is rasmontr.exe a virus?

  • Thread starter Thread starter modern_millie
  • Start date Start date
M

modern_millie

my anti-virus software put a file named 'rasmontr.exe' in quarantine.
(it found said file in a C:\WINNT\system32\ )
what I need to know is: can I delete this file, or is it some
important system file?

I did a search on google for it but only found entries regarding
'rasmontr.dll'

The file has been in quarantine for about 10 days now, and my computer
seems to be running fine, but then - I am not much of a computer
expert.

can somebody help please?

Alex
 
Please go to one or more of the below online scanners and perform a scan of your platform
then report back your results.

Trend:
http://housecall.antivirus.com
http://housecall.trendmicro.com

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

McAfee:
http://www.mcafee.com/myapps/mfs/default.asp

Panda:
http://www.pandasoftware.com/activescan/

Symantec:
http://security.symantec.com/

BitDefender
http://www.bitdefender.com/scan/license.php

Dave





| my anti-virus software put a file named 'rasmontr.exe' in quarantine.
| (it found said file in a C:\WINNT\system32\ )
| what I need to know is: can I delete this file, or is it some
| important system file?
|
| I did a search on google for it but only found entries regarding
| 'rasmontr.dll'
|
| The file has been in quarantine for about 10 days now, and my computer
| seems to be running fine, but then - I am not much of a computer
| expert.
|
| can somebody help please?
|
| Alex
 
modern_millie said:
my anti-virus software put a file named 'rasmontr.exe' in quarantine.
(it found said file in a C:\WINNT\system32\ )
what I need to know is: can I delete this file, or is it some
important system file?
Click to expand...

Looks like a program for monitoring dial-up connections. If you are on
broadband, you probably don't need it.
 
God..that took ages..no viruses were found:

Trendmicro:
Congratulations. Housecall couldn't find any viruses.

F-secure:
couldn't even be started. I was told 'unable to download databases'
each time I tried to start the scan.

McAfee:
Infected Files: 0

Panda:
No viruses have been found

Symantec:
0 file(s) infected on your disk drives.No viruses were detected in
memory

Bitdefender:
Infected Objects: 0


I am still not sure though whether to delete rasmontr.exe from
quarantine or not?

Alex
 
No, I am not on broadband.I am on 56kb modem. My internet connection
is working ok though.

Hmm..I know that a quarantined file can't do any harm. But I'd be much
happier if I knew what sort of file exactly this rasmontr.exe is..and
if I could finally delete it.

can't sleep at night,

Alex
 
modern_millie said:
God..that took ages..no viruses were found:
Click to expand...

Yes, but can the other scanners scan the quarantined file? I had a
malicious piece of JS, that was converted into another format when AVG
put it in the vault.

michael
 
Well thankfully you can now state it has a 99% probability of NOT being a virus.

The only questions left are --
Was it a False Positive declaration that moved it into quarantine ?
What is the AV software you are using ?
Did that un-named AV software provide a name to the infector ?
Could it be another form of Malware such as Adware or Spyware ?

My final suggestion is to download yourself a copy of the free Ad-Aware SE Personal edition
from Lavasoft (http://www.lavasoftusa.com/software/adaware/) and also SpyBot Search &
Destroy (http://www.safer-networking.org/) and use them to check your system for commercial
parasites (malware).

Dave




| God..that took ages..no viruses were found:
|
| Trendmicro:
| Congratulations. Housecall couldn't find any viruses.
|
| F-secure:
| couldn't even be started. I was told 'unable to download databases'
| each time I tried to start the scan.
|
| McAfee:
| Infected Files: 0
|
| Panda:
| No viruses have been found
|
| Symantec:
| 0 file(s) infected on your disk drives.No viruses were detected in
| memory
|
| Bitdefender:
| Infected Objects: 0
|
|
| I am still not sure though whether to delete rasmontr.exe from
| quarantine or not?
|
| Alex
|
|
|
| > Please go to one or more of the below online scanners and perform a scan of your
platform
| > then report back your results.
| >
| > Trend:
| > http://housecall.antivirus.com
| > http://housecall.trendmicro.com
| >
| > F-Secure:
| > http://support.f-secure.com/enu/home/ols.shtml
| >
| > McAfee:
| > http://www.mcafee.com/myapps/mfs/default.asp
| >
| > Panda:
| > http://www.pandasoftware.com/activescan/
| >
| > Symantec:
| > http://security.symantec.com/
| >
| > BitDefender
| > http://www.bitdefender.com/scan/license.php
| >
| > Dave
 
David said:
Well thankfully you can now state it has a 99% probability of NOT being a virus.
Click to expand...

Isn't the characteristic signature altered via encryption on placement
into quarantine?

michael
 
If you mean the signature that identifies it as an particular infector ? No.

Dave




| David H. Lipman wrote:
|
| > Well thankfully you can now state it has a 99% probability of NOT being a virus.
|
| Isn't the characteristic signature altered via encryption on placement
| into quarantine?
|
| michael
 
Yes, but can the other scanners scan the quarantined file?
Click to expand...

bitdefender caught and deleted a renamed copy of a trojan I was keeping to
see what scanner would find it first... and it found and deleted the a
manually quarantined copy kept by NAV. So the answer ir probably
'sometimes'.
 
Hello Dave,

I do have had Adaware installed and it has found Alexa on my machine
and deleted it. Also it found 1 attempt at browser hijacking - but I
suppose that comes from my internet provider freenet. Once I connect
to the internet, their homepage is the first thing that loads in my
browser, even though I may type another address, It's always been like
that from day one.
And Adaware doesn't seem to be able to delete the code that causes
this.Each time I run it, it finds one attempt at browser hijacking and
deletes the code in question. But when I run Adaware 1 minute later it
finds the same code again. But that wouldn't have anything to do with
the file in my quarantine folder, would it!?


