
MSN MESSENGER + Addon has built in LOP.com adware/IE hijacker

Discussion in 'Malware and Virus Removal Archive' started by Dez Bradley, 2004/11/19.

Thread Status:
Not open for further replies.
  1. 2004/11/19
    Dez Bradley

    Dez Bradley Inactive Thread Starter

    Joined:
    2004/10/11
    Messages:
    246
    Likes Received:
    0
    Avoid an MSN Messenger add-on called Patchou's MSN Messenger Plus of any version. It has a very hard-to-remove adware threat variant of LOP.com packaged with it. It hijacks your home page and adds a hard-to-remove toolbar in IE. The variant I am dealing with as I speak uses searchweb2.com as the hijacked home page.

    When I successfully remove this from my client's PC I have here, I shall put how I did it here. I am still battling it as I write this. I only know the cause so far, not the cure. Keep you posted.
     
    Last edited: 2004/11/19
  2. 2004/11/19
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi

    After Messenger Plus has been uninstalled,
    go to Add/Remove Programs, find:
    "Window Search" or "winactive" and uninstall it.
    (You will be asked to insert a code as shown on
    your screen; do so and proceed!)
    Reboot to complete!

    If it's not listed in Add/Remove, run this uninstaller:
    http://lop.com/new_uninstall.exe
    And reboot.

    Or from here >Lop uninstaller
    http://members.rogers.com/rjmac/new_uninstall.exe

    If the PC has multiple profiles you might need to run the uninstaller in each.
     


  4. 2004/11/19
    Dez Bradley

    Dez Bradley Inactive Thread Starter

    Joined:
    2004/10/11
    Messages:
    246
    Likes Received:
    0
    Searchweb2.com removed

    OK, I nailed the sucker. :D

    Not sure if your way works or not, Lonny; I got it before I read your reply, which was fast. Thanks.

    I did this, as most of the threads I saw on the net about this were ambiguous, even to me.

    Most of these steps could be taken to remove many different adware threats.

    1) I uninstalled Messenger Plus via Add/Remove Programs
    2) I started the PC in Safe Mode
    3) I manually went to the following folders (in ALL profiles) and
    deleted EVERYTHING under/inside them, files AND folders:

    C:\Documents and Settings\[Profile Name]\Local Settings\Temp

    C:\Documents and Settings\[Profile Name]\Local Settings\Temporary Internet Files

    C:\Windows\Temp

    4) I also had to delete various folders in ALL profiles under the following locations, which are the guts of the malware.

    C:\Documents and Settings\[Profile Name]\Application Data

    C:\Documents and Settings\[Profile Name]\Local Settings\Application Data

    The folders I had to remove from these folders had weird names that were obvious to me to remove. For example, I had a folder in both above locations called "Dent Ace Funk" and one called "Bin Locks ". Inside these folders were many files with the strangest names you ever saw.

    It is my understanding that the weird names I mentioned above may vary for everyone and they are random names. Just look for unusual names. If unsure, post the names of the folders you have in these locations here and I will tell you if they are OK.

    5) Still in Safe Mode, I ran HijackThis and removed any and all suspect-looking entries, and for good measure ran Spybot as well.

    6) Empty the Recycle Bin and create a new System Restore point. Reboot in normal mode.

    ----------------------------------------------------------------------
    I had tried a few things by themselves as cures early on that didn't work unless combined with all the other steps above. The sucker regenerates very quickly. You need to bombard it all at once or it comes back. Throw everything at it, lol.

    When I first ran Spybot by itself, while the PC was still infected, it found LOP.com, which this adware is a variant of, but failed to remove it properly. Yes, I had it updated. Maybe future updates will cover the problem so you won't have to do all this.

    I had also run HijackThis by itself to fix it, and the entries regenerated with new names. Norton Internet Security didn't detect it at all yet.

    This problem is very widespread and BBS boards everywhere have many threads on it, and few who know how to fix it. Hope they find this place; I am too busy to post the cure at all those.
     
    Last edited: 2004/11/19
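
The folder review in step 4 of the post above, as an added example that is not part of the original thread: it lists unrecognised folders under both Application Data locations in every profile and notes the two signs the post mentions (random-word names, the same name in both locations). The `KNOWN` list, the `WORDY` pattern and the sample profile tree are assumptions constructed for illustration; the script only reports and deletes nothing.

```python
import re
import tempfile
from pathlib import Path

# The two per-profile locations named in step 4 of the post.
LOCATIONS = ("Application Data", "Local Settings/Application Data")
# Assumption: folders the reviewer already recognises; extend per machine.
KNOWN = {"microsoft", "identities", "adobe", "mozilla"}
# Assumption: two to four short capitalised words, like "Dent Ace Funk".
WORDY = re.compile(r"^[A-Z][a-z]{1,7}( [A-Z][a-z]{1,7}){1,3}$")

def review_profiles(profiles_root):
    """List unrecognised folders per profile; nothing is deleted."""
    findings = []
    for profile in sorted(p for p in Path(profiles_root).iterdir() if p.is_dir()):
        seen = {}  # folder name -> locations it appears in
        for loc in LOCATIONS:
            base = profile / loc
            if not base.is_dir():
                continue
            for entry in base.iterdir():
                name = entry.name.strip()
                if entry.is_dir() and name.lower() not in KNOWN:
                    seen.setdefault(name, []).append(loc)
        for name in sorted(seen):
            reasons = []
            if WORDY.match(name):
                reasons.append("random-word name")
            if len(seen[name]) == len(LOCATIONS):
                reasons.append("present in both locations")
            findings.append((profile.name, name, reasons or ["unrecognised"]))
    return findings

def demo():
    """Run the review over a constructed profile tree (sample data)."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "Alice": {LOCATIONS[0]: ["Microsoft", "Dent Ace Funk", "Bin Locks"],
                      LOCATIONS[1]: ["Microsoft", "Dent Ace Funk"]},
            "Bob": {LOCATIONS[0]: ["Microsoft", "Adobe", "WinZip"]},
        }
        for profile, locs in layout.items():
            for loc, names in locs.items():
                for name in names:
                    (Path(root) / profile / loc / name).mkdir(parents=True)
        return review_profiles(root)

if __name__ == "__main__":
    for profile, name, reasons in demo():
        print(f"{profile}: {name!r} -> {', '.join(reasons)}")
```

On a real machine, pass the profiles root (`C:\Documents and Settings` on the system described in the thread) to `review_profiles` and check each reported folder by hand before removing anything.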