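Many friends' browsers have been badly affected by Lop.com, and neither registry edits nor deleting files gets rid of it. I happened to find this article on a German website; it gives a basic understanding of why Lop.com exists and why it has spread so widely. The article also says that both Ad-aware and Spybot can remove Lop.com. As for download locations:
Ad-aware can be downloaded here: http://www.onlinedown.net/adaware.htm
Spybot can be downloaded here: http://security.kolla.de/index.php?lang=en&page=download
Direct download links
Ad-aware: http://xz.onlinedown.net/down/aawplus6.zip
Spybot: http://studserver.uni-dortmund.de/~su1669/spybotsd12.exe
The full text follows: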
---------------------------------------------------------------------------------
Lop.com
Last updated Sep. 25, 2002
Lop.com has become one of the most hated names on the internet. All over cyberspace, from message boards to newsgroups to IRC chat rooms I've seen people begging for help in getting rid of this annoying software.
What is lop.com? Lop.com is a web site owned by C2 Media. It is mainly a pay-per-click search portal where other web sites pay for each click-through to their site via lop. This isn't a terrible idea, but rather than create a quality web site to get surfers to their site and clicking those links, they instead created a program which is labeled variously as an mp3 search program, a porn search program, or some other such thing. The installer turns the user's web browser into a device with a seemingly endless supply of links to lop.com.
An early version (installer name download_plugin.exe) installs two files in the user's wallpaper folder, one an html file and the other a shockwave file. The html file contains code to load the shockwave file. The installer sets the html file as the user's wallpaper so that the flash search engine program is sitting on the desktop at every boot. The flash file does little more than open and close a series of collapsible menus containing more lop internet shortcuts and a search function which queries - take a guess - lop.com.
A later version (installer name mp3serch.exe) omits this desktop feature as its bugginess reportedly led to its being discontinued. Both versions install a stripped down browser which uses the Internet Explorer web browser engine. This browser automatically launches the following URL:
http://www.mp3search.com.
Not content to leave the user with this browser, the lop installer also makes dramatic changes to Internet Explorer, Mozilla Navigator, and most likely Netscape Navigator. The default search engine pages, toolbar settings, and start page are changed. The lop installer adds scores of internet shortcuts in Internet Explorer's Favorites folder and in Mozilla's Bookmarks.htm file. The download_plugin.exe version does not alter Mozilla Navigator.
These lop installers create a BHO which produces an accessories toolbar in Internet Explorer full of - you guessed it - even more lop.com internet shortcuts. This BHO also takes control of the browser to make it redirect to lop.com if there is some error loading a page. This BHO is named plg_ie0.dll. As with all BHOs, it can be disabled with BHODemon, although I've had two users report that after disabling it, another BHO was automatically generated with the name plg_ie1.dll.
In addition to altering the security nightmare that Internet Explorer has become, the installer also makes changes to Mozilla and presumably Netscape. During testing, I found that Mozilla's prefs.js file (the file that contains user settings) was changed to prefs.bk! and replaced with another with the following setting added.
user_pref("browser.startup.homepage", "www.lop.com");
It also changes bookmarks.html to bookmarks.bk!. The replacement file included all of lop's bookmarks. Bookmarks.html is where Mozilla and Netscape store the user's saved bookmarks. Deleting the altered bookmarks.html and prefs.js, then renaming the two .bk! files to bookmarks.html and prefs.js respectively restores Mozilla's settings. Again, the download_plugin.exe version does not alter Mozilla / Netscape Navigator.
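The check and restore steps described above can be scripted. The following is an added example, not code from the original article: the function names and the sample profile are constructed for illustration, and unlike the article's procedure it renames the altered files aside (suffix `.lop-altered`, an assumption) instead of deleting them.

```python
import re
import tempfile
from pathlib import Path

# Pairs named in the article: (file Mozilla reads, backup left by the installer)
PAIRS = [("prefs.js", "prefs.bk!"), ("bookmarks.html", "bookmarks.bk!")]
HOMEPAGE_RE = re.compile(
    r'user_pref\("browser\.startup\.homepage",\s*"([^"]*)"\);')

def inspect_profile(profile: Path) -> dict:
    """Report the homepage pref and which .bk! backups are present."""
    prefs = profile / "prefs.js"
    text = prefs.read_text(errors="replace") if prefs.exists() else ""
    m = HOMEPAGE_RE.search(text)
    homepage = m.group(1) if m else None
    backups = [bk for _, bk in PAIRS if (profile / bk).exists()]
    hijacked = bool(homepage and "lop.com" in homepage.lower()
                    and "prefs.bk!" in backups)
    return {"homepage": homepage, "backups": backups, "hijacked": hijacked}

def restore_profile(profile: Path) -> list:
    """Undo the swap: set the altered file aside, rename the .bk! file back."""
    restored = []
    for live, backup in PAIRS:
        bk = profile / backup
        if not bk.exists():
            continue  # nothing to restore for this file
        cur = profile / live
        if cur.exists():
            # Keep the altered copy for later inspection instead of deleting it.
            cur.replace(profile / (live + ".lop-altered"))
        bk.replace(cur)
        restored.append(live)
    return restored

def make_sample_profile() -> Path:
    """Constructed sample profile in the state the article describes."""
    d = Path(tempfile.mkdtemp())
    (d / "prefs.bk!").write_text(
        'user_pref("browser.startup.homepage", "about:blank");\n')
    (d / "prefs.js").write_text(
        'user_pref("browser.startup.homepage", "www.lop.com");\n')
    (d / "bookmarks.bk!").write_text("<DL><DT>my bookmark</DL>\n")
    (d / "bookmarks.html").write_text("<DL><DT>lop link</DL>\n")
    return d

if __name__ == "__main__":
    p = make_sample_profile()
    print(inspect_profile(p))   # before restore
    print(restore_profile(p))
    print(inspect_profile(p))   # after restore
```

Run it against a real profile directory only with the browser closed, since Mozilla rewrites prefs.js on exit.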
The lop installers finish up by creating a registry entry to load a file named mp3serch.exe (or lopsearch.exe if you have the download_plugin.exe installer) at every boot. This entry will make Windows load the lop executable file on each machine restart.
The effect of all of this is to turn the user's web browser into a device to present them with a seemingly endless supply of lop chosen links to click. The user becomes a visitor to lop.com with nearly every action that they take with their browser, whether it be searching for something, typing in an incorrect URL, or simply by opening a new browser window.
Newer variants of C2Media's software omit the browser and BHO altogether, and instead install dozens of internet shortcuts and set the home page to http://unitedstates.rub.to. The installer for this variant may be named mp3.exe or freemp3z.exe. These files may appear on your computer as a result of an ActiveX script which automatically begins to download them when you load pages at certain mp3 and/or pornographic web sites. The files are digitally signed by C2Media, the company which owns the lop.com web site and software.
Another software product that does roughly the same thing as lop.com's software and leads to a web site that is virtually identical to lop.com is the Xupiter toolbar from xupiter.com. Although there is no other evidence that they are related, considering that the software and web sites are nearly twins of each other, many people speculate that xupiter is also made by C2Media.
Unfortunately for lop.com, their tactics have gained them the attention of Lavasoft, maker of Ad-aware. Starting with version 5.7, Ad-aware started targeting lop.com along with a number of browser hijackers. Spybot S&D also targets and removes lop.com software. Ad-aware and Spybot both updated recently to target xupiter.com's software as well. Although we used to provide manual removal instructions for lop.com, we now recommend that you simply use Spybot to remove both lop.com and xupiter.