Description
lop is a family of programs that set your start page and IE's search features to use the site lop.com ('Live Online Portal') or one of its clone sites. Known lop sites include:
* aavc.com
* acjp.com
* ebch.com
* ebdv.com
* ebdw.com
* ebjp.com
* ebkn.com
* ebky.com
* eblv.com
* ebmu.com
* ebvr.com
* ecmh.com
* ecpm.com
* ecwz.com
* ecyb.com
* eduy.com
* eeev.com
* ibmx.com
* icwb.com
* icwo.com
* icwp.com
* iddh.com
* idhh.com
* ifiz.com
* iguu.com
* samz.com
* saoe.com
* sbjr.com
* sbnl.com
* sbnt.com
* sbvr.com
* scbm.com
* sckr.com
* scrk.com
* sdry.com
* seld.com
* sfux.com
* sipo.com
* smds.com
* srib.com
* srox.com
* srsf.com
* ssaw.com
* ssby.com
* surj.com
* tbvg.com
* tdak.com
* tdko.com
* tdmy.com
* tefs.com
* tfil.com
* thko.com
* tjar.com
* tjaw.com
* tjdo.com
* tjem.com
* tjgo.com
* torc.com
* wabq.com
* wabu.com
* wbkb.com
* wfix.com
* wflu.com
Also sbee.com and scmb.com, which no longer house lop clones, are believed to have been used in the past.
In newer variants, changing your home page back results in the new home page being 'framed' by a 'passthrough' frameset from lop, which adds a lop search bar to the bottom of the page.
It also adds shortcuts to advertisers. Finally it adds a task to run on startup which sets your homepage and search back to lop if you change them.
Variants
lop/Trinity is an old variant of the software, which only adds the shortcuts and does the homepage/search hijacking.
lop/Dialer is a plain porn dialler delivered with the startup task.
lop/Toolbar: includes the startup task and an IE toolbar with more lop links. This variant can be detected by the script at this site.
lop/Rnd: a version of lop/Toolbar that uses completely random class IDs as well as pseudo-random filenames, making it difficult to detect.
lop/AYB: a URL protocol module used by the MP3Search (or similar) minibrowser launched by the startup task. This variant can be detected by the script at this site; having it is usually a sign you may have lop/Toolbar or lop/Rnd as well.
lop/Loader: an installer process that opens a small progress window in the middle of the screen and loads and runs both lop/AYB and either lop/Toolbar or lop/Rnd.
lop/IMZ: an installer process like lop/Loader, but installing lop/Rnd and FavoriteMan/IMZ. lop/AYB is not installed, so the script at this script usually cannot detect lop/IMZ installations.
lop/Active: an update of lop/Rnd which monitors web pages viewed for keywords, and sets the buttons in the toolbar to match. This also opens a floating window on the desktop on startup. Can also hijack to active-max.com, mysearchnow.com, searchwebnow.com or find-quick.com as well as one of the traditional four-letter domains.
Also known as
C2 by Spybot, after the company (C2 Media) that makes it. Troj/Tubmo by Sophos anti-virus, for unknown reasons.
Distribution
Installed by ActiveX from many sites, often pop-up ads.
There are often pop-up loops (pop-ups opening pop-ups endlessly) for sites claiming to be MP3 search and download tools, which try to exploit the confusion caused by this to install lop. However, lop downloaders have also appeared on some mainstream ad networks.
The executable file pointed to by the ActiveX downloader is likely to have a name like:
* mp3.exe
* mp3search.exe
* mp3_finder.exe
* mp3_plugin.exe
* mp3Software_plugin.exe
* napster2.exe
* FreeMP3.exe
* freemp3s.exe
* freemp3z.exe
* FreeMP3Music.exe
* free_deals.exe
* free_plugin.exe
* freeplugin.exe
* Software_Plugin.exe
* Download_Plugin.exe
* download_file.exe
* The_Ultimate_Browser_Enhancer.exe
* sex_viewer.exe
* free_sex_viewer.exe
* Adult_Software.exe
* keygen33win.exe
* download_serial.exe
* free_warez.exe
Also bundled with software downloads from edonkey.com (note: the real 'eDonkey' software site is at edonkey2000.com), fake 'cracks' or key generators from software-piracy sites, and Patchou's MSN Messenger Plus.
What it does
Advertising
Yes. Some shortcut icons are added to the desktop. Many more are added to the Favorites menu. More are on an IE toolbar called 'Accessories'. The process run on startup also occasionally pops up adverts.
Privacy violation
No.
Security issues
Yes. The startup process can download and execute arbitrary code from its controlling server.
Stability problems
Running the software may cause many 'dial-up connection' requests to appear if you are not connected. Windows seems to hang temporarily for a few minutes when this happens.
Removal
lop/Toolbar installations normally put a round icon in the system tray, try right-clicking this, choosing 'Menu', then on the resulting window, clicking 'Help', then 'Uninstall'. With newer variants you will have to answer an annoying riddle before it will go away.
lop/Rnd installations do not put the icon in the system tray, but may add an entry to the Control Panel's Add/Remove Programs list, which can be used to uninstall in the same way. The name of the uninstall option varies randomly but tend to follow a pattern, eg.:
* Browser Enhance r
* Brows er Enhancer
* Ultimate Browse r Enhancer
* Ultimate Browser En hancer
* L.O P. Un insta11
* L O.P. Un instal1
* Live 0n line Portal
* Live.0nli ne Porta1
lop/Active installations have an additional 'Window Active' entry that should also be removed.
