TechSpot

Trojan Lop.AS

By Plap
Jan 3, 2007
  1. Hi there,

    I'm here as a last resort to find some help hopefully.

    Basically I've had an odd new year :) First I cracked a tooth, then my motherboard failed on my big PC and now I'm forced to use a laptop until the new PC parts arrive... my problems then really began on New Year's Eve pretty much... I somehow managed to acquire the Trojan Lop.AS malware/virus and after reading many related posts and trying the most common options over the last 3 days have failed to remove it 100%.

    The damn thing still pops up now and again (almost at random now tho!?).

    I tried the NoLop (kramer1113 post here?) also but it actually couldn't find anything to do with Lop or Lop.AS and indeed it popped up again after the NoLop.exe completed its scan/run.

    I like to think I do know what I'm doing when it comes to most PC matters but I have to admit this little bugger has beat all my attempts to clean it 100% to date.

    I think I'm slowly going malware mad on this one :p

    Any hopefully newer ideas or solutions welcome but I will say I have tried pretty much everything going with the latest brain files available, even manual removal... tho there is not much to hunt in reality it would seem as it is well hidden 'somewhere' that so far has eluded me.

    BR,

    Plap.
     
  2. Rik

    Rik Banned Posts: 4,985

    You need to have a read of this - If your system is infected. Read this before deciding whether to CLEAN or REFORMAT.

    Then if you should wish to proceed with cleaning your system you need to go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as ATTACHMENTS into this thread, only after doing the above.


    This thread is for the use of Plap only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Plap

    Plap TS Rookie Topic Starter

    Hi,

    Thank you for your response.

    I have now completed that cycle of events and have posted the logs below.

    Of note, after trying all this I still had the Trojan Lop.AS pop up via AVG as a threat twice about every 15 mins and sometimes I have noticed my wireless connection dropping from the laptop end as if there is a dialer going on also?

    Also of note, after cleaning this system with an entire arsenal of anti everything warez I still get occasional detections of DoubleClick and AtlasDMT cookies which is starting to make me think this entire problem is related somehow?... there must be something still sitting on this machine which is triggering the cookies to be written over and over but yet none of the software I have used to date (nearly all of it!) has been able to locate the seed/root program that is causing this repeated problem.

    Apart from the DoubleClick/AtDMT/and repeated Lop.AS my system is cleaner than a penguin's chuff! so I'm still stuck with Lop.AS for now.

    The fact that AVG detects it but does not 'really' clean it has me wondering how effective AVG AntiVirus & AntiSpy actually is too as I believe Lop variants are getting on a bit now by current virus/malware standards.
     

  4. Rik

    Rik Banned Posts: 4,985

    One of the instructions you were given was to rename HiJackThis, you have not done so and it is very important that you do as some malware can hide from it.

    Taken from your log - C:\Program Files\Hijackthis\HijackThis.exe

    Once you have done it, we will need a fresh HJT log.

     
  5. Plap

    Plap TS Rookie Topic Starter

    My apologies I did miss that point on second inspection.

    Please find new log attached after I changed the name.

    I will say so far that since rebooting I have not once seen the Lop.AS warning (and it has been more than the usual 15mins so far!)

    Perhaps this is because I have turned on WinXP firewall even tho I am behind a wireless router (Draytek) firewall so I guess I am now double firewalled against incoming malware data - I've not seen Lop.AS since ?.

    BR,

    Plap.
     
  6. Rik

    Rik Banned Posts: 4,985

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there).

    O11 - Options group: [INTERNATIONAL] International*

    Click on the fix checked button.

    Close HJT.

    Other than that your log is clean. Keep an eye on your system and see how it goes. If you have any problems post a fresh HJT log in this thread.

     
  7. Plap

    Plap TS Rookie Topic Starter

    Hi there,

    After having no problems for around an hour I turned the machine off for approx 2 hours... when I switched back on within 15 mins of normal use the Trojan Lop.AS appeared again via AVG.

    I also noticed that on running a scan that AVG Anti-Spy reported 5 cookie entries again :/

    I did the recommended international fix with HJT and the log for this and the AVG scan are attached.

    Apart from that I have not done anything else.

    As I was typing this post the Lop.AS appeared again (I really hate this thing now!)

    BR,

    Plap.
     
  8. Rik

    Rik Banned Posts: 4,985

    I can see no evidence of it in your log so I will ask Howard to help when he is online.

     
  9. Plap

    Plap TS Rookie Topic Starter

    Many thanks... I've been reading up on Lop.AH and how it is/was removed so I gather this may be 'similar' to this newer Lop.AS variant but I have found nothing yet on my system that looks like it shouldn't be there.

    I'll await response then from Howard when he is available.

    I hope we can fix this for me and mainly anybody else that may have the same problem with this rather evil Trojan Lop. variant.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Your HJT log is clean. However, it appears you're not running any firewall software. I suggest you go HERE and install one of the free Firewall programmes.

    As for your lop problem, please do the following.

    Please Download NoLop to your desktop from one of the links below...
    http://www.spywareedge.net/nolop/NoLop.exe
    http://www.thespykiller.co.uk/forum/...pmod;dl=item16

    First close any other programs you have running as this will require a reboot
    Double click NoLop.exe to run it
    Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
    When scanning is finished you will be prompted to reboot only if infected, Click OK
    Now click the "REBOOT" Button.
    A Message should popup from NoLop.
    If not, double click the program again and it will finish. Please post the contents of C:\NoLop.log along with a fresh HJT log.

    --If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.-- http://www.boletrice.com/downloads/mscomctl.ocx

    Regards Howard :wave: :wave:

     
  11. Plap

    Plap TS Rookie Topic Starter

    Thank you Rik and Hi there Howard :)

    I am/was behind the router firewall and had enabled WinXP firewall also but I did as you said and have installed ZoneAlarm instead of WinXP firewall.

    I then ran NoLop (as I did before) but it reports no problems (log attached)

    I also ran HJT (log attached)

    Since then I have isolated the cookie/file for lo1[1] and it's 271Kb in size. I have had to rename it lo1[1].txt to disable further access to it by the Lop malware itself. I would attach it here so you could take a look inside perhaps with a hex editor or whatever but the file limit for attachments is set to 100K.

    I still have the Lop.AS pop up about once every 15 mins tho it did pop up about 10 times in the last 30mins!

    This is one crazy problem.

    Update 20:25pm... Since installing ZoneAlarm (very nice) I don't get the DoubleClick, AtDMT, Mediaplex cookies anymore but now the only prob is of course just the Lop.AS popping up from time to time. I'll be back Thursday as I've been on this all day pretty much and the old eyeballs are starting to hurt! :p

    BR,

    Plap.
     
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    I can't find any specific removal tools or instructions for lop.AS. However, the Grisoft site does have a removal tool for lop.AH. Whether this will help with your infection is debatable, but it's probably worth a try.

    Download the following three files ( rmparite.exe, rmparite.nt, rmparite.dos) and run the rmparite.exe file.

    You can also specify the disks (or partitions) to heal as command parameters, e.g. "rmparite C: D:". If the command is used without parameters, it heals all disks (partitions) on the computer.

    Note:
    Successful running of the remover requires administrator rights. For proper functionality of the remover it is necessary to save the rmparite.nt and rmparite.dos into the same folder as rmparite.exe. After the healing process please run the AVG Complete Test to make sure your computer is virus-free.

    Let me know the results please.

    Regards Howard :)
     
  13. Plap

    Plap TS Rookie Topic Starter

    Hi Howard,

    I did as you said and ran the .exe provided as specified having already tried the Lop.AH remover without success some days ago in an attempt to remove the Lop.AS variant.

    The rmparite scan found one file that could not be cleaned or deleted but did remove it on reboot as the program requested.

    I then rebooted again and within 10 mins the Lop.AS file was reported as still there i.e. lo1[1] sadly.

    The good news however is that since running ZoneAlarm yesterday I have not since seen any dodgy cookies like DoubleClick, AtDMT, Mediaplex etc. so that's something at least :)

    I did full Ad-Aware and AVG Anti-Spy scans and they both report nothing found, which is great, tho as I was typing this mail I just had Lop.AS reported via AVG once again - tho now I just hit ignore to clear it as that's all I can do for now I guess.

    Perhaps the only thing left to do in my case is wait for Grisoft etc. to issue a 100% cleaner for Lop.AS as they did with Lop.AH et al.

    As a matter of formality I have attached my latest HJT log also.

    Thank you Howard and Rik for all your help so far, I've not given up just yet but do feel we have reached near the end of the road with this one until one of the big anti virus providers produces a specific fix... meanwhile I will just have to make do with hitting the ignore button every time Lop.AS (just did again the damn thing!) pops up.

    I'd really like to beat the living s*#t out of whoever wrote this little bugger for wasting nigh on 5 days of my (and your) free time.

    BR,

    Plap.
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your HJT log is clean.

    I'm not quite done in trying to get rid of this bugger. Try this.

    Download Findlop by Metallica. Unzip it to your desktop. Double click findlop.bat. It will open a notepad file. Copy the content of that file and paste it here in your reply.

    Go to add remove programmes in your control panel and uninstall anything to do with the following (if there).

    Window Search
    Window Searching
    Lop.com
    LOP SEARCH
    Browser Enhancer
    Ultimate Browser Enhancer
    Messenger Plus

    Let me know if any of the above helps.

    Regards Howard :)
     
  15. Plap

    Plap TS Rookie Topic Starter

    Hi Howard,

    I did all of that... of note FindLop.bat when run, spools output to Notepad as "[TRACE] Enumerating jobs and queues" and that's it! nothing else after about 10mins so I gave up.

    Here I have attached the two files that I have traced that caused the actual Lop.AS infection in the first place! They have been renamed from .exe to .txt of course to prevent running/damage and also uploaded here for further examination.

    I have had a look inside the files and although there is some dodgy ASCII text inside one and links to various system .dlls in both I couldn't locate any more information myself personally.

    WARNING: The first one contains 'Dropper.Agent.azn'

    You can blame my wife for this not me!!!

    BR,

    Plap.
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Oh dear, that's not good. If only people would realise that trying to run cracks etc is a known cause of infections. It's much safer to just go and buy the legit software.

    Like I said previously, I can't find any good info for removing lop.AS. The only way to solve this at the moment, is to either wait for a fix to be released, or backup your important data and reformat.

    I'm sorry I wasn't able to find a fix for you.

    Regards Howard :(
     
  17. Plap

    Plap TS Rookie Topic Starter

    Of course and thank you for all your help to date.

    For now this system (the wife's laptop) will remain with the Lop.AS infection until a suitable cleaner is located.

    I think a severe spanking is in order after finding this much out after 5 long days !!! - ooer :p

    BR,

    Plap.
     
  18. cryder

    cryder TS Rookie

    I sure would like to offer some help on this issue, but a pity that I can only vaguely remember what I have done when I found myself infected with Lop 2 months ago.

    Before I successfully removed it, I tried the methods below.
    1. Pure DOS virus scan using McAfee & Norton with NTFSDOS loaded up, nothing of relevance found.
    2. Using a customised BartPE CD to boot up to bypass any rootkit. Ran McAfee & AntiVir scans. Manually loaded the Windows user profile with a 3rd party registry editor, RegeditPE, to check for suspicious startup programs. Ran Ad-aware. Ran HijackThis with the user profile loaded. Again unable to find anything of relevance.

    However there were 2 files that came back even if deleted. So I searched for those in the registry and folders but found nothing. Frustrated, I ignored it and lived with it for 1 week until something caught my eye when I looked into the task manager (replaced with Process Explorer by Sysinternals). An unknown program appeared and was gone in 1 second, also about the time the Lop struck, if I'm not forgetful/wrong or whatsoever. From here I can't really remember what I did, though I certainly did a trace to the program and removed it including the 2 undeletable files and voila, no more popups. I think the removal method I used had something similar to last year's issue of the Microsoft WGA problem (not the official MS method) but to remove the offending program. Also I can't remember whether there was an undeletable program in the task manager but can assume there wasn't because of the capability of the manager.

    Sorry if this doesn't help you but just to show it can be removed.

    Some of the software I used and not stated here are CCleaner, F-Secure BlackLight, Sophos Anti-Rootkit, Sysinternals RootkitRevealer, some other pure DOS-based anti-virus programs and some other programs in the customised BartPE CD.
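The trick cryder describes, spotting a process that appears and is gone again within about a second, is easier to do with a script than by eye in Process Explorer. The example below is added here and is not from the thread or from any of the tools it mentions: it polls `tasklist /FO CSV` and records every process that starts or exits between two polls. The sample polls, PIDs and memory figures are constructed; only the image name ltadfwgd.exe comes from the thread.

```python
import csv
import io
import subprocess
import time
from typing import Callable, Dict, List, Set, Tuple

Snapshot = Dict[int, str]  # PID -> image name, as printed by tasklist
Event = Tuple[int, str, int, str]  # (poll round, "started"/"exited", PID, name)


def parse_tasklist_csv(text: str) -> Snapshot:
    """Parse `tasklist /FO CSV` output (header row included); malformed rows are skipped."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if not header or header[0] != "Image Name":
        raise ValueError("not tasklist /FO CSV output")
    return {int(r[1]): r[0] for r in reader if len(r) >= 2 and r[1].isdigit()}


def diff_snapshots(before: Snapshot, after: Snapshot) -> Tuple[Set, Set]:
    """Return (started, exited) as sets of (pid, name), compared by PID."""
    started = {(pid, name) for pid, name in after.items() if pid not in before}
    exited = {(pid, name) for pid, name in before.items() if pid not in after}
    return started, exited


def live_snapshot() -> Snapshot:
    """Real snapshot; only works on Windows with tasklist.exe on PATH."""
    out = subprocess.run(["tasklist", "/FO", "CSV"], capture_output=True, text=True, check=True).stdout
    return parse_tasklist_csv(out)


def watch(take_snapshot: Callable[[], Snapshot], rounds: int,
          interval_s: float = 0.5) -> List[Event]:
    """Poll `rounds` times and record every process start and exit.
    A process living shorter than interval_s can fall between two polls; a
    process-creation trace (Sysinternals Process Monitor) catches those."""
    events: List[Event] = []
    prev = take_snapshot()
    for rnd in range(1, rounds + 1):
        time.sleep(interval_s)
        cur = take_snapshot()
        started, exited = diff_snapshots(prev, cur)
        events += [(rnd, "started", pid, name) for pid, name in sorted(started)]
        events += [(rnd, "exited", pid, name) for pid, name in sorted(exited)]
        prev = cur
    return events


# Constructed sample of three consecutive polls. The image name is the one
# reported in the thread; the PIDs and memory figures are made up.
_HEADER = '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
_BASE = _HEADER + '"System","4","Console","0","236 K"\n"explorer.exe","1204","Console","0","18,512 K"\n'
SAMPLE_POLLS = [
    _BASE,
    _BASE + '"ltadfwgd.exe","3344","Console","0","1,040 K"\n',  # appears...
    _BASE,                                                    # ...and is gone
]


def replay_sample() -> List[Event]:
    """Run watch() over the constructed polls without sleeping; on a real machine use watch(live_snapshot, rounds=120)."""
    polls = iter(SAMPLE_POLLS)
    return watch(lambda: parse_tasklist_csv(next(polls)), rounds=2, interval_s=0)
```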
     
  19. Plap

    Plap TS Rookie Topic Starter

    Hi there,

    Many thanks for your help all the same cryder... I have included a link back below to another related Lop.AS thread elsewhere, in order that people with the same problem there can read about all this too perhaps.

    http://forums.techguy.org/security/530812-trojan-horse-lop-keeps-appearing.html?posted=1#post4320373

    I have no doubt we will get rid of it in the end but I just can't believe it has taken up so much of my and others time to date - totally unreal and one of the worst I've personally come across to 100% clean!

    BR & Thanks,

    Plap.
     
  20. Plap

    Plap TS Rookie Topic Starter

    I got bored in the end with the constant Lop.AS pop up in AVG Anti-Virus so turned off the Resident Shield for now.

    Then...

    Within a few minutes both Zone Alarm and AVG Anti-Spy prompted me about the following files related to Trojan Lop.AS and now also just plain Trojan Lop!?

    Don't know where this was in the surprise of it all but I did delete it!
    ltadfwgd.exe

    Trojan.Agent.acl
    C:\Program Files\VSAdd-in\VSAdd-in.dll

    Trojan horse Lop (just Lop not Lop.AS)
    C:\WINDOWS\system32\jkkkj.dll

    So I deleted them all muhahahahaaaaa! :)

    I've turned the AVG Anti-Virus shield back on and had one more pop up of Lop.AS which I healed... then I turned it off again.

    At this point I await any more traps via Zone Alarm as this malware attempts net access perhaps? I've not seen anything more just yet - cool!

    Hope this helps anyway.
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    The VSAdd-in programme is a well known nasty.

    Please post a fresh HJT log.

    Regards Howard :)
     
  22. gfu fydfyd

    gfu fydfyd TS Rookie

    Guys, Gals, Whomevers.... Put simply for you... This is related to lop that is bundled as a sponsor program for Messenger Plus ;o).... Go d/l Messenger Plus (I got mine here http://www.msgpluslive.net/download/ ) AND select install of sponsors program..... then hit.... uninstall.... BINGO... did it for me.... I believe the lop.AS is trying to contact set up for usual lop crap, but is probably blocked by firewall etc. Don't forget to clean up after!!!

    Hope it helps
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Your info is correct and thanks for posting, except that the lop.AS infection is not only contracted through Messengerplus.

    I've been searching for a solution to this new variant of the lop infection and I can't find one. Several members here are infected with this bugger. I know that in the cases I've looked at, Messengerplus or whatever it's called isn't installed, so there must be another avenue of infection as well.

    Regards Howard :wave: :wave:
     
  24. gfu fydfyd

    gfu fydfyd TS Rookie

    Fake keygens etc? A usual source... several lamer crakz sites bundle the installer as a keygen... pops a cmd window and away you go... I believe because the install is incomplete, i.e. blocked in some way, that is why it won't uninstall. I think AVG busts it for intent to install, rather than the program IS installed.
     
  25. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    That's definitely the source of the infection in this thread.

    If you happen to come across a removal tool or technique that works for this particular variant, I'd be very grateful if you'd let me know.

    Regards Howard :)
     
Topic Status:
Not open for further replies.
