Aladdin Internet Cleanup keeps telling me I have lop.com spyware. Each time I delete it via Aladdin it just comes back. I also have Hijack This, but I cannot see anything that helps. I have trawled the internet and found lots of advice on what to do in regedit, but none that applies to anything I can find on my machine.

I have Windows XP. The Hijack This log is:

Logfile of HijackThis v1.98.0
Scan saved at 21:22:49, on 08/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Aladdin Systems\Internet Cleanup\icserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Aladdin Systems\Internet Cleanup\NetBlockadeMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Aladdin Systems\Internet Cleanup\Onictask.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Ian Pittaway\My Documents\programmes\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\PROGRA~1\ALADDI~1\INTERN~1\PopFiltr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\.. \Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\.. \Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\.. \Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\.. \Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\.. \Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\.. \Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\.. \Run: [nwiz] nwiz.exe /install
O4 - HKLM\.. \Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\.. \Run: [NBMonitor] "C:\Program Files\Aladdin Systems\Internet Cleanup\NetBlockadeMonitor.exe"
O4 - HKLM\.. \Run: [WinFSG] "C:\Program Files\Aladdin Systems\Internet Cleanup\MSFG.exe"
O4 - HKLM\.. \Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\.. \Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\.. \Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\.. \Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\.. \Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\.. \Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: IC Task Manager.lnk = C:\Program Files\Aladdin Systems\Internet Cleanup\Onictask.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

Please help!

I notice you have sbybot installed, I assume you've done a full scan with this.

I would also scan with Adaware and MS antispyware as I trust both of these programs. I would also do a scan in safe mode if the normal scan doesn't work(F5 on startup).

Ad-aware
http://www.download.com/3000-2144-10045910.html
Antispyware
http://www.microsoft.com/athome/secu...e/default.mspx

Sorry if this is obvious and you've tried it but worth mentioning!

Thanks, StuMegu, done that, but that pesky lop.com spyware just keeps returning. I've had this problem on and off for months. Thought I'd got rid of it and back it comes. Nothing I've found on the web helps. Aaaaggghhhh!

Hi,
Open RegEdit (click Start > Run, and type 'regedit').

Delete the following keys:

HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\explorer\browser helper objects\{d44b5436-b3e4-4595-b0e9-106690e70a58}
HKEY_USERS\s-1-5-21-796845957-842925246-1060284298-500\software\trinityayb

You might try the above, but BE CAREFUL when you edit the Registry.
Always shut down your computer first, then restart it before editing. By restarting the computer, it will save a good Registry. If you delete something you need, you can always press F8 at boot up, then select "Last known good configuration", to restore the registry.
You might or might not have the above registry keys, but check it out.
Best of luck,
fredg
PS; The suggestion of running Adaware and SpyBot in Safe mode, running each about 3 times in a row, before re-booting is a good one.

Fredg, thanks for the response. Safe mode threw nothing significant up and the items you suggested were not present in regedit. Any other suggestions, anyone? Tearing my hair out here.

I can't vouch for these sites, (backup important documents first) but you will know if you've already tried the answers below:


http://www.doxdesk.com/parasite/lop.html
http://www.onlinepcfix.com/spyware/Lop.htm
http://www.spyany.com/program/article_spy_rm_Lop.html
http://www.scanspyware.net/info/lop.htm
http://www.2-spyware.com/remove-lop.html
http://www.free-web-browsers.com/remove-lop.shtml

Good luck

That suggests to me that you might be getting rid of it, but that you keep returning to the site that installs it and get it back. You might want to use a real time anti-spyware utility like Microsoft's which block these things before they are installed.

Hi,
I doubt if you have gotten rid of it, so returning to the same site where you got it might not be true.
Here is a link:

http://www3.ca.com/securityadvisor/p....aspx?id=59266

It's rather a long listing of LOP spyware files, etc. If you have the time, you might print it out. Then use Start/Search (or Start/Find) and search for some of these files on your computer. If you find any, you can delete them, then keep them in the recycle bin until you are sure they are not needed elsewhere.
Also, the Microsoft Antispyware program might be good, haven't tried it.
I use Spyware Blaster 3.3, which is a free program, with weekly downloadable AntiSpyware definitions. It integrates these URL's, etc, into Internet Explorer or other browsers, into the Restricted Zones sites.
I have not had one issue after installing this great program.
http://www.javacoolsoftware.com/sbdownload.html

If I find anything else on the web that might help, I will post back. And I do wish you Good Luck!
fredg

I just tried the Microsoft Antispyware beta program on a friends computer, as he just wants to 'drive it' after I tune it. And it found at least 900 hidden 'questionable' programs, even in the 'registry' and gave recommendations, and let you choose to keep it or not. Also has a scale of the 'threat' value of the software/malware found. This impresses me and so far it works. The nice part about it are two features: 1. It has a 'restore point, in case you make a mistake' and 2. When running on automatic, even tells you that 'installation is allowed' when you install new software- so it even checks that. So I think, at this point that Microsoft is really trying to keep it's customers happy. You can always send in your complaints and/or issues as they also send random surveys to ask if you are satisfied with them.

Chery,

I've been using the Microsoft A/S for several months and I've been very pleased. It did catch a few things before they were installed. Dollar Bill has really gotten a black eye (deservedly so) for security lapses. He is definitely trying harder.

Amen, scott, Have you seen the review of the upcoming SP3 for Windows? Just took a peak at the article from the guy who worked on it on a contract basis for them. Printed out the article with permission, so anyone interested, let me know..

Got a link?

http://www.computerworld.com/newslet....html?nlid=OS2

Hope this works, I subscribed to Computer World, so I get weeklys. Keep me posted.

It worked, interesting, thanks.

Scott<>

Welcome. If I find any other subjects of interest will let you know. Thanks again for helping me, and am always happy to return the favor when I can.

I subscribe to a lot of interesting things and love to share then.

Chery,and Scott.Hi.Glad you found Ethan Allen's site 'The Hotfix'.I too have been going there since a few weeks of it opening.As it says,the guy used to be a Microsoft beta tester.His site contains a lot of useful stuff,and has forums,just like here :D
Nice to be back on Ask me help desk again,after my "weeks" of working nights at work :(

Hi Nez

I just joined Hotfix, found it through Computer World and find it really interesting. I just am getting used to forums and this one here is my 'new family'. Just love it and most of the people.