lmilone
join:2001-07-21
Northfield, NJ

lmilone

Member

C2.lop -- Spybots working overtime!!

Can anyone tell me if C2.lop found in the registry by Spybot is another error like DSO exploit? In any case should I let Spybot remove it or should it be corrected by going into the registry? If the registry is the way to go does anyone know if there's a fix like the one for DSO exploit that's been found? Thanks

marti
Color outside the lines
MVM
join:2001-12-14
Houston, TX

marti

MVM

I heard it was a false positive. Will look for the link to the thread on Spybot forum.

Edit: found the link: »www.net-integration.net/ ··· 8;t=1944
[text was edited by author 2003-03-11 23:34:23]

discogail
join:2001-12-05
Somerville, MA

discogail to lmilone

Member

to lmilone
In some cases.....A default handler for Microsoft Remote Data Services is being tagged as C2Lop. If your scan came up with [HKEY_CLASSES_ROOT\CLSID\{A1A6B99D-497F-11D1-9217-00C04FBBBFB3}] ..it's a legit key...relating to the C:\Program Files\Common Files\system\msadc folder.....specifically the MSDFMAP.DLL.
If you've truly been "lopped"...there'll be more than just a reg key.
lmilone
join:2001-07-21
Northfield, NJ

lmilone

Member

The Spybot scan came up with just one reg entry but it differs from yours. The symbols following CLSID are:
(A1A_6B99D_497F_11D1_9217_00C04FBBBFB3). I have no idea what that means or how to find out. I would like to know how you determine what it is even though I would probably have to come back here to ask if it was good or bad.

EDIT: Just went back again to the Spybot forum thread mentioned by Marti (above) and found this by DISCOGAIL.

Posts: 25
Joined: June 2002
Posted: Mar. 09 2003,18:44

--------------------------------------------------------------------------------
My scan produced....
C2.lop: Class ID( (Handler Class)) (Registry key)
HKEY_CLASSES_ROOT\CLSID\{A1A6B99D-497F-11D1-9217-00C04FBBBFB3}

found the key......led me to C:\Program Files\Common Files\system\msadc folder.....
msdfmap.dll
"The MSDFMAP handler is the default handler for RDS that ships with the Microsoft Data Access Components and is installed with the MDAC component package. It uses the MSDFMAP.ini file as its default .ini file to validate information passed to the business services tier by the client application."

It's not just a beta issue....this occurs w/ the non-beta update.

Sorry I didn't check that before I posted but thought that instead of deleting the post I should put in the answer in case anyone else has the same question.
[text was edited by author 2003-03-12 10:38:37]

[text was edited by author 2003-03-12 10:41:49]

confoosed
@wilmsc01.tn.comcast.

confoosed

Anon

C2.lop Stops Spybot????!!??

When I'm scanning, the scan stops at "C2.lop" and won't go past it. What is this and what should I do?

TonyKlein
Premium Member
join:2001-07-02
Netherlands

TonyKlein

Premium Member

It's a known bug that occurs on some systems, and it's being looked at.

As a workaround, in SpyBot, go to Excludes > Products > Cookies, and put a check mark in the C2.Lop box. That way SpyBot will be able to complete the scan.

Cheers,

techman23
@netins.net

techman23

Anon

If you wait long enough the scan will get past C2.lop and complete.

pieter arntz
join:2002-02-26
Netherlands

pieter arntz

Member

I'm sorry. I care to disagree. I have seen people state they had waited for three hours. Unchecking the C2.lop cookies will restore Spybot S&D's normal functionality.
Sickofspies
join:2003-05-01
Hammond, WI

Sickofspies to lmilone

Member

to lmilone

Re: C2.lop -- Spybots working overtime!!

Wondering if anyone who was hit with this wonderful C2.lop spy has noticed if the toolbar name is : HPIECCHGOUV or if this is just a fluke. I'm working on cleaning it off of someone's PC, and I ran Search & Destroy and it seems to be working for now. But he still has this toolbar as an option in the system. Although not checked.
I also noticed, before running spybot, that although it didn't change his start page, it ran some sort of script before his page loaded.. Once I ran s&D this stopped, and it stripped his start page.. Working now, but just wanted to add that as a side note.
Thanks for any help you all can offer on fully removing this Demon!

pieter arntz
join:2002-02-26
Netherlands

pieter arntz

Member

Hi sickofspies,

What version of HijackThis are you using?
The funny name for the toolbar is consistent with lop.com, so you're on the right track.

Pete3t3
@cpe.net.cable.rogers

Pete3t3 to Sickofspies

Anon

to Sickofspies
Just giving up on getting rid of the toolbar entry for now on this PC. Got everything else ( I think

Mine shows as eoublqucrpr

Had the same results after running spybot. Also removed a program C:\windows\tvmd.exe and c:\windows\application data\dasfdaskk.dll (don't recall the name of this last one, but it was an odd looking DLL). Had to boot from DOS disk to get these.

»www.doxdesk.com/parasite ··· lop.html

Got my info from the above link.

TonyKlein
Premium Member
join:2001-07-02
Netherlands

TonyKlein to Sickofspies

Premium Member

to Sickofspies
said by Sickofspies:
Wondering if anyone who was hit with this wonderful C2.lop spy has noticed if the toolbar name is : HPIECCHGOUV or if this is just a fluke.
It's a fluke.

LOP uses random file names, identifiers, and what have you.

That's why Ad-Aware, SpyBot and others find it hard to get rid of in its entirety.

However, it's a cinch to get rid of manually.

Go to http://www.tomcoyote.org/hjt/ , and download Hijack This.

Unzip, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

Most of what it lists will be harmless, so do NOT fix anything yet.
Someone here will be happy to help you interpret the results.

If this is about the LOP toolbar itself, it will show up as one of the "O3" items, and you can safely have Hijack This fix that particular one.

Cheers,
[text was edited by author 2003-05-06 03:23:09]
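
An added example, not part of the original thread: a small parser that pulls the "O2"/"O3" entries out of a HijackThis log so the toolbar items mentioned above can be reviewed on their own. The allowlist, the "random-looking name" heuristic and the last sample line (placeholder CLSID and path) are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Matches O2 (BHO) and O3 (toolbar) lines: "O3 - Toolbar: NAME - {CLSID} - PATH"
ITEM_RE = re.compile(
    r"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.+)$"
)

class Item(NamedTuple):
    section: str
    name: str
    clsid: str
    path: str

def parse_items(log_text):
    """Return every O2/O3 entry in a HijackThis log; other lines are skipped."""
    items = []
    for line in log_text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            name = m["name"].replace("&", "")  # drop the menu accelerator marker
            items.append(Item(m["section"], name, m["clsid"].upper(), m["path"]))
    return items

def toolbars_to_review(log_text, known_good_clsids):
    """O3 toolbars whose CLSID is not on the reviewer's allowlist."""
    known = {c.upper() for c in known_good_clsids}
    flagged = []
    for item in parse_items(log_text):
        if item.section == "O3" and item.clsid not in known:
            # Assumed heuristic: one unbroken run of 8+ letters, like the names in the thread
            flagged.append((item, item.name.isalpha() and len(item.name) >= 8))
    return flagged

# The two toolbar CLSIDs from the log posted in the thread
KNOWN_GOOD = ["{8E718888-423F-11D2-876E-00A0C9082467}", "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"]

# Constructed sample: lines in the thread's log format; the last line is invented
# (toolbar name reported in the thread, placeholder CLSID and path).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O3 - Toolbar: HPIECCHGOUV - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\placeholder.dll
"""

if __name__ == "__main__":
    for item, random_looking in toolbars_to_review(SAMPLE_LOG, KNOWN_GOOD):
        print(item.clsid, item.name, item.path, "random-looking" if random_looking else "")
```

A flagged entry is only a prompt for manual review of the CLSID and the file it points to, not a verdict.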

FQTran
@attbi.com

FQTran

Anon

Logfile of HijackThis v1.94.0
Scan saved at 8:16:36 PM, on 5/9/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37747.849375
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TonyKlein
Premium Member
join:2001-07-02
Netherlands

TonyKlein

Premium Member

Nice log, no sign of LOP at all.

As a matter of fact, it's squeaky clean!
Are you having a particular problem, or is this just to make sure you're OK?

Cheers,

FQTran
@attbi.com

FQTran

Anon

No TonyKlein, I am still having a problem (SpyBot hangs for a long time when it reaches C2.lop). I clicked post a reply too soon and didn't realize that I did say anything about my scan.

Regards,

TonyKlein
Premium Member
join:2001-07-02
Netherlands

TonyKlein

Premium Member

said by FQTran:
No TonyKlein, I am still having a problem (SpyBot hangs for a long time when it reaches C2.lop)
I hear what you're saying, but you're not in fact infected with LOP yourself, which is also why your Hijack This log doesn't show any sign of it (which it would if you were infected).

Apparently SpyBot still hangs on your system during C2.Lop cookie detection, and it's unclear what's causing it.

Until a solution is found the above workaround still is a viable option, that is if it works for you.
It will not impair SpyBot's ability to scan for real spyware at all.

Zupe
MVM
join:2001-11-29
New York, NY

Zupe to FQTran

MVM

to FQTran
There was a Beta Spybot update on May 7th that addressed this problem - see »www.net-integration.net/ ··· 5;hl=new for details. I assume the non-beta version will be released in the near future if you don't want to use the beta.

FQTran
@attbi.com

FQTran to TonyKlein

Anon

to TonyKlein
Thank you TonyKlein, checked the C2.lop does work.

FQnTra
@attbi.com

FQnTra to Zupe

Anon

to Zupe
Thank you Pondering...
Unfortunately, those links no longer exist to download the beta version. I will wait until the final release then.

Regards,