Lop.com

· Overview ·
· Origins ·
· Distribution ·
· Operation ·
· Risks ·
· Detection and Removal ·
· Research ·

Overview

Summary:

lop is a family of programs that set your start page and IE's search features to use the site lop.com ('Live Online Portal') or one of its clone sites.

Known lop sites include: aavc.com acjp.com ebav.com ebaw.com ebch.com ebch.com ebdv.com ebdw.com ebgo.com ebjp.com ebkb.com ebkn.com ebky.com eblv.com wbkb.com ebmu.com ebvr.com ecmh.com ecmp.com ecpm.com ecwz.com ecyb.com edhq.com edty.com eduy.com eeev.com farse.com ibmx.com icwb.com icwo.com icwp.com iddh.com idhh.com ifiz.com iguu.com samz.com saoe.com sbee.com sbjr.com sbnl.com sbnt.com sbvr.com scbm.com sckr.com scrk.com sdry.com seld.com sfux.com sheat.com sipo.com smds.com srib.com srox.com srsf.com ssaw.com ssby.com surj.com tbvg.com tdak.com tdmy.com tefs.com tfil.com tjar.com tjaw.com tjgo.com tjem.com torc.com wabu.com wabq.com wfix.com wflu.com

Lop also adds shortcuts to advertisers. Finally it adds a task to run on startup which sets your homepage and search back to lop if you change them.

Alias:

See Also:

Category:

Spyware: Any product that employs a user's Internet connection in the background without their knowledge, and gathers/transmits info on the user or their behavior. Many spyware products will collect referrer info (information from your web browser which reveals what URL you linked from), your IP address (a number that is used by computers on the network to identify your computer), system information (such as time of visit, type of browser used, the operating system and platform, and CPU speed.) Spyware products sometimes wrap other commercial products, and are introduced to machines when those commercial products are installed. See also Adware.

Adware: Software that displays popup/popunder ads when the primary user interface is not visible or which do not appear to be assocaited with the product.

Browser Helper Object: (BHO). A component that Internet Explorer will load whenever it starts, shares IE's memory context, can perform any action on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." BHOs are not stopped by personal firewalls, because they are seen by the firewall as your browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page.

Dialer: Software that dials a phone number. Some dialers connect to local Internet Service Providers and are beneficial as configured. Others connect to toll numbers without user awareness or permission.

Downloader: A program designed to retrieve and install additional files, when run. Most will be configured to retrieve from a designated web or FTP site.

Dropper: In viruses and trojans, the dropper is the part of the program that installs the hostile code onto the system.

Hijacker: Any software that resets your browser's settings to point to other sites. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.

Search Hijacker: Any software that resets your browser's settings to point to other sites when you perform a search. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower. Search results when such a hijacker is running will sometimes differ from non-hijacked results.

Toolbar: A group of buttons which perform common tasks. A toolbar for Internet Explorer is nomally located below the menu bar at the top of the form. Toolbars may be created by Browser Helper Objects.

Trojan: Any program with a hidden intent. Trojans are one of the leading causes of breaking into machines. If you pull down a program from a chat room, new group, or even from unsolicited e-mail, then the program is likely trojaned with some subversive purpose. The word Trojan can be used as a verb: To trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be programmed to accept a certain password for any user's account that the hacker can use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs.

Variants:

Similar Pests:

Origins

Group:

Vendor:

By This Group:

Programming Language:

Date of Origin:

Distribution

Distribution:

Installed by ActiveX or simple EXE file download from many sites, often through redirecting pop-up ads. The executable file is likely to have a name like:

mp3.exe
FreeMP3.exe
freemp3z.exe
FreeMP3Music.exe
free_sex_viewer.exe
free_deals.exe
Software_Plugin.exe
download_file.exe
The_Ultimate_Browser_Enhancer.exe
free_plugin.exe

Prevalence:

Clot Factor:

The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.

Growth:

Operation

Advertising:

Storage Required:

Browser Performance:

Risks

Privacy Issues:

Security Issues:

Stability Issues:

Detection and Removal

Automatic Removal:

PestPatrol detects this.

PestPatrol removes this.

