lop.com infection...maybe a new BHO found?



#1 ladydarke

Posted 29 June 2004 - 06:23 AM

Hello,

I seem to have a lop.com infection, in that whenever I type a search into the IE searchbar, I get the lop page. Also, whenever I start my computer, my homepage is changed to an amazingautosearch portal. (though, happily Spybot and Spysweeper catch this.)

I have read the FAQ, have run an updated Spybot S&D, and still have this problem. I also have Ad-aware 6 and Spysweeper. I have tried running Tom's cleanall. I have run Hijack This, and gone over Mike Healan's list of steps. In accordance with this, I was checking BHOs from Hijack This log files against the list you kindly provide, and there is one which I can't seem to match. Mike Healan asks that we post if this happens.

I wonder if great hold.dll could be the problem? If not, I would appreciate it very much if someone could help me with this persistent problem. I am including the hijack this log file below.

Thank you for your time and trouble.

Logfile of HijackThis v1.97.7
Scan saved at 7:38:52 AM, on 6/29/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LEXMARKX84-X85\ACMONITOR_X84-X85.EXE
C:\PROGRAM FILES\LEXMARKX84-X85\ACBTNMGR_X84-X85.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\OPEN TEST POKE\LESSDRAW.EXE
C:\PROGRAM FILES\DESKTOP ARCHITECT\DATRAY.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bravenet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bravenet.com
F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {982210CF-E0A5-79FB-0114-C523286C9568} - C:\PROGRAM FILES\INTER ISO BOOK\GREAT HOLD.DLL
O2 - BHO: (no name) - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\PROGRAM FILES\SURFAPPS.COM\POPTHIS! FREE VERSION\POPTHIS.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [ownsthe] C:\PROGRA~1\Open test poke\lessdraw.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" +c
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Desktop Architect] "C:\PROGRAM FILES\DESKTOP ARCHITECT\DATRAY.EXE" -S
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra 'Tools' menuitem: PopThis! Options... (HKLM)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
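
The check described in this post, matching each O2 (BHO) entry of a HijackThis log against a reference list and reporting the ones with no match, as a short Python sketch. This is an added example, not part of the original thread; `REFERENCE_BHOS` is a constructed stand-in, not the forum's actual BHO list, and the function names are hypothetical.

```python
import re

# O2 line layout in a HijackThis log: "O2 - BHO: <name> - {CLSID} - <file path>"
O2_RE = re.compile(
    r"^O2 - BHO:\s*(?P<name>.*?)\s*-\s*"
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
    r"\s*-\s*(?P<path>.+?)\s*$"
)

# Constructed reference list (assumption): the three CLSIDs from the posted
# log that can be matched, standing in for a real known-BHO list.
REFERENCE_BHOS = {
    "06849E9F-C8D7-4D59-B87D-784B7D6BE0B3",
    "0549E6CB-9985-42F6-8FD6-4EC017E6AAE1",
    "53707962-6F74-2D53-2644-206D7942484F",
}

# Lines copied from the log above; the O4 line shows non-BHO entries are skipped.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {982210CF-E0A5-79FB-0114-C523286C9568} - C:\PROGRAM FILES\INTER ISO BOOK\GREAT HOLD.DLL
O2 - BHO: (no name) - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\PROGRAM FILES\SURFAPPS.COM\POPTHIS! FREE VERSION\POPTHIS.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ownsthe] C:\PROGRA~1\Open test poke\lessdraw.exe
"""


def parse_bhos(log_text):
    """Return (name, clsid, path) for every O2 line; the CLSID is upper-cased."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append((m["name"], m["clsid"].upper(), m["path"]))
    return entries


def unmatched_bhos(log_text, reference=REFERENCE_BHOS):
    """Return the BHO entries whose CLSID is absent from the reference list."""
    known = {clsid.upper() for clsid in reference}
    return [entry for entry in parse_bhos(log_text) if entry[1] not in known]


if __name__ == "__main__":
    for name, clsid, path in unmatched_bhos(SAMPLE_LOG):
        print(f"no match: {{{clsid}}} {path}")
```

An unmatched CLSID only means the entry is not in the list being used; it still needs the manual review the poster asks for.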

#2 dave38

Posted 29 June 2004 - 03:46 PM

LOP it is! You were certainly on the right track.

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.


O2 - BHO: (no name) - {982210CF-E0A5-79FB-0114-C523286C9568} - C:\PROGRAM FILES\INTER ISO BOOK\GREAT HOLD.DLL

O4 - HKLM\..\Run: [ownsthe] C:\PROGRA~1\Open test poke\lessdraw.exe

Reboot and delete folders:
C:\PROGRAM FILES\INTER ISO BOOK
C:\PROGRAM FILES\Open test poke

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!

#3 ladydarke

Posted 30 June 2004 - 06:52 AM

Hello dave38!

I was very happy to get your response so promptly. Thank you. :love:

I have implemented the fixes that you suggested, and it certainly seems to have made some headway. I'm not getting hijacked to amazingautosearch on start up. My IE search bar no longer redirects to lop.com, but it doesn't appear to run functional searches, either. If I type in a complete URL, I go there fine. But if I try to enter search words, the msn autosearch opens, but only brings up a page not found message. (I searched for stuff like Toronto. Something would be found!)

Also, Internet Explorer is crashing a lot. This came along with the infection, but I'd rather assumed it would go away with the infection. Interestingly, it crashes consistently on the same pages. For example, hotmail just after the inbox is found, and www.bravenet.com counter stats. Other sites (like this one) are fine.

Are these related to the infection, do you think?

#4 dave38

Posted 30 June 2004 - 04:20 PM

Your problems could have been caused by the infestation. Post another Hijack this log, in case something was missed.