Discussion in 'privacy problems' started by ljc1174, Sep 3, 2002.

Thread Status:
Not open for further replies.
  1. TonyKlein

    TonyKlein Security Expert

    Yep, you did that very well.

    The entries should be gone now.

    As for your FilesNamedMRU list, that contains only items you did a search for.

    They're harmless.

    Let's try looking further when you have the time.

    Thanks to the miracle of time zones, I'll probably be sound asleep by that time, but I'm sure other people here will be happy to offer further advice.
  2. Jooske

    Jooske Registered Member

    It's in that "helpUrl" too and in the second posting....... it is really bad behavior of that program, same the gohip did if i remember well. Strange it is not more know i guess, for googling around there is only little comment about it in newsgroups.
    Glad you see it now in the registry keys. There might be more places, like in software.

    You're a great help Tony, certainly the reg part here is higher knowledge.

    BTW Lori, in the earlier posting i did not mean a Windows back to the former version, but IE ( add/memove panel, dig for IE, click once, try the "reinstal former IE version", so certainly not windows.
    But you might be right, maybe winME does not allow that without the restore option enabled, and i don't know if that then would cause other stuff you're now happy to be rid of to get that back.
  3. TonyKlein

    TonyKlein Security Expert

    I just learnt something new:

    From a PestPatrol explanation of SubSeven startup methods:

    "new method #2 [explorer]" HKEY_CURRENT_USER: Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU may hold three keys named 000, 001, and 002, whose values are, respectively, qkjs*.exe, sdiamd.exe, and rege There may be another identical entry *3 keys) at HKEY_USERS\S-1-5-2-83952215-1935644697-1343024091-500\Software\Microsoft\Internet Explorer\Explorer Bars\C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU"

    I have never ever heard about that one, and would love to hear from the guys at DiamondCS, for example.

    Well, highlight the two EXODUS.NET entries in the right hand pane of that Registry subkey, as well as the searchalot and downloadalot values, and hit 'delete'.

    I can't imagine that's it, but who am I to argue with the makers of PestPatrol... :D
  4. Paul Wilders

    Paul Wilders Administrator


    True, as far as I know. Doesn't seem the issue here as I see it.

    Awesome job, btw! :cool:.

    A small request: would you mind removing/altering the "www" in regard to and I would hate seeing someone by accident clicking those links ;).


  5. TonyKlein

    TonyKlein Security Expert


    Thank you, by the way! :)

    I don't think it could possibly be a startup location either.
    Dont know what went through their minds.

    I'm thinking of deleting that posting altogether.

    About Searchalot/downloadalot, to my mind there must be more entries in Lori's registry, so she does need to keep searching until everything has been found/removed.
  6. Paul Wilders

    Paul Wilders Administrator



    Agreed: most probably there will be more entries.


  7. FanJ

    FanJ Guest

    Hey guys,

    If Lori has HOSTS installed, would it be also a wise decision to add there two lines:
    both beginning with
    then the spaces as in the other already existing lines
    then those two sites (of course both of them beginning with that www.).

    Anf if she has already Hostess installed, the adding of those two sites would be easier.

    This way her computer can never again connect to those two sites, as long as HOSTS is enabled.

    This whole adding of those two sites might not fix the existing problem, but at least her PC wiil never be able to connect again to those two sites.

    BTW: I will search in my most recent HOSTS file to see whether those sites might be already in it.
    I'll let you know.

    Tony, you did a GREAT job !!!!!
  8. TonyKlein

    TonyKlein Security Expert

    Thanks Jan. :)

    However, we're not finished yet.

    Good idea about the hosts file as well, BTW.
  9. FanJ

    FanJ Guest

    searchalot is not included in HOSTS

    downloadalot is not included in HOSTS
  10. ljc1174

    ljc1174 Registered Member

    I'm looking through the entire registry and deleting anything with d/l and search.

    I'll post back when I am done and then maybe FanJ can help me with the hosts thingo_O

  11. ljc1174

    ljc1174 Registered Member

    All finished with both those names and I even tried a find for and all was gone... is there anything else I should search for?
  12. FanJ

    FanJ Guest

    I searched for exodus in my HOSTS file.
    I found several sites mentioned with the name exodus in it; two of them belonging to

    See the screenshot.

    Attached Files:

  13. ljc1174

    ljc1174 Registered Member

    I didn't get to d/l HOSTS yesterday, I don't think, from what I remember all I managed to d/l was IE-Spyad.

