
Thread: Heads up! revop.c (trojan horse) on the loose.

  1. #1
    0_o Mastermind keezel's Avatar
    Join Date
    Jun 2003
    Posts
    1,024

    Heads up! revop.c (trojan horse) on the loose.

    AVG has been finding "revop.c" daily for the past week on my computer. I get the impression that it's new, and it's dang hard to get rid of. I can't find any removal tools for it yet but I read somewhere that Avast Antivirus will actually permanently get rid of it. Symantec apparently doesn't even acknowledge its existence yet. My firewall asks me if I want to let "optimizer.exe", "bargains.exe", "searchassist.exe" and some other stupid names access the internet....umm, no. All that started happening when I first found the bug, so I think they may be connected. Another forum discussing this described it as "a beast". Also, I think it's new b/c every forum discussion I've found on it has been within the past week/2 weeks max. If anybody knows anything else about it, plz share.

  2. #2
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400
    http://service1.symantec.com/SUPPOR...001052409420406
    I think this's got removal instructions..haven't checked it out tho srry...

  3. #3
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    I'd like to get a copy of that file.. optimizer is part of known spyware.. some places call it a trojan.. just google search on optimizer.exe

    and ummm.. if you have it on your box.. you gonna have a bunch of other things on your box as well..

    I smell another hijackthis log coming my way..

    this time, I say.. get pestpatrol, in addition to the usual adaware/spybot.. then get hijackthis and post a log here.. If you can do all this within the next half hour, I'll look at the log.. because in one hour, my kids will have taken over all my computers and I won't get to go online until 9pm (4 hours from now)

    good luck

  4. #4
    The Symantec link did not work for me. Another one is:

    http://www.trendmicro.com/vinfo/viru...e=TROJ_REVOP.C

  5. #5
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    yeah therenegade.. you have to be careful.. you can't just copy paste links.. you have to do a right click (in IE) "copy shortcut" then paste into the forum.. I really didn't search too hard at Symantec for your link but I saw nothing on revop there..perhaps because they call it something else.

    from looking at a few logs that I've seen.. and remembering from other logs I've seen..
    I'd expect to see some hjt entries like these amongst others..

    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll

    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [msbb] c:\docume~1\simon\locals~1\temp\msbb.exe

    I think it'll be pretty easy to identify the "bad guys" from a hijackthis log.

  6. #6
    Member
    Join Date
    Sep 2002
    Posts
    51
    i have had revop.c it is a pain to get rid of but i found that the newest version of The Cleaner will get rid of it and Spyware S&D too i think not sure on that one

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    "Trojan horse on the loose"?

    I thought the whole point was, that the trojan horse is not mobile, or capable of being "on the loose". The only way it's ever a risk, is if you open the gates, bring it into the city, and then the soldiers creep out at night and open the door for the invading army?

    So if you're so stupid as to accept the bugger in the first place, you deserve everything you get (including the fall of Troy)

    Slarty

  8. #8
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    First Check where AVG is pulling these babies from.. If it is in your TIF (Temporary Internet Folder) then modify your searching habits..
    C is not the latest.. removed some 40+ Revop.e from a customer's machine tonight.. ALL of these were in the TIF.... And a quick google.. found Revop.F on a few sites including Panda Software..

    Cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  9. #9
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    some removal instructions i got on a mailing list.


    First move hijackthis to another folder. Create one somewhere other than a temporary directory.

    Then close all windows and have hijackthis fix the following:

    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll

    O4 - HKLM\..\Run: [msbb] c:\windows\temp\msbb.exe
    O4 - HKLM\..\Run: [dqx] C:\WINDOWS\dqx.exe


    Then......

    Make sure you can view hidden and system files: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Then.......

    Reboot to safe mode and delete the following:

    File C:\WINDOWS\SYSTEM\BRIDGE.DLL
    File C:\WINDOWS\2_0_1browserhelper2.dll
    File C:\WINDOWS\dqx.exe

    Then....

    Browse to C:\Windows\Temp folder. Select all files in it and delete them.
    Empty your internet explorer cache.

    Then....

    Download ad-aware here -> http://fileforum.betanews.com/detail.php3?fid=965718306

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

    Then ........

    From main window: Click "Start" then "Activate in-depth scan"

    Then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    Click the "Tweak" button.

    Open up the "Scanning Engine" section and tick "Unload recognized processes during scanning"

    Then........"Cleaning engine" and "Let windows remove files in use at next reboot" and "Automatically try to unregister objects prior to deletion"

    then...... click "proceed" to save your settings.

    Now to scan it's just to click the "Next" button.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.
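
An added example, not written by any poster in this thread: a Python triage of the O2/O4 HijackThis entries quoted in posts #5 and #9. The heuristics (unnamed BHO, file under a temp directory or directly in the Windows root, Run entry that goes through rundll32) and the ExampleAV control line are assumptions of this example, not HijackThis rules.

```python
import re

# HijackThis line shapes quoted in the thread:
# O2 = Browser Helper Object, O4 = Run-key autostart.
O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4 = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
FILE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.I)

def location_reasons(path):
    """Location heuristics (assumptions of this example, not HijackThis rules)."""
    parts = path.lower().split("\\")
    why = []
    if "temp" in parts[:-1]:
        why.append("file in a temp directory")
    if parts[:-1] == ["c:", "windows"]:
        why.append("file directly in the Windows root")
    return why

def triage(log_text):
    """Return [(line, [reasons])] for O2/O4 entries that deserve a closer look."""
    flagged = []
    for line in (l.strip() for l in log_text.splitlines()):
        why = []
        if m := O2.match(line):
            if m["name"] == "(no name)":
                why.append("BHO without a name")
            why += location_reasons(m["path"])
        elif m := O4.match(line):
            if m["cmd"].lower().startswith("rundll32"):
                why.append("autostart loads a DLL via rundll32")
            if f := FILE.search(m["cmd"]):
                why += location_reasons(f.group(0))
        if why:
            flagged.append((line, why))
    return flagged

# Entries copied from posts #5 and #9; the last line is constructed as a benign control.
SAMPLE = r"""
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [msbb] c:\docume~1\simon\locals~1\temp\msbb.exe
O4 - HKLM\..\Run: [dqx] C:\WINDOWS\dqx.exe
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\tray.exe"
"""

if __name__ == "__main__":
    for line, why in triage(SAMPLE):
        print("; ".join(why), "<-", line)
```

The Internet Optimizer entry under Program Files passes all of these checks, so location heuristics only narrow the list; the remaining entry names still have to be looked up.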

  10. #10
    0_o Mastermind keezel's Avatar
    Join Date
    Jun 2003
    Posts
    1,024
    Originally posted here by slarty
    "Trojan horse on the loose"?

    I thought the whole point was, that the trojan horse is not mobile, or capable of being "on the loose". The only way it's ever a risk, is if you open the gates, bring it into the city, and then the soldiers creep out at night and open the door for the invading army?

    So if you're so stupid as to accept the bugger in the first place, you deserve everything you get (including the fall of Troy)

    Slarty
    Lol, damn that was harsh. I rarely ever let anything access the internet. I'm well aware that a trojan horse can only be downloaded and activated by the victim (I made the title up on the spur of the moment...didn't actually sit and think about it)....or it can be put there if your box has been hacked. I boot into safe mode and scan with both avg and ad-aware *and* I have system restore turned off but it still keeps coming up after reboot. I also had the computer unplugged from the internet just cuz I figured it couldn't hurt. All AV, firewall, and Antispyware is updated but it's just hard to get rid of. I'll try everything that's been posted here and see if anything works. Thanks for the input everyone!
