What is Open Search Web or Lop.com?
Open Search Web is a search
portal created by the makers of Lop.com. It sets your homepage to one
that looks similar to the image below, adds tons of items to your
favorites folder and takes over your computer. This hijack is a few
years old, but still very popular.
How Do I Know If Open Search Web or Lop.com is on my Computer?
If you have been infected with Lop.com, your homepage will change to one similar to this:
There are more than 70 known portal sites for Lop.com including but not limited to the following domains:
- aavc.com
- acjp.com
- active-max.com
- allaboutsearching.com
- amazingautosearch.com
- contexualsearch.com
- ebvr.com
- ecmh.com
- ecpm.com
- find-quick.com
- ibmx.com
- icwb.com
- icwo.com
- icwp.com
- iddh.com
- idhh.com
| - ifiz.com
- iguu.com
- look-today.com
- lop.com
- mysearchnow.com
- netsearchsoft.com
- ohyea.org
- omegasearch.com
- prosearching.com
- saoe.com
- sbnl.com
- sbnt.com
- sbvr.com
- sckr.com
- scrk.com
- search200.com
| - searchexe.com
- searchweb2.com
- searchwebnow.com
- sfux.com
- tdak.com
- tdko.com
- tdmy.com
- tefs.com
- tfil.com
- tjar.com
- tjaw.com
- tjem.com
- tjgo.com
- wabq.com
- wabu.com
- wfix.com
- wflu.com
|
If you use
HijackThis
create a logfile, you'll notice the following types of entries
(although not exactly the same). Most will have a 04 entry pointing to
an Application Data directory with a file there and possibly a Browser
Hijack Object or BHO file with the corresponding 02 entry.
O2 - BHO: (no name) - {ECB8B044-33B5-CDA2-ACD2-9C071C83ADE6} - C:/DOCUME~1/RIKKEF~1/APPLIC~1/ADMINB~1/Aim idle.exe
O4 - HKLM\..\Run: [DupeIsoLessMp3] E:\Documents and Settings\All Users\Application Data\foroptiondupeiso\Site save.exe
O4 - HKLM\..\Run: [rdrownswindowboob] C:\WINDOWS\Application Data\Site About Rdr Owns\01 aim.exe
O4 - HKLM\..\Run: [Gpl Aim] C:\PROGRA~1\ARMYDE~1\16 sect.exe
O4 - HKLM\..\Run: [Mail Bias Vc Delete] C:\WINDOWS\All Users\Application Data\Memo Four Mail Bias\2 tick.exe
C:\Documents and Settings\All Users\Application Data\settings each blah about\Ballsect.exe
O4 - HKLM\..\Run: [ bytecitybookjugs ] C:\Documents and Settings\All Users\Application Data\scr support byte city\32 The.exe
O4 - HKLM\..\Run: [Corngrim01itch] C:\Documents and Settings\All Users\Application Data\Audio Phone Corn Grim\32 Time.exe
O4 - HKCU\..\Run: [ARMY BASH] C:\DOCUME~1\Owner\APPLIC~1\PLATFO~1\Junk 32 glue.exe
O4 - HKLM\..\Run: [Axis Camp] C:\PROGRA~1\OnlineExtraView\4ShowTick.exe
O4 - HKLM\..\Run: [FaceMediaToolCdrom] C:\Documents and Settings\All Users\Application Data\global joy face media\64clock.exe
O4 - HKCU\..\Run: [Tora] C:\Documents and Settings\K.Joseph\Application Data\aamo.exe
O4
- HKLM\..\Run: [That Program Ooze Bib] C:\Documents and Settings\All
Users\Application Data\downloadkeepthatprogram\Acid Blue.exe
O4 - HKLM\..\Run: [Scr Four Noun Heart] C:\Documents and Settings\All Users\Application Data\WaitHopeScrFour\acid store.exe
O4 - HKCU\..\Run: [idolmixantemanager] C:\Documents and Settings\All Users\Application Data\shim online idol mix\active bone.exe
O4 - HKLM\..\Run: [rulegreat] C:\PROGRA~1\HtmTick\File active mp3.exe
O4 - HKLM\..\Run: [sendtonsstylebits] C:\WINDOWS\Application Data\Bait Funk Send Tons\aim mapi.exe
O4 - HKLM\..\Run: [LOVEEACHDRIVETIME] C:\Documents and Settings\All Users\Application Data\atom mpeg love each\Aim readme.exe
O4 - HKCU\..\Run: [Interwin] C:\DOCUME~1\CBrown\APPLIC~1\CREATI~1\Amen gram.exe
O4 - HKLM\..\Run: [Metameetmessabout] C:\Documents and Settings\All Users\Application Data\pure dumb meta meet\amen mapi.exe
Most HijackThis logs will also have the offending domain placed in the R entries like so:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://thko.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://thko.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=thko.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://thko.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://thko.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://thko.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://thko.com/searchbar.html
Other possible HijackThis entries may be listed similar to the following
O17 - HKLMSystemCCSServicesTcpipParameters: Domain = allaboutsearching.com
O17 - HKLMSoftware..Telephony: DomainName = allaboutsearching.com
O17 - HKLMSystemCCSServicesTcpip..{D196AB38-4D1F-45C1-9108-46D367F19F7E}: Domain = allaboutsearching.com
How Do I Remove Open Search Web (Lop.com)?
Although
Open Search Web and its variants can be removed manually, the
variations of file names, locations, etc. make it hard to create a
straight forward manual approach to remove it.
Lop.com used to
host an uninstaller to remove the infection, however since this is an
older hijacker, Lop.com is no longer in business and the domain does
not exist anymore. If you find yourself infected with a similar
homepage hijacker I would recommend downloading
MalwareBytes Anti-Malware or
Combofix. They should definitely be able to clear the infection for you.