Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice

[Resolved] LOP: Making sure it's really all gone?

6947 Views 15 Replies 6 Participants Last post by  Topkat
When I woke up and turned my computer on this morning I was greeted by 10 new icons, and a little win-xp style menu bar. "Hmmm I thought... this can't be good." As it turns out, my sister (who has been told countless times not to download ANYTHING) had managed to download the LOP spyware ( It seemed to trick my sister into believing she was downloading some new great mp3 finding software.
Anyway, this sent me on a quest for removal of this new LOP beast. Here is what I have done so far:
1) Opened Zone Alarm and disabled all the dodgy programs I could find. (ADGKNQ.exe, Download.exe, Kuy1.exe, Winactive.exe)
2) I updated Spybot and did a scan. Ahh nice... 40 or so new problems to fix. So I fixed them then rebooted.
3) Downloaded Ad-Aware 6, updated it and gave it a go. Ahh even better another 40 items. I deleted them and rebooted.
4) Ran Regcleaner 4.3, removed all old entries.
5) Then seeing as I was still getting a advertising window at the bottom of IE, I searched the web looking for more information. Then I remembered I good old Hijack This (which I used the last time my sister downloaded something).
6) Ran Hijack This and deleted:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank
O2 - BHO: (no name) - {4ada0832-a920-48f1-bb4a-ec201390468e} - C:\DOCUME~1\JAMES\APPLIC~1\poolyshgstea.dll
7) I headed to LadyBugSoft and found a plug-in for Internet Sweeper Pro. So I gave it a shot. It seemed to run some sort of uninstaller (which needed to connect to the internet to remove). That seemed scary to me, but I ran it anyway.
8) More internet searching. Found that provide their own uninstaller for lop. It all screamed dodgy at me, and I read 4 reports of the file actually being a trojan. So I steered clear of the 'official' option.
9) Ran StartMan and made sure all the dodgy programs were disabled.
10) Deleted the winactive folder in Program Files
11) Ran Vet (CA anti-virus) just for good measure.

Now I'm unsure what to do next. I really want to make sure this little program is gone for good. Have I missed anything crucial? The thing that is most worrying me is the ad-bar at the bottom of IE. It was removed fine after deleting the 4 entries in Hijack This. But is it still stored on my computer somewhere and I've simply disabled it from being shown in IE?
Any tips or suggestions for what else might still be left behind?
Here is my Hijack This log just to make sure I removed everything I needed to:
StartupList report, 29/09/2003, 12:13:33 PM
StartupList version: 1.52
Started from : C:\Downloads\hijackthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options

Running processes:

C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Internet Explorer\iexplore.exe


Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe


Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,


Autorun entries from Registry:

AME_CSA = rundll32 amecsa.cpl,RUN_DLL
VetTray = C:\Vet\VetTray.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
MessengerPlus2 = "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
FinePrint Dispatcher v5 = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe


Autorun entries from Registry:

CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe


Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*


Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx


Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

End of report, 4,499 bytes
Report generated in 0.070 seconds

Thanks for taking the time to read all this. Any suggestions are welcome. And I hope this has been a good lesson for everyone, never ever let your sister download a single file from the internet.;) Or it might just be the dreaded LOP spyware.
See less See more
Not open for further replies.
1 - 16 of 16 Posts
Oh of course, silly me.:) I will post it as soon as I get the chance. Thanks Rollin' Rog.:)
Logfile of HijackThis v1.97.2
Scan saved at 8:41:44 PM, on 29/09/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DFC9C4B-5963-4876-A843-E55CBEF5785E}: NameServer =
See less See more
That's a clean log, but check your favorites. I'm not sure about the Windows active variant, but the old ones added some folders to your favorites.

For Ad-aware 6 please use BUILD 181 and the latest reference file , to update the reference file click on the globe icon in AA6.

Set it up according to these instructions: AA6 Setup
In Hijack This, check ALL of the following items.
Next, close all browser Windows, and have HT fix all checked.