Manual Removal:

There is an uninstall feature, which can usually be found on the round icon in the system tray. Click the right button on it and choose 'Menu'. On the resulting window, click 'Help', then 'Uninstall'. Some variants also add a 'LOP uninstall' entry to the Control Panel's Add/Remove Programs control which does the same. However this feature does not clear up all the mess lop leaves behind. See below for cleanup info.

Open the Application Data folder. This can be found inside the Windows folder on Windows 95/98/Me; on Windows 2000 and XP it is inside your user folder in 'Documents and Settings', but it's hidden, so go to Tools->Folder Options->View and turn on 'Show hidden files and folders' to see it. In Windows NT 4.0 it is in the user folder inside 'WinNT\Profiles'.

The filenames of lop files varies for each different lop affiliate distributing the software, but normally there should not be any files inside Application Data (only folders), so it's usually easy to pick out the culprits. Known filenames for the toolbar DLL (lop/Toolbar) or ayb: protocol DLL (lop/AYB) include:

eelykofrllfrpr.dll
ealymfrprwch.dll
yeecrsoustoull.dll
heeachmstll.dll
ziebaeeoaeepr.dll
prxzoustustgr.dll
llfggrdr.exe
plg_ie[any digit].dll
quizbt[any digit].dll
blztstull[letter 'a', 'c', 'j', 'p', 's', 't' or 'y'].dll
blztstull['pr', 'tr' or 'oo'].dll
Known filenames for the system tray task and hijacker file include:

oofrkxpe.exe
lopsearc.exe
shoucrck.exe
meemnckyqbr.exe
eaymulyl.exe
ulyuiexeechp.exe
byb_save.exe
peebqusz.exe
trstdris.exe
Other files you may find with some versions include icon libraries (known filenames tchejea.lib and iCndE.lib) and loads of GIFs. These can all be deleted too. You might also have some of the following files in the Windows folder:

desktop.htm
dnserror.htm
jexpoofro.htm
i_dnserr.gif
s_dnserr.gif
r_dnserr.gif
b_dnserr.gif
tiejexpoo.gif
xiejexpoo.gif
oiejexpoo.gif
uiejexpoo.gif
Open the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. If you have not used the uninstall feature there should still be an entry with a value like 'C:\WINDOWS\APPLIC~1\(task name).exe -QuieT'; delete it. The name of this entry changes in different variants; known names are:

eeullz
ymste
abtu
zvoah
lssxsh
pprwly
You should also delete the following entries if you have them and they are not just blank:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Telephony\DomainName
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP\Domain
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{...check all interfaces...}\Domain
Also you can remove the lop settings key if you can find it; it is inside HKEY_LOCAL_MACHINE\Software and has, again, a varying name; known examples are:

ckotetlllyllshz
kseateasteestoe
ssaxstxoaieoagrh
TrinityAYB (lop/Trinity variant)
Next, if you have not used the uninstall feature, open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u [name of DLL]
substituting the full filename of the DLL, whatever its name is, in Application Data. Tip: You can drag the DLL file from Explorer onto the DOS command prompt window to put the name in so you don't have to type it all out.

Finally, reboot Windows and you should be able to delete all the files mentioned above, along with the shortcuts added to the desktop and the favorites menu. You can also reset your homepage (from Internet Options->General) and search settings (Internet Options->Programs->Reset Web Settings); if you use Netscape/Mozilla you will need to reset the home page too (Edit->Preferences->Navigator).

You may also wish to check your computer for dialers, as the lop.com site has been known to include dialer installers.

Research

File Analyses:

