ravmone

My PC has been infected by ravmone…
I guess it’s a worm…
but I’m not sure.
I got it several times from an infected pendrive,
but I managed to remove it.

But why can’t avast detect it…???

Generally, if a virus is recurrent (coming back again and again), you should:

  1. Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;[LN];310405
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
  4. Use a-squared, ewido or Spyware Terminator (trojan removers).

Another option is scanning in Safe Mode (repeatedly press F8 while booting): http://support.microsoft.com/default.aspx?scid=kb;en-us;315222

Hope this helps in any way… 8)

If avast can’t detect it then send them a sample.

If you are not getting a virus warning for what you believe is a new, undetected virus, then, if you can, zip and password protect (‘virus’ will do) the suspect file and send it to virus @ avast.com (no spaces), or send it from the chest.

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a new, undetected virus, and include the password in the body of the email. Some info on the avast version and VPS number (see About avast {right click avast icon}) will also help.

Hi bohan,

This worm opens a backdoor on the infected machine. It is written in the script language Python and converted into Windows PE format using the py2exe tool. The worm file has a size of 3 513 806 bytes.

Every worm file that infects a machine tries to complete the following operations:

  1. Copies itself to the main Windows folder under the name RavMon.exe

  2. To run every time the system starts up, writes to the registry:

“RavAV” = “RavMon.exe”
to be found in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  3. Opens a random TCP port and waits for remote instructions from the malware author, who is able to:

write to or delete from the registry,
run themes,
run files from the internet,
delete files,
get to data or files on the system,
run or stop services,
halt processes.

  4. Sends the IP address, port number and version number of the installed malware to one of the following addresses:

http://natrocket.kmip.net:5288/
http://natrocket.9966.org:5288/
http://scipaper.kmip.net:80/

  5. The worm spreads through mapped drives like hard disks and flash disks. It scans all mapped drives on the infected machine and after that scans the main folder for:

autorun.inf
msvcr71.dll
RavMonE.exe

The worm file is targeted every time the user checks the disk size.

Also look here: http://www.bleepingcomputer.com/startups/RavAV-15228.html

polonus
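The description above gives enough indicators to check a machine or a pendrive for this worm by hand. The following is an added example, not code from this thread or from avast: it turns polonus's indicators (the dropped file names, the "RavAV" Run value, the report-back hosts, and the autorun.inf trick that launches RavMonE.exe when a drive is opened) into small check functions. The autorun.inf text and the directory and registry listings it is fed are constructed sample input, not captured from an infected machine; the `scan_live()` function is the only part that touches the real system and only does anything on Windows. It matches on names only, so a renamed copy would need a sample sent to avast as suggested earlier in the thread.

```python
"""Indicator checks for the RavMonE worm described in polonus's post.

Added example, not code from the original thread or from avast. File
names, the Run value name and the report-back hosts come from the post;
the autorun.inf text and the listings fed to the checks are constructed.
"""
import configparser
import os
import platform
from urllib.parse import urlsplit

# Files dropped in the root of every mapped drive (from the post).
DROPPED_FILES = {"autorun.inf", "msvcr71.dll", "ravmone.exe"}
# Executable names used for persistence (RavMon.exe) and spreading (RavMonE.exe).
WORM_EXES = {"ravmon.exe", "ravmone.exe"}
# Persistence: HKLM\...\Run, value "RavAV" = "RavMon.exe".
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "ravav"
# Hosts the worm reports its IP address, port and version to.
C2_HOSTS = {"natrocket.kmip.net", "natrocket.9966.org", "scipaper.kmip.net"}
# [autorun] keys that make Explorer run a program when the drive is opened.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun_inf(text):
    """Return the [autorun] section as {lowercase key: value}, {} if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:      # not an INI file at all
        return {}
    for section in cp.sections():   # [autorun] and [AutoRun] both occur
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def _basename(command):
    """Lowercase executable name from a command line such as
    'RavMonE.exe' or '"C:\\WINDOWS\\RavMon.exe" /x'."""
    command = command.strip()
    if command.startswith('"'):
        target = command[1:].split('"', 1)[0]
    else:
        target = command.split()[0] if command else ""
    return os.path.basename(target.replace("\\", "/")).lower()


def autorun_launches(autorun):
    """Return the worm executable an [autorun] section would launch, else None."""
    for key in EXEC_KEYS:
        base = _basename(autorun.get(key) or "")
        if base in WORM_EXES:
            return base
    return None


def check_drive_root(names):
    """names: file names in a drive's root folder. Return dropped files present."""
    return sorted({n.lower() for n in names} & DROPPED_FILES)


def check_run_entries(entries):
    """entries: {value name: data} from the Run key. Return value names that
    match the worm's persistence entry by name or by launched executable."""
    return sorted(name for name, data in entries.items()
                  if name.lower() == RUN_VALUE_NAME
                  or _basename(str(data)) in WORM_EXES)


def is_c2_url(url):
    """True if url points at one of the report-back hosts from the post."""
    return (urlsplit(url).hostname or "").lower() in C2_HOSTS


def scan_live():
    """Windows only: read the real Run key and every drive root and run the
    checks above on them. Returns empty results on other platforms."""
    if platform.system() != "Windows":
        return {"run": [], "drives": {}}
    import string
    import winreg
    run, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:         # no more values
                break
            run[name] = data
            index += 1
    drives = {}
    for letter in string.ascii_uppercase:
        root = letter + ":\\"
        if os.path.isdir(root):
            try:
                drives[root] = check_drive_root(os.listdir(root))
            except OSError:         # ejected or unreadable drive
                continue
    return {"run": check_run_entries(run), "drives": drives}


# Constructed sample (not a captured file): an autorun.inf of the kind that
# would make Explorer run RavMonE.exe when the pendrive is opened.
SAMPLE_AUTORUN = """[AutoRun]
open=RavMonE.exe
shell\\open=Open(&O)
shell\\open\\Command=RavMonE.exe
shell\\open\\Default=1
"""

if __name__ == "__main__":
    print("autorun launches:", autorun_launches(parse_autorun_inf(SAMPLE_AUTORUN)))
    print("drive root hits:", check_drive_root(["AUTORUN.INF", "RavMonE.exe", "photos"]))
    print("run key hits:", check_run_entries({"RavAV": "RavMon.exe"}))
    print("live scan:", scan_live())
```

Run it from Safe Mode as the earlier post suggests, so the worm's own process is not holding the files open; a hit on the Run key plus the three files in a drive root is the pattern polonus describes, and the URL check is for anyone who sees those hostnames in a firewall or proxy log.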

thx guys ;D

No problem, welcome to the forums.