Hi Mate I will try help you get rid of this pest
Spybot Search & Destroy
http://www.majorgeeks.com/downloadget.php?
id=2471&file=11&evp=2470f9bfb0cc682334ff8c4459556118
will delete this as will
Ad-aware SE
http://www.majorgeeks.com/downloadget.php?
id=506&file=11&evp=8dbaff7daca8f4b55bf695220993fc0f
but you need to be in safe mode usually and then try the
MS Antispy in safe mode also but will give you as much on
it as i can so you can find a way to remove it forever
note for removing the files manually which ive listed
below you should also go into safe mode.
First i'll explain a bit about it
Lop.com
Variants
lop/Trinity is an old variant of the software, which only
adds the shortcuts and does the homepage/search
hijacking.
lop/Dialer is a plain porn dialler delivered with the
startup task.
lop/Toolbar: includes the startup task and an IE toolbar
with more lop links.
lop/Rnd: a version of lop/Toolbar that uses completely
random class IDs as well as pseudo-random filenames,
making it difficult to detect.
lop/AYB: a URL protocol module used by the MP3Search (or
similar) minibrowser launched by the startup task.
having it is usually a sign you may have lop/Toolbar or
lop/Rnd as well.
lop/Loader: an installer process that opens a small
progress window in the middle of the screen and loads and
runs both lop/AYB and either lop/Toolbar or lop/Rnd.
lop/IMZ: an installer process like lop/Loader, but
installing lop/Rnd and FavoriteMan/IMZ. lop/AYB is not
installed, so the script at this script usually cannot
detect lop/IMZ installations.
lop/Active: an update of lop/Rnd which monitors web pages
viewed for keywords, and sets the buttons in the toolbar
to match. This also opens a floating window on the
desktop on startup. Can also hijack to active-max.com,
mysearchnow.com, searchwebnow.com or find-quick.com as
well as one of the traditional four-letter domains.
Also known as
C2 by Spybot, after the company (C2 Media) that makes it.
Troj/Tubmo by Sophos anti-virus, for unknown reasons.
Installed by ActiveX from many sites, often pop-up ads.
There are often pop-up loops (pop-ups opening pop-ups
endlessly) for sites claiming to be MP3 search and
download tools, which try to exploit the confusion caused
by this to install lop. However, lop downloaders have
also appeared on some mainstream ad networks.
The executable file pointed to by the ActiveX downloader
is likely to have a name like:
mp3.exe
mp3search.exe
mp3_finder.exe
mp3_plugin.exe
mp3Software_plugin.exe
napster2.exe
FreeMP3.exe
freemp3s.exe
freemp3z.exe
FreeMP3Music.exe
free_deals.exe
free_plugin.exe
freeplugin.exe
Software_Plugin.exe
Download_Plugin.exe
download_file.exe
The_Ultimate_Browser_Enhancer.exe
sex_viewer.exe
free_sex_viewer.exe
Adult_Software.exe
keygen33win.exe
download_serial.exe
free_warez.exe
Also bundled with software downloads from edonkey.com
(note: the real 'eDonkey' software site is at
edonkey2000.com), fake 'cracks' or key generators from
software-piracy sites, and Patchou's MSN Messenger Plus.
Some shortcut icons are added to the desktop. Many more
are added to the Favorites menu. More are on an IE
toolbar called 'Accessories'. The process run on startup
also occasionally pops up adverts
The startup process can download and execute arbitrary
code from its controlling server.
lop/Toolbar installations normally put a round icon in
the system tray, try right-clicking this,
choosing 'Menu', then on the resulting window,
clicking 'Help', then 'Uninstall'.
lop/Rnd installations do not put the icon in the system
tray, but may add an entry to the Control Panel's
Add/Remove Programs list, which can be used to uninstall
in the same way. The name of the uninstall option varies
randomly but tend to follow a pattern, eg.:
Browser Enhance r
Brows er Enhancer
Ultimate Browse r Enhancer
Ultimate Browser En hancer
L.O P. Un insta11
L O.P. Un instal1
Live 0n line Portal
Live.0nli ne Porta1
lop/Active installations have an additional 'Window
Active' entry that should also be removed.
