Lop.com - Help needed :(


WE Sim
January 31st, 2003, 11:08 AM
Hi! :-[

I got a PC in my office that's loaded with lop.com (spyware). It alters the start page and loads a bar with links to many porn sites etc.

I'm aware that software like Ad-aware or SpyBot S&D can remove it (I use such software at home).

However, office policy prohibits the installation and use of third-party software.

So, the questions are:

1) where are the lop.com file(s) residing,
2) what are the filename(s) and
3) how to remove it from the hard disk/registry completely?

The office PC is using Office XP (Home Ed) which I'm not familiar with. (I'm using W2K at home)

Thanks

WE Sim
January 31st, 2003, 11:15 AM
Sorry!

"The office PC is using Office XP (Home Ed) which I'm not familiar with. (I'm using W2K at home)"

It should read Win XP (Home Ed) instead of Office XP (Home Ed)

This is a typical situation where, even if you know of software that can do the job, you're tied to the old-fashioned way of digging out the responsible files and registry entries that are causing the problem.

Thanks again.

Pieter_Arntz
January 31st, 2003, 11:20 AM
Hi WE Sim,

Would it be allowed to run HijackThis on that computer?
This program is not really an install that would cause any problems, and removing it is as easy as dragging it to the Recycled folder. ;)

To give you an idea what you're up against: http://www.spywareinfoforum.com/yabbse/showthread.php?t=2334

Regards,

Pieter

WE Sim
January 31st, 2003, 12:04 PM
Hi Pieter_Arntz!

Thanks for the rapid reply.

I think I'm going to faint after reading the long info from the link. :-\

I thought Ad-aware and/or SpyBot would do a clean job but apparently they don't.

There was also mention of removing MSN Messenger. I don't think this can be done, as Hotmail/Outlook Express via MSN Messenger is being used.

I just downloaded and tried HijackThis v1.91 on my own laptop and it discovered 100+ hijacked domains which HijackThis recommends fixing. Should I do it? I mean, all of them?

So, what am I supposed to look for if HijackThis is to be installed on my office PC?

Thanks

Pieter_Arntz
January 31st, 2003, 01:54 PM
Hi WE Sim,

Spybot S&D and Adaware 6 (NOT 5.83) will do a clean job on lop.com.
I just gave you a link to a thread where they were fighting a new variant, so you would have an idea how widespread this will be on the infected computer.

As to running HijackThis on your own computer. I think you're reading the logs wrong, but I'd have to see them to make sure (feel free to post them or mail them to me).
If you're using a hosts file for instance you could get a lot of entries.

Regards,

Pieter

WE Sim
February 1st, 2003, 03:10 AM
Hi Pieter_Arntz!


During scanning using HijackThis on my laptop a pop-up alert states:

"You have a particularly large amount of hijacked domains. It's probably better to delete the file itself than to fix each item (and create a backup).

If you see the same IP address in all the reported O1 items, consider deleting the Hosts file, which is located at C:\WINNT\system32\etc\hosts"

Attached is the log file from the HijackThis scan I just ran:

Logfile of HijackThis v1.91.2
Scan saved at 4:10:23 PM, on 01-Feb-03
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://sg.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=proxy.mystarhub.com.sg:8080
O1 - Hosts: 203.169.65.239 #2002-01-07 19:29:34
O1 - Hosts: 195.124.234.138 195.124.234.138 #2002-01-18 21:25:07
O1 - Hosts: 202.42.22.80 202.42.22.80 #2001-12-06 09:31:47
O1 - Hosts: 206.61.52.48 206.61.52.48 #2001-12-06 09:31:47
O1 - Hosts: 207.33.111.124 207.33.111.124 #2001-12-06 09:31:47
O1 - Hosts: 209.203.251.149 209.203.251.149 #2002-01-12 22:53:14
O1 - Hosts: 195.92.250.15 5star.freeserve.com #2001-12-06 09:34:26
O1 - Hosts: 64.4.8.250 64.4.8.250 #2002-01-08 18:34:48
O1 - Hosts: 192.41.8.207 a2zsolutions.com #2001-12-06 09:34:29
O1 - Hosts: 64.75.34.136 adcop.org #2001-12-06 09:34:32
O1 - Hosts: 63.237.136.5 adshield.org #2002-01-08 20:54:06
O1 - Hosts: 64.170.98.21 adsl.com #2001-12-06 09:34:34
O1 - Hosts: 216.22.145.138 aiserv1.albumpictures.com #2001-12-06 09:34:35
O1 - Hosts: 62.146.43.82 ants.ewido.net #2001-12-06 09:34:37
O1 - Hosts: 66.111.67.62 appian.com #2001-12-06 09:34:38
O1 - Hosts: 216.65.5.69 archives.sonixdownloads.com #2001-12-06 09:34:38
O1 - Hosts: 202.79.213.3 asia.cnet.com #2002-01-08 18:42:58
O1 - Hosts: 203.116.23.60 asiaone.com #2002-01-06 09:15:14
O1 - Hosts: 202.27.17.120 asiaonemarkets.com #2001-12-06 09:34:39
O1 - Hosts: 64.226.35.114 aspergantis.com #2001-12-06 09:34:43
O1 - Hosts: 207.68.181.229 astrology.msn.com #2002-01-06 21:20:25
O1 - Hosts: 216.136.131.172 astrology.yahoo.com #2002-01-06 21:17:36
O1 - Hosts: 209.73.164.147 babel.altavista.com #2001-12-06 09:34:46
O1 - Hosts: 64.158.138.25 beta.profusion.com #2001-12-06 09:34:48
O1 - Hosts: 204.179.240.77 bloomberg.com #2001-12-06 09:34:50
O1 - Hosts: 210.104.132.11 bok.or.kr #2001-12-06 09:34:50
O1 - Hosts: 202.126.2.77 bondsinasia.com #2001-12-06 09:34:51
O1 - Hosts: 202.27.17.125 business-times.asia1.com.sg #2001-12-06 09:34:51
O1 - Hosts: 204.127.135.37 cable-dsl.home.att.net #2001-12-06 09:34:52
O1 - Hosts: 216.205.148.162 camtech2000.net #2001-12-06 09:34:52
O1 - Hosts: 203.116.232.177 can.com.sg #2001-12-06 09:34:53
O1 - Hosts: 216.200.121.30 cartogra.com #2001-12-06 09:34:54
O1 - Hosts: 64.124.237.131 catchup.cnet.com #2002-01-09 21:27:25
O1 - Hosts: 64.56.196.55 cdrfaq.org #2001-12-06 09:34:54
O1 - Hosts: 208.230.143.112 chrisdeepmind.windowpictures.com #2001-12-06 09:34:56
O1 - Hosts: 204.198.135.194 come.to #2001-12-06 09:34:56
O1 - Hosts: 64.124.237.128 computers.cnet.com #2002-01-19 20:45:24
O1 - Hosts: 202.27.17.128 computertimes.asia1.com.sg #2001-12-06 09:35:13
O1 - Hosts: 202.27.17.128 computertimes.asiaone.com.sg #2002-01-07 23:23:48
O1 - Hosts: 63.236.73.130 cws.internet.com #2001-12-06 09:35:14
O1 - Hosts: 198.175.98.32 developer.intel.com #2002-01-07 23:36:17
O1 - Hosts: 209.202.192.40 dir.lycos.com #2001-12-06 09:35:14
O1 - Hosts: 204.71.200.74 docs.yahoo.com #2002-01-08 18:37:57
O1 - Hosts: 205.210.42.11 domains.dslreports.com #2002-01-09 23:03:38
O1 - Hosts: 198.31.34.202 dpf.deerfield.com #2001-12-06 09:35:15
O1 - Hosts: 128.121.251.213 driverzone.com #2001-12-06 09:35:16
O1 - Hosts: 64.39.26.79 dsl.com #2001-12-06 09:35:17
O1 - Hosts: 216.26.144.52 dvddemystified.com #2001-12-06 09:35:19
O1 - Hosts: 216.136.227.7 edit.yahoo.com #2002-01-06 09:13:00
O1 - Hosts: 64.45.60.18 eforums.electic.com #2002-01-17 22:53:57
O1 - Hosts: 205.150.121.224 electrofuel.com #2001-12-06 09:35:20
O1 - Hosts: 64.95.118.42 epinions.com #2001-12-06 09:35:21
O1 - Hosts: 128.11.45.117 equip.zdnet.com #2001-12-06 09:35:23
O1 - Hosts: 205.252.89.39 fileforum.betanews.com #2002-01-07 20:29:05
O1 - Hosts: 216.115.107.7 finance.yahoo.com #2001-12-06 09:35:25
O1 - Hosts: 63.240.14.150 firstgov.gov #2001-12-06 09:35:26
O1 - Hosts: 213.189.207.69 forum.ixbt.com #2002-01-10 22:46:38
O1 - Hosts: 209.15.11.15 forum.karf.net #2001-12-06 09:35:26
O1 - Hosts: 64.45.60.18 forums.electic.com #2002-01-17 22:51:57
O1 - Hosts: 64.49.204.225 forums.winguides.com #2001-12-06 09:35:27
O1 - Hosts: 129.250.247.194 fototime.com #2001-12-06 09:35:28
O1 - Hosts: 209.202.196.140 freehomepages1.tripod.com #2001-12-06 09:35:28
O1 - Hosts: 206.161.202.1 freeware32.efront.com #2001-12-06 09:35:29
O1 - Hosts: 128.9.176.20 ftp.isi.edu #2001-12-06 09:35:29
O1 - Hosts: 66.40.230.115 gaijininvestor.com #2001-12-06 09:35:30
O1 - Hosts: 155.69.24.133 gemsweb.ntu.edu.sg #2001-12-06 09:35:31
O1 - Hosts: 207.71.92.193 grc.com #2001-12-06 09:35:31
O1 - Hosts: 211.99.196.135 greenguard.nsfocus.com #2001-12-06 09:35:31
O1 - Hosts: 216.115.97.140 groups.yahoo.com #2001-12-06 09:35:32
O1 - Hosts: 128.164.127.252 gwis2.circ.gwu.edu #2001-12-06 09:35:32
O1 - Hosts: 157.238.201.66 hardcore2.erosway.com #2002-01-12 22:49:14
O1 - Hosts: 209.86.229.212 help.mindspring.com #2001-12-06 09:35:32
O1 - Hosts: 209.202.197.70 hlfxcat.tripod.com #2001-12-06 09:35:33
O1 - Hosts: 208.185.127.40 home.about.com #2001-12-06 09:35:33
O1 - Hosts: 204.127.135.37 home.att.net #2001-12-06 09:35:33
O1 - Hosts: 203.193.19.13 home.boom.com.hk #2001-12-06 09:35:34
O1 - Hosts: 207.211.212.50 home.cfl.rr.com #2001-12-06 09:35:35
O1 - Hosts: 194.25.3.144 home.t-online.de #2001-12-06 09:35:35
O1 - Hosts: 62.253.162.19 homepage.ntlworld.com #2001-12-06 09:35:35
O1 - Hosts: 209.157.220.6 horoscopes.astrology.com #2002-01-06 09:17:50
O1 - Hosts: 205.181.112.68 hotfiles.zdnet.com #2002-01-19 20:46:34
O1 - Hosts: 207.46.133.40 hotfix.microsoft.com #2002-01-17 22:46:24
O1 - Hosts: 199.175.106.238 ibo-business.com #2001-12-06 09:35:36
O1 - Hosts: 194.125.133.230 indigo.ie #2001-12-06 09:35:36
O1 - Hosts: 64.158.138.41 info.intelliseek.com #2001-12-06 09:35:36
O1 - Hosts: 138.23.89.35 infomine.ucr.edu #2001-12-06 09:35:37
O1 - Hosts: 207.150.198.172 inklineglobal.com #2001-12-06 09:35:38
O1 - Hosts: 64.226.146.43 intelytics.com #2001-12-06 09:35:39
O1 - Hosts: 209.202.197.70 jhlavac.tripod.com #2001-12-06 09:35:39
O1 - Hosts: 216.34.13.245 jibreel.net #2001-12-06 09:35:40
O1 - Hosts: 202.27.17.155 jobsearch.asia1.com.sg #2001-12-06 09:35:40
O1 - Hosts: 213.171.193.9 jv16.org #2002-01-06 09:12:12
O1 - Hosts: 66.39.30.176 keir.net #2001-12-06 09:35:41
O1 - Hosts: 216.198.214.2 kickme.to #2001-12-06 09:35:41
O1 - Hosts: 202.126.159.128 kinokuniya.com.sg #2001-12-06 09:35:41
O1 - Hosts: 211.200.28.40 koreaherald.co.kr #2001-12-06 09:35:42
O1 - Hosts: 64.4.53.7 lc2.law5.hotmail.passport.com #2002-01-06 21:13:09
O1 - Hosts: 64.113.168.176 lists.gpick.com. #2001-12-06 16:41:47
O1 - Hosts: 64.58.76.99 login.yahoo.com #2002-01-06 09:13:41
O1 - Hosts: 64.4.8.250 lw9fd.law9.hotmail.msn.com #2002-01-06 21:10:50
O1 - Hosts: 192.170.88.41 lycosasia.shareinvestor.com #2001-12-06 09:35:59
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\utilities\adobe acrobat v5.x\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - D:\Utilities\FlipAlbum Pro 5.x\FpLaunch.dll
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - d:\UTILIT~1\ADSHIE~1.2X\AdShield.dll
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Utilities\NAV2003 Pro\NAV2003\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG_CC] D:\Utilities\AVG v6.x\avgcc32.exe /startup
O4 - HKLM\..\Run: [CP51NBtn] D:\UTILIT~1\EZButton\CP51NBtn.EXE
O4 - HKLM\..\Run: [Fix-It AV] D:\UTILIT~1\ONTRAC~2.X\MemCheck.exe
O4 - HKLM\..\Run: [Outpost Firewall] D:\UTILIT~1\OUTPOS~1\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [tcactive] D:\Utilities\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] D:\Utilities\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\UTILIT~1\NAV200~1\NAV2003\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [PestPatrol Control Center] D:\Utilities\PestPatrol Corp v4.1.x\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] D:\UTILIT~1\PESTPA~1.X\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] D:\UTILIT~1\PESTPA~1.X\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [VCDPlayer] D:\UTILIT~1\VIRTUA~1.1\System\VCDPlay.exe
O4 - HKLM\..\Run: [Ad-watch] D:\Utilities\Ad-aware Plus v6.x\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [SpyCop ScanCheck] D:\Utilities\SpyCop Corp v5.x\MAIN.EXE /LASTSCAN
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [TextAloud] D:\Utilities\TextAloud MP3\TextAloud MP3\TextAloudMP3.exe -auto
O4 - Startup: Atomica.lnk = D:\Utilities\Atomica\Atomica Client\Atomica.exe
O4 - Startup: Shortcut to NetPerSec.lnk = D:\Utilities\NetPerSec v1.1\NetPerSec.exe
O4 - Startup: BHO Cop.lnk = D:\Utilities\BHOCop v1.x\BHOCop\BHOCop.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Holiday Lights.lnk = D:\Utilities\Holiday Lights v5.3\Holiday Lights\Holiday Lights.exe
O4 - Startup: TrayPlt.lnk = D:\Utilities\Tray Pilot Lite 1.10\Tray Pilot Lite\TrayPlt.exe
O4 - Startup: SpClDlx.lnk = D:\Utilities\Speaking Clock Deluxe v3.06c\Speaking Clock Deluxe\SpClDlx.exe
O4 - Startup: SpywareGuard Control Panel.lnk = D:\Utilities\SpywareGuard\SpywareGuard\spywareguardcp.exe
O4 - Startup: invipro4.lnk = D:\Utilities\Invisible Pro v4.x\invipro4.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Utilities\Adobe Acrobat v5.x\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Utilities\Office XP\Office10\OSA.EXE
O4 - Global Startup: ORiNOCO Client Manager.lnk = D:\Utilities\LT Orinoco\CMLUC.EXE
O4 - Global Startup: Ulead Photo Express Calendar Checker For My Custom Edition.lnk = D:\Utilities\Mini2 Digital Camera\Ulead Photo Express\CalCheck.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Bluetooth Connection Manager.lnk = D:\3COM Bluetooth Print Kit\BTCM.exe
O8 - Extra context menu item: &Maintain Block List... - d:\UTILIT~1\ADSHIE~1.2X\maintain.htm
O8 - Extra context menu item: Add to &Block List... - d:\UTILIT~1\ADSHIE~1.2X\suppress.htm
O8 - Extra context menu item: AdShield Option &Settings... - d:\UTILIT~1\ADSHIE~1.2X\settings.htm
O8 - Extra context menu item: Atomica... - file:D:\UTILIT~1\ATOMICA\ATOMIC~1\Html\griemenu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\UTILIT~1\OFFICE~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AdShield (HKCU)
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37581.1197222222
O16 - DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw9fd.law9.hotmail.msn.com/activex/HMAtchmt.ocx

Please comment. Thanks

Pieter_Arntz
February 1st, 2003, 06:03 AM
Hi WE Sim,

What I see in your hosts file is a reasonably normal list of favorites (I'm guessing you used FastNet99 to merge it with a restricting hosts file?).
Nothing wrong with that. If you don't have any problems I see no reason to change it. You can check those and then ignore them, so they don't show up in every scan.

Regards,

Pieter
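
As an added illustration of the check Pieter is describing here (this is not code from any post in the thread, nor from HijackThis): the question with a long O1 list is whether many hostnames point at one routable address (a redirect hijack, the case the HijackThis pop-up warns about) or whether each host has its own address (a FastNet99-style cache, harmless). The script below groups hosts by IP and reports the many-to-one cases, treating 127.0.0.1 and 0.0.0.0 separately because an ad-blocking hosts file maps hundreds of names there on purpose. The sample hosts text, the example.com/example.net names and the threshold of 3 are this example's own assumptions.

```python
"""Spot redirect-style hijacks in a hosts file or in HijackThis 'O1 - Hosts:' lines.

Added example for this thread; not the poster's file and not HijackThis code.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Sinkhole addresses used by ad-blocking hosts files. Many names mapping here is
# self-inflicted blocking, not a redirect, so they are counted separately.
SINKHOLES = {"127.0.0.1", "0.0.0.0"}

# Constructed sample (assumption, not the poster's hosts file): a FastNet99-style
# cache with one IP per host, an ad-block section, and one redirect hijack block.
SAMPLE_HOSTS = """
127.0.0.1 localhost
216.136.131.172 astrology.yahoo.com #2002-01-06 21:17:36
64.58.76.99 login.yahoo.com #2002-01-06 09:13:41
207.71.92.193 grc.com #2001-12-06 09:35:31
# ad-block style entries: sinkholed, harmless
127.0.0.1 ads.example.net doubleclick.example.net
# redirect hijack: several search/update hosts sent to one routable address
10.9.8.7 www.google.com
10.9.8.7 search.example.com www.altavista.example
10.9.8.7 windowsupdate.microsoft.com
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs. Trailing '#' comments are dropped, as the
    resolver does; a line may carry several hostnames; HijackThis O1 prefixes are accepted."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("O1 - Hosts:"):
            line = line[len("O1 - Hosts:"):].strip()
        fields = line.split()
        if len(fields) < 2:          # blank, comment-only, or a bare IP with no name
            continue
        ip, names = fields[0], fields[1:]
        pairs.extend((ip, n.rstrip(".").lower()) for n in names)
    return pairs


def hosts_by_ip(pairs: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group distinct hostnames under the address they resolve to (insertion order kept)."""
    by_ip: Dict[str, List[str]] = defaultdict(list)
    for ip, name in pairs:
        if name not in by_ip[ip]:
            by_ip[ip].append(name)
    return dict(by_ip)


def redirect_suspects(text: str, threshold: int = 3) -> Dict[str, List[str]]:
    """Routable addresses that at least `threshold` distinct hostnames are mapped to.
    One IP per host (a cache) never trips this; a hijack that funnels sites to one
    server does."""
    return {ip: names for ip, names in hosts_by_ip(parse_hosts(text)).items()
            if ip not in SINKHOLES and len(names) >= threshold}


def sinkholed_count(text: str) -> int:
    """How many names are deliberately blocked (mapped to a sinkhole address)."""
    return sum(len(names) for ip, names in hosts_by_ip(parse_hosts(text)).items()
               if ip in SINKHOLES)


if __name__ == "__main__":
    for ip, names in redirect_suspects(SAMPLE_HOSTS).items():
        print("%s <- %d hosts: %s" % (ip, len(names), ", ".join(names)))
    print("%d names sinkholed" % sinkholed_count(SAMPLE_HOSTS))
```

Paste either the raw file (C:\WINNT\system32\drivers\etc\hosts on 2000/XP) or the O1 lines from a log into the text; the only interesting output is an IP outside the sinkhole set that collects several names, which is exactly what the hosts list in this thread does not show.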

WE Sim
February 1st, 2003, 08:42 AM
Hi Pieter_Arntz!


You were right to say that I used FastNet99. It was a long time ago that I removed FastNet99 from my system.

However, if HijackThis were to be installed on my office PC, what am I supposed to look for?

I would like to learn more about HijackThis. Is there an online manual or help file for it?

I suppose the removal of lop.com spyware still has to depend on SpyBot and/or Ad-aware?

Thanks

Pieter_Arntz
February 1st, 2003, 08:59 AM
Hi WE Sim,

I am not aware of any on-line manual for HijackThis. There is a short description of the codes in the Help file.
You could ask any specific questions on HijackThis at the board of SpywareInfo where Merijn (the creator of HijackThis) hangs out.
On this board you can find Tony's list of BHOs (http://www.wilderssecurity.com/showthread.php?t=4164;start=0) (updated weekly) to see if what you have under O2 is harmful or not.
Using Adaware 6 or Spybot S&D to remove Lop.com is the easiest way and I would recommend doing so. It is not something you can easily get rid of yourself.

Regards,

Pieter

WE Sim
February 5th, 2003, 08:50 AM
Hi Pieter_Arntz!

Sorry for not replying, as I was waiting for Ad-aware Personal v6 (build 160) to be released before carrying out further tests.

OK! I downloaded it this morning (I'm posting at home now) and together with SpyBot S&D (with the latest dat) cleaned my office PC thoroughly many... many... countless times with reboots in between.

The final result is:

After each re-boot,

Spybot reported C2.lop:IE Start page, and

Ad-aware reported 2 registry values identified:
1) Possible Browser Hijack attempt: "http://sbnt.com/...
2) AdvertBar: "http://sbnt.com/...

That's great! Even the latest dats from these 2 programs could not get rid of lop.com.

I did a scan using HijackThis (after cleaning with the 2 programs) and the log is as shown below. I suspect the last 2 entries are the culprits and need to be fixed by HijackThis. What do you think?

Here's the log

Logfile of HijackThis v1.91.2
Scan saved at 18:06:47, on 05/02/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://go.compaq.com/1Q00CDT/0409/bl7.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [xwean] C:\DOCUME~1\CPTAN\APPLIC~1\fgrthsts.exe -QuieT
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93B9F036-55F4-42AF-BF8C-84D8B9CF55CF}: Domain = sbnt.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6B8AC92-875F-479E-AD85-0620035B9DDA}: Domain = sbnt.com



Are there any more entries that I need to fix? If the problem is solely due to these 2 entries, why didn't Ad-aware & SpyBot S&D fix them as well?

Thank you, and I need your advice so that I can go to my office tomorrow to solve the problem.

Pieter_Arntz
February 5th, 2003, 08:56 AM
Because it starts up every time, and I think it's due to this key:

O4 - HKLM\..\Run: [xwean] C:\DOCUME~1\CPTAN\APPLIC~1\fgrthsts.exe -QuieT

Kill that one, reboot and then scan again. I would like you to mail me that fgrthsts.exe please.

Regards,

Pieter

PS Since you do have HijackThis running, have it fix the two O17 entries as well.
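
As an added worked example of the triage Pieter just did by eye (this is not code from the thread, nor from HijackThis or Lavasoft): a small Python script that reads HijackThis-style R0/R1, O4 and O17 lines, applies the same three tests (a Run value launching from a user profile path, a per-interface DNS Domain/NameServer override, and a Start Page that is not a URL), and prints the reg.exe commands that would remove the flagged values with tools already on the machine, which is what the original poster asked for. The sample log is constructed from the entries quoted above, and the "runs from a profile path" heuristic and the trusted-domain list are this example's own assumptions. HijackThis abbreviates the O17 key as Tcpip\..; the full path under Tcpip\Parameters\Interfaces\{GUID} is written out below.

```python
"""Triage HijackThis O4/O17/R0/R1 lines and print native reg.exe removal commands.

Added example for this thread; not HijackThis code and not from any post above.
Assumptions (not from the thread): the profile-path heuristic, the trusted-domain
list, and SAMPLE_LOG, which is modelled on the log quoted in the thread.
"""
import re
from typing import Dict, List, Sequence

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# HijackThis prints this key as "Tcpip\.."; this is the full path of the O17 entries.
TCPIP_IF = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - HKLM\\System\\CCS\\Services\\Tcpip\\\.\.\\"
                    r"(?P<guid>\{[0-9A-Fa-f-]+\}): (?P<value>\w+) = (?P<data>.*)$")
R_RE = re.compile(r"^R[01] - (?P<hive>HKLM|HKCU)\\(?P<key>[^,]+),(?P<value>[^=]+)=(?P<data>.*)$")

# Assumption: legitimate autostarts on a box like this live under Program Files or the
# Windows directory; a Run value launching from a profile or temp path is a red flag.
PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\", "\\applic~1\\",
                   "\\application data\\", "\\local settings\\", "\\temp\\")

# Constructed sample, modelled on the log posted above (not a full copy of it).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=485376
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [xwean] C:\DOCUME~1\CPTAN\APPLIC~1\fgrthsts.exe -QuieT
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{93B9F036-55F4-42AF-BF8C-84D8B9CF55CF}: Domain = sbnt.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6B8AC92-875F-479E-AD85-0620035B9DDA}: Domain = sbnt.com
"""


def _exe_path(cmd: str) -> str:
    """The program part of a Run value: the quoted path, or the text before the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn the R/O4/O17 lines of a log into dicts; other line types are ignored."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        for kind, rx in (("O4", O4_RE), ("O17", O17_RE), ("R", R_RE)):
            m = rx.match(line)
            if m:
                entries.append({"type": kind, "line": line, **m.groupdict()})
                break
    return entries


def triage(entries: List[Dict[str, str]], trusted_domains: Sequence[str] = ()) -> List[Dict[str, str]]:
    """Keep only entries worth acting on; attach a reason and a reg.exe command to each."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for e in entries:
        if e["type"] == "O4":
            if any(mk in _exe_path(e["cmd"]).lower() for mk in PROFILE_MARKERS):
                findings.append({**e, "reason": "autostart runs from a user profile/temp path",
                                 "fix": 'reg delete "%s\\%s" /v "%s" /f' % (e["hive"], RUN_KEY, e["name"])})
        elif e["type"] == "O17" and e["value"] in ("Domain", "NameServer"):
            # A per-interface DNS suffix or server that the admin did not set redirects lookups.
            if e["data"].strip().lower() not in trusted:
                findings.append({**e, "reason": "per-interface %s override not on the trusted list" % e["value"],
                                 "fix": 'reg delete "HKLM\\%s\\%s" /v %s /f' % (TCPIP_IF, e["guid"], e["value"])})
        elif e["type"] == "R" and e["value"].strip() == "Start Page":
            data = e["data"].strip()
            if data and not data.lower().startswith(("http://", "https://", "about:")):
                findings.append({**e, "reason": "Start Page is not a URL",
                                 "fix": 'reg add "%s\\%s" /v "Start Page" /d about:blank /f' % (e["hive"], e["key"])})
    return findings


def removal_script(findings: List[Dict[str, str]]) -> str:
    """Batch-file body: the original log line as a comment, then the command that undoes it."""
    return "\n".join("rem %s\n%s" % (f["line"], f["fix"]) for f in findings)


if __name__ == "__main__":
    print(removal_script(triage(parse_log(SAMPLE_LOG))))
```

Two caveats a practitioner would want: deleting the Run value only stops the program from being started again, so the file it points to (fgrthsts.exe above) is still on disk and still running until the next reboot; delete it after rebooting, when nothing holds it open. And if the office network really does hand out a DNS suffix, pass it in `trusted_domains` so its interface entries are not flagged; a Domain value of sbnt.com on a PC that never joined such a domain is exactly the kind of override the O17 check is for.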

Mike_Healan
February 5th, 2003, 10:25 PM
Quoting WE Sim: "However, office policy prohibits the installation and use of 3rd-party softwares."

Considering they have a trojan, I think they could see their way fit to allow a program on long enough to remove it. Or is the person responsible for that decision really that dense?

Anyway, the best source of removal instructions is Andrew's site http://www.doxdesk.com/parasite/lop.html

I used to have a good page on lop, but I got tired of updating every time they update. Spybot generally kills every version of lop and I have other things to do.

WE Sim
February 6th, 2003, 01:46 AM
Hi Mike Healan! ;)

What I've noticed from many companies here is that generally they do have firewalls and anti-virus software, but beyond that (spyware, web bugs, malicious cookies, etc.) the IT dept is hardly interested; after all, those don't destroy data or corrupt the hard disk. Of course, this may change the thinking of management when one such evil creates havoc one day.

In addition, the installation and use of third-party software has to go through the IT dept's approval, as some companies do have audits on the PCs to ensure no external, non-approved software is installed or used.

LowWaterMark
February 6th, 2003, 01:56 AM
Quoting WE Sim: "In addition, the installation and use of 3rd-party softwares have to go through the IT dept's approval as some companies do have audits on the PCs to ensure no external non-approved softwares are installed and used."

Ah, that's your solution. Just explain to them that lop.com is "external non-approved software" and then watch how fast they move to rip it out. ;)

They wouldn't want anyone to get away with having unapproved software, now would they? ;D

WE Sim
February 6th, 2003, 02:01 AM
Hi Pieter_Arntz!

Sorry for the late posting, as it was difficult to access this forum this morning.

After the discussion yesterday I did not use HijackThis to fix the entries as you advised, since I was trying out a new dat (05-02-03) from Lavasoft this morning, and sure enough, after scanning my office PC again, Ad-aware identified a further 28 objects (all related to lop.com).

After cleaning and re-booting, re-scanning with SpyBot & Ad-aware reveals no more traces of lop.com, and upon accessing the net there's no more problem with the link bar or alteration of the IE Start page.

Apparently, Ad-aware finally found a cure for the lop.com issue.

However, after that I ran HijackThis and found something disturbing, especially the last 2 entries under O17. sbnt.com is associated with the link bar. See the log below.

Logfile of HijackThis v1.91.2
Scan saved at 11:07:38, on 06/02/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=485376
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://go.compaq.com/1Q00CDT/0409/bl7.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93B9F036-55F4-42AF-BF8C-84D8B9CF55CF}: Domain = sbnt.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6B8AC92-875F-479E-AD85-0620035B9DDA}: Domain = sbnt.com


Why didn't Ad-aware identify those 2 entries as well?

Note: I'll e-mail the fgrthsts.exe you requested after this post. Please check and let me know whether you receive it.


Thank you

Pieter_Arntz
February 6th, 2003, 02:34 AM
Hi WE Sim,

I wasn't sure if Adaware would pick up on the O17 entries. That's why I added my PS in my previous post.
The list of lop.com domains (http://www.spywareinfoforum.com/yabbse/showthread.php?t=2609;start=0) is enormous and more are found/added all the time.
Thanks for the exe. I'll make sure it gets on the "wanted posters" if it isn't on there yet. :)

Regards,

Pieter