-
May 11th, 2004, 09:35 PM
#1
Heads up! revop.c (trojan horse) on the loose.
AVG has been finding "revop.c" daily for the past week on my computer. I get the impression that it's new, and it's dang hard to get rid of. I can't find any removal tools for it yet but I read somewhere that Avast Antivirus will actually permanently get rid of it. Symantec apparently doesn't even acknowledge its existence yet. My firewall asks me if I want to let "optimizer.exe", "bargains.exe", "searchassist.exe" and some other stupid names access the internet....umm, no. All that started happening when I first found the bug, so I think they may be connected. Another forum discussing this described it as "a beast". Also, I think it's new b/c every forum discussion I've found on it has been within the past week/2 weeks max. If anybody knows anything else about it, plz share.
-
May 11th, 2004, 09:50 PM
#2
http://service1.symantec.com/SUPPOR...001052409420406
I think this has got removal instructions..haven't checked it out tho, sorry...
-
May 11th, 2004, 09:56 PM
#3
I'd like to get a copy of that file.. optimizer is part of known spyware.. some places call it a trojan.. just google search on optimizer.exe
and ummm.. if you have it on your box.. you gonna have a bunch of other things on your box as well..
I smell another hijackthis log coming my way..
this time, I say.. get pestpatrol, in addition to the usual adaware/spybot.. then get hijackthis and post a log here.. If you can do all this within the next half hour, I'll look at the log.. because in one hour, my kids will have taken over all my computers and I won't get to go online until 9pm (4 hours from now)
good luck
-
May 11th, 2004, 10:02 PM
#4
The Symantec link did not work for me. Another one is:
http://www.trendmicro.com/vinfo/viru...e=TROJ_REVOP.C
-
May 11th, 2004, 10:29 PM
#5
yeah therenegade.. you have to be careful.. you can't just copy paste links.. you have to do a right click (in IE) "copy shortcut" then paste into the forum.. I really didn't search too hard at symantec for your link but I saw nothing on revop there..perhaps because they call it something else.
from looking at a few logs that I've seen.. and remembering from other logs I've seen..
I'd expect to see some hjt entries like these amongst others..
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [msbb] c:\docume~1\simon\locals~1\temp\msbb.exe
I think it'll be pretty easy to identify the "bad guys" from a hijackthis log.
-
May 12th, 2004, 04:29 AM
#6
I have had revop.c. It is a pain to get rid of, but I found that the newest version of The Cleaner will get rid of it, and Spyware S&D too I think, not sure on that one.
-
May 12th, 2004, 11:09 AM
#7
"Trojan horse on the loose"?
I thought the whole point was, that the trojan horse is not mobile, or capable of being "on the loose". The only way it's ever a risk, is if you open the gates, bring it into the city, and then the soldiers creep out at night and open the door for the invading army?
So if you're so stupid as to accept the bugger in the first place, you deserve everything you get (including the fall of Troy)
Slarty
-
May 12th, 2004, 01:09 PM
#8
First Check where AVG is pulling these babies from.. If it is in your TIF (Temporary Internet Folder) then modify your searching habits..
C is not the latest.. removed some 40+ Revop.e from a customer's machine tonight.. ALL of these were in the TIF.... And a quick google.. found Revop.F on a few sites including Panda Software..
Cheers
"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
May 12th, 2004, 10:55 PM
#9
Some removal instructions I got on a mailing list.
First move hijackthis to another folder. Create one somewhere other than a temporary directory.
Then close all windows and have hijackthis fix the following:
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O4 - HKLM\..\Run: [msbb] c:\windows\temp\msbb.exe
O4 - HKLM\..\Run: [dqx] C:\WINDOWS\dqx.exe
Then......
Make sure you can view hidden and system files: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Then.......
Reboot to safe mode and delete the following:
File C:\WINDOWS\SYSTEM\BRIDGE.DLL
File C:\WINDOWS\2_0_1browserhelper2.dll
File C:\WINDOWS\dqx.exe
Then....
Browse to C:\Windows\Temp folder. Select all files in it and delete them.
Empty your internet explorer cache.
Then....
Download ad-aware here -> http://fileforum.betanews.com/detail.php3?fid=965718306
Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
Then ........
From main window: Click "Start" then "Activate in-depth scan"
Then......
click "Use custom scanning options>Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files"
then.........
Click the "Tweak" button.
Open up the "Scanning Engine" section and tick "Unload recognized processes during scanning"
Then........"Cleaning engine" and "Let windows remove files in use at next reboot" and "Automatically try to unregister objects prior to deletion"
then...... click "proceed" to save your settings.
Now to scan it's just to click the "Next" button.
When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.
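Posts #5 and #9 both rely on eyeballing HijackThis O2 (BHO) and O4 (Run key) lines for the temp-directory and loose-C:\WINDOWS entries this infection leaves behind. The following is an added example, not from this thread or from HijackThis itself: a small Python triage script that parses such lines and flags them using only the heuristics and file names quoted above. The sample log and the "Example Helper" BHO with its CLSID are constructed for the demo.

```python
import re
# Constructed sample log: the O2/O4 lines quoted in this thread plus one made-up benign BHO.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [msbb] c:\docume~1\simon\locals~1\temp\msbb.exe
O4 - HKLM\..\Run: [dqx] C:\WINDOWS\dqx.exe
"""
# File names the posts in this thread tie to the infection (from the thread, not a vendor list).
THREAD_IOCS = {"bi.dll", "bridge.dll", "optimize.exe", "msbb.exe", "dqx.exe", "2_0_1browserhelper2.dll"}
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def module_path(cmd):
    # For rundll32 the file that matters is the quoted DLL; otherwise the (possibly quoted) exe.
    quoted = re.findall(r'"([^"]+)"', cmd)
    if quoted and (cmd.lower().startswith("rundll32.exe") or cmd.startswith('"')):
        return quoted[0]
    return cmd.split()[0]

def reasons_for(kind, name, path):
    # Heuristics taken from the thread: known names, temp dirs, loose files in C:\WINDOWS, nameless BHOs.
    low = path.lower()
    hits = []
    if low.rsplit("\\", 1)[-1] in THREAD_IOCS:
        hits.append("filename quoted as revop-related in this thread")
    if "\\temp\\" in low:
        hits.append("runs from a temp directory")
    if re.match(r"^c:\\windows\\[^\\]+\.(dll|exe)$", low):
        hits.append("loose file directly in C:\\WINDOWS")
    if kind == "O2" and name == "(no name)":
        hits.append("BHO registered without a name")
    return hits

def triage(log_text):
    # Parse O2/O4 lines; return only the entries with at least one reason to look closer.
    findings = []
    for line in log_text.splitlines():
        m2, m4 = O2_RE.match(line), O4_RE.match(line)
        if m2:
            kind, name, path = "O2", m2["name"], m2["path"]
        elif m4:
            kind, name, path = "O4", m4["name"], module_path(m4["cmd"])
        else:
            continue
        hits = reasons_for(kind, name, path)
        if hits:
            findings.append({"type": kind, "name": name, "path": path, "reasons": hits})
    return findings
```

Run `triage(open("hijackthis.log").read())` against a real log; anything it returns still needs a human look, as the heuristics only narrow the list, they do not prove a file is malicious.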
-
May 13th, 2004, 12:45 AM
#10
Originally posted here by slarty
"Trojan horse on the loose"?
I thought the whole point was, that the trojan horse is not mobile, or capable of being "on the loose". The only way it's ever a risk, is if you open the gates, bring it into the city, and then the soldiers creep out at night and open the door for the invading army?
So if you're so stupid as to accept the bugger in the first place, you deserve everything you get (including the fall of Troy)
Slarty
Lol, damn that was harsh. I rarely ever let anything access the internet. I'm well aware that a trojan horse can only be downloaded and activated by the victim (I made the title up on the spur of the moment...didn't actually sit and think about it)....or it can be put there if your box has been hacked. I boot into safe mode and scan with both avg and ad-aware *and* I have system restore turned off but it still keeps coming up after reboot. I also had the computer unplugged from the internet just cuz I figured it couldn't hurt. All AV, firewall, and Antispyware is updated but it's just hard to get rid of. I'll try everything that's been posted here and see if anything works. Thanks for the input everyone!