
LOP Software/spyware infection...

Posted: Sat Aug 14, 2004 11:06 am
by Spazmogen
I've been screwed by LOP 3x now in 2 months. It's hammered all 4 Netscape e-mail accounts every time. Changes my bookmarks in both IE & Netscape.

This thing just does what it wants on my system.


Can anyone recommend a good spyware remover tool?

I've used Adaware 6, but it keeps coming back on me like a case of The Clap! I thought I had it cured each time (LOP that is :D )

I've found SpyFerret, but the free version won't actually remove the files, it just identifies them. $39USD is the fee to buy a licence for it.

I was actually sitting at my comp. when LOP struck yesterday. It killed Ad-Watch (part of Adaware6) then installed itself again immediately. I removed what I could, restarted, but the damage is done again. No e-mail accounts!

Anyone else having this trouble?

Where did this sh*t come from & how did I get it?
I removed Limewire, Kazaa Lite & mIRC thinking it may have been one of them, but I'm not sure.

Posted: Sat Aug 14, 2004 12:07 pm
by dodecahedron
Spybot S&D is a great anti-spyware/adware software (current version 1.3).
www.safer-networking.net

give it a try.
BTW, apart from being the best, it's totally free!
(most people swear by either spybot or adaware...i'm a spybot fan).


Spybot support forums:
www.forums.net-integration.net

you can learn a lot about spyware, net safety/security/privacy etc. there. i did.

Posted: Sat Aug 14, 2004 1:32 pm
by Matt
Spybot's definitions are so far out of date that they've become practically useless. I just finished writing up a definition for this lop variant this week actually. (I won't say what company I work for, but it shouldn't be very hard to figure out.) They haven't been hijacking mozilla/netscape until just recently.

This one is particularly hard to remove because the processes that run disguise themselves as IEXPLORE.exe on the tasks list when no IE windows are open and watch to see when each other are terminated.

I'll head into work this afternoon and pick up the compiled definition set that should remove this and send that file to you if you want to give our product a try. If that doesn't work you can download hijackthis and email me the log, and I'll see which files and items we need to fix up.
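
The masquerade described in the post above can be checked from a process listing. This is an added example, not part of the thread and not any vendor's detection logic: it parses `tasklist /V /FO CSV` output and flags processes that use the IE image name but own no window. The sample listing, PIDs and the `triage` function name are constructed for illustration, and English column headers are assumed.

```python
import csv
import io

# Constructed sample of `tasklist /V /FO CSV` output (English column names);
# the PIDs, user name and window title are made up for this example.
SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"explorer.exe","1432","Console","0","18,204 K","Running","PC\\user","0:00:12","N/A"
"IEXPLORE.EXE","2104","Console","0","22,480 K","Running","PC\\user","0:00:03","Example - Microsoft Internet Explorer"
"IEXPLORE.EXE","2760","Console","0","3,112 K","Running","PC\\user","0:00:00","N/A"
"iexplore.exe","2788","Console","0","3,096 K","Running","PC\\user","0:00:00","N/A"
'''

NO_WINDOW = {"", "n/a"}  # tasklist prints N/A when a process owns no window


def triage(tasklist_csv, image="iexplore.exe"):
    """Flag processes using the IE image name that own no window."""
    visible, hidden = [], []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if row["Image Name"].strip().lower() != image:
            continue
        pid = int(row["PID"])
        title = (row.get("Window Title") or "").strip().lower()
        (hidden if title in NO_WINDOW else visible).append(pid)
    if not hidden:
        confidence = "none"
    elif not visible:
        # Matches the post exactly: IEXPLORE.EXE listed, no IE window open.
        confidence = "high"
    else:
        # A real browser window exists too; windowless ones still need a look.
        confidence = "review"
    return {
        "suspect_pids": sorted(hidden),
        "visible_ie_pids": sorted(visible),
        # Two or more windowless copies fit the "watch each other" behaviour
        # described in the post.
        "watchdog_pattern": len(hidden) >= 2,
        "confidence": confidence,
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A windowless instance is a lead to follow up with a scanner or a HijackThis log, not proof of infection on its own.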

Posted: Sun Aug 15, 2004 12:53 am
by dodecahedron
Matt wrote:Spybot's definitions are so far out of date that they've become practically useless. I just finished writing up a definition for this lop variant this week actually. (I won't say what company I work for, but it shouldn't be very hard to figure out.)

you work for Ad-Aware ? :)

actually, i haven't used Spybot for over a month, computer trouble and OS reinstallation, another one coming up soon, couldn't be bothered.
but checking their website the latest update is 10 August.
are you saying that even though they're releasing updates, these updates aren't complete (don't handle new spyware)?

Spybot, Spywareblaster

Posted: Sun Aug 15, 2004 1:39 am
by dpippin
I still can't guess what company Matt works for. However the three programs I use (all freeware) are:

1. Spybot Search and Destroy as listed above.

2. SpywareBlaster, it's a program that prevents your system from getting spyware, and doesn't even have to run in the background! =D> http://www.javacoolsoftware.com/spywareblaster.html

3. And when something is still bothering me I use Hijackthis (very rarely). But it works great. And sometimes when I'm really stuck and need help I post my Hijackthis log file on www.cexx.org (Spyware Forum).

Posted: Sun Aug 15, 2004 3:22 am
by tazdevl
Couple things to try.

There might be something else messing around with your system or the malware is memory resident... so your average on-demand scanner won't fully pull it out.

First recommendation is to use safer browsing habits and quit using Kazaa, Limewire and MIRC. Scan everything before you download.

Couple online scanners that might help your cleanup efforts (bitdefender, mks and mcafee do a better job with non-viral baddies)...
http://www.bitdefender.com/scan/license.php
http://www.kaspersky.com/scanforvirus
http://us.mcafee.com/root/mfs/default.asp?cid=9913
http://skaner.mks.com.pl/skaner.html
http://security.symantec.com/sscv6/defa ... &venid=sym
http://housecall.trendmicro.com/

Get a new AV. Don't use a free one... you pay for what you get. My recommendation would be to pick up Kaspersky 4.5 Pro/Personal 5.0 and use the extended DB option. KAV has the best all around protection from viruses, worms and trojans (on par with most antitrojan apps)... the extended DB includes protection from riskware, adware, malware and pr0nware. Not to mention KAV has the best unpacking support of any AV in the industry so even if a nasty is buried in 5 different kinds of archives, it will be identified and taken care of.

SpySweeper... now on 3.0. Has active shields which means it keeps crap from getting installed (unlike Adaware free and Spybot). 15 or 30 day trial. www.webroot.com Better than the paid version of Adaware IMO. Only thing it needs is generic detection abilities.

One other I'd highly recommend... Ewido... adware, spyware and antitrojan. Just was released 10 days or so ago. Couple minor issues, but in all, a solid little app. www.ewido.net



My guess is that Matt works for Webroot, the maker of SpySweeper.

Posted: Sun Aug 15, 2004 6:57 am
by Spazmogen
Thanks guys.

Here's an update:
I'm f*cked. I spent the $39 USD for SpyFerret. It removed the LOP & numerous other pests. But it also seemed to have altered some windows files in the process. That version of XP is not functioning right now.
I've installed a temporary version of XP to burn what I require from that drive- Format C: is in my future.

Even after a temporary install, SpyFerret has already found 3 pests hiding on my system.

Posted: Sun Aug 15, 2004 11:05 am
by PadG
Too bad I came across this thread only now!

I'm pretty sure that CWShredder would have removed that pesky hijacker! It's free, and you may still want to check it out. I don't recall their home web site, but it's available for DL on www.download.com.

Posted: Sun Aug 15, 2004 11:49 am
by pchilson
Matt wrote:(I won't say what company I work for, but it shouldn't be very hard to figure out.)

Do I win a prize if I say "Webroot"?

Posted: Sun Aug 15, 2004 12:07 pm
by dodecahedron
CWShredder is for fixing the CoolWWWSearch (and its variants). i'm not sure it would help fix LOP.

here http://www.allsecpros.com/ you can download Spybot S&D, SpywareBlaster, CWShredder, HijackThis

Posted: Sun Aug 15, 2004 1:01 pm
by tazdevl
pchilson wrote:
Matt wrote:(I won't say what company I work for, but it shouldn't be very hard to figure out.)

Do I win a prize if I say "Webroot"?


Too late, beat you to the punch.

Posted: Sun Aug 15, 2004 1:04 pm
by pchilson
tazdevl wrote:
pchilson wrote:
Matt wrote:(I won't say what company I work for, but it shouldn't be very hard to figure out.)

Do I win a prize if I say "Webroot"?


Too late, beat you to the punch.

Ahh, so you did. Didn't notice...

Posted: Sun Aug 15, 2004 1:05 pm
by tazdevl
Spazmogen wrote:Thanks guys.

Here's an update:
I'm f*cked. I spent the $39 USD for SpyFerret. It removed the LOP & numerous other pests. But it also seemed to have altered some windows files in the process. That version of XP is not functioning right now.
I've installed a temporary version of XP to burn what I require from that drive- Format C: is in my future.

Even after a temporary install, SpyFerret has already found 3 pests hiding on my system.


Only things I can think of that SpyFerret might find if you've installed SP1 (not SP2) clean are Alexa, Media Player ID and DCom.

FYI I've never heard of SpyFerret and I follow the AV/AT/Spyware scene fairly closely. I'd get your money back if it's altering windows files. That definitely is a no no and reminds me of the days when AdAware just came out and it was pulling out OS reg keys and dlls because it incorrectly identified them.

The other thing I meant to say above was be sure to scan everything before you open it. Many AVs don't have real-time protection and don't automatically scan archives (NAV 2003 is a good example). Have to manually scan to identify malware.


EDIT
Not the best idea to use SpyFerret, they cracked SpyBot's signature files, some code and are using them. I'd get a refund based on that alone and if they don't hook you up, dispute the charge with your credit card company.

http://www.safer-networking.org/en/comp ... erret.html

If you have people recommending things like SpyFerret, I'd find another forum to get info.

Posted: Sun Aug 15, 2004 1:36 pm
by dodecahedron
tazdevl wrote:The other thing I meant to say above was be sure to scan everything before you open it. Many AVs don't have real-time protection and don't automatically scan archives (NAV 2003 is a good example). Have to manually scan to identify malware.

NAV 2003 does scan archives.
but i scan everything manually anyways. i'm paranoid. :o

tazdevl wrote:EDIT
Not the best idea to use SpyFerret, they cracked SpyBot's signature files, some code and are using them. I'd get a refund based on that alone and if they don't hook you up, dispute the charge with your credit card company.

http://www.safer-networking.org/en/comp ... erret.html

If you have people recommending things like SpyFerret, I'd find another forum to get info.

SpyFerret isn't the only one to have done that either.

Posted: Sun Aug 15, 2004 1:54 pm
by tazdevl
dodecahedron wrote:
tazdevl wrote:The other thing I meant to say above was be sure to scan everything before you open it. Many AVs don't have real-time protection and don't automatically scan archives (NAV 2003 is a good example). Have to manually scan to identify malware.

NAV 2003 does scan archives.
but i scan everything manually anyways. i'm paranoid. :o

tazdevl wrote:EDIT
Not the best idea to use SpyFerret, they cracked SpyBot's signature files, some code and are using them. I'd get a refund based on that alone and if they don't hook you up, dispute the charge with your credit card company.

http://www.safer-networking.org/en/comp ... erret.html

If you have people recommending things like SpyFerret, I'd find another forum to get info.

SpyFerret isn't the only one to have done that either.


Last time I played with NAV 2K3 it did not unpack the archive during the RT scan... maybe they fixed it and now it goes to one level.

SpyFerret... there's a difference between companies agreeing to share signature files in a forum (lot of AV companies do this) and someone cracking your encrypted signature files.

Posted: Sun Aug 15, 2004 3:50 pm
by dodecahedron
tazdevl wrote:Last time I played with NAV 2K3 it did not unpack the archive during the RT scan... maybe they fixed it and now it goes to one level.

maybe i'm not understanding you rightly.

what do you mean by Real-Time scan?
when scanning an attachment to an email maybe?

there's an option in the Options Scan within compressed files. but it's under Manual scan. do you mean that the automatic scanning done in the background (like email attachments, program downloads) doesn't scan archives???
i was sure it did.

Posted: Sun Aug 15, 2004 4:57 pm
by Matt
dodecahedron wrote:actually, i haven't used Spybot for over a month, computer trouble and OS reinstallation, another one coming up soon, couldn't be bothered.
but checking their website the latest update is 10 August.
are you saying that even though they're releasing updates, these updates aren't complete (don't handle new spyware)?


I'm not saying they aren't complete or aren't good at what they do, but their frequency of updates to new variants seems a little behind, but I give them incredible kudos for being a free product and staying on top of things so well.

Spazmogen wrote:I'm f*cked. I spent the $39 USD for SpyFerret. It removed the LOP & numerous other pests. But it also seemed to have altered some windows files in the process. That version of XP is not functioning right now.
I've installed a temporary version of XP to burn what I require from that drive- Format C: is in my future.

Even after a temporary install, SpyFerret has already found 3 pests hiding on my system.


What did it find on a fresh install of XP? Components of Alexa toolbar and cookies are the only possible things I could think of...? I sent you a PM, btw.

dodecahedron wrote:CWShredder is for fixing the CoolWWWSearch (and its variants). i'm not sure it would help fix LOP.

Dodeca is right, CWShredder won't do much for the lop hijackers. Unfortunately Merijn stopped putting out updates for this tool.

Posted: Sun Aug 15, 2004 9:13 pm
by Spazmogen
OK.

I'm back up.

Norton AV 2003 & Firewall are back in and up to date.
Office XP is back in.
Netscape is set up again.

Next step: Ghost the partition onto a bootable DVD.

Matt: Alexa toolbar and cookies were indeed the only items found on a fresh scan (even after SP2 was installed).

I was trying to remove Alexa with SpyFerret when it crashed XP.

Posted: Mon Aug 16, 2004 1:17 am
by dodecahedron
Matt wrote:Dodeca is right, CWShredder won't do much for the lop hijackers. Unfortunately Merijn stopped putting out updates for this tool.

too bad :(

Posted: Mon Aug 16, 2004 1:31 pm
by Spazmogen
I've been reading that Active X can be used to install this automatically.

Would I be wise to remove Active X controls from IE6?

Posted: Mon Aug 16, 2004 1:46 pm
by Matt
Make sure that you have them set to at least prompt you before installing.

Posted: Tue Aug 17, 2004 5:28 am
by Spazmogen
I've blocked ALL Active X with Norton Personal Firewall 2003 edition.

I'm also using Webroot's "Spy Sweeper". It is fantastic! I highly recommend it. I like the fact that it has a shield feature and runs minimized in the task tray near my clock.

This combination of firewall/Spy Sweeper should keep LOP at bay!

Posted: Tue Aug 17, 2004 11:31 pm
by ruderacer
Spaz, I was just about to recommend Spy Sweeper. Just make sure you update it regularly. Glad to see you're up and running.

Posted: Thu Aug 19, 2004 4:28 pm
by Spazmogen
I'm now trying to get a refund from SpyFerret (aka: onlinepcfix.com ).

I expect I'll have a fight on my hands.