lmilone join:2001-07-21 Northfield, NJ |
lmilone
Member
2003-Mar-11 11:31 pm
C2.lop -- Spybots working overtime!!
Can anyone tell me if C2.lop found in the registry by Spybot is another error like DSO exploit? In any case should I let Spybot remove it or should it be corrected by going into the registry? If the registry is the way to go does anyone know if there's a fix like the one for DSO exploit that's been found? Thanks |
|
marti Color outside the lines MVM join:2001-12-14 Houston, TX
|
marti
MVM
2003-Mar-11 11:32 pm
I heard it was a false positive. Will look for the link to the thread on Spybot forum. Edit: found the link: » www.net-integration.net/ ··· 8;t=1944 [text was edited by author 2003-03-11 23:34:23] |
|
|
to lmilone
In some cases.....A default handler for Microsoft remote Data Services is being tagged as C2Lop. If your scan came up with [HKEY_CLASSES_ROOT\CLSID\{A1A6B99D-497F-11D1-9217-00C04FBBBFB3} ..it's a legit key...relating to the C:\Program Files\Common Files\system\msadc folder.....specifically the MSDFMAP.DLL. If you've truly been "lopped"...there'll be more than just a reg key. |
|
lmilone join:2001-07-21 Northfield, NJ
|
lmilone
Member
2003-Mar-12 10:17 am
The Spybot scan came up with just one reg entry but it differs from yours. The symbols following CLSID are: (A1A_6B99D_497F_11D1_9217_00C04FBBBFB3). I have no idea what that means or how to find out. I would like to know how you determine what it is even though I would probably have to come back here to ask if it was good or bad.
EDIT: Just went back again to the Spybot forum thread mentioned by Marti (above) and found this by DISCOGAIL.
Posts: 25 Joined: June 2002 Posted: Mar. 09 2003,18:44
-------------------------------------------------------------------------------- My scan produced.... C2.lop: Class ID( (Handler Class)) (Registry key) HKEY_CLASSES_ROOT\CLSID\{A1A6B99D-497F-11D1-9217-00C04FBBBFB3}
found the key......led me to C:\Program Files\Common Files\system\msadc folder..... msdfmap.dll "The MSDFMAP handler is the default handler for RDS that ships with the Microsoft Data Access Components and is installed with the MDAC component package. It uses the MSDFMAP.ini file as its default .ini file to validate information passed to the business services tier by the client application."
It's not just a beta issue....this occurs w/ the non-beta update.
Sorry I didn't check that before I posted but thought that instead of deleting the post I should put in the answer in case anyone else has the same question. [text was edited by author 2003-03-12 10:38:37]
[text was edited by author 2003-03-12 10:41:49] |
|
|
confoosed
Anon
2003-Apr-19 2:50 am
C2.lop Stops Spybot????!!??
When I'm scanning the scan stops at "C2.lop" and won't go past it. What is this and what should I do? |
|
TonyKlein Premium Member join:2001-07-02 Netherlands |
It's a known bug that occurs on some systems, and it's being looked at.
As a workaround, in SpyBot, go to Excludes > Products > Cookies, and put a check mark in the C2.Lop box. That way SpyBot will be able to complete the scan.
Cheers, |
|
|
techman23
Anon
2003-Apr-21 11:52 pm
If you wait long enough the scan will get past C2.lop and complete. |
|
|
I'm sorry. I care to disagree. I have seen people state they had waited for three hours. Unchecking the C2.lop cookies will restore Spybot S&D's normal functionality. |
|
|
to lmilone
Re: C2.lop -- Spybots working overtime!!
Wondering if anyone who was hit with this wonderful C2.lop spy has noticed if the toolbar name is : HPIECCHGOUV or if this is just a fluke. I'm working on cleaning it off of someone's PC, and I ran Search & Destroy and it seems to be working for now. But he still has this toolbar as an option in the system. Although not checked. I also noticed, before running spybot, that although it didn't change his start page, it ran some sort of script before his page loaded.. Once I ran s&D this stopped, and it stripped his start page.. Working now, but just wanted to add that as a side note. Thanks for any help you all can offer on fully removing this Demon! |
|
|
Hi sickofspies,
What version of HijackThis are you using? The funny name for the toolbar is consistent with lop.com, so you're on the right track. |
|
|
to Sickofspies
Just giving up on getting rid of the toolbar entry for now on this PC. Got everything else (I think). Mine shows as eoublqucrpr. Had the same results after running spybot. Also removed a program C:\windows\tvmd.exe and c:\windows\application data\dasfdaskk.dll (don't recall the name of this last one, but it was an odd looking DLL). Had to boot from DOS disk to get these. » www.doxdesk.com/parasite ··· lop.html
Got my info from the above link. |
|
TonyKlein Premium Member join:2001-07-02 Netherlands
|
to Sickofspies
said by Sickofspies: Wondering if anyone who was hit with this wonderful C2.lop spy has noticed if the toolbar name is : HPIECCHGOUV or if this is just a fluke.
It's a fluke. LOP uses random file names, identifiers, and what have you. That's why Ad-Aware, SpyBot and others find it hard to get rid of in its entirety.
However, it's a cinch to get rid of manually. Go to http://www.tomcoyote.org/hjt/ , and download Hijack This. Unzip, doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log somewhere, and please show us its contents.
Most of what it lists will be harmless, so do NOT fix anything yet. Someone here will be happy to help you interpret the results.
If this is about the LOP toolbar itself, it will show up as one of the "O3" items, and you can safely have Hijack This fix that particular one.
Cheers, [text was edited by author 2003-05-06 03:23:09] |
|
|
|
FQTran
Anon
2003-May-9 9:18 pm
Logfile of HijackThis v1.94.0
Scan saved at 8:16:36 PM, on 5/9/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37747.849375
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab |
|
TonyKlein Premium Member join:2001-07-02 Netherlands |
Nice log, no sign of LOP at all. As a matter of fact, it's squeaky clean! Are you having a particular problem, or is this just to make sure you're OK? Cheers, |
|
|
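Added example (not part of any post in this thread, and not HijackThis or Spybot code): because LOP toolbar names are random, name-based matching cannot find them, so this sketch lists every "O3" toolbar entry whose CLSID is not on a reviewer-supplied allowlist. The allowlist holds the two O3 CLSIDs from the log posted above; the HPIECCHGOUV line's CLSID and path are constructed placeholders, and the function names are hypothetical.

```python
import re

# HijackThis prefixes each entry with a section code (R0, O2, O3, O16, ...).
# Splitting on that prefix also recovers logs pasted as one long line.
ENTRY_START = re.compile(r"\s+(?=[RFNO]\d{1,2} - )")
TOOLBAR = re.compile(
    r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)

# Allowlist (assumption): the two O3 CLSIDs from the log posted in this thread.
KNOWN_GOOD = {
    "{8E718888-423F-11D2-876E-00A0C9082467}",  # &Radio (msdxm.ocx)
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}",  # Norton AntiVirus
}

# Constructed sample: lines from the posted log plus one made-up toolbar entry
# (placeholder CLSID and path) using the random-looking name quoted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.94.0
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HPIECCHGOUV - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\Application Data\placeholder.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
"""


def split_entries(text):
    """Return one string per log entry, even if the paste lost its newlines."""
    return [e.strip() for e in ENTRY_START.sub("\n", text).splitlines() if e.strip()]


def toolbars(text):
    """Parse every O3 (IE toolbar) entry into name, CLSID and file path."""
    found = []
    for entry in split_entries(text):
        m = TOOLBAR.match(entry)
        if m:
            found.append({"name": m["name"], "clsid": m["clsid"].upper(), "path": m["path"]})
    return found


def unreviewed_toolbars(text, known_good=KNOWN_GOOD):
    """O3 entries whose CLSID is not on the allowlist: the ones to check by hand."""
    return [t for t in toolbars(text) if t["clsid"] not in known_good]


if __name__ == "__main__":
    for t in unreviewed_toolbars(SAMPLE_LOG):
        print(f"review: {t['name']}  {t['clsid']}  {t['path']}")
```

An entry that is not on the allowlist is only a candidate for manual review, not a verdict; the file path it points to is the next thing to inspect.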
FQTran
Anon
2003-May-10 11:48 am
No TonyKlein, I am still having a problem (SpyBot hangs for a long time when it reaches C2.lop). I clicked post a reply too soon and didn't realize that I did say anything about my scan.
Regards, |
|
TonyKlein Premium Member join:2001-07-02 Netherlands |
said by FQTran: No TonyKlein, I am still having a problem (SpyBot hangs for a long time when it reaches C2.lop)
I hear what you're saying, but you're not in fact infected with LOP yourself, which is also why your Hijack This log doesn't show any sign of it (which it would if you were infected). Apparently SpyBot still hangs on your system during C2.Lop cookie detection, and it's unclear what's causing it. Until a solution is found the above workaround still is a viable option, that is if it works for you. It will not impair SpyBot's ability to scan for real spyware at all. |
|
Zupe MVM join:2001-11-29 New York, NY |
to FQTran
There was a Beta Spybot update on May 7th that addressed this problem - see » www.net-integration.net/ ··· 5;hl=new for details. I assume the non-beta version will be released in the near future if you don't want to use the beta. |
|
|
to TonyKlein
Thank you TonyKlein, checking the C2.lop does work. |
|
|
FQnTra to Zupe
Anon
2003-May-11 8:40 pm
to Zupe
Thank you Pondering... Unfortunately, those links no longer exist to download the beta version. I will wait until the final release then.
Regards, |
|