LOP not dealt with

Lee

So last night I thought I had LOP dealt with after using
adaware, spy ferret, spybot, noadware and MS Antispy.

So I am using the computer today and suddenly I start to
see evidence of LOP again. Antispy blocks efforts to
change my homepage but toolbars are added.

I then run Antispy to try and ID the spyware, it finds
nothing. I then run Spy Ferret and it finds two lop
applications including in the registry and a half dozen
lop cookies!!!
 
Andre Da Costa

Hi Paul


Lop.com (Live Online Portal) is owned by C2Media. Lop is
distributed by sites such as MP3Search.com.

Lop's very difficult to detect and remove due to random
filenames and so many different variants, you may need to
use programs like Microworlds Escan or Hijack this to
find the entries for this then you can manually remove
them.

Omegasearch like you say is affiliated to
lop.com. Omega's entries will be obvious in hijack this
so maybe use that if the scanners below don't clear it up.




Here's some info from Lop's site :

----------------------------------------------------------
----------------------------------------------------------


How do I uninstall one of your software products?


There are several methods available to you should you
wish to uninstall any of our software products you had
previously chosen to install:

- You can go to your Start Menu--Control Panel, then
choose the 'Add / Remove Programs' option. Depending on
which version of the software you have installed
locate 'Lop.com' or 'LOP SEARCH' or 'Window Searching'
or 'Window Active' or "Browser Enhancer" or "Ultimate
Browser Enhancer" or "Search Plugin" from the menu to run
the uninstaller.

- Depending on your version you may also be able to
locate a globe type icon in the bottom right hand corner
of your screen (near the clock), right click on it then
click Menu. From the main menu you will see a help button
on the top right hand corner. Click the help button then
choose 'uninstall'.

- Additionally a separate universal uninstall program may
be downloaded here

http://l(Modified)new_uninstall.exe (DO NOT USE
THIS !!!!)

----------------------------------------------------------
----------------------------------------------------------


I downloaded the uninstaller to test it before posting it
but it's infected with a trojan downloader so this is just
going to add to the problems, it may remove lop but will
download a trojan that will try to download more crap,
and with it being infected I don't think it's worth the
hassle.

Here's the results of the uninstaller after being scanned
at Jordi's site (http://virusscan.jotti.org/)



AntiVir Found TR/Dldr.Swizzor.CK
Avast Found Win32:Trojan-gen. {Other}
AVG Antivirus Found Downloader.Swizzor.4.C
BitDefender Found Trojan.Downloader.Swizzor.CK
ClamAV Found Trojan.Downloader.Swizzor-17
Dr.Web Found Trojan.Swizzor
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Swizzor.ck
mks_vir Found Trojan.Downloader.Swizzor.Ck
NOD32 Found Win32/TrojanDownloader.Swizzor.CK
Norman Virus Control Found W32/Swizzor.BO
VBA32 Found Trojan-Downloader.Win32.Swizzor.ck




First steps are to try these other adware removers:



Spybot Search & Destroy

http://ejrs.com/spybot/spybot.exe



Adaware SE

http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button


Also download Ccleaner and use on all three settings to
clear any temp or unused files

Ccleaner

http://download.ccleaner.com/download119bin.asp



Run an online virus scan at any of these sites:


Trend Micro http://housecall.antivirus.com/


Panda http://www.pandasoftware.com/activescan/

Bitdefender
http://www.bitdefender.com/scan/Msie/index.php



If the problems are still there after using these
download Microworlds Escan & Hijack This and post the
results.


Download Microworlds Escan :

ftp://ftp.microworldsystems.com/download/tools/mwav.exe


There's nothing to install, Save to your desktop

Double click to run eScan's Mwav scan
It will self extract

Select all local drives & make sure you scan all files,
press 'SCAN' and when it is completed, anything found
will be displayed in the lower pane.


This may take a while, let it finish

In the Virus Log Information Pane

Left click and highlight all the info in the lower pane.
Use the "CTRL" and "C" keys on your keyboard to copy all
found in the lower pane and paste it back here


****If prompted that a Virus was found and you need to
purchase the product to remove the malware, just close
out the prompt and let it continue scanning*****



Download Hijack This

http://www.spywareinfo.com/~merijn/files/hijackthis.zip


Unpack it to its own folder (either C: drive or desktop). Run
Hijack this and choose scan & save logfile

When hijack this finishes scanning it will open the
results page in Notepad. Copy all the text and paste it
here




Here's a bit more info on lop and the Swizzor trojan they
provide :)



http://securityresponse.symantec.com/avcenter/venc/data/adware.lop.html

http://securityresponse.symantec.com/avcenter/venc/data/download.adware.lop.html

http://www.doxdesk.com/parasite/lop.html

Regards Andy
--
Andre
Extended64 | http://www.extended64.com
Blog | http://www.extended64.com/blogs/andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
 
AndyManchesta

I think the main problem is your choice of spyware
removers, it wouldn't surprise me if these are connected to
LOP, please check these links:

Thanks to spyware warrior !

http://www.safer-networking.org/en/compatibility/spyferret.html

http://www.safer-networking.org/en/news/2003-07-01.html


Then this comment posted by a 'EX' ferret user

I ran SpyFerret on my computer and it indicated that it
was full of spyware and trojans. I bought SpyFerret, ran
it and clicked to clean my PC as recommended. Result a
complete PC crash. So I tried to get my money back AS
ADVERTISED - Nothing not even a response. So beware of
that particular piece of junk

And from another user :

I ran the SpyFerret.exe on a new PC never been used and
lo and behold - it was full of spyware and trojans!!!
Obviously a ploy to panic the unwary into buying a
product that is designed as a large expensive virus in
its own right. These are the people that collected my
money (e-mail address removed) - joint thieves it seems!


