# Solved: Lop.com in Registry backup key



## ozegirl (Jun 21, 2003)

Spyhunter has detected lop.com in the following key:

HKCU\Software\Microsoft\Windows\Current Version\Backup

There are several values within the Backup key. I don't know which value it is. Can anyone help?

Win98SE OS - I have trial version only of Spyhunter so can't remove using it.


----------



## cybertech (Apr 16, 2002)

Spyhunter is on the rogue list so I would suggest removal and I will help you do that. This log should help us determine if you have a lop infection as well.

Create a *permanent folder* on your hard drive for Hijackthis, like My Documents\HJT
Click on this link: http://www.thespykiller.co.uk/files/HijackThis.exe and "Save" hijackthis to the folder you have created.

Double click on the program to run hijackthis, click "scan" then click on "Save Log".

Post a copy back here and someone will be happy to review it.

*Don't make any changes until instructed to do so.*


----------



## ozegirl (Jun 21, 2003)

Thanks - I had a funny feeling about Spyhunter as the problems appear to have gotten worse since using it.

Yesterday I got Win32.SillyDL.FV virus - VET picked it up & deleted it, but there was heaps of spyware junk left on the system, e.g. Sidefind, Webrebates amongst others. I removed them all with either Spybot or manually using HijackThis analysers as a guide. When I finished, I had lost all my desktop icons, the taskbar, and Explorer didn't work. When I rebooted a window came up to start installing Windows. I rebooted into safe mode and got the same sort of result.

At this stage I went into DOS and reinstated the registry from the previous day - hallelujah! I got an operating system back. All the entries in the registry for the spyware rubbish were gone - and I then finished off deleting the program folders for the "rubbish" not removed by uninstall. I then ran Spyhunter to do a check over the system and it found this lop.com in the registry (obviously it was still there from the day before), and a few files of sidewinder in the recycle bin and in the temp file, all of which I deleted.

Everything seems to be working OK now - except I would like to get rid of this lop.com in the key I mentioned before, and now it seems I should also uninstall Spyhunter. I await your instructions. Hijack log follows.

Logfile of HijackThis v1.99.1
Scan saved at 8:33:21 AM, on 8/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\VET\ISAFE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\VET\VETTRAY.EXE
C:\VET\VETMSG.EXE
C:\PROGRAM FILES\A4TECH\KEYBOARD\IKEYMAIN.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\NOKIA\NCLTOOLS\NCLTRAY.EXE
C:\PROGRAM FILES\NOKIA\NOKIA PC SUITE 5\DATALAYER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\COMMON FILES\NOKIA\SERVICES\SERVICELAYER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.fastfours.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by @Home Network - Version 1.7
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VetTray] C:\VET\VETTRAY.EXE
O4 - HKLM\..\Run: [Vet Alert] C:\VET\VETMSG.EXE
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4TECH\KEYBOARD\IKEYMAIN.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Vet\isafe.exe
O4 - Startup: AutoDownload.lnk = C:\Vet\AutoDown.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=www.viewpoint.com
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1uk.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab


----------



## cybertech (Apr 16, 2002)

*Run HJT again and put a check in the following:*

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...w.viewpoint.com

*Close all applications and browser windows before you click "fix checked".*

Restart in Safe Mode and delete the folder: c:\program files\Spyhunter if it's present.

I do not see any signs of lop infection.


----------



## ozegirl (Jun 21, 2003)

I did exactly as you said, except that I also emptied the recycle bin after deleting the Enigma Software folder which contains the Spyhunter folder.

Spyhunter is still listed on my Add/remove Programs list.

Is there further uninstall necessary? Win98SE OS.


----------



## ozegirl (Jun 21, 2003)

P.S. Should I for example also try the add/remove uninstall - and/or use Regcleaner to remove entries for Spyhunter from the registry?


----------



## ozegirl (Jun 21, 2003)

Well I just ran Ad-Aware (after already running Spybot) and it picked up 71 objects that Spybot didn't, including multiple entries for lop in the registry. Also some other nasties I recognised like CoolWebSearch. I have deleted all these.

I checked and there were no entries for Spyhunter in the software section of the registry and I just deleted Spyhunter from Add/remove programs as it came up as already being uninstalled, so I guess it's gone.

Here is my latest hijack this logfile. Do you think it's clean now?

Please note that I have another hijack this log thread going - BUT IT'S FOR A DIFFERENT COMPUTER.

Logfile of HijackThis v1.99.1
Scan saved at 12:24:31 PM, on 8/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\VET\ISAFE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\VET\VETTRAY.EXE
C:\VET\VETMSG.EXE
C:\PROGRAM FILES\A4TECH\KEYBOARD\IKEYMAIN.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\NOKIA\NCLTOOLS\NCLTRAY.EXE
C:\PROGRAM FILES\NOKIA\NOKIA PC SUITE 5\DATALAYER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\COMMON FILES\NOKIA\SERVICES\SERVICELAYER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.fastfours.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by @Home Network - Version 1.7
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VetTray] C:\VET\VETTRAY.EXE
O4 - HKLM\..\Run: [Vet Alert] C:\VET\VETMSG.EXE
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4TECH\KEYBOARD\IKEYMAIN.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Vet\isafe.exe
O4 - Startup: AutoDownload.lnk = C:\Vet\AutoDown.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1uk.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab


----------



## cybertech (Apr 16, 2002)

The log looks fine now.
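
A way to check the outcome of the "fix checked" step in this thread, as an added example that is not part of the original posts: parse two HijackThis logs into entry lines and diff them, so the removed entries and any new ones stand out. The function names and the entry-line regex are assumptions of this example; the sample text is a shortened excerpt of the two logs posted above.

```python
import re

# HijackThis entry lines have the form "<code> - <detail>", e.g. "O4 - HKLM\..\Run: [...]".
# Process paths and header lines do not match and are skipped.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.+?)\s*$")

def parse_entries(log_text):
    """Return the set of (section_code, detail) entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries

def diff_logs(before, after):
    """Return (removed, added): entries only in 'before' and only in 'after', sorted."""
    b, a = parse_entries(before), parse_entries(after)
    return sorted(b - a), sorted(a - b)

# Shortened excerpts of the two logs in this thread (not the full logs).
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.fastfours.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKLM\..\Run: [VetTray] C:\VET\VETTRAY.EXE
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=www.viewpoint.com
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
"""
AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.fastfours.com.au/
O4 - HKLM\..\Run: [VetTray] C:\VET\VETTRAY.EXE
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for code, detail in removed:
        print("removed:", code, "-", detail)
    for code, detail in added:
        print("ADDED:  ", code, "-", detail)  # a new autostart or BHO entry deserves a look
```

An empty "added" list together with exactly the checked entries in "removed" shows that the fix applied and nothing new registered itself between scans.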


----------



## ozegirl (Jun 21, 2003)

Thank you again for your help.


----------



## cybertech (Apr 16, 2002)

My pleasure!!



----------

