Thanks for answering.
The reason that I asked the question is because of reading about Lop.
I thought, as you said, that the proper procedure would be to delete both things. Say in the case of a Lop O4, fixing the O4 line and deleting the folder. I wanted to see what current procedures are for Lop, and I did a lot of looking at Lop threads last week, and I don't see consistency in procedures.
It is hard to check well, because you need nolop and combofix or comboscan logs to look at everything, and those, particularly the combo**** logs, are not often asked for, but I have found some interesting threads.
I see one Lop folder that is not visible to HijackThis that is hardly ever deleted. By extension, this should be present in a significant majority of Lop-related logs. Sometimes I don't see the related task scheduler task asked for right away either, so it seems like the fix process goes through some unnecessary cycles. Visible in the log are two folders, an HKLM and an HKLU folder. Sometimes, not always, I see only one asked for in the deletion steps. So I see logs pronounced as clean where there are Lop folders left on the machine. In addition, I have seen registry fix files used only a few times, but the combo**** logs would sometimes seem to indicate that they should have been used in other threads as well.
So what I am trying to evaluate is whether I am seeing carelessness, the helper knows a folder is empty so is not concerned about removing it, registry removal considered unnecessary because the program it calls is gone, or what.
In addition, there is a new tool that shows up called nolop. In the logs I looked at, only once did it remove files; the rest of the time it just removed the task scheduler job. Not knowing exactly what nolop does, I am having trouble fitting it into the mix too.
In short, I am trying to figure out why approaches to Lop seem to violate what I thought was the standard approach to cleaning things.
Edited by bluecoal, 19 June 2007 - 12:16 PM.