Can anyone explain this to me?


Post by ankit_forum on Sun Jan 27, 2008 4:06 am

I got this script from my pendrive, which was infected by a trojan:

[AutoRun]
open=RavMon.exe
shell\open=(&O) //what does this mean ??
shell\open\Command=RavMon.exe
shell\explore=Դ(&X //what does this mean ??
shell\explore\Command="RavMon.exe -e"

Earlier I had tried several times to autorun my USB but that didn't work, so I am trying to use this code, which works.


Post by Doctor Inferno on Sun Jan 27, 2008 4:56 am

Ravmon.exe is actually a virus also known as W32.Nomvar, which is a worm that copies itself to the root of all drives, including removable and shared drives, and downloads potentially malicious files onto the compromised computer. So follow this removal process:

1. Confirm that you have the Ravmon.exe virus. Right-click on any drive; if you see invalid characters in the menu, you are infected.

2. You have to stop the process of the virus. Open Task Manager (Ctrl+Alt+Del), go to the Processes tab and find the program named "SVCHOST.EXE". There will be a few more svchost in lower case, but you have to terminate the one which is written in CAPS. If you see more than one SVCHOST.EXE (all caps), end the one with your username in front of it instead of LOCAL SERVICE, NETWORK SERVICE or SYSTEM.

3. Delete the virus files. For this you need to show system protected files. For this, go to
My Computer > (Menu) Tools > Folder Options > (Tab) Views > Uncheck "Hide System protected files" > Press OK
If you are unable to unhide the system files, you can use third-party software to browse the drive and delete files; try ACDSee or WinRAR.

Now you have to delete these two files:

1. Autorun.inf

2. Ravmon.exe

from all of the drives. Access the drives by typing the drive letter in the address bar.

4. Once you are done with it, open the Windows folder (by address bar) and delete SVCHOST.EXE, SVCHOST.dll and MDM.exe.
Now restart the explorer.exe process by killing it in Task Manager and running it again [(Winkey + R), type explorer and hit Enter].

Right-click on any drive and you will find valid characters. The virus is removed.

This is optional as files are deleted from drives.

Remove MDM.exe from start-up. Press Winkey+R, type "msconfig" and hit Enter. Go to > (Tab) Start-up > Uncheck "MDM.exe" > OK > Exit without Restart.


To ensure that you are no longer infected, download a copy of HijackThis and save it to your desktop in a folder. Do a scan and save the HijackThis logfile. Do not remove anything. Post your log file here. Link to HijackThis:

[You must be registered and logged in to see this link.]


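The autorun.inf quoted in the first post, and the "invalid characters in the menu" sign from step 1 of the reply above, can be checked by reading the file as text instead of opening the drive in Explorer. The following is an added example, not code from either poster: a small Python audit whose function names are hypothetical and whose sample is the post's own lines with the `//` annotations removed.

```python
# Added example: static audit of an autorun.inf (all names here are hypothetical).
LAUNCH_KEYS = ("open", "shellexecute")  # keys that start a program directly

# The [AutoRun] lines from the first post, without the poster's // notes.
SAMPLE = r"""[AutoRun]
open=RavMon.exe
shell\open=(&O)
shell\open\Command=RavMon.exe
shell\explore=Դ(&X
shell\explore\Command="RavMon.exe -e"
"""

def parse_autorun(text):
    """Return the [AutoRun] section as {lowercased key: value}."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def audit(entries):
    """Return (key, program, reason) findings; program is None for label findings."""
    findings = []
    for key, value in entries.items():
        parts = key.split("\\")
        is_verb_command = len(parts) == 3 and parts[0] == "shell" and parts[2] == "command"
        if key in LAUNCH_KEYS or is_verb_command:
            # First token is the program; the post quotes program and argument together.
            words = value.strip('"').split()
            program = words[0] if words else ""
            what = "menu verb '%s'" % parts[1] if is_verb_command else "AutoRun"
            findings.append((key, program, "%s runs %s" % (what, program)))
        elif len(parts) == 2 and parts[0] == "shell" and not value.isascii():
            findings.append((key, None, "menu label has non-ASCII characters"))
    return findings

def programs_to_inspect(findings):
    """Files on the drive that the autorun.inf would start."""
    return sorted({program for _, program, _ in findings if program})

if __name__ == "__main__":
    for key, _, reason in audit(parse_autorun(SAMPLE)):
        print("%-22s %s" % (key, reason))
```

A non-ASCII menu label is only a heuristic, since localized software uses such labels legitimately; the entries that matter are the ones that bind the drive's menu verbs to a program in the drive root.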


Post by ankit_forum on Sun Jan 27, 2008 5:09 am

Hi doc,

Thanks for replying.
I have 4 svchost.exe running.
When I insert my pendrive, my NOD32 tells me that svchost.exe tried to create a file setup.exe in the USB drive.

That means it is infected by a worm, and as you say there is no svchost.exe in the taskmgr with all in caps.
How to find it?
And there are many ports open on my system. I have a firewall, but it is configured to allow system32/svchost.exe, and if I disallow it my internet won't work.
So I think I need to format my PC.

Can you upload a bootable CD and provide me the link so that I can download it and run a scan from boot to remove the trojan? Or tell me how can I get for NOD32? Like it is available for Quick Heal users.

Thanks again


Post by Doctor Inferno on Sun Jan 27, 2008 9:52 am

You mean upload a Windows XP CD? I can't.

I guess you are using an OEM version of Windows; you should still have a partition dedicated to PC recovery or a bootable disc that you should have made when you got your PC.

Recover your computer using the "destructive" format. It usually appears under the Start Menu - PC Recovery or something like that.



Post by ankit_forum on Sun Jan 27, 2008 12:48 pm

Hi doc,
thanks for replying again.

I think I will make one using Quick Heal myself.

Thanks


Post by Doctor Inferno on Thu Mar 13, 2008 2:09 pm

*********************************************************

This subject has been addressed or corrected. The subject is closed.

*********************************************************