Open the Application Data folder. This can be found
inside the Windows folder on Windows 95/98/Me; on Windows
2000 and XP it is inside your user folder in 'Documents
and Settings', but it's hidden, so go to Tools->Folder
Options->View and turn on 'Show hidden files and folders'
to see it. In Windows NT 4.0 it is in the user folder
inside 'WinNT\Profiles'.
The filenames of lop files can vary for each different
installation, but usually under Windows there should not
be any files inside Application Data (only folders), so
it's generally easy to pick out the culprits. Known
filenames for the toolbar DLL (lop/Toolbar, lop/Rnd) or
ayb: protocol DLL (lop/AYB) include:
search for and delete any of these files if found as you
can see this is a nightmare to remove manually as its
hard to know what variant you have and what its saved
itself as
logobi~1
showsupport
shopping and gifts
delete.me
elsewa~1
plugins
internetwasherpro
proxyn~1
roamju~1
showsu~1
showsupport
sitein~1
waveba~1
wavesu~1
waymov~1
wayvga~2
window active
1111.exe
11739.exe
2443.exe
14599.exe
24701.exe
2dimensionofexploits.asm
2dimensionofexploitsenc.hta
2dimensionofexploitsenc.php
agreement-.htm
ante.exe
antedefault.dll
aswnk.exe
aswwxs.reg
atiupdate2.exe
backup.reg
bike poke.dll
binsect.exe
bitsplaygrid.exe
ckcoofrunea.exe
ckcoofrunea.exe
ckcoofrunea.exe
rem18c.exe
store funk.dll
deafdoes.dll
copy data.dll
rulefindcamp.exe
media else rdr.exe
cast idle.dll
ckouvcrcgcea.dll
corn bold media.exe
cyd1.exe
adult.lnk
gambling and online casinos.lnk
mp3 music search.lnk
news and sports.lnk
online movies.lnk
download_plugin.exe
each cdrom memo.exe
eshglkfvcr.dll
etu1.exe
exploit1.htm
entertainment.url
adult chat.url
amateur photo.url
asian sex.url
ebony.url
fetish.url
gay and lesbian.url
hardcore.url
live video feeds.url
matchmaking.url
xxx cartoons.url
b to b.url
banking.url
business.url
careers.url
credit cards.url
finance.url
insurance.url
office.url
printing.url
computer games.url
computer stores.url
dedicated server.url
domain names.url
hardware.url
laptops.url
software.url
web design.url
web hosting.url
mobile phones.url
telecommunication.url
telephone.url
text sms messaging.url
auction.url
classifieds.url
free emails.url
free homepages.url
free services.url
school essays and homework.url
services.url
adult entertainment.url
adult entertainment.url
automotive.url
dvd.url
entertainment.url
hot games and gaming.url
mp3.url
travel.url
gambling.url
black jack.url
chips.url
craps.url
multi player.url
online casinos.url
poker.url
roulette.url
slots.url
sports books.url
games.url
mp3 music.url
news.url
art.url
astrology.url
books.url
community.url
ebooks.url
education.url
training.url
beauty.url
health and fitness.url
pharmacy.url
construction.url
furniture.url
home and garden.url
real estate.url