• Lop.com: 1111.exe ·  14599.exe ·  2443.exe ·  24701.exe ·  2dimensionofexploits.asm ·  2dimensionofexploitsenc.hta ·  2dimensionofexploitsenc.php ·  455ba634cc ·  activeonce.exe ·  adult entertainment.url ·  adult.lnk ·  afa6d429.exe ·  agreement-.htm ·  ahlrfsoy.exe ·  ante.exe ·  antedefault.dll ·  aswnk.exe ·  aswwxs.reg ·  atiupdate2.exe ·  backup.reg ·  barbboob.dll ·  bike poke.dll ·  binsect.exe ·  bitsplaygrid.exe ·  boldabout.exe ·  bore2mags.exe ·  campglueflap.exe ·  cast idle.dll ·  ckcoofrunea.exe ·  ckouvcrcgcea.dll ·  corn bold media.exe ·  cyd1.exe ·  debugregs.exe ·  delete play.exe ·  Dentcurbfree.exe ·  desktop.htm ·  desktop.swf ·  does admin.exe ·  download_plugin.exe ·  each cdrom memo.exe ·  eshglkfvcr.dll ·  etu1.exe ·  exploit1.htm ·  film.exe ·  filmpeak.dll ·  Flaw Army Name.exe ·  fmtah.exe ·  freemp3z.exe ·  fullscreenbar.htm ·  funktypebinfffccc.exe ·  gambling and online casinos.lnk ·  glckqksdr.dll ·  glzchtb.lib ·  great 1.exe ·  header (1).htm ·  header (2).htm ·  header (3).htm ·  header.htm ·  heart setup inside.bin ·  help support.exe ·  hpt1.exe ·  install.htm ·  install.txt ·  installation report download_plugin.htm ·  intramemocomp.exe ·  jumpnoundate.exe ·  keyhost.exe ·  khzc256.tmp ·  ktbxbllyth.dll ·  kvgpmfiv.exe ·  links.txt ·  lite cake loud.exe ·  lniegfer.exe ·  loadcashmeet.exe ·  longonlineplay.exe ·  lop notes.txt ·  lrgluoot.exe ·  lyzkisnf.dll ·  media else rdr.exe ·  mfcdpingwarnfast.exe ·  mp3 music search.lnk ·  mp3.exe ·  mp3_plugin.exe ·  mp3serch.exe ·  news and sports.lnk ·  nxfbmzqu.exe ·  online movies.lnk ·  onlinecontent.lnk ·  passthrough[1].htm ·  pile default.exe ·  pkajulyt.exe ·  plg_ie0.dll ·  plus size.exe ·  popupbaropener[1].htm ·  qwxgxlrv.exe ·  refslow.exe ·  removelop.exe ·  rgg1.exe ·  rpzgnwux.exe ·  rulefindcamp.exe ·  rvimsmkf.exe ·  sect name.exe ·  setup time.dll ·  sfx71e4.tmp ·  sfxbe.tmp ·  sizewaitgrim.exe ·  software_plugin.exe ·  ssaxstxoaieoagrh.reg ·  stop hope.exe ·  tchstlmmdrm.htm ·  tfsuxbtg.exe ·  the_ultimate_browser_enhancer.exe ·  toolbar_uninstall.exe ·  twunk001.mtx ·  ulyfchcrcrdcr.htm ·  vlluafrq.exe ·  wa_inst.exe ·  waybait.exe ·  web default one.exe ·  wshbrybr.exe ·  xlj1.exe ·  xxeoxiqu.exe ·  ystck32.exe ·  yxogltoo.exe ·  zvpkxxtu.exe ·  zxenmgrbl.dll
• Lop.com.WinActive: activebitsflap.exe ·  bags more bold.exe ·  bendaceproc.exe ·  bind funk inside.exe ·  binidledumb.exe ·  bold grim.exe ·  bowsbleh.exe ·  bytemess.exe ·  defy view.exe ·  ford wma dead.exe ·  great each close.exe ·  greyplan.exe ·  heartflaw.exe ·  hope1media.exe ·  hoxujhed.exe ·  idle barb ball.exe ·  interarmy.exe ·  keep comp.exe ·  kind joy bib.exe ·  liesbagslist.exe ·  logo vc.exe ·  mail mess.exe ·  mediawebdownload.exe ·  oozeboob.exe ·  pile default.exe ·  plus thunk mags.exe ·  ruledatawma.exe ·  sign support mags.exe ·  soft team.exe ·  software grim.dll ·  time funk aim.exe ·  unbzip2s.dll ·  winactive.exe ·  xyq.exe
• Lop.com.WinActiveJ: winactivej.exe ·  winactivej_unpacked.exe
• OmegaSearch: bash second cast.exe ·  cash remote.exe ·  femguyse.exe ·  frag drv first boob.exe ·  lejytfqx.exe ·  sta1f.exe ·  sta2.exe

More Info:

Research By:

Last Revised: