can't get rid of revop.c

Discussion in 'adware, spyware & hijack cleaning' started by cdrys, May 12, 2004.

Thread Status:
Not open for further replies.
  1. cdrys

    cdrys Registered Member

    Joined:
    May 12, 2004
    Posts:
    2
    AVG keeps coming up and says that I have the revop.c trojan in my Windows\System32 folder. I of course have run AVG and removed it but it keeps coming back. I also tried manually deleting it, but again it keeps coming back. The only problems I've noticed are with IE. Sometimes after using it there are 2 IE windows minimized that won't maximize - they can only be closed. I also got a notice from one of the addresses in my contact list that they received an email from me with the SomeFool worm, but that may be another issue and has probably been taken care of with all the antivirus programs I've run in the last 2 days. Anyway, I followed your directions and ran AdAware and Spybot both, and then ran HijackThis. My log is below. Please help me get rid of the revop.c thing!


    Logfile of HijackThis v1.97.7
    Scan saved at 9:29:51 AM, on 5/12/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\lexbces.exe
    C:\WINDOWS\System32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\jxyraed.exe
    C:\WINDOWS\system32\qckbmpd.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Terminal Services Client\mstsc.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lowellstoyota.com/admin
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 207.246.97.204:8080
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    N1 - Netscape 4: user_pref("browser.startup.homepage", "www.car-part.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
    N3 - Netscape 7: user_pref("browser.startup.homepage", "www.car-part.com"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\pzstm1hm.slt\prefs.js)
    O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINDOWS\system32\icdd7ee6.dll
    O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\system32\iel2cde8.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\system32\li01f948.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\system32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\system32\jxyraed.exe
    O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\system32\qckbmpd.exe
    O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\system32\li01f948.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\system32\iel2cde8.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINDOWS\system32\icdd7ee6.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [lex2kusb] C:\WINDOWS\system32\lex2kusb.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
    O4 - Startup: yess.lnk = C:\Program Files\Terminal Services Client\mstsc.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O12 - Plugin for .ram: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppl3260.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/088171a031663d779515/netzip/RdxIE601.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab?rand=20033310
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37728.2437268519
    O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D0} (EZListings) - http://www.therealyellowpageslive.net/live/ezlistnt.cab
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{476153C0-F775-4963-B39D-52A67EE5A9FB}: NameServer = 4.2.2.2,63.240.76.4
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi cdrys,


    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:


    O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINDOWS\system32\icdd7ee6.dll
    O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINDOWS\system32\iel2cde8.dll

    O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINDOWS\system32\li01f948.dll

    O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\system32\jxyraed.exe
    O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\system32\qckbmpd.exe
    O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\system32\li01f948.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\system32\iel2cde8.dll,EnableRunDLL32
    O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINDOWS\system32\icdd7ee6.dll,EnableRunDLL32

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/088171a031663d779515/netzip/RdxIE601.cab

    Then reboot into safe mode and delete:
    C:\WINDOWS\system32\jxyraed.exe
    C:\WINDOWS\system32\qckbmpd.exe
    C:\WINDOWS\system32\li01f948.dll
    C:\WINDOWS\system32\iel2cde8.dll
    C:\WINDOWS\system32\icdd7ee6.dll

    I am not sure about this one:
    O4 - HKCU\..\Run: [lex2kusb] C:\WINDOWS\system32\lex2kusb.exe
    Find that file and check it's properties > version tab and let us knwo what you can find out.

    Regards,

    Pieter
     
  3. cdrys

    cdrys Registered Member

    Joined:
    May 12, 2004
    Posts:
    2
    I followed your directions and it looks like revop.c is gone!!!! I had already deleted some of the suspicous files you pointed out, but there were a couple I had missed. I'm keeping my fingers crossed, but AVG hasn't popped up in the last 4 hours with that same revop.c warning! As for the lex2kusb.exe file, it appears to be a Lexmark printer file of some sort. Thanks for your help!
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
Thread Status:
Not open for further replies.