utilities.url
kids.url
magazines.url
matchmaking.url
pets.url
self help.url
wine.url
women.url
accessories.url
apparel.url
cards.url
electronics.url
flowers.url
gifts.url
jewlery.url
retail products.url
shoes.url
shopping.url
toys.url
games.url
film.exe
filmpeak.dll
freemp3z.exe
fullscreenbar.htm
fwpesprd.exe
ghrxblvci.exe
glzchtb.lib
header (1).htm
header (2).htm
header (3).htm
header.htm
heart setup inside.bin
hpt1.exe
install.htm
install.txt
installation report download_plugin.htm
jlgxuzqp.exe
keyhost.exe
khzc256.tmp
kobmaahh.exe
ktbxbllyth.dll
links.txt
lite cake loud.exe
lop notes.txt
lrgluoot.exe
mp3.exe
mp3_plugin.exe
mp3serch.exe
onlinecontent.lnk
passthrough[1].htm
pkajulyt.exe
plus size.exe
popupbaropener[1].htm
aybgwarn.htm
aybwarn.htm
brsswthg.exe
chblgrstd.lib
ckcoofrunea.exe
ddinxmdb.exe
deskicon.lib
dgpxzhtb.exe
djgxsbcl.exe
drstesprpee.dll
efjwxjsl.exe
eneqckap.exe
flmgvmas.exe
fqbhyhjh.exe
frlyjeebtrn.dll
frlyjeebtru.dll
frsezaeaast.dll
frsezaeaav.dll
gchmfrea.exe
glckqksdr.dll
gqlfiqii.exe
gzxqpghe.exe
hlsctpay.exe
hlyvjncf.exe
idixbdmf.exe
ieeblostqly.dll
kmigeuhh.exe
lckqdcvd.exe
lkxelvrg.exe
llssalycshh.dll
lopsearch.exe
mspuztbg.exe
muqhatod.exe
muxibdom.exe
mycvbdqu.exe
nimylprv.exe
nshelstpgl.dll
oostshthptrv.dll
ovnolxvi.exe
pbgqwhoj.exe
plg_ie0.dll
prnshgrdssb.dll
qhiqikdr.exe
qtufbghm.exe
qwxgxlrv.exe
sefiqovd.exe
srytuikb.exe
taecoidy.exe
trmugnsu.exe
trstlskb.exe
uljpmexe.exe
vlluafrq.exe
vygaeifz.exe
wa_inst.exe
xxdfwvli.exe
ysaebwco.exe
zaeoxdiu.exe
zdmlfhmh.exe
zvpkxxtu.exe
zvxcypnh.exe
zxenmgrbl.dll
ayw17f.exe
bae1.exe
bvj13.exe
den1.exe
fbf1.exe
hqe1.exe
now1.exe
pfn1.exe
pnt1.exe
prab.exe
pyo25.exe
qhy81.exe
rem15.exe
rem24.exe
rem25.exe
rem2ea.exe
rny1.exe
sml1.exe
szwe.exe
txo1.exe
uqg1.exe
vyz1.exe
wry1.exe
znp1.exe
sta3.exe
rule keep.dll
barbboob.dll
chin mfcd.bin
16537.exe
store funk.dll
3549.exe
antitype.dll
hole title.dll
longpuresoft.bin
bdvcnypx.exe
64bikeabout.exe
16021.exe
thatlong.dll
manager free.exe
removelop.exe
pile inter grim.bins
deafdoes.dll
1072.exe
acid slow.bin
peak that.dll
phone internet.dll
curbuser.exe
sizebuildlogo.exe
14599.exe
19205.exe
24758.exe
29923.exe
copy data.dll
dent team.dll
citydog.exe
more.exe
realaudio.exe
salrukuu.exe
roam.exe
delete play.exe
rulefindcamp.exe
window skip.exe
ewgcgvzk.exe
jxmiyjlq.exe
lfgaukbm.exe
media else rdr.exe
nnzmpuhm.exe
wtmtyuls.exe
media else rdr.exe
eksthzea.exe
gcvbdwdc.exe
intramemocomp.exe
jeursyec.exe
lsocnmju.exe
ocyixkfk.exe
uyibygkh.exe
zgplkbke.exe
eygfyuoe.exe
rppzstyl.exe
32437.exe
aim 1.dll
20044.exe
7310.exe
acid team.dll
elsemode.dll
1716.exe
great ante.dll
moreamok.bin
acid stop.bin
curb bind.dll
info wait.dll
unbzip2s.dll
refslow.exe
rgg1.exe
setup close.exe
setup time.dll
sfx71e4.tmp
sfxbe.tmp
software_plugin.exe
