[Resolved] LOP: Making sure it's really all gone?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

AtreideS

Thread Starter
Joined
Aug 20, 2001
Messages
651
Hello,
When I woke up and turned my computer on this morning I was greeted by 10 new icons, and a little win-xp style menu bar. "Hmmm I thought... this can't be good." As it turns out, my sister (who has been told countless times not to download ANYTHING) had managed to download the LOP spyware (http://www.spywareinfo.com/articles/lop/). It seemed to trick my sister into believing she was downloading some new great mp3 finding software.
Anyway, this sent me on a quest for removal of this new LOP beast. Here is what I have done so far:
1) Opened Zone Alarm and disabled all the dodgy programs I could find. (ADGKNQ.exe, Download.exe, Kuy1.exe, Winactive.exe)
2) I updated Spybot and did a scan. Ahh nice... 40 or so new problems to fix. So I fixed them then rebooted.
3) Downloaded Ad-Aware 6, updated it and gave it a go. Ahh even better another 40 items. I deleted them and rebooted.
4) Ran Regcleaner 4.3, removed all old entries.
5) Then seeing as I was still getting a advertising window at the bottom of IE, I searched the web looking for more information. Then I remembered I good old Hijack This (which I used the last time my sister downloaded something).
6) Ran Hijack This and deleted:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank
O2 - BHO: (no name) - {4ada0832-a920-48f1-bb4a-ec201390468e} - C:\DOCUME~1\JAMES\APPLIC~1\poolyshgstea.dll
7) I headed to LadyBugSoft and found a plug-in for Internet Sweeper Pro. So I gave it a shot. It seemed to run some sort of uninstaller (which needed to connect to the internet to remove). That seemed scary to me, but I ran it anyway.
8) More internet searching. Found that lop.com provide their own uninstaller for lop. It all screamed dodgy at me, and I read 4 reports of the file actually being a trojan. So I steered clear of the 'official' option.
9) Ran StartMan and made sure all the dodgy programs were disabled.
10) Deleted the winactive folder in Program Files
11) Ran Vet (CA anti-virus) just for good measure.

Now I'm unsure what to do next. I really want to make sure this little program is gone for good. Have I missed anything crucial? The thing that is most worrying me is the ad-bar at the bottom of IE. It was removed fine after deleting the 4 entries in Hijack This. But is it still stored on my computer somewhere and I've simply disabled it from being shown in IE?
Any tips or suggestions for what else might still be left behind?
Here is my Hijack This log just to make sure I removed everything I needed to:
StartupList report, 29/09/2003, 12:13:33 PM
StartupList version: 1.52
Started from : C:\Downloads\hijackthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Vet\VetTray.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AME_CSA = rundll32 amecsa.cpl,RUN_DLL
VetTray = C:\Vet\VetTray.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
MessengerPlus2 = "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
FinePrint Dispatcher v5 = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.9470486111

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 4,499 bytes
Report generated in 0.070 seconds

Thanks for taking the time to read all this. Any suggestions are welcome. And I hope this has been a good lesson for everyone, never ever let your sister download a single file from the internet.;) Or it might just be the dreaded LOP spyware.
Thanks.:)
 

AtreideS

Thread Starter
Joined
Aug 20, 2001
Messages
651
Oh of course, silly me.:) I will post it as soon as I get the chance. Thanks Rollin' Rog.:)
 

AtreideS

Thread Starter
Joined
Aug 20, 2001
Messages
651
Logfile of HijackThis v1.97.2
Scan saved at 8:41:44 PM, on 29/09/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Vet\VetTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Downloads\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.9470486111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DFC9C4B-5963-4876-A843-E55CBEF5785E}: NameServer = 202.161.124.17 202.161.124.18
 

Metallica

Malware Specialist
Joined
Jan 28, 2003
Messages
692
That's a clean log, but check your favorites. I'm not sure about the Windows active variant, but the old ones added some folders to your favorites.

Regards,
Pieter
 
Joined
Oct 4, 2002
Messages
76
For Ad-aware 6 please use BUILD 181 and the latest reference file , to update the reference file click on the globe icon in AA6.

Set it up according to these instructions: AA6 Setup
 
Joined
Mar 9, 2003
Messages
4,699
In Hijack This, check ALL of the following items.
Next, close all browser Windows, and have HT fix all checked.

