Author Topic: Ravmon.exe Suddenly passed by Avast  (Read 5837 times)

tutelageous

  • Guest
Ravmon.exe Suddenly passed by Avast
« on: July 22, 2007, 10:24:16 AM »
I once took a flash disk to a friend to copy a file. His machine running McAfee detected a virus (ravmon.exe) and cleaned it. I was surprised because I had checked the flash disk on my wife's computer running a licensed version of a "top-rated" antivirus. My dell notebook (Xp-professional) computer runs avast (free version) and has always shouted "virus, virus" (usually this ravmon.exe) whenever I copy a file from my wife's computer.

Last week again, I wanted to scan a flash disk from a friend. I saw Avast list ravmon.exe among the files on the flash disk, but it did not raise any alarm for me to tell it what to do (e.g. delete). I scanned again, the same thing. Again, I tried to retrieve a file from my wife's computer and it was ZoneAlarm (free version), not Avast, that told me that ravmon.exe wanted to access the trusted zone and also wanted to connect to the internet. I denied it permission.

Oh, What about my wife's computer? She paid for 2-years internet suite and she still has over 1 year to run. The vendor wanted me to disable the antivirus, zip the antivirus and send it to them for analysis. I am not a techie and cannot handle any convoluted process. So I may get somebody to do what they want or just go ahead and uninstall completely. To be fair, this licensed internet suite often detects some malware (win.32........I don't remember their full names) that Avast does not pick up.   

My question - has Avast been compromised by this ravmon.exe?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Ravmon.exe Suddenly passed by Avast
« Reply #1 on: July 22, 2007, 10:46:31 AM »
Hi tutelageous,

Quote
My question - has Avast been compromised by this ravmon.exe?

Well, it could be a new version that isn't detected.

You could submit the file to VirusTotal to check:

http://www.virustotal.com/

(Not a convoluted process: locate the file with 'browse' then click 'send'.)

To check for an infection by the malware, look for ravmon.exe as a running process, a file on your computer, and a registry entry, as described below.

(See the highlighted instructions:

Process->Task Manager>Process tab
File->file
Registry->Regedit-navigate)

Quote
CLEAN INSTRUCTIONS

1. Right click on an empty space from the taskbar (or right click on the clock from the right corner) and select Task Manager.


- Select the Processes tab, locate ravmon.exe, right click on it and select End Process
- Delete the following file: C:\Windows\ravmon.exe

 

2. To clean the removable storage device (USB stick, PEN drive etc.) right-click on your USB stick / PEN drive icon and select Explore.

NB: Be careful NOT to double-click the icon because the malware will be reactivated.

- Locate and delete the autorun.inf and ravmon.exe files

3. Click on Start, Run, type regedit and click on OK.

NB: Before you edit the registry, please export the keys that you plan to edit, or create a backup of the system.

- Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Delete the "RavAV" = "C:\windows\ravmon.exe"
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog
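
The checks described in the post above (running process, file in the Windows folder, Run-key entry, and the root of the removable drive), as an added read-only PowerShell example; it is not part of the original post. The function name is hypothetical and PowerShell 3.0 or later is assumed; the file names, path and registry key are the ones quoted in this thread.

```powershell
# Read-only triage for the indicators named in the post above; nothing is deleted.
# Assumes PowerShell 3.0+; Find-RavmonIndicator is a hypothetical helper name.
function Find-RavmonIndicator {
    $names  = @('ravmon.exe', 'RavmonE.exe')   # file names mentioned in this thread
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

    # 1. Running process (Get-Process expects the name without ".exe").
    foreach ($n in $names) {
        $base = [IO.Path]::GetFileNameWithoutExtension($n)
        foreach ($p in @(Get-Process -Name $base -ErrorAction SilentlyContinue)) {
            [pscustomobject]@{ Check = 'Process'; Detail = "$($p.Name) (PID $($p.Id))" }
        }
    }

    # 2. File in the Windows directory. -Force also returns hidden/system files.
    foreach ($n in $names) {
        $path = Join-Path $env:windir $n
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            [pscustomobject]@{ Check = 'File'; Detail = "$($item.FullName) [$($item.Attributes)]" }
        }
    }

    # 3. Any value under the Run key (e.g. "RavAV") whose data points at ravmon.
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ("$($prop.Value)" -match 'ravmon') {
                [pscustomobject]@{ Check = 'RunKey'; Detail = "$($prop.Name) = $($prop.Value)" }
            }
        }
    }

    # 4. Root of each removable drive (DriveType 2), listed from the shell so
    #    the drive icon is never double-clicked. autorun.inf is listed for review.
    $wanted = $names + 'autorun.inf'
    foreach ($d in @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2')) {
        $root = "$($d.DeviceID)\"
        Get-ChildItem -LiteralPath $root -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -in $wanted } |
            ForEach-Object {
                [pscustomobject]@{ Check = 'Removable'; Detail = "$($_.FullName) [$($_.Attributes)]" }
            }
    }
}

Find-RavmonIndicator | Format-Table -AutoSize -Wrap
```

The Attributes column shows whether a file carries the Hidden or System flag, which an ordinary Explorer view does not display.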

Offline FreewheelinFrank

Re: Ravmon.exe Suddenly passed by Avast
« Reply #2 on: July 22, 2007, 10:58:17 AM »
Quote
The vendor wanted me to disable the antivirus, zip the antivirus and send it to them for analysis.

You won't need to disable the anti-virus if it's not detecting the file.

You'll need a program like ZipGenius or 7Zip:

http://www.snapfiles.com/Freeware/downloader/fwzip.html

In ZipGenius, this is the process:

Right click the file, select ZipGenius>Create Archive with options>Main Settings

Tick the password box and enter a password. ('virus' is normal)

Confirm the password when prompted.

7Zip is even easier as I recall but I don't have it on my system at the moment.

tutelageous

  • Guest
Re: Ravmon.exe Suddenly passed by Avast
« Reply #3 on: July 24, 2007, 08:09:47 AM »
Thanks FreewheelinFrank,

I detected RavmonE.exe (that is actually the correct name) on my wife's computer (the one running a licenced internet security suite) under processes (within Windows task manager). I was grateful for the opportunity to kill (end process). It is actually residing within C:\windows folder and I have been able to zip and mail it to the vendor. I was lucky that Yahoo virus scanner was temporarily unavailable at the time of attaching it, otherwise, it may have prevented me from mailing it.

Virustotal reported that it is malware, actually about 26 of the various antivirus software detected it but could not agree on the name - worm, win32, ....jump were the common names. Only 6 software (including the one my wife is using) say that it is clean.

Avast incidentally reported it as Win32:RJump-B from Virustotal, but it still passes it (I can see it as it is scanning) on my computer when I put in the USB drive. My Avast signature is up to date. Right clicking Explore does not reveal it under my computer. To see it, you have to be watching Avast as it is scanning the files.  I do not think my own computer is infected - RavmonE.exe is not within C:\windows and it does not show up under running processes within windows task manager.

Thanks anyway. There is a new post on the topic (how to delete RavmonE, autorun...without antivirus), the author calls them the TRIO, and I have just skimmed it. I will read it in detail later and act.

Thanks once again

Offline FreewheelinFrank

Re: Ravmon.exe Suddenly passed by Avast
« Reply #4 on: July 24, 2007, 09:24:44 AM »
Curious.

To recap, avast! does not detect a known malware file on a USB drive, even when claiming to be scanning the drive.

The only possibility I can think of is that the file is in archive form on the drive and you do not have 'scan archives' enabled, but you said the file was an .exe file.

Does avast! detect the file if you right click on it and select scan with avast!?

Are the resident shield settings set to normal or have you customised the settings?

Maybe somebody else will have an idea why this is happening.




QEHNick

  • Guest
Re: Ravmon.exe Suddenly passed by Avast
« Reply #5 on: July 24, 2007, 11:26:42 AM »
Sounds very much like what was happening at my workplace.
The virus was not detected "on-access" but was when an "on-demand" scan was performed.
Eventually the geniuses at the avast! virus labs concocted an evil smelling brew which killed the damn thing off, even from USB devices.

It may be another variant you have there, send it off asap.

tutelageous

  • Guest
Re: Ravmon.exe Suddenly passed by Avast
« Reply #6 on: July 25, 2007, 08:11:18 AM »
Quote
Curious.

To recap, avast! does not detect a known malware file on a USB drive, even when claiming to be scanning the drive.

The only possibility I can think of is that the file is in archive form on the drive and you do not have 'scan archives' enabled, but you said the file was an .exe file.

Does avast! detect the file if you right click on it and select scan with avast!?

What I do is insert the USB disk into my computer, go to my computer and right click the removable drive icon and ask Avast to scan it. I try to watch the files as Avast lists and scans them. My previous experience was that Avast would list this particular file and immediately raise an alarm. Of course I would ask it to delete all of it. However, Avast no longer does that. It now lists the file and passes it without any alarm that it is a virus. If I open the USB file normally to work on it, I won't see it. I will only see files like word doc, powerpoint, but not this RavmonE.exe. Yet I know that it is there (having seen as it was being scanned) and I did not copy it onto the USB disk.

Avast detected it when I passed it through Virustotal, although that service just tells you about the viruses without doing anything about it. (Incidentally something just occurred to me - why don't they find a way of making this virustotal available to users normally - to scan and disinfect files. Although I can guess 2 reasons why they will not agree)

One thing, how do you enable archives scan in Avast? I have been trying to do it, but I don't know how to.

Thanks once again

Offline FreewheelinFrank

Re: Ravmon.exe Suddenly passed by Avast
« Reply #7 on: July 25, 2007, 10:02:27 AM »

tutelageous

  • Guest
Re: Ravmon.exe Suddenly passed by Avast
« Reply #8 on: July 28, 2007, 12:26:56 PM »
Thanks FreewheelinFrank

Now I got it - how to scan archive files. But really how do you take those screen shots and how do you paste them on your message?

Thanks very much, once again

MeDIeVaL

  • Guest
Re: Ravmon.exe Suddenly passed by Avast
« Reply #9 on: July 28, 2007, 12:48:13 PM »
Can you post a screenshot?
To know how to post a screenshot, see http://forum.avast.com/index.php?topic=8982.0
You can use Gadwin PrintScreen to get a screenshot (http://www.gadwin.com/printscreen/) or the free version of WinSnap 1.1.10 (http://www.filehippo.com/download_winsnap/?2173).

Or you can press PrtScr button on your keyboard, paste it to Paint, Fireworks etc then upload it to any filehosting website. Get their link and paste it here...

Offline FreewheelinFrank

Re: Ravmon.exe Suddenly passed by Avast
« Reply #10 on: July 28, 2007, 05:50:14 PM »
I used the old freeware version of Faststone Capture, sadly now replaced by a trialware version.

The image button above allows you to post a picture. Your ISP may well provide some free web space you can use.