imani
Posted October 7, 2007

Can anybody tell me the code to find a file on the basis of this string:

shell\open\Command=RavMon.exe

PsaltyDS
Posted October 7, 2007

> Can anybody tell me the code to find a file on the basis of this string shell\open\Command=RavMon.exe

What's the context for that entry? There used to be a "Reliable AntiVirus (RAV)" from a Romanian company with that executable name, but it was embraced by Microsoft in 2003 and probably extinguished.

Then, there's the W32/Rjump.worm:

Method of Infection - W32/Rjump.worm lists all mapped and removable storage drives on an infected system and drops the following files onto the root folder of the available drive:

* autorun.inf --> used to autorun the worm when the drive is accessed
* msvcr71.dll --> Clean Microsoft Visual Studio dll file
* ravmon.exe --> copy of the worm

The contents of the autorun.inf are as follows:

```ini
[AutoRun]
open=RavMonE.exe e
shellexecute=RavMonE.exe e
shell\Auto\command=RavMonE.exe e
shell=Auto
```

Infection occurs when a removable storage device or a mapped drive hosting a copy of W32/Rjump.worm is accessed and the user agrees to the auto run prompt for execution of the worm.

Paulie
Posted October 7, 2007

Perhaps he has the worm and is trying to get rid of it?

In that case, it would have been more convincing if he had said "I have a worm and I want to delete it".

imani
Posted October 8, 2007

> Perhaps he has the worm and is trying to get rid of it?
> In that case, it would have been more convincing if he had said "I have a worm and i want to delete it"

Yes, I want to detect the autorun.inf file on the basis of this string to get rid of those virus files.

imani
Posted October 9, 2007

> Yes I want to detect the autorun.inf file on the basis of this string to get rid of those virus files

Can anybody reply to me?

smashly
Posted October 9, 2007

Hi,

Maybe look in the registry, I'm only guessing at this though ...

```autoit
; Read the default value of the App Paths key for RavMon.exe and show it
$Def = RegRead("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\RavMon.exe\", "")
MsgBox(0, '', $Def)
```

Cheers

Tripredacus
Posted October 9, 2007

Well, Windows has the ability to search for strings already. My question would be is it possible to create a faster search for strings in AutoIT?

imani
Posted October 11, 2007

> Well, Windows has the ability to search for strings already. My question would be is it possible to create a faster search for strings in AutoIT?

I have found the code:

```autoit
; Open autorun.inf from the current directory for reading (mode 0)
$file = FileOpen("autorun.inf", 0)
If $file = -1 Then
    MsgBox(16, '', 'Unable to open autorun.inf')
    Exit
EndIf
While 1
    $line = FileReadLine($file)
    If @error = -1 Then ExitLoop ; end of file
    ;MsgBox(0, "Line read:", $line)
    ; String comparison with = is case-insensitive in AutoIt
    If $line = "shell\open\Command=RavMon.exe" Then
        MsgBox(16, '', 'Virus Found in the file')
        ExitLoop
    EndIf
WEnd
FileClose($file)
```

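An added example, not code from any poster in this thread: a whole-line comparison only matches one exact spelling, while the autorun.inf quoted earlier uses `RavMonE.exe e` under `open`, `shellexecute` and `shell\Auto\command`. The sketch below parses each `key=value` line and flags launch keys whose value names one of the executables mentioned in the thread. The function names `_ScanAutorunText` and `_ScanAutorunFile` are hypothetical, and the sample input is constructed from the contents quoted above.

```autoit
; Added example, not code from the thread. Function names are hypothetical.
; Suspect file names are the ones mentioned in the thread.
Global Const $g_aSuspect[2] = ["RavMon.exe", "RavMonE.exe"]

; Returns the matching "key=value" lines joined with @LF ("" if none).
Func _ScanAutorunText($sText)
    Local $sHits = ""
    Local $aLines = StringSplit(StringStripCR($sText), @LF)
    For $i = 1 To $aLines[0]
        Local $sLine = StringStripWS($aLines[$i], 3) ; 3 = leading + trailing
        Local $iEq = StringInStr($sLine, "=")
        ; Skip blanks, comments, section headers and lines without "="
        If $iEq = 0 Or StringRegExp($sLine, "^[;\[]") Then ContinueLoop
        Local $sKey = StringStripWS(StringLeft($sLine, $iEq - 1), 3)
        Local $sVal = StringStripWS(StringMid($sLine, $iEq + 1), 3)
        ; Only keys that launch a program: open, shellexecute, shell\<verb>\command
        If Not StringRegExp($sKey, "(?i)^(open|shellexecute|shell\\[^\\]+\\command)$") Then ContinueLoop
        For $sName In $g_aSuspect
            ; Whole file name, ignoring case, any leading path, quotes and arguments
            Local $sPat = "(?i)(^|[\\/\s""])" & StringReplace($sName, ".", "\.") & "(\s|""|$)"
            If StringRegExp($sVal, $sPat) Then
                $sHits &= $sKey & "=" & $sVal & @LF
                ExitLoop
            EndIf
        Next
    Next
    Return StringStripWS($sHits, 2) ; 2 = trailing
EndFunc

; Reads a file and scans it; sets @error = 1 if the file cannot be read.
Func _ScanAutorunFile($sPath)
    Local $sText = FileRead($sPath)
    If @error Then Return SetError(1, 0, "")
    Return _ScanAutorunText($sText)
EndFunc

; Constructed sample: the autorun.inf contents quoted earlier in the thread.
Local $sSample = "[AutoRun]" & @CRLF & "open=RavMonE.exe e" & @CRLF & _
        "shellexecute=RavMonE.exe e" & @CRLF & _
        "shell\Auto\command=RavMonE.exe e" & @CRLF & "shell=Auto"
Local $sFound = _ScanAutorunText($sSample)
If $sFound <> "" Then ConsoleWrite("Suspicious entries:" & @LF & $sFound & @LF)
```

To check a real drive, call `_ScanAutorunFile` with the path to that drive's autorun.inf and test `@error` before trusting an empty result.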