Hi! I got a PC in my office that's loaded with lop.com (a spyware). It alters the start page and loads a bar with links to many porn sites etc. I'm aware that software like Ad-aware or SpyBot S&D can remove it (I'm using such software at home). However, office policy prohibits the installation and use of 3rd-party software. So, the questions are: 1) where is this lop.com file(s) residing, 2) what is the filename(s), and 3) how to remove it from the hard disk/registry completely? The office PC is using Office XP (Home Ed), which I'm not familiar with. (I'm using W2K at home.) Thanks
Sorry! "The office PC is using Office XP (Home Ed) which I'm not familiar with. (I'm using W2K at home)" should read Win XP (Home Ed) instead of Office XP (Home Ed). This is a typical situation where, even if you know of software that can do the job, you're tied to the old-fashioned way of digging out the responsible files and registry entries that are causing the problem. Thanks again.
Hi WE Sim, Would it be allowed to run HijackThis on that computer? This program is not really an install that would cause any problems, and removing it is as easy as dragging it to the Recycled folder. To give you an idea what you're up against: http://www.spywareinfoforum.com/yabbse/showthread.php?t=2334 Regards, Pieter
Hi Pieter_Arntz! Thanks for the rapid reply. I think I'm going to faint after reading the long info from the link. I thought Ad-aware and/or SpyBot would do a clean job, but apparently they don't. There was also mention of removing MSN Messenger. I don't think this could be done, as Hotmail/Outlook Express via MSN Messenger is being used. I just downloaded and tried HijackThis v1.91 on my own laptop and it discovered 100+ hijacked domains which HijackThis recommends fixing. Should I do it? I mean all of them? So, what am I supposed to look for if HijackThis is to be installed on my office PC? Thanks
Hi WE Sim, Spybot S&D and Adaware 6 (NOT 5.83) will do a clean job on lop.com. I just gave you a link to a thread where they were fighting a new variant, so you would have an idea how widespread this will be on the infected computer. As to running HijackThis on your own computer: I think you're reading the logs wrong, but I'd have to see them to make sure (feel free to post them or mail them to me). If you're using a hosts file, for instance, you could get a lot of entries. Regards, Pieter
Hi Pieter_Arntz! While scanning my laptop with HijackThis, a pop-up alert stated: "You have an particularly large amount of hijacked domains. Its probably better to delete the file itself then to fix each item (and create a backup). If you see the same IP address in all the reported 01 items, consider deleting the Hosts file, which is located at C:\WINNT\system32\etc\hosts" Attached is the log file from the HijackThis scan I just ran:

Logfile of HijackThis v1.91.2
Scan saved at 4:10:23 PM, on 01-Feb-03
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://sg.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=proxy.mystarhub.com.sg:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\utilities\adobe acrobat v5.x\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - D:\Utilities\FlipAlbum Pro 5.x\FpLaunch.dll
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - d:\UTILIT~1\ADSHIE~1.2X\AdShield.dll
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Utilities\NAV2003 Pro\NAV2003\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG_CC] D:\Utilities\AVG v6.x\avgcc32.exe /startup
O4 - HKLM\..\Run: [CP51NBtn] D:\UTILIT~1\EZButton\CP51NBtn.EXE
O4 - HKLM\..\Run: [Fix-It AV] D:\UTILIT~1\ONTRAC~2.X\MemCheck.exe
O4 - HKLM\..\Run: [Outpost Firewall] D:\UTILIT~1\OUTPOS~1\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [tcactive] D:\Utilities\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] D:\Utilities\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\UTILIT~1\NAV200~1\NAV2003\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [PestPatrol Control Center] D:\Utilities\PestPatrol Corp v4.1.x\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] D:\UTILIT~1\PESTPA~1.X\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] D:\UTILIT~1\PESTPA~1.X\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [VCDPlayer] D:\UTILIT~1\VIRTUA~1.1\System\VCDPlay.exe
O4 - HKLM\..\Run: [Ad-watch] D:\Utilities\Ad-aware Plus v6.x\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [SpyCop ScanCheck] D:\Utilities\SpyCop Corp v5.x\MAIN.EXE /LASTSCAN
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [TextAloud] D:\Utilities\TextAloud MP3\TextAloud MP3\TextAloudMP3.exe -auto
O4 - Startup: Atomica.lnk = D:\Utilities\Atomica\Atomica Client\Atomica.exe
O4 - Startup: Shortcut to NetPerSec.lnk = D:\Utilities\NetPerSec v1.1\NetPerSec.exe
O4 - Startup: BHO Cop.lnk = D:\Utilities\BHOCop v1.x\BHOCop\BHOCop.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Holiday Lights.lnk = D:\Utilities\Holiday Lights v5.3\Holiday Lights\Holiday Lights.exe
O4 - Startup: TrayPlt.lnk = D:\Utilities\Tray Pilot Lite 1.10\Tray Pilot Lite\TrayPlt.exe
O4 - Startup: SpClDlx.lnk = D:\Utilities\Speaking Clock Deluxe v3.06c\Speaking Clock Deluxe\SpClDlx.exe
O4 - Startup: SpywareGuard Control Panel.lnk = D:\Utilities\SpywareGuard\SpywareGuard\spywareguardcp.exe
O4 - Startup: invipro4.lnk = D:\Utilities\Invisible Pro v4.x\invipro4.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Utilities\Adobe Acrobat v5.x\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Utilities\Office XP\Office10\OSA.EXE
O4 - Global Startup: ORiNOCO Client Manager.lnk = D:\Utilities\LT Orinoco\CMLUC.EXE
O4 - Global Startup: Ulead Photo Express Calendar Checker For My Custom Edition.lnk = D:\Utilities\Mini2 Digital Camera\Ulead Photo Express\CalCheck.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Bluetooth Connection Manager.lnk = D:\3COM Bluetooth Print Kit\BTCM.exe
O8 - Extra context menu item: &Maintain Block List... - d:\UTILIT~1\ADSHIE~1.2X\maintain.htm
O8 - Extra context menu item: Add to &Block List... - d:\UTILIT~1\ADSHIE~1.2X\suppress.htm
O8 - Extra context menu item: AdShield Option &Settings... - d:\UTILIT~1\ADSHIE~1.2X\settings.htm
O8 - Extra context menu item: Atomica... - file:\UTILIT~1\ATOMICA\ATOMIC~1\Html\griemenu.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\UTILIT~1\OFFICE~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AdShield (HKCU)
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37581.1197222222
O16 - DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw9fd.law9.hotmail.msn.com/activex/HMAtchmt.ocx

Please comment. Thanks
Hi WE Sim, What I see in your hosts file is a reasonably normal list of favorites (I'm guessing you used FastNet99 to merge it with a restricting hosts file?). Nothing wrong with that. If you don't have any problems I see no reason to change it. You can check those and then ignore them, so they don't show up in every scan. Regards, Pieter
Hi Pieter_Arntz! You were right to say that I used FastNet99. It was a long time ago that I removed FastNet99 from my system. However, if HijackThis were to be installed on my office PC, what am I supposed to look for? I would like to learn more about HijackThis. Is there an online manual or help file for it? I suppose the removal of the lop.com spyware still has to depend on SpyBot and/or Ad-aware? Thanks
Hi WE Sim, I am not aware of any on-line manual for HijackThis. There is a short description of the codes in the Help file. You could ask any specific questions on HijackThis at the board of SpywareInfo, where Merijn (the creator of HijackThis) hangs out. On this board you can find Tony's list of BHOs (updated weekly) to see if what you have under O2 is harmful or not. Using Adaware 6 or Spybot S&D to remove Lop.com is the easiest way and I would recommend doing so. It is not something you can easily get rid of yourself. Regards, Pieter
Hi Pieter_Arntz! Sorry for not replying, as I was waiting for Adaware Personal v6 (build 160) to be released before carrying out further tests. OK! I downloaded it this morning (I'm posting at home now) and, together with SpyBotSD (with the latest dat), cleansed my office PC thoroughly many... many... countless times with reboots in between. The final result is: after each reboot, Spybot reported C2.lop:IE Start page, and Adaware reported 2 Registry values identified:
1) Possible Browser Hijack attempt: "http://sbnt.com/..."
2) AdvertBar: "http://sbnt.com/..."
That's great! Even the latest dats from these 2 programs could not get rid of lop.com. I did a scan using HijackThis (after cleaning with the 2 programs) and the log is as shown below. I suspect the last 2 entries are the culprits and need to be fixed by HijackThis. What do you think? Here's the log:

Logfile of HijackThis v1.91.2
Scan saved at 18:06:47, on 05/02/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://go.compaq.com/1Q00CDT/0409/bl7.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [xwean] C:\DOCUME~1\CPTAN\APPLIC~1\fgrthsts.exe -QuieT
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93B9F036-55F4-42AF-BF8C-84D8B9CF55CF}: Domain = sbnt.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6B8AC92-875F-479E-AD85-0620035B9DDA}: Domain = sbnt.com

Are there any more entries that I need to fix? If the problem is solely due to these 2 entries, why didn't Adaware & SpybotSD fix them as well? Thank you, and I need your advice so that I can go to my office tomorrow to solve the problem.
Because it starts up every time, and I think it's due to this key:
O4 - HKLM\..\Run: [xwean] C:\DOCUME~1\CPTAN\APPLIC~1\fgrthsts.exe -QuieT
Kill that one, reboot and then scan again. I would like you to mail me that fgrthsts.exe please. Regards, Pieter PS Since you do have HijackThis running, have it fix the two O17 entries as well.
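The two entry types Pieter singles out above, an O4 autorun launched from a user's Application Data folder and the O17 Domain entries, can be picked out of a HijackThis-style log automatically. The following Python script is an added example, not code from the thread or from HijackThis itself; the sample lines are constructed from the entries quoted in the thread, and the regular expressions are my own assumptions about the log format.

```python
"""Triage a HijackThis-style log for the entry types discussed in the thread.

Added example: flags O4 autorun entries whose executable lives under a user
profile's Application Data directory (as fgrthsts.exe did) and any O17 entry
that sets a per-adapter DNS domain suffix in the registry.
"""
import re

# Constructed sample log, built from entries quoted in the thread.
SAMPLE_LOG = "\n".join([
    r"O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe",
    r"O4 - HKLM\..\Run: [xwean] C:\DOCUME~1\CPTAN\APPLIC~1\fgrthsts.exe -QuieT",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{93B9F036-55F4-42AF-BF8C-84D8B9CF55CF}: Domain = sbnt.com",
    r"O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab",
])

# Assumed shape of the two entry types (HijackThis 1.9x style).
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.*?): Domain = (?P<domain>\S+)$")

# A legitimate installer rarely places an autorun binary in a user profile's
# Application Data folder; both the 8.3 short form and the long form are matched.
PROFILE_DATA_RE = re.compile(
    r"\\(DOCUME~1|Documents and Settings)\\[^\\]+\\(APPLIC~1|Application Data)\\",
    re.IGNORECASE,
)


def command_path(cmd: str) -> str:
    """Return the executable path of an O4 command line, dropping its switches.

    A quoted path is taken whole; otherwise the text up to the first ".exe"
    followed by whitespace (or end of line) is treated as the path.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(log_text: str) -> list:
    """Return a list of findings, one dict per suspicious O4 or O17 line."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            path = command_path(m.group("cmd"))
            if PROFILE_DATA_RE.search(path):
                findings.append({
                    "type": "O4", "name": m.group("name"), "path": path,
                    "reason": "autorun launched from a profile's Application Data folder",
                })
            continue
        m = O17_RE.match(line)
        if m:
            findings.append({
                "type": "O17", "domain": m.group("domain"),
                "reason": "per-adapter DNS domain suffix set in the registry",
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Entries such as the Norton and Messenger autoruns in the sample pass through untouched; only the xwean entry and the sbnt.com domain are reported.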
Considering they have a trojan, I think they could see their way fit to allow a program on long enough to remove it. Or is the person responsible for that decision really that dense? Anyway, the best source of removal instructions is Andrew's site http://www.doxdesk.com/parasite/lop.html I used to have a good page on lop, but I got tired of updating every time they update. Spybot generally kills every version of lop and I have other things to do.
Hi Mike Healan! What I noticed from many companies here is that generally they do have firewalls and anti-virus software, but beyond that, when it comes to spyware, web bugs, malicious cookies etc., the IT dept is hardly interested; after all, they don't destroy data or corrupt the hard disk. Of course, this may change the thinking of the management when one such evil creates havoc one day. In addition, the installation and use of 3rd-party software has to go through the IT dept's approval, as some companies do have audits on the PCs to ensure no external non-approved software is installed and used.
Ah, that's your solution. Just explain to them that lop.com is "external non-approved software" and then watch how fast they move to rip it out. They wouldn't want anyone to get away with having unapproved software, now would they?
Hi Pieter_Arntz! Sorry for the late posting, as it was difficult to access this forum this morning. After the discussion yesterday I did not use HijackThis to fix the entries as advised by you, since I was trying out a new dat (05-02-03) from Lavasoft this morning, and sure enough, after scanning my office PC again, Adaware identified a further 28 objects (all related to lop.com). After cleaning and re-booting, re-scanning with SpyBot & Adaware revealed no more traces of lop.com, and upon accessing the net there's no more problem of the link bar and alteration to the IE Start page. Apparently, Adaware finally found a cure to the lop.com issue. However, after that I ran HijackThis and found something disturbing, especially the last 2 entries under O17. sbnt.com is associated with the link bar. See the log below.

Logfile of HijackThis v1.91.2
Scan saved at 11:07:38, on 06/02/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=485376
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://go.compaq.com/1Q00CDT/0409/bl7.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93B9F036-55F4-42AF-BF8C-84D8B9CF55CF}: Domain = sbnt.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6B8AC92-875F-479E-AD85-0620035B9DDA}: Domain = sbnt.com

Why didn't Adaware identify those 2 entries as well? Note: I'll e-mail your request for fgrthsts.exe after this post. Please check and let me know whether you receive it. Thank you
Hi WE Sim, I wasn't sure if Adaware would pick up on the O17 entries. That's why I added my PS in my previous post. The list of lop.com domains is enormous and more are found/added all the time. Thanks for the exe. I'll make sure it gets on the "wanted posters" if it isn't on there yet. Regards, Pieter