RavMon.exe... Be Careful

Status
Not open for further replies.

warsi

Hi!
RavMon.exe, which is (even) provided by Microsoft.com...
but a new virus named RavMon.exe has arrived...

Parts:
1 : > RavMon.exe
2 : > Autorun.inf
3 : > Unknown Resident Program/dll/etc...

Threats:

RavMon.exe is the action agent... Autorun.inf directs it... and The Unknown Application(s) MasterMind it...

When it attacks, the first two files are found in the root directory of every hard disk partition... like C:, D:, E:, etc... and if you right-click on a drive, you will notice that commands like Open and Explore are changed from English to some other language... and if you then click on any of them (Open, Explore...), you are no longer able to see hidden and system files....

My Solution:

I just wrote a DOS batch file to remove this virus.. it looks like this:
c:
cd\
attrib ravmon.exe -s -h -r
del ravmon.exe
attrib autorun.inf -s -h -r
del autorun.inf

[for all partitions]


WARNING: TO USE THIS FILE YOU MUST RE-INSTALL THE OS... IF YOU JUST USE THIS FILE WITHOUT RE-INSTALLING THE OS, THEN IT'S USELESS...

STEP BY STEP PROCEDURE:
1 : > BOOT YOUR COMPUTER FROM BOOTABLE DEVICE...
2 : > EXECUTE BATCH FILE FROM DOS-PROMPT
3 : > JUST AFTER THAT RESTART AND WITHOUT USING YOUR OLD OS, RE-INSTALL YOUR OS....

CONGRATULATIONS, YOU ARE SUCCESSFUL
 
The RavMon.exe file can be a trojan or a legit file depending on where it's running from and whether you're running the Rav antivirus programme.

RavMon.exe belongs to both the Rav antivirus programme and the W32/VB-CYK worm. If it's running from C:\WINDOWS\system32\RavMon.exe, then it's more than likely a trojan infection.

It's important to know where the file is running from in order to determine whether it's nasty or not.

I would encourage anyone who suspects this trojan to post a HJT log into a new thread in this forum, as per these instructions HERE.

If it's the trojan, it's very easy to manually remove it.

I'm not aware that the RavMon.exe file is a Microsoft file and can find no references to it.

Regards Howard :)
 
RavMon Is Also Provided By Microsoft.com

HI,
Dear brother, I opened microsoft.com, typed RavMon.exe in the search box and pressed the Search button, and in answer I got a RavMon.exe file...

But there is a difference between the RavMon.exe Trojan and MS-RavMon...
the Trojan is 48KB and Microsoft's is about 640KB....

and the problem I have discussed has some other third mastermind file.... (Resident type; it may be because of a corrupted Explorer.exe or Winlogongui.exe or other file)

but no other version of this file is found in any other folder....

Keep in Mind this virus has THREE parts... RavMon.exe, Autorun.inf and UNKNOWN
 
Hi,
As I already mentioned.... I just logged on to www.microsoft.com, entered RavMon.exe in the search bar and pressed the search button, and in return I received a download window for RavMon.exe .... You can check this procedure...

THANKS
Regards, warsi
 
That's very strange. This is what I get when I search Microsoft for the same file. I've done a search of both Google and Yahoo and can't find any reference to RavMon.exe being a Microsoft file.

May I suggest, you post a HJT log as per these instructions, just in case your system is infected.

[attached screenshot: untitled-2.jpg]


Regards Howard :)
 
hi,
After all, I have found the solution...
the third partner of this virus is embedded in svchost.exe... (it actually corrupts svchost when we double-click ravmon.exe or execute it in any way... and then its show starts...)

just go to MS-DOS mode, and while you do the other things (as I described in the first post...), just delete svchost from x:\windows\system32 and (if it is there) from x:\windows
and then reboot...
now insert your XP/98 CD, and for 98 give this command
sfc

and for xp
sfc/scannow

THANKS
 
need help

I just got a ravmon file on my flash drive.
When I scanned it for viruses, suddenly 9 of the folders were infected and the anti-virus deleted those folders.
When I opened the drive to look for the folders, only 4 files remained: two Word files which are not in a folder, this RavMon.exe and RavMonlog..
How can I view all the folders, since the flash drive still has the same amount of bytes as before it happened?
pls help.. I need some of the files for my thesis..
 
Hi myawk and welcome to techspot. =)

Please do the following and start a new thread to post your logs.

Important: Please read this thread HERE before you decide whether to clean or reformat your system.

Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. These are a comprehensive mix of steps to remove common malware, as well as provide us logs of your system to look at so we can further remove any tricky nasties.
Do follow all the instructions exactly.

Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste if not it will be ignored and/or removed by the moderators.

Also, please let me know the results of the AVG Antirootkit scan


Regards,
Your friendly Momok =)

This thread is for the use of warsi only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi myawk!
Your problem testifies that I was right...
First of all...
1 Attach Flash drive to computer
2 if you are running XP then go to Run and type cmd or command to open a DOS prompt...
3 go to your flash drive, like G: or H: etc...
4 now type dir /ah and press Enter
5 do you see the list of files? do you recognise your lost folders?
now, to unhide the folders or to remove their attributes, do the following...
6 suppose one of your folders is named myawk, then do this...
attrib myawk -s -r -h [press Enter key]
and so on
you can also try this command

attrib *.* -r -h -s

and also

undelete myawk


and now to delete the virus do this

attrib ravmon.exe -r -h -s
del ravmon.exe

Thanks
Please Post reply...
 
The Fading of Ravmon.exe

Hi all
actually, I'm a newcomer here, but I think I have something to share on this topic.
First, if you are infected with RavMon.exe (the 49 KB size), you will probably find these files in the root of every drive you have.

Ravmon.exe
Autorun.inf

There is a mastermind, as said earlier, which is SVCHOST.exe; not the Microsoft svchost.exe which can be found in "c:\windows\system32\", this bad one is in "c:\windows\SVCHOST.exe" and "c:\windows\SVCHOST.dll".
All you have to do is boot from an external device (floppy or CD-ROM). Personally I've used the Brat live Windows XP CD, or the Knoppix v5 live CD; they both work well, with a pretty easy interface. If you are not familiar with Linux, just head for Brat Live Windows XP, or any other live booting CD.

- Delete autorun.inf and Ravmon.exe from any partition you have, then head for "c:\windows" and delete "SVChost32.exe" and "svchost.dll" (((DO NOT DELETE THE ONE IN SYSTEM32)))

:) ---- I hope it becomes useful for you ----- :)
 
I know this is about a year on, but we've had major problems with this virus just not wanting to go. I read your site, found out more about the virus and made a bat file to hopefully get rid of it completely. The problem I was having is that whenever I deleted the autorun.inf and ravmon files, even the way described in this forum, they just kept coming back, due to a process running in memory. Hopefully this will work for everyone. Make sure all your USB pens are plugged into the computer, and also make sure that there are no CDs in your drive.

REM Kill the resident processes first; otherwise the files are re-created after deletion
Taskkill.exe /F /IM MDM.exe
Taskkill.exe /F /IM MDM.exe
Taskkill.exe /F /IM ravmon.exe
REM The rogue svchost/mdm copies live directly in C:\windows, not in system32
attrib C:\windows\svchost.exe -s -h -r
del C:\windows\svchost.exe /F
attrib C:\windows\svchost.dll -s -h -r
del C:\windows\svchost.dll /F
attrib C:\windows\mdm.exe -s -h -r
del C:\windows\mdm.exe /F
REM Remove the Run-key entry that restarts the rogue svchost at logon
REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SVCHOST /f
REM Dropper pair at the root of every drive letter (C: through H:)
attrib C:\ravmon.exe -s -h -r
del C:\ravmon.exe /F
attrib C:\autorun.inf -s -h -r
del C:\autorun.inf /F
attrib D:\ravmon.exe -s -h -r
del D:\ravmon.exe /F
attrib D:\autorun.inf -s -h -r
del D:\autorun.inf /F
attrib E:\ravmon.exe -s -h -r
del E:\ravmon.exe /F
attrib E:\autorun.inf -s -h -r
del E:\autorun.inf /F
attrib F:\ravmon.exe -s -h -r
del F:\ravmon.exe /F
attrib F:\autorun.inf -s -h -r
del F:\autorun.inf /F
attrib G:\ravmon.exe -s -h -r
del G:\ravmon.exe /F
attrib G:\autorun.inf -s -h -r
del G:\autorun.inf /F
attrib H:\ravmon.exe -s -h -r
del H:\ravmon.exe /F
attrib H:\autorun.inf -s -h -r
del H:\autorun.inf /F
Pause

Joe

For those of you who do not know how to make bat files: open Notepad, paste the code above, go to File > Save As, change the "Save as type" to "All Files", and type the filename as "VirusRemover.bat" (without the quotes).
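As an added, defender-side example that is not part of this thread or any poster's script: a Python checker that looks for the indicators the posts above describe (the ravmon.exe and autorun.inf pair at a drive root, the autorun.inf keys that launch a file or relabel the Open/Explore context-menu entries, svchost.exe, svchost.dll and mdm.exe sitting directly in the Windows folder instead of system32, and a Run value named SVCHOST). It runs offline: the file tree it scans is constructed in a temp directory with text placeholders instead of real binaries, and the Run-key values are passed in as a dict rather than read from the registry, so everything it reports comes from the constructed sample.

```python
import os
import tempfile

# Indicator names come from the thread; the checker itself is an added example.
ROOT_DROPPER_NAMES = ("ravmon.exe", "autorun.inf")
WINDIR_ROGUE_NAMES = ("svchost.exe", "svchost.dll", "mdm.exe")
RUN_VALUE_NAME = "svchost"
# Constructed stand-in for the HKLM\...\CurrentVersion\Run values (not read from a registry).
DEMO_RUN_VALUES = {"SVCHOST": r"C:\windows\svchost.exe", "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}


def parse_autorun_inf(text):
    """Parse the [autorun] section of an autorun.inf into {lowercase key: value}."""
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def first_token(command):
    """Program part of a command line, honouring a quoted path that contains spaces."""
    command = command.strip()
    if command.startswith('"') and '"' in command[1:]:
        return command[1:command.index('"', 1)]
    return command.split()[0] if command else ""


def autorun_launch_targets(keys):
    """Basenames of what open=, shellexecute= and shell\\<verb>\\command= would run."""
    return [os.path.basename(first_token(value)).lower() for key, value in keys.items()
            if key in ("open", "shellexecute") or key.endswith("\\command")]


def scan_drive_root(root):
    """The dropper pair at a drive root, plus what its autorun.inf wires into Explorer."""
    findings = []
    present = {name.lower(): name for name in os.listdir(root)}
    for name in ROOT_DROPPER_NAMES:
        if name in present:
            findings.append(f"{root}: {present[name]} present at drive root")
    if "autorun.inf" in present:
        with open(os.path.join(root, present["autorun.inf"]), errors="replace") as fh:
            keys = parse_autorun_inf(fh.read())
        for target in autorun_launch_targets(keys):
            if target in present:
                findings.append(f"{root}: autorun.inf launches {target} from the drive root")
        # shell\<verb>=<label> (no \command) relabels Open/Explore in the drive's context
        # menu: the foreign-language menu entries the first post describes.
        for key, value in keys.items():
            if key.startswith("shell\\") and not key.endswith("\\command"):
                findings.append(f"{root}: autorun.inf relabels context-menu verb {key} -> {value}")
    return findings


def scan_windir(windir):
    """svchost/mdm directly in the Windows folder; the legitimate svchost.exe is in system32."""
    return [f"{os.path.join(windir, name)}: rogue copy outside system32"
            for name in os.listdir(windir) if name.lower() in WINDIR_ROGUE_NAMES]


def scan_run_values(run_values):
    """run_values: {value name: command} taken from the Run key and passed in by the caller."""
    return [f"Run value {name} = {cmd}: persistence for the rogue svchost"
            for name, cmd in run_values.items() if name.lower() == RUN_VALUE_NAME]


def build_demo_tree(base):
    """Constructed infected-looking layout under a temp dir; every file is a text placeholder."""
    roots = []
    for drive in ("C", "D"):
        root = os.path.join(base, drive)
        os.makedirs(root)
        with open(os.path.join(root, "RavMon.exe"), "w") as fh:
            fh.write("placeholder, not a binary")
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write('[autorun]\nopen=RavMon.exe\nshell\\open=Abrir\nshell\\open\\command="RavMon.exe" /s\n')
        roots.append(root)
    windir = os.path.join(base, "C", "windows")
    os.makedirs(os.path.join(windir, "system32"))
    for name in ("SVCHOST.exe", "svchost.dll", "mdm.exe", os.path.join("system32", "svchost.exe")):
        with open(os.path.join(windir, name), "w") as fh:
            fh.write("placeholder")
    return roots, windir


def run_demo():
    """Build the sample tree, scan every part of it and return the findings (14 for this tree)."""
    with tempfile.TemporaryDirectory() as base:
        roots, windir = build_demo_tree(base)
        findings = [f for root in roots for f in scan_drive_root(root)]
        return findings + scan_windir(windir) + scan_run_values(DEMO_RUN_VALUES)


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

On a real machine the same three scan functions would be pointed at the actual drive roots, the Windows folder and the values exported from the Run key; the point of the check is that the legitimate svchost.exe in system32 is deliberately left alone, which is the distinction several posts in this thread stress.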
 
There are also tools that we use to deal with trojans such as this. In fact, I just looked through the update files for one of the programs we use in the preliminary removal instructions, and these were added to the program's definitions back on 04-17-2007.

2 days before this thread started!
 