Shoutbox » MsgHelp Archive » Messenger Plus! for Live Messenger » WLM Plus! Help » And yet another example...

And yet another example...
Nitemistress
Full Member

Do your parents know you read this?

Posts: 150
66 / Female / –
Joined: Feb 2003
O.P. RE: And yet another example...
It's very long but here is the entire post.

Description.
---------------------
To use this tool:
Click on the removelop.exe icon (VB), then, as you think nought is happening, reboot and voila!
Your system is free from ALL below:-
---------------------------------------------------------------
LOP is a family of programs that set your start page and IE's search features to use the site lop.com ('Live Online Portal') or one of its clone sites. Known lop sites include:

* aavc.com
* acjp.com
* ebch.com
* ebdv.com
* ebdw.com
* ebjp.com
* ebkn.com
* ebky.com
* eblv.com
* ebmu.com
* ebvr.com
* ecmh.com
* ecpm.com
* ecwz.com
* ecyb.com
* eduy.com
* eeev.com
* ibmx.com
* icwb.com
* icwo.com
* icwp.com
* iddh.com
* idhh.com
* ifiz.com
* iguu.com
* samz.com
* saoe.com
* sbjr.com
* sbnl.com
* sbnt.com
* sbvr.com
* scbm.com
* sckr.com
* scrk.com
* sdry.com
* seld.com
* sfux.com
* sipo.com
* smds.com
* srib.com
* srox.com
* srsf.com
* ssaw.com
* ssby.com
* surj.com
* tbvg.com
* tdak.com
* tdko.com
* tdmy.com
* tefs.com
* tfil.com
* thko.com
* tjar.com
* tjaw.com
* tjdo.com
* tjem.com
* tjgo.com
* torc.com
* wabq.com
* wabu.com
* wbkb.com
* wfix.com
* wflu.com

Also sbee.com and scmb.com, which no longer house lop clones, are believed to have been used in the past.

In newer variants, changing your home page back results in the new home page being 'framed' by a 'passthrough' frameset from lop, which adds a lop search bar to the bottom of the page.

It also adds shortcuts to advertisers. Finally it adds a task to run on startup which sets your homepage and search back to lop if you change them.

Variants

lop/Trinity is an old variant of the software, which only adds the shortcuts and does the homepage/search hijacking.

lop/Dialer is a plain porn dialler delivered with the startup task.

lop/Toolbar: includes the startup task and an IE toolbar with more lop links. This variant can be detected by the script at this site.

lop/Rnd: a version of lop/Toolbar that uses completely random class IDs as well as pseudo-random filenames, making it difficult to detect.

lop/AYB: a URL protocol module used by the MP3Search (or similar) minibrowser launched by the startup task. This variant can be detected by the script at this site; having it is usually a sign you may have lop/Toolbar or lop/Rnd as well.

lop/Loader: an installer process that opens a small progress window in the middle of the screen and loads and runs both lop/AYB and either lop/Toolbar or lop/Rnd.

lop/IMZ: an installer process like lop/Loader, but installing lop/Rnd and FavoriteMan/IMZ. lop/AYB is not installed, so the script at this site usually cannot detect lop/IMZ installations.

lop/Active: an update of lop/Rnd which monitors web pages viewed for keywords, and sets the buttons in the toolbar to match. This also opens a floating window on the desktop on startup. Can also hijack to active-max.com, mysearchnow.com, searchwebnow.com or find-quick.com as well as one of the traditional four-letter domains.

Also known as

C2 by Spybot, after the company (C2 Media) that makes it. Troj/Tubmo by Sophos anti-virus, for unknown reasons.

Distribution

Installed by ActiveX from many sites, often pop-up ads.

There are often pop-up loops (pop-ups opening pop-ups endlessly) for sites claiming to be MP3 search and download tools, which try to exploit the confusion caused by this to install lop. However, lop downloaders have also appeared on some mainstream ad networks.

The executable file pointed to by the ActiveX downloader is likely to have a name like:

* mp3.exe
* mp3search.exe
* mp3_finder.exe
* mp3_plugin.exe
* mp3Software_plugin.exe
* napster2.exe
* FreeMP3.exe
* freemp3s.exe
* freemp3z.exe
* FreeMP3Music.exe
* free_deals.exe
* free_plugin.exe
* freeplugin.exe
* Software_Plugin.exe
* Download_Plugin.exe
* download_file.exe
* The_Ultimate_Browser_Enhancer.exe
* sex_viewer.exe
* free_sex_viewer.exe
* Adult_Software.exe
* keygen33win.exe
* download_serial.exe
* free_warez.exe

Also bundled with software downloads from edonkey.com (note: the real 'eDonkey' software site is at edonkey2000.com), fake 'cracks' or key generators from software-piracy sites, and Patchou's MSN Messenger Plus.

What it does
Advertising

Yes. Some shortcut icons are added to the desktop. Many more are added to the Favorites menu. More are on an IE toolbar called 'Accessories'. The process run on startup also occasionally pops up adverts.

Privacy violation

No.

Security issues

Yes. The startup process can download and execute arbitrary code from its controlling server.

Stability problems

Running the software may cause many 'dial-up connection' requests to appear if you are not connected. Windows seems to hang temporarily for a few minutes when this happens.

Removal

lop/Toolbar installations normally put a round icon in the system tray; try right-clicking this, choosing 'Menu', then on the resulting window, clicking 'Help', then 'Uninstall'. With newer variants you will have to answer an annoying riddle before it will go away.

lop/Rnd installations do not put the icon in the system tray, but may add an entry to the Control Panel's Add/Remove Programs list, which can be used to uninstall in the same way. The name of the uninstall option varies randomly but tends to follow a pattern, e.g.:

* Browser Enhance r
* Brows er Enhancer
* Ultimate Browse r Enhancer
* Ultimate Browser En hancer
* L.O P. Un insta11
* L O.P. Un instal1
* Live 0n line Portal
* Live.0nli ne Porta1

lop/Active installations have an additional 'Window Active' entry that should also be removed.

Manual removal

Open the Application Data folder. This can be found inside the Windows folder on Windows 95/98/Me; on Windows 2000 and XP it is inside your user folder in 'Documents and Settings', but it's hidden, so go to Tools->Folder Options->View and turn on 'Show hidden files and folders' to see it. In Windows NT 4.0 it is in the user folder inside 'WinNT\Profiles'.

The filenames of lop files can vary for each different installation, but usually under Windows there should not be any files inside Application Data (only folders), so it's generally easy to pick out the culprits. Known filenames for the toolbar DLL (lop/Toolbar, lop/Rnd) or ayb: protocol DLL (lop/AYB) include:

* blztstull[letter 'a', 'c', 'j', 'p', 's', 't' or 'y'].dll
* blztstull['pr', 'tr' or 'oo'].dll
* chksbdrlya.dll
* dmvcrthl.exe
* eaeeishllblc.dll
* eelykofrllfrpr.dll
* eelykofrllfrj.dll
* ealymfrprwch.dll
* epllkeeoopr.dll
* freabrlaouw.dll
* gldqumssfrie.dll
* hglllyxrxw.dll
* icdrhwno.dll
* heeachmstll.dll
* meepajlr.dll
* ousszidrta.dll
* plg_ie[any digit].dll
* prxzoustustgr.dll
* prnouestssstx.dll
* quizbt[any digit].dll
* quglwachfs.dll
* sstroallhqch.dll
* tblchepruprgr.dll
* trdzhtxf.exe
* trstshcrscksr.dll
* ukfroigl.dll
* upckeetoutw.dll
* veaeyglckr.dll
* woafrquzn.dll
* yeecrsoustoull.dll
* ziebaeeoaeepr.dll

Known filenames for the system tray task and hijacker file include:

* asshuktr.exe
* bilyooas.exe
* byb_save.exe
* crgbeaoa.exe
* eaymulyl.exe
* eeublidc.exe
* glxshmcr.exe
* ijlysseb.exe
* jqumysto.exe
* kfriegbs.exe
* llfggrdr.exe
* lltckiey.exe
* lopsearc.exe
* meemnckyqbr.exe
* meepajlr.exe
* mprcouie.exe
* oofrkxpe.exe
* peebqusz.exe
* quveioot.exe
* shoucrck.exe
* ssmeeibl.exe
* tchpeatr.exe
* tglblrll.exe
* trstdris.exe
* ulyuiexeechp.exe
* vestufck.exe
* vfthrcbr.exe
* xogyfhp.exe
* ykphmbre.exe
* ylynfste.exe

Other files you may find with some versions include icon libraries (known filenames tchejea.lib and iCndE.lib) and loads of GIFs. These can all be deleted too. You might also have some of the following files in the Windows folder:

* desktop.htm
* dnserror.htm
* jexpoofro.htm
* i_dnserr.gif
* s_dnserr.gif
* r_dnserr.gif
* b_dnserr.gif
* tiejexpoo.gif
* xiejexpoo.gif
* oiejexpoo.gif
* uiejexpoo.gif

Open the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. If you have not used the uninstall feature there should still be an entry with a value like 'C:\WINDOWS\APPLIC~1\(task name).exe -QuieT'; delete it. The name of this entry changes in different variants; known names are:

* abtu
* brchfgl
* brfrgroo
* chytrw
* eeullz
* eedrtss
* lldrlyk
* lssxsh
* stoafv
* oooami
* oooik
* oucno
* phqtr
* pprwly
* qncu
* stjlee
* uaouea
* trglckea
* xckja
* ymste
* zvoah

In the lop/Active variant, there will instead be a 'winactive' entry pointing to winactive.exe. Delete this too.

You should also delete the following entries if you have them and they are not just blank:

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Telephony\DomainName
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP\Domain
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Domain
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{...check all interfaces...}\Domain

Also you can remove the lop settings key if you can find it; it is inside HKEY_LOCAL_MACHINE\Software and has, again, a varying name; known examples are:

* ckotetlllyllshz
* kseateasteestoe
* rhvlveasteafpr
* ssaxstxoaieoagrh
* TrinityAYB (lop/Trinity variant)

Next, if you have not used the uninstall feature, open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u [name of DLL]

substituting the full filename of the DLL, whatever its name is, in Application Data. Tip: You can drag the DLL file from Explorer onto the DOS command prompt window to put the name in so you don't have to type it all out.

Finally, reboot Windows and you should be able to delete all the files mentioned above, along with the shortcuts added to the desktop and the favorites menu. For the lop/Active variant you should delete the entire 'Active Window' folder inside Program Files.

You can also reset your homepage (from Internet Options->General) and search settings (Internet Options->Programs->Reset Web Settings), and delete the entries added to your Favorites menu. If you use Netscape/Mozilla you will need to reset the home page (Edit->Preferences->Navigator) and remove the Bookmarks too.

You may also wish to check your computer for diallers, as the lop.com site has been known to include dialler installers. If you have the lop/IMZ variant it is also possible that FavoriteMan/IMZ may have installed other parasites such as BargainBuddy, IGetNet and n-Case.
12-08-2004 04:16 AM
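The manual-removal section above boils down to three checks: is the start page pointing at one of the lop domains, is there a Run entry of the shape `C:\WINDOWS\APPLIC~1\(task name).exe -QuieT`, and are there loose files (not folders) sitting in Application Data. The script below is an added example written for this archive page; it is not removelop.exe, not the script from the site the post quotes, and not anything Nitemistress posted. It encodes the indicator lists from the post and runs them over constructed sample data (a made-up Run-key dump, directory listing and start-page URL) so it can be executed offline; on a real Windows 9x/XP machine you would feed it the live Run key (via winreg) and an os.scandir() of Application Data instead. The useful point it makes is the one the post hints at: the Run value name is random per install, but the value shape is stable, so matching on the shape catches names that are not in the list yet.

```python
"""Offline triage of the lop indicators quoted in the post above.
Added example: not the removelop.exe tool and not code from the post's source.
Inputs are constructed samples standing in for a Run-key export, an
Application Data listing and IE's start page."""
import re

# Start-page / search hijack targets named in the post (the four-letter
# clone sites plus the lop/Active ones).
LOP_DOMAINS = set("""
lop.com aavc.com acjp.com ebch.com ebdv.com ebdw.com ebjp.com ebkn.com ebky.com
eblv.com ebmu.com ebvr.com ecmh.com ecpm.com ecwz.com ecyb.com eduy.com eeev.com
ibmx.com icwb.com icwo.com icwp.com iddh.com idhh.com ifiz.com iguu.com samz.com
saoe.com sbjr.com sbnl.com sbnt.com sbvr.com scbm.com sckr.com scrk.com sdry.com
seld.com sfux.com sipo.com smds.com srib.com srox.com srsf.com ssaw.com ssby.com
surj.com tbvg.com tdak.com tdko.com tdmy.com tefs.com tfil.com thko.com tjar.com
tjaw.com tjdo.com tjem.com tjgo.com torc.com wabq.com wabu.com wbkb.com wfix.com
wflu.com active-max.com mysearchnow.com searchwebnow.com find-quick.com
""".split())

# Value names seen for the startup task under HKLM\...\CurrentVersion\Run,
# plus lop/Active's 'winactive'.
RUN_ENTRY_NAMES = set("""
abtu brchfgl brfrgroo chytrw eeullz eedrtss lldrlyk lssxsh stoafv oooami oooik
oucno phqtr pprwly qncu stjlee uaouea trglckea xckja ymste zvoah winactive
""".split())

# The name varies per install, but the value shape does not: an 8.3 path into
# Application Data followed by the -QuieT switch.
RUN_VALUE_RE = re.compile(r"APPLIC~1\\[^\\\s]+\.exe\s+-QuieT", re.IGNORECASE)

# Fixed filenames from the post (toolbar/ayb DLLs, tray tasks, icon libraries).
KNOWN_FILES = set("""
chksbdrlya.dll dmvcrthl.exe eaeeishllblc.dll eelykofrllfrpr.dll eelykofrllfrj.dll
ealymfrprwch.dll epllkeeoopr.dll freabrlaouw.dll gldqumssfrie.dll hglllyxrxw.dll
icdrhwno.dll heeachmstll.dll meepajlr.dll ousszidrta.dll prxzoustustgr.dll
prnouestssstx.dll quglwachfs.dll sstroallhqch.dll tblchepruprgr.dll trdzhtxf.exe
trstshcrscksr.dll ukfroigl.dll upckeetoutw.dll veaeyglckr.dll woafrquzn.dll
yeecrsoustoull.dll ziebaeeoaeepr.dll asshuktr.exe bilyooas.exe byb_save.exe
crgbeaoa.exe eaymulyl.exe eeublidc.exe glxshmcr.exe ijlysseb.exe jqumysto.exe
kfriegbs.exe llfggrdr.exe lltckiey.exe lopsearc.exe meemnckyqbr.exe meepajlr.exe
mprcouie.exe oofrkxpe.exe peebqusz.exe quveioot.exe shoucrck.exe ssmeeibl.exe
tchpeatr.exe tglblrll.exe trstdris.exe ulyuiexeechp.exe vestufck.exe vfthrcbr.exe
xogyfhp.exe ykphmbre.exe ylynfste.exe tchejea.lib icnde.lib
""".split())
# Filenames the post gives with a variable letter or digit.
FILE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^blztstull([acjpsty]|pr|tr|oo)\.dll$", r"^plg_ie\d\.dll$", r"^quizbt\d\.dll$")]


def hijacked_domain(url):
    """Return the lop domain a start/search page URL points at, else None."""
    m = re.match(r"^(?:https?://)?(?:www\.)?([^/:?#]+)", url.strip())
    if not m:
        return None
    host = m.group(1).lower()
    return next((d for d in LOP_DOMAINS if host == d or host.endswith("." + d)), None)


def suspicious_run_entries(run_entries):
    """run_entries: {value name: command}. Flag by known name OR by value
    shape, so a fresh random name is still caught."""
    return sorted(n for n, cmd in run_entries.items()
                  if n.lower() in RUN_ENTRY_NAMES or RUN_VALUE_RE.search(cmd))


def suspicious_appdata_files(listing):
    """listing: [(name, is_dir)]. Application Data normally holds only
    folders, so every loose file is reported; known lop names are marked."""
    out = []
    for name, is_dir in listing:
        if is_dir:
            continue
        known = name.lower() in KNOWN_FILES or any(p.match(name) for p in FILE_PATTERNS)
        out.append((name, "known-lop" if known else "unexpected-file"))
    return out


# Constructed samples (not a real registry or directory dump).
SAMPLE_RUN = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "brfrgroo": r"C:\WINDOWS\APPLIC~1\jqumysto.exe -QuieT",
    "zzqqrr": r"C:\WINDOWS\APPLIC~1\peebqusz.exe -QuieT",  # unknown name, known shape
    "winactive": r"C:\Program Files\Active Window\winactive.exe",
}
SAMPLE_APPDATA = [("Microsoft", True), ("Identities", True),
                  ("blztstullpr.dll", False), ("plg_ie3.dll", False),
                  ("jqumysto.exe", False), ("tchejea.lib", False), ("zzrandom.dll", False)]


def triage(start_page, run_entries, listing):
    """Combine the three checks into one report dict."""
    return {"hijack": hijacked_domain(start_page),
            "run": suspicious_run_entries(run_entries),
            "files": suspicious_appdata_files(listing)}


if __name__ == "__main__":
    print(triage("http://www.ebdv.com/?id=4", SAMPLE_RUN, SAMPLE_APPDATA))
```

Anything reported as `unexpected-file` is not proof of lop on its own (it may be a legitimate stray), but the post's observation that Application Data should contain only folders makes it a short list worth eyeballing before the regsvr32 /u and reboot steps.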

Messages In This Thread
And yet another example... - by Nitemistress on 12-07-2004 at 10:48 PM
RE: And yet another example... - by CookieRevised on 12-08-2004 at 04:05 AM
RE: And yet another example... - by Nitemistress on 12-08-2004 at 04:16 AM
RE: And yet another example... - by CookieRevised on 12-08-2004 at 06:04 AM
RE: And yet another example... - by Nitemistress on 12-08-2004 at 09:21 AM

