StyleZ.BLOG @ Republic Polytechnic

July 2, 2007

A Guide to fix the Thumbdrive Virus; RavMonE.exe Part 2!

Filed under: Daily stuff,Every Little Thing — Jasper Mah @ 10:03 pm

Hello All! StyleZ.Blog is updated once again with the latest guide to fix your harddrive & thumbdrive viruses! In today’s guide, I will illustrate how to fix the Autoplay/Auto issue, where the word “Auto” appears in the menu when you right-click your thumbdrive/harddrive.

So what problem does the “Auto” cause if triggered or activated by the user (which is you!)?

When your hard disk or thumbdrive has been previously infected with the viruses as listed below:

RavMonE.exe

Cn911.exe

sxs.exe

wservers.exe

or other variants of other viruses that infect thumbdrives, the virus will create this Autoplay function.

When you successfully remove a thumbdrive virus with an antivirus of any brand, you will normally assume your thumbdrive/harddrive is clean and that you can access it immediately.

With the recent outbreak of viruses, not many people notice this and most just ignore it, but did you know?

The virus is not completely wiped out from your thumbdrive simply by using the general antivirus products available in the market. From my testing so far, only Kaspersky products such as Kaspersky Internet Security & AOL Active Virus Shield have successfully removed this “Autorun” problem.

OH MY GOD! Then what do I do if I don’t have these antiviruses installed?

Fret not! In today’s guide, I shall illustrate how you can remove the “Autorun” problem successfully with included screenshots!

NOTE : This guide is only useful if you have confirmed your laptop is now free of virus threats, as this guide will not work efficiently if you use it on a computer still infected with RavMonE.exe or its variants as mentioned.

So without further ado . . . . . .

—————————————————————————————————————————-

1. Open My Computer, look for the Tools menu, and select Folder Options.

[Screenshot: Folder Options]

—————————————————————————————————————————-

2. Go under the View Tab as shown in the screenshot below.

[Screenshot: Folder Options 2]

—————————————————————————————————————————-

3. In the Advanced Settings below, make sure that “Show hidden files and folders” is selected and “Hide protected operating system files” is unchecked. If asked whether to proceed, choose Yes. Then choose Apply and press OK.

[Screenshot: Folder Options 3]

—————————————————————————————————————————-

4. After you have done that, open the harddrive that has been infected with the “Autorun” issue. When opening the drive, please right-click it and select Open or Explore. DO NOT, at any point, select AutoRun or (O)Open to access the drive. Once you are in the drive, you should be looking at something like the screenshot below.

[Screenshot: Local Drive]

From this point on, follow the instructions carefully and do not delete any file unnecessarily. If you do not follow the instructions and delete the wrong file, it may cause an improper boot or startup that will not allow you to access your Windows.

There are important system files revealed when your local drive has the option “Hide protected operating system files” unchecked. Do not touch them!

1. Look for the file called Autorun.inf

2. It should be shaped like an orange gear with a notepad in the background as its icon.

3. Select it and delete it.

4. Check whether other files such as Cn911.exe, sxs.exe and Ghost.exe are present.

5. If those files mentioned above are present, please select them and delete them as well.
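
As an added example (not part of the original guide), this read-only Python script does the looking described in the list above without deleting anything: it finds Autorun.inf in a drive root, skips `;` comment lines, and reports each program the file would launch along with any file names this guide mentions. The function names and the temporary sample folder are assumptions made for illustration.

```python
import os
import re
import tempfile

# File names this guide lists as thumbdrive malware (matched case-insensitively).
KNOWN_BAD = {"ravmone.exe", "cn911.exe", "sxs.exe", "wservers.exe", "ghost.exe"}
# [AutoRun] keys that make Explorer start a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)


def launch_targets(inf_text):
    """Return [(key, program)] for each launch entry in the [AutoRun] section."""
    found, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or ';' comment/junk
            continue
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key) and value:
                # The program is the first token; anything after it is arguments.
                quoted = value.startswith('"')
                program = value[1:].split('"')[0] if quoted else value.split()[0]
                found.append((key.lower(), program))
    return found


def audit_drive(root):
    """Read-only check of a drive root; nothing is deleted or changed."""
    entries = {name.lower(): name for name in os.listdir(root)}
    name = entries.get("autorun.inf")
    report = {"autorun_inf": name, "launches": []}
    if name and os.path.isfile(os.path.join(root, name)):
        with open(os.path.join(root, name), "r", encoding="latin-1") as fh:
            for key, program in launch_targets(fh.read()):
                in_root = program.lower() in entries  # target sits beside the .inf
                report["launches"].append((key, program, in_root))
    report["known_bad"] = sorted(entries[n] for n in KNOWN_BAD if n in entries)
    return report


def build_sample_drive():
    """Constructed sample: a temp folder laid out like an affected drive."""
    root = tempfile.mkdtemp(prefix="sample_drive_")
    inf = ("; constructed junk comment\n[AutoRun]\nopen=RavMonE.exe e\n"
           "shell\\Auto\\command=RavMonE.exe e\nshell=Auto\n")
    with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
        fh.write(inf)
    for name in ("RavMonE.exe", "notes.txt"):  # empty placeholder files
        open(os.path.join(root, name), "w").close()
    return root


if __name__ == "__main__":
    print(audit_drive(build_sample_drive()))
```

To check a real drive, call `audit_drive` with its root (for example `"E:\\"`) instead of the sample folder.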

Note :

For Thumbdrives/USB Mass Storage Devices like your Harddisks, Memory Sticks, SD Cards, Mp3 Players, after you have done the steps mentioned above, you can remove your USB device and plug it back into your laptop or desktop. The “Autorun” problem mentioned should be gone! Congratulations!

For Local Drives, such as your internal C:\ drive or D:\ drive (not the CD drive, but the second partition you may have), you will have to restart your laptop/desktop to see the effect. Once again, congratulations!

Note 2 :

Please remember to go back to your Folder Options, re-check “Hide protected operating system files” and make sure “Do not show hidden files and folders” is selected. Since you are no longer fiddling/meddling with the “Autorun” issue, it is best not to risk the crazy mistake of deleting the wrong bootup file!

5. You have just learned how to remove virus problems involving your thumbdrives/harddrives yourself! Congratulations! Although this is a short method, there are also other methods to deal with the “Autorun” issue if you ever encounter it. One of them involves registry editing. I shall share that method once I have finished trying it out!

DISCLAIMER : This guide can be freely distributed, but it shall not be used for any commercial or illegal purposes to sell to staff/students of RP or anyone in particular, and this guide is not exactly perfect, so I apologise in advance if I have caused any confusion. If you have any suggestions or opinions, please leave them in the comments section, or mail me at 63183@myrp.edu.sg for any enquiries.

I understand that there are actually a few methods to solve the thumbdrive problem, so this is a suggestion from me. I welcome all other suggestions and ideas from anyone else.

Thank you for reading this guide, and I hope you have understood it and enjoyed your time here.

Thank you.

– StyleZ

“Play with Originality, Play with StyleZ”

36 Comments »

  1. thank youuu so much! this stupid ravmon thing was on my desktop,laptop, harddrive, and flash memory!! and thanks to your guide i was finally able to get rid of it!! but i have a problem i used the guide above and it worked on my harddrive but when i try to delete autorun and sxs on my flash memory it only lets me delete one at a time and when i delete one of them the other reappears!! i’ve tried deleting them 100x and they keep reappearing!! oh and a hidden folder called recycled also keeps appearing! please help!! and thanks again

    Comment by areej — July 8, 2007 @ 9:34 pm | Reply

  2. I have a problem that the option of show hidden files is no longer working
    Does that mean I must re install windows or is there a way to fix that problem?

    Comment by anagamil — July 16, 2007 @ 5:36 am | Reply

  3. hi it really works! Thank you!

    Comment by jy — July 17, 2007 @ 5:53 pm | Reply

  4. 10s for providing the guide of manual removing RavMonE.exe bug. It is so USEFUL. this bug has been hidden in my pc, laptop, thumbdrives, external hardisc, mp3 since months ago. AVG is useless! It can’t even detect it!

    i oso encounter the autorun problem in my external hardisc. i follow the guides above to fix it but two files: RECYCLER and SYSTEM VOLUME INFORMATION cannot be deleted. PLEASE HELP ME!!! please email me if u have find de solution.

    thank you very much…hope to hear from u soon….

    Comment by Priscilla — July 24, 2007 @ 1:09 am | Reply

  5. I think the alternative way (if the file autorun.inf is not possible to be deleted) is to remove it by editing it. Open the file autorun.inf (can use notepad). Then, you will see something like this:

    [AutoRun]
    open=RavMonE.exe e
    shellexecute=RavMonE.exe e
    shell\Auto\command=RavMonE.exe e
    shell=Auto

    Delete all except the first line [AutoRun] and then save the file. At least if it cannot be deleted, it will not run automatically.
    Sorry if it doesn’t work.

    Comment by shah — July 25, 2007 @ 4:11 pm | Reply

  6. thank you thank yu thank you! *muah* *hug* (and more..!) 😀

    Comment by shallu — August 3, 2007 @ 9:04 pm | Reply

  7. hello, it seems that the ravmone has evolved, if i try to access it or delete it in any way it says “cannot delete *.inf/exe: the disk is write protected” even if its not..

    hmmmnnn im sure you can help me with this problem.. thnx in advance. ^_^ .v..

    Comment by Magnus — August 16, 2007 @ 5:36 pm | Reply

  8. we cannot delete, rename or open it in flash memory. also i could not remove the attrib, none of -h -s -r attribs

    Comment by Abdul moqim — August 21, 2007 @ 2:19 pm | Reply

  9. Dear Stylez, Im sure u have known by now how much help u have been to ppl who have googled for RavMonE. Hats off to u. Keep up the good work!!

    Comment by maya — September 4, 2007 @ 3:07 am | Reply

  10. i removed the virus caused by cn911.exe but now i don’t get the autoplay options when i plug my ipod or camera. everything usb appears in my pc but as storage not as a device. what files were infected by this trojan? can i replace them so as to get functionality back? thanks.

    Comment by mechi — September 24, 2007 @ 10:37 pm | Reply

  11. Thank you so very very very much… RavMonE was giving me and my family a headache.. It was infecting our desktop, notebooks, external HDDs and thumbdrives.. I followed every single step even down to the “bwahahhaha” evil laugh part.. Haha. Thanks again.. You’re brilliant! 🙂

    Comment by koktee — October 20, 2007 @ 3:08 pm | Reply

  12. Thanks man u are 2 gud but I experienced a virus that at start up automatically activates the notepad with a title Flu Bhurung and keeps opening at intervals.

    Comment by Sireemoxxy — November 10, 2007 @ 8:04 pm | Reply

  13. hey StylZ
    I have this particular problem with only one local drive while others are working normally. The files those you had suggested to delete are not existing on my PC or that infected localdrive(thumbdrive). Please suggest me some alternative.

    Comment by Jaimit — December 11, 2007 @ 8:06 pm | Reply

  14. Dear stylz,
    I got the same problem while deselecting the options from step 3. if i close that window and open it again it remains selected as before.
    Now i have some important docs in hidden folders. want your help to recover my files.
    Thanks in advance
    regards,
    prashant

    Comment by prashant — December 27, 2007 @ 2:01 pm | Reply

  15. Hi, I followed your steps BUT i dont have any of the files that u said to delete. In other words then if i restart it should just work…Taking into consideration that if i had to delete those files but they aren’t there, then its the same thing ? right? When i restart and try to open my computer it works the 1st time. The second time it just freezes up. I can explore my drives though. You think the virus is still there OR is a file just corrupt ?

    Comment by COSTA — February 22, 2008 @ 5:36 pm | Reply

  16. i have ravmon on my usb i cant access 12 folders that i had saved..is there any chance of recovering them..please help

    Comment by nazma — February 27, 2008 @ 10:01 pm | Reply

  17. I cant seem to find the Folder Options. Help lol?

    Comment by LOL — March 5, 2008 @ 8:41 pm | Reply

  18. i cant find the autorun.inf mentioned in step4. && a “system” file kept coming out whenever i restart the laptop. any solutions?

    Comment by yyann — March 28, 2008 @ 10:57 am | Reply

  19. Hey any1 out there .. if possible can u help me .. i have a virus whereby when i open my local hard drive i.e C:,D:..etc.. i get a dialog sayin open with a certain file (so select any program thing… ) But i can only access my drives by windows explorer n going through the left panel.. so if any1 can
    help me out as soon as possible .. plz do so.. n 1 more thing any file i burn on a cd or copy to my removable harddrive and take it to some1’s computer they too get the same virus.. plus i read the above replies about “checking the show hidden folders” and “unchecking hide protected file..etc”.. the hide protected checkbox works but after pressing the show hidden files checkbox.. i c no result i.e when i go back to folder options ->view its unchecked AUTOMATICALLY!!.. so plz do help me out and cant recognise which virus or trojan it is .. and i am using AVG antivirus with Windows XP SP2..

    Ohh 1 more thing before the Affect of the virus in the starting whenever i open any drives they open in another dialog.. i know u must be thinkin tht i have to go uncheck it in folder options thing.. its all perfect there but still its the same thing then later onn is when i couldn’t access the drives..

    and in regedit i was exploring through it, some areas there where values like of different jumbled up words or bullets and numbering kind of a thing..
    And just to inform i cannnnot FORMAT my drive i have important files on it..as i said if i back it up the virus gets in it 2..

    REPLY FAST PLZ!!

    regards,
    Vieldside

    Comment by Vieldside — March 30, 2008 @ 7:40 am | Reply

  20. It me again just to subtract a few stuff from the previous post .. i went to WinRAR to view those files in C: drive i have the following files so plz guide me what to do :

    Documents and Settings
    Program Files
    RECYCLER
    System Volume Information
    WINDOWS
    AUTOEXEC.BAT
    autorun.inf
    avi_log.txt
    BOOT.BAK
    boot.ini
    cme.dat
    CONFIG.SYS
    hiberfil.sys (system file its size 267MB)
    htsetup.err
    IO.SYS
    MSDOS.SYS
    NTDETECT.COM
    ntldr
    pagefile.sys (system file.. its size 406MB..???:S)

    so help me out ppl..:D..thx

    regards,
    Vieldside

    Comment by Vieldside — March 30, 2008 @ 7:46 am | Reply

  21. and in tht Autorun.inf file the following is written: (its Scary ppl)

    ;DD3kLss03A2DS4a2alLLlq37lDsKJ3oilaKk2caw0adJ34Cqo7dkkeow92eALrr4aSqd3ldKk2wD8wsdJq01Siw1roSFLa1ws15kl9sl6orkik
    [AutoRun]
    ;Lc13raZAajawrk0I68L5JL532lsd4kwZ4eDqsA3as8flkl52K2LDsk3KaLoJoe9la4pf3wK1jd0aw7eFra9sdlfal42qDiqa33pJ9
    open=un9.cmd
    ;379Ddkwoiad5S2aa5iww8skrwae0KdAdai9m5lJ64lpLkalqicalocADjqDK0qww7leAAss9L91
    shell\open\Command=un9.cmd
    ;KfLdS64sal73D7k8DsiaJ4L92a0aiaAiUk2lee0qwm7jK39lZ2j9kkdKkAKs2r5piep1LrsKd8Kw0Cll35S4
    shell\open\Default=1
    ;l4Dkfjkk703wkwj3kJja2DfiaKdKdLo
    shell\explore\Command=un9.cmd
    ;w3laq3okLLcqf430lriaJ6A2wak1dsr802Kial4wKl4e7j2KIl3aqs5s7A3l3ioKAJ4k8ojKkD4e1i5wfA0qDqs31rDiiD40Kda4a

    Comment by Vieldside — March 30, 2008 @ 8:03 am | Reply

  22. Hey any1 out there .. if possible can u help me .. i have a virus whereby when i open my local hard drive i.e C:,D:..etc.. i get a dialog sayin open with a certain file (so select any program thing… ).I need to open my hard disks by double clicking on it or right click open/explore. But i can only access my drives by windows explorer n going through the left panel.. so if any1 can
    help me out as soon as possible ..

    Comment by massi — May 23, 2008 @ 2:42 pm | Reply

  23. Hey any1 out there .. if possible can u help me .. i have a virus whereby when i open my local hard drive i.e C:,D:..etc.. i get a dialog sayin open with a certain file (so select any program thing… ) But i can only access my drives by windows explorer n going through the left panel.. so if any1 can
    help me out as soon as possible ..

    Comment by massi — May 23, 2008 @ 2:43 pm | Reply

  24. WOW thanks I am able to remove it. By the way I found a file name called RECYCLER and SYSTEM VOLUME INFORMATION are they viruses or what? How can i remove that ?

    Once again thanks a lot

    Comment by tewonat — June 24, 2008 @ 9:02 pm | Reply

  25. I have the same problems as wht is mentioned in 23 & 24… pls help us…

    Comment by Jane — July 14, 2008 @ 2:12 am | Reply

  26. hi, i’m confused. My external hard disk has the RavMonE virus. when i went E:/Tools/Folder Options and clicked “Show hidden files and folders” and unchecked “Hide protected operating system files”, i saw the files: RavMonE which is an application, AUTORUN, msvcr71.dll and the folders: Recycler, Recycled and System Volume information. i tried deleting the AUTORUN file first, then the RavMonE.exe and then the msvcr71.dll
    When i unplugged and plugged it back. the three files that i have deleted were back. what should i do to delete the RavMonE virus on my external hard disk? pls. help..

    Comment by Dan — October 23, 2008 @ 5:28 pm | Reply

  27. thanks a lot..now i am free from the ravmone.exe problem now…

    Comment by harry5255 — December 26, 2008 @ 8:46 pm | Reply

  28. i plugged in my mobile phone’s usb and found the ravmonE, tried the method shown above but i couldn’t find the file autorun.inf now i couldnt proceed. please help

    Comment by chelle — January 14, 2009 @ 8:28 pm | Reply

  29. i have a pendrive when i open a particular folder it reads USBC@+ë. pls advice

    Comment by dior — March 2, 2009 @ 8:03 pm | Reply

  30. Did anyone ever get back to you with the message below? I have something similar and I’m at my wits’ end trying to fix it. Any help?

    paula@mcgroryp.freeserve.co.uk

    i have a pendrive when i open a particular folder it reads USBC@+ë. pls advice

    Comment by dior — March 2, 2009 @ 8:03 pm

    Comment by Paula — June 26, 2009 @ 7:48 am | Reply

  31. i have a pendrive when i open a particular folder it reads USBC@+ë. pls advice

    Comment by chplaza — October 6, 2009 @ 11:11 pm | Reply

  32. USBC@+ë i just found out that this file, while it corrupts files, is not a virus.
    It is a hardware problem, usually common on china-made usb and mp3 players.
    Check for warranty so you can replace it.

    Comment by seto — March 31, 2010 @ 9:29 am | Reply

    • Are you sure? How did you find this out? All other sources on the net I find seem to leave people clueless….

      Comment by Otriv — June 2, 2010 @ 7:10 am | Reply

  33. OMG!!! thank you so much for the info!! you have saved me so much trouble in the future, cuz i’d spend like an hour a day just trying to open files and relocate missing work

    Comment by auzzie — April 9, 2010 @ 5:02 am | Reply

  35. How about little.exe and autorun.inf, i think its a variant of the dropper virus a malware but i cant get rid of it on my system. It also looks like the autorun.inf is encrypted in some way and i cant get the exact location of the file being executed on my windows machine. I thought that my thumb drive was the only infected media. First i tried to delete those 2 files mentioned from my thumb drive and flashdrives but i wasnt able to do that with explorer. My antivirus NOD32 cant identify it as well even with the latest signature. So i tried rebooting my laptop in safe mode with ms dos command prompt then deleted those nasty files on the command prompt, resetting their attributes with -r -h -s then deleting manually. After i started my laptop in windows, there it was again on my flashdrive. So i guess i got a trojan or virus which is undetectable as of now. Im just worried since most of my work is stored on my laptop. I never experienced such a nasty pest. This is giving me a headache. Lol! Anyway can anybody help me on this.

    Comment by Bakuto — August 6, 2010 @ 7:36 am | Reply

