lop.com

Discussion in 'adware, spyware & hijack cleaning' started by beed, Feb 22, 2004.

Thread Status:
Not open for further replies.
  1. beed

    beed Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    3
    I've been infected with lop.com and I already tried to clean up my PC.
    My start page is http://netsearchsoft.com/? When I changed the start page, the next tile I start IE it is again http://netsearchsoft.com/.

    Somebody can help me

    Thanks in advance


    Beed
     
  2. LonnyRJones

    LonnyRJones Spyware Expert

    Joined:
    Apr 3, 2003
    Posts:
    61
    Sure they can
    But first Please fallow the three steps
    If you've already used adaware and spybot say so when you post a hijackthis log
    http://www.wilderssecurity.com/showthread.php?t=15913

    Regards
    Lonny
     
  3. beed

    beed Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    3
    See attachments

    regards
     

    Attached Files:

  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi beed,

    Before you start please unzip hijackthis.exe to a folder of it´s own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = netsearchsoft.com

    F1 - win.ini: run=c:\windows\system32\unldr16.exe

    O2 - BHO: (no name) - {4377C019-BE37-2EB1-E79F-7BCD57A98F3E} - C:\PROGRA~1\FORKEE~1\globaldent.dll

    O3 - Toolbar: Bias bib defy - {40738A3E-9B6C-99AA-A565-2BB6AF651292} - C:\PROGRA~1\FORKEE~1\globaldent.dll

    O4 - HKLM\..\Run: [Idecntl] c:\windows\system32\idecntl.exe

    O4 - HKLM\..\Run: [Cddrv32] c:\windows\system32\cddrv32.exe

    O4 - HKCU\..\Run: [Dvraudio] c:\windows\system32\dvraudio.exe
    O4 - HKCU\..\Run: [Unldr16] c:\windows\system32\unldr16.exe
    O4 - HKCU\..\Run: [Idecntl] c:\windows\system32\idecntl.exe

    O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.7adpower.com/dialer/A091103.exe

    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_1029_XP.cab
    O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://www.oyunfabrikasi.com/be/2/058898be.exe

    Then reboot.

    Could you please zip up:
    c:\windows\system32\idecntl.exe
    c:\windows\system32\cddrv32.exe
    c:\windows\system32\dvraudio.exe
    c:\windows\system32\unldr16.exe
    and mail them to the address in my profile please?

    Regards,

    Pieter
     
  5. beed

    beed Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    3
    Thanks for the information

    I did what you said, but I forgot to keep the exe pgm (sorry)

    Unfortunately, the start page still to be - http://netsearchsoft.com/
     

    Attached Files:

  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi beed,

    Try something for me.
    Fix these:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = netsearchsoft.com

    O4 - HKLM\..\Run: [anti type] C:\PROGRA~1\Blahref\coal bash.exe

    Then reboot.
    If that works I would appreciate a copy of:
    C:\PROGRAM FILES\Blahref\coal bash.exe
    at the address in my profile.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.