8698 Views 19 Replies Latest reply: Nov 3, 2006 10:48 AM by humminbird
... that's my suspicion (if it was a brand new iPod fresh out of the box) ... I'm still not all that experienced with dealing with that worm, though, so I can't say that with confidence.
If you download fresh definitions and run virus scans, does that pick up the worm? Or is your antivirus currently saying that you are clean?
gateway, p4 (belladonna), Windows XP, 20gb b&w ipod (mauve), 20gb color ipod (attractive beast)
A scan pointed to the specific file, but wouldn't remove it.
I followed a page's instructions on worm removal... forget where. Safe mode, and a program called Autoruns.
Seemed to work for a day, but it popped up again when I plugged in the iPod, which I had scanned after deleting the Rav executable in safe mode.
So I tried a "Houdini" by setting the process priority to low on the new RavMonE, force-ended the process and deleted the file in C:\WINDOWS (which had come back after the safe-mode deletion). This was before my first post and it hasn't come back since, and scans have been clean.
Another note is that I have a 64MB flash drive I use regularly which didn't seem to trigger the process, so I don't know if this thing is designed specifically to 'wake up' when the iPod connects or when the software (iTunes) is running, but it seemed to be the case - hence my suspicion, despite my disbelief that it was likely... if at all possible... that it came with the iPod.
Having zero understanding of how these are manufactured / formatted... etc.
THANKS for the response though. I did not want to accuse, just make my mark JIC there is some sort of relation between the two. I've had suspicious processes before and a Google search quickly came up with the answers... the search for this one came up with a large number of foreign-language threads, and the English ones didn't cry out good or bad as consistently as every other search I had done.
Thanks again. Sorry for the length.
Windows XP
Attached my iPod to a new computer and RavMonE.exe popped up again. I checked the iPod via Explorer and in the root directory I found RavMonLog.exe.
Googling that I get one English thread with no responses. Tons of foreign-language ones though.
ALSO, PRISMXL.SYS popped up and I am wondering if this is enabling RavMon to function. I removed it from my other computer. I read it's harmless, but I also read it's used to install other programs... which seems fishy.
Hmmmmm. I think we need to get you to a reputable malware removal help forum, where a specialist helper can give your system a thorough going-over with a HijackThis log to see precisely what's going on. (Not trying to get rid of you here, it's just that we're out beyond the limits of my competence at the moment. I'd like someone with some better skills to have a look.)
There's a nice list of reputable malware removal help forums given at the end of this document. (There are others out there, but this list gathers together a number of options for you.)
doxdesk: other sites about parasites
gateway, p4 (belladonna), Windows XP, 20gb b&w ipod (mauve), 20gb color ipod (attractive beast)
I'd just like to confirm the following: that a 30GB iPod, purchased 1 October 2006, out of the box from a big box store, does in fact contain the RAVMONE.EXE virus.
The package was sealed from the factory.
Upon connecting it to a PC with the latest signatures from both Symantec and McAfee antivirus, it immediately quarantined the .exe file.
Also on the drive are the supporting files, an autorun.inf, msvcr71.exe.
Disabling the AV software on a test system allowed the infection to occur, and confirmed that this is in fact a virus and not a false positive.
See here for more details:
http://vil.nai.com/vil/content/v_139985.htm
30gb IPOD, Windows XP Pro
The package was sealed from the factory.
You do know that stores have plastic sealing and packaging setups?
They are not (usually) trying to mislead, but returns and damaged plastic wrap can simply be resealed.
Not to say it absolutely could not have come from the factory with a worm on it, but doubtful.
iMac G5 (Rev B) - 1 GB RAM, Mac OS X (10.4.8), Silver Mini, Blue Mini
I purchased an 80GB iPod from a department store in Bucks, UK, on 3rd October. After configuring it in iTunes 7 and plugging it back in, my AV software identified and quarantined the ravmonE.exe virus.
As someone else mentioned, there was also an autorun.inf, but my PC gave me the option of running it or not ... so I didn't.
My own PC is not infected (i.e. not in running processes), nor does it have that .exe on it.
I think my iPod shipped with this file on the HDD.
Tested it on the same computers again.
Computer #1: (Windows XP Media Center Edition, iTunes installed) - When plugging in the iPod, the RavMonE.exe process starts and installs in C:\Windows, and RavMonLog.exe appears in the iPod root dir. I can delete both files and stop the process... but when I double-click the iPod root directory after closing, RavMonLog.exe appears again after a couple of seconds and RavMonE.exe is back on my machine.
Computer #2: (Windows XP Media Center Edition, NO iTunes) - Same results.
Computer #3: (ME upgraded with XP SP1 install, no iTunes) - No virus, no unusual processes. Can eject via Explorer no problem and access the hard drive. No file appears in the root directory.
Did this several times, attaching it to each computer in a different order, always the same result. I'm stumped.
IPod 30gig video, Windows XP
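The two posts above (the one listing autorun.inf and msvcr71 alongside RavMonE.exe, and the three-computer test where the worm returns as soon as the iPod root is double-clicked) describe the classic removable-drive autorun pattern: an autorun.inf at the drive root points at an executable, and Windows XP runs it on AutoPlay or when the drive is opened in Explorer. The script below is an added example, not code from the thread or from any antivirus vendor: it parses an autorun.inf, lists what it would launch, and checks a drive root for the file names the posters reported. The file names are taken from the posts; the autorun.inf contents, the directory layout and all function names are constructed for illustration and are not the worm's real files.

```python
"""Inspect a removable-drive root for the autorun.inf / RavMonE.exe pattern
described in the thread. Added example; file names come from the posts,
everything else is assumed."""
import os
import re
import tempfile

# File names the posters reported on the iPod root or dropped into C:\Windows.
INDICATOR_FILES = {"ravmone.exe", "ravmonlog.exe", "msvcr71.exe", "msvcr71.dll"}

# Constructed sample: an autorun.inf that launches RavMonE.exe on AutoPlay
# ("open") and when the drive is opened or explored from Explorer
# (shell\...\command). This is NOT the worm's real autorun.inf, which the
# thread does not show.
SAMPLE_AUTORUN = """[autorun]
open=RavMonE.exe
shell\\open=Open
shell\\open\\Command=RavMonE.exe
shell\\explore\\Command=RavMonE.exe
"""


def parse_autorun(text):
    """Return the key=value entries of the [autorun] section, keys lower-cased."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            in_section = m.group(1).strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Programs an autorun.inf would run: the 'open' entry (AutoPlay on XP)
    and every shell\\<verb>\\command entry (double-click / Explore)."""
    targets = []
    for key, value in entries.items():
        if key == "open" or (key.startswith("shell\\") and key.endswith("\\command")):
            tokens = value.split()
            prog = tokens[0].strip('"') if tokens else ""
            targets.append((key, prog))
    return targets


def scan_drive_root(root):
    """Report indicator files and autorun launch targets found in a drive root."""
    names = {n.lower(): n for n in os.listdir(root)}
    report = {
        "indicator_files": sorted(n for n in names if n in INDICATOR_FILES),
        "autorun": None,            # list of (key, program) or None if no autorun.inf
        "launches_indicator": False,
    }
    if "autorun.inf" in names:
        with open(os.path.join(root, names["autorun.inf"]), encoding="latin-1") as fh:
            targets = launch_targets(parse_autorun(fh.read()))
        report["autorun"] = targets
        report["launches_indicator"] = any(
            os.path.basename(prog).lower() in INDICATOR_FILES for _, prog in targets
        )
    return report


def demo(infected=True):
    """Build a constructed stand-in for an iPod root in a temp dir and scan it.
    infected=True mimics the thread's reports; False is a clean drive."""
    root = tempfile.mkdtemp(prefix="ipod_root_")
    os.mkdir(os.path.join(root, "iPod_Control"))   # normal iPod folder, not an indicator
    if infected:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        for name in ("RavMonE.exe", "msvcr71.dll", "RavMonLog.exe"):
            open(os.path.join(root, name), "wb").close()   # empty placeholders
    return scan_drive_root(root)


if __name__ == "__main__":
    for state in (True, False):
        print("infected" if state else "clean", "->", demo(infected=state))
```

Pointed at a real drive letter (scan_drive_root("E:\\")), the report tells you both whether the reported files are present and whether the autorun.inf would launch one of them; the Computer #3 result in the post above (an XP SP1 box that never ran anything) is consistent with AutoPlay being disabled there, so a script like this is a more reliable check than watching for a process to appear.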
Exactly the same problem. Received a 30GB iPod yesterday, no problems. Activated the removable drive today, virus warning (G DATA Internet Security). Blocked the virus, deleted ravmondllautorun. No running task. In spite of that it shows "do not disconnect" on the iPod screen, and I cannot eject the drive in Windows. I bought it directly in the Apple store, and it was shipped from Zurich... don't know what to do, guess I'm going to write Apple an angry e-mail...
This was added later:
Yeah, if I could... I tried to find their e-mail address on the Apple site, but nothing! They don't have a support e-mail address, just the (expensive) phone and the do-not-reply address. WHAT THE HECK!! If anyone has the e-mail, please post it here...
iPod Video 30gb 5th generation - 2 days old, Windows XP Pro
So as I understand it, you used it fine UNTIL after you enabled it as a removable hard drive?
I enabled mine right away and tried to eject it right after, so I don't know if this was the trigger factor.
Windows XP