Unwanted Page (WXP)


saneef
03-31-2002, 06:20 AM
If the URL I typed in the Internet Explorer does not exist a page from http://lop.com comes automatically. The Internet Explorer's default "Page not found page" is not shown. How can I get out of this problem?

TonyKlein
03-31-2002, 09:37 AM
Lop.com's a true scourge.

Lop.com does offer two uninstallers, but, better still, download and install Ad-Aware (http://www.lurkhere.com/~nicefiles/aaw_57.exe).
This is a program which scans your system for spyware.
This latest version also detects and removes Lop.com.

Then have your drives and registry scanned for spyware, check all found files and reg keys, click continue, and have them removed.

Finally, reboot.

Good luck, Tony

saneef
04-01-2002, 04:22 PM
hi! tony

Ad aware worked well.
Lop.com was removed.

Thank you very much

Saneef

TonyKlein
04-01-2002, 04:23 PM
You're welcome.

Tony

mfurlong
04-07-2002, 02:14 AM
Running W98 w/ IE6 I'm running into a similar problem with namezero.com "hijacking" my page not found. I tried Ad-Aware but it did not remove this. I've looked at DLLs such as INET, INET16, WININET, etc. looking for an overlay with no success. And I've looked in the registry as well. Any ideas? Thanks! >>> Mike

reghakr
04-07-2002, 02:44 AM
mfurlong,

Have you checked the startup locations?

Back up the registry and/or export the following keys:
Go to Start>Run, type regedit. Navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Go to Start>Run, type sysedit. Look over the autoexec.bat for unnecessary lines, click the win.ini and check for programs loading here:
[windows]
load=
run=

Check the Start>Programs>Startup folder for shortcuts.

reghakr

mfurlong
04-07-2002, 02:58 AM
reghakr

Thanks for the reply! I had already checked the registry locations you mentioned and found nothing. How quickly we forget Windows 3.1/autoexec.bat/win.ini! However those were clean too. Before I was "infected" with this I seem to recall reading that a Winsock DLL was being replaced or the configuration modified in some way. As I remember, when IE gets a 404 returned and cannot resolve a page this DLL gets hit. Oh well I'll keep searching. I really do appreciate your time! Thanks! >>> Mike

TonyKlein
04-07-2002, 08:58 AM
There are a couple more registry entries to check in XP for unwanted startups:

1) Check the "shell" line in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The default value should be "Shell"="Explorer.exe"

If it says "shell=explorer.exe nasty.exe", edit it.

2) Check these subkeys:

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders

- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

Setting it to anything other than C:\windows\start menu\programs\startup will lead to execution of ALL and EVERY executable inside the set directory.

3) As in other operating systems, check for Registry Shell Spawning


[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="%1" %*
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="%1" %*
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="%1" %*
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="%1" %*
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="%1" %*

[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="%1" %*
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="%1" %*
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="%1" %*
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="%1" %*
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="%1" %*

The key should have a value of <"%1" %*>; if this is changed to <server.exe "%1 %*">, the server.exe is executed EVERY TIME an exe/pif/com/bat/hta is executed.

Cheers, Tony
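
Added example, not part of the original thread: a Python check that reads a regedit export in REGEDIT4 text form and reports any Winlogon "Shell" or shell\open\command default value that differs from the baselines given in the post above. The function names and the sample export are constructed for illustration; the altered values in the sample are the ones the post describes.

```python
import re

# Baselines quoted in the post above; registry names compare case-insensitively.
SPAWN_TYPES = {"exefile", "comfile", "batfile", "htafile", "piffile"}
SPAWN_OK = '"%1" %*'
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"

def _unquote(s):
    # Strip the outer quotes of a .reg string and undo its backslash escapes.
    return re.sub(r"\\(.)", r"\1", s[1:-1])

def parse_reg(text):
    """Parse REGEDIT4 export text into {key: {value_name: data}} (names lower-cased)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name, data = m.groups()
            name = name if name == "@" else _unquote(name).lower()
            current[name] = _unquote(data) if data.startswith('"') else data
    return keys

def audit(text):
    """Return (key, value_name, data) for every entry that differs from the baseline."""
    keys, findings = parse_reg(text), []
    for key, values in keys.items():
        m = re.search(r"\\(\w+)\\shell\\open\\command$", key)
        if m and m.group(1) in SPAWN_TYPES and values.get("@", SPAWN_OK).strip() != SPAWN_OK:
            findings.append((key, "@", values["@"]))
    shell = keys.get(WINLOGON, {}).get("shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append((WINLOGON, "shell", shell))
    return findings

# Constructed sample export, using the altered values the post describes.
SAMPLE = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="server.exe \"%1 %*\""
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe nasty.exe"
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Export the keys with regedit as the thread describes, then pass the file's text to audit(); an empty list means every checked value matches the baseline.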

reghakr
04-07-2002, 03:18 PM
Win98...right?

IE5/6 Homepage Rewrite
Back up the registry and/or export the following keys:
Go to Start>Run, type regedit.

Do a search in the registry for a key named restrictions under the HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer key and delete it. Then reboot your machine and add the key back and lock your homepage as described below.

Or search for the word policies and check the values for the number 1. The number 1 USUALLY indicates a restriction is in effect. Post back with your findings.

To prevent further problems,

Correct your home page to the one you prefer, then immediately do the following:

Back up the registry and/or export the following keys:
Go to Start>Run, type regedit. Navigate to:
HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\
Right-click on the Internet Explorer key, choose new>Key, name it Control Panel. Right-click on the Control Panel, choose new>DWORD value, name it Homepage. Right-click on Homepage, choose modify and type in the number 1.

This should lock your home page, so no other web site can change it.

Then navigate here and verify the homepage is correct:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
look for the Start Page entry.

===============================
To restore the "default" search settings:
Open Notepad and copy and paste the following between the lines and save the file as searchfix.reg. Double-click on the file to merge the contents into the registry.
=============BEGINCUT============

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
"Provider"="yaho"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
==============ENDCUT==============

If you see a SearchBar entry under [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main], delete it.

reghakr

TonyKlein
04-07-2002, 03:32 PM
In reply to: "Win98...right?"

Sorry: I only paid attention to the operating system mentioned in Saneef's original post, which was XP.

However, the remarks about the Shell Folders, User Shell Folders, and Stub path entries certainly go for Win98 as well, and they're worth examining.

mfurlong
04-07-2002, 10:11 PM
Tony & reghakr
Thanks for your replies. It took me a little while to work through all your materials. However, no luck! This is a most persistent problem! I have an identical un-infected machine so I copied all the Internet and Winsock related files (DLLs, VXDs, etc.) to the infected machine and still no luck. I was hopeful that might work based on your info. regarding the registry keys that control execution (especially the hta). It seems that a couple of DLLs SHDOCLC.DLL and SHDOCVW.DLL are hit when a 404 is returned. If you look inside these DLLs with a resource editor you can see the template for the 404 error page, but somehow they must be bypassed by this virus website. FYI...reghakr... my home page is okay. What's happening is that in a "page (website) not found" condition my browser is being redirected to namezero.com. I appreciate all your help and I will continue to research as well. I'm on a mission to eliminate this problem. Thanks! >>> Mike

Mosaic1
04-07-2002, 10:20 PM
How about using a HOSTS file. Here's a Download and an explanation. You can add this address to it and see if that rids you of this problem.

http://accs-net.com/hosts/get_hosts.html

mfurlong
04-20-2002, 07:41 PM
Sorry so long in replying -- we were on vacation. I'll take a look at this, although putting an entry in the hosts file is masking the symptoms rather than eliminating the problem. There's a similar way to mask the problem that I've used called Proxomitron. It's an interceptor that will filter TCP/IP traffic to remove ads, JavaScript, etc. It has a list of adservers, click trackers, etc. that it will just remove from the HTML before your browser gets it. Thanks for your time on this problem!

>>> Mike

billydee
04-22-2002, 07:09 AM
The problem may actually be in the hosts file.

Hosts Alert! (http://www.radsoft.net/news/20011101,01.html)


This advice is free.
You might only get what you paid for.
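
Added example, not part of the original thread: a Python check that separates the two kinds of HOSTS entry discussed above, names pinned to a loopback or null address (the blocking use) and names pinned to some other address (the case where the HOSTS file itself is the problem). The function name and the sample file are constructed; 192.0.2.10 is a documentation address and search.example a placeholder name.

```python
import ipaddress

def audit_hosts(text):
    """Classify HOSTS entries as 'blocked' (loopback or 0.0.0.0),
    'redirected' (any other address) or 'malformed' (no valid address)."""
    report = {"blocked": [], "redirected": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            report["malformed"].append((lineno, raw.strip()))
            continue
        sink = addr.is_loopback or addr.is_unspecified
        for name in fields[1:]:
            name = name.lower()
            if name == "localhost":             # the standard entry, not a finding
                continue
            bucket = "blocked" if sink else "redirected"
            report[bucket].append((lineno, name, str(addr)))
    return report

# Constructed sample HOSTS file.
SAMPLE = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       namezero.com www.namezero.com   # block entry, as suggested above
192.0.2.10      search.example                  # name pinned to a foreign address
not-an-ip       broken.example
"""

if __name__ == "__main__":
    for bucket, entries in audit_hosts(SAMPLE).items():
        print(bucket, entries)
```

Entries under "redirected" are the ones to review by hand: each sends a name to an address chosen by whoever wrote the line.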

gangsta
04-24-2002, 01:57 AM
billydee,

They have removed the file? What to do?

When I try to dl Hosts Alert I get this message:

"Unfortunately the file you are looking for is no longer available. To subscribe to Extreme Power Tools, click here"

billydee
04-24-2002, 08:08 AM
Sorry gangsta, I did not know the download was no longer available.
I can email it to you in a zip file if you like. It is only 5KB.

Go to the page suggested in an earlier post for more info on Hosts files.

What is the Hosts file? (http://www.accs-net.com/hosts/what_is_hosts.html)

