Lop again - it just won't go away!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Bryen, Mar 5, 2005.

  1. Bryen

    Bryen Private E-2

    I got lop through messenger plus - now uninstalled. I've run all the standard stuff (ad-aware, spybot, a2, norton av, cc cleaner) and it is still there at a deep level. When I launch ie browser, it is not there but after about 15 minutes it appears as a search bar & the pop ups start. Any advice please. (I've also used hijack this & removed obvious bad stuff). Thanks - nothing in the existing threads seemed just like this.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's start with a General cleanup

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs. TIP: Create a folder on your C:\ drive for the tools/utilities you will need to use. For example: Navigate to your Program Files directory, right click on a blank spot in the window > choose New > Folder. Name this folder Spyware Tools. Now you can save the needed tools to this folder and if you prefer, create sub-folders named for each individual utility.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an ATTACHMENT.
    All instructions are covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting


    Now post a Hijack This log as an ATTACHMENT to your message (Do NOT copy/paste the log into your post). Please close unnecessary running programs before you run HijackThis. You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc.

    DO NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    To Repeat: Please be sure to reply in this thread if you need further assistance or have any questions. Someone WILL be along to help you as soon as they can. You can help us help you by following the above instructions and providing detailed information as to the difficulties you are having and/or continuing to have after you have completed the Basic Spyware, Trojan And Virus Removal tutorial. Just telling us you followed the tutorial does not give us enough information. You need to let us know the results...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    We all recognize that if you are here asking for help you are probably frustrated and maybe even angry that your computer has been taken over by some malicious program. Rest assured, we want to help you but we get frustrated too when we are not given the requested information or when instructions are not followed. Don't be afraid to ask for additional help if you don't understand something! There is no such thing as a dumb question and we do not expect everyone who comes here to have vast computer knowledge, however you will be more educated and better prepared to prevent re-infestation when you leave here!:)

    Good luck!:)
     
  3. Bryen

    Bryen Private E-2

    Hi again - thanks for reply - all tasks were done. Here are details. Note issue is a search bar that connects to lop that launches about 15 minutes after first connection to internet - probably a remnant of a full lop infestation that came with messenger plus.

    system restore disabled.
    step 2 - items not found
    step 3 - already enabled
    step 4 - 4 trackers removed with ad-aware, nothing found with VX2 plug-in
    CC Cleaned - everything cleared - about 40 fixes - do I need to do all those?
    spybot - clean
    stinger 71856 clean files
    CW shredder - nothing
    Kill2me - nothing
    about:buster - nothing
    HSR remove nothing.

    Also Norton AV and A2 clear.

    Nothing obvious (to me or the on-line checkers) in Hijack this.

    Hope this is enough - I recognise you get time wasters - the infection is a pain as it streams adverts (although spyblaster may stop that?).

    Thanks again for any advice you can give.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an ATTACHMENT.
    All instructions are covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting


    Now post a Hijack This log as an ATTACHMENT to your message (Do NOT copy/paste the log into your post). Please close unnecessary running programs before you run HijackThis. You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc.

    DO NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  5. Bryen

    Bryen Private E-2

    Thanks Bjgarrick.
    Hijackthis 1.99 log file attached. 017 object line is a bit suspicious? I fixed it yesterday with Hijack this but it has come back. Of course it might be something I need - working at the limits of my knowledge.
    All help appreciated.
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log is clean! Other than this you pointed out.

    What problems are you currently experiencing?

    Do you know if this is part of your ISP?
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Bryen,

    Are you familiar with any of the below information regarding this O17 entry in HJT?

    80.225.252.186 = [ manc-cache-2.ns.uk.tiscali.com ]

    Registrant:
    Tiscali SpA (TISCALIS839)
    Piazza del Carmine 22
    09124 Cagliari
    IT
    Domain name: tiscali.com
    Technical contact:
    S.p.A. Tiscali (TS1029)
    Viale Trento 39
    Cagliari Cagliari
    IT
    techc@IT.TISCALI.COM
     
  8. Bryen

    Bryen Private E-2

    Bjgarrick
    Yes Tiscali is my ISP - so that entry is OK.
    Problem is that about 15 minutes after I go onto the internet an extra search bar launches at the top of the page that connects through to lop. It then starts to stream pop-ups, mainly for casinos and on-line universities. Occasionally it also adds a bar at the bottom of the screen that covers the last part of a web-site. It still comes with spyblaster loaded and enabled, but now if I click on one of the buttons I get a warning that it might not be a good place to connect to. I think this is left over from a full lop infestation that I got when my daughter downloaded messenger plus.
    Thanks for checking my hijack this log - any other thoughts welcome? I just can't understand why it launches after about 15 minutes - it doesn't seem to be web-site or search specific - it just pops up!
    Bryen
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  10. Bryen

    Bryen Private E-2

    Thanks - I was a bit worried about using something from lop itself - like trying to reply to unsubscribe on spam! But I gave it a try. Both downloads blocked by my security settings, with no obvious clue on how to change - do I make lop a trusted site??
    On firefox, can you point me to a simple user guide to install without messing up my ie browser or my internet connection etc. I've seen a lot on it being better than ie, but I stick to if it ain't broke don't fix it. - thanks for persevering.
    Bryen
    PS messenger plus uninstalled 2 months ago, and lop whittled back to popping up after 15 minutes by ad-aware, spybot & a2.
     
  11. RayDunne

    RayDunne Corporal

    I installed firefox and it didn't do anything to either IE or my connection. IE still works fine. The only thing you would want to do if you prefer IE is to not let Firefox make itself your default browser. Just check the box for "don't ask me this again" and click the NO button when it asks you if you want to make Firefox your default browser. That is if I understood your question correctly, if not, just disregard!
     
  12. Bryen

    Bryen Private E-2

    I know this isn't recommended but I've run hijack this with ie open and the lop tool bar present (given it pops up after 15 minutes it may be hidden away somewhere? & not visible to hijack this when ie is shutdown) The only difference I can see from earlier log (posted further back in thread) is the second RO line, ending "Page=" Is this normal or should I delete/fix it?

    Ray - thanks for giving me confidence in firefox - I will install tomorrow and then try lop.com downloads.
     


  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Never add anything to trusted sites. You will need Firefox to download the uninstallers.


    Firefox is a simple install, it will not affect IE or your internet connection.

    Download Mozilla Firefox 1.0.1
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.

    First:

    Open the Application Data folder located in C:\Documents and Settings.

    Note: Select your user account folder and locate the Application Data folder.

    The filenames of lop files can vary for each different installation, but usually under Windows there should not be any files inside Application Data (only folders), so it's generally easy to pick out the culprits.

    Second:

    Always make a backup of your registry just to be safe!

    Now, delete the following entries if you have them and they are not just blank:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Telephony\DomainName

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP\Domain

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Domain

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{...check all interfaces...}\Domain



    Third:


    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Fourth:

    Reboot and see if the problem still exists.
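
A read-only check of the locations named in the post above, as an added example that is not part of the original thread: it lists loose files sitting directly in Application Data and reports whether each of the four `Domain`/`DomainName` registry values is absent, blank, or set. Assumptions: PowerShell 3.0 or later (which postdates the thread), `$env:APPDATA` standing in for the Application Data folder, and the hypothetical helper name `Get-DomainValue`.

```powershell
# Added example: audits only, never deletes or modifies anything.

function Get-DomainValue {
    param([string]$KeyPath, [string]$ValueName)
    # Returns the value's data, or $null when the key or the value is absent.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    $prop = $props.PSObject.Properties[$ValueName]
    if ($prop) { return $prop.Value }
    return $null
}

# The three fixed locations from the post.
$targets = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Telephony'; Name = 'DomainName' },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\VxD\MSTCP';         Name = 'Domain' },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters';  Name = 'Domain' }
)

# "Check all interfaces": add one target per interface subkey.
$ifRoot = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
if (Test-Path -LiteralPath $ifRoot) {
    foreach ($k in Get-ChildItem -LiteralPath $ifRoot) {
        $targets += @{ Key = $k.PSPath; Name = 'Domain' }
    }
}

$report = foreach ($t in $targets) {
    $data = Get-DomainValue -KeyPath $t.Key -ValueName $t.Name
    $status = if ($null -eq $data) { 'absent' }
              elseif ([string]::IsNullOrWhiteSpace([string]$data)) { 'blank' }
              else { 'SET - review' }
    [pscustomobject]@{
        Key    = $t.Key -replace '^.*Registry::', ''   # strip provider prefix for display
        Value  = $t.Name
        Data   = $data
        Status = $status
    }
}
$report | Format-Table -AutoSize -Wrap

# Files (not folders) directly inside Application Data, hidden ones included.
Get-ChildItem -LiteralPath $env:APPDATA -File -Force -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime |
    Format-Table -AutoSize
```

A value reported as `SET - review` is not necessarily malicious: compare it against your ISP's or network's DNS suffix before removing it, and back up the registry first as the post advises.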
     
  15. Bryen

    Bryen Private E-2

    BJ
    Thanks for your help - firefox installed and lop uninstall programmes downloaded & run.
    then checked the registry - all those items were blank in data field except the "VxD" one which did not exist.
    Then reset the web settings - so far lop hasn't shown up - so fingers crossed.
    Thanks again.
    Bryen
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

