Last updated April 22, 2004


Be aware that the following article is badly out of date. For a more up-to-date article, please visit Doxdesk.

Also be aware that the company responsible for lop.com is C2Media LTD, located in the United Kingdom. There is another company in the United States and Canada doing business under the name of C2 Media which is entirely unrelated to C2Media LTD.

Lop.com has become one of the most hated names on the internet. All over cyberspace, from message boards to newsgroups to IRC chat rooms I've seen people begging for help in getting rid of this annoying software.

What is lop.com? Lop.com is a web site owned by C2 Media. It is mainly a pay-per-click search portal where other web sites pay for each click-through to their site via lop. This isn't a terrible idea, but rather than create a quality web site to get surfers to their site and clicking those links, they instead created a program which is labeled variously as an mp3 search program, a porn search program, or some other such thing. The installer turns the user's web browser into a device with a seemingly endless supply of links to lop.com.

An early version (installer name download_plugin.exe) installs two files in the user's wallpaper folder, one an HTML file and the other a Shockwave file. The HTML file contains code to load the Shockwave file. The installer sets the HTML file as the user's wallpaper so that the Flash search engine program is sitting on the desktop at every boot. The Flash file does little more than open and close a series of collapsible menus containing more lop internet shortcuts and a search function which queries - take a guess - lop.com.

A later version (installer name mp3serch.exe) omits this desktop feature as its bugginess reportedly led to its being discontinued. Both versions install a stripped down browser which uses the Internet Explorer web browser engine. This browser automatically launches the following URL:

Not content to leave the user with this browser, the lop installer also makes dramatic changes to Internet Explorer, Mozilla Navigator, and most likely Netscape Navigator. The default search engine pages, toolbar settings, and start page are changed. The lop installer adds scores of internet shortcuts in Internet Explorer's Favorites folder and in Mozilla's Bookmarks.htm file. The download_plugin.exe version does not alter Mozilla Navigator.

These lop installers create a BHO which produces an accessories toolbar in Internet Explorer full of - you guessed it - even more lop.com internet shortcuts. This BHO also takes control of the browser to make it redirect to lop.com if there is some error loading a page. This BHO is named plg_ie0.dll. As with all BHOs, it can be disabled with BHODemon, although I've had two users report that after disabling it, another BHO was automatically generated with the name plg_ie1.dll.

In addition to altering the security nightmare that Internet Explorer has become, the installer also makes changes to Mozilla and presumably Netscape. During testing, I found that Mozilla's prefs.js file (the file that contains user settings) was changed to prefs.bk! and replaced with another with the following setting added.
user_pref("browser.startup.homepage", "www.lop.com");

It also changes bookmarks.html to bookmarks.bk!. The replacement file included all of lop's bookmarks. Bookmarks.html is where Mozilla and Netscape store the user's saved bookmarks. Deleting the altered bookmarks.html and prefs.js, then renaming the two .bk! files to bookmarks.html and prefs.js respectively, restores Mozilla's settings. Again, the download_plugin.exe version does not alter Mozilla / Netscape Navigator.
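The restore procedure above, scripted as an added example (not code from the original article): it checks a Mozilla profile folder for a lop.com start page sitting next to the .bk! backups and moves the backups back into place. The function names and the profile-folder argument are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# Backup name the installer leaves behind -> file Mozilla actually reads.
BACKUPS = {"prefs.bk!": "prefs.js", "bookmarks.bk!": "bookmarks.html"}
HOMEPAGE = re.compile(r'user_pref\("browser\.startup\.homepage",\s*"([^"]*)"\);')

def is_lop_host(url: str) -> bool:
    """Match lop.com and its subdomains only (not e.g. develop.com)."""
    host = re.sub(r"^[a-z]+://", "", url.strip().lower()).split("/")[0]
    return host == "lop.com" or host.endswith(".lop.com")

def homepage_of(prefs: Path):
    """Return the start page configured in a prefs.js, or None."""
    if not prefs.is_file():
        return None
    m = HOMEPAGE.search(prefs.read_text(encoding="utf-8", errors="replace"))
    return m.group(1) if m else None

def is_hijacked(profile: Path) -> bool:
    """True when prefs.js points at lop.com and prefs.bk! sits beside it."""
    home = homepage_of(profile / "prefs.js")
    return bool(home) and is_lop_host(home) and (profile / "prefs.bk!").is_file()

def restore(profile: Path) -> list:
    """Move each .bk! backup over the replaced file; return the names restored."""
    restored = []
    if not is_hijacked(profile):
        return restored  # leave untouched profiles alone
    for backup, original in BACKUPS.items():
        src = profile / backup
        if src.is_file():
            src.replace(profile / original)  # overwrites the altered copy
            restored.append(original)
    return restored

if __name__ == "__main__" and len(sys.argv) == 2:
    print(restore(Path(sys.argv[1])))
```

Run it with the browser closed, since Mozilla rewrites prefs.js on exit.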

The lop installers finish up by creating a registry entry to load a file named mp3serch.exe (or lopsearch.exe if you have the download_plugin.exe installer) at every boot. This entry will make Windows load the lop executable file on each machine restart.

The effect of all of this is to turn the user's web browser into a device to present them with a seemingly endless supply of lop chosen links to click. The user becomes a visitor to lop.com with nearly every action that they take with their browser, whether it be searching for something, typing in an incorrect URL, or simply by opening a new browser window.

Newer variants of C2Media's software omit the browser and BHO altogether, and instead install dozens of internet shortcuts and set the home page to http://unitedstates.rub.to. The installer for this variant may be named mp3.exe or freemp3z.exe. These files may appear on your computer as a result of an ActiveX script which automatically begins to download them when you load pages at certain mp3 and/or pornographic web sites. The files are digitally signed by C2Media, the company which owns the lop.com web site and software.

Another software product that does roughly the same thing as lop.com's software and leads to a web site that is virtually identical to lop.com is the Xupiter toolbar from xupiter.com. Although there is no other evidence that they are related, considering that the software and web sites are nearly twins of each other, many people speculate that xupiter is also made by C2Media.

Unfortunately for lop.com, their tactics have gained them the attention of Lavasoft, maker of Ad-aware. Starting with version 5.7, Ad-aware started targeting lop.com along with a number of browser hijackers. Spybot S&D also targets and removes lop.com software. Ad-aware and Spybot both updated recently to target xupiter.com's software as well. Although we used to provide manual removal instructions for lop.com, we now recommend that you simply use Spybot to remove both lop.com and xupiter.

All material on this web site is copyrighted © 2001-2021 by Mike Healan. All rights reserved.