adult friend finder!/lop

Discussion in 'Malware Help (A Specialist Will Reply)' started by THE_CANADIAN, Jul 10, 2005.

  1. THE_CANADIAN

    THE_CANADIAN Specialist

    Alright, well I've got 2 problems and 1 question.

    1st - All of a sudden when I open my IE (yes I have IE, not Firefox..), it opens to my homepage, then like 2 sec later an adultfriendfinder site opens. How do I stop the adultfriendfinder from coming?

    2nd - I still have this annoying ass lop searchbar on my comp. It's a blue bar that I can't close; it just opens on its own and is stuck on my screen.. and it's always visible. How do I remove this?

    Question - When I run Search & Destroy I see it going through all this crap on the bottom and I saw like Kazaa, lop etc... why isn't it removing this? What is it searching in?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps below:

    - Did you install Messenger Plus! 3 (or another version of it)? If so, uninstall it. It may be the cause of your LOP infection.

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. THE_CANADIAN

    THE_CANADIAN Specialist

    OK, I did all the scan stuff in the link you posted.. except:

    - Symantec Security Check (it would just stay blank, nothing would happen)
    - Spybot Search and Destroy found "Isearch (3 entries)" but couldn't fix it and does not fix it even after restart.

    My HijackThis log file is attached
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the directions I gave you for installing and running HJT. You are not running it properly and you did not exit browsers:
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\CLÉMENCE\LOCALS~1\Temp\Rar$EX00.344\HijackThis.exe

    You are running HJT directly from the ZIP file. You will not get any backups of things we fix using HJT if you run it this way.


    Now download and then install the latest version: Microsoft Windows AntiSpyware
    Make sure you get the updates but do not run the scan yet. First reboot into safe mode. Then run a full scan and fix what it finds (hopefully this will fix iSearch). Then reboot into normal mode and continue with the steps in my next message.
     
    Last edited: Jul 11, 2005
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes. (Note: What I'm showing here is for you to kill any Internet Explorer sessions that are still running. Sometimes with LOP infections there may be some running even though you have closed all of your sessions.)
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe


    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ybrnnvnqoukpotjpre.com/7aUjbqiFTKZVde/IfcBtE_AiteWDUEYvsLR6BC6qYfVwtS0H0FrHLWI6wttEbljk.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - (no file)
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
    O2 - BHO: (no name) - {85DD3943-1390-3856-4C22-C606CBF1B789} - C:\DOCUME~1\CLÉMENCE\APPLIC~1\MPEGFR~1\Love Slow.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [idlebytecampthird] C:\Documents and Settings\All Users\Application Data\newcoolidlebyte\EGGS AXIS.exe
    O4 - HKCU\..\Run: [mail setup] C:\DOCUME~1\CLÉMENCE\APPLIC~1\HELPSU~1\Frag Mfcd.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} - http://www.hotsearchbar.com/toolbar30/hsrb.cab
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\isrvs <--- the whole folder if found
    C:\Documents and Settings\CLÉMENCE\Application Data\MPEGFR~1\Love Slow.exe
    C:\Documents and Settings\All Users\Application Data\newcoolidlebyte\EGGS AXIS.exe
    C:\Documents and Settings\CLÉMENCE\Application Data\HELPSU~1\Frag Mfcd.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.


    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
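    An added example, not code from the thread or from HijackThis, that applies the same triage rules chaslang uses in this post (and the O17 NameServer check raised later in the thread) to a handful of the posted log lines: the R1 search-bar hijack, orphaned "(no file)" entries, O4 Run keys launched from user-data folders or odd locations, and NameServer addresses that are not the ISP's. The KNOWN_DNS and KNOWN_PAGES lists are assumed placeholders, and the sample URL path is shortened.

```python
import re

# Assumed placeholders: DNS servers the user's ISP really hands out, and
# search/start pages considered legitimate on this machine.
KNOWN_DNS = {"192.0.2.53", "192.0.2.54"}
KNOWN_PAGES = {"www.majorgeeks.com", "www.msn.com", "www.microsoft.com"}

HJT_LINE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
USER_DATA = re.compile(r"APPLIC~1|Application Data|DOCUME~1|Documents and Settings", re.I)
NORMAL_DIRS = re.compile(r"Program Files|WINDOWS\\system32", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def classify(line):
    """Return (severity, reason) for one HijackThis line, or None if it looks benign."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("type"), m.group("body")
    # Orphaned hooks/BHOs/buttons: the loader is gone but the registry entry remains.
    if "(no file)" in body or "(file missing)" in body:
        return ("medium", f"{kind} entry points at a file that no longer exists")
    if kind in ("R0", "R1"):  # IE start page / search bar / local page
        key, value = (re.split(r"\s*=\s*", body, maxsplit=1) + [""])[:2]
        setting = key.split(",")[-1]
        if not value:
            return ("low", f"{setting} has been blanked")
        host = re.sub(r"^https?://", "", value).split("/")[0]
        return None if host in KNOWN_PAGES else ("high", f"{setting} redirected to {host}")
    if kind == "O4":  # Run keys: where does the autostart executable live?
        if USER_DATA.search(body):
            return ("high", "startup entry runs from a user-data folder")
        if not NORMAL_DIRS.search(body):
            return ("medium", "startup entry runs outside Program Files/system32")
        return None
    if kind == "O17":  # NameServer overrides: compare against the ISP's real DNS
        rogue = [ip for ip in IPV4.findall(body) if ip not in KNOWN_DNS]
        return ("high", "NameServer not from ISP: " + ", ".join(rogue)) if rogue else None
    return None

def triage(log_text):
    """Run classify over a whole log; returns (severity, reason, line) tuples."""
    hits = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            hits.append((verdict[0], verdict[1], line.strip()))
    return hits

# Constructed sample: a subset of the lines posted in this thread (URL path shortened).
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ybrnnvnqoukpotjpre.com/7aUjbqiFTKZVde/x.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKCU\..\Run: [mail setup] C:\DOCUME~1\CLÉMENCE\APPLIC~1\HELPSU~1\Frag Mfcd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{09C0DFCB-44D2-4254-BD4C-9AF2FE52A776}: NameServer = 209.47.15.118,64.157.143.38
"""

if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE):
        print(f"[{severity:6}] {reason}\n         {line}")
```

    The gcasServ line is deliberately left unflagged because it runs from Program Files, which is the point chaslang makes later about where MS AntiSpyware should live.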
     
  6. THE_CANADIAN

    THE_CANADIAN Specialist

    OK, adultfriendfinder doesn't pop up anymore :p
    The lop bar didn't come when I opened up IE right now but it usually comes back, hopefully it won't.. I'll post if it does

    HijackThis log file is attached
     

    Attached Files:

  7. THE_CANADIAN

    THE_CANADIAN Specialist

    As I feared.. the lop bar is back..

    Here's the screenshot of it, maybe it will help: screenshot
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to post a HJT log from after the time that it came back. It is possible that you may need to remove (uninstall) some of the protection programs to completely remove this. Sometimes the good programs get in the way of manual cleanup procedures. We may need to uninstall MS Antispyware and maybe some other items temporarily while fixing.

    Is the below something you installed? Are you sure it is safe:

    D:\spyware And Virus\PhishGuard\PhishGuard.exe

    Did you really install Acrobat Reader as below:
    D:\Reader\reader_sl.exe

    Do you recognize all the below IP addresses to be valid for you:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{09C0DFCB-44D2-4254-BD4C-9AF2FE52A776}: NameServer = 209.47.15.118,64.157.143.38,69.57.146.14,69.57.147.175
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7DA995C4-5D07-4A24-B786-30C29F34B815}: NameServer = 206.47.244.60 206.47.244.104
     
  9. THE_CANADIAN

    THE_CANADIAN Specialist

    Yes, I installed PhishGuard but I can easily uninstall it if I need to.. about the Acrobat thing I'm not sure.. cuz I never really use it. Should I uninstall it?

    And as for those IPs, I don't recognize or recall being on any of those sites.

    P.S. This annoying searchweb2.com is popping up pretty often
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All of the 209.47.x.x addresses are for
    Code:
    209.47.15.118 = [ ]

    OrgName:    UUNET Technologies Inc.
    OrgID:      UU
    Address:    22001 Loudoun County Parkway
    City:       Ashburn
    StateProv:  VA
    PostalCode: 20147
    Country:    US
    NetRange:   209.47.0.0 - 209.47.255.255
    
    Does this look familiar?

    Is the below your ISP
    Code:
    69.57.146.14 = [ ev1s-69-57-146-14.ev1servers.net ]

    OrgName:    Everyones Internet Inc.
    OrgID:      EVRY
    Address:    390 Benmar
    Address:    Suite 200
    City:       Houston
    StateProv:  TX
    

    As I said below, you must post a new HJT log from after the point that your problem came back.
     
  11. THE_CANADIAN

    THE_CANADIAN Specialist

    Here's the HijackThis log.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to supply feedback on message # 10.

    You should uninstall the very old version of Giant Antispyware that you are using and get the version that was released after Microsoft bought them.

    Microsoft Windows AntiSpyware

    Your LOP infection is back. See the lines below:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dfaurenepjwqbmyehtp.com/7aUjbqiFTKZVde/IfcBtE_AiteWDUEYvsLR6BC6qYfVFrydOgVzDVWI6wttEbljk.jsp
    O2 - BHO: (no name) - {8B50176C-DD6E-4C14-A603-727A859337CD} - (no file)
    O4 - HKLM\..\Run: [idlebytecampthird] C:\Documents and Settings\All Users\Application Data\newcoolidlebyte\ping rect.exe
    O4 - HKCU\..\Run: [mail setup] C:\DOCUME~1\CLÉMENCE\APPLIC~1\HELPSU~1\Frag Mfcd.exe

    Fix them like last time. I'm not sure where you are surfing but you could be picking it up from where you are going.
     
    Last edited: Jul 14, 2005
  13. THE_CANADIAN

    THE_CANADIAN Specialist

    OK, well to reply to message ten... I do not recognize those IP addresses at all.. they are not my IP addresses.

    For the "Giant Antispyware".. I never installed this.. I have Microsoft Antispyware. I downloaded it when you told me to so that I can fix the iSearch thing...
    If so, where is the Giant Antispyware located?

    The main sites that I visit on a daily or weekly basis are:
    - www.majorgeeks.com
    - www.countersurf.com
    - www.govteen.com
    I use MSN Messenger and play on Steam (Counter-Strike 1.6), so I do not know where I'm getting the lop.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is Everyones Internet Inc. your ISP?

    Then you did not install Microsoft Antispyware properly. Uninstall it and reinstall it into the proper default folders that it suggests. You show it running from the root folder of drive D ( D:\gcasServ.exe ) which is a BAD idea.
     
  15. THE_CANADIAN

    THE_CANADIAN Specialist

    OK, well my ISP is Sympatico.

    I uninstalled Giant Antispyware, but where should I install it in D:// because it suggests installing in my C:// but my C drive is low on hard drive space and I don't want to install anything in there..

    HijackThis log is attached.. lop thing is gone but I will tell you what sites I've gone on if it comes back
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not uninstall the software. It is still in your log. O4 - HKLM\..\Run: [gcasServ] "D:\gcasServ.exe"

    And you are supposed to be installing Microsoft Antispyware from the link I gave you. Not Giant Antispyware.

    Make a folder on Drive D and name it D:\Program Files and install your programs there. This is similar to what would normally be done on drive C. If you are that low on space on drive C, you really should clean up. But that's not a discussion for this forum.

    Have HJT fix the below lines too:

    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{09C0DFCB-44D2-4254-BD4C-9AF2FE52A776}: NameServer = 209.47.15.118,64.157.143.38,69.57.146.14,69.57.147.175
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7DA995C4-5D07-4A24-B786-30C29F34B815}: NameServer = 206.47.244.60 206.47.244.104
    O17 - HKLM\System\CS1\Services\Tcpip\..\{09C0DFCB-44D2-4254-BD4C-9AF2FE52A776}: NameServer = 209.47.15.118,64.157.143.38,69.57.146.14,69.57.147.175
     
  17. THE_CANADIAN

    THE_CANADIAN Specialist

    The "D:\gcasServ.exe" is nowhere to be found on my D drive.. I looked for it manually and even searched for it.. I installed the antispyware from the link you gave me.

    Well, I did the HijackThis (log attached) and the lop bar came back, but now it's gone again since I ran the HijackThis.. but it came back and I didn't even go on any site.. it just came back

    P.S. I just ran the HijackThis and the gcasserv.exe is installed on my comp because I installed the antispyware from the link you told me..
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not installing MS Antispyware correctly. I said you should allow it to install in the defaults. So if you just change it to drive D you should have used as below.. It should show in your log like this for processes:

    D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    D:\Program Files\Microsoft AntiSpyware\gcasServ.exe

    And like this for how it loads at Startup

    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

    Having just a process like gcasServ.exe running from outside Program Files is a bad idea. It makes it unrecognizable. And if you keep doing that, you will have dozens of different applications all running from the same folder and possibly overwriting each other's files.


    Please download Lop Uninstaller on this site

    And give it a run. But make sure all browser windows are closed first.
     
  19. THE_CANADIAN

    THE_CANADIAN Specialist

    lol, when I clicked to download the lop uninstaller my avast said that there was a win32.trojan-gen and to abort the connection.. should I listen??? or download the lop uninstaller.. you have to assure me it's safe?
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I just double checked and actually downloaded the file and then ran it. It's safe. I think Avast is just picking up on the C2 Media site.
     
  21. THE_CANADIAN

    THE_CANADIAN Specialist

    Well, I ran like every malware protecting program I have.. and most of them said they found nothing.. and I ran:
    - ccleaner
    - MS Antispyware
    - Spybot Search and Destroy
    - Ad-Aware
    - kill2me
    - AboutBuster
    - avast!
    - CWShredder
    - Stinger

    And when I open Internet Explorer the lop and 1 pop up come up.

    Here's my HijackThis log
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You neglected to tell me one thing. Did you run the Lop uninstaller?
     
  23. THE_CANADIAN

    THE_CANADIAN Specialist

    Yes, I did run the lop uninstaller and it got rid of the toolbar for like a sec.. and then it came back when I opened IE
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay here is what I would like you to do.

    First, uninstall MS Antispyware and then reboot your PC. It may be getting in our way.
    After reboot, continue with the below (hopefully the file names have not changed).



    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ugochrlynlofnrr.com/7aUjbqiFTKZVde/IfcBtE_AiteWDUEYvsLR6BC6qYfXnLC86mtaIg2I6wttEbljk.jpg
    O4 - HKLM\..\Run: [idlebytecampthird] C:\Documents and Settings\All Users\Application Data\newcoolidlebyte\SoftwareBall.exe
    O4 - HKCU\..\Run: [mail setup] C:\DOCUME~1\CLÉMENCE\APPLIC~1\HELPSU~1\Frag Mfcd.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\All Users\Application Data\newcoolidlebyte <--- the whole folder
    C:\Documents and Settings\CLÉMENCE\APPLIC~1\HELPSU~1 <--- whatever the real name of this folder is, delete it

    Make sure you tell me if you cannot find the above folders. They are where the problem is originating from and they could be renaming themselves.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
