
"Saved Toolbar Settings Version"=dword:00000011
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Trident]
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Trident\International]
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Trident\Settings]
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Trident\Main]
"Move System Caret"="no"
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0\Columns]
"News Column Info"=hex:10,00,00,00,07,00,00,00,10,00,00,00,09,00,00,00,ff,ff,\
ff,ff,16,00,00,00,09,00,00,00,ff,ff,ff,ff,17,00,00,00,09,00,00,00,ff,ff,ff,\
ff,02,00,00,00,01,00,00,00,ff,ff,ff,ff,01,00,00,00,01,00,00,00,ff,ff,ff,ff,\
04,00,00,00,03,00,00,00,ff,ff,ff,ff,05,00,00,00,01,00,00,00,ff,ff,ff,ff
ljc1174
September 3rd, 2002, 02:08 PM
And just for the record, after the last time I had to write zero's through my hard drive, I haven't used outlook express. I used it once and ended up with a virus, which forced me to write out my hard drive and reinstall. I haven't used it since and never plan to again.
TonyKlein
September 3rd, 2002, 02:27 PM
Lori,
Copy the bold to Notepad, save as Del.reg, and doubleclick to enter into the registry:
REGEDIT4
[HKEY_CURRENT_USER\Identities\{8E222FBD-1A52-4095-9FB3-436B46EFE989}\Software\Microsoft\Outlook Express\5.0]
"HelpUrl"=-
"BodyBarPath"=-
That will get rid of the two Searchalot entries.
There may however be more.
Start all over again, and show us what else it finds.
Post it here.
Next, type F3 in order to go to a possible next instance.
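As an added example, not something posted in this thread: a small Python script that scans a REGEDIT4 export like the one Lori pasted for values whose name or data mention a keyword, and writes out the kind of Del.reg TonyKlein describes (a value name followed by `=-` removes that value when the file is merged). The export below is constructed for the example, with an invented key path, and only imitates the two relevant values.

```python
import re

# Constructed sample REGEDIT4 export, modelled on the export posted in the
# thread; the key path is invented and only the relevant values are imitated.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Example\Outlook Express\5.0]
"VerStamp"=dword:00000003
"HelpUrl"="http://www.searchalot.com/?IE6"
"BodyBarPath"="http://www.searchalot.com/ie6advert.htm"
"ShowBodyBar"=dword:00000001
"Blob"=hex:01,00,\
  02,00

[HKEY_CURRENT_USER\Software\Example\Other]
"Note"="nothing to see here"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Yield (key, value_name, raw_data) for every value in a .reg export.
    Long hex data that regedit wraps with a trailing backslash is joined first."""
    lines = []
    pending = ''
    for line in text.splitlines():
        line = line.rstrip()
        if pending:
            line = pending + line.strip()
            pending = ''
        if line.endswith('\\'):
            pending = line[:-1]
            continue
        lines.append(line)
    current_key = None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            yield current_key, m.group(1), m.group(2)


def find_values(text, keyword):
    """Return [(key, value_name)] for values whose name or data contain keyword
    (case-insensitive), i.e. what Regedit's Find reports for 'Keys' and 'Values'."""
    kw = keyword.lower()
    return [(k, n) for k, n, d in parse_reg(text)
            if kw in n.lower() or kw in d.lower()]


def build_delete_reg(hits):
    """Build a .reg file that removes the listed values: "name"=- under a
    [key] header deletes that value when the file is merged."""
    by_key = {}
    for key, name in hits:
        by_key.setdefault(key, []).append(name)
    out = ['REGEDIT4', '']
    for key, names in by_key.items():
        out.append('[%s]' % key)
        out.extend('"%s"=-' % n for n in names)
        out.append('')
    return '\n'.join(out)


if __name__ == '__main__':
    # Review the hits before merging anything; deletions do not go to the recycle bin.
    hits = find_values(SAMPLE_EXPORT, 'searchalot')
    print(build_delete_reg(hits))
```

Back up the registry first, as the thread says, and read the generated file before merging it.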
ljc1174
September 3rd, 2002, 02:58 PM
clicking start, run and typing regedit gave me all the info for searchalot again w/o typing in searchalot under find.
So, I typed in downloadalot and got this...
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU]
"000"="DNS01.EXODUS.NET"
"001"="Hostess"
"002"="ie spyad"
"003"="IE-spyad"
"004"="hosts"
"005"=" DNS01.EXODUS.NET"
"006"="www.searchalot.com"
"007"="www.downloadalot.com"
"008"="searchalot"
"009"="Spybot S&D"
"010"="BHODemon"
"011"="Ad-Aware"
"012"="Kazaa"
"013"="shelliconcache"
"014"="tweakui.exe"
"015"="TweekUI(1).exe"
"016"="Tweak"
"017"="ndetect"
"018"="mgi"
"019"="picture works"
"020"="b3d projector"
"021"="DOWNLOADWARE"
"022"="wink.exe"
"023"="Norton"
"024"="downloadalot"
I copied what you had in bold to notepad, db'l clicked it and it asked if I wanted to enter it to the registry. Was that correct?
ljc1174
September 3rd, 2002, 02:59 PM
I will be away from my pc for awhile... I should be back on around 4 or 5.
~Lori
TonyKlein
September 3rd, 2002, 03:03 PM
Quoting Lori:
I copied what you had in bold to notepad, db'l clicked it and it asked if I wanted to enter it to the registry. Was that correct?
Yep, you did that very well.
The entries should be gone now.
As for your FilesNamedMRU list, that contains only items you did a search for.
They're harmless.
Let's try looking further when you have the time.
Thanks to the miracle of time zones, I'll probably be sound asleep by that time, but I'm sure other people here will be happy to offer further advice.
Jooske
September 3rd, 2002, 03:21 PM
It's in that "HelpUrl" too and in the second posting....... it is really bad behavior of that program, same as the gohip did if I remember well. Strange it is not more known I guess, for googling around there is only little comment about it in newsgroups.
Glad you see it now in the registry keys. There might be more places, like in software.
You're a great help Tony, certainly the reg part here is higher knowledge.
BTW Lori, in the earlier posting I did not mean a Windows back to the former version, but IE (add/remove panel, dig for IE, click once, try the "reinstall former IE version"), so certainly not Windows.
But you might be right, maybe winME does not allow that without the restore option enabled, and i don't know if that then would cause other stuff you're now happy to be rid of to get that back.
TonyKlein
September 3rd, 2002, 03:24 PM
I just learnt something new:
From a PestPatrol explanation of SubSeven startup methods (http://www.safersite.com/whitepapers/comparison/removing_subseven.asp):
"new method #2 [explorer]" HKEY_CURRENT_USER: Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU may hold three keys named 000, 001, and 002, whose values are, respectively, qkjs*.exe, sdiamd.exe, and rege There may be another identical entry *3 keys) at HKEY_USERS\S-1-5-2-83952215-1935644697-1343024091-500\Software\Microsoft\Internet Explorer\Explorer Bars\C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU"
I have never ever heard about that one, and would love to hear from the guys at DiamondCS, for example.
Well, highlight the two EXODUS.NET entries in the right hand pane of that Registry subkey, as well as the searchalot and downloadalot values, and hit 'delete'.
I can't imagine that's it, but who am I to argue with the makers of PestPatrol... ;D
Paul Wilders
September 3rd, 2002, 04:02 PM
Tony,
Quoting Tony: "...I have never ever heard about that one..."
True, as far as I know. Doesn't seem the issue here as I see it.
Awesome job, btw! 8).
A small request: would you mind removing/altering the "www" in regard to searchalot.com and downloadalot.com? I would hate seeing someone by accident clicking those links ;).
regards.
paul
TonyKlein
September 3rd, 2002, 04:08 PM
Quoting Forum Admin:
A small request: would you mind removing/altering the "www" in regard to searchalot.com and downloadalot.com? I would hate seeing someone by accident clicking those links
Done!
Thank you, by the way! :)
I don't think it could possibly be a startup location either.
Don't know what went through their minds.
I'm thinking of deleting that posting altogether.
About Searchalot/downloadalot, to my mind there must be more entries in Lori's registry, so she does need to keep searching until everything has been found/removed.
Paul Wilders
September 3rd, 2002, 04:29 PM
Tony,
Thanks!
Agreed: most probably there will be more entries.
regards.
paul
FanJ
September 3rd, 2002, 04:29 PM
Hey guys,
If Lori has HOSTS installed, would it be also a wise decision to add there two lines:
both beginning with 127.0.0.1
then the spaces as in the other already existing lines
then those two sites (of course both of them beginning with that www.).
And if she has already Hostess installed, the adding of those two sites would be easier.
This way her computer can never again connect to those two sites, as long as HOSTS is enabled.
This whole adding of those two sites might not fix the existing problem, but at least her PC will never be able to connect again to those two sites.
BTW: I will search in my most recent HOSTS file to see whether those sites might be already in it.
I'll let you know.
Tony, you did a GREAT job !!!!!
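As an added example, not from FanJ or the HOSTS/Hostess tools mentioned above: a Python helper that checks whether a hostname is already mapped to 127.0.0.1 in a hosts file (comment lines and inline comments ignored, aliases on one line handled) and appends the missing entries using the same column spacing as the existing lines. The hosts content below is constructed; the example.invalid names are placeholders.

```python
import re

# Constructed sample hosts file; the example.invalid names are placeholders.
SAMPLE_HOSTS = """# Example hosts file (constructed)
127.0.0.1       localhost
127.0.0.1       ads.example.invalid tracker.example.invalid
# 127.0.0.1     commented.example.invalid
"""


def active_entries(text):
    """Return [(address, [hostnames])] for every non-comment line.
    Anything after '#' is a comment and ignored, so commented-out lines do not count."""
    entries = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], [p.lower() for p in parts[1:]]))
    return entries


def is_blocked(text, hostname):
    """True if an active line maps hostname to a loopback or null address,
    so the machine cannot reach that site while the hosts file is in use."""
    host = hostname.lower()
    return any(addr in ('127.0.0.1', '0.0.0.0') and host in names
               for addr, names in active_entries(text))


def add_blocks(text, hostnames, address='127.0.0.1'):
    """Append one address line per hostname that is not blocked yet, reusing
    the whitespace between address and name from the first existing entry
    (the 'spaces as in the other already existing lines'). Idempotent."""
    sep = ' '
    for line in text.splitlines():
        m = re.match(r'^(\S+)(\s+)\S', line)
        if m and not line.lstrip().startswith('#'):
            sep = m.group(2)
            break
    out = text if (not text or text.endswith('\n')) else text + '\n'
    for host in hostnames:
        if not is_blocked(out, host):
            out += '%s%s%s\n' % (address, sep, host)
    return out


if __name__ == '__main__':
    # The two sites from the thread, with the leading www. as FanJ suggests.
    print(add_blocks(SAMPLE_HOSTS, ['www.searchalot.com', 'www.downloadalot.com']))
```

Note that a hosts entry only blocks the exact hostname listed, so a site reachable under several names needs one line per name.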
TonyKlein
September 3rd, 2002, 04:31 PM
Thanks Jan. :)
However, we're not finished yet.
Good idea about the hosts file as well, BTW.
FanJ
September 3rd, 2002, 04:41 PM
searchalot is not included in HOSTS
downloadalot is not included in HOSTS
ljc1174
September 3rd, 2002, 05:06 PM
I'm looking through the entire registry and deleting anything with d/l and search.
I'll post back when I am done and then maybe FanJ can help me with the hosts thing???
Thanx!
Lori
ljc1174
September 3rd, 2002, 05:10 PM
All finished with both those names and I even tried a find for exodus.net and all was gone... is there anything else I should search for?
FanJ
September 3rd, 2002, 07:39 PM
I searched for exodus in my HOSTS file.
I found several sites mentioned with the name exodus in it; two of them belonging to exodus.net
See the screenshot.
ljc1174
September 3rd, 2002, 08:13 PM
I didn't get to d/l HOSTS yesterday, I don't think, from what I remember all I managed to d/l was IE-Spyad.
Do you have a link for HOSTS?
~Lori
FanJ
September 3rd, 2002, 08:35 PM
Hi Lori,
Here is the link:
http://www.smartin-designs.com/
You will also find there the link to Hostess.
Maybe it's better first to read the info on the site to get a little bit familiar with the idea.
In case you need help, please feel free to ask and we could try to help you with it.
ljc1174
September 3rd, 2002, 09:08 PM
Thank you much Fan J!!!
I'll post if I need ya!
~Lori
Gavin - DiamondCS
September 3rd, 2002, 11:14 PM
Quoting TonyKlein:
I just learnt something new:
From a PestPatrol explanation of SubSeven startup methods (http://www.safersite.com/whitepapers/comparison/removing_subseven.asp):
Very old TDS database to not detect SubSeven, biased test ? ::)
Also, soon after the release of 2.2 Wayne wrote an additional detection for new unknown/modified SubSeven 2.2 servers. We also have all 5 known variant signatures 2.2a - 2.2e as primary signatures (the 3rd, 4th and 5th were detected before analysis by the aforementioned additional detection, Advanced Signature Scanning)
Quoting TonyKlein:
"new method #2 [explorer]" HKEY_CURRENT_USER: Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU may hold three keys named 000, 001, and 002, whose values are, respectively, qkjs*.exe, sdiamd.exe, and rege There may be another identical entry *3 keys) at HKEY_USERS\S-1-5-2-83952215-1935644697-1343024091-500\Software\Microsoft\Internet Explorer\Explorer Bars\C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU"
I have never ever heard about that one, and would love to hear from the guys at DiamondCS, for example.
MRU = Most recently used, just a history gathering part of Windows, which is how you get entries in Windows menus for files you have recently used. No big deal and not a startup method, it shouldn't really be mentioned ::)
The unknown method in SubSeven 2.2 is actually HKLM\Software\Microsoft\Active Setup\Installed Components (Some key with a string value of StubPath = server.exe) This is well known and used by quite a few trojans now, we have some trace detection on these and some better things planned for TDS4
See http://www.dark-e.com/archive/trojans/subseven/22full/index.shtml for verification of all SubSeven 2.2 startup methods
Jooske
September 4th, 2002, 03:46 AM
Thanks Gavin,
it sounded so logical in this problem,
(quoting Gavin: "MRU = Most recently used, just a history gathering part of Windows, which is how you get entries in Windows menus for files you have recently used")
to get the recently visited d/lalot in a windows menu and never getting rid of them, but by brute force if i see what Lori all went through and we all learn on stage what and how to.
I've been on those pages but the only danger i saw when you would on the searchalot page click on the "make homepage" which i did not do, i looked in the source of the page and tried to see what would happen, but did not really find something but an url "home" but i don't know if that page would install or add the registrykeys Lori now discovered and deleted.
So i expect to happen anything with downloading anything from their pages or becoming an affiliate, such things.
TonyKlein
September 4th, 2002, 02:50 PM
Thanks for that, Gavin.
I thought the PestPatrol article sounded a bit dodgy... ::)
And Lori, you should continue to search your Registry for more instances of Searchalot and the other one.
We removed those from your Outlook Express Registry key, but these probably aren't responsible for most of your problems.
Please post details about other keys you find them in.
ljc1174
September 5th, 2002, 11:23 AM
I performed another search last night after an attempt from d/l alot... but nothing appeared. The only difference this time was the page began to open but would not continue. I immediately closed it, ran spybot and ad-aware and nothing produced.
I haven't yet gone through the HOSTS process from FanJ, I've been having some issues at home and I want to give the HOSTS thing my undivided attention.
Hopefully, things will be back to normal and I can start on HOSTS by Saturday the latest Monday evening.
Thanx again for all the help from everyone.
And again, I apologize for any annoyances I've caused anyone, since this has been annoying me, I feel like I've been annoying those on the forum for help... You are all greatly appreciated and I can't thank you enough!
~Lori
Jooske
September 5th, 2002, 02:08 PM
Would not see it as annoyance Lori. I think every visitor reading here can learn a lot if they did not already know those items and we can send the URLs to others in trouble, so don't think it's wasted. Never is.
Keep us informed how you're doing with the final steps, like maybe finding anything anywhere, and you had something with that file format.. SIG i think it was? And Spybot running correctly or not, and getting blue screens or not when you dis- er enabled the system restore, so there are several threads where you can add to the general education :)
Good luck!
FanJ
September 5th, 2002, 05:22 PM
Hi Lori,
No problem ;)
Please take your time.
As Jooske said, we can all learn from it !
Best wishes, Jan.
Prince_Serendip
September 5th, 2002, 05:38 PM
:) Hi Lori! If you need help/rescue, this is the place to be! All these people here are LifeSavers! Helping people solve their problems with their PC's and the Net helps everyone! We don't abandon those in need and we don't annoy easily. Thanks for having the courage to come forward and the tenacity to work through this stuff. While you are learning more about your system and how to do things, you are also learning how to teach it! You are teaching us too! ;)
ljc1174
September 5th, 2002, 06:15 PM
You guys are sooo awesome!!
Thankx for all the support!
~Lori
Jooske
September 7th, 2002, 07:21 PM
AaaawSome!!!
Paul Wilders
September 7th, 2002, 07:25 PM
say what?
Prince_Serendip
September 7th, 2002, 07:37 PM
8) 8) 8) 8) 8) 8) 8) 8) 8) 8) 8) 8)
Copyright ©2002 - 2009, Wilders Security Forums