How to completely eliminate remnants of lops.com popups?

laminate

After I had 98% of this posting typed, my computer crashed and I lost
all of it. I'm going to attempt to recreate the necessary details
though.

On December 22, I stupidly downloaded something called mp3.plugin.exe.
Of course it was spyware, and within an hour or two of using
hijackthis, spybot, and adaware, I had my PC pretty much back as I
wanted.

However, an annoying remnant of that spyware infusion remains on my
computer. Sporadically in IE 6 (which is not my default browser;
Netscape 7.1 is), I will get a popup from lops.com. This happens at
odd times too - like on my about:blank start page, or when surfing
sites that I know are popup-free.

Determined to track it down, I ran Spybot, Ad-aware 6.0, and a free
trial version of something called SpyHunter 1.1.29. All had updated
reference files.

Spybot found nothing.

Ad-aware found one item, something called TopSearch.dll that is
associated with KazaaLite. I've had KazaaLite on my computer for over
a year, and it's supposed to be spyware-free. I'm not worried.

SpyHunter found several things:

- LOTS and LOTS of registry entries for BackWeb lite. But some past
research I did on this indicated that it's part of my Kodak software's
checking for updates. Minimally pesky or invasive perhaps, but
nothing that bothers me.
- Two registry objects called AcroIEHelper.AcroIEHlprObj and
AcroIEHelper.AcroIEHlprObj.1 that I am not too concerned about either.
They sound like they have something to do with Acrobat Reader.
- release notes.lnk, something in my start menu for my HP printer.
I've had the printer for two years and I highly doubt that a link in
the start menu has anything to do with spyware.
- wa_inst.exe, a file in my Windows Application data folder. This
makes me VERY suspicious, and I comment on that in the next paragraph.

Finally, I browsed google groups and came upon this article:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=uM7GoVb1BHA.2680@tkmsftngp05&rnum=2

Among several other things, it recommends looking in
c:\windows\application data for odd files. Now I can't tell a good
file from an odd one in that folder. But I found it noteworthy that
there are only six files right under c:\windows\application data on my
computer (there are a LOT of folders in there, but only six files at
that level). Five of those files are dated shortly after noon on
December 22, which is when I remember I was messing around with
mp3.plugin.exe. Those files are:

- oablmyil.exe
- prckssoodki.lib
- uwtxdfql.exe
- wa_inst.exe
- wsprgaeoo.dll

The date/time stamp makes me VERY suspicious.

So for anyone who has read all of this, my questions:

1. Can I delete those five odd files in my Windows Application Data
folder?

2. What else should I look for to remove, once and for all, the
remnants of my mp3.plugin.exe adventure?

3. Any comments on the other stuff that I mentioned above found by my
spyware scans?
 
laminate

In anticipation of being asked, I ran hijackthis on my computer and am
posting the logfile below:

Logfile of HijackThis v1.97.7
Scan saved at 2:57:45 PM, on 1/7/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\SPYHUNTER\SPYHUNTER.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\PYRENEAN\EDEXTER\EDEXTER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\EUDORA\EUDORA.EXE
C:\PROGRAM FILES\AGENT\AGENT.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\jbpktx4z.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\jbpktx4z.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\PROGRAM FILES\E-BOOK SYSTEMS\FLIPVIEWER\FPLAUNCH.DLL
O2 - BHO: (no name) - {1a5a2ea0-3477-11d8-b43d-00500485e140} - C:\WINDOWS\APPLICATION DATA\WSPRGAEOO.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAM FILES\SPYHUNTER\SPYHUNTER.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: TimeSync.lnk = C:\Program Files\Tools For Selling\Time Synchro\TSYN.EXE
O4 - Startup: eDexter.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {7B461720-5910-45A3-B617-3B53A972F209} (Pixami-PhotoWorks Upload UI Control) - http://services.photoworks.com/Pixami/PixamiSFWUploader.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create and Print ActiveX Plug-in) - http://www.americangreetings.com/img/cp/install/AxCtp.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37705.4612384259
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
 
YoKenny

laminate said:
In anticipation of being asked, I ran hijackthis on my computer and am
posting the logfile below:

Logfile of HijackThis v1.97.7
Scan saved at 2:57:45 PM, on 1/7/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

C:\PROGRAM FILES\SPYHUNTER\SPYHUNTER.EXE

Please use Google and search on "SpyHunter." Other than the game of the
same name, can you find one positive entry for this "spyware" application?

Consulting Google is like checking with the Better Business Bureau (BBB)
these days.

C:\PROGRAM FILES\PYRENEAN\EDEXTER\EDEXTER.EXE

Great application when using a HOSTS file for ad blocking.

C:\WINDOWS\TEMP\HIJACKTHIS.EXE

It is best to put HijackThis into its own folder like C:\HJT to keep the
backup files it creates. The C:\WINDOWS\TEMP folder should be cleared
regularly, especially if you install applications frequently.

O2 - BHO: (no name) - {1a5a2ea0-3477-11d8-b43d-00500485e140} - C:\WINDOWS\APPLICATION DATA\WSPRGAEOO.DLL

No idea what this is.

O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun

Warning! Ensure that this file is indeed a valid MS file, as some
viruses/worms overwrite this file.

O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAM FILES\SPYHUNTER\SPYHUNTER.exe

As above.

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Not needed, as it uses much unnecessary system resources.

O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create and Print ActiveX Plug-in) - http://www.americangreetings.com/img/cp/install/AxCtp.cab

Obsolete.
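
A cross-check of the posted log against the five December 22 files, as an added example that is not part of any poster's message: it rejoins the wrapped lines of a HijackThis log, then flags O2 (BHO) and O4 (autostart) entries whose file is one of those five or sits directly in the root of Application Data. The sample log is a constructed excerpt of the entries posted above, and the function names are illustrative.

```python
import re

# Constructed sample: entries copied from the log above, news-client wrapping kept.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1a5a2ea0-3477-11d8-b43d-00500485e140} -
C:\WINDOWS\APPLICATION DATA\WSPRGAEOO.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton
Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAM FILES\SPYHUNTER\SPYHUNTER.exe
"""
# The five files the original poster found dated December 22.
SUSPECT_FILES = {"oablmyil.exe", "prckssoodki.lib", "uwtxdfql.exe",
                 "wa_inst.exe", "wsprgaeoo.dll"}
ENTRY_START = re.compile(r"^[A-Z]\d{1,2} - ")   # R0, N3, O2, O16, ...
FILE_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|cpl|lib)\b", re.I)

def unwrap(log_text):
    """Rejoin wrapped lines: no section code means 'continues previous entry'."""
    entries = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def triage(log_text):
    """Return (section, path, reasons) for O2/O4 entries worth a closer look."""
    findings = []
    for entry in unwrap(log_text):
        match = FILE_PATH.search(entry)
        if not entry.startswith(("O2 ", "O4 ")) or not match:
            continue
        folder, _, name = match.group(0).lower().rpartition("\\")
        reasons = []
        if name in SUSPECT_FILES:
            reasons.append("file is in the December 22 batch")
        if folder.endswith("\\application data"):
            reasons.append("loads from the root of Application Data")
        if reasons:
            findings.append((entry[:2], match.group(0), reasons))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Matching is case-insensitive because the log prints the path in upper case while the folder listing shows it in lower case.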
 
Guest

http://www.doxdesk.com/parasite

