Removing one of the latest variants of lop.com

Discussion in 'privacy problems' started by Pieter_Arntz, Feb 23, 2003.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    This post is by no means made because I want to avoid helping any of you to remove lop.com infections. Neither is it meant to promote or disqualify any anti-spyware software.

    Actually it is only a warning to steer away from lop.com and to give you an idea of what it changes on your computer.

    First I disabled all resident spyware protection and my firewall so I would not "cripple" the installation.

    In the installer it makes very little difference whether you click Accept, Decline or the red cross in the upper right corner, so no escape there.

    These are the items changed after the installation in my Hijackthis log:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://thko.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://thko.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=thko.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://thko.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://thko.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://thko.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://thko.com/searchbar.html
    O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\bleetrfrzdf.dll
    O2 - BHO: (no name) - {652d61d4-65df-4c4d-8cdf-bdbe9b9342ff} - C:\DOCUME~1\Pieter\APPLIC~1\gllnprgrtrf.dll
    O4 - HKLM\..\Run: [zgrtrl] C:\DOCUME~1\Pieter\APPLIC~1\dhfrstee.exe -QuieT
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thko.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{575C73D2-1A72-4A39-B8F3-1B8B44829DA9}: Domain = thko.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{73C972C2-467E-4772-8FB2-D4D283F6F173}: Domain = thko.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7B52223B-7618-4D0D-9866-5D64F0715A42}: Domain = thko.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = thko.com
    O18 - Protocol: ayb - {07C0D34D-11D7-43F7-832B-C6BB41726F5F}

    Explanation:
    R0 and R1 entries are changes made in the registry to change your IE searchbar, searchpages, startpage, search bar page and search assistant.
    A list of lop.com domains can be found in this thread:
    http://www.wilderssecurity.com/showthread.php?t=7367
    O2 entries are Browser Helper Objects, dll's that are called upon once you open an IE window.
    A list of known BHO's can be found on this site:
    http://www.spywareinfoforum.com/bhos/
    Sometimes toolbars are added as well, listed in HijackThis under O3. A list of known Toolbars can be found here:
    http://www.spywareinfoforum.com/toolbars/
    Don't be surprised if you can't find them there. Lop.com creates random CLSIDs as well as random names for the dll's and its main executable, which can be found under O4. That is the Startup entry. There you will find the only give-away that has been consistently present: the funny looking -QuieT (always capital Q and T).
    The O17 entries are changes to the LSP (winsock2). The wrong way of removing these will cost you your connection to the www.
    The O18 entry is a change in your protocol.

    A short explanation and download links for HijackThis can be found here: http://www.tomcoyote.org/hjt/#quick

    So far the best way to prevent getting infected by lop.com is by using SpywareBlaster, SpywareGuard and Adwatch (part of AdAware Plus + Pro) or Spybot S&D Resident.

    To get rid of lop.com search the entries listed above (taking into account all possible variations) and have HijackThis fix them.
    Then scan your computer for remnants with your favorite spyware cleaner.

    I hope this helps someone.

    Regards,

    Pieter

    Adapted links
    Once more adapted links and added info on toolbars
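The entry types explained in the post above (R0/R1 search and start pages, unnamed O2/O3 DLLs, the O4 Run entry with its -QuieT switch, O17 Tcpip domain settings and an O18 protocol) lend themselves to automatic triage. The Python below is an added example, not code from the original post or from HijackThis: it parses log lines in the HijackThis format and flags the indicators the thread describes. The sample log is constructed from lines posted in this thread plus a few benign entries; the trusted-host allowlist and the set of known protocol schemes are assumptions a practitioner would adjust for the machine being examined.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample modelled on lines posted in this thread, with benign entries
# (Adobe BHO, Yahoo pager, ISP home page) mixed in so the triage has something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://thko.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=thko.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arcor.de
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\bleetrfrzdf.dll
O2 - BHO: (no name) - {652d61d4-65df-4c4d-8cdf-bdbe9b9342ff} - C:\DOCUME~1\Pieter\APPLIC~1\gllnprgrtrf.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: dsbrgrifrof - {be43feb6-3d63-476e-ab6c-90d81c1b8691} - C:\DOCUME~1\ADMINI~1\APPLIC~1\mpreegrylydr.dll
O4 - HKLM\..\Run: [zgrtrl] C:\DOCUME~1\Pieter\APPLIC~1\dhfrstee.exe -QuieT
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programme\Yahoo!\Messenger\ypager.exe -quiet
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thko.com
O18 - Protocol: ayb - {07C0D34D-11D7-43F7-832B-C6BB41726F5F}
"""

# Assumption: hosts the machine's owner chose themselves; any other host in an R0/R1 entry is a hijack.
TRUSTED_HOSTS = {"www.arcor.de", "www.google.com", "www.msn.com"}
# Assumption: schemes registered by IE itself or by common legitimate software.
KNOWN_PROTOCOLS = {"http", "https", "ftp", "gopher", "irc", "file", "mailto", "res",
                   "about", "javascript", "vbscript", "mk", "its", "ms-its", "mhtml"}
_APPDATA_MARKERS = ("applic~1", "application data", "anwendungsdaten")

_R_RE = re.compile(r"^(?P<sec>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<value>.+)$")
_BHO_RE = re.compile(r"^(?P<sec>O[23]) - (?:BHO|Toolbar): (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
_O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<setting>\w+) = (?P<value>.+)$")
_O18_RE = re.compile(r"^O18 - Protocol: (?P<scheme>\S+) - \{(?P<clsid>[0-9A-Fa-f-]+)\}$")


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # why the line was flagged
    line: str     # the original log line


def host_of(value):
    """Host name of an R0/R1 value, which may be a bare domain or a full URL."""
    v = value.strip()
    if "://" not in v:
        v = "http://" + v
    return (urlparse(v).hostname or "").lower()


def in_appdata(path):
    """True when a path points into a user's Application Data folder (short, English or German name)."""
    p = path.lower()
    return any(marker in p for marker in _APPDATA_MARKERS)


def looks_random(filename):
    """Crude check for generated names: a long run of letters with no vowel in an 8+ letter stem."""
    stem = re.sub(r"[^a-z]", "", filename.rsplit(".", 1)[0].lower())
    if len(stem) < 8:
        return False
    return max(len(run) for run in re.split(r"[aeiou]", stem)) >= 5


def triage(log_text, trusted_hosts=TRUSTED_HOSTS, known_protocols=KNOWN_PROTOCOLS):
    """Return the log lines that match the lop.com indicators described in the thread."""
    findings = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        if m := _R_RE.match(line):
            host = host_of(m["value"])
            if host and host not in trusted_hosts:
                findings.append(Finding(m["sec"], f"IE {m['name'].strip()} points at untrusted host {host}", line))
        elif m := _BHO_RE.match(line):
            fname = m["path"].replace("/", "\\").rsplit("\\", 1)[-1]
            if in_appdata(m["path"]):
                findings.append(Finding(m["sec"], "BHO/toolbar DLL loaded from Application Data", line))
            elif m["name"] == "(no name)" and looks_random(fname):
                findings.append(Finding(m["sec"], f"unnamed BHO with random-looking DLL name {fname}", line))
        elif m := _O4_RE.match(line):
            if m["cmd"].endswith("-QuieT"):  # case-sensitive on purpose: the thread's give-away
                findings.append(Finding("O4", "startup entry with the lop '-QuieT' switch", line))
            elif in_appdata(m["cmd"]):
                findings.append(Finding("O4", "startup executable in Application Data", line))
        elif m := _O17_RE.match(line):
            findings.append(Finding("O17", f"Tcpip {m['setting']} = {m['value']}; verify before fixing, a wrong removal breaks connectivity", line))
        elif m := _O18_RE.match(line):
            if m["scheme"].lower() not in known_protocols:
                findings.append(Finding("O18", f"unknown pluggable protocol '{m['scheme']}'", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Running the block on the sample prints eight findings and leaves the Adobe BHO, the ISP home page and the lowercase `-quiet` Yahoo entry alone. The O17 lines are reported for review rather than marked as removable, in keeping with the post's warning about losing connectivity; the random-name check is deliberately a secondary signal, used only together with "(no name)", because short legitimate DLL names also lack vowels.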
  2. spy1

    spy1 Registered Member

    Pieter - Thank you. That's a great 'roadmap' of what to look for if lop were to somehow get past your defenses. Pete
  3. Loki

    Loki Registered Member

    Hi Pieter,

    I have a question about the O18 change on the protocol: ayb, do you know what this does? And if Lop is starting to make changes to the protocol, things are going to get worse fast. Or maybe I'm wrong.

    Loki :cool:
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Thnx Pete,

    Getting it seems to be fairly easy, since they release new versions quite frequently. :(
    Getting rid of it completely (without using Total Uninstall or System Restore) takes me over an hour, and I practice. :D

    Regards,

    Pieter
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Loki,

    I don't know why they chose to make that change or what it does, but I agree it's very invasive. Maybe one of the real experts knows more about that.
    That is not new to this variant however; they've been doing that before.

    Regards,

    Pieter
  6. Loki

    Loki Registered Member

    Thanks Pieter,

    I hope someone knows what that change is doing and why. The protocol is how our computers talk to each other, and to change something there seems Lop might want more than just to make spyware. :mad:

    Loki :cool:
  7. Vampirefo

    Vampirefo Guest

    Back up your registry, before installing anything, then if something like Spyware is installed restore your registry using the back up.
  8. Primrose

    Primrose Registered Member

    Thanks for the work and info Pieter..they sure keep it a moving target and that was a good write-up.
  9. Mike_Healan

    Mike_Healan Registered Member

    That creates a new protocol that Internet Explorer can interpret as the beginning of an address. Lop's software uses it to make IE load content using an ayb://whatever address. CommonName does this, Google does it, mIRC does it, and several other programs do this.

    http://
    https://
    ftp://
    gopher://
    irc://
    file:///
    ayb://
    etc
  10. Loki

    Loki Registered Member

    Hi Mike,

    Thanks :D

    Loki :cool:
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    As a comparison to the first log in this thread, a log made after installing the new version of Messenger Plus (which comes with lop bundled).

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://Q29548.find-quick.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://Q29548.find-quick.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://Q29548.find-quick.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://Q29548.find-quick.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://Q29548.find-quick.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://Q29548.find-quick.com/searchbar.html
    O2 - BHO: (no name) - {7684d979-132a-49cf-a60e-f28e3153c2fd} - C:\DOCUME~1\ADMINI~1\APPLIC~1\mpreegrylydr.dll
    O3 - Toolbar: dsbrgrifrof - {be43feb6-3d63-476e-ab6c-90d81c1b8691} - C:\DOCUME~1\ADMINI~1\APPLIC~1\mpreegrylydr.dll
    O4 - HKLM\..\Run: [kylypr] C:\DOCUME~1\ADMINI~1\APPLIC~1\idjhfrke.exe -QuieT
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = S16009.find-quick.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8CD43687-9479-47D7-A0D8-EDCBB46FDDF9}: Domain = S16009.find-quick.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = S16009.find-quick.com

    I didn't install this one myself, but found it on a reasonably well protected system that had no other spyware on it.
    So this may not be everything lop.com tries to change, but it gives you a good idea of how it has evolved over the last 3.5 months.

    To our dismay other spyware creators have followed their example in randomizing elements, thus complicating the lives of the "good guys" that are trying to keep their prevention and removal software up-to-date.

    This one has also been using:
    O4 - HKLM\..\Run: [winactive] C:\PROGRAM FILES\WINDOW ACTIVE\WINACTIVE.EXE
    to start up the main executable.

    In all known variants the dll's can be found in the Application Data folder. For the older variants the .exe can be found in that folder as well.

    Hope this helps someone,

    Pieter

    Added the winactive startup
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    A new version is being bundled with MessengerPlus.
    These are the changes visible in my HijackThis log.
    NOTE: I'm only posting the lop aka C2Media related entries. I also got Apropos and Autoupdater (PeopleOnPage) entries.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mysearchnow.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html

    O2 - BHO: (no name) - {824F8823-2A01-47F2-EFEF-340566BB814C} - H:\PROGRA~1\HtmGrim\PHONE WIPE.dll

    O3 - Toolbar: Draw audio plus - {E3DC3C46-12C9-0D73-BA34-770CE28F2AE4} - H:\PROGRA~1\HtmGrim\PHONE WIPE.dll

    O4 - HKLM\..\Run: [biasrule] H:\PROGRA~1\abouthide\Platform Bait.exe

    The folder and file names appear to come from a big but limited collection. The CLSIDs are random.

    In the Program Files folder, three folders were added:
    H:\Program Files\abouthide
    Files: AMOK.exe = 32146 bytes
    body grey.exe = 22528 bytes
    For.exe = 135680 bytes
    Platform Bait.exe = 214356 bytes
    H:\Program Files\C2Media
    File: Setup.exe = 7574 bytes
    H:\Program Files\HtmGrim
    Files: PHONE WIPE.dll = 196934 bytes
    antepeak.dat = 6 kb

    Recognition: in the folder where the executable is (listed under O4 in the HijackThis log), you will find one other executable represented by this icon:
    [icon image not preserved] (in my example the body grey.exe)

    HTH,

    Pieter
  13. GotXA

    GotXA Guest

    Hi, I'm having trouble with the http :// mysearchnow . xxx/ toolbar as well. I think it infected my PC after installing mnplus3. Here's my log of HijackThis:
    Can you please tell me what files I should remove, and if I should remove any other files such as program files. Thanks a lot.

    Wilders no longer do HiJackThis logs, edited clickable link.
    Please read Post below ~ TAS
    Last edited by a moderator: Sep 15, 2004
  14. Tassie_Devils

    Tassie_Devils Global Moderator

    Hi GotXA.

    Wilders no longer does HJT logs.


    PLEASE READ HERE

    Please follow the advice given in there, go to the link and pick a forum which handles hijack logs. :)

    Also, read carefully any instructions on the site you choose to follow their HJT guidelines.

    TAS
  15. Thor22299

    Thor22299 Guest

    Anyone can help:

    I've got the pest search.com in my system. What do I need to change with the below log?

    Logfile of HijackThis v1.98.2
    Scan saved at 11:09:48, on 10.10.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\system32\gearsec.exe
    C:\WINDOWS\system32\gearsec.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\GHOSTS~2.EXE
    C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
    C:\Programme\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
    C:\Programme\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\HP\KBD\KBD.EXE
    C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Programme\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\Programme\Messenger Plus! 3\MsgPlus.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Programme\Internet Explorer\iexplore.exe
    C:\Programme\Microsoft Money\System\mnyexpr.exe
    C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Programme\Hewlett-Packard\AiO\hp officejet 5100 series\Bin\hpoant07.exe
    C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Programme\CASIO\Photo Loader\Plauto.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Programme\Yahoo!\Messenger\ymsgr_tray.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Programme\Messenger\msmsgs.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Programme\Internet Explorer\IEXPLORE.EXE
    C:\Programme\ArcorDSL\ArcorDSL.exe
    C:\Programme\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\DOKUME~1\TE\LOKALE~1\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bieyzkmovmciiphd.biz/FR9ZWejoKDMZYRYQM0s/S4IbMPZ51spuzRD0RmofFiU.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arcor.de
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.cmhflmtrulvvxqiaacnznky....iPDTtuiDx_t3faHNrN1INs5Vt2AYJJkBMJG4LEoz.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer von Arcor
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Programme\Microsoft Money\System\mnyside.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programme\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.2001.0001\en-gb\msntb.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {E57021D4-11DA-84BF-A794-7BF003484AE0} - C:\PROGRA~1\SAVEST~1\tons shim.exe
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.2001.0001\en-gb\msntb.dll
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Programme\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~4\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [AcctMgr] C:\Programme\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programme\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programme\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [msnappau] "C:\Programme\MSN Apps\Updater\01.02.0002.1001\en-gb\msnappau.exe"
    O4 - HKLM\..\Run: [Morecurb] C:\PROGRA~1\1rdrdoes\DEFY ROAD.exe
    O4 - HKLM\..\Run: [new body cash window] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Ballarmynewbody\OBJFILM.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Programme\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programme\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HPAiODevice(hp officejet 5100 series) - 1.lnk = C:\Programme\Hewlett-Packard\AiO\hp officejet 5100 series\Bin\hpoant07.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Photo Loader resident.lnk = C:\Programme\CASIO\Photo Loader\Plauto.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Programme\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
    O9 - Extra button: Hot Video - {FFB51760-344E-4FFB-BFFF-4B18C7AC1D63} - C:\WINDOWS\System32\ShellExt\SYSCNTR.EXE (file missing)
    O12 - Plugin for .tif: C:\Programme\Internet Explorer\PLUGINS\npqtplugin3.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.arcor.de
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://dl.dialerssolution.com/cax.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8F1821FB-6E81-45E5-B442-A4179A7E67E4}: NameServer = 145.253.2.203 145.253.2.81
  16. dvk01

    dvk01 Global Moderator

    This thread is now closed

    Thor22299 - WILDERS DOES NOT DO HIJACK LOG CLEANING any longer

    see post 14 for alternative sites that do

    To remove the LOP infection:
    Click here to download the LOP uninstaller. Close all browser windows and run the uninstaller.

    When it is finished restart your computer.

    If you cannot get to that site then it is also available here: http://www.thespykiller.co.uk/files/lopremover.exe
    Last edited by a moderator: Oct 10, 2004