O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"


IF you are running ME or XP Disable SYSTEM RESTORE : How to disable or enable System Restore in Windows ME

How to disable or enable System Restore in Windows XP


Next reboot into Safe Mode and remove the following files and folders that are bolded

C:\Program Files\Messenger Plus! 2\MsgPlus.exe

See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.

Reboot into normal mode.

Before you re-enable system restore I would strongly recommend that you do an online virus scan at least one and preferably 2 of the following sites:

http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/

RE-ENABLE SYSTEM RESTORE and create a NEW restore point


Now download Spybot - Search & Destroy (if you haven't got the program installed already)

After installing, first press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

Reboot

Last, run HJT again and post your log again to see if anything was missed.

Thanks
 
Joined
Mar 9, 2003
Messages
4,699
This is what pacs-portal has to say about Messenger Plus! 2

MsgPlus.exe Third party MSN Messenger extension that hides banner ads and adds archiving and other useful features. Appears not to work unless checked, but may be activated after startup. Not recommended as it includes Lop.com - see here
 

AtreideS

Thread Starter
Joined
Aug 20, 2001
Messages
651
Nitehawk: I don't believe that msgplus.exe is spyware. When you install Messenger Plus 2 it has an option of whether or not to install the 'sponsor' program. Which I'm guessing is LOP.com according to that spyware info article. I've had msgplus.exe on here for a long time with no problems. It was a different download (by my sister from an mp3 site) which included lop.com. Or have I been fooled, and infact Messenger Plus always includes lop.com regardless of my choice in the installation?

normmork: Yep Yep, thankyou. I had already done that, but I'm sure many people don't realise you can update the program. I guess they just assume the latest download is the latest version.

Metallica: Yes, you are right. My favourites were 3 times as long as before. And mostly filled with 'adult entertainment' links. Surely it is illegal for lop.com to install such favourites on someone's computer without checking the user's age? My sister who installed lop.com (by accident) certainly isn't of a legal age to view such material. But anyway, it's all gone now. :)

Thanks everyone for your help. Thankyou especially nitehawk for that revelation on msgplus. I'm kind of shocked about that, as patchou has always been a 'top bloke' in my opinion. But if the lop.com spyware is automatically installed with msgplus with no choice given.... then I'm not so sure anymore.
Thanks.
 
Joined
Mar 9, 2003
Messages
4,699
Actually Tony Klein pointed out to me after I made that post that the LOP component of Messenger Plus 2 can be removed and the base program be kept. In your case, that's been done, so you can hang onto Messenger Plus 2.

Sorry for the confusion, I was going with the best knowledge I had at the time.
 

AtreideS

Thread Starter
Joined
Aug 20, 2001
Messages
651
That's quite alright. As long as I don't have LOP, I'm happy:). Thanks once again for your help.
 
Joined
Aug 10, 2003
Messages
401
Originally posted by NiteHawk:
Actually Tony Klein pointed out to me after I made that post that the LOP component of Messenger Plus 2 can be removed and the base program be kept.
How's that then? Can you just fix the following in HT?
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"

Does it mean a fresh install of messenger plus 2 ensuring not to select the lop.com install option, as AtreideS has done?
I was also under the (mistaken, it seems) impression that uninstalling completely (as NiteHawk indicates) was necessary.

Can someone explain this please?
 
Joined
Mar 9, 2003
Messages
4,699
TopKat,

Basically there are two things. If you pay close attention when you install Messenger Plus! 2 you can opt out of the sponsor portion.

The second is, even if you don't opt out, you get a second chance since it installs a LOP BHO and toolbar. Per Tony, once you fix these in HJT (and preferably delete the associated files) Messenger Plus! 2 will work fine without them. Hence, trash the LOP and keep the Messenger Plus! 2.

If Tony says it, you can take it to the bank!! I too was going by the best available information from pacs-portal. However, after a few PM's with Tony, I have been enlightened. :) That's the great thing about TSG, you can always learn something new.

Now I feel bad for all the people that I told to delete Messenger Plus! 2. :( :eek: :confused:
 
Joined
Aug 10, 2003
Messages
401
Thanks for reply Nitehawk. I mentioned fixing this in HT:
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
I assume you should then delete:
C:\Program Files\Messenger Plus! 2\MsgPlus.exe

Is this correct now?
 
Joined
Mar 9, 2003
Messages
4,699
Actually, if you take care of the O2 and O3 entries, BHO and toolbar that has LOP, you can leave the

O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"

alone and then obviously NOT delete.

I'm sure that will make a lot of people that use this Messenger Plus! 2 very happy.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top