Can't get rid of LOP toolbars from IE

Guest

I've posted this problem earlier but lop.com toolbars are still appearing. I
tried Engel's solutions with no success. Anyone out there got a solution that
works?

Thanks
Peter
 
Dave M

I just googled "lop toolbar remove". Some of the results could be scams (watch
out); SpyFerret is rogue. Ad-Aware and Spybot both claim to detect and remove lop,
perhaps not this variant though.

There's an extensive manual removal technique listed on this site...
http://www.doxdesk.com/parasite/lop.html

And Symantec has a semi-automated one that involves having a Symantec security
product installed. The problem is there are lots of lop variants:
http://securityresponse.symantec.com/avcenter/venc/data/adware.lop.html

This might be your best bet, courtesy of Andy Manchesta:

--LOP is most often transmitted by the program Messenger
Plus! 3. Do you have Messenger Plus installed?

If you still do have it installed, please uninstall it
completely from Start -> Control Panel -> Add/Remove
Programs and remove Messenger Plus, including the
Sponsor program, then restart your computer.

LOP do make an uninstaller available on their site which has removed
the infection for users in the past, but it's not common
practice to use tools to remove infections created by
the people who created the infection. Can we really trust
a Lop uninstaller made by the people that stealthily
installed lop on the computer in the first place??
Obviously people's opinions on this will differ slightly,
but the majority of us will not use it.

If you have problems and don't want to use their
uninstaller then use Hijack This.

LOP variants can be difficult to remove without seeing a
Hijack This log because each install is different and
they make random names up, so you can never predict what
the files will be called on a system. If needed, download
Hijack This.

Save it to your desktop or C: drive.

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Choose to run a scan and save the log.

Lop also likes to "write" to the Enumerating Task
Scheduler jobs.

That's easy enough to see in a Startuplist log from HJT.

To get a Startuplist log from HJT:

Open Hijackthis and click "Open the Misc Tools section".
Next to "Generate StartupList log", place a check next
to "List also minor sections" (full) and "List empty
sections" (complete).
Then click "Generate StartupList log".
Click "Yes" to the box that pops up.

Then copy and save the notepad text. Andy might want you to
email him these logs if he sees this... alternatively you could post on a
HijackThis forum like:
http://forums.spywareinfo.com/
http://forums.tomcoyote.org/
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/ or the Spyware forum at
http://aumha.net/viewforum.php?f=30
Regards, Dave
 
Dave M

Hi Again Peter;
News flash... I just upgraded my Webroot SpySweeper to Version 4.5, and they
have a 15 day free trial... Here's what they say:
http://www.webroot.com/consumer/products/spysweeper/

What's New in Spy Sweeper 4.5
Comprehensive Removal Technology eradicates the nastiest spyware programs
including CoolWebSearch, CommonName, LOP, and more

Maybe you should give it a try and tell us if that worked... might be the
easiest solution of all, and since I use it I'm curious certainly, but I think
Andy's suggestion of removing the Messenger Plus, if you have it, is still a
good first option for you, as well as running any A-S in SAFE mode with full
deep scans to remove LOP. SpySweeper is a highly regarded reputable product.
 
Guest

Hi Dave,
Thanks for your help.
I installed Spy Sweeper. After running Sweep it identified lop variants and
removed them, but when I tried running Safe Mode it hung on 'agp440.sys'. I
disabled it and this time Safe Mode hung on 'mup.sys'. I ran Spy Sweeper
again on normal boot and it blocked lop.com from changing IE. It looks like
lop is still in the system!!!

What do I do next? Please help!!! How do I get into Safe Mode?

Peter
 
Dave M

Hi again Peter;
If it's not one thing it's another, eh?

This getting into Safe boot mode problem is one you should probably resolve for
"next time", but it's complex with lots of suggested solutions, from video driver
updates (monitor screen drivers) to re-installing Windows to changing the
BIOS... hard to nail down precisely and maybe depends on the hardware you're
running. Let me just post this forum URL so you can look at it in detail later:
http://ftp.sandpile.org/post/msgs/20002583.htm

Making sure I understand you... You ran SpySweeper 4.5 in normal boot mode, full
deep disk scan, twice and it claimed to remove LOP and it did block it from
changing IE for you, but you're pretty sure LOP is still around right? If so,
you need to tell us why you believe so, and by the time you get this you'll have
re-booted, so it's possible things could have changed after the last boot.
Have you used Control Panel > Add/Remove programs to remove SpyFerret and
Messenger Plus! (if you had it installed; you need to tell us)... both of
which could be involved with the infection and/or re-infection?

Running AV Scans in Clean boot mode:
The purpose of this is to prevent malware from running in memory and locking files
that we want to remove.
#########IMPORTANT#########
Show hidden files and run all of the following removal tools from Safe mode
or a "Clean Boot" when possible, logged on as an Administrator. BEFORE
running these tools, be sure to clear all Temp files and your Temporary
Internet Files (TIF) (including offline content.) CCleaner's Cleaning function
helps with this:
http://www.ccleaner.com

HOW TO Enable Hidden Files:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

Since you can't get to Safe boot mode without a lot of work, try a Clean boot
instead of Safe, only it's slightly more complex:
310353 How to Perform a Clean Boot in Windows XP:
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000:
http://support.microsoft.com/kb/281770/EN-US/
Now you should be able to run SpySweeper and MSAS full deep scans without your
Safe mode problem, and you probably should run both until there's no more
detection of LOP. If this doesn't work after a few runs, I think we need to use
Andy's procedure for dealing with LOP infections in my original reply. So
please get back with your details.

One other thing, could you use My Computer to look in C:\Windows\system32 and
see if a file is in there from SpySweeper named ssiefr.exe. I'd like to know if
it's in the trial version of SpySweeper 4.5. If you pass your cursor over the
file it will say it's SpySweeper Early File Remover.
 
Dave M

Hi Peter;
Troubleshooting over different time zones is a royal pain. I'd hoped by now you
had been able to follow the Clean boot & SpySweeper details from my prior post,
but I don't think it's going to happen that quickly. Unfortunately, I have to
leave for the weekend very soon. I notified Andy Manchesta that you're still having LOP
problems and he's following this thread. Andy just ran through LOP
removal using SpySweeper as installed by Messenger Plus! 3. SpySweeper 4.5
reported back to him, and required him to reboot his machine for the remainder
of its removal process. Although your LOP could be another variant, I'd expect
the process to be similar for you. What I'm not sure about is if your inability
to get to Safe might affect this re-boot technique. You're getting close, I can
tell you that much, although you might have to perform some manual clean-up
after SS finishes its work, due to the way the LOP installation names its
components with random names. I'll check back in on Monday to see how you're
making out.

Good luck, Peter.
 
Guest

Hi Dave,
Thanks. Yeah, it's difficult and a pain. I was going to reply after I've done
what you mentioned; I'm actually doing it at the moment. The Clean Boot
didn't allow me to disable win.ini, need to be Administrator (XP Pro). I
tried running SpySweeper but got the error "The Spy Sweeper installation has been
damaged. Please reinstall the product."

Going backwards, the lop toolbar showed up again this morning (my time) and
the only way to close it was ctrl-alt-del and stop iexplorer in the task
manager. It's a real pain in the #$%! I will login as Administrator and try
again with clean boot and will let you know of the outcome.

Peter
 
Guest

Hi Dave,
BTW, my pc is a DELL Dimension 8300 running XP Pro and Office 2003. Outlook
is also affected by lop: the lop search and links toolbars appeared.
I reinstalled SpySweeper (after uninstall) in Clean Boot with win.ini enabled
and it's running Sweep at the moment. So far, adware 'cws-aboutblank' and
'2o7.net cookie' spy cookie found.

Peter
 
Guest

Hey Peter

Sounds like you got a few problems there. If you have your Windows disk it's
probably a good idea to start with the System File Check feature to make sure
you don't have damaged or corrupt system files.

Insert the Windows disk into the drive and then goto Start Menu then Run and
type

SFC /SCANNOW

remember the space after SFC and let it check all your system files, as it
will repair any that are damaged or corrupt using the files from your disk.

Next, for LOP: I'm still not sure if you have MessengerPlus. If you do, please
uninstall it using the Add/Remove screen and remove both Messenger Plus and
the Sponsor program. If you do not have MessengerPlus but used to have it, let
us know. If you have a different variant of LOP, check your Add/Remove screen
for these:

Lop.com
LOP SEARCH
Window Searching
Window Active
Browser Enhancer
Ultimate Browser Enhancer
Search Plugin

Remove any found. You may also be able to locate a globe type icon in the
bottom right hand corner of your screen (near the clock); right click on it
then click Menu. From the main menu you will see a help button on the top
right hand corner. Click the help button then choose 'uninstall'.

LOP strings random names together so it's always difficult to help without
seeing a Hijack This log to show the entries, but Spysweeper did well
yesterday when I ran LOP on my test machine. It did leave a couple of
entries in place, though. This was where the LOP entries were on my system:

C:\Documents and Settings\Andy\Application Data\comphole\Fork Build.exe
C:\Documents and Settings\Andy\Application Data\Dashproxybird\AudioDateWait.exe
C:\Documents and Settings\Andy\Application Data\Dashproxybird\live trans.exe
C:\Documents and Settings\Andy\Application Data\Dashproxybird\SpamNurbEggsFive.exe
C:\Documents and Settings\Andy\Application Data\Dashproxybird\nwjhmqam.exe
C:\Documents and Settings\All Users\Application Data\1fragdeadtick\dalethe.exe

You need to enable hidden files and folders to view the Application Data
folders. Go to C:\Documents and Settings, then go to 'Tools' on the top bar and
choose 'Folder Options'. Go to the 'View' tab and place a check next to "Show
Hidden Files and Folders".

There were also Registry Run commands to start these files on reboot, and a
hijacked IE search page and BHO entry; this was where Hijack This was useful
to remove them.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://www.jmnyhtxmpmwhu.net/jAf4esK8Zzh1Pu0kDCYTvXHzH4bDxBzE13gPyHFr8EQYTk1dHGqcZShEKYRGKYXp.html

O2 - BHO: (no name) - {C9EA44CF-47B5-EA81-035A-66C7313A7BA8} - C:\DOCUME~1\ANDY\APPLIC~1\comphole\Fork Build.exe

O4 - HKLM\..\Run: [DeadTickMfcdEach] C:\Documents and Settings\All Users\Application Data\1fragdeadtick\dalethe.exe

O4 - HKCU\..\Run: [Pluspile] C:\DOCUME~1\ANDY\APPLIC~1\DASHPR~1\live trans.exe

If you have problems and cannot find a way to uninstall LOP download Hijack
This

http://www.spywareinfo.com/~merijn/files/HijackThis.exe

First save it in a convenient permanent folder such as C:\HJT\, then extract
and run Hijack This. Choose to do a 'system scan and save the logfile'; when
it's finished scanning it will open the results in notepad. If you need help,
send that log to my email and I will let you know what needs removing
([email protected]).

I noticed Dave made a reference to Spy Ferret. If you have that also, please
uninstall it using the Add/Remove screen and remove its folder from the
C:\Program Files area.

Next Download these

Please download, install, and update the free version of ewido security suite

http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background
guard" and "Install scan via context menu". Click on Update in the left menu,
then click the Start update button. After the update finishes, close Ewido.

Download Ccleaner

http://download.ccleaner.com/download124bin.asp

Download Intermute's CWShredder from here:

http://cwshredder.net/bin/CWShredder.exe

This would be best running in safe mode but if you cannot boot to safe mode
run them in normal mode with all other IE browser windows closed.

Run Ewido again.

From the main menu click on 'scanner' then click 'Complete System Scan'
When Ewido finds something, it will pop up a notification. Select "Remove"
and check the boxes "Perform action with all infections" and "Create
encrypted backup", then click on OK. When the scan finishes, click on "Save
Report" and save it to your desktop or C: drive in case you need it again.

Run SpySweeper Again and remove anything found

Run CWShredder and click "Fix" to remove the CWS infection if it exists.

Run Ccleaner and press "Run Cleaner"

Close all open browser windows and go to Start Menu > Control Panel >
Internet Options. Next go to the Programs tab and press "Reset Web Settings",
include the homepage, then click Yes. Then go back to the General tab and
enter the homepage you wish to use into the space provided, then press Apply.

With your problems getting to safe mode it's hard to know what's causing this.
agp440.sys is referring to the Advanced Graphics Port; possibly a conflict
somewhere, or the video card needs updating as it's not compatible with Windows in
some way. The other option may be a repair install of Windows, but with it
freezing at agp440.sys it may not be freezing on that but having problems
with whatever comes after that in the safe mode boot process.

Here's a couple of support pages, but it's hard to know if these pages are any
help for this issue.

http://support.microsoft.com/default.aspx?scid=kb;en-us;324764
http://support.microsoft.com/kb/307654/

Let us know how you get on

Regards

Andy
 
Guest

Hi Andy,
Thanks. It looks like a lot to do... but I won't have access to the PC until
Monday. I will get back to you then on the results. My question is, why can't
some authority shut down lop.com, messenger plus and spyferret? Especially
when they make it almost impossible to remove... hundreds of variants. The
list you gave me is similar to mine with different file names or variants. I
will make a point to keep the logs.

Peter

 
Guest

Hi Again Peter

I agree it's crazy that these companies can infect users but no one can touch
them. They operate within the law it seems, although it must be very
borderline, and they would always defend themselves by saying they show a
clear Terms Of Service or End User Licence Agreement before installation. We
all know the EULAs and TOS are usually hidden in setup pages or pop ups and
often overlooked when we install programs we believe to be genuine. This is
how these companies make a lot of money: by giving the impression that whatever
the software is would benefit the user, with lines like "click for free
screensavers" or "browser enhancements", when in reality the software could be
got from an alternative source without the adware included. Some of the
downloads are really taking advantage of people, where they pop up a box to
download a plugin or enhancement but the allow box is already checked and it
doesn't show what it's checked for, then they have a large part to click on to
close the pop up window; by doing that you then agree to the install, and once
they get on the system it can be very difficult to get them off again. They
would probably just blame it on one of their affiliates and say they
suspended the account, so it's hard to prove it's not most of the time.

Messenger Plus in itself is clean and not a problem, but it's sponsored by
C2Media, which is the LOP infection, so it cannot be recommended. Plus the setup
screen is worded like "Yes Thankyou Please Install Messenger Plus With the
Sponsor" or "No I Refuse To Give My Support", which can be easily overlooked,
and novice users may click the first option thinking that's agreeing to
install MessengerPlus, but then it also installs LOP. That variant is not that
difficult to remove, but if antispy scanners remove some of it, as the user
doesn't connect it with Messenger Plus, then the Uninstall feature can go
corrupt and not be able to remove the infection. The Messenger Plus program
in itself is fine as long as users remember not to accept the sponsor. I
cannot see why anyone would agree to have the LOP infection installed, so this
is why they make it hard for novice users to understand that's what the
Sponsor is.

SpyFerret is just a rogue remover full of false positives to goad the user
into buying the application to remove threats that do not exist. I tested it
myself last week and it was saying I had Adware and Spyware on a clean
machine. I've also had two infected warnings when scanning the SpyFerret setup
file at Jotti's malware scan site (http://virusscan.jotti.org/) by different
AV companies in the past, and although they could be false positives it's not
often an antivirus vendor would detect an antispy scanner as infected. The free
scanner from SpyFerret now requires the user to run a reg fix on the system
first to change registry settings, then the free scanner can be installed, so
it's certainly not a recommended remover and has been on Eric Howes' Rogue list
for a long time because it's possibly using a stolen database from Spybot
Search & Destroy (http://www.spywarewarrior.com/rogue_anti-spyware.htm). As
you can see from his list it's just one of many, and new ones are always being
released.

With the steps I posted in the last reply, they shouldn't take you long to get
through. Ewido says it's a 14-day trial but it works fine after that expires (it just
stops the real time protection and auto updates), so it's worth keeping on the
system. CWShredder is just because Spysweeper detected about:blank, but it
could require more tools if it really is CWS HomeSearch. CWShredder will
only take 20 seconds to run so it's nice and fast and will let you know if
there is a problem with CWS; same with Ccleaner, that will just remove all
temp and unused files from your system so will not take long to run. The MS
Support pages I wouldn't go into at this stage. Running SFC /SCANNOW may be
able to repair the problem; also check if your video card has any recent
driver updates (Nvidia/ATI etc..).

Andy
 
Guest

Thanks Andy. I got a bad fever and will not be at the office to run the test.
But here are the results from running Clean Boot using Administrator. Lop did
not show up when all the processes were disabled. Only when "Load Startup
Items" was enabled did LOP show up again. This time I ran Sweep and it
found LOPDOTCOM and LOP cache. It was cleaned by Sweep, but the lop toolbars
appeared again when I ran IE and Outlook.

Do you think that one of the startup apps is causing problem? Here's the
list of startup files:
1. PrevX Firewall
2. AVG Antivirus (licensed)
3. Microsoft AntiSpyware

The PrevX firewall can't seem to prevent the changes to IE and Outlook when
I click on 'deny'. Occasionally, MSAS would also come up with the message to
allow or deny changes to IE.

I'm not sure what to do next...

Peter
 
Guest

Hi Peter

Hope your fever passes and you're feeling well again soon.

At this stage we are best using Hijack This, as it's clear the scanners are
having problems with this, so it could be a long process if we cannot see the
LOP entries first. Once we know what they are called and where they are saved
it will not take us long to remove them. Here's the steps we will be taking
to remove LOP; it may look complicated but the instructions will be clear and
easy to follow for each area. They are just mixed up now so it may look like
a lot of work :)

First we use Hijack This and get a log also get a log of all the add/remove
screen entries so we can remove what we can using that if any problems are
shown.

When dealing with malware in normal mode, any antispy programs with real time
protection should be disabled as they can interfere with the fixes and
prevent registry changes which are needed to remove the junk. This includes
SpybotSD TeaTimer, SpywareGuard, Microsoft AntiSpyware Real-time Protection,
AdWatch, SpySweeper, SpywareDoctor etc... When fixing in safe mode this step
isn't required because the real time features are not running, so they do not
need to be disabled.

What we do with Hijack This is first fix the O4 Run commands for the junk
and any other obvious problems, then reboot into safe mode. Because it's in
safe mode and we removed the Run commands for the adware/spyware, they cannot
start up with Windows, so then it's very easy to remove the infected files as
they are not running on the system.

With LOP it also writes to the Enumerating Task Scheduler jobs, so this is
something else we need to remove to clean up (you don't need to use this now,
it's something we can do later). Again this is a simple process: all we do is
open notepad and save this into it:

REM List everything in the Tasks folder; /a shows files of every attribute,
REM including the hidden .job files LOP creates, and writes the list to files.txt
dir %Windir%\tasks /a > files.txt
REM Open the list in notepad
notepad files.txt

Save as type *all files and call it Find.bat and save it to your desktop,
double click it and it will then open a text like this in notepad:

 Directory of C:\WINDOWS\tasks

09/04/2004  22:23    <DIR>          .
09/04/2004  22:23    <DIR>          ..
18/08/2001  20:00                65 desktop.ini
12/03/2005  19:31               342 FRU Task #Hewlett-Packard#hp psc 1200 series#1097605884.job
01/10/2005  14:00               268 AE1C853490B339C0.job
01/10/2005  14:00               272 87AB47859A2CE899.job
01/10/2005  14:00               268 A2CF8D4D91243E6D.job
01/10/2005  14:00               268 914E0EDF9A15A8EF.job
               6 File(s)          1,489 bytes

The 16 digit .job entries in this list are all from LOP so to remove them
you would open Notepad again and save this into it.

REM Switch to the system drive and into the Tasks folder
%systemdrive%
cd C:\WINDOWS\Tasks
REM Clear the read-only, system and hidden attributes on each job so del can remove it
attrib -r -s -h AE1C853490B339C0.job
del AE1C853490B339C0.job
attrib -r -s -h 87AB47859A2CE899.job
del 87AB47859A2CE899.job
attrib -r -s -h A2CF8D4D91243E6D.job
del A2CF8D4D91243E6D.job
attrib -r -s -h 914E0EDF9A15A8EF.job
del 914E0EDF9A15A8EF.job

Save as type *all files, call it remove.bat and double click it, and that
removes the entries. (These are random so you could have more or less and they
could be any name, so we can look for them after removing the LOP files and
Registry entries.)

Here's The instructions and links for Hijack This again if you need them :

Download Hijack This

http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Save it in a convenient permanent folder such as C:\HJT\, double click
HijackThis.exe, and press "System Scan and save the logfile" It will then
scan your system and open the results in notepad and also save the results
into the Hijack This folder, Send that to me via email as it will be a large
log to post on here. Most of what it lists will be harmless or even
essential, don't fix anything yet.

Also get an uninstall list using Hijack This:

Please run HijackThis, click on "Open the Misc Tools section", and then on
"Open Uninstall Manager". Click the "Save list" button, save the file
uninstall_list.txt to your Desktop, and post the contents with the log and we
can take it from there.

Regards

Andy
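The two artefact types Andy describes in this thread, the Hijack This entries (random-named executables under Application Data launched from Run keys, an unnamed BHO, a hijacked Search Bar) and the 16-hex-character .job files in the Tasks folder, can be triaged offline from the saved text before anything is deleted. The following Python script is an added example, not code from the thread, from HijackThis or from any vendor. It parses a HijackThis log and a `dir /a` listing of the Tasks folder, flags the patterns described above, and generates the same attrib/del pairs as Andy's remove.bat for review. The sample input is constructed from the entries quoted in the thread plus one made-up benign Run entry (`ExampleBenign`), the URL is left defanged as the thread prints it, and the list of trusted search hosts is an assumption.

```python
"""Offline triage of HijackThis log lines and a Tasks-folder listing for LOP artefacts."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: entries quoted in the thread plus one benign Run
# entry with a made-up name (ExampleBenign). The search URL stays defanged.
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://www.jmnyhtxmpmwhu.net/jAf4esK8Zzh1Pu0kDCYTvXHzH4bDxBzE13gPyHFr8EQYTk1dHGqcZShEKYRGKYXp.html
O2 - BHO: (no name) - {C9EA44CF-47B5-EA81-035A-66C7313A7BA8} - C:\DOCUME~1\ANDY\APPLIC~1\comphole\Fork Build.exe
O4 - HKLM\..\Run: [DeadTickMfcdEach] C:\Documents and Settings\All Users\Application Data\1fragdeadtick\dalethe.exe
O4 - HKCU\..\Run: [Pluspile] C:\DOCUME~1\ANDY\APPLIC~1\DASHPR~1\live trans.exe
O4 - HKLM\..\Run: [ExampleBenign] C:\Program Files\Example Vendor\example.exe
"""

# Constructed sample output of "dir %Windir%\tasks /a", as shown in the thread.
DIR_LISTING = """\
 Directory of C:\\WINDOWS\\tasks

09/04/2004  22:23    <DIR>          .
09/04/2004  22:23    <DIR>          ..
18/08/2001  20:00                65 desktop.ini
12/03/2005  19:31               342 FRU Task #Hewlett-Packard#hp psc 1200 series#1097605884.job
01/10/2005  14:00               268 AE1C853490B339C0.job
01/10/2005  14:00               272 87AB47859A2CE899.job
01/10/2005  14:00               268 A2CF8D4D91243E6D.job
01/10/2005  14:00               268 914E0EDF9A15A8EF.job
               6 File(s)          1,489 bytes
"""

# One "dir" entry: date, time, <DIR> or size, then the file name.
DIR_ENTRY = re.compile(r"^\s*\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+(?:<DIR>|[\d,]+)\s+(.+?)\s*$")
# The thread notes LOP's scheduled tasks are 16 hex characters plus .job.
RANDOM_JOB = re.compile(r"^[0-9A-F]{16}\.job$", re.IGNORECASE)
# Full and 8.3 spellings of the per-user/all-users Application Data folder.
APPDATA_MARKERS = ("\\application data\\", "\\applic~1\\")
# Assumption: hosts treated as legitimate IE search defaults for this check.
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com")
HOST_RE = re.compile(r"://([^/\s]+)")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. O4
    entry: str     # the raw log line
    reason: str    # why it was flagged


def analyse_hjt(log: str) -> List[Finding]:
    """Flag the HijackThis entry types the thread associates with LOP."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        low = line.lower()
        if section == "O4" and any(m in low for m in APPDATA_MARKERS):
            findings.append(Finding("O4", line, "Run key launches an executable from an Application Data folder"))
        elif section == "O2" and "(no name)" in low:
            findings.append(Finding("O2", line, "Browser Helper Object registered without a name"))
        elif section == "R1" and "search bar" in low:
            m = HOST_RE.search(line)
            host = m.group(1).lower() if m else ""
            if not any(host == t or host.endswith("." + t) for t in TRUSTED_SEARCH_HOSTS):
                findings.append(Finding("R1", line, f"Search Bar points at untrusted host '{host}'"))
    return findings


def suspicious_jobs(dir_listing: str) -> List[str]:
    """Return the random 16-hex-character .job names from a dir /a listing."""
    jobs: List[str] = []
    for line in dir_listing.splitlines():
        m = DIR_ENTRY.match(line)
        if m and RANDOM_JOB.match(m.group(1)):
            jobs.append(m.group(1))
    return jobs


def build_removal_batch(job_names: List[str]) -> str:
    """Emit the attrib/del pairs used by the thread's remove.bat, for review before running."""
    lines = ["%systemdrive%", "cd %Windir%\\Tasks"]
    for name in job_names:
        lines.append(f"attrib -r -s -h {name}")   # clear read-only/system/hidden
        lines.append(f"del {name}")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for f in analyse_hjt(HJT_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
    jobs = suspicious_jobs(DIR_LISTING)
    print("Random-named .job files:", jobs)
    print(build_removal_batch(jobs))
```

Run it against a saved hijackthis.log and files.txt by reading those files into the two string arguments; the O4 rule deliberately ignores Run entries under Program Files, so the benign sample line is not reported, and the generated batch is printed rather than executed so the entries can be checked against the log first.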
 
Guest

Hi Peter

We can use Killbox to get rid of those directories in C:\drive a bit later if
needed, but with them being random named can you check what's inside them
first. You will need to enable hidden files and folders to remove LOP, so we
may as well do that first in case the folders on C:\drive have files that are
set as hidden. (They are showing a creation date of 2003 so it's unlikely they
are malware related, as scanners would have detected problems, but it's still
worth checking the contents of the folders.)

If you don't have Spysweeper now then download Ewido Security Suite. If you
do have SpySweeper, update the definitions as we will be using it in safe
mode.

Ewido

Download, install, and update the free version of ewido security suite

http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background
guard" and "Install scan via context menu". Click on update in the left menu,
then click the Start update button. After the update finishes close Ewido

Enable Hidden Files and Folders :


Click Start > Open My Computer > Select the Tools menu from the top bar and
click Folder Options > Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and
folders.
Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm > Click OK.

Set this back after you have checked for the files by opening the same page
and pressing "Restore Defaults"

Save This to notepad if needed so you can still view it in safe mode.


Run Hijack This and Choose to do a system scan, Place a check next to these
entries:


O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Flawmeowdartcake] C:\Documents and Settings\All Users\Application Data\creativesaveflawmeow\dale soap.exe

Close all open browser windows except Hijack This and press Fix Checked.


Reboot into safe mode (Reboot and keep tapping F8 then choose safe mode from
the list)


Delete This Folder (You need to have hidden files enabled to view the
application data folder):


C:\Documents and Settings\All Users\Application Data\creativesaveflawmeow
<-- This Folder


Run Ewido Again:

Run Ewido again. From the main menu click on 'scanner' then click 'Complete
System Scan'. When Ewido finds something, it will pop up a notification.
Select "Remove" and check the boxes "Perform action with all infections" and
"Create encrypted backup", then click on OK. When the scan finishes, click on
"Save Report" and save it to your desktop or C: drive in case you need it
again.


If you have Ccleaner, run that to clear temp and unused files. If you don't
have Ccleaner, go to Start Menu then Run and type


cleanmgr


press OK place checks next to temporary files & recycle bin and press OK again


Reboot back to normal mode :



When you get back to normal mode, open Notepad and copy and paste the next
part into it:


rem list every file in the Tasks folder, hidden ones included, then open the listing
dir %Windir%\tasks /a > files.txt
notepad files.txt


Save this as findjobs.bat, choosing to save it as type *All Files, and place
it on your desktop.

Double-click on findjobs.bat and post the content of the text file you get
in your next reply.


Also check the folders on the C: drive to see what files they contain, and if
there are exe or dll files in them, right-click them and choose Properties.
Look for any information on who created the folder or for a Version tab on
the file properties. If there is no information, go to Jotti's site and upload
them to be scanned for malware:

http://virusscan.jotti.org/

When the site opens, press Browse, then find the files and press Submit.

I'm in work soon as it's 7.30am here, but should be home about 1pm, so I will
check for a reply then.


Chat to you later

Andy
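As an added example (not Andy's or the thread's own code), the following PowerShell script does in one pass what the HijackThis O4 check and the findjobs.bat step above do by hand: it lists the Run-key autostarts and the Tasks folder and flags any target that runs from an Application Data folder, is missing, or carries no version information. It assumes Windows PowerShell 3 or later; the ProgramData check is a generalization for Vista and later, since XP keeps that data under Application Data.

```powershell
# Added example, not code from the thread. Audits the same autostart locations
# the manual steps cover: the Run/RunOnce registry keys (HijackThis "O4" lines)
# and %windir%\Tasks (what findjobs.bat lists), flagging anything that runs from
# an Application Data / ProgramData folder or has no version information.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable path from a Run value, which may be quoted, unquoted
# with spaces (as in the "dale soap.exe" entry above), or followed by arguments.
function Get-TargetPath([string]$command) {
    $cmd = $command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

# Apply the checks the thread does by hand (location, existence, Version tab).
function Test-AutostartEntry([string]$source, [string]$name, [string]$command) {
    $path    = Get-TargetPath $command
    $reasons = @()
    $exists  = Test-Path -LiteralPath $path
    if (-not $exists) { $reasons += 'target file missing' }
    if ($path -match '\\Application Data\\|\\ProgramData\\') {
        $reasons += 'runs from Application Data'
    }
    if ($exists) {
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        if ([string]::IsNullOrEmpty($vi.CompanyName)) { $reasons += 'no company/version info' }
    }
    [pscustomobject]@{
        Source     = $source
        Name       = $name
        Path       = $path
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

$results = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        # skip the registry provider's own PS* metadata and empty values
        if ($p.Name -like 'PS*' -or [string]::IsNullOrWhiteSpace([string]$p.Value)) { continue }
        Test-AutostartEntry $key $p.Name ([string]$p.Value)
    }
})

# Scheduled-task files, hidden ones included; these still need a manual look.
$results += @(Get-ChildItem -LiteralPath "$env:windir\Tasks" -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Source = 'Tasks'; Name = $_.Name; Path = $_.FullName
                           Suspicious = $false; Reasons = 'review manually' }
    })

$results | Sort-Object Suspicious -Descending | Format-Table Source, Name, Path, Reasons -AutoSize
```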
 
G

Guest

Hi Andy,
Thanks. I've sent you the logs and here is the uninstall list:

Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0
Animaniacs Game Pack
ATI Control Panel
ATI Display Driver
AVG Anti-Virus 7.0
Big Action Construction
CCleaner (remove only)
Conexant D850 56K V.9x DFVc Modem
Conexant SmartHSFi V92 56K DF PCI Modem
DawnOfWar
Dell Solution Center
Delta Force - Black Hawk Down
DVDSentry
Easy CD Creator 5 Basic
Finding Nemo
Fisher-Price® Ranger Trail
Football Mania
Harry Potter TM
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows XP (KB896344)
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet
LEGO Creator
LEGO Island 2
LEGOLAND
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft AntiSpyware
Microsoft Interactive Training
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Publisher 2002
Modem Helper
MSN Messenger 6.1
Pokémon
Prevx Home
QuickTime
QuickTime for Windows (32-bit)
Roxio VideoWave Movie Creator
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Serious Sam: The First Encounter
Serious Sam: The Second Encounter
Shockwave
Sound Blaster Live!
Spybot - Search & Destroy 1.4
Star Wars Galactic Battlegrounds
Stronghold Crusader
The ClueFinders 4th Grade Adventures
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900930)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2

I've sent you the log to our email. I'm still getting lop toolbars and popups.

Regards,
Peter
 
G

Guest

Hi Andy,

I've mentioned earlier that I can't run Safe Mode. It hung on 'agp440.sys'
and now 'mup.sys'. Dave did mention how to fix this problem and I will
do that first. It's 6:24 pm here and I'm at home and will not be at the office
till 3pm tomorrow (or 4am your time?). The PC belongs to the CEO of the
company, his home PC. It's now in the office so that I can resolve the
problem. I'm hoping for a quick way to resolve this problem, but this is
crazy. Is there a security update for XP to block this from ever happening?
Most of the people who are infected with lop reformat their hard disk (Dell
even recommended for me to do this). But I think Microsoft ought to do
something about lop.

Thanks for your help, much appreciated. I will get back to you tomorrow with
your remedy.

Regards,
Peter


 
G

Guest

Hi Peter

Sorry, I forgot about your problem booting into Safe Mode. I've sent you an
email about this, but try the System File Checker to check for any missing or
corrupt Windows files (SFC /SCANNOW) and go for the LOP fix in normal mode.
After fixing the O4 entry, reboot, then delete the folder, as then it will not
be running on your system: the O4 entry is the Run command that starts LOP's
files when you reboot. The other steps are just to clean up and check for
other problems, but fixing that O4 and then rebooting and removing the file
should take care of LOP, as it looks like SpySweeper has removed all of LOP's
other entries from your system.

Let me know if you have problems

Regards

Andy
 
G

Guest

Hi Andy,

HijackThis did it! Traces of lop are gone. Fixing that O4 did the trick.
I've also deleted the directory. Thanks very much... it's been hell.

I'm still having problems removing these two dirs with Killbox:

Pocket Killbox version 2.0.0.473
Running on Windows XP As an Administrator
was started @ Tuesday, November 08, 2005, 4:48 PM

# 1 [Files to Delete]
Path = C:\a0ecf159a55dc52431
*This File could not be Deleted

# 2 [Delete on Reboot]
Path = C:\b3fafe2d26adca42693cf1e2aa791919
*This File could not be Deleted

# 3 [Delete on Reboot]
Path = C:\b3fafe2d26adca42693cf1e2aa791919
*This File could not be Deleted

Killbox Closed(Exit) @ 4:50:01 PM
__________________________________________________

Pocket Killbox version 2.0.0.473
Running on Windows XP As an Administrator
was started @ Tuesday, November 08, 2005, 4:55 PM

# 1 [Files to Delete]
Path = C:\a0ecf159a55dc52431
*This File could not be Deleted

# 2 [Delete on Reboot]
Path = C:\a0ecf159a55dc52431
*This File could not be Deleted

I Rebooted @ 4:56:00 PM
Killbox Closed(Exit) @ 4:56:01 PM
__________________________________________________

I can't find out what the contents are; I can't open the subfolder 'SP2',
access denied. The other 2 that I managed to get rid of had the following dirs:

\sp2\update\update.exe

Thanks very much again for helping me get rid of lop.

Regards,
Peter


 
G

Guest

Hi Andy,

I tried almost every suggestion from the Internet to fix the Safe Mode
problem hanging on MUP.sys. After disabling Agp440.sys, it now hangs on
MUP.sys. Before I removed lop, the PC could boot in Safe Mode, but after I ran
a few antispyware tools, Safe Mode hung on Agp440 and now mup.sys.

Do you have a solution?

Thanks.
Peter

 
G

Guest

Hi Again Peter

The folders in the C: drive are from a Microsoft update or hotfix, so they are
not a threat to your system. Here's a page about that from Microsoft:

Installation of Hotfix Leaves Temporary Folder on Hyper-Threaded or
Multiprocessor Computer

http://support.microsoft.com/default.aspx?scid=kb;en-us;817084

The Safe Mode issue needs fixing, but it's difficult to know what the problem
is, and it's not something I have any experience with. AGP440.sys is related to
the Accelerated Graphics Port; I made a mistake referring to it as Advanced
Graphics. AGP enables the computer to communicate with the graphics card, but
I'm not sure what the conflict here is, especially if you say it was working
fine before you got infected with LOP and when it's disabled your system then
freezes at the next file.

Obviously it's a known issue, as Microsoft have a support page for this:

http://support.microsoft.com/default.aspx?scid=kb;en-us;324764

Same with MUP.sys: it's well covered on any search engine, but the actual cause
of the problem isn't clear. Here's one page, for example, about this:

http://www.sadikhov.com/forum/lofiversion/index.php/t31329.html

It's hard to know what to suggest here. The first step would be the system file
checking feature, SFC /SCANNOW, to check system files; then you may have to do a
repair install of Windows, or maybe remove SP2 and reinstall it and all the
updates, but there is no way of being sure this would even fix the problem if
it's a conflict with a non-Microsoft product on your system.

You really should contact Microsoft, as it's a problem if you cannot boot into
Safe Mode, and they would know what is causing this, or at least give you some
options to fix the problem that don't involve a complete format and
reinstall of the O/S.

Here's a link to Microsoft support, and hopefully they can provide you with a
solution.

Contact Microsoft (if you're not in the US, then click United States in the top
left corner and change it to your region):

http://support.microsoft.com/contactus/?ws=support

All The Best

Andy
 