ssaxstxoaieoagrh.reg
asshuktr.exe
aybgwarn.htm
aybwarn.htm
bilyooas.exe
byb_save.exe
chksbdriya.dll
crgbeaoa.exe
dmvcrthl.exe
droxtrdchdoo.dll
eaeeishllblc.dll
ealymfrprwch.dll
eaymulyl.exe
eelykofrllfrj.dll
eelykofrllfrpr.dll
eeublidc.exe
epllkeeoopr.dll
freabrlaouw.dll
gldqumssfrie.dll
glxshmcr.exe
heeachmstll.dll
hglllyxrxw.dll
icdrhwno.dll
ijlysseb.exe
jqumysto.exe
kfriegbs.exe
llfggrdr.exe
lltckiey.exe
lopsearc.exe
meemnckyqbr.exe
meepajlr.dll
meepajlr.exe
mprcouie.exe
oofrkxpe.exe
ousszidrta.dll
peebqusz.exe
prnouestssstx.dll
prxzoustustgr.dll
quglwachfs.dll
quveioot.exe
shoucrck.exe
ssmeeibl.exe
sstroallhqch.dll
tblchepruprgr.dll
tchpeatr.exe
tglblrll.exe
trdzhtxf.exe
trstdris.exe
trstshcrscksr.dll
ukfroigl.dll
ulyuiexeechp.exe
upckeetoutw.dll
veaeyglckr.dll
vestufck.exe
vfthrcbr.exe
woafrquzn.dll
xogyfhp.exe
yeecrsoustoull.dll
ykphmbre.exe
ylynfste.exe
ziebaeeoaeepr.dll
b_dnserr.gif
desktop.htm
dnserror.htm
the_ultimate_browser_enhancer.exe
i_dnserr.gif
jexpoofro.htm
r_dnserr.gif
s_dnserr.gif
ubipwdk.exe
donk_bar.dll
plg_ie0.dll
npddeapi.dll
veg32.dll.dll
rem9b.exe
remd.exe
ubipwdk.exe
desktop.htm
desktop.swf
tchstlmmdrm.htm
toolbar_uninstall.exe
twunk001.mtx
ulyfchcrcrdcr.htm
uohiw.dll
waybait.exe
web default one.exe
winactive.exe
winactivej.exe
winactivej_unpacked.exe
wshbrybr.exe
xlj1.exe
ystck32.exe
yxogltoo.exe
adult.lnk
antedefault.dll
boldabout.exe
ckcoofrunea.exe
ckcoofrunea.exe
store funk.dll
axispoll.dll
baittick.dll
brdrsstl.exe
dkbrtfvz.dll
fblfssstoozl.exe
frymqbrproa.dll
hchdrllmsta.dll
rxesttrssck.dll
shxshoalldtrl.exe
trojandownloader.win32.small.bp.exe
trstbfkl.exe
ujstfrprssck.dll
blztstull[letter 'a', 'c', 'j', 'p', 's', 't' or 'y'].dll
blztstull['pr', 'tr' or 'oo'].dll
chksbdrlya.dll
dmvcrthl.exe
eaeeishllblc.dll
eelykofrllfrpr.dll
eelykofrllfrj.dll
ealymfrprwch.dll
epllkeeoopr.dll
freabrlaouw.dll
gldqumssfrie.dll
hglllyxrxw.dll
icdrhwno.dll
heeachmstll.dll
meepajlr.dll
ousszidrta.dll
plg_ie[any digit].dll
prxzoustustgr.dll
prnouestssstx.dll
quizbt[any digit].dll
quglwachfs.dll
sstroallhqch.dll
tblchepruprgr.dll
trdzhtxf.exe
trstshcrscksr.dll
ukfroigl.dll
upckeetoutw.dll
veaeyglckr.dll
woafrquzn.dll
yeecrsoustoull.dll
ziebaeeoaeepr.dll
Known filenames for the system tray task and hijacker
file include:
asshuktr.exe
bilyooas.exe
byb_save.exe
crgbeaoa.exe
eaymulyl.exe
eeublidc.exe
glxshmcr.exe
ijlysseb.exe
jqumysto.exe
kfriegbs.exe
llfggrdr.exe
lltckiey.exe
lopsearc.exe
meemnckyqbr.exe
meepajlr.exe
mprcouie.exe
oofrkxpe.exe
peebqusz.exe
quveioot.exe
shoucrck.exe
ssmeeibl.exe
tchpeatr.exe
tglblrll.exe
trstdris.exe
ulyuiexeechp.exe
vestufck.exe
vfthrcbr.exe
xogyfhp.exe
ykphmbre.exe
ylynfste.exe
Other files you may find with some versions include icon
libraries (known filenames tchejea.lib and iCndE.lib) and
