Lop.com is an unwelcome parasite that I can not remove

Discussion in 'Malware Help (A Specialist Will Reply)' started by Bill K, Apr 20, 2005.

  1. Bill K

    Bill K Private E-2

    I have been trying to remove Lop.com from my Wife’s home computer for three months without success. I am a knowledgeable computer user, self-taught from the DOS days, who likes to solve computer problems for others, but the Lop.com adware program has me stumped.

    We are running Windows XP Home Edition with SP2, and all current security updates are installed. The Lop toolbars and redirection tricks occur in Outlook 2003 which I installed as a part of Office 2003 Professional for which I routinely install security updates.

    I started by trying the most common solutions: Ad-Aware SE, Spybot-Search and Destroy and Norton Antivirus, all of which I ran in Normal Mode and Safe Mode after disabling System Restore. I then tried Giant Antispyware and Webroot SpyBlaster without success. I tried to manually remove Lop.com by following the instructions on the Symantec web site and followed the directions provided in Lop.com removal threads in the support forums on the Lavasoft website for Ad-Aware SE. Reluctantly, I even downloaded the uninstaller that C2 Media makes available on its website, but it simply removes the toolbars from the current Windows session. Rebooting brings Lop.com back in all of its horrible glory.

    Having tried all of these approaches without success, I feel that I am not wasting the time of the Major Geeks without first exhausting all of my other ideas. I have read and carefully followed all four of the steps in the Sticky thread "READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal". After performing online scans with Trend Micro’s Free Online Virus Scan, Symantec Security Check and McAfee AVERT Stinger (in Safe Mode), I ran the following programs in safe mode three times after closing all open browsers and applications, rebooting to Safe Mode each time: CCleaner, Ad-Aware SE with the Ad-Aware VX2 Cleaner Plug-In, Spybot with the DSO Exploit patch; CWShredder (selecting Fix), and Kill2me. I also ran about:Buster and HSRemove twice even though I don’t believe I have the HomeSearchAssistant hijacks.

    I consider the recommendations in this Sticky thread to be an outstanding formula for removing malware, but the Lop.com toolbar returned the first time I rebooted to Normal Mode. As you can probably detect from the tone of this message, I have devoted far too many hours to eradicating this unwelcome parasite. Since my Wife uses this computer to manage her private studio, she is pressuring me to reformat the hard disk, but I know there must be a better way. Could you please help us?

    Bill
     
  2. Oldman

    Oldman Private First Class

  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  4. Bill K

    Bill K Private E-2

    As suggested, I downloaded HijackThis 1.99.1, unzipped HijackThis.exe into a folder named C:\Program Files\HJT from where I ran HijackThis.

    I believe that my web browser, e-mail client, instant messenger and all applications were all closed before I ran HijackThis.exe, but I am sure you can tell me if I inadvertently left something open. I have attached my log to this message and certainly hope that someone can help me eliminate this pest.

    I have also read the thread "NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting". I am studying the tutorial to learn as much as I can about this powerful tool.

    I will really appreciate help eliminating this parasite because I have spent dozens of hours trying to eradicate it without success.

    Thank you.
     

    Attached Files:

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you familiar with WinTV?


    Be sure you close ALL browsers, you had 2 instances running.

    Scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;
    (If you need this, leave it as is)

    O2 - BHO: (no name) - {96AEAE4C-A56B-F5BE-0D5D-0B58F835B83B} - (no file)
    O2 - BHO: (no name) - {CD6D5BEA-38B5-F1E6-5B64-10BE3CE020F7} - (no file)

    O4 - HKLM\..\Run: [filedrawmeowpop] C:\Documents and Settings\All Users\Application Data\Face comp file draw\atom sixth.exe
    O4 - HKLM\..\Run: [Chin Bold Extra Idol] C:\Documents and Settings\All Users\Application Data\EachTransChinBold\Stop Mp3.exe

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    Make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Documents and Settings\All Users\Application Data\Face comp file draw ←–– Delete this whole folder if it exists!

    C:\Documents and Settings\All Users\Application Data\EachTransChinBold ←–– Delete this whole folder if it exists!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows, Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
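
The triage applied to the log in the post above, written out as an added example (not part of the thread and not HijackThis's own code): a small parser that flags registrations whose target is `(no file)`, `Run` entries that start a program from an `Application Data` folder, and the proxy override to confirm. The function names and the `ExampleUpdater` line are assumptions made for illustration.

```python
import re

# Entries quoted in the post above, plus one constructed benign line
# (ExampleUpdater is made up for contrast).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;
O2 - BHO: (no name) - {96AEAE4C-A56B-F5BE-0D5D-0B58F835B83B} - (no file)
O4 - HKLM\..\Run: [filedrawmeowpop] C:\Documents and Settings\All Users\Application Data\Face comp file draw\atom sixth.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# "<section code> - <rest of entry>", e.g. "O4 - HKLM\..\Run: [name] path"
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Body of an O4 registry autostart entry: hive, key, value name, command
RUN_RE = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)


def parse(log):
    """Yield (section_code, body) for every line that looks like a log entry."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m["code"], m["body"]


def review(log):
    """Return (code, reason, body) for entries that deserve a manual look."""
    findings = []
    for code, body in parse(log):
        if code in ("O2", "O3", "O9") and body.endswith("(no file)"):
            findings.append((code, "registration left behind, target file missing", body))
        elif code == "O4":
            run = RUN_RE.match(body)
            if run and "\\application data\\" in run["cmd"].lower():
                findings.append((code, "autostart from an Application Data folder", body))
        elif code == "R1" and "ProxyOverride" in body:
            findings.append((code, "proxy setting, confirm it is intentional", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in review(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```

A flag here is a prompt for review rather than a verdict: the `R1` entry in this thread was left in place once its purpose was understood.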
     
  6. Bill K

    Bill K Private E-2

    BJGarrick,

    I thank you for your efforts to help me eliminate lop.com from our computer. After following the directions in your earlier message, the Lop toolbars in the Internet Explorer window are gone, and I have not seen the frequent ads that haunted us in the past. I am cautiously optimistic that we have eliminated this horrible parasite, but I won’t be convinced until we do not see the toolbars or popups for several days.

    I provide the following responses to the comments, questions and directions in your email. I am sorry that I left browsers open when I ran HijackThis the first time because I thought that I had closed all applications. This time I ran HijackThis in Normal Windows Mode, as you requested, before connecting to the Internet. I also used Task Manager to confirm there were no open applications.

    WinTV is an application that we use to open a window on the monitor for Satellite TV. We could easily live without this software if you believe that it serves as a conduit for malware, but I doubt that it contributed to the problems we have been experiencing.

    You suggested that I could leave the following entry if I needed it, “R1 – HKCU\Software\Microsoft\Windows\Current Version\Internet Settings, ProxyOverride = 127.0.0.1”. I think this entry may relate to the tunnel that I needed to create through Norton Personal Firewall to access computers on my home network. Does this sound like a reasonable explanation to you?

    The only problem that I experienced when following your directions is that there was no “Run” command when I went to “Start” after running CCleaner. Therefore, I went to “Command Prompt” and ran “cleanmgr” after confirming that I had selected “Temporary Files”, “Temporary Internet Files”, and “Recycle Bin”.

    Since I have read that lop.com is sometimes introduced to computers when Microsoft Messenger is installed, should I be concerned with item “O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} –C:\Program Files\Messenger\msmsgs.exe” or the following entry?

    I have attached the log I created by running HijackThis in Normal Mode after carefully following all of the directions in your earlier email. I do not see the offending entries that you suggested I delete, but please advise me if you see any other suspicious entries that I should delete.

    I wish to thank you again for the time that you have devoted to helping me solve this persistent problem that has made our lives miserable for several months.

    Bill K.
     

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Leave it as is.

    It should be ok, just leave it as is to avoid any problems.

    No, this entry is legit!

    What you read was most likely referring to Messenger Plus! 3 which is a cause for this and many more baddies!

    NOW:
    Scan with Hijack This and have it fix this entry:

    O15 - Trusted Zone: http://*.windowsupdate.com

    After you remove this entry, you will be clean!

    Are you having any further problems?
     
