RavMonE.exe ???

Question

Level 1

0 points

RavMonE.exe ???

JUST bought a 30Gig video Ipod. I connected it, downloaded the Itunes software and then sync'd my music and Podcasts. After which I changed the settings to use the Ipod as a drive. Instructed I would have to manually eject the drive.

Well I told ITunes to do so - "Cannot drive is still in use"
Closed ITunes and tried to eject it from Windows explorer and was given the same error. Closed all programs, taskbar, disconnected from the internet, still no luck.

Finally opened task manager and being very familiar with all processes that are legal on my machine I found 3 RavMonE.exe's running. Googled it and I have found several references but 99% of them are in foreign language and many relate to IPods...but did not bother to translate myself.

So my question is, anyone else JUST get an Ipod and see encounter this. I see someone else stating there computer was locked up...I noticed severe slowdown when I went through trouble-shooting. I forcibly closed the RavMonE.exe processes and my IPod started working fine.

Windows XP, 4200+ AMD

Posted on Sep 22, 2006 9:51 PM

Reply

Answer 1

Best reply

b noir

Level 9

72,324 points

Sep 24, 2006 2:15 AM in response to dctrjons

i'm afraid you're infected by a worm. for some more information about it, see:

W32/RJump.worm

Reply

Answer 2

dctrjons Author

Level 1

0 points

Sep 24, 2006 10:26 PM in response to b noir

Do I understand that I this worm probably was always there, but didn't really activate till I hooked up a removable storage (ie my IPod)?

Reply

Answer 3

b noir

Level 9

72,324 points

Sep 25, 2006 10:54 AM in response to dctrjons

... that's my suspicion (if it was a brand new ipod fresh out of the box) ... i'm still not all that experienced with dealing with that worm, though, so i can't say that with confidence.

if you download fresh definitions and run virus scans, does that pick up the worm? or is your antivirus currently saying that you are clean?

Reply

Answer 4

dctrjons Author

Level 1

0 points

Sep 26, 2006 8:55 PM in response to b noir

A scan pointed to the specific file, but wouldn't remove it.

I followed a page's instructions on worm removal...forget where. Safe-mode, and a program called Autoruns.

Seemed to work for a day but it popped up again when I plugged in the IPod, which I had scanned after deleting the Rav executable in Safe-mode.

So I tried a "Houdini" by setting the process priority to low on the new RavMonE, force ended the process and deleted the file in the C:\WINDOWS (which had come back after safe-mode deleting). This was before my first post and it hasn't come back since and scans have been clean.

Another note is I have a 64mb flash I use regularly but didn't seem to trigger the process, so I don't know if this thing is designed specifically to 'wake-up' with the IPod connecting or the software (ITunes) running, but it seemed to be the case - hence my suspicion, despite my disbelief that it was likely ...if at all possible... that it came with the IPod.

Having zero understanding how these are manufactured / formatted...etc.

THANKS for the response though. Did not want to accuse just make my mark JIC there is some sort of relation between the two. Have had suspicious processes before and a Google quickly came up with the answers...the search for this one came up with a large number of foreign threads and the English ones didn't cry out good or bad as consistently as every other search I had done.

Thanks again. Sorry for the length. 🙂

Windows XP

Reply

Answer 5

dctrjons Author

Level 1

0 points

Sep 27, 2006 11:37 AM in response to dctrjons

....

Reply

Answer 6

dctrjons Author

Level 1

0 points

Sep 27, 2006 11:37 AM in response to dctrjons

Er...problem again

Attached my IPod to a new computer and RavMonE.exe popped up again. I checked the Ipod via explorer and in the root directory I found RavMonLog.exe.

Googling that I get one english thread with no responses. Tons of foreign language ones though.

ALSO PRISMXL.SYS popped up and I am wondering if this is enabling RavMon to function. I removed it from my other computer. I read it's harmless but I also read it's used to intall other programs...which seems fishy.

Reply

Answer 7

b noir

Level 9

72,324 points

Sep 27, 2006 12:19 PM in response to dctrjons

hmmmmm. i think we need to get you to a reputable malware removal help forum, where a specialist helper can give your system a thorough going-over with a HijackThis log to see precisely what's going on. (not trying to get rid of you here, it's just that we're out beyond the limits of my competence at the moment. i'd like someone with some better skills to have a look.)

there's a nice list of reputable malware removal help forums given at the end of this document. (there are others out there, but this list gathers together a number of options for you.)

doxdesk: other sites about parasites

Reply

Answer 8

dctrjons Author

Level 1

0 points

Sep 27, 2006 1:59 PM in response to b noir

NP, thanks for the help I'll try it. Tried it on a third machine...no problems. Only difference is it's operating XP SP1 not XP media. So I'll go see what I can find out.

