19 Replies. Latest reply: Nov 3, 2006 10:48 AM by humminbird
dctrjons Level 1 (0 points)
JUST bought a 30Gig video Ipod. I connected it, downloaded the Itunes software and then sync'd my music and Podcasts. After which I changed the settings to use the Ipod as a drive. Instructed I would have to manually eject the drive.

Well I told ITunes to do so - "Cannot drive is still in use"
Closed ITunes and tried to eject it from Windows explorer and was given the same error. Closed all programs, taskbar, disconnected from the internet, still no luck.

Finally opened task manager and being very familiar with all processes that are legal on my machine I found 3 RavMonE.exe's running. Googled it and I have found several references but 99% of them are in foreign language and many relate to IPods...but did not bother to translate myself.

So my question is, anyone else JUST get an Ipod and encounter this. I see someone else stating their computer was locked up...I noticed severe slowdown when I went through trouble-shooting. I forcibly closed the RavMonE.exe processes and my IPod started working fine.

Windows XP, 4200+ AMD
  • 1. Re: RavMonE.exe ???
    b noir Level 9 (71,995 points)
    i'm afraid you're infected by a worm. for some more information about it, see:

    W32/RJump.worm
  • 2. Re: RavMonE.exe ???
    dctrjons Level 1 (0 points)
    Do I understand that this worm probably was always there, but didn't really activate till I hooked up a removable storage (ie my IPod)?
  • 3. Re: RavMonE.exe ???
    b noir Level 9 (71,995 points)
    ... that's my suspicion (if it was a brand new ipod fresh out of the box) ... i'm still not all that experienced with dealing with that worm, though, so i can't say that with confidence.

    if you download fresh definitions and run virus scans, does that pick up the worm? or is your antivirus currently saying that you are clean?
  • 4. Re: RavMonE.exe ???
    dctrjons Level 1 (0 points)
    A scan pointed to the specific file, but wouldn't remove it.

    I followed a page's instructions on worm removal...forget where. Safe-mode, and a program called Autoruns.

    Seemed to work for a day but it popped up again when I plugged in the IPod, which I had scanned after deleting the Rav executable in Safe-mode.

    So I tried a "Houdini" by setting the process priority to low on the new RavMonE, force ended the process and deleted the file in the C:\WINDOWS (which had come back after safe-mode deleting). This was before my first post and it hasn't come back since and scans have been clean.

    Another note is I have a 64mb flash I use regularly but didn't seem to trigger the process, so I don't know if this thing is designed specifically to 'wake-up' with the IPod connecting or the software (ITunes) running, but it seemed to be the case - hence my suspicion, despite my disbelief that it was likely ...if at all possible... that it came with the IPod.

    Having zero understanding how these are manufactured / formatted...etc.

    THANKS for the response though. Did not want to accuse just make my mark JIC there is some sort of relation between the two. Have had suspicious processes before and a Google quickly came up with the answers...the search for this one came up with a large number of foreign threads and the English ones didn't cry out good or bad as consistently as every other search I had done.

    Thanks again. Sorry for the length.

    Windows XP
  • 5. Re: RavMonE.exe ???
    dctrjons Level 1 (0 points)
    ....
  • 6. Re: RavMonE.exe ???
    dctrjons Level 1 (0 points)
    Er...problem again

    Attached my IPod to a new computer and RavMonE.exe popped up again. I checked the Ipod via explorer and in the root directory I found RavMonLog.exe.

    Googling that I get one english thread with no responses. Tons of foreign language ones though.

    ALSO PRISMXL.SYS popped up and I am wondering if this is enabling RavMon to function. I removed it from my other computer. I read it's harmless but I also read it's used to install other programs...which seems fishy.
  • 7. Re: RavMonE.exe ???
    b noir Level 9 (71,995 points)
    hmmmmm. i think we need to get you to a reputable malware removal help forum, where a specialist helper can give your system a thorough going-over with a HijackThis log to see precisely what's going on. (not trying to get rid of you here, it's just that we're out beyond the limits of my competence at the moment. i'd like someone with some better skills to have a look.)

    there's a nice list of reputable malware removal help forums given at the end of this document. (there are others out there, but this list gathers together a number of options for you.)

    doxdesk: other sites about parasites
  • 8. Re: RavMonE.exe ???
    dctrjons Level 1 (0 points)
    NP, thanks for the help I'll try it. Tried it on a third machine...no problems. Only difference is it's operating XP SP1 not XP media. So I'll go see what I can find out.
  • 9. Re: RavMonE.exe ???
    ChadA Level 1 (0 points)
    I'd just like to confirm the following, that a 30 gb IPOD, purchased 1 October 2006, out of the box from a big box store, does in fact contain the RAVMONE.EXE virus.
    The package was sealed from the factory.
    Upon connecting it to a PC with the latest signatures from both Symantec and McAfee antivirus, it immediately quarantined the .exe file.
    Also on the drive are the supporting files, an autorun.inf, msvcr71.exe.
    Disabling the AV software on a test system allowed the infection to occur, and confirmed that this is in fact a virus and not a false positive.

    See here for more details:
    http://vil.nai.com/vil/content/v_139985.htm
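
As an added illustration (not part of any post in this thread, and not Apple's or an antivirus vendor's tooling): a read-only check of a removable drive's root for the two things posters report finding there, an autorun.inf and an executable it launches. The autorun.inf contents in the sample are constructed, since the thread does not show the real file, and the function names are hypothetical.

```python
import os
import tempfile

EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")

def parse_autorun(text):
    """Return [(key, command)] for launch entries in the [autorun] section."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            key = key.strip().lower()
            # open=, shellexecute= and shell\<verb>\command= all start a program
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                entries.append((key, value.strip()))
    return entries

def target_of(command):
    """File name a launch command points at, without path or arguments."""
    command = command.strip()
    first = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
    return first.replace("\\", "/").rsplit("/", 1)[-1]

def audit_drive_root(root):
    """Report autorun.inf launch entries and executables in a drive's root."""
    by_lower = {n.lower(): n for n in os.listdir(root)}
    entries = []
    if "autorun.inf" in by_lower:
        with open(os.path.join(root, by_lower["autorun.inf"]), errors="replace") as fh:
            entries = parse_autorun(fh.read())
    targets = {target_of(cmd).lower() for _, cmd in entries}
    return {
        "autorun_entries": entries,
        "root_executables": sorted(n for n in by_lower.values() if n.lower().endswith(EXEC_EXTS)),
        "launched_present": sorted(by_lower[t] for t in targets if t in by_lower),
    }

def build_sample_root():
    """Constructed stand-in for an infected drive root (contents are assumed)."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
        fh.write("[AutoRun]\nopen=RavMonE.exe e\nshell\\Auto\\command=RavMonE.exe e\n")
    for name in ("RavMonE.exe", "Notes.txt"):
        open(os.path.join(root, name), "wb").close()
    return root

if __name__ == "__main__":
    print(audit_drive_root(build_sample_root()))
```

A non-empty `launched_present` list means the drive carries both the launch instruction and the file it names, which is the combination to quarantine before the drive is opened in Explorer.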
  • 10. Re: RavMonE.exe ???
    Chris CA Level 9 (74,885 points)
    "The package was sealed from the factory."
    You do know that stores have plastic sealing & packaging setups?
    They are not (usually) trying to mislead but returns and damaged plastic wrap can simply be resealed.

    Not to say it absolutely did not come from the factory with a worm on it, but doubtful.
  • 11. Re: RavMonE.exe ???
    laus Level 1 (0 points)
    Hi all

    I purchased an 80gb iPod, from a dept store in Bucks, UK, on 3rd October. After configuring it in iTunes 7 and plugging it back in, my AV software identified and quarantined the ravmonE.exe virus.
    As someone else mentioned, there was also an autorun.inf, but my PC gave me the option of running it or not ... so I didn't.

    My own PC is not infected (ie not in running processes), nor does it have that .exe on it.

    I think my iPod shipped with this file on the HDD.
  • 12. Re: RavMonE.exe ???
    dctrjons Level 1 (0 points)
    Tested it on the same computers again.
    Computer #1: (Windows XP MediaCE, ITunes installed) - When plugging in IPod RavMonE.exe process starts and installs in C:\Windows, and RavMonLog.exe appears on IPod root dir. Can delete both files and stop process...but when I double click the IPod root directory after closing RavMonLog.exe appears again after a couple seconds and RavMonE.exe is back on my machine.

    Computer #2: (Windows XP MediaCE, NO ITunes) - Same results.

    Computer #3: (ME upgraded with XP sp1 install, No ITunes) - No virus, no unusual processes. Can eject via Explorer no problem and access the hard drive. No file appears in root directory.

    Did this several times attaching it to each computer in different order, always same result. I'm stumped.
  • 13. Re: RavMonE.exe ???
    negrab Level 1 (0 points)
    exactly same problem. received ipod 30gb yesterday, no problems. activated removable drive today, virus warning (g-data internet security). blocked virus, deleted ravmondllautorun. no running task. in spite of that it shows on ipod screen "do not disconnect". and i can not eject the drive in windows. i bought it directly in the apple store, and it was shipped from zurich... dunno what 2 do, guess i'm gonna write apple an angry e-mail...

    This was added later:
    Yeah, if i could... i tried to find their e-mail address on the apple site, but nothing! they don't have a support e-mail address. just the (expensive) phone and the do-not-reply address. WHAT THE HECK!! if anyone has the e-mail, please post it here...
  • 14. Re: RavMonE.exe ???
    dctrjons Level 1 (0 points)
    So as I understand it you used it fine UNTIL after you enabled it as a removable-HD?

    I enabled mine right away and tried to eject it right after so I don't know if this was the trigger factor.