What is lop.com?
Lop is a family of programs that set your start page and IE's search features to use the site lop.com ('Live Online Portal') or one of its clone sites. It is mainly a pay-per-click search portal, where other web sites pay for each click-through to their site via lop. This isn't a terrible idea, but rather than build a quality web site that attracts surfers who then click those links, its makers created a program that is labeled variously as an mp3 search program, a porn search program, or something similar. The installer turns the user's web browser into a device with a seemingly endless supply of links to lop.com.
Known lop sites include:
lop.com variants
lop/Trinity is an old variant of the software, which only adds the shortcuts and does the homepage/search hijacking.
lop/Dialer is a plain porn dialler delivered with the startup task.
lop/Toolbar: includes the startup task and an IE toolbar with more lop links. This variant can be detected by the script at this site.
lop/Rnd: a version of lop/Toolbar that uses completely random class IDs as well as pseudo-random filenames, making it difficult to detect.
lop/AYB: a URL protocol module used by the MP3Search (or similar) minibrowser launched by the startup task. This variant can be detected by the script at this site; having it is usually a sign you may have lop/Toolbar or lop/Rnd as well.
lop/Loader: an installer process that opens a small progress window in the middle of the screen and loads and runs both lop/AYB and either lop/Toolbar or lop/Rnd.
lop/IMZ: an installer process like lop/Loader, but installing lop/Rnd and FavoriteMan/IMZ. lop/AYB is not installed, so the script at this site usually cannot detect lop/IMZ installations.
lop/Active: an update of lop/Rnd which monitors the web pages viewed for keywords and sets the buttons in the toolbar to match. It also opens a floating window on the desktop on startup, and it can hijack to active-max.com, mysearchnow.com, searchwebnow.com or find-quick.com as well as one of the traditional four-letter domains.
lop.com behavior
- Stealth Tactics
- Connects to the internet
- Shows ads
- Changes browser
lop.com Removal Instructions:
Open the Application Data folder. This can be found inside the Windows folder on Windows 95/98/Me; on Windows 2000 and XP it is inside your user folder in 'Documents and Settings', but it's hidden, so go to Tools->Folder Options->View and turn on 'Show hidden files and folders' to see it. In Windows NT 4.0 it is in the user folder inside 'WinNT\Profiles'.
The filenames of lop files can vary for each different installation, but usually under Windows there should not be any files inside Application Data (only folders), so it's generally easy to pick out the culprits. Known filenames for the toolbar DLL (lop/Toolbar, lop/Rnd) or ayb: protocol DLL (lop/AYB) include:
blztstull[letter 'a', 'c', 'j', 'p', 's', 't' or 'y'].dll blztstull['pr', 'tr' or 'oo'].dll chksbdrlya.dll dmvcrthl.exe eaeeishllblc.dll eelykofrllfrpr.dll eelykofrllfrj.dll ealymfrprwch.dll epllkeeoopr.dll freabrlaouw.dll gldqumssfrie.dll hglllyxrxw.dll icdrhwno.dll heeachmstll.dll meepajlr.dll ousszidrta.dll plg_ie[any digit].dll prxzoustustgr.dll prnouestssstx.dll quizbt[any digit].dll quglwachfs.dll sstroallhqch.dll tblchepruprgr.dll trdzhtxf.exe trstshcrscksr.dll ukfroigl.dll upckeetoutw.dll veaeyglckr.dll woafrquzn.dll yeecrsoustoull.dll ziebaeeoaeepr.dll
Known filenames for the system tray task and hijacker file include:
asshuktr.exe bilyooas.exe byb_save.exe crgbeaoa.exe eaymulyl.exe eeublidc.exe glxshmcr.exe ijlysseb.exe jqumysto.exe kfriegbs.exe llfggrdr.exe lltckiey.exe lopsearc.exe meemnckyqbr.exe meepajlr.exe mprcouie.exe oofrkxpe.exe peebqusz.exe quveioot.exe shoucrck.exe ssmeeibl.exe tchpeatr.exe tglblrll.exe trstdris.exe ulyuiexeechp.exe vestufck.exe vfthrcbr.exe xogyfhp.exe ykphmbre.exe ylynfste.exe
Other files you may find with some versions include icon libraries (known filenames tchejea.lib and iCndE.lib) and loads of GIFs. These can all be deleted too. You might also have some of the following files in the Windows folder:
desktop.htm dnserror.htm jexpoofro.htm i_dnserr.gif s_dnserr.gif r_dnserr.gif b_dnserr.gif tiejexpoo.gif xiejexpoo.gif oiejexpoo.gif uiejexpoo.gif
Open the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. If you have not used the uninstall feature there should still be an entry with a value like 'C:\WINDOWS\APPLIC~1\(task name).exe -QuieT'; delete it. The name of this entry changes in different variants; known names are:
abtu brchfgl brfrgroo chytrw eeullz eedrtss lldrlyk lssxsh stoafv oooami oooik oucno phqtr pprwly qncu stjlee uaouea trglckea xckja ymste zvoah
In the lop/Active variant, there will instead be a 'winactive' entry pointing to winactive.exe. Delete this too.
You should also delete the following entries if you have them and they are not just blank:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Telephony\DomainName
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP\Domain
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{... check all interfaces ...}\Domain
Also you can remove the lop settings key if you can find it; it is inside HKEY_LOCAL_MACHINE\Software and has, again, a varying name; known examples are:
ckotetlllyllshz kseateasteestoe rhvlveasteafpr ssaxstxoaieoagrh TrinityAYB (lop/Trinity variant)
Next, if you have not used the uninstall feature, open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:
cd "%WinDir%\System"
regsvr32 /u [name of DLL]
substituting the full filename of the DLL, whatever its name is, in Application Data. Tip: You can drag the DLL file from Explorer onto the DOS command prompt window to put the name in so you don't have to type it all out.
Finally, reboot Windows and you should be able to delete all the files mentioned above, along with the shortcuts added to the desktop and the favorites menu. For the lop/Active variant you should delete the entire 'Active Window' folder inside Program Files.
You can also reset your homepage (from Internet Options->General) and search settings (Internet Options->Programs->Reset Web Settings), and delete the entries added to your Favorites menu. If you use Netscape/Mozilla you will need to reset the home page (Edit->Preferences->Navigator) and remove the Bookmarks too.
You may also wish to check your computer for diallers, as the lop.com site has been known to include dialler installers. If you have the lop/IMZ variant it is also possible that FavoriteMan/IMZ may have installed other parasites such as BargainBuddy, IGetNet and n-Case.
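
The file and Run-key checks in the removal instructions can be scripted for a first pass, keyed on behaviour because the filenames vary between installations. The Python below is an added example, not part of the original instructions or of any SpywareDot tool; the function names and the sample entries in demo() are constructed for illustration.

```python
import os
import re
import tempfile

# An executable sitting directly in an Application Data folder, written in
# full or as the 8.3 short name APPLIC~1 used in the Run value on the page.
APPDATA_EXE = re.compile(
    r'\\(?:application data|applic~1)\\[^\\"]+\.exe\b', re.IGNORECASE)
SUSPECT_EXT = {".dll", ".exe", ".lib"}

def loose_files(appdata_dir):
    """Names of DLL/EXE/LIB files lying directly in appdata_dir, sorted."""
    hits = []
    for entry in os.scandir(appdata_dir):
        ext = os.path.splitext(entry.name)[1].lower()
        if entry.is_file() and ext in SUSPECT_EXT:
            hits.append(entry.name)
    return sorted(hits)

def suspicious_run_entries(run_values):
    """Return (name, reason) for Run values that fit the page's description."""
    findings = []
    for name, command in run_values.items():
        if APPDATA_EXE.search(command):
            reason = "executable directly in Application Data"
            if re.search(r"(?:^|\s)-quiet\b", command, re.IGNORECASE):
                reason += " with -QuieT switch"
            findings.append((name, reason))
        elif name.lower() == "winactive" or "winactive.exe" in command.lower():
            findings.append((name, "lop/Active winactive task"))
    return findings

def demo():
    # Constructed sample data; these names and paths are made up.
    run_values = {
        "SampleTask": r"C:\WINDOWS\APPLIC~1\sampletask.exe -QuieT",
        "winactive": r"C:\Program Files\Active Window\winactive.exe",
        "Updater": r'"C:\Program Files\Vendor\updater.exe" /background',
    }
    with tempfile.TemporaryDirectory() as appdata:
        os.mkdir(os.path.join(appdata, "Microsoft"))
        for fname in ("sampletool.dll", "sampletask.exe", "notes.txt"):
            open(os.path.join(appdata, fname), "w").close()
        return loose_files(appdata), suspicious_run_entries(run_values)

if __name__ == "__main__":
    print(demo())
```

On a live system the Run values would be read from the registry key named above (for example with Python's winreg module) instead of a literal dictionary.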
Copyright © SpywareDot 2002-2005 | spywaredot.com. All rights reserved.