Manual removal
Open the Application Data folder. This can be found inside the Windows folder on Windows 95/98/Me; on Windows 2000 and XP it is inside your user folder in 'Documents and Settings', but it's hidden, so go to Tools->Folder Options->View and turn on 'Show hidden files and folders' to see it. In Windows NT 4.0 it is in the user folder inside 'WinNT\Profiles'.
The filenames of lop files can vary for each different installation, but usually under Windows there should not be any files inside Application Data (only folders), so it's generally easy to pick out the culprits. Known filenames for the toolbar DLL (lop/Toolbar, lop/Rnd) or ayb: protocol DLL (lop/AYB) include:
* blztstull[letter 'a', 'c', 'j', 'p', 's', 't' or 'y'].dll
* blztstull['pr', 'tr' or 'oo'].dll
* chksbdrlya.dll
* dmvcrthl.exe
* eaeeishllblc.dll
* eelykofrllfrpr.dll
* eelykofrllfrj.dll
* ealymfrprwch.dll
* epllkeeoopr.dll
* freabrlaouw.dll
* gldqumssfrie.dll
* hglllyxrxw.dll
* icdrhwno.dll
* heeachmstll.dll
* meepajlr.dll
* ousszidrta.dll
* plg_ie[any digit].dll
* prxzoustustgr.dll
* prnouestssstx.dll
* quizbt[any digit].dll
* quglwachfs.dll
* sstroallhqch.dll
* tblchepruprgr.dll
* trdzhtxf.exe
* trstshcrscksr.dll
* ukfroigl.dll
* upckeetoutw.dll
* veaeyglckr.dll
* woafrquzn.dll
* yeecrsoustoull.dll
* ziebaeeoaeepr.dll
Known filenames for the system tray task and hijacker file include:
* asshuktr.exe
* bilyooas.exe
* byb_save.exe
* crgbeaoa.exe
* eaymulyl.exe
* eeublidc.exe
* glxshmcr.exe
* ijlysseb.exe
* jqumysto.exe
* kfriegbs.exe
* llfggrdr.exe
* lltckiey.exe
* lopsearc.exe
* meemnckyqbr.exe
* meepajlr.exe
* mprcouie.exe
* oofrkxpe.exe
* peebqusz.exe
* quveioot.exe
* shoucrck.exe
* ssmeeibl.exe
* tchpeatr.exe
* tglblrll.exe
* trstdris.exe
* ulyuiexeechp.exe
* vestufck.exe
* vfthrcbr.exe
* xogyfhp.exe
* ykphmbre.exe
* ylynfste.exe
Other files you may find with some versions include icon libraries (known filenames tchejea.lib and iCndE.lib) and loads of GIFs. These can all be deleted too. You might also have some of the following files in the Windows folder:
* desktop.htm
* dnserror.htm
* jexpoofro.htm
* i_dnserr.gif
* s_dnserr.gif
* r_dnserr.gif
* b_dnserr.gif
* tiejexpoo.gif
* xiejexpoo.gif
* oiejexpoo.gif
* uiejexpoo.gif
Open the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. If you have not used the uninstall feature there should still be an entry with a value like 'C:\WINDOWS\APPLIC~1\(task name).exe -QuieT'; delete it. The name of this entry changes in different variants; known names are:
* abtu
* brchfgl
* brfrgroo
* chytrw
* eeullz
* eedrtss
* lldrlyk
* lssxsh
* stoafv
* oooami
* oooik
* oucno
* phqtr
* pprwly
* qncu
* stjlee
* uaouea
* trglckea
* xckja
* ymste
* zvoah
In the lop/Active variant, there will instead be a 'winactive' entry pointing to winactive.exe. Delete this too.
You should also delete the following entries if you have them and they are not just blank:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Telephony\DomainName
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP\Domain
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Domain
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{...check all interfaces...}\Domain
Also you can remove the lop settings key if you can find it; it is inside HKEY_LOCAL_MACHINE\Software and has, again, a varying name; known examples are:
* ckotetlllyllshz
* kseateasteestoe
* rhvlveasteafpr
* ssaxstxoaieoagrh
* TrinityAYB (lop/Trinity variant)
Next, if you have not used the uninstall feature, open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:
cd "%WinDir%\System"
regsvr32 /u [name of DLL]
substituting the full filename of the DLL, whatever its name is, in Application Data. Tip: You can drag the DLL file from Explorer onto the DOS command prompt window to put the name in so you don't have to type it all out.
Finally, reboot Windows and you should be able to delete all the files mentioned above, along with the shortcuts added to the desktop and the favorites menu. For the lop/Active variant you should delete the entire 'Active Window' folder inside Program Files.
You can also reset your homepage (from Internet Options->General) and search settings (Internet Options->Programs->Reset Web Settings), and delete the entries added to your Favorites menu. If you use Netscape/Mozilla you will need to reset the home page (Edit->Preferences->Navigator) and remove the Bookmarks too.
You may also wish to check your computer for diallers, as the lop.com site has been known to include dialler installers. If you have the lop/IMZ variant it is also possible that FavoriteMan/IMZ may have installed other parasites such as BargainBuddy, IGetNet and n-Case.
Súgó
A téma zárva.
Elküldve: 2005. 01. 02. 19:32
- és ismert DLL-ek tárolója és nyomkövetője.
( Szép, ugye? Van tűzfalam, vírusírtóm, AdAware Watch is figyel (elvileg) ...