O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"

IF you are running ME or XP Disable SYSTEM RESTORE : How to disable or enable System Restore in Windows ME

How to disable or enable System Restore in Windows XP

Next reboot into Safe Mode and remove the following files and folders that are bolded

C:\Program Files\Messenger Plus! 2\MsgPlus.exe

See here for how to start in safe mode if you don't know how.

Reboot into normal mode.

Before you re-enable system restore I would strongly recommend that you do an online virus scan at least one and preferably 2 of the following sites:

RE-ENABLE SYSTEM RESTORE and create a NEW restore point

Now download Spybot - Search & Destroy (if you haven't got the program installed already)

After installing, first press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED


Last, run HJT again and post your log again to see if anything was missed.

See less See more
This is what pacs-portal has to say about Messenger Plus! 2

MsgPlus.exe Third party MSN Messenger extension that hides banner ads and adds archiving and other useful features. Appears not to work unless checked, but may be activated after startup. Not recommended as it includes - see here
Nitehawk: I don't believe that msgplus.exe is spyware. When you install Messenger Plus 2 it has an option of whether or not to install the 'sponsor' program. Which I'm guessing is according to that spyware info article. I've had msgplus.exe on here for a long time with no problems. It was a different download (by my sister from an mp3 site) which included Or have I been fooled, and infact Messenger Plus always includes regardless of my choice in the installation?

normmork: Yep Yep, thankyou. I had already done that, but I'm sure many people don't realise you can update the program. I guess they just assume the latest download is the latest version.

Metallica: Yes, you are right. My favourites were 3 times as long as before. And mostly filled with 'adult entertainment' links. Surely it is illegal for to install such favourites on someone's computer without checking the user's age? My sister who installed (by accident) certainly isn't of a legal age to view such material. But anyway, it's all gone now. :)

Thanks everyone for your help. Thankyou especially nitehawk for that revelation on msgplus. I'm kind of shocked about that, as patchou has always been a 'top bloke' in my opinion. But if the spyware is automatically installed with msgplus with no choice given.... then I'm not so sure anymore.
See less See more
Actually Tony Klein pointed out to me after I made that post that the LOP component of Messenger Plus 2 can be removed and the base program be kept. In your case, that's been done, so you can hang onto Messenger Plus 2.

Sorry for the confusion, I was going with the best knowledge I had at the time.
That's quite alright. As long as I don't have LOP, I'm happy:). Thanks once again for your help.
Originally posted by NiteHawk:
Actually Tony Klein pointed out to me after I made that post that the LOP component of Messenger Plus 2 can be removed and the base program be kept.
How's that then? Can you just fix the following in HT?
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"

Does it mean a fresh install of messenger plus 2 ensuring not to select the install option, as AtreideS has done?
I was also under the (mistaken, it seems) impression that uninstalling completely (as NiteHawk indicates) was necessary.

Can someone explain this please?

Basically there are two things. If you pay close attention when you install Messenger Plus! 2 you can opt out of the sponsor portion.

The second is, even if you don't opt out, you get a second chance since it installs a LOP BHO and toolbar. Per Tony, once you fix these in HJT (and preferably delete the associated files) Messenger Plus! 2 will work fine without them. Hence, trash the LOP and keep the Messenger Plus! 2.

If Tony says it, you can take it to the bank!! I too was going by the best available information from pacs-portal. However, after a few PM's with Tony, I have been enlightened. :) That's the great thing about TSG, you can always learn something new.

Now I feel bad for all the people that I told to delete Messenger Plus! 2. :( :eek: :confused:
Thanks for reply Nitehawk. I mentioned fixing this in HT:
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
I assume you should then delete:
C:\Program Files\Messenger Plus! 2\MsgPlus.exe

Is this correct now?
Actually, if you take care of the O2 and O3 entries, BHO and toolbar that has LOP, you can leave the

O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"

alone and then obviously NOT delete.

I'm sure that will make a lot of people that use this Messenger Plus! 2 very happy.
Thanks for that Nitehawk, much appreciated!
1 - 16 of 16 Posts
Not open for further replies.