Lop.com - Help needed :(

Discussion in 'privacy problems' started by WE Sim, Jan 31, 2003.

Thread Status:
Not open for further replies.
  1. WE Sim

    WE Sim Guest

    Hi! :oops:

    I got a PC in my office that's loaded with lop.com (spyware). It alters the start page and loads a bar with links to many porn sites etc.

    I'm aware that software like Ad-aware or SpyBot S&D can remove it (I'm using such software at home).

    However, office policy prohibits the installation and use of 3rd-party software.

    So, the questions are:-

    1) where are the lop.com file(s) residing,
    2) what is the filename(s) and
    3) how to remove it from the harddisk/registry completely?

    The office PC is using Office XP (Home Ed) which I'm not familiar with. (I'm using W2K at home)

    Thanks
     
  2. WE Sim

    WE Sim Guest

    Sorry!

    "The office PC is using Office XP (Home Ed) which I'm not familiar with. (I'm using W2K at home)"

    It should read Win XP (Home Ed) instead of Office XP (Home Ed)

    This is a typical situation where, even if you know of software that can do the job, you're tied to the old-fashioned way of digging out the responsible files and registry entries that are causing the problem.

    Thanks again.
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi WE Sim,

    Would it be allowed to run HijackThis on that computer?
    This program is not really an install that would cause any problems and removing it is as easy as dragging it to the Recycled folder. ;)

    To give you an idea what you're up against: http://www.spywareinfoforum.com/yabbse/showthread.php?t=2334

    Regards,

    Pieter
     
  4. WE Sim

    WE Sim Guest

    Hi Pieter_Arntz!

    Thanks for the rapid reply.

    I think I'm going to faint after reading the long info from the link. :doubt:

    I thought Ad-aware and/or SpyBot would do a clean job but apparently they don't.

    There was also mention of removing MSN Messenger. I don't think this could be done as Hotmail/Outlook Express via MSN Messenger is being used.

    I just downloaded and tried HijackThis v1.91 on my own laptop and it discovered 100+ hijacked domains which HijackThis recommends fixing. Should I do it? I mean all of them?

    So, what am I supposed to look for if HijackThis is to be installed on my office PC?

    Thanks
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi WE Sim,

    Spybot S&D and Adaware 6 (NOT 5.83) will do a clean job on lop.com.
    I just gave you a link to a thread where they were fighting a new variant, so you would have an idea how widespread this will be on the infected computer.

    As to running HijackThis on your own computer: I think you're reading the logs wrong, but I'd have to see them to make sure (feel free to post them or mail them to me).
    If you're using a hosts file, for instance, you could get a lot of entries.

    Regards,

    Pieter
     
  6. WE Sim

    WE Sim Guest

    Hi Pieter_Arntz!


    During scanning using HijackThis on my laptop a pop-up alert states

    "You have an particularly large amount of hijacked domains. Its probably better to delete the file itself then to fix each item (and create a backup).

    If you see the same IP address in all the reported 01 items, consider deleting the Hosts file, which is located at C:\WINNT\system32\etc\hosts"

    Attached is the log file from the HijackThis scan I just ran:-

    Logfile of HijackThis v1.91.2
    Scan saved at 4:10:23 PM, on 01-Feb-03
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://sg.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=proxy.mystarhub.com.sg:8080
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\utilities\adobe acrobat v5.x\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - D:\Utilities\FlipAlbum Pro 5.x\FpLaunch.dll
    O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - d:\UTILIT~1\ADSHIE~1.2X\AdShield.dll
    O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Utilities\NAV2003 Pro\NAV2003\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [S3hotkey] S3hotkey.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [AVG_CC] D:\Utilities\AVG v6.x\avgcc32.exe /startup
    O4 - HKLM\..\Run: [CP51NBtn] D:\UTILIT~1\EZButton\CP51NBtn.EXE
    O4 - HKLM\..\Run: [Fix-It AV] D:\UTILIT~1\ONTRAC~2.X\MemCheck.exe
    O4 - HKLM\..\Run: [Outpost Firewall] D:\UTILIT~1\OUTPOS~1\OUTPOS~1.0\outpost.exe /waitservice
    O4 - HKLM\..\Run: [tcactive] D:\Utilities\The Cleaner\tca.exe
    O4 - HKLM\..\Run: [tcmonitor] D:\Utilities\The Cleaner\tcm.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] D:\UTILIT~1\NAV200~1\NAV2003\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [PestPatrol Control Center] D:\Utilities\PestPatrol Corp v4.1.x\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] D:\UTILIT~1\PESTPA~1.X\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] D:\UTILIT~1\PESTPA~1.X\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [VCDPlayer] D:\UTILIT~1\VIRTUA~1.1\System\VCDPlay.exe
    O4 - HKLM\..\Run: [Ad-watch] D:\Utilities\Ad-aware Plus v6.x\Ad-aware 6\Ad-watch.exe
    O4 - HKLM\..\Run: [SpyCop ScanCheck] D:\Utilities\SpyCop Corp v5.x\MAIN.EXE /LASTSCAN
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [TextAloud] D:\Utilities\TextAloud MP3\TextAloud MP3\TextAloudMP3.exe -auto
    O4 - Startup: Atomica.lnk = D:\Utilities\Atomica\Atomica Client\Atomica.exe
    O4 - Startup: Shortcut to NetPerSec.lnk = D:\Utilities\NetPerSec v1.1\NetPerSec.exe
    O4 - Startup: BHO Cop.lnk = D:\Utilities\BHOCop v1.x\BHOCop\BHOCop.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Startup: Holiday Lights.lnk = D:\Utilities\Holiday Lights v5.3\Holiday Lights\Holiday Lights.exe
    O4 - Startup: TrayPlt.lnk = D:\Utilities\Tray Pilot Lite 1.10\Tray Pilot Lite\TrayPlt.exe
    O4 - Startup: SpClDlx.lnk = D:\Utilities\Speaking Clock Deluxe v3.06c\Speaking Clock Deluxe\SpClDlx.exe
    O4 - Startup: SpywareGuard Control Panel.lnk = D:\Utilities\SpywareGuard\SpywareGuard\spywareguardcp.exe
    O4 - Startup: invipro4.lnk = D:\Utilities\Invisible Pro v4.x\invipro4.exe
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Utilities\Adobe Acrobat v5.x\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Utilities\Office XP\Office10\OSA.EXE
    O4 - Global Startup: ORiNOCO Client Manager.lnk = D:\Utilities\LT Orinoco\CMLUC.EXE
    O4 - Global Startup: Ulead Photo Express Calendar Checker For My Custom Edition.lnk = D:\Utilities\Mini2 Digital Camera\Ulead Photo Express\CalCheck.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Bluetooth Connection Manager.lnk = D:\3COM Bluetooth Print Kit\BTCM.exe
    O8 - Extra context menu item: &Maintain Block List... - d:\UTILIT~1\ADSHIE~1.2X\maintain.htm
    O8 - Extra context menu item: Add to &Block List... - d:\UTILIT~1\ADSHIE~1.2X\suppress.htm
    O8 - Extra context menu item: AdShield Option &Settings... - d:\UTILIT~1\ADSHIE~1.2X\settings.htm
    O8 - Extra context menu item: Atomica... - file:D:\UTILIT~1\ATOMICA\ATOMIC~1\Html\griemenu.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\UTILIT~1\OFFICE~1\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AdShield (HKCU)
    O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37581.1197222222
    O16 - DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw9fd.law9.hotmail.msn.com/activex/HMAtchmt.ocx

    Please comment. Thanks
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi WE Sim,

    What I see in your hosts file is a reasonably normal list of favorites (I'm guessing you used FastNet99 to merge it with a restricting hosts file?).
    Nothing wrong with that. If you don't have any problems I see no reason to change it. You can check those and then ignore them, so they don't show up in every scan.

    Regards,

    Pieter
     
  8. WE Sim

    WE Sim Guest

    Hi Pieter_Arntz!


    You were right to say that I used FastNet99. It was a long time ago that I removed FastNet99 from my system.

    However, if HijackThis were to be installed on my office PC what am I supposed to look for?

    I would like to learn more of HijackThis. Is there an online manual or help file for it?

    I suppose the removal of the lop.com spyware still has to depend on SpyBot &/or Ad-aware?

    Thanks
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi WE Sim,

    I am not aware of any on-line manual for HijackThis. There is a short description of the codes in the Help file.
    You could ask any specific questions on HijackThis at the board of SpywareInfo where Merijn (the creator of HijackThis) hangs out.
    On this board you can find Tony's list of BHOs (updated weekly) to see if what you have under O2 is harmful or not.
    Using Adaware 6 or Spybot S&D to remove Lop.com is the easiest way and I would recommend doing so. It is not something you can easily get rid of yourself.

    Regards,

    Pieter
     
  10. WE Sim

    WE Sim Guest

    Hi Pieter_Arntz!

    Sorry for not replying, as I was waiting for Adaware Personal v6 (build 160) to be released before carrying out further tests.

    OK! I downloaded it this morning (I'm posting at home now) and together with SpyBotSD (with latest dat) cleansed my office PC thoroughly many...many... countless times with reboots in between.

    The final result is:

    After each re-boot,

    Spybot reported C2.lop:IE Start page, and

    Adaware reported 2 Registry values identified
    1) Possible Browser Hijack attempt ........"http://sbnt.com/...
    2) AdvertBar............................................"http://sbnt.com/...

    That's great! Even the latest dats from these 2 programs could not get rid of lop.com.

    I did a scan using HijackThis (after cleaning with the 2 programs) and the log is as shown below. I suspect the last 2 entries are the culprits and need to be fixed by HijackThis. What do you think?

    Here's the log

    Logfile of HijackThis v1.91.2
    Scan saved at 18:06:47, on 05/02/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://go.compaq.com/1Q00CDT/0409/bl7.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [xwean] C:\DOCUME~1\CPTAN\APPLIC~1\fgrthsts.exe -QuieT
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{93B9F036-55F4-42AF-BF8C-84D8B9CF55CF}: Domain = sbnt.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A6B8AC92-875F-479E-AD85-0620035B9DDA}: Domain = sbnt.com



    Are there any more entries that I need to fix? If the problem is solely due to these 2 entries why didn't Adaware & SpybotSD fix them as well?

    Thank you, and I need your advice so that I can go to my office tomorrow to solve the problem.
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Because it starts up every time, and I think it's due to this key:

    O4 - HKLM\..\Run: [xwean] C:\DOCUME~1\CPTAN\APPLIC~1\fgrthsts.exe -QuieT

    Kill that one, reboot and then scan again. I would like you to mail me that fgrthsts.exe please.

    Regards,

    Pieter

    PS Since you do have Hijackthis running have it fix the two O17 entries as well.
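A small triage script for the two patterns Pieter singles out above (an O4 Run entry launching from a user profile directory, and O17 per-interface DNS domain suffixes), added here as an example; it is not part of the thread, of HijackThis, or of any of the tools mentioned. The sample lines are constructed (the [xwean] O4 line and the O17 lines are copied from the log posted above, the sbnt.com start page line mirrors the Ad-aware report quoted earlier), and the "looks random" file-name test is an assumed heuristic, not a HijackThis rule.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.9x log format. The [xwean] O4 line and
# the two O17 lines are copied from the log posted in this thread; the sbnt.com
# start page line mirrors the Ad-aware "Possible Browser Hijack" report quoted
# above; the remaining lines are ordinary entries from the same log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://sbnt.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [xwean] C:\DOCUME~1\CPTAN\APPLIC~1\fgrthsts.exe -QuieT
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{93B9F036-55F4-42AF-BF8C-84D8B9CF55CF}: Domain = sbnt.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6B8AC92-875F-479E-AD85-0620035B9DDA}: Domain = sbnt.com
""".strip()

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"Domain = (?P<domain>\S+)$")
BROWSER_RE = re.compile(r"(?P<key>Start Page|Search Page|Search Bar|SearchAssistant)=(?P<value>.*)$")
EXE_RE = re.compile(r"(.*?\.(?:exe|com|scr|bat|dll))\b", re.IGNORECASE)

# Per-user profile directories (long and 8.3 short forms). They are writable
# without admin rights, which is where the thread's fgrthsts.exe was dropped.
PROFILE_DIRS = ("documents and settings", "docume~1", "application data", "applic~1")


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def first_token(cmd):
    """Return the executable path from a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def looks_random(stem):
    """Assumed heuristic, not a HijackThis rule: 6+ letters with no vowel.
    On its own it also flags msmsgs.exe (Messenger), so analyse() only uses it
    to strengthen a finding already anchored on the profile directory."""
    return len(stem) >= 6 and stem.isalpha() and not any(c in "aeiouy" for c in stem.lower())


def analyse(log_text):
    """Return findings in log order: O17 suffixes, Run entries launching from a
    profile directory, and R0/R1 browser settings that point at an O17 domain."""
    parsed = []
    for idx, raw in enumerate(log_text.splitlines()):
        m = LINE_RE.match(raw.strip())
        if m:
            parsed.append((idx, m.group("code"), m.group("body"), raw.strip()))

    findings = []
    o17_domains = set()
    # Pass 1: collect DNS domain suffixes so the R0/R1 check can correlate with them.
    for idx, code, body, line in parsed:
        m = O17_RE.search(body) if code == "O17" else None
        if m:
            dom = m.group("domain").lower()
            o17_domains.add(dom)
            findings.append((idx, Finding("O17", f"DNS domain suffix {dom} set on an interface; unqualified host names resolve under it", line)))

    # Pass 2: Run entries and browser settings.
    for idx, code, body, line in parsed:
        if code == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue  # Startup-folder O4 forms are not handled here
            exe = first_token(m.group("cmd")).lower()
            if any(d in exe for d in PROFILE_DIRS):
                stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                reason = f"Run entry [{m.group('name')}] launches from a user profile directory"
                if looks_random(stem):
                    reason += " and the file name looks random"
                findings.append((idx, Finding("O4", reason, line)))
        elif code in ("R0", "R1"):
            m = BROWSER_RE.search(body)
            host = (urlparse(m.group("value")).hostname or "") if m else ""
            if host and any(host == d or host.endswith("." + d) for d in o17_domains):
                findings.append((idx, Finding(code, f"{m.group('key')} points at {host}, the same domain as the O17 entries", line)))

    return [f for _, f in sorted(findings, key=lambda t: t[0])]


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}\n     {f.line}")
```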
     
  12. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    Considering they have a trojan, I think they could see their way fit to allow a program on long enough to remove it. Or is the person responsible for that decision really that dense?

    Anyway, the best source of removal instructions is Andrew's site http://www.doxdesk.com/parasite/lop.html

    I used to have a good page on lop, but I got tired of updating every time they update. Spybot generally kills every version of lop and I have other things to do.
     
  13. WE Sim

    WE Sim Guest

    Hi Mike Healan! ;)

    What I noticed from many companies here is that generally they do have firewalls and anti-virus software, but other than that, when it comes to things like spyware, web bugs, malicious cookies etc., the IT dept is hardly interested; after all, they don't destroy data or corrupt the hard disk. Of course, this may change the thinking of the management when one of these evils creates havoc one day.

    In addition, the installation and use of 3rd-party software has to go through the IT dept's approval, as some companies do have audits on the PCs to ensure no external non-approved software is installed and used.
     
  14. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,840
    Location:
    New England
    Ah, that's your solution. Just explain to them that lop.com is "external non-approved software" and then watch how fast they move to rip it out. ;)

    They wouldn't want anyone to get away with having unapproved software, now would they? :D
     
  15. WE Sim

    WE Sim Guest

    Hi Pieter_Arntz!

    Sorry for the late posting as it's difficult to access this forum this morning.

    After the discussion yesterday I did not use HijackThis to fix the entries as advised by you, since I was trying out a new dat (05-02-03) from Lavasoft this morning, and sure enough, after scanning my office PC again, Adaware identified a further 28 objects (all related to lop.com).

    After cleaning and re-booting, re-scanning with SpyBot & Adaware reveals no more traces of lop.com and upon access to the net there's no more problem of link bar and alteration to the IE Start page.

    Apparently, Adaware finally found a cure to the lop.com issue.

    However, after that I ran HijackThis and found something disturbing, especially the last 2 entries under O17. sbnt.com is associated with the link bar. See the log below.

    Logfile of HijackThis v1.91.2
    Scan saved at 11:07:38, on 06/02/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=485376
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://go.compaq.com/1Q00CDT/0409/bl7.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{93B9F036-55F4-42AF-BF8C-84D8B9CF55CF}: Domain = sbnt.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A6B8AC92-875F-479E-AD85-0620035B9DDA}: Domain = sbnt.com


    Why didn't Adaware identify those 2 entries as well?

    Note :- I'll e-mail your request for fgrthsts.exe after this post. Pls check and let me know whether you receive it.


    Thank you
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi WE Sim,

    I wasn't sure if Adaware would pick up on the O17 entries. That's why I added my PS in my previous post.
    The list of lop.com domains is enormous and more are found/added all the time.
    Thanks for the exe. I'll make sure it gets on the "wanted posters" if it isn't on there yet. :)

    Regards,

    Pieter
     