Solved! RAVMOND.EXE (Worm Mytob) Removal Guide

I recommend UnHackMe - Ultimate Malware Killer for fast malware removal (fully functional 30-day trial, no credit card required).

RAVMOND.EXE – Worm Mytob removal

File          MD5                                 Virus Alias
RAVMOND.EXE   c5d41ea4e79aef963d7194a361079544    Worm Mytob
RAVMOND.EXE   c5d41ea4e79aef963d7194a361079544    Backdoor Poison
RAVMOND.EXE   c5d41ea4e79aef963d7194a361079544    Virus Sality

RAVMOND.EXE size: 197632 bytes
RAVMOND.EXE hash: C5D41EA4E79AEF963D7194A361079544

Created files:

C:\13b4a2
%SysDir%\hxdef.exe
%SysDir%\IEXPLORE.EXE
%SysDir%\kernel66.dll
%SysDir%\msjdbc11.dll
%SysDir%\MSSIGN30.DLL
%SysDir%\NetMeeting.exe
%SysDir%\ODBC16.dll
%SysDir%\RAVMOND.exe
%SysDir%\spollsv.exe
D:\13b737
D:\cert\VBoxCertUtil.exe

Autostart registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Hardware Profile: %WinDir%\System32\hxdef.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft NetMeeting Associates, Inc.: NetMeeting.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VFW Encoder/Decoder Settings: RUNDLL32.EXE MSSIGN30.DLL ondll_reg
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Shell Extension: %WinDir%\System32\spollsv.exe

Service keys (the REG_DWORD values are shown as raw little-endian bytes: Type 10000000 = 0x10 SERVICE_WIN32_OWN_PROCESS, Start 02000000 = 0x2 SERVICE_AUTO_START, ErrorControl 01000000 = 0x1 SERVICE_ERROR_NORMAL):

HKLM\System\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)\Type: 10000000
HKLM\System\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)\Start: 02000000
HKLM\System\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)\ErrorControl: 01000000
HKLM\System\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)\DisplayName: Windows Management Protocol v.0 (experimental)
HKLM\System\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)\ImagePath: Rundll32.exe msjdbc11.dll ondll_server
HKLM\System\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)\Description: Windows Advanced Server. Performs scheduled scans for LANguard.
HKLM\System\CurrentControlSet\Services\_reg\Type: 10000000
HKLM\System\CurrentControlSet\Services\_reg\Start: 02000000
HKLM\System\CurrentControlSet\Services\_reg\ErrorControl: 01000000
HKLM\System\CurrentControlSet\Services\_reg\DisplayName: _reg
HKLM\System\CurrentControlSet\Services\_reg\ImagePath: Rundll32.exe msjdbc11.dll ondll_server

Both services run the dropped msjdbc11.dll through Rundll32.exe and are set to start automatically, so the backdoor survives a reboot even if the Run entries are deleted; remove the service keys as well as the files.

Detected by UnHackMe:

RAVMOND.EXE
Default location: %SysDir%\RAVMOND.EXE

Dropper information:
MD5: c5d41ea4e79aef963d7194a361079544
File size: 197632 bytes
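The indicators above (dropped files, Run values, service keys and the dropper's MD5) can be checked on a suspect host with the following PowerShell triage script. It is an added example written for this guide, not code from the original page or from UnHackMe; it only reports what it finds and removes nothing. It assumes the paths listed above (with %SysDir% taken as $env:SystemRoot\System32) and, as a broader check than the page gives, also flags any Run value or service ImagePath whose data mentions one of the dropped file names, in case an entry was created under a different value name.

```powershell
# Added triage script for the RAVMOND.EXE indicators listed on this page.
# Not part of the original guide or of UnHackMe. Run from an elevated prompt.
# It reports hits only; it does not delete files or registry keys.

$DropperMd5 = 'C5D41EA4E79AEF963D7194A361079544'   # dropper hash from the page
$SysDir     = "$env:SystemRoot\System32"          # assumed expansion of %SysDir%

# Dropped files listed on the page.
$FileIocs = @(
    "$SysDir\hxdef.exe", "$SysDir\IEXPLORE.EXE", "$SysDir\kernel66.dll",
    "$SysDir\msjdbc11.dll", "$SysDir\MSSIGN30.DLL", "$SysDir\NetMeeting.exe",
    "$SysDir\ODBC16.dll", "$SysDir\RAVMOND.exe", "$SysDir\spollsv.exe",
    'C:\13b4a2', 'D:\13b737', 'D:\cert\VBoxCertUtil.exe'
)
# Bare file names, used for the broader "mentions a dropped payload" check.
$DroppedNames = $FileIocs | ForEach-Object { Split-Path -Leaf $_ }

# Run value names and service names listed on the page.
$RunValues = @('Hardware Profile', 'Microsoft NetMeeting Associates, Inc.',
               'VFW Encoder/Decoder Settings', 'Shell Extension')
$Services  = @('Windows Management Protocol v.0 (experimental)', '_reg')

$hits = New-Object System.Collections.Generic.List[string]

# 1. Files: existence plus MD5 against the published dropper hash. Only the
#    dropper itself is expected to match; the other payloads have their own hashes.
foreach ($path in $FileIocs) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $md5  = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        $note = if ($md5 -eq $DropperMd5) { 'matches dropper MD5' } else { 'hash differs' }
        $size = (Get-Item -LiteralPath $path).Length
        $hits.Add("[file] $path  size=$size  MD5=$md5  ($note)")
    }
}

# 2. HKLM Run key: the four named values, then any value whose data references
#    a dropped file name (rundll32 ... msjdbc11.dll, RAVMOND.exe, etc.).
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runProps = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($null -ne $runProps) {
    foreach ($p in $runProps.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip PSPath/PSParentPath etc.
        $data = [string]$p.Value
        $byName = $RunValues -contains $p.Name
        $byData = ($DroppedNames | Where-Object { $data -match [regex]::Escape($_) }).Count -gt 0
        if ($byName -or $byData) {
            $hits.Add("[run] $($p.Name) = $data")
        }
    }
}

# 3. Services: the two named keys, plus any service whose ImagePath loads a
#    dropped DLL through rundll32 (the persistence pattern shown on the page).
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($svcKey in Get-ChildItem -LiteralPath $svcRoot -ErrorAction SilentlyContinue) {
    $svcName = $svcKey.PSChildName
    $props   = Get-ItemProperty -LiteralPath $svcKey.PSPath -ErrorAction SilentlyContinue
    $img     = [string]$props.ImagePath
    $byName  = $Services -contains $svcName
    $byData  = ($DroppedNames | Where-Object { $img -match [regex]::Escape($_) }).Count -gt 0
    if ($byName -or $byData) {
        $hits.Add("[service] $svcName  Start=$($props.Start)  ImagePath=$img")
    }
}

if ($hits.Count -eq 0) {
    'No RAVMOND.EXE indicators found.'
} else {
    $hits
}
```

A hash match confirms only this particular dropper; the other dropped files, and any executables the Sality alias implies may have been infected, will not share its MD5, so treat a file hit with "hash differs" as a finding to examine rather than a clean result. The script reads the registry under HKLM, so it must run elevated to see every service key.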
