xisto Community
Xevian

Lop some malware


I can't seem to get rid of this LOP thing... Every time I scan my computer with Ad-Aware and delete it, 1 minute later, it's back again... Can someone identify this mysterious and annoying thing?


Here's some info on LOP aka "Live Online Portal" I found through Google. Am pasting it here for quick reference. If you want more info, follow the links at the bottom of the page...

Lop.com has become one of the most hated names on the internet. All over cyberspace, from message boards to newsgroups to IRC chat rooms I've seen people begging for help in getting rid of this annoying software.
What is lop.com? Lop.com is a web site owned by C2 Media. It is mainly a pay-per-click search portal where other web sites pay for each click-through to their site via lop. This isn't a terrible idea, but rather than create a quality web site to get surfers to their site and clicking those links, they instead created a program which is labeled variously as an mp3 search program, a porn search program, or some other such thing. The installer turns the user's web browser into a device with a seemingly endless supply of links to lop.com.

An early version (installer name download_plugin.exe) installs two files in the user's wallpaper folder, one an html file and the other a shockwave file. The html file contains code to load the shockwave file. The installer sets the html file as the user's wallpaper so that the flash search engine program is sitting on the desktop at every boot. The flash file does little more than open and close a series of collapsible menus containing more lop internet shortcuts and a search function which queries - take a guess - lop.com.

A later version (installer name mp3serch.exe) omits this desktop feature as its bugginess reportedly led to its being discontinued. Both versions install a stripped down browser which uses the Internet Explorer web browser engine. This browser automatically launches the following URL:
http://mp3va.com/?pid=889.

Not content to leave the user with this browser, the lop installer also makes dramatic changes to Internet Explorer, Mozilla Navigator, and most likely Netscape Navigator. The default search engine pages, toolbar settings, and start page are changed. The lop installer adds scores of internet shortcuts in Internet Explorer's Favorites folder and in Mozilla's Bookmarks.htm file. The download_plugin.exe version does not alter Mozilla Navigator.

These lop installers create a BHO which produces an accessories toolbar in Internet Explorer full of - you guessed it - even more lop.com internet shortcuts. This BHO also takes control of the browser to make it redirect to lop.com if there is some error loading a page. This BHO is named plg_ie0.dll. As with all BHOs, it can be disabled with BHODemon, although I've had two users report that after disabling it, another BHO was automatically generated with the name plg_ie1.dll.

In addition to altering the security nightmare that Internet Explorer has become, the installer also makes changes to Mozilla and presumably Netscape. During testing, I found that Mozilla's prefs.js file (the file that contains user settings) was changed to prefs.bk! and replaced with another with the following setting added.
user_pref("browser.startup.homepage", "http://imptestrm.com/rg-erdr.php?_dnm=www.lop.com&_cfrg=1&_drid=as-drid-2236481458717182");

It also changes bookmarks.html to bookmarks.bk!. The replacement file included all of lop's bookmarks. Bookmarks.html is where Mozilla and Netscape store the user's saved bookmarks. Deleting the altered bookmarks.html and prefs.js, then renaming the two .bk! files to bookmarks.html and prefs.js respectively restores Mozilla's settings. Again, the download_plugin.exe version does not alter Mozilla / Netscape Navigator.

The lop installer finishes up by creating a registry entry to load a file named mp3serch.exe (or lopsearch.exe if you have the download_plugin.exe installer) at every boot. This entry will make Windows load the lop executable file on each machine restart.

The effect of all of this is to turn the user's web browser into a device to present them with a seemingly endless supply of lop chosen links to click. The user becomes a visitor to lop.com with nearly every action that they take with their browser, whether it be searching for something, typing in an incorrect URL, or simply by opening a new browser window.

Newer variants of C2Media's software omit the browser and BHO altogether, and instead install dozens of internet shortcuts and set the home page to http://forums.xisto.com/no_longer_exists/. The installer for this variant may be named mp3.exe or freemp3z.exe. These files may appear on your computer as a result of an ActiveX script which automatically begins to download them when you load pages at certain mp3 and/or pornographic web sites. The files are digitally signed by C2Media, the company which owns the lop.com web site and software.

Another software product that does roughly the same thing as lop.com's software and leads to a web site that is virtually identical to lop.com is the Xupiter toolbar from xupiter.com. Although there is no other evidence that they are related, considering that the software and web sites are nearly twins of each other, many people speculate that xupiter is also made by C2Media.

Unfortunately for lop.com, their tactics have gained them the attention of Lavasoft, maker of Ad-aware. Starting with version 5.7, Ad-aware started targeting lop.com along with a number of browser hijackers. Spybot S&D also targets and removes lop.com software. Ad-aware and Spybot both updated recently to target xupiter.com's software as well. Although we used to provide manual removal instructions for lop.com, we now recommend that you simply use Spybot to remove both lop.com and xupiter.


Links:
1. http://www.spyany.com/
2. http://forums.xisto.com/no_longer_exists/
3. https://personalfirewall.comodo.com/spyware/lop.html
4. http://forums.xisto.com/no_longer_exists/

All the best...
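The Mozilla restore step described in the pasted article (put the two .bk! files back as prefs.js and bookmarks.html), as an added example that is not part of the original post or the quoted article. It moves the replaced files into a quarantine folder instead of deleting them; the folder name `lop_quarantine` and the sample profile contents are assumptions constructed for the demonstration.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Files the article says the installer renames to "<name>.bk!" before dropping its own copy.
BACKED_UP = {"prefs.js": "prefs.bk!", "bookmarks.html": "bookmarks.bk!"}
HOMEPAGE_RE = re.compile(r'user_pref\("browser\.startup\.homepage",\s*"([^"]*)"')

def inspect_profile(profile: Path) -> dict:
    """Report which .bk! backups exist and the homepage set in the live prefs.js."""
    backups = [bk for bk in BACKED_UP.values() if (profile / bk).is_file()]
    prefs = profile / "prefs.js"
    text = prefs.read_text(errors="replace") if prefs.is_file() else ""
    m = HOMEPAGE_RE.search(text)
    return {"backups": backups, "homepage": m.group(1) if m else None}

def restore_profile(profile: Path) -> list:
    """Quarantine the replaced files and rename the .bk! originals back into place."""
    restored = []
    quarantine = profile / "lop_quarantine"  # hypothetical folder name
    for live, backup in BACKED_UP.items():
        if not (profile / backup).is_file():
            continue  # no backup for this file: leave the live copy untouched
        quarantine.mkdir(exist_ok=True)
        if (profile / live).exists():
            shutil.move(str(profile / live), str(quarantine / live))
        (profile / backup).rename(profile / live)
        restored.append(live)
    return restored

def build_sample_profile() -> Path:
    """Constructed sample profile mimicking the state the article describes."""
    p = Path(tempfile.mkdtemp(prefix="mozprofile_"))
    (p / "prefs.bk!").write_text('user_pref("browser.startup.homepage", "about:blank");\n')
    (p / "prefs.js").write_text('user_pref("browser.startup.homepage", "http://www.lop.com/");\n')
    (p / "bookmarks.bk!").write_text("<!-- user's original bookmarks -->\n")
    (p / "bookmarks.html").write_text("<!-- replaced bookmarks -->\n")
    return p

if __name__ == "__main__":
    profile = build_sample_profile()
    print("before:  ", inspect_profile(profile))
    print("restored:", restore_profile(profile))
    print("after:   ", inspect_profile(profile))
```

Run it with the browser closed, since Mozilla rewrites prefs.js when it exits.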


Oh My God! This is exactly what has happened to my computer... But every time I use Ad-Aware to delete it, it comes back at the very next moment! I'm going to download Spybot to try and detach this LOP...


It seems that Spybot works much better than Ad-Aware... It found malware that Ad-Aware couldn't find... There was a lot of it... About a page full... Can't believe I didn't use Spybot before! :P
