
Lop Virus after reinstall of OS

  #1  
Colloghi, 04-Sep-2008, 07:05 PM

I seem to be having a problem with a computer for a friend. They seem to be getting something called a Lop virus, which seems to change the user's page they are viewing, and also leaves traces with the address lop@usersname.com. The virus seems to refuse to go away, even after a reinstall... but I'm not so sure, and feel this may be something to do with whatever the user is viewing or downloading after each install.

The PC is a Dell and comes with the Dell Windows XP recovery CDs for that system, and I've reinstalled the system twice with this disk. The first time, I was asked to save some files, but to otherwise do a complete reinstall of the system. I did as asked, reinstalled the system, retrieved the data which needed retrieving and checked the system... it all seemed fine, no viruses as far as my scans showed.

However, the virus came back the same. The user this time said they were happy for everything to be formatted and the OS recovered. I've now done this: formatted the system and recovered the OS with the Dell disks. Ran AVG, HijackThis, Ad-Aware, Norton, all fine, no scans.

Today the user states the same virus is back, although she has assured me that nothing has been downloaded as far as she is aware.

I know others do use this same PC, like her younger son... is it something being downloaded? Or is there a chance the Lop virus is staying in the recovery partition, if there is one?


Sorry for the long post

 
  #2  
zebulebu, 04-Sep-2008, 09:26 PM
Lop is a nasty bit of adware from C-Media that is often installed with programs like MessengerPlus - the default installation of which comes with Lop as a 'sponsor' program - lots of people install without realising it is filth as the actual MessengerPlus program is pretty useful (I run it meself).

Check the PC out again for anything that has been installed - look for things like ropey-looking toolbars (a dead giveaway). Either they are downloading something that installs it as part of a bundle, or they are going to a particular website that drive-by installs it each time the PC is rebuilt. If they run pop-up blocking software it should help, tell them to use Firefox instead of IE and, most importantly, give them my stock answer in cases like this:

stop looking at pr0n on the Internet

 
  #3  
postman, 04-Sep-2008, 10:00 PM
Quote:
stop looking at pr0n on the Internet
But that's the best part of the internet

 
  #4  
hbroomhall, 05-Sep-2008, 12:32 AM
Number one rule here:

After restoring the OS *patch it* using something like Autopatcher (i.e. not on line) and bring the SPs up to date, also not on line.

Then install AVG etc and other apps.

Old restore disks can leave a machine vulnerable, and attempting to patch it online can mean a race between nasties and the patches.

Also check the machine before you do this - if there are any P2P apps on it then read the riot act to the owner.

Harry.

 
  #5  
Colloghi, 14-Sep-2008, 01:38 AM
Thanks for the replies back on this.

Just another quick query: could the application Skype be a means by which the lop is appearing, as I know the user does use that fairly often?

 
  #6  
zebulebu, 14-Sep-2008, 02:21 AM
Not unless they are downloading Skype from a malicious source. Like other software, Skype can be provisioned from non-legitimate sources, so it's possible (though highly unlikely) that they are getting it that way.

Have you taken my earlier advice? Check Add/Remove programs for Messenger Plus. It is by far the most common attack vector for lop infections in my experience.

 
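Added example, not part of any post in this thread: one way to do the "check Add/Remove Programs" step from the replies above as a repeatable audit after a rebuild. It reads the standard Uninstall registry keys and flags entries that match a watch list or were installed since the rebuild; it assumes PowerShell is available on the machine, and the watch-list terms and rebuild date are constructed placeholders to adjust.

```powershell
# Added example: audit what Add/Remove Programs would show, from the registry.
# Assumptions: $watchList terms are taken from names mentioned in the thread;
# $rebuildDate is a constructed placeholder (yyyyMMdd) for the last OS restore.
$watchList   = @('Messenger Plus', 'Toolbar')
$rebuildDate = '20080901'

# Standard per-machine and per-user Uninstall keys (WOW6432Node exists only on 64-bit).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledProgram {
    # Entries without a DisplayName are hidden components, skip them.
    foreach ($key in $uninstallKeys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            Select-Object DisplayName, Publisher, InstallDate, UninstallString
    }
}

function Test-WatchList {
    param([string]$Name)
    # Case-insensitive substring match against each watch-list term.
    foreach ($term in $watchList) {
        if ($Name -like "*$term*") { return $true }
    }
    return $false
}

$programs = @(Get-InstalledProgram | Sort-Object DisplayName -Unique)

# Entries whose name matches the watch list.
$flagged = @($programs | Where-Object { Test-WatchList $_.DisplayName })

# Entries installed on or after the rebuild. InstallDate is an optional
# yyyyMMdd string, so entries without one are listed separately, not ignored.
$sinceRebuild = @($programs | Where-Object { $_.InstallDate -and $_.InstallDate -ge $rebuildDate })
$undated      = @($programs | Where-Object { -not $_.InstallDate })

"{0} installed, {1} on watch list, {2} since rebuild, {3} undated" -f `
    $programs.Count, $flagged.Count, $sinceRebuild.Count, $undated.Count
$flagged      | Format-Table DisplayName, Publisher, InstallDate -AutoSize
$sinceRebuild | Sort-Object InstallDate | Format-Table DisplayName, Publisher, InstallDate -AutoSize
```

Running it straight after the restore and again when the problem reappears gives two lists to compare, which shows what was installed in between.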
  #7  
Norton-Forum-assist, 06-Oct-2008, 10:43 AM
Hi Colloghi,

My name is Peter and I am working for an external European Symantec-Support-Team.
We are sorry to hear about your problem. I have informed the Symantec Support about your issue and they provided us with the following solution:

-Please see: http://www.symantec.com/security_res...421-99&tabid=1

Please try it and let me know if it helped.

Best Regards,
Pete

 