Reply

Answer 9

ChadA

Level 1

0 points

Oct 3, 2006 9:09 AM in response to dctrjons

I'd just like to confirm the following, that a 30 gb IPOD, purchased 1 October 2006, out of the box from a big box store, does in fact contain the RAVMONE.EXE virus.
The package was sealed from the factory.
Upon connecting it to a PC with the latest signatures from both Symantec and McAfee antivirus, it immediately quarantined the .exe file.
Also on the drive are the supporting files, an autorun.inf, msvcr71.exe.
Disabling the AV software on a test system allowed the infection to occur, and confirmed that this is in fact a virus and not a false positive.

See here for more details:
http://vil.nai.com/vil/content/v_139985.htm

Reply

Answer 10

Chris CA

Level 10

82,434 points

Oct 3, 2006 9:18 AM in response to ChadA

The package was sealed from the factory.
You do know that stores have plastic sealing & packaging setups?
They are not (usually) trying to mislead but returns and damaged plastic wrap can simply be resealed.

Not to say it absolutely did not have come from the factory with a worm on it, but doubtful.

Reply

Answer 11

laus

Level 1

0 points

Oct 5, 2006 11:53 PM in response to Chris CA

Hi all

I purchased an 80gb iPod, from a dept store in Bucks, UK, on 3rd October. After configuring it in iTunes 7 and plugging it back in, my AV software identified and quarantined the ravmonE.exe virus.
As someone else mentioned, there was also an autorun.inf, but my PC gave me the option of running it or not ... so I didn't.

My own PC is not infected (ie not in running processes), nor does it have that .exe on it.

I think my iPod shipped with this file on the HDD.

Reply

Answer 12

dctrjons Author

Level 1

0 points

Oct 6, 2006 3:10 AM in response to laus

Tested it on the same computers again.
Computer #1: (Windows XP MediaCE, ITunes installed) - When plugging in IPod RavMonE.exe process starts and installs in C:\Windows, and RavMonLog.exe appears on IPod root dir. Can delete both files and stop process...but when I double click the IPod root directory after closig RavMonLog.exe appears again after a couple seconds and RavMonE.exe is back on my machine.

Computer #2: (Windows XP MediaCE, NO ITunes) - Same results.

Computer #3: (ME upgraded with XP sp1 install, No ITunes) - No virus, no unusual processes. Can eject via Explorer no problem and access the hard drive. No file appears in root directory.

Did this several times attaching it to each computer in different order, always same result. I'm stumped.

Reply

Answer 13

negrab

Level 1

0 points

Oct 6, 2006 11:32 AM in response to dctrjons

exactly same problem. received ipod 30gb yesterday, no problems. activated removable drive today, virus warninig (g-data internet security). blocked virus, deleted ravmon dllautorun. no running task. in spite of that it shows on ipod screen "do not disconnect". and i can not eject the drive in windows. i bought it directly in the apple store, and it was shipped from zurich... dunno what 2 do, guess i'm gonna write apple an angry e-mail...

This was added later:
Yeah, if i could... i tried to find their e-mail address on the apple site, but nothing! they don't have a support e-mail address. just the (expensive) phone and the do-not-reply address. WHAT THE HECK!! if anyone has the e-mail, please post it here...

Reply

Answer 14

dctrjons Author

Level 1

0 points

Oct 7, 2006 7:53 PM in response to negrab

So as I understand it you used it fine UNTIL after you enabled it as a removable-HD?

I enabled mine right away and tried to eject it right after so I don't know if this was the trigger factor.

Reply

Answer 15

stc3

Level 1

0 points

Oct 10, 2006 10:12 PM in response to dctrjons

I also bought a 30gb video ipod from a retail apple store on October 7th which contained the RavMonE.exe and autorun.inf files preinstalled. Just for reference, this was from the Cleveland retail store at Legacy Village. I was surprised at first when kaspersky anti virus picked up on the files off my sealed ipod. I thought it was a fluke at first, but upon opening the ipod directory, the files were indeed present.I also have to add that my system is clean and checked daily with multiple virus and spyware scanners, so I am certain it was not from a previous infection that copied itself over. I then performed a restore of the ipod off of itunes 7, after which the files were no longer present. In any case, I'm not sure what to make of it, though I think apple should be notified of the issue, since from looking at this thread, it is not an isolated event. As many users are not that up-to-date with anti-virus protection, I'm assuming that most of these cases are just slipping by unnoticed (or hopefully just automatically resolved by anti-virus software). Just out of curiosity, where did the other people in this thread get your ipods at? It seems to be in the latest batches though...

Reply