loads of GIFs. These can all be deleted too. You might
also have some of the following files in the Windows
folder:
desktop.htm
dnserror.htm
jexpoofro.htm
i_dnserr.gif
s_dnserr.gif
r_dnserr.gif
b_dnserr.gif
tiejexpoo.gif
xiejexpoo.gif
oiejexpoo.gif
uiejexpoo.gif
Open the registry (Start->Run->regedit) and find the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersi
on\Run. If you have not used the uninstall feature there
should still be an entry with a value
like 'C:\WINDOWS\APPLIC~1\(task name).exe -QuieT'; delete
it. The name of this entry changes in different variants;
known names are:
abtu
brchfgl
brfrgroo
chytrw
eeullz
eedrtss
lldrlyk
lssxsh
stoafv
oooami
oooik
oucno
phqtr
pprwly
qncu
stjlee
uaouea
trglckea
xckja
ymste
zvoah
In the lop/Active variant, there will instead be
a 'winactive' entry pointing to winactive.exe. Delete
this too.
You should also delete the following entries if you have
them and they are not just blank:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersi
on\Telephony\DomainName
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\M
STCP\Domain
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip
\Parameters\Domain
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip
\Parameters\Interfaces\{...check all interfaces...}
\Domain
Also you can remove the lop settings key if you can find
it; it is inside HKEY_LOCAL_MACHINE\Software and has,
again, a varying name; known examples are:
ckotetlllyllshz
kseateasteestoe
rhvlveasteafpr
ssaxstxoaieoagrh
TrinityAYB (lop/Trinity variant)
You can also reset your homepage (from Internet Options-
General) and search settings (Internet Options->Programs-
Reset Web Settings), and delete the entries added to
your Favorites menu. If you use Netscape/Mozilla you will
need to reset the home page (Edit->Preferences-
Navigator) and remove the Bookmarks too.
You may also wish to check your computer for diallers, as
the lop.com site has been known to include dialler
installers. If you have the lop/IMZ variant it is also
possible that FavoriteMan/IMZ may have installed other
parasites such as BargainBuddy, IGetNet and n-Case.
FavoriteMan/F1, ZZ, IMZ, Icm/Int and ATPartners may offer
a removal feature: go to Add/Remove Programs in the
Control Panel, choose 'F1', 'ZZ', 'IMZ', 'Netpal Games'
or 'ATP' and click 'Remove'.
BargainBuddy - Some versions can be removed from the
Add/Remove Programs option in the Control Panel. This
option seems to be missing in the newer Net2Phone
version.
Then delete temp folders Start > Run > type %temp% and
delete all found in this folder as none are needed then
delete cookies Start > Control Panel > Internet Options
and then delete cookies
Like i say though Spybot & adaware target this company so
running them in safe mode might delete everyhting for you
Good luck Andy
)