Shoutbox

And yet another example... - Printable Version

-Shoutbox (https://shoutbox.menthix.net)

And yet another example... by Nitemistress on 12-07-2004 at 10:48 PM

I have been looking through one of my favourite torrent sites for new versions of programs etc. and ran across a C2 Media/Lop Spyware Remover; unfortunately, at the moment no one has it seeded. I have been waiting over an hour for it to kick in. The person who posted the torrent originally gave a very long and detailed description of it, along with what it can remove etc. At one point he says:

quote:
Also bundled with software downloads from edonkey.com (note: the real 'eDonkey' software site is at edonkey2000.com), fake 'cracks' or key generators from software-piracy sites, and Patchou's MSN Messenger Plus.


My reply was:

quote:
Thank you for this, am hoping someone seeds it. I will make sure to once I get it. I have many people who could benefit from this though I have to say that
QUOTE 
and Patchou's MSN Messenger Plus.

is not totally accurate. MSN Messenger Plus is an excellent messenger add-on and Patchou does indeed have a sponsor BUT, and I stress this, it is COMPLETELY VOLUNTARY whether you use it or not. When installing Plus! you are given the option to install with OR WITHOUT the sponsor.

Hopefully this link will work but if not I have saved the original posting.

http://www.phoenix-torrents.com/index.php?showtopic=67156&st=0

RE: And yet another example... by CookieRevised on 12-08-2004 at 04:05 AM

quote:
Originally posted by Nitemistress
Also bundled with software downloads from edonkey.com (note: the real 'eDonkey' software site is at edonkey2000.com), fake 'cracks' or key generators from software-piracy sites, and Patchou's MSN Messenger Plus.
Too small a quote to judge, especially if it is from a bigger readme.

quote:
Originally posted by Nitemistress
Hopefully this link will work but if not I have saved the original posting.
http://www.phoenix-torrents.com/index.php?showtopic=67156&st=0
guests are not allowed on that forum...

RE: And yet another example... by Nitemistress on 12-08-2004 at 04:16 AM

It's very long but here is the entire post.

Description.
---------------------
To use this tool:
Click on the removelop.exe icon (VB), then, as you think nought is happening, reboot and voilà!
Your system is free from ALL below:-
---------------------------------------------------------------
LOP is a family of programs that set your start page and IE's search features to use the site lop.com ('Live Online Portal') or one of its clone sites. Known lop sites include:

* aavc.com
* acjp.com
* ebch.com
* ebdv.com
* ebdw.com
* ebjp.com
* ebkn.com
* ebky.com
* eblv.com
* ebmu.com
* ebvr.com
* ecmh.com
* ecpm.com
* ecwz.com
* ecyb.com
* eduy.com
* eeev.com
* ibmx.com
* icwb.com
* icwo.com
* icwp.com
* iddh.com
* idhh.com
* ifiz.com
* iguu.com
* samz.com
* saoe.com
* sbjr.com
* sbnl.com
* sbnt.com
* sbvr.com
* scbm.com
* sckr.com
* scrk.com
* sdry.com
* seld.com
* sfux.com
* sipo.com
* smds.com
* srib.com
* srox.com
* srsf.com
* ssaw.com
* ssby.com
* surj.com
* tbvg.com
* tdak.com
* tdko.com
* tdmy.com
* tefs.com
* tfil.com
* thko.com
* tjar.com
* tjaw.com
* tjdo.com
* tjem.com
* tjgo.com
* torc.com
* wabq.com
* wabu.com
* wbkb.com
* wfix.com
* wflu.com

Also sbee.com and scmb.com, which no longer house lop clones, are believed to have been used in the past.

In newer variants, changing your home page back results in the new home page being 'framed' by a 'passthrough' frameset from lop, which adds a lop search bar to the bottom of the page.

It also adds shortcuts to advertisers. Finally it adds a task to run on startup which sets your homepage and search back to lop if you change them.

Variants

lop/Trinity is an old variant of the software, which only adds the shortcuts and does the homepage/search hijacking.

lop/Dialer is a plain porn dialler delivered with the startup task.

lop/Toolbar: includes the startup task and an IE toolbar with more lop links. This variant can be detected by the script at this site.

lop/Rnd: a version of lop/Toolbar that uses completely random class IDs as well as pseudo-random filenames, making it difficult to detect.

lop/AYB: a URL protocol module used by the MP3Search (or similar) minibrowser launched by the startup task. This variant can be detected by the script at this site; having it is usually a sign you may have lop/Toolbar or lop/Rnd as well.

lop/Loader: an installer process that opens a small progress window in the middle of the screen and loads and runs both lop/AYB and either lop/Toolbar or lop/Rnd.

lop/IMZ: an installer process like lop/Loader, but installing lop/Rnd and FavoriteMan/IMZ. lop/AYB is not installed, so the script at this site usually cannot detect lop/IMZ installations.

lop/Active: an update of lop/Rnd which monitors web pages viewed for keywords, and sets the buttons in the toolbar to match. This also opens a floating window on the desktop on startup. Can also hijack to active-max.com, mysearchnow.com, searchwebnow.com or find-quick.com as well as one of the traditional four-letter domains.

Also known as

C2 by Spybot, after the company (C2 Media) that makes it. Troj/Tubmo by Sophos anti-virus, for unknown reasons.

Distribution

Installed by ActiveX from many sites, often pop-up ads.

There are often pop-up loops (pop-ups opening pop-ups endlessly) for sites claiming to be MP3 search and download tools, which try to exploit the confusion caused by this to install lop. However, lop downloaders have also appeared on some mainstream ad networks.

The executable file pointed to by the ActiveX downloader is likely to have a name like:

* mp3.exe
* mp3search.exe
* mp3_finder.exe
* mp3_plugin.exe
* mp3Software_plugin.exe
* napster2.exe
* FreeMP3.exe
* freemp3s.exe
* freemp3z.exe
* FreeMP3Music.exe
* free_deals.exe
* free_plugin.exe
* freeplugin.exe
* Software_Plugin.exe
* Download_Plugin.exe
* download_file.exe
* The_Ultimate_Browser_Enhancer.exe
* sex_viewer.exe
* free_sex_viewer.exe
* Adult_Software.exe
* keygen33win.exe
* download_serial.exe
* free_warez.exe

Also bundled with software downloads from edonkey.com (note: the real 'eDonkey' software site is at edonkey2000.com), fake 'cracks' or key generators from software-piracy sites, and Patchou's MSN Messenger Plus.

What it does

Advertising

Yes. Some shortcut icons are added to the desktop. Many more are added to the Favorites menu. More are on an IE toolbar called 'Accessories'. The process run on startup also occasionally pops up adverts.

Privacy violation

No.

Security issues

Yes. The startup process can download and execute arbitrary code from its controlling server.

Stability problems

Running the software may cause many 'dial-up connection' requests to appear if you are not connected. Windows seems to hang temporarily for a few minutes when this happens.

Removal

lop/Toolbar installations normally put a round icon in the system tray; try right-clicking this, choosing 'Menu', then, on the resulting window, clicking 'Help', then 'Uninstall'. With newer variants you will have to answer an annoying riddle before it will go away.

lop/Rnd installations do not put the icon in the system tray, but may add an entry to the Control Panel's Add/Remove Programs list, which can be used to uninstall in the same way. The name of the uninstall option varies randomly but tends to follow a pattern, e.g.:

* Browser Enhance r
* Brows er Enhancer
* Ultimate Browse r Enhancer
* Ultimate Browser En hancer
* L.O P. Un insta11
* L O.P. Un instal1
* Live 0n line Portal
* Live.0nli ne Porta1

lop/Active installations have an additional 'Window Active' entry that should also be removed.

Manual removal

Open the Application Data folder. This can be found inside the Windows folder on Windows 95/98/Me; on Windows 2000 and XP it is inside your user folder in 'Documents and Settings', but it's hidden, so go to Tools->Folder Options->View and turn on 'Show hidden files and folders' to see it. In Windows NT 4.0 it is in the user folder inside 'WinNT\Profiles'.

The filenames of lop files can vary for each different installation, but usually under Windows there should not be any files inside Application Data (only folders), so it's generally easy to pick out the culprits. Known filenames for the toolbar DLL (lop/Toolbar, lop/Rnd) or ayb: protocol DLL (lop/AYB) include:

* blztstull[letter 'a', 'c', 'j', 'p', 's', 't' or 'y'].dll
* blztstull['pr', 'tr' or 'oo'].dll
* chksbdrlya.dll
* dmvcrthl.exe
* eaeeishllblc.dll
* eelykofrllfrpr.dll
* eelykofrllfrj.dll
* ealymfrprwch.dll
* epllkeeoopr.dll
* freabrlaouw.dll
* gldqumssfrie.dll
* hglllyxrxw.dll
* icdrhwno.dll
* heeachmstll.dll
* meepajlr.dll
* ousszidrta.dll
* plg_ie[any digit].dll
* prxzoustustgr.dll
* prnouestssstx.dll
* quizbt[any digit].dll
* quglwachfs.dll
* sstroallhqch.dll
* tblchepruprgr.dll
* trdzhtxf.exe
* trstshcrscksr.dll
* ukfroigl.dll
* upckeetoutw.dll
* veaeyglckr.dll
* woafrquzn.dll
* yeecrsoustoull.dll
* ziebaeeoaeepr.dll

Known filenames for the system tray task and hijacker file include:

* asshuktr.exe
* bilyooas.exe
* byb_save.exe
* crgbeaoa.exe
* eaymulyl.exe
* eeublidc.exe
* glxshmcr.exe
* ijlysseb.exe
* jqumysto.exe
* kfriegbs.exe
* llfggrdr.exe
* lltckiey.exe
* lopsearc.exe
* meemnckyqbr.exe
* meepajlr.exe
* mprcouie.exe
* oofrkxpe.exe
* peebqusz.exe
* quveioot.exe
* shoucrck.exe
* ssmeeibl.exe
* tchpeatr.exe
* tglblrll.exe
* trstdris.exe
* ulyuiexeechp.exe
* vestufck.exe
* vfthrcbr.exe
* xogyfhp.exe
* ykphmbre.exe
* ylynfste.exe

Other files you may find with some versions include icon libraries (known filenames tchejea.lib and iCndE.lib) and loads of GIFs. These can all be deleted too. You might also have some of the following files in the Windows folder:

* desktop.htm
* dnserror.htm
* jexpoofro.htm
* i_dnserr.gif
* s_dnserr.gif
* r_dnserr.gif
* b_dnserr.gif
* tiejexpoo.gif
* xiejexpoo.gif
* oiejexpoo.gif
* uiejexpoo.gif

Open the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. If you have not used the uninstall feature there should still be an entry with a value like 'C:\WINDOWS\APPLIC~1\(task name).exe -QuieT'; delete it. The name of this entry changes in different variants; known names are:

* abtu
* brchfgl
* brfrgroo
* chytrw
* eeullz
* eedrtss
* lldrlyk
* lssxsh
* stoafv
* oooami
* oooik
* oucno
* phqtr
* pprwly
* qncu
* stjlee
* uaouea
* trglckea
* xckja
* ymste
* zvoah

In the lop/Active variant, there will instead be a 'winactive' entry pointing to winactive.exe. Delete this too.

You should also delete the following entries if you have them and they are not just blank:

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Telephony\DomainName
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP\Domain
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Domain
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{...check all interfaces...}\Domain

Also you can remove the lop settings key if you can find it; it is inside HKEY_LOCAL_MACHINE\Software and has, again, a varying name; known examples are:

* ckotetlllyllshz
* kseateasteestoe
* rhvlveasteafpr
* ssaxstxoaieoagrh
* TrinityAYB (lop/Trinity variant)

Next, if you have not used the uninstall feature, open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u [name of DLL]

substituting the full filename of the DLL, whatever its name is, in Application Data. Tip: You can drag the DLL file from Explorer onto the DOS command prompt window to put the name in so you don't have to type it all out.

Finally, reboot Windows and you should be able to delete all the files mentioned above, along with the shortcuts added to the desktop and the favorites menu. For the lop/Active variant you should delete the entire 'Active Window' folder inside Program Files.

You can also reset your homepage (from Internet Options->General) and search settings (Internet Options->Programs->Reset Web Settings), and delete the entries added to your Favorites menu. If you use Netscape/Mozilla you will need to reset the home page (Edit->Preferences->Navigator) and remove the Bookmarks too.

You may also wish to check your computer for diallers, as the lop.com site has been known to include dialler installers. If you have the lop/IMZ variant it is also possible that FavoriteMan/IMZ may have installed other parasites such as BargainBuddy, IGetNet and n-Case.
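
The manual-removal checks in the readme quoted above (loose files in Application Data, the Run-key entry launched with -QuieT, the Domain values that should be blank, and the spaced-out or 0/1-substituted Add/Remove names) can be turned into a small offline audit. The following is an added Python example; it is not code from the thread, from the readme's author, or from the removal tool it describes. The registry export and the directory listing are constructed samples, and the function names (`parse_reg_export`, `suspicious_run_entries`, `nonblank_domain_values`, `loose_files_in_appdata`, `normalize_uninstall_name`) are my own. The name normaliser generalises the trick the readme's list shows (inserted spaces, 0 for o, 1 for l) rather than matching the eight listed spellings one by one.

```python
"""Offline audit of the lop / C2 Media indicators described in the readme above.
Added example, not code from the thread, the readme's author or the removal tool it
describes; the registry export and directory listing are constructed samples."""
import re

# Run-key value names the readme lists for the startup task.
KNOWN_RUN_NAMES = {
    "abtu", "brchfgl", "brfrgroo", "chytrw", "eeullz", "eedrtss", "lldrlyk",
    "lssxsh", "stoafv", "oooami", "oooik", "oucno", "phqtr", "pprwly", "qncu",
    "stjlee", "uaouea", "trglckea", "xckja", "ymste", "zvoah",
}
# A subset of the readme's file names, with its wildcard entries as regexes.
KNOWN_FILE_PATTERNS = [
    re.compile(r"^blztstull(?:[acjpsty]|pr|tr|oo)\.dll$", re.I),
    re.compile(r"^(?:plg_ie|quizbt)\d\.dll$", re.I),
    re.compile(r"^(?:chksbdrlya|eaeeishllblc|meepajlr|woafrquzn)\.dll$", re.I),
    re.compile(r"^(?:eeublidc|lopsearc|byb_save|meepajlr)\.exe$", re.I),
    re.compile(r"^(?:tchejea|iCndE)\.lib$", re.I),
]
# Add/Remove names appear with inserted spaces and 0/1 for o/l; fold those away.
CANONICAL_UNINSTALL_NAMES = {
    "browserenhancer": "Browser Enhancer",
    "ultimatebrowserenhancer": "Ultimate Browser Enhancer",
    "lopuninstall": "L.O.P. Uninstall",
    "liveonlineportal": "Live Online Portal",
}
_LOOKALIKES = str.maketrans({"0": "o", "1": "l"})
_REG_KEY = re.compile(r"^\[(.+)\]$")
_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
_DOMAIN_KEYS = re.compile(r"\\(Telephony|MSTCP|Tcpip\\Parameters(\\Interfaces\\[^\\]+)?)$", re.I)


def parse_reg_export(text):
    """Yield (key, value_name, data) from a REGEDIT4-style export (string values only)."""
    key = None
    for line in (raw.strip() for raw in text.splitlines()):
        m = _REG_KEY.match(line)
        if m:
            key = m.group(1)
            continue
        m = _REG_VALUE.match(line)
        if m and key is not None:
            # .reg exports double every backslash; undo that.
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def suspicious_run_entries(text):
    """Flag Run values that look like the readme's startup task or lop/Active entry."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        reasons = []
        if re.search(r"\\APPLIC~1\\[^\\]+\.exe\s+-QuieT$", data, re.I):
            reasons.append("Application Data executable started with -QuieT")
        if name.lower() in KNOWN_RUN_NAMES:
            reasons.append("value name on the readme's known list")
        if name.lower() == "winactive" or data.lower().endswith("winactive.exe"):
            reasons.append("lop/Active 'winactive' entry")
        if reasons:
            hits.append({"name": name, "command": data, "reasons": reasons})
    return hits


def nonblank_domain_values(text):
    """Return the non-empty Domain/DomainName values under the keys the readme names."""
    return [(key, data) for key, name, data in parse_reg_export(text)
            if name.lower() in ("domain", "domainname") and data.strip()
            and _DOMAIN_KEYS.search(key)]


def loose_files_in_appdata(entries):
    """Application Data should hold only folders; list the files, tagging known lop names."""
    return [{"name": n, "known_lop_name": any(p.match(n) for p in KNOWN_FILE_PATTERNS)}
            for n, is_dir in entries if not is_dir]


def normalize_uninstall_name(name):
    """Map a disguised Add/Remove entry to its canonical lop name, or None."""
    folded = re.sub(r"[^a-z]", "", name.lower().translate(_LOOKALIKES))
    return CANONICAL_UNINSTALL_NAMES.get(folded)


# Constructed sample: partial export of the keys the readme says to inspect.
SAMPLE_REG_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"eeullz"="C:\\WINDOWS\\APPLIC~1\\eeublidc.exe -QuieT"
"winactive"="C:\\PROGRA~1\\ACTIVE~1\\winactive.exe"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
"Domain"=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Telephony]
"DomainName"="hijack-example.invalid"
'''
# Constructed sample: (name, is_folder) entries from Application Data.
SAMPLE_APPDATA_LISTING = [
    ("Microsoft", True), ("Identities", True), ("eeublidc.exe", False),
    ("blztstulla.dll", False), ("plg_ie3.dll", False), ("tchejea.lib", False),
    ("zzqfake.dll", False),
]

if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_REG_EXPORT), nonblank_domain_values(SAMPLE_REG_EXPORT))
    print(loose_files_in_appdata(SAMPLE_APPDATA_LISTING), normalize_uninstall_name("L.O P. Un insta11"))
```

On a real machine the input would be a regedit export of the Run, Tcpip and Telephony keys and a listing of the Application Data folder; the logic is kept in plain functions so it runs and can be checked without touching a live registry. Note that the blank `Domain` value is deliberately not reported, matching the readme's "if they are not just blank" caveat, and that a file which is not on the known list is still listed, since the readme's point is that Application Data should contain no files at all.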


RE: And yet another example... by CookieRevised on 12-08-2004 at 06:04 AM

that's one hell of a really confusing readme...

Also, now that I see the context of the quote: the quote is correct and there is nothing wrong with it.

quote:
Also bundled with software downloads from edonkey.com, fake 'cracks' or key generators from software-piracy sites, and Patchou's MSN Messenger Plus.
There is indeed a lop sponsor bundled with Messenger Plus!. Nowhere did he say which kind of lop sponsor version is optional with which software.

Although just picking out Messenger Plus! like he did isn't all too fair. There are many, many more programs that come with the lop sponsor in one way or the other...

RE: And yet another example... by Nitemistress on 12-08-2004 at 09:21 AM

That's pretty much what I thought when I read it too. I know that many different programs use variations of the lop sponsor, but I didn't find it fair to specifically mention Plus! And yes, it is rather confusing, especially to someone like me who isn't nearly as computer-knowledgeable as so many of you in here are. Made my head spin, I can tell ya!! LOL