

LOP Software/spyware infection...


Postby Spazmogen on Sat Aug 14, 2004 11:06 am

I've been screwed by LOP 3x now in 2 months. It's hammered all 4 Netscape e-mail accounts every time. Changes my bookmarks in both IE & Netscape.

This thing just does what it wants on my system.


Can anyone recommend a good spyware remover tool?

I've used Adaware 6, but it keeps coming back on me like a case of The Clap! I thought I had it cured each time (LOP that is :D )

I've found SpyFerret, but the free version won't actually remove the files, it just identifies them. $39USD is the fee to buy a licence for it.

I was actually sitting at my comp. when LOP struck yesterday. It killed Ad-Watch (part of Adaware6) then installed itself again immediately. I removed what I could, restarted, but the damage is done again. No e-mail accounts!

Anyone else having this trouble?

Where did this sh*t come from & how did I get it?
I removed Limewire, Kazaa Lite & mIRC thinking it may have been one of them, but I'm not sure.
e6400 Core 2 Duo @ 2.13ghz
GeForce 7600GT 256mb PCI-e
2gb DDR2 667mhz Patriot ram 1.8v in d/c
Gigabyte GA-965P-DS3 F10 BIOS
WD Caviar SE16 250GB SATA300 7200RPM 16MB Buffer
Samsung SATA2 80gb 7200rpm
Samsung SH-S182D 18x DVD burner
Spazmogen
CD-RW Player
 
Posts: 1472
Joined: Tue Oct 23, 2001 8:00 pm
Location: Woodstock, Ontario

Postby dodecahedron on Sat Aug 14, 2004 12:07 pm

Spybot S&D is a great anti-spyware/adware software (current version 1.3).
www.safer-networking.net

give it a try.
BTW, apart from being the best, it's totally free!
(most people swear by either spybot or adaware...i'm a spybot fan).


Spybot support forums:
www.forums.net-integration.net

you can learn a lot about spyware, net safety/security/privacy etc. there. i did.
One Ring to rule them all, One Ring to find them,
One Ring to bring them all and in the darkness bind them
In the land of Mordor, where the Shadows lie
-- JRRT
M.C. Escher - Reptilien
dodecahedron
DVD Polygon
 
Posts: 6865
Joined: Sat Mar 09, 2002 12:04 am
Location: Israel

Postby Matt on Sat Aug 14, 2004 1:32 pm

Spybot's definitions are so far out of date that they've become practically useless. I just finished writing up a definition for this lop variant this week actually. (I won't say what company I work for, but it shouldn't be very hard to figure out.) They haven't been hijacking mozilla/netscape until just recently.

This one is particularly hard to remove because the processes that run disguise themselves as IEXPLORE.exe on the tasks list when no IE windows are open and watch to see when each other are terminated.

I'll head into work this afternoon and pick up the compiled definition set that should remove this and send that file to you if you want to give our product a try. If that doesn't work you can download hijackthis and email me the log, and I'll see which files and items we need to fix up.
Matt
CD-RW Player
 
Posts: 261
Joined: Sun Apr 08, 2001 2:34 pm
Location: Boulder, CO
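
An added example, not part of Matt's post or of any vendor's definition set: a Python sketch of how a defender could triage the behaviour described above, flagging processes that carry the IEXPLORE.EXE name with no browser window or from outside the IE install directory, and spotting a same-named sibling that restarts a terminated copy. The process snapshot, event list, paths and the default IE directory are constructed assumptions.

```python
import ntpath

# Assumption: default install directory of the genuine IE binary.
IE_DIR = r"c:\program files\internet explorer"

def masquerading(snapshot):
    """Map pid -> reasons for processes named iexplore.exe that look out of place."""
    flagged = {}
    for proc in snapshot:
        directory, name = ntpath.split(proc["image"].lower())
        if name != "iexplore.exe":
            continue
        reasons = []
        if directory != IE_DIR:
            reasons.append("image outside IE install directory")
        if proc["windows"] == 0:
            reasons.append("no browser window open")
        if reasons:
            flagged[proc["pid"]] = reasons
    return flagged

def respawns(events, window=5):
    """List (exited_pid, new_pid, parent_pid) where a same-named sibling
    restarted an exited image within `window` seconds."""
    live, exits, hits = {}, [], []
    for ev in sorted(events, key=lambda ev: ev["t"]):
        if ev["type"] == "exit":
            exits.append((ev["t"], ev["pid"], live.pop(ev["pid"], None)))
            continue
        image = ev["image"].lower()
        live[ev["pid"]] = image
        parent = live.get(ev["ppid"])
        for t, pid, old in exits:
            if (old == image and ev["t"] - t <= window and parent
                    and ntpath.basename(parent) == ntpath.basename(image)):
                hits.append((pid, ev["pid"], ev["ppid"]))
    return hits

# Constructed sample data (not taken from a real infection).
REAL = r"C:\Program Files\Internet Explorer\iexplore.exe"
FAKE_A = r"C:\constructed\a\iexplore.exe"
FAKE_B = r"C:\constructed\b\iexplore.exe"
EVENTS = [
    {"t": 0, "type": "start", "pid": 1204, "ppid": 900, "image": FAKE_A},
    {"t": 1, "type": "start", "pid": 1312, "ppid": 900, "image": FAKE_B},
    {"t": 60, "type": "exit", "pid": 1204},
    {"t": 61, "type": "start", "pid": 1388, "ppid": 1312, "image": FAKE_A},
    {"t": 90, "type": "start", "pid": 2100, "ppid": 1500, "image": REAL},
]
SNAPSHOT = [
    {"pid": 1312, "image": FAKE_B, "windows": 0},
    {"pid": 1388, "image": FAKE_A, "windows": 0},
    {"pid": 2100, "image": REAL, "windows": 1},
]

if __name__ == "__main__":
    print(masquerading(SNAPSHOT))
    print(respawns(EVENTS))
```

A windowless iexplore.exe in the right directory is only a signal to look closer, which is why each finding carries its reasons rather than a verdict.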

Postby dodecahedron on Sun Aug 15, 2004 12:53 am

Matt wrote:Spybot's definitions are so far out of date that they've become practically useless. I just finished writing up a definition for this lop variant this week actually. (I won't say what company I work for, but it shouldn't be very hard to figure out.)

you work for Ad-Aware ? :)

actually, i haven't used Spybot for over a month, computer trouble and OS reinstallation, another one coming up soon, couldn't be bothered.
but checking their website the latest update is 10 August.
are you saying that even though they're releasing updates, these updates aren't complete (don't handle new spyware)?

Spybot, Spywareblaster

Postby dpippin on Sun Aug 15, 2004 1:39 am

I still can't guess what company Matt works for. However the three programs I use (all freeware) are:

1. Spybot Search and Destroy as listed above.

2. SpywareBlaster, it's a program that prevents your system from getting spyware, and doesn't even have to run in the background! =D> http://www.javacoolsoftware.com/spywareblaster.html

3. And when something is still bothering me I use Hijackthis (very rarely). But it works great. And sometimes when I'm really stuck and need help I post my Hijackthis log file on www.cexx.org (Spyware Forum).
*.*.*-._.-PiP-._.-*.*.*
dpippin
Buffer Underrun
 
Posts: 26
Joined: Wed Jul 23, 2003 2:14 pm
Location: Oregon

Postby tazdevl on Sun Aug 15, 2004 3:22 am

Couple things to try.

There might be something else messing around with your system or the malware is memory resident... so your average on-demand scanner won't fully pull it out.

First recommendation is to use safer browsing habits and quit using Kazaa, Limewire and MIRC. Scan everything before you download.

Couple online scanners that might help your cleanup efforts (bitdefender, mks and mcafee do a better job with non-viral baddies)...
http://www.bitdefender.com/scan/license.php
http://www.kaspersky.com/scanforvirus
http://us.mcafee.com/root/mfs/default.asp?cid=9913
http://skaner.mks.com.pl/skaner.html
http://security.symantec.com/sscv6/defa ... &venid=sym
http://housecall.trendmicro.com/

Get a new AV. Don't use a free one... you pay for what you get. My recommendation would be to pick up Kaspersky 4.5 Pro/Personal 5.0 and use the extended DB option. KAV has the best all around protection from viruses, worms and trojans (on par with most antitrojan apps)... the extended DB includes protection from riskware, adware, malware and pr0nware. Not to mention KAV has the best unpacking support of any AV in the industry so even if a nasty is buried in 5 different kinds of archives, it will be identified and taken care of.

SpySweeper... now on 3.0. Has active shields which means it keeps crap from getting installed (unlike Adaware free and Spybot). 15 or 30 day trial. www.webroot.com Better than the paid version of Adaware IMO. Only thing it needs is generic detection abilities.

One other I'd highly recommend... Ewido... adware, spyware and antitrojan. Just was released 10 days or so ago. Couple minor issues, but in all, a solid little app. www.ewido.net



My guess is that Matt works for Webroot, the maker of SpySweeper.
RIG:
P4 2.6C, Thermalright SP94/Panaflo 92MM M1A, IC7 Max3, Swifty MCX159, 1GB Geil PC4000 Ultra Plat, Radeon 8500, Audigy 2, 2X WD Raptor RAID 0, WD 250GB SE, Plex 708A, 166SDVD, LianLi PC75, XP Pro.
tazdevl
CD-RW Player
 
Posts: 979
Joined: Tue May 14, 2002 11:03 pm

Postby Spazmogen on Sun Aug 15, 2004 6:57 am

Thanks guys.

Here's an update:
I'm f*cked. I spent the $39 USD for SpyFerret. It removed the LOP & numerous other pests. But it also seemed to have altered some windows files in the process. That version of XP is not functioning right now.
I've installed a temporary version of XP to burn what I require from that drive- Format C: is in my future.

Even after a temporary install, SpyFerret has already found 3 pests hiding on my system.

Postby PadG on Sun Aug 15, 2004 11:05 am

Too bad I came across this thread only now!

I'm pretty sure that CWShredder would have removed that pesky hijacker! It's free, and you may still want to check it out. I don't recall their home web site, but it's available for DL on www.download.com.
What is this life, if full of cares...
PadG
Buffer Underrun
 
Posts: 15
Joined: Thu Aug 28, 2003 8:50 am
Location: Cleveland, OH

Postby pchilson on Sun Aug 15, 2004 11:49 am

Matt wrote:(I won't say what company I work for, but it shouldn't be very hard to figure out.)

Do I win a prize if I say "Webroot"?
pchilson
CD-RW Player
 
Posts: 213
Joined: Sat Sep 13, 2003 12:05 am
Location: Colorado

Postby dodecahedron on Sun Aug 15, 2004 12:07 pm

CWShredder is for fixing the CoolWWWSearch (and its variants). i'm not sure it would help fix LOP.

here http://www.allsecpros.com/ you can download Spybot S&D, SpywareBlaster, CWShredder, HijackThis

Postby tazdevl on Sun Aug 15, 2004 1:01 pm

pchilson wrote:
Matt wrote:(I won't say what company I work for, but it shouldn't be very hard to figure out.)

Do I win a prize if I say "Webroot"?


Too late, beat you to the punch.

Postby pchilson on Sun Aug 15, 2004 1:04 pm

tazdevl wrote:
pchilson wrote:
Matt wrote:(I won't say what company I work for, but it shouldn't be very hard to figure out.)

Do I win a prize if I say "Webroot"?


Too late, beat you to the punch.

Ahh, so you did. Didn't notice...

Postby tazdevl on Sun Aug 15, 2004 1:05 pm

Spazmogen wrote:Thanks guys.

Here's an update:
I'm f*cked. I spent the $39 USD for SpyFerret. It removed the LOP & numerous other pests. But it also seemed to have altered some windows files in the process. That version of XP is not functioning right now.
I've installed a temporary version of XP to burn what I require from that drive- Format C: is in my future.

Even after a temporary install, SpyFerret has already found 3 pests hiding on my system.


Only things I can think of that SpyFerret might find if you've installed SP1 (not SP2) clean are Alexa, Media Player ID and DCom.

FYI I've never heard of SpyFerret and I follow the AV/AT/Spyware scene fairly closely. I'd get your money back if it's altering windows files. That definitely is a no no and reminds me of the days when AdAware just came out and it was pulling out OS reg keys and dlls because it incorrectly identified them.

The other thing I meant to say above was be sure to scan everything before you open it. Many AVs don't have real-time protection and don't automatically scan archives (NAV 2003 is a good example). Have to manually scan to identify malware.


EDIT
Not the best idea to use SpyFerret, they cracked SpyBot's signature files, some code and are using them. I'd get a refund based on that alone and if they don't hook you up, dispute the charge with your credit card company.

http://www.safer-networking.org/en/comp ... erret.html

If you have people recommending things like SpyFerret, I'd find another forum to get info.

Postby dodecahedron on Sun Aug 15, 2004 1:36 pm

tazdevl wrote:The other thing I meant to say above was be sure to scan everything before you open it. Many AVs don't have real-time protection and don't automatically scan archives (NAV 2003 is a good example). Have to manually scan to identify malware.

NAV 2003 does scan archives.
but i scan everything manually anyways. i'm paranoid. :o

tazdevl wrote:EDIT
Not the best idea to use SpyFerret, they cracked SpyBot's signature files, some code and are using them. I'd get a refund based on that alone and if they don't hook you up, dispute the charge with your credit card company.

http://www.safer-networking.org/en/comp ... erret.html

If you have people recommending things like SpyFerret, I'd find another forum to get info.

SpyFerret isn't the only one to have done that either.

Postby tazdevl on Sun Aug 15, 2004 1:54 pm

dodecahedron wrote:
tazdevl wrote:The other thing I meant to say above was be sure to scan everything before you open it. Many AVs don't have real-time protection and don't automatically scan archives (NAV 2003 is a good example). Have to manually scan to identify malware.

NAV 2003 does scan archives.
but i scan everything manually anyways. i'm paranoid. :o

tazdevl wrote:EDIT
Not the best idea to use SpyFerret, they cracked SpyBot's signature files, some code and are using them. I'd get a refund based on that alone and if they don't hook you up, dispute the charge with your credit card company.

http://www.safer-networking.org/en/comp ... erret.html

If you have people recommending things like SpyFerret, I'd find another forum to get info.

SpyFerret isn't the only one to have done that either.


Last time I played with NAV 2K3 it did not unpack the archive during the RT scan... maybe they fixed it and now it goes to one level.

SpyFerret... there's a difference between companies agreeing to share signature files in a forum (lot of AV companies do this) and someone cracking your encrypted signature files.

Postby dodecahedron on Sun Aug 15, 2004 3:50 pm

tazdevl wrote:Last time I played with NAV 2K3 it did not unpack the archive during the RT scan... maybe they fixed it and now it goes to one level.

maybe i'm not understanding you rightly.

what do you mean by Real-Time scan?
when scanning an attachment to an email maybe?

there's an option in the Options Scan within compressed files. but it's under Manual scan. do you mean that the automatic scanning done in the background (like email attachments, program downloads) doesn't scan archives???
i was sure it did.

Postby Matt on Sun Aug 15, 2004 4:57 pm

dodecahedron wrote:actually, i haven't used Spybot for over a month, computer trouble and OS reinstallation, another one coming up soon, couldn't be bothered.
but checking their website the latest update is 10 August.
are you saying that even though they're releasing updates, these updates aren't complete (don't handle new spyware)?


I'm not saying they aren't complete or aren't good at what they do, but their frequency of updates to new variants seems a little behind, but I give them incredible kudos for being a free product and staying on top of things so well.

Spazmogen wrote:I'm f*cked. I spent the $39 USD for SpyFerret. It removed the LOP & numerous other pests. But it also seemed to have altered some windows files in the process. That version of XP is not functioning right now.
I've installed a temporary version of XP to burn what I require from that drive- Format C: is in my future.

Even after a temporary install, SpyFerret has already found 3 pests hiding on my system.


What did it find on a fresh install of XP? Components of Alexa toolbar and cookies are the only possible things I could think of...? I sent you a PM, btw.

dodecahedron wrote:CWShredder is for fixing the CoolWWWSearch (and its variants). i'm not sure it would help fix LOP.

Dodeca is right, CWShredder won't do much for the lop hijackers. Unfortunately Merijn stopped putting out updates for this tool.

Postby Spazmogen on Sun Aug 15, 2004 9:13 pm

OK.

I'm back up.

Norton AV 2003 & Firewall are back in and up to date.
Office XP is back in.
Netscape is set up again.

Next step: Ghost the partition onto a bootable DVD.

Matt: Alexa toolbar and cookies were indeed the only items found on a fresh scan (even after SP2 was installed).

I was trying to remove Alexa with SpyFerret when it crashed XP.

Postby dodecahedron on Mon Aug 16, 2004 1:17 am

Matt wrote:Dodeca is right, CWShredder won't do much for the lop hijackers. Unfortunately Merijn stopped putting out updates for this tool.

too bad :(

Postby Spazmogen on Mon Aug 16, 2004 1:31 pm

I've been reading that Active X can be used to install this automatically.

Would I be wise to remove Active X controls from IE6?

Postby Matt on Mon Aug 16, 2004 1:46 pm

Make sure that you have them set to at least prompt you before installing.
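
An added example, not from the thread: one way to check the advice above against a saved registry export, using the Internet zone key (Internet Settings\Zones\3) and the URL actions 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls), where 0 means enable, 1 means prompt and 3 means disable. The export text is constructed, and the function name is hypothetical.

```python
import re

# URL actions stored under ...\Internet Settings\Zones\3 (the Internet zone).
ACTIONS = {
    "1001": "download signed ActiveX controls",
    "1004": "download unsigned ActiveX controls",
}
POLICY = {0: "enable", 1: "prompt", 3: "disable"}
VALUE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def audit_zone(reg_text):
    """Return {action label: (setting, ok)}.
    ok is True only when the control cannot install without a prompt."""
    seen, in_zone3 = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Track which key the following values belong to.
            in_zone3 = line.lower().endswith(r"\internet settings\zones\3]")
            continue
        match = VALUE.match(line)
        if in_zone3 and match and match.group(1) in ACTIONS:
            seen[match.group(1)] = int(match.group(2), 16)
    report = {}
    for action, label in ACTIONS.items():
        value = seen.get(action)
        setting = POLICY.get(value, "missing or unknown")
        report[label] = (setting, value in (1, 3))
    return report

# Constructed export: the Internet zone silently installs signed controls.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000003
"1200"=dword:00000000
'''

if __name__ == "__main__":
    for label, (setting, ok) in audit_zone(SAMPLE).items():
        print(f"{label}: {setting} ({'ok' if ok else 'CHANGE TO PROMPT OR DISABLE'})")
```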

Postby Spazmogen on Tue Aug 17, 2004 5:28 am

I've blocked ALL Active X with Norton Personal Firewall 2003 edition.

I'm also using Webroot's "Spy Sweeper". It is fantastic! I highly recommend it. I like the fact that it has a shield feature and runs minimized in the task tray near my clock.

This combination of firewall/Spy Sweeper should keep LOP at bay!

Postby ruderacer on Tue Aug 17, 2004 11:31 pm

Spaz, I was just about to recommend Spy Sweeper. Just make sure you update it regularly. Glad to see you're up and running.
ruderacer
CD-RW Player
 
Posts: 351
Joined: Sat Sep 20, 2003 12:15 pm
Location: Back in Florida

Postby Spazmogen on Thu Aug 19, 2004 4:28 pm

I'm now trying to get a refund from SpyFerret (aka: onlinepcfix.com ).

I expect I'll have a fight on my hands.



All Content is Copyright (c) 2001-2017 CDRLabs Inc.