WiredWX Hobby Weather Tools

 


Solved: Can anyone explain this to me ??

I got this script from my pendrive, which was infected by a trojan

[AutoRun]
open=RavMon.exe
shell\open=´ò¿ª(&O) // what does this mean ??
shell\open\Command=RavMon.exe
shell\explore=×ÊÔ´¹ÜÀíÆ÷(&X // what does this mean ??
shell\explore\Command="RavMon.exe -e"

Earlier I had tried several times to autorun my USB but that didn't work, so I am trying to use this code, which works.

Solved: Re: Can anyone explain this to me ??

Ravmon.exe is actually a virus also known as W32.Nomvar, which is a worm that copies itself to the root of all drives, including removable and shared drives, and downloads potentially malicious files onto the compromised computer. So follow this removal process:

1. Confirm that you have the Ravmon.exe virus. Right-click on any drive; if you see invalid characters in the menu, you are infected.

2. You have to stop the process of the virus: open Task Manager (Ctrl+Alt+Del), go to the Processes tab and find the program named "SVCHOST.EXE". There will be a few more svchost in lower case, but you have to terminate the one which is written in CAPS. If you see more than one "SVCHOST.EXE" (all caps), end the one with your username in front of it instead of LOCAL SERVICE, NETWORK SERVICE or SYSTEM.

3. Delete the virus files. For this you need to show system protected files. For this go to
My Computer > (Menu) Tools > Folder Options > (Tab) Views > Uncheck "Hide System protected files" > Press OK
If you are unable to unhide the system files you can use 3rd-party software to browse the drive and delete files; try ACDsee or WinRAR.

Now you have to delete these two files:

1. Autorun.inf

2. Ravmon.exe

from all drives. Access drives by typing the drive letter in the address bar.

4. Once you are done with it, open the Windows folder (by address bar) and delete SVCHOST.EXE, SVCHOST.dll and MDM.exe.
Now restart the explorer.exe process by killing it in Task Manager and running it again [(Winkey + R), type "explorer" and hit Enter].

Right-click on any drive and you will find valid characters. The virus is removed.

This is optional as files are deleted from drives.

Remove MDM.exe from start-up. Press Winkey+R, type "msconfig", hit Enter. Go to > (Tab) Start-up > Uncheck "MDM.exe" > OK > Exit without Restart.

To ensure that you are no longer infected, download a copy of HijackThis and save it to your desktop in a folder. Do a scan and save the HijackThis logfile. Do not remove anything. Post your log file here. Link to HijackThis:

http://castlecops.com/zx/Merijn/hijackthis.zip
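
Added example, not part of the original posts: a Python check that reads an autorun.inf like the one quoted in the first post, lists every entry that launches a program, and recovers right-click menu labels that show up as "invalid characters". The function names are hypothetical, the sample is constructed from the file quoted above, and the example assumes the labels are GBK (Simplified Chinese) text displayed as Latin-1.

```python
import re

# Constructed sample: the autorun.inf quoted in the first post, as the page shows it.
SAMPLE = (
    "[AutoRun]\n"
    "open=RavMon.exe\n"
    "shell\\open=´ò¿ª(&O)\n"
    "shell\\open\\Command=RavMon.exe\n"
    "shell\\explore=×ÊÔ´¹ÜÀíÆ÷(&X\n"
    "shell\\explore\\Command=\"RavMon.exe -e\"\n"
)

# Keys that make Explorer start a program, and keys that only set a menu caption.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
LABEL_KEY = re.compile(r"^shell\\[^\\]+$", re.I)

def recover_label(label):
    """Undo GBK bytes mis-read as Latin-1 (assumption); None if not applicable."""
    try:
        fixed = label.encode("latin-1").decode("gbk")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return None
    return fixed if fixed != label else None

def audit_autorun(text):
    """Return (launch_entries, recovered_labels) for the [AutoRun] section."""
    launches, labels, in_section = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key):
            # Keep only the program name, dropping quotes and arguments.
            launches.append((key, (value.strip('"').split() or [""])[0]))
        elif LABEL_KEY.match(key):
            labels[key] = recover_label(value)
    return launches, labels

if __name__ == "__main__":
    found_launches, found_labels = audit_autorun(SAMPLE)
    for key, target in found_launches:
        print(f"{key} launches {target}")
    for key, label in found_labels.items():
        print(f"{key} menu label decodes to: {label}")
```

On the sample, the two labels decode to 打开(&O) and 资源管理器(&X, the Chinese-language Windows menu captions for Open and Explorer, and all three launch entries point at RavMon.exe.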

Solved: Re: Can anyone explain this to me ??

Hi doc,

Thanks for replying.
I have 4 svchost.exe running.
When I insert my pendrive my NOD32 tells me that svchost.exe tried to create a file setup.exe in the USB drive.

That means it is infected by a worm, and as you say, there is no svchost.exe in the Task Manager with all in caps.
How to find it?
And there are many ports open on my system. I have a firewall, but it is configured to allow system32/svchost.exe, and if I disallow it my internet won't work.
So I think I need to format my PC.

Can you upload a bootable CD and provide me the link so that I can download it and run a scan from boot to remove the trojan ?? Or tell me how can I get for NOD32?? Like it is available for Quick Heal users.

Thanks again

Solved: Re: Can anyone explain this to me ??

You mean upload a Windows XP CD? I can't.

I guess you are using an OEM version of Windows; you should still have a partition dedicated to PC recovery or a bootable disc that you should have made when you got your PC.

Recover your computer using the "destructive" format. It usually appears under the Start Menu - PC Recovery or something like that.

Solved: Re: Can anyone explain this to me ??

Hi doc,
Thanks for replying again.

I think I will make one using Quick Heal myself.

Thanks

Solved: Re: Can anyone explain this to me ??

*********************************************************

This subject has been addressed or corrected. The subject is closed.

*********************************************************
