Lop Virus after reinstall of OS

Discussion in 'Computer Security' started by Colloghi, Sep 4, 2008.

  1. Colloghi

    Colloghi Kilobyte Poster

    303
    7
    54
    I seem to be having a problem with a computer for a friend. They seem to be getting something called a Lop virus, which seems to change the user's page they are viewing, and also leaves traces with the address [email protected]. The virus seems to refuse to go away, even after reinstall... but I'm not so sure and feel this may be something to do with whatever the user is viewing or downloading after each install.


    The PC is a Dell and comes with the Dell Windows XP recovery CDs for that system, and I've reinstalled the system twice with this disk. The first time, I was asked to save some files, but to otherwise do a complete reinstall of the system. I did as asked, and reinstalled the system and retrieved the data which needed retrieving and checked the system... it all seemed fine, no viruses as far as my scans showed.

    However the virus came back the same. The user this time said they were happy for everything to be formatted and the OS recovered. I've now done this, formatted the system and recovered the OS with the Dell disks. Ran AVG, HijackThis, Ad-Aware, Norton, all fine no scans.



    Today the user states the same virus is back, although she has assured me that nothing has been downloaded as far as she is aware.

    I know others do use this same PC, like her younger son... Is it something being downloaded? Or is there a chance the Lop virus is staying in the recovery partition if there is one?


    Sorry for the long post :oops:
     
    Certifications: A+, MCP 270, 271, MCDST
    WIP: 290
  2. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Lop is a nasty bit of adware from C-Media that is often installed with programs like MessengerPlus - the default installation of which comes with Lop as a 'sponsor' program - lots of people install without realising it is filth as the actual MessengerPlus program is pretty useful (I run it meself).

    Check the PC out again for anything that has been installed - look for things like ropey-looking toolbars (a dead giveaway). Either they are downloading something that installs it as part of a bundle, or they are going to a particular website that drive-by installs it each time the PC is rebuilt. If they run pop-up blocking software it should help, tell them to use Firefox instead of IE and, most importantly, give them my stock answer in cases like this:

    stop looking at pr0n on the Internet
     
    Certifications: A few
    WIP: None - f*** 'em
  3. postman

    postman Byte Poster

    176
    3
    24
    But that's the best part of the internet :oops: :twisted:
     
    WIP: A+
  4. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,624
    117
    224
    Number one rule here:

    After restoring the OS *patch it* using something like Autopatcher (i.e. not online) and bring the SPs up to date, also not online.

    Then install AVG etc. and other apps.

    Old restore disks can leave a machine vulnerable, and attempting to patch it online can mean a race between nasties and the patches.

    Also check the machine before you do this - if there are any P2P apps on it then read the riot act to the owner.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  5. Colloghi

    Colloghi Kilobyte Poster

    303
    7
    54
    Thanks for the replies back on this. :)

    Just another quick query: could the application Skype be a means by which the Lop is appearing, as I know the user does use that fairly often?
     
    Certifications: A+, MCP 270, 271, MCDST
    WIP: 290
  6. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Not unless they are downloading Skype from a malicious source. Like other software, Skype can be provisioned from non-legitimate sources, so it's possible (though highly unlikely) that they are getting it that way.

    Have you taken my earlier advice? Check Add/Remove programs for Messenger Plus. It is by far the most common attack vector for lop infections in my experience.
     
    Certifications: A few
    WIP: None - f*** 'em