The AV software I am using is Trendmicro's PC cillin.
It did not provide a name to the infector. And the file doesnt show up
in the protocoll list either. That's what's a little strange.
PC cillin has found other viruses on my machine - and these do show up
in the protocols, together with info about which sort of action has
been taken and where the files were found.
But rasmontr.exe only sits there in my quarantine folder without any
protocol to match. It was found on August 5th. And for that day no
protocol does exist. I did not delete any protocols.
maybe it's some virus masquerading as a harmless file? Tricking you
into keeping it, while it's actually a harmfull file?
I found only information about rasmontr.dll through google, which does
indeed seem to be a win system file- mine is an executable though.
Hm!?

I'll go get Spybot now. Thanks for your help. I guess I'll just let
the file sit there in quarantine & pray that nothing happens.

Alex
 
Thanks for recommending Spybot!!!

Spybot found quite a few things (Alexa related.htm document, some dso
exploit, a few tracking cookies and:

It found: GoldenPalace.Casino - autorun settings (rasmontr) and then
followes an endlessly long registry key number.

It asked me if I was really sure that I want to change that registry
entry back, and I did. And in that dilaogue box it labelled
rasmontr.exe as 'old data' (probably because it's been moved from its
original place into quarantine?)


I still do not understand what exactly this file in my quarantine
folder is. Some spyware sent by a GoldenPlace.Casino website? I never
visit any stupid game websites. Hm?

Would you think can I delete the file from quarantine now?

Alex
 
I believe the DSO Exploit declaration in SpyBot is a known False Positive.

Dave



| Thanks for recommending Spybot!!!
|
| Spybot found quite a few things (Alexa related.htm document, some dso
| exploit, a few tracking cookies and:
|
| It found: GoldenPalace.Casino - autorun settings (rasmontr) and then
| followes an endlessly long registry key number.
|
| It asked me if I was really sure that I want to change that registry
| entry back, and I did. And in that dilaogue box it labelled
| rasmontr.exe as 'old data' (probably because it's been moved from its
| original place into quarantine?)
|
|
| I still do not understand what exactly this file in my quarantine
| folder is. Some spyware sent by a GoldenPlace.Casino website? I never
| visit any stupid game websites. Hm?
|
| Would you think can I delete the file from quarantine now?
|
| Alex
|
|
|
| > Well thankfully you can now state it has a 99% probability of NOT being a virus.
| >
| > The only questions left are --
| > Was it a False Positive declaration that moved it into quarantine ?
| > What is the AV software you are using ?
| > Did that un-named AV software provide a name to the infector ?
| > Could it be another form of Malware such as Adware or Spyware ?
| >
| > My final suggestion is to download yourself a copy of the free Ad-Aware SE Personal
edition
| > from Lavasoft (http://www.lavasoftusa.com/software/adaware/) and also SpyBot Search &
| > Destroy (http://www.safer-networking.org/) and use them to check your system for
commercial
| > parasites (malware).
| >
| > Dave
| >
 
On that special day, modern_millie, ([email protected]) said...
comes from my internet provider freenet. Once I connect
to the internet, their homepage is the first thing that loads in my
browser, even though I may type another address, It's always been like
that from day one.
Click to expand...

This is not a hijacker, it is a "feature" done by internal re-routing on
the web *server* side. This will only happen if you dial their
connection number.


Gabriele Neukam

(e-mail address removed)
 
Theo said:
bitdefender caught and deleted a renamed copy of a trojan I was keeping to
see what scanner would find it first... and it found and deleted the a
manually quarantined copy kept by NAV. So the answer ir probably
'sometimes'.
Click to expand...

A "properly" quarantined malware file will be encrypted and renamed from its original state and the
program doing the quarantining should be the only way to reverse this. Funny that your NAV didn't
encrypt - - is it an old NAV version or was bitdefender breaking the encryption?
 
A "properly" quarantined malware file will be encrypted and renamed
from its original state and the program doing the quarantining should
be the only way to reverse this. Funny that your NAV didn't encrypt -
- is it an old NAV version or was bitdefender breaking the encryption?
Click to expand...

The original program was from 2001, so maybe it did. These were part of the
lines from the scan. I added the .troj at the end of the .exe so it wouldnt
run in case I missed a run setting somewhere

C:\WINNT\system32\msnmsg.exe.troj infected: Backdoor.SDBot.JT
C:\WINNT\system32\msnmsg.exe.troj deleted
C:\Program Files\Navnt\Quarantine\68D1765F.exe=>(Quarantine) infected:
Backdoor.SDBot.JT
C:\Program Files\Navnt\Quarantine\68D1765F.exe deleted
 
(e-mail address removed) (modern_millie) wrote in
still do not understand what exactly this file in my quarantine
folder is. Some spyware sent by a GoldenPlace.Casino website? I never
visit any stupid game websites. Hm?
Click to expand...

Ive seen adware descriptions for them as well. Its probably something going
around the same way as porn ones do.
 
Theo said:
(e-mail address removed) (modern_millie) wrote in




Ive seen adware descriptions for them as well. Its probably something going
around the same way as porn ones do.
Click to expand...

banner ads infected with malicious javascript or CHM exploit?? there's
been a mention on Full Disclosure mailing list about wired.com having
such an ad. (the admins are adding filters.) i ran into such a script
the other day on a popular site.

within a year or two, I suspect there will be rootkit features in spyware.

michael
 
Oh..I see. Thanks for pointing that out.

And thanks a lot to everybody else who answered my questions. I've
deleted rasmontr.exe from quarantine now, and hopefully won't have to
post here again about mysterious quarantined things.

Alex x
 
Back
Top