revop.c trojan

Discussion in 'Trojan Defence Suite' started by mark_s, Apr 30, 2004.

Thread Status:
Not open for further replies.
  1. mark_s

    mark_s Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    16
    Hello

    I am new to this whole internet thing. Nod32 tells me I have a virus called win32/revop.c trojan. The exe file that gets picked up is called bdl14025[1].exe.

    Can anyone tell me how to get rid of this? The Nod32 help desk isn't open again till Monday!

    Thanks
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello mark_s and welcome!
    You run TDS, don't you, and have updated with the latest databases?
    With that, highest sensitivity and all scan options in the scan console checked, does it find it for you? The trojan is in the TDS database, so it should be detected.
    If so, you can delete it. If it is not detected, it might be a variant and you could zip it and send it to submit@diamondcs.com.au
    Did NOD not quarantine the file for you and in that way take out the danger for the moment?
    When running a TDS scan, do close the other scanners and any resident antivirus protection you might have, so TDS has free access to all files for scanning.
    Please let us know the results!
     
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    With that file name it will be in Temporary Internet Files, so empty them.
     
  4. mark_s

    mark_s Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    16
    I tried deleting the temp internet files. No joy there.

    Jooske, What is TDS?
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    What is the exact path to the file at this moment?
    Could it be NOD32 quarantined the file, so that even deletion with other programs like Windows itself or cleaning caches in Internet Explorer is not possible?
    In that case you have a few options:
    If NOD quarantined it for you, maybe NOD is able to delete it as well.
    If not:
    close NOD, also resident protection etc., then again try to clean caches via Internet Explorer or Windows Explorer.
    If it still doesn't work,
    you can reboot into safe mode and search for and delete the file that way.


    Since you posted in the TDS forum for help I thought you were using or familiar with TDS (Trojan Defence Suite).
    Please get a download of the evaluation version here:
    http://tds.diamondcs.com.au/index.php?page=download
    Install TDS, go back to the same page and get the latest update.td3 (database), reboot after the install; now after the TDS startup scans it might alarm on that same file, and if so delete it via TDS.
    Note: if you scan with TDS, at that same moment leave other scanners and resident protection closed till you're ready.
     
  6. mark_s

    mark_s Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    16
    G'day again Jooske

    At the moment Nod32 says the exe file is at:

    c:\docume~1\mark\locals~1\temp\bdl14025[1].exe and
    c:\documents and setting\mark\local settings\temporary internet file...\bdl14025[1].exe.

    I can't find these directories when I search through explorer?

    I will try shutting everything down (including Nod32) and deleting the temp internet files.

    Thanks again
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    So you see Derek is right about the location in the TIF directory.
    For me these TIF files are in another location, but that depends on your Windows version and maybe other personal settings.
    In my system it will be TIF > Content5.0 > foldername > filename.

    If you open Internet Explorer > Tools > Options > delete files including the local pages, it cleans the caches, hopefully including that file.
    A second way (Win98, hope the same on your XP):
    in Windows Explorer, right-click on a drive letter to get its properties, and you get a button offering to clean the drive; clicking that gets a menu to configure which files you want to be deleted, among which those TIF files (Temporary Internet Files), recycle bin etc.
    That would be a second way to get rid of them. I have the feeling the second cleans more. Also my firewall has a cache cleaner which can be configured for what I want to be cleansed after each reboot or at a button click on it.


    If you do a search in Windows on that filename, it should show up again with that full pathname; from the search results you should be able to delete it too (if NOD is not blocking any access to it, so close that down again at those moments).
    Make sure you don't double-click to start the executable!
    If it is still protected from deletion, you can reboot in safe mode and delete it that way.

    Is it the only infection and is NOD not able to delete it for you?

    Please let us know how it goes?
     
  8. mark_s

    mark_s Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    16
    OK, firstly Nod32 gives me the choice of deleting the files and I click on delete. But when I restart the files are back again o_O

    Have tried the steps you suggested.

    Firstly I went to internet explorer -> Tools -> Internet Options -> Delete Cookies and Delete Files.
    Did this for both users on my machine (me and my wife)

    That didn't work so then I used disk cleanup from windows explorer, that also didn't work.

    I then tried searching in Windows (Start -> Search) for the file bdl14025[1].exe but this file wasn't found o_O so I couldn't delete it.

    As far as I know I only have the one virus (Nod32 only says one anyway). The only other strange thing is that when I shut down my machine I get an error message saying "End Program - Add Word". Not sure if this is related to a virus or not.

    Anyway thanks for your help. Bed time now.
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    For the first one, do this.
    Some of the files or folders you need to delete may be hidden, so do this:
    Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".

    then using windows explorer navigate to
    c:\documents and settings\mark\local settings\temp\

    Then, as XP will not let you delete files less than 24 hours old because it thinks it might need them, please also do this:

    while in the temp folder, select View and select Details.

    Then right-click a blank part and select "Arrange icons by", and select "Show in groups" and "Modified"; that will give a list of all files in date order with today at the top of the page.

    Select all the files/folders except the "today" ones and delete them all.

    I also suggest following advice here

    https://www.wilderssecurity.com/showthread.php?t=15913
    and post a HJT log in the HijackThis forum.
     
  10. mark_s

    mark_s Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    16
    I am back at it again now.

    OK, have tried doing all of the suggestions again. I found a file called bdm.exe in my temp folder that wouldn't let itself be deleted because it was currently running. I then closed the bdm.exe application and deleted it, and that has stopped the bdl14025[1].exe being created.

    My internet is starting to run in a more normal manner now, only residual problem is that extra internet screens pop up with things like PC shield, but now I am able to close them easily. Will see if I can stop this happening.

    Thanks again for the help.
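    Two things in this thread generalise into a quick triage check: dvk01's advice (post 9) to show hidden files and clear temp files older than 24 hours, and mark_s's finding (post 10) that an executable running out of the temp folder kept recreating the detected file. The PowerShell below is an added example for this thread, not anything the posters ran; it assumes a modern Windows PowerShell (the thread is about XP) and that the browser cache lives under INetCache, which is only one common location.

    ```powershell
    # Added example, not from the thread. Lists (1) processes whose image lives
    # under a per-user temp folder and (2) temp files older than 24 hours.
    # Assumption: modern Windows; INetCache stands in for XP's Temporary Internet Files.
    $tempRoots = @(
        $env:TEMP,
        (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\INetCache')
    ) | Where-Object { $_ -and (Test-Path $_) }

    # 1. Running processes whose executable sits in a temp folder (the bdm.exe case).
    #    Processes you lack rights to inspect have an empty Path and are skipped.
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $p = $_
        foreach ($root in $tempRoots) {
            if ($p.Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Path = $p.Path }
            }
        }
    } | Format-Table -AutoSize

    # 2. Temp files older than 24 hours; -Force includes hidden and system files,
    #    which is what dvk01's "Show hidden files and folders" step exposes.
    $cutoff = (Get-Date).AddHours(-24)
    Get-ChildItem -Path $tempRoots -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        Select-Object FullName, LastWriteTime, Attributes |
        Format-Table -AutoSize
    ```

    Review the first list before stopping anything, and pipe the second list to `Remove-Item -Force -WhatIf` before deleting for real; a file that reappears after deletion usually means the process that writes it is still running.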
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That is the reason why I asked you to try to delete and clean out caches in safe mode.
    But with Derek's explanation, files less than 24 hours old might not have been deleted; that could have helped only partly too.
    So now there are still popups, something is not clean yet; please let Derek have another look at a new HijackThis log from you.

    These popups, are those Messenger advertisements or ordinary popup advertisements?
    In the last case you should block popups. I do it via the firewall, and I use the Google search bar which has it included too, but there are many other ways to block them.
    If it's the Messenger advertisements you can disable the Messenger service via the Control Panel. XP users can tell you best how exactly.
     
  12. mark_s

    mark_s Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    16
    Jooske & dvk01

    I ran Ad-Aware 6 and it found 136 items on my PC. Once these were deleted there are no more problems with slow internet or with pop-ups. I haven't bothered to run HijackThis. Do you think it's still worth doing it?

    I did try deleting the files when in safe mode, but as I didn't know how to see the hidden files I couldn't find them to delete them.

    Thanks again for all your help.
     
  13. mark_s

    mark_s Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    16
  14. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    You put it in just the right spot ;-)

    I do imagine that our experts will have ya clean as a whistle in no time ;)
     