Wilders Security Forums > Privacy Related Topics > privacy problems

#26 - TonyKlein (Security Expert) - September 3rd, 2002, 03:03 PM
Re: AGAIN

Quote:
I copied what you had in bold to notepad, double-clicked it and it asked if I wanted to enter it to the registry. Was that correct?

Yep, you did that very well.

The entries should be gone now.

As for your FilesNamedMRU list, that contains only items you did a search for.

They're harmless.

Let's try looking further when you have the time.

Thanks to the miracle of time zones, I'll probably be sound asleep by that time, but I'm sure other people here will be happy to offer further advice.
__________________
Tony - CLSID List - A Collection of Autostart Locations
#27 - Jooske (Incredibly Massive Poster) - September 3rd, 2002, 03:21 PM
Re: AGAIN

It's in that "helpUrl" too and in the second posting... It is really bad behavior of that program, the same as gohip did if I remember well. Strange it is not more known, I guess, for googling around there is only little comment about it in newsgroups.
Glad you see it now in the registry keys. There might be more places, like in software.

You're a great help Tony, certainly the reg part here is higher knowledge.

BTW Lori, in the earlier posting I did not mean a Windows back to the former version, but IE (add/remove panel, dig for IE, click once, try the "reinstall former IE version"), so certainly not Windows.
But you might be right, maybe WinME does not allow that without the restore option enabled, and I don't know if that would then cause other stuff you're now happy to be rid of to come back.
__________________
Jooske
"o_o"
#28 - TonyKlein (Security Expert) - September 3rd, 2002, 03:24 PM
Re: AGAIN

I just learnt something new:

From a PestPatrol explanation of SubSeven startup methods:

"new method #2 [explorer]" HKEY_CURRENT_USER: Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU may hold three keys named 000, 001, and 002, whose values are, respectively, qkjs*.exe, sdiamd.exe, and rege There may be another identical entry (3 keys) at HKEY_USERS\S-1-5-2-83952215-1935644697-1343024091-500\Software\Microsoft\Internet Explorer\Explorer Bars\C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU"

I have never ever heard about that one, and would love to hear from the guys at DiamondCS, for example.

Well, highlight the two EXODUS.NET entries in the right hand pane of that Registry subkey, as well as the searchalot and downloadalot values, and hit 'delete'.

I can't imagine that's it, but who am I to argue with the makers of PestPatrol...



#29 - Paul Wilders (Administrator) - September 3rd, 2002, 04:02 PM
Re: AGAIN

Tony,

Quote:
...I have never ever heard about that one..

True, as far as I know. Doesn't seem the issue here as I see it.

Awesome job, btw!

A small request: would you mind removing/altering the "www" in regard to searchalot.com and downloadalot.com? I would hate seeing someone by accident clicking those links.

regards.

paul

__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
#30 - TonyKlein (Security Expert) - September 3rd, 2002, 04:08 PM
Re: AGAIN

Quote (Forum Admin):

A small request: would you mind removing/altering the "www" in regard to searchalot.com and downloadalot.com? I would hate seeing someone by accident clicking those links

Done!

Thank you, by the way!

I don't think it could possibly be a startup location either.
Don't know what went through their minds.

I'm thinking of deleting that posting altogether.

About Searchalot/downloadalot, to my mind there must be more entries in Lori's registry, so she does need to keep searching until everything has been found/removed.

#31 - Paul Wilders (Administrator) - September 3rd, 2002, 04:29 PM
Re: AGAIN

Tony,

Thanks!

Agreed: most probably there will be more entries.

regards.

paul
#32 - FanJ - September 3rd, 2002, 04:29 PM
Re: AGAIN

Hey guys,

If Lori has HOSTS installed, would it also be a wise decision to add two lines there:
both beginning with 127.0.0.1,
then the spaces as in the other already existing lines,
then those two sites (of course both of them beginning with that www.).

And if she already has Hostess installed, adding those two sites would be easier.

This way her computer can never again connect to those two sites, as long as HOSTS is enabled.

This whole adding of those two sites might not fix the existing problem, but at least her PC will never be able to connect to those two sites again.

BTW: I will search in my most recent HOSTS file to see whether those sites might be already in it.
I'll let you know.

Tony, you did a GREAT job !!!!!
#33 - TonyKlein (Security Expert) - September 3rd, 2002, 04:31 PM
Re: AGAIN

Thanks Jan.

However, we're not finished yet.

Good idea about the hosts file as well, BTW.
#34 - FanJ - September 3rd, 2002, 04:41 PM
Re: AGAIN

searchalot is not included in HOSTS

downloadalot is not included in HOSTS
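FanJ's suggestion above (one 127.0.0.1 line per site, after first checking whether the site is already listed) as an added worked example. This is not code from the thread or from the HOSTS/Hostess tools it links to: it reads a hosts file as text, reports which names are already mapped to a loopback (or 0.0.0.0) address, and appends a line only for names that are missing, so running it twice is harmless. The sample file contents are constructed for the example; writing the result back to the real hosts file is left to the reader.

```python
import ipaddress
import re
from typing import List, Set, Tuple

# Constructed sample of a hosts file (not taken from any real machine).
SAMPLE_HOSTS = """# Constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       ads.example.test      # already blocked
# 127.0.0.1     old.example.test      # commented out, so NOT blocked
"""

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL_RE = re.compile(r'^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$', re.I)


def valid_hostname(host: str) -> bool:
    """True if every dot-separated label is well formed and the whole name fits in 253 chars."""
    if not host or len(host) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in host.split('.'))


def blocked_hosts(text: str) -> Set[str]:
    """Host names the file maps to a loopback (127.x, ::1) or unspecified (0.0.0.0) address.

    Everything after '#' is a comment, so a commented-out line does not count as a block.
    """
    found: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: skip it rather than guess
        if addr.is_loopback or addr.is_unspecified:
            found.update(h.lower() for h in fields[1:])
    return found


def add_blocks(text: str, hosts: List[str]) -> Tuple[str, List[str]]:
    """Append one '127.0.0.1  <host>' line per host that is not already blocked.

    Returns (new_file_text, hosts_actually_added). Re-running on the result is a no-op.
    """
    existing = blocked_hosts(text)
    added: List[str] = []
    out = text if (text == '' or text.endswith('\n')) else text + '\n'
    for host in hosts:
        host = host.strip().lower()
        if not valid_hostname(host):
            raise ValueError(f'not a valid host name: {host!r}')
        if host in existing:
            continue
        out += f'127.0.0.1\t{host}\n'
        existing.add(host)
        added.append(host)
    return out, added


if __name__ == '__main__':
    new_text, added = add_blocks(SAMPLE_HOSTS, ['www.searchalot.com', 'www.downloadalot.com'])
    print('added:', added)
    print(new_text)
```

Two caveats worth keeping in mind: a hosts entry matches only that exact name, so "www.searchalot.com" and "searchalot.com" are separate entries and each spelling you care about needs its own line; and the hosts file only affects name lookups, so a program that already knows the site's IP address is not stopped by it.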
#35 - ljc1174 (Frequent Poster) - September 3rd, 2002, 05:06 PM
Re: AGAIN

I'm looking through the entire registry and deleting anything with d/l and search.

I'll post back when I am done and then maybe FanJ can help me with the hosts thing

Thanx!
Lori

__________________
Avatar by: Eldar
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'm from Cleveland
I'm a mom of 4
I'm in college
#36 - ljc1174 (Frequent Poster) - September 3rd, 2002, 05:10 PM
Re: AGAIN

All finished with both those names and I even tried a find for exodus.net and all was gone... is there anything else I should search for?

#37 - FanJ - September 3rd, 2002, 07:39 PM
Re: AGAIN

I searched for exodus in my HOSTS file.
I found several sites mentioned with the name exodus in it; two of them belonging to exodus.net

See the screenshot.
(Attached image: screenshot of the HOSTS file search results, not included here.)
#38 - ljc1174 (Frequent Poster) - September 3rd, 2002, 08:13 PM
Re: AGAIN

I didn't get to d/l HOSTS yesterday, I don't think, from what I remember all I managed to d/l was IE-Spyad.

Do you have a link for HOSTS?

~Lori
#39 - FanJ - September 3rd, 2002, 08:35 PM
Re: AGAIN

Hi Lori,

Here is the link:

http://www.smartin-designs.com/

You will also find there the link to Hostess.

Maybe it's better first to read the info on the site to get a little bit familiar with the idea.
In case you need help, please feel free to ask and we could try to help you with it.
#40 - ljc1174 (Frequent Poster) - September 3rd, 2002, 09:08 PM
Re: AGAIN

Thank you much Fan J!!!


I'll post if I need ya!

~Lori
#41 - Gavin - DiamondCS (Former DCS Moderator) - September 3rd, 2002, 11:14 PM
Re: AGAIN

Quote (TonyKlein):
I just learnt something new:

From a PestPatrol explanation of SubSeven startup methods:

Very old TDS database to not detect SubSeven, biased test?
Also, soon after the release of 2.2 Wayne wrote an additional detection for new unknown/modified SubSeven 2.2 servers. We also have all 5 known variant signatures 2.2a - 2.2e as primary signatures (the 3rd, 4th and 5th were detected before analysis by the aforementioned additional detection, Advanced Signature Scanning)

Quote:
"new method #2 [explorer]" HKEY_CURRENT_USER: Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU may hold three keys named 000, 001, and 002, whose values are, respectively, qkjs*.exe, sdiamd.exe, and rege There may be another identical entry (3 keys) at HKEY_USERS\S-1-5-2-83952215-1935644697-1343024091-500\Software\Microsoft\Internet Explorer\Explorer Bars\C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU"

I have never ever heard about that one, and would love to hear from the guys at DiamondCS, for example.

MRU = Most recently used, just a history gathering part of Windows, which is how you get entries in Windows menus for files you have recently used. No big deal and not a startup method; it shouldn't really be mentioned.

The unknown method in SubSeven 2.2 is actually HKLM\Software\Microsoft\Active Setup\Installed Components (Some key with a string value of StubPath = server.exe) This is well known and used by quite a few trojans now, we have some trace detection on these and some better things planned for TDS4

See http://www.dark-e.com/archive/trojans/subseven/22full/index.shtml for verification of all SubSeven 2.2 startup methods
#42 - Jooske (Incredibly Massive Poster) - September 4th, 2002, 03:46 AM
Re: AGAIN

Thanks Gavin,
it sounded so logical in this problem,
Quote:
MRU = Most recently used, just a history gathering part of Windows, which is how you get entries in Windows menus for files you have recently used
to get the recently visited d/lalot in a Windows menu and never getting rid of them but by brute force, if I see what Lori all went through, and we all learn on stage what and how to.

I've been on those pages, but the only danger I saw was when you would click on the "make homepage" on the searchalot page, which I did not do. I looked in the source of the page and tried to see what would happen, but did not really find anything but a URL "home", and I don't know if that page would install or add the registry keys Lori now discovered and deleted.
So I expect anything to happen with downloading anything from their pages or becoming an affiliate, such things.
#43 - TonyKlein (Security Expert) - September 4th, 2002, 02:50 PM
Re: AGAIN

Thanks for that, Gavin.

I thought the PestPatrol article sounded a bit dodgy...

And Lori, you should continue to search your Registry for more instances of Searchalot and the other one.

We removed those from your Outlook Express Registry key, but these probably aren't responsible for most of your problems.

Please post details about other keys you find them in.
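Gavin's point that StubPath values under Active Setup\Installed Components are a genuine startup location (while the FilesNamedMRU list is only history), together with Tony's advice to keep searching the Registry for the remaining entries, as one added worked example. This is not code from the thread, from PestPatrol or from DiamondCS: it parses a regedit export (File > Export in regedit, the same .reg format Lori merged earlier) so both checks run against a text file on any machine, lists every Active Setup component that carries a StubPath, and does a case-insensitive search over key paths, value names and string data the way regedit's Find does. The sample export, its GUIDs, the "server.exe" StubPath and the Searchalot key are constructed placeholders, not entries from anyone's machine.

```python
import re
from typing import Dict, List, Tuple

Registry = Dict[str, Dict[str, Tuple[str, object]]]  # key path -> {value name: (kind, data)}

# Constructed sample of a regedit export. The GUIDs, the "server.exe" StubPath and the
# Searchalot key are placeholders for this example only.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-AAAA-BBBB-CCCC-000000000001}]
@="Example component (constructed)"
"StubPath"="C:\\WINDOWS\\system32\\regsvr32.exe /s example.dll"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-AAAA-BBBB-CCCC-000000000002}]
"StubPath"="C:\\WINDOWS\\server.exe"
"Version"="2,2,0,0"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU]
"000"="searchalot"
"001"="resume.doc"
"MRUList"=hex:00,\
  01

[HKEY_CURRENT_USER\Software\Searchalot]
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data (default value)


def _unescape(s: str) -> str:
    """Undo .reg string escaping (backslash and double quote are prefixed with a backslash)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> Registry:
    """Parse a REGEDIT4 / 5.00 export into {key: {name: (kind, data)}} for string, dword and hex data."""
    reg: Registry = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith((';', 'Windows Registry Editor', 'REGEDIT4')):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue  # not a value line this parser understands
        name = '' if m.group(1) is None else _unescape(m.group(1))  # '' is the (Default) value
        raw = m.group(2)
        while raw.endswith('\\') and i < len(lines):  # hex data wraps onto continuation lines
            raw = raw[:-1] + lines[i].strip()
            i += 1
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            reg[current][name] = ('string', _unescape(raw[1:-1]))
        elif raw.startswith('dword:'):
            reg[current][name] = ('dword', int(raw[6:], 16))
        elif raw.startswith('hex'):
            payload = raw.split(':', 1)[1]
            reg[current][name] = ('hex', bytes(int(b, 16) for b in payload.split(',') if b))
        else:
            reg[current][name] = ('other', raw)
    return reg


ACTIVE_SETUP = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components'


def active_setup_stubpaths(reg: Registry) -> List[Tuple[str, str]]:
    """(component, StubPath) for each Active Setup component that has one.

    Windows runs a StubPath once per user at logon when that user's copy of the
    component is missing or older, so an unfamiliar component here deserves a look.
    """
    prefix = ACTIVE_SETUP.lower() + '\\'
    out: List[Tuple[str, str]] = []
    for key, values in reg.items():
        if key.lower().startswith(prefix):
            for name, (kind, data) in values.items():
                if name.lower() == 'stubpath' and kind == 'string':
                    out.append((key.rsplit('\\', 1)[-1], str(data)))
    return out


def find_entries(reg: Registry, needle: str) -> List[Tuple[str, str, object]]:
    """Case-insensitive search over key paths, value names and string data (like regedit's Find)."""
    n = needle.lower()
    hits: List[Tuple[str, str, object]] = []
    for key, values in reg.items():
        key_hit = n in key.lower()
        if key_hit and not values:
            hits.append((key, '', None))  # the key itself matches but holds no values
        for name, (kind, data) in values.items():
            if key_hit or n in name.lower() or (kind == 'string' and n in str(data).lower()):
                hits.append((key, name, data))
    return hits


if __name__ == '__main__':
    parsed = parse_reg(SAMPLE_REG)
    for component, stub in active_setup_stubpaths(parsed):
        print(f'Active Setup {component}: {stub}')
    for key, name, data in find_entries(parsed, 'searchalot'):
        print(f'{key} :: {name or "(Default)"} = {data!r}')
```

Working from an export rather than the live Registry means the search can be repeated and compared after each cleanup round, and the file can be posted or archived as a record of what was found; the parser only knows the string, dword and hex kinds, so anything else is kept verbatim under the 'other' kind rather than dropped.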
#44 - ljc1174 (Frequent Poster) - September 5th, 2002, 11:23 AM
Re: AGAIN

I performed another search last night after an attempt from d/l alot... but nothing appeared. The only difference this time was the page began to open but would not continue. I immediately closed it, ran spybot and ad-aware and nothing produced.

I haven't yet gone through the HOSTS process from FanJ, I've been having some issues at home and I want to give the HOSTS thing my undivided attention.

Hopefully, things will be back to normal and I can start on HOSTS by Saturday the latest Monday evening.

Thanx again for all the help from everyone.
And again, I apologize for any annoyances I've caused anyone, since this has been annoying me, I feel like I've been annoying those on the forum for help... You are all greatly appreciated and I can't thank you enough!


~Lori
#45 - Jooske (Incredibly Massive Poster) - September 5th, 2002, 02:08 PM
Re: AGAIN

I would not see it as an annoyance, Lori. I think every visitor reading here can learn a lot if they did not already know those items, and we can send the URLs to others in trouble, so don't think it's wasted. Never is.
Keep us informed how you're doing with the final steps, like maybe finding anything anywhere, and you had something with that file format... SIG I think it was? And Spybot running correctly or not, and getting blue screens or not when you dis- er, enabled the system restore, so there are several threads where you can add to the general education.
Good luck!
#46 - FanJ - September 5th, 2002, 05:22 PM
Re: AGAIN

Hi Lori,

No problem
Please take your time.
As Jooske said, we can all learn from it !

Best wishes, Jan.
#47 - Prince_Serendip (Frequent Poster) - September 5th, 2002, 05:38 PM
Re: AGAIN

Hi Lori! If you need help/rescue, this is the place to be! All these people here are LifeSavers! Helping people solve their problems with their PC's and the Net helps everyone! We don't abandon those in need and we don't annoy easily. Thanks for having the courage to come forward and the tenacity to work through this stuff. While you are learning more about your system and how to do things, you are also learning how to teach it! You are teaching us too!
__________________
Author: Rootkits For Dummies 2007: Reviews
My Website: Windows Security Checklist
MVP - Windows Security - 2006 & 2007
#48 - ljc1174 (Frequent Poster) - September 5th, 2002, 06:15 PM
Re: AGAIN

You guys are sooo awesome!!

Thanks for all the support!

~Lori
#49 - Jooske (Incredibly Massive Poster) - September 7th, 2002, 07:21 PM
Re: AGAIN

AaaawSome!!!
#50 - Paul Wilders (Administrator) - September 7th, 2002, 07:25 PM
Re: AGAIN

say what?
 

All times are GMT -4.