I got a copy of their free scanner and scanned it for
malware, here's the results:


Spy_Ferret.exe
Status: INFECTED/MALWARE
MD5 adbbe84f14aa53c2f4c8a409b963cb28

Packers detected: UPX

Scanner results

AntiVir Found nothing
ArcaVir Found W32.Generic
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Found nothing
NOD32 Found nothing
Norman Virus Found nothing
UNA Found nothing
VBA32 Found nothing



It's pretty clear this program is related to scumware even
though only one virus scanner detected a problem. I think
you are best using Adaware SE and Spybot and then see if
you get the same detection.

If this is something you have already tried then I think
you are safer using Hijack this and posting the log that
it produces because even though you have problems it may
be unconnected to LOP or even be caused by Spy Ferret.

Regards

Andy
 
AndyManc

Hi Andre, good post ;)

Trojan.Swizzor is Lop but referred to as a trojan. I think
it was Norton who originally detected it as Trojan then
that seems to have gone round the AntiVirus vendors. It's
probably safe to use the uninstaller they post as long
as they are sure the infection is LOP because I think it
would have to contain LOP's signatures to remove the
infection and this is maybe what all the virus scanners
are detecting.

It's a tough one to decide on though, will it uninstall
lop or remove one variant and replace it with another? I
know I cannot answer that so wouldn't use the file but
maybe it's safe, it's really guesswork which usually means
don't use it a lot of the time ;)

Your comment about using Microworld's eScan & Hijack This
is best to see what the problem really is then the
uninstaller is always there as a last resort, plus once
they have Hijack this setup it will then be easier to
notice any changes after running the uninstaller LOP
provide.


Regards

Andy
 
AndyManc

Well I didn't want to say :)

I remembered the post and I followed up with my reply
about them being the same (Trojan Swizzor/Adware LOP)
so thought I'd best repeat that as maybe my view of it
adding to the problems may be wrong.

You could have changed the Hi Paul and omega search part to
suit his post. You can change my posts anytime you want
Andre as they are only my opinion and if they help users
I do not mind anyone reposting them even if they edit
them or don't mention me. We are all here to help each
other so I'm happy to share my views.

And you are a great help to these newsgroups and I always
read your posts as you don't repeat the same post to all
users like some people and you help out a lot of people on
here so I'm sure everyone respects your help, I know I do ;)

Regards Andy
 
Engel

I'm unable to read the post from Andre, the rest show OK.

Do you see the last posts on popcaploader?
One of the posts I answered myself on another NG is too long
and I'm unable to read it. I'll look for that one.

Engel
 
AndyManc

Hi Engel

I can see all the posts on the popcap topic and can view
Andre's on here. I know what you mean though, there does
seem to be a problem that MS should really fix.

I've noticed some of Bill's posts say message unavailable
and saw the same with my own post the week before. I
appreciate we are here to comment on a beta spyware
remover but it's a shame we have to treat these as beta
newsgroups as well.

I use the http address to view and post replies. I know
some users think I should use a newsreader but I find the
http address easy as I can view all the newsgroups at the
same time. If the problem is with the http address then MS
should shut it down and tell all users to use a
newsreader or fix the fault that makes messages say
unavailable after a couple of days.

What you're describing is a different problem if you cannot
view messages unless they are short replies. I'm sure MS
can view all the topics so I suppose that's their only
concern so that they can collect feedback.

I think it's just something we are going to have to live with. I
noticed the search feature stopped working a long time
ago and says they are upgrading the site so maybe they
are going to upgrade, it's hard to comment on that.

Most posts work so it's only a small fault and I'm not sure
myself what's causing it as there doesn't seem to be a
pattern with deleted posts, some work then drop after a
couple of days, some appear fine to some users but as
you are saying they don't appear for other users so it's
hard to know what's going on.


Andy
 
Tom Emmelot

Hi Engel of Enhel,

I use Mozilla Thunderbird for this newsgroup, I can see the whole text,
but I got also the reply sometimes the mail is not there anymore!
Maybe a bug in the news server.

Regards >*< TOM >*<

Engel wrote:
 
Steve Dodson [MSFT]

I agree - Thanks Everyone :)

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security
http://blogs.technet.com/stevedod
--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
Guest

I am part way through using Andre's suggestions having
deleted spyferret, run adaware, spybot and Trend Micro.

This computer has two user profiles (xp 2nd SP). It would
appear that I have to run the programs in both profiles
for it to completely restore IE to the non LOP state as
under one profile it appears to be all clear, but not
under the other!
 
