Trojan Horse Downloader . Revop.A..


Name: moole
Date: January 28, 2004 at 19:25:37 Pacific
OS: win xp
CPU/Ram: 1.3ghz 256mb
Comment:

HELP !!!!!!

I keep getting AVG resident shield messages that C:/WINDOWS/System32/notepad.exe is infected with Trojan Horse Downloader.Revop.A

I'm doing Avast and AVG scans and I'll post the results later. Can anyone give me any info on this trojan, for I still can't find any on it?


ANY HELP MUCH APPRECIATED!!!!!!!




Response Number 1
Name: hacad
Date: January 28, 2004 at 19:42:43 Pacific
Reply:

More than likely the original file, Notepad.exe, was renamed to something like Note.com or notepad.com.

The one that you're seeing is the virus and should be deleted. Take a look at this link.

http://www.pchell.com/virus/qaz.shtml


0

Response Number 2
Name: moole
Date: January 28, 2004 at 20:01:13 Pacific
Reply:

ONE BIG PROBLEM.... I've followed the steps but my registry didn't contain the data value "startIExxxx/Notepad.exe"

Thanks for the help anyway


0

Response Number 3
Name: moole
Date: January 28, 2004 at 20:19:48 Pacific
Reply:

I've also searched for Note.com and Notepad.com and so far no sign of those files... WAAAAA I HATE GETTING VIRUSES


0

Response Number 4
Name: moole
Date: January 28, 2004 at 20:31:20 Pacific
Reply:

Sorry to be posting so much here, but I've checked the ZoneAlarm log and it appears that it has blocked "notepad.exe" from trying to access the net multiple times. THANK YOU ZONEALARM!!!!!

My question now is: after I have gotten rid of this evil thing **crosses fingers**, should I turn off System Restore, reboot and enable System Restore again?


0

Response Number 5
Name: moole
Date: January 28, 2004 at 21:24:01 Pacific
Reply:

OK, AVG has "healed" notepad.exe and I'm just doing another scan now, as well as a Panda ActiveScan soon.
**hopes internet doesn't hang**

I've stopped getting the AVG resident shield messages, but I can no longer use Notepad as Windows is unable to find notepad.exe.

I am still a bit worried that there may be some registry work still to do, but I have no idea what to look for etc etc.

Here is my HijackThis log, and if anyone finds anything suspect can they PLZ PLZ post.


Logfile of HijackThis v1.97.7
Scan saved at 6:23:22 p.m., on 29/01/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG6\avgw.exe
C:\Documents and Settings\Kelly\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://computing.net/security/wwwboard/wwwboard.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [BrowserBrand] C:\Program Files\ONLINE~1\XTRA\brand.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN messenger\msnmsgr.exe" /background
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A19966F-AE0E-4699-8CCE-9B6F5F1C352C} (NPKXSite Control) - http://kr.pristontale.com/nprotect/keycrypt/npkxsite.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37848.649224537
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A63742EE-387A-4E9B-B2AC-F2495AFAC27C}: NameServer = 210.48.65.2 210.48.66.2



0


Response Number 6
Name: hacad
Date: January 29, 2004 at 06:02:00 Pacific
Reply:

Do you know what this program is or does?

O4 - HKLM\..\Run: [BrowserBrand] C:\Program Files\ONLINE~1\XTRA\brand.exe

Check this link out and read through it; a worm will copy a file of this name to your HD:

http://www.symantec.com/avcenter/venc/data/w32.gluber.b@mm.html

I would check out the file just to make sure it's one you want loading.


0

Response Number 7
Name: moole
Date: January 29, 2004 at 19:32:41 Pacific
Reply:

OK, I've read through it and it looks like I have not got it. Just one question: when you referred to
"Check this link out and read through it; a worm will copy a file of this name to your HD:"

what do you mean by a copy of a file of this name? What name?

But it appears that whatever I had isn't on my computer anymore and notepad.exe doesn't try to connect to the net anymore.


HELP STILL NEEDED HERE !!!!!


0

Response Number 8
Name: moole
Date: January 29, 2004 at 19:44:49 Pacific
Reply:

Oh, I forgot one thing... this may sound stupid, but how do I check out the registry value:

O4 - HKLM\..\Run: [BrowserBrand] C:\Program Files\ONLINE~1\XTRA\brand.exe

to make sure that it is what I want loading


0
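As an added example (not part of any poster's reply, and not HijackThis's own code), the O4 autorun lines of a log like the one posted above, including the BrowserBrand entry asked about here, can be parsed and listed for manual review. The sample is an excerpt of that log; the function names and the note labels (`no-path`, `unquoted-spaces`, `not-running`) are this example's own and are prompts for a closer look at the file on disk, not verdicts.

```python
import re
from ntpath import basename  # Windows path rules on any platform
# Excerpt of the HijackThis v1.97.7 log posted earlier in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [BrowserBrand] C:\Program Files\ONLINE~1\XTRA\brand.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\\w+: \[(.+?)\] (.+)$")
EXE_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.I)

def executable(command):
    """Program part of a Run value: quoted, unquoted with spaces, or a bare name."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split()[0]

def parse(log):
    """Return (basenames of running processes, list of O4 autorun entries)."""
    running, autoruns, in_procs = set(), [], False
    for line in (l.strip() for l in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # blank line ends the process list
        elif in_procs:
            running.add(basename(line).lower())
        elif (m := O4_RE.match(line)):
            autoruns.append({"hive": m[1], "name": m[2], "command": m[3],
                             "exe": executable(m[3])})
    return running, autoruns

def triage(log):
    """Map each autorun value name to (executable, review notes)."""
    running, autoruns = parse(log)
    report = {}
    for a in autoruns:
        exe, notes = a["exe"], []
        if "\\" not in exe:
            notes.append("no-path")          # log does not say which file on disk this is
        elif " " in exe and not a["command"].startswith('"'):
            notes.append("unquoted-spaces")  # where the program name ends is ambiguous
        if basename(exe).lower() not in running:
            notes.append("not-running")      # no matching process when the scan was saved
        report[a["name"]] = (exe, notes)
    return report

if __name__ == "__main__":
    for name, (exe, notes) in triage(SAMPLE_LOG).items():
        print(f"{name:16} {exe:42} {', '.join(notes) or '-'}")
```

An entry with notes is only a candidate for inspection: checking the file's location, properties and an antivirus scan of that file is what settles whether it should be loading.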

Response Number 9
Name: pander9066
Date: January 30, 2004 at 10:57:06 Pacific
Reply:

My AVG found this trojan as well in notepad.exe, 3 days ago, and Zone Alarm blocked it from internet a day before that. Yesterday, it appeared again in C:\system volume information\restore in A0042330.exe. Both of these files are in virus vault, so what do I do now? I am new to all of this. I could not find any info on this trojan until I tried today and the previous post was found by search engine and I looked for a long time!!!


0

Response Number 10
Name: moole
Date: January 30, 2004 at 13:01:35 Pacific
Reply:

YAY I'm not alone.... To get rid of the virus in the system restore you must turn off system restore, which will make your computer restart, and once you log back in, re-enable system restore.

How to turn off system restore:
left click on "My Computer"
go to properties
and then go to system restore
and click "turn off system restore"

I'm sorry but I have no other info on how to make sure that your system is completely clean, so I am nearly in the same mess you are, and PLZ PLZ anyone post if they have info on this beast.

Hope this helps pander9066.
Best of Luck


0

Response Number 11
Name: HarmEe
Date: January 31, 2004 at 01:32:20 Pacific
Reply:

I also got the virus. My AVG found this trojan as well in notepad.exe, 3 days ago, and ZoneAlarm blocked it from internet a day before that. I have gotten rid of it by using AVG Anti-Virus. Notepad.exe was healed.


0

Response Number 12
Name: popatlal
Date: January 31, 2004 at 07:31:23 Pacific
Reply:

I got the same virus today, but I do not have Windows XP nor Zone Alarm. I am on Windows 98. The file "do.exe" was found on C: showing infected. AVG was unable to remove it either. I deleted the file permanently. Notepad.exe was not infected and note.com was not found on my system.

Any suggestions .. ?


0

Response Number 13
Name: pander9066
Date: January 31, 2004 at 19:26:07 Pacific
Reply:

These infected files are in AVG virus vault (notepad.exe and one in system restore folder), even though after the test ran it said files were healed. When I try to restore the files it says they are still a virus, but I thought once they were healed I could restore the "back ups". I am totally confused, should I delete both files in virus vault and then turn off system restore, or should I let them stay in virus vault because my computer is running fine so far, except that notepad can't be found when I try to open a notepad document. However, notepad can be opened from the notepad icon in the Windows folder and runs fine!!????? Also, if I delete the files, will I ever be able to get back what I deleted, or is what is deleted only a virus and not useful anyway, i.e., is notepad still on my computer and just not named notepad.exe anymore, because like I said, I can still use it by manually opening the icon, just can't open a document that was created by notepad in the past?


0

Response Number 14
Name: computer novice 2
Date: January 31, 2004 at 20:06:19 Pacific
Reply:

I deleted my file that was infected and since I have never used notepad it hasn't been too much of a problem. There is no harm in having the virus stored in the virus vault. I believe that the notepad icon in the WINDOWS folder was probably not infected. If you do delete them I think that you will not be able to recover them.

I think that you may be able to reinstall notepad from the xp disk but not sure so post in the xp forum.. they will tell you if it is possible to reinstall notepad.

Turning off system restore will get rid of the infected file in the system restore so I see no harm in turning off system restore.. just make sure that you turn it back on again after you have finished.

Sadly it seems that this must be a very new virus and there is very little/nothing in terms of information on it.

BTW once it is in the vault it will not spread and it will not try to broadcast.


Note to Popatlal:

If you are still feeling a bit uncertain it might be a good idea to try out some online scans:

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

http://scan.sygate.com/trojanscan.html

http://www.trendmicro.com/en/home/global/enterprise.htm

http://www.symantec.com


You may have to explore the Trend Micro and Symantec websites a bit but I am certain they have free online anti-virus scans.

It's also a bit sad how many people don't check these old topics, so sorry if my advice seems a bit limited.

Best of Luck.

*Novice*


0

Response Number 15
Name: Rickdude
Date: January 31, 2004 at 23:24:35 Pacific
Reply:

Stuck with "Downloader.Revop.A"?
From your desktop, not on any website at all, click "Start" then click "Run" then type in "regedit" (no quotation marks) and then run it. That will show you your registry. Don't fool around in it, just look for anything that says "Downloader". Right click and search for Revop.A. or just put in Revop. Right click on it and delete it. Problem solved. (You've been a naughty person while surfing, that's how you get it.)


0

Response Number 16
Name: Rickdude
Date: January 31, 2004 at 23:33:44 Pacific
Reply:

P.S. "Downloader.Revop.A" is just a nuisance virus written by someone who likes things to be hard for other people. After virus scan removes it, all it does is bother you. Rickdude



0

Response Number 17
Name: computer novice 2
Date: February 1, 2004 at 19:53:39 Pacific
Reply:

Ok... searched the registry and no Revop or Revop.A.

BTW I do not go to porn sites.. I was searching for information on music when about 30 pop-ups came up.. that's how I got it.

But still thanks for the info


0

Response Number 18
Name: pander9066
Date: February 2, 2004 at 11:13:12 Pacific
Reply:

My wife got it from a link off of a cooking site, the link displayed a page that said "site has moved, click here to continue", and when she did, about 20 to 30 pop ups came up and then AVG popped up with virus found message. I went back through the website history and found this link myself and got the Revop.A again, so don't be fooled into thinking you are safe just because you don't surf porn.


0

Response Number 19
Name: pander9066
Date: February 2, 2004 at 11:15:08 Pacific
Reply:

P.S. Also, I could not find Revop in my regedit either, but thanks for the help anyway.


0

Response Number 20
Name: computer novice 2
Date: February 2, 2004 at 19:21:52 Pacific
Reply:

Yeah.. I think AVG cooked the virus.. haven't had any problems since

Best of Luck pander9066 and anyone else who gets infected with this virus


*novice*


0

Response Number 21
Name: Phoenix
Date: February 21, 2004 at 10:39:46 Pacific
Reply:

I have 6 Trojan Revop.A. viruses in my system restore. I have disabled sys restore but still AVG and Trojan Remover cannot heal it or move it.

Any help would be appreciated

Thanks


0

Response Number 22
Name: RSUN
Date: February 23, 2004 at 16:24:57 Pacific
Reply:

I also caught this pesky virus opening a link in a webpage. Here's how I got rid of it; hope it helps. I first ran Panda Active Scan and 3 files were detected and removed (a couple of .exe files in the temporary internet folder and one other). Anyway, after Panda removed the virus I then cleared my temp internet folder and cookies, then I ran regedit and searched for revop, trojan, and revop.a and came up with just one entry and deleted it. Then I turned sys restore off and rebooted my system. Now I can open all Notepad docs, and from the Start menu, and it seems to be completely gone. Before I did this, notepad.exe would only open from the Windows directory; if attempted to open from any other location it would launch the trojan.revop.a and try to connect to the internet and try to download. My Panda would then detect the virus and remove it. Just a little FYI, I found the reg entry in this location, hope it helps. (HKEY_USERS\S-1-5-21-602162358-1482476501-839522115-1003\Software\Google\NavClient\1.1\History)


0

Response Number 23
Name: Wein
Date: February 25, 2004 at 09:39:22 Pacific
Reply:

My AVG also detected this virus. When I looked for help I found this site. I downloaded Panda and it did not find anything. The virus was in the AVG vault so I emptied the vault and ran it again. Now Panda and AVG are not detecting it. Is it gone? I cannot find system restore under my computer\properties. I am running Windows 98, is there somewhere else to look? I am pretty green at this computer stuff. HELP!


0

Response Number 24
Name: necrology
Date: February 28, 2004 at 02:24:37 Pacific
Reply:

Yeah I'm running Win98SE, and I have no clue where this system restore is, nor do I know how I got the virus, although I think it was my dumbass friend. Would you guys just suggest doing a full scan of my hard drives with AVG?


0

Response Number 25
Name: computer novice 2
Date: February 28, 2004 at 14:38:20 Pacific
Reply:

Trojan Revop.A is an alias for the virus TROJ_winpup.B

Go here for a link to the Trend Micro info page on it:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_WINPUP.B

Some more info:

http://www.computercops.biz/modules.php?name=Forums&file=viewtopic&p=73401


Now I made the silly mistake of not cleaning system restore and it came back and infected 2 more files about a week after I thought I was clean. So if you are getting messages from AVG resident shield that it is in system restore then you MUST disable system restore, do a full scan with an antivirus checker and once you are clean re-enable system restore.

Here are some online scans that you might want to do:

http://housecall.trendmicro.com/
http://www.trojanscan.com/trojanscan
nrav av:
http://www.ravantivirus.com/scan/
virus scan:
http://www.bitdefender.com/scan/licence.php
avast cleaning tool:
http://www.avast.com/i_idt_171.html
mcafee avert stinger:
http://vil.nai.com/vil/stinger/
scans for open trojan ports:
http://scan.sygate.com/pretrojanscan.html
test my shields grc:
https://nanoprobe.grc.com/x/ne.dll?bh0bkyd2
dsl port scan:
http://www.dslreports.com/scan
pest patrol scan mediocre:
http://www.pestscan.com/Scan.asp


0
