
[Resolved] LOP: Making sure it's really all gone?

Discussion in 'Virus & Other Malware Removal' started by AtreideS, Sep 28, 2003.

  1. AtreideS

    AtreideS Thread Starter

    Joined:
    Aug 20, 2001
    Messages:
    651
    Hello,
    When I woke up and turned my computer on this morning I was greeted by 10 new icons, and a little win-xp style menu bar. "Hmmm I thought... this can't be good." As it turns out, my sister (who has been told countless times not to download ANYTHING) had managed to download the LOP spyware (http://www.spywareinfo.com/articles/lop/). It seemed to trick my sister into believing she was downloading some new great mp3 finding software.
    Anyway, this sent me on a quest for removal of this new LOP beast. Here is what I have done so far:
    1) Opened Zone Alarm and disabled all the dodgy programs I could find. (ADGKNQ.exe, Download.exe, Kuy1.exe, Winactive.exe)
    2) I updated Spybot and did a scan. Ahh nice... 40 or so new problems to fix. So I fixed them then rebooted.
    3) Downloaded Ad-Aware 6, updated it and gave it a go. Ahh even better another 40 items. I deleted them and rebooted.
    4) Ran Regcleaner 4.3, removed all old entries.
    5) Then, seeing as I was still getting an advertising window at the bottom of IE, I searched the web looking for more information. Then I remembered good old Hijack This (which I used the last time my sister downloaded something).
    6) Ran Hijack This and deleted:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank
    O2 - BHO: (no name) - {4ada0832-a920-48f1-bb4a-ec201390468e} - C:\DOCUME~1\JAMES\APPLIC~1\poolyshgstea.dll
    7) I headed to LadyBugSoft and found a plug-in for Internet Sweeper Pro. So I gave it a shot. It seemed to run some sort of uninstaller (which needed to connect to the internet to remove). That seemed scary to me, but I ran it anyway.
    8) More internet searching. Found that lop.com provide their own uninstaller for lop. It all screamed dodgy at me, and I read 4 reports of the file actually being a trojan. So I steered clear of the 'official' option.
    9) Ran StartMan and made sure all the dodgy programs were disabled.
    10) Deleted the winactive folder in Program Files
    11) Ran Vet (CA anti-virus) just for good measure.

    Now I'm unsure what to do next. I really want to make sure this little program is gone for good. Have I missed anything crucial? The thing that is most worrying me is the ad-bar at the bottom of IE. It was removed fine after deleting the 4 entries in Hijack This. But is it still stored on my computer somewhere and I've simply disabled it from being shown in IE?
    Any tips or suggestions for what else might still be left behind?
    Here is my Hijack This log just to make sure I removed everything I needed to:
    StartupList report, 29/09/2003, 12:13:33 PM
    StartupList version: 1.52
    Started from : C:\Downloads\hijackthis\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\VetMsgNT.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\Vet\VetTray.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\NotifyPhoneBook.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Downloads\hijackthis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    AME_CSA = rundll32 amecsa.cpl,RUN_DLL
    VetTray = C:\Vet\VetTray.exe
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    MessengerPlus2 = "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    FinePrint Dispatcher v5 = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Download Program Files:

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

    [Office Update Installation Engine]
    InProcServer32 = C:\WINDOWS\opuc.dll
    CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.9470486111

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 4,499 bytes
    Report generated in 0.070 seconds

    Thanks for taking the time to read all this. Any suggestions are welcome. And I hope this has been a good lesson for everyone, never ever let your sister download a single file from the internet.;) Or it might just be the dreaded LOP spyware.
    Thanks.:)
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Nothing apparent in the Startuplist, but we really need to see the Scanlog...
     
  3. AtreideS

    AtreideS Thread Starter

    Joined:
    Aug 20, 2001
    Messages:
    651
    Oh of course, silly me.:) I will post it as soon as I get the chance. Thanks Rollin' Rog.:)
     
  4. AtreideS

    AtreideS Thread Starter

    Joined:
    Aug 20, 2001
    Messages:
    651
    Logfile of HijackThis v1.97.2
    Scan saved at 8:41:44 PM, on 29/09/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\VetMsgNT.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\Vet\VetTray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Downloads\hijackthis\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
    O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.9470486111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2DFC9C4B-5963-4876-A843-E55CBEF5785E}: NameServer = 202.161.124.17 202.161.124.18
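    As an added illustration (not code from the thread or from HijackThis), the Python script below parses log lines in the format shown above and flags the patterns the posters identified as LOP: IE search settings pointed at about:blank, a nameless BHO loaded from a user's Application Data folder, and Run entries for the executables AtreideS disabled in ZoneAlarm. The sample log is constructed from lines quoted in posts 1 and 4; the folder and name heuristics are assumptions of mine, not HijackThis's own logic.

```python
import re
from dataclasses import dataclass

# Constructed sample: entries AtreideS fixed in post 1 plus lines from the clean log in post 4.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank
O2 - BHO: (no name) - {4ada0832-a920-48f1-bb4a-ec201390468e} - C:\DOCUME~1\JAMES\APPLIC~1\poolyshgstea.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
"""

# Executables AtreideS disabled in ZoneAlarm (post 1). MsgPlus.exe is deliberately absent:
# the thread concludes it may stay once the LOP BHO and toolbar are removed.
LOP_EXE_NAMES = ("adgknq.exe", "download.exe", "kuy1.exe", "winactive.exe")

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# Assumed heuristic: a BHO living in a per-user Application Data folder (8.3 or long form,
# e.g. C:\DOCUME~1\JAMES\APPLIC~1\) is unusual; add-ons normally sit under Program Files.
PROFILE_APPDATA_RE = re.compile(
    r"\\(DOCUME~1|Documents and Settings)\\[^\\]+\\(APPLIC~1|Application Data)\\", re.I)


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section code, e.g. "O2"
    reason: str  # why the entry was flagged
    line: str    # the original log line


def triage(log_text: str) -> list[Finding]:
    """Flag HijackThis entries matching the LOP indicators discussed in this thread."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        code, rest = m.groups()
        if code in ("R0", "R1"):
            key, _, value = rest.partition(" = ")
            # LOP pointed the search settings at about:blank; normalise the log's spacing
            if "Search" in key and value.replace(" ", "").lower() == "about:blank":
                findings.append(Finding(code, "IE search setting redirected to about:blank", line))
        elif code == "O2":
            dll_path = rest.rsplit(" - ", 1)[-1]
            if rest.startswith("BHO: (no name)") or PROFILE_APPDATA_RE.search(dll_path):
                findings.append(Finding(code, "nameless BHO or BHO loaded from a user profile folder", line))
        elif code == "O4":
            command = rest.partition("] ")[2].lower()  # text after "[Name] "
            if any(name in command for name in LOP_EXE_NAMES):
                findings.append(Finding(code, "Run entry for an executable named in the thread", line))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the two R1 lines, the R0 line and the O2 BHO, and leaves the Radio toolbar, VetTray and MessengerPlus2 entries alone, matching what the thread judged worth fixing.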
     
  5. Metallica

    Metallica Malware Specialist

    Joined:
    Jan 28, 2003
    Messages:
    692
    That's a clean log, but check your favorites. I'm not sure about the Windows active variant, but the old ones added some folders to your favorites.

    Regards,
    Pieter
     
  6. normmork

    normmork

    Joined:
    Oct 4, 2002
    Messages:
    76
    For Ad-aware 6 please use BUILD 181 and the latest reference file; to update the reference file, click on the globe icon in AA6.

    Set it up according to these instructions: AA6 Setup
     
  7. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    In Hijack This, check ALL of the following items.
    Next, close all browser Windows, and have HT fix all checked.

    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"


    IF you are running ME or XP Disable SYSTEM RESTORE : How to disable or enable System Restore in Windows ME

    How to disable or enable System Restore in Windows XP


    Next reboot into Safe Mode and remove the following files and folders that are bolded

    C:\Program Files\Messenger Plus! 2\MsgPlus.exe

    See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.

    Reboot into normal mode.

    Before you re-enable system restore I would strongly recommend that you do an online virus scan at least one and preferably 2 of the following sites:

    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/

    RE-ENABLE SYSTEM RESTORE and create a NEW restore point


    Now download Spybot - Search & Destroy (if you haven't got the program installed already)

    After installing, first press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

    Reboot

    Last, run HJT again and post your log again to see if anything was missed.

    Thanks
     
  8. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    This is what pacs-portal has to say about Messenger Plus! 2

    MsgPlus.exe Third party MSN Messenger extension that hides banner ads and adds archiving and other useful features. Appears not to work unless checked, but may be activated after startup. Not recommended as it includes Lop.com - see here
     
  9. AtreideS

    AtreideS Thread Starter

    Joined:
    Aug 20, 2001
    Messages:
    651
    Nitehawk: I don't believe that msgplus.exe is spyware. When you install Messenger Plus 2 it has an option of whether or not to install the 'sponsor' program, which I'm guessing is LOP.com according to that spyware info article. I've had msgplus.exe on here for a long time with no problems. It was a different download (by my sister from an mp3 site) which included lop.com. Or have I been fooled, and in fact Messenger Plus always includes lop.com regardless of my choice in the installation?

    normmork: Yep Yep, thank you. I had already done that, but I'm sure many people don't realise you can update the program. I guess they just assume the latest download is the latest version.

    Metallica: Yes, you are right. My favourites were 3 times as long as before. And mostly filled with 'adult entertainment' links. Surely it is illegal for lop.com to install such favourites on someone's computer without checking the user's age? My sister who installed lop.com (by accident) certainly isn't of a legal age to view such material. But anyway, it's all gone now. :)

    Thanks everyone for your help. Thank you especially nitehawk for that revelation on msgplus. I'm kind of shocked about that, as patchou has always been a 'top bloke' in my opinion. But if the lop.com spyware is automatically installed with msgplus with no choice given.... then I'm not so sure anymore.
    Thanks.
     
  10. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Actually Tony Klein pointed out to me after I made that post that the LOP component of Messenger Plus 2 can be removed and the base program be kept. In your case, that's been done, so you can hang onto Messenger Plus 2.

    Sorry for the confusion, I was going with the best knowledge I had at the time.
     
  11. AtreideS

    AtreideS Thread Starter

    Joined:
    Aug 20, 2001
    Messages:
    651
    That's quite alright. As long as I don't have LOP, I'm happy:). Thanks once again for your help.
     
  12. Topkat

    Topkat

    Joined:
    Aug 10, 2003
    Messages:
    401
    How's that then? Can you just fix the following in HT?
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"

    Does it mean a fresh install of messenger plus 2 ensuring not to select the lop.com install option, as AtreideS has done?
    I was also under the (mistaken, it seems) impression that uninstalling completely (as NiteHawk indicates) was necessary.

    Can someone explain this please?
     
  13. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    TopKat,

    Basically there are two things. If you pay close attention when you install Messenger Plus! 2 you can opt out of the sponsor portion.

    The second is, even if you don't opt out, you get a second chance since it installs a LOP BHO and toolbar. Per Tony, once you fix these in HJT (and preferably delete the associated files) Messenger Plus! 2 will work fine without them. Hence, trash the LOP and keep the Messenger Plus! 2.

    If Tony says it, you can take it to the bank!! I too was going by the best available information from pacs-portal. However, after a few PMs with Tony, I have been enlightened. :) That's the great thing about TSG, you can always learn something new.

    Now I feel bad for all the people that I told to delete Messenger Plus! 2. :( :eek: :confused:
     
  14. Topkat

    Topkat

    Joined:
    Aug 10, 2003
    Messages:
    401
    Thanks for reply Nitehawk. I mentioned fixing this in HT:
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    I assume you should then delete:
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe

    Is this correct now?
     
  15. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Actually, if you take care of the O2 and O3 entries (the BHO and toolbar that have LOP), you can leave the

    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"

    alone and then obviously NOT delete.

    I'm sure that will make a lot of people that use this Messenger Plus! 2 very happy.
     
Short URL to this thread: https://techguy.org/168178