    Do you have a link for HOSTS?

  14. FanJ

    FanJ Guest

    Hi Lori,

    Here is the link:

    You will also find there the link to Hostess.

    Maybe it's better first to read the info on the site to get a little bit familiar with the idea.
    In case you need help, please feel free to ask and we could try to help you with it.
  15. ljc1174

    ljc1174 Registered Member

  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Very old TDS database to not detect SubSeven, biased test ? :rolleyes:
    Also, soon after the release of 2.2 Wayne wrote an additional detection for new unknown/modified SubSeven 2.2 servers. We also have all 5 known variant signatures 2.2a - 2.2e as primary signatures (the 3rd, 4th and 5th were detected before analysis by the aforementioned additional detection, Advanced Signature Scanning)

    MRU = Most recently used, just a history gathering part of Windows, which is how you get entries in Windows menus for files you have recently used. No big deal and not a startup method, it shouldn't really be mentioned :rolleyes:

    The unknown method in SubSeven 2.2 is actually HKLM\Software\Microsoft\Active Setup\Installed Components (Some key with a string value of StubPath = server.exe) This is well known and used by quite a few trojans now, we have some trace detection on these and some better things planned for TDS4

    See for verification of all SubSeven 2.2 startup methods
  17. Jooske

    Jooske Registered Member

    Thanks Gavin,
    it sounded so logical in this problem,
    to get the recently visited d/lalot in a windows menu and never getting rid of them, but by brute force if i see what Lori all went through and we all learn on stage what and how to.

    I've been on those pages but the only danger i saw when you would on the searchalot page click on the "make homepage" which i did not do, i looked in the source of the page and tried to see what would happen, but did not really find something but an url "home" but i don't know if that page would install or add the registrykeys Lori now discovered and deleted.
    So i expect to happen anything with downloading anything from their pages or becoming an affiliate, such things.
  18. TonyKlein

    TonyKlein Security Expert

    Thanks for that, Gavin.

    I thought the PestPatrol article sounded a bit dodgy... :rolleyes:

    And Lori, you should continue to search your Registry for more instances of Searchalot and the other one.

    We removed those from your Outlook Express Registry key, but these probably aren't responsible for most of your problems.

    Please post details about other keys you find them in.
  19. ljc1174

    ljc1174 Registered Member

    I performed another search last night after an attempt from d/l alot... but nothing appeared. The only difference this time was the page began to open but would not continue. I immediately closed it, ran spybot and ad-aware and nothing produced.

    I haven't yet gone through the HOSTS process from FanJ, I've been having some issues at home and I want to give the HOSTS thing my undivided attention.

    Hopefully, things will be back to normal and I can start on HOSTS by Saturday the latest Monday evening.

    Thanx again for all the help from everyone.
    And again, I apologize for any annoyances I've caused anyone, since this has been annoying me, I feel like I've been annoying those on the forum for help... You are all greatly appreciated and I can't thank you enough!

  20. Jooske

    Jooske Registered Member

    Would not see it as annoyance Lori. think every visitor reading here can learn a lot if they did not already know those items and we can send the URLs to others in trouble, so don't thibnk it's wasted. Never is.
    Keep us informed how you're doing with the final steps, like maybe finding anything anywhere, and you had something with that file format.. SIG i think it was? And Spybot running correctly or not, and getting blue screens or not when you dis- er enabled the system restore, so there are several threads where you can add to the general education :)
    Good luck!
  21. FanJ

    FanJ Guest

    Hi Lori,

    No problem ;)
    Please take your time.
    As Jooske said, we can all learn from it !

    Best wishes, Jan.
  22. Prince_Serendip

    Prince_Serendip Registered Member

    :) Hi Lori! If you need help/rescue, this is the place to be! All these people here are LifeSavers! Helping people solve their problems with their PC's and the Net helps everyone! We don't abandon those in need and we don't annoy easily. Thanks for having the courage to come forward and the tenacity to work through this stuff. While you are learning more about your system and how to do things, you are also learning how to teach it! You are teaching us too! ;)
  23. ljc1174

    ljc1174 Registered Member

    You guys are sooo awesome!!

    Thankx for all the support!

  24. Jooske

    Jooske Registered Member

    [move][glow=red,20,300] AaaawSome!!![/glow][/move]
  25. Paul Wilders

    Paul Wilders Administrator

    [move]say what?[/move]
Thread Status:
Not open for further replies.