Hello,
When I woke up and turned my computer on this morning I was greeted by 10 new icons, and a little win-xp style menu bar. "Hmmm I thought... this can't be good." As it turns out, my sister (who has been told countless times not to download ANYTHING) had managed to download the LOP spyware (http://www.spywareinfo.com/articles/lop/). It seemed to trick my sister into believing she was downloading some new great mp3 finding software.
Anyway, this sent me on a quest for removal of this new LOP beast. Here is what I have done so far:
1) Opened Zone Alarm and disabled all the dodgy programs I could find. (ADGKNQ.exe, Download.exe, Kuy1.exe, Winactive.exe)
2) I updated Spybot and did a scan. Ahh nice... 40 or so new problems to fix. So I fixed them then rebooted.
3) Downloaded Ad-Aware 6, updated it and gave it a go. Ahh even better another 40 items. I deleted them and rebooted.
4) Ran Regcleaner 4.3, removed all old entries.
5) Then seeing as I was still getting an advertising window at the bottom of IE, I searched the web looking for more information. Then I remembered good old Hijack This (which I used the last time my sister downloaded something).
6) Ran Hijack This and deleted:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank
O2 - BHO: (no name) - {4ada0832-a920-48f1-bb4a-ec201390468e} - C:\DOCUME~1\JAMES\APPLIC~1\poolyshgstea.dll
7) I headed to LadyBugSoft and found a plug-in for Internet Sweeper Pro. So I gave it a shot. It seemed to run some sort of uninstaller (which needed to connect to the internet to remove). That seemed scary to me, but I ran it anyway.
8) More internet searching. Found that lop.com provide their own uninstaller for lop. It all screamed dodgy at me, and I read 4 reports of the file actually being a trojan. So I steered clear of the 'official' option.
9) Ran StartMan and made sure all the dodgy programs were disabled.
10) Deleted the winactive folder in Program Files
11) Ran Vet (CA anti-virus) just for good measure.
Now I'm unsure what to do next. I really want to make sure this little program is gone for good. Have I missed anything crucial? The thing that is most worrying me is the ad-bar at the bottom of IE. It was removed fine after deleting the 4 entries in Hijack This. But is it still stored on my computer somewhere and I've simply disabled it from being shown in IE?
Any tips or suggestions for what else might still be left behind?
Here is my Hijack This log just to make sure I removed everything I needed to:
StartupList report, 29/09/2003, 12:13:33 PM
StartupList version: 1.52
Started from : C:\Downloads\hijackthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Vet\VetTray.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\hijackthis\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AME_CSA = rundll32 amecsa.cpl,RUN_DLL
VetTray = C:\Vet\VetTray.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
MessengerPlus2 = "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
FinePrint Dispatcher v5 = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Download Program Files:
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE =
http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE =
http://office.microsoft.com/officeupdate/content/opuc.cab
[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE =
http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE =
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.9470486111
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE =
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
End of report, 4,499 bytes
Report generated in 0.070 seconds
Thanks for taking the time to read all this. Any suggestions are welcome. And I hope this has been a good lesson for everyone, never ever let your sister download a single file from the internet.

Or it might just be the dreaded LOP spyware.
Thanks.
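The entries removed in step 6 name three registry values and one DLL path, so the question of what might be left behind can be turned into a checklist. The following is an added example, not part of the original post and not code from HijackThis: it parses those four lines and reports which registry values to re-check and whether the named file is still on disk. The function names `parse_entries` and `follow_up` are hypothetical, and the script only reads and reports.

```python
import os
import re

# Constructed input: the four entries listed in step 6 of the post.
REMOVED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank
O2 - BHO: (no name) - {4ada0832-a920-48f1-bb4a-ec201390468e} - C:\DOCUME~1\JAMES\APPLIC~1\poolyshgstea.dll
"""

LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
REG = re.compile(r"^(?P<key>HK(?:CU|LM)\\[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# Short (8.3) and long names of per-user folders, where this BHO's DLL lived.
PROFILE_PARTS = {"docume~1", "documents and settings", "applic~1", "application data"}


def parse_entries(text):
    """Turn HijackThis-style lines into dicts; unrecognised lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        hit = m and (REG.match(m["body"]) or BHO.match(m["body"]))
        if hit:
            entries.append({"code": m["code"], **hit.groupdict()})
    return entries


def follow_up(entries, exists=os.path.exists):
    """List what to re-check after a fix: registry values and files on disk."""
    registry, files = [], []
    for e in entries:
        if "key" in e:
            registry.append((e["key"], e["value"]))
        elif "path" in e:
            parts = {p.lower() for p in e["path"].split("\\")}
            files.append({
                "path": e["path"],
                "clsid": e["clsid"],
                "in_user_profile": bool(parts & PROFILE_PARTS),
                "still_on_disk": exists(e["path"]),
            })
    return registry, files


if __name__ == "__main__":
    reg, files = follow_up(parse_entries(REMOVED))
    print(*reg, *files, sep="\n")
```

Run on the affected machine, `still_on_disk` shows whether the DLL named by the removed BHO entry is still present; the registry list gives the values to look at again in a fresh scan.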
