How to remove RVHOST.EXE malware ?

Asked Mar 12, 2007, 05:45 AM — 15 Answers
Does anyone have any idea about the RVHOST.EXE malware, and how to remove it permanently, or patch the OS so as not to get infected again in future?

McAfee version 8.0 + Antispyware + Patch 14 cannot remove this malware.

The only software that can remove it is PREVX, but it is a 30-day trial only, and as soon as the software is removed the system will get infected again, most probably through sharing files with mobile (flash) disks.

Please do let me know if there is any solution for this.

Feroz.
Kabul.

Summary: As with most malware issues, the solutions can vary based on the end user's particular setup. The easiest way to handle these pesky invaders is to use an up-to-date spyware and malware removal tool like Spybot, Malwarebytes, or AVG. All of these tools have free versions available.

Users also provided manual fixes to the problem, including editing the computer's registry. These instructions are only suggested for those with a more experienced computer tech background, as editing your registry can cause more harm than good if you're not careful.
15 Answers
Zaithe Posts: 99, Reputation: 27
Junior Member
#11

Feb 28, 2008, 12:30 AM
Well, the solution I gave before was working brilliantly when this rvhost.exe virus started to spread, but now I find that this virus uses more than one technique, so here's another, better and more recent solution, although my last solution is still working.

1- Download any third-party task manager software. Install and run it; you'll see an exe with an icon the same as the folder icon. Delete that exe. The exe can have any name, like "natu*", "rvhost.exe", etc. Just remember one thing: delete the exe with the folder-like icon.
Security Task Manager download and review - security enhanced task manager from SnapFiles
2- Then go to My Computer > System Restore and turn off System Restore. Apply and OK.
3- Then download a VB script to enable Folder Options:
Enable/Disable Folder Options
4- Go to Folder Options > View. Check "Show hidden files and folders" and uncheck "Hide protected operating system files". Apply and OK.
--------
NOTE: If you have the latest update of the virus then just run the antivirus after these steps. It will surely remove the virus. Actually this virus hides itself and runs with Autorun.inf, which is shown after you uncheck "Hide protected...". So clean the system with an updated antivirus. I used Trend Micro and it's working smoothly.
----------
5- Now search "*.exe" on the system and delete the exes which have the same icon as a folder. Search "rvhost.exe" on the C drive and delete the prefetch. If not found then search for "ravmon.exe". If you don't find any prefetch, don't get tense.
6- Enable your Registry with the script (available on the Internet) and make the following changes in the Registry:

In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Yahoo Messengger = "%System%\RVHOST.exe"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
Removing Other Entries from the Registry

Still in Registry Editor, in the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>Explorer
In the right panel, locate and delete the entry:
NofolderOptions = "1"
Restoring Modified Entries from the Registry

Still in Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon
In the right panel, locate the entry:
Shell = "Explorer.exe RVHOST.exe"
Right-click on the value name and choose Modify. Change the value data of this entry to:
Explorer.exe
In the right panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Schedule
In the right panel, locate the entry:
NextAtJobId = "2"
Right-click on the value name and choose Modify. Change the value data of this entry to:
1
Close Registry Editor.

7- Now Start > Run and write "msconfig". Click OK and then click the Startup tab in the Msconfig window. Disable the entry for "rvhost.exe". Click OK and restart the system.

Caution: don't ever open a USB drive with a double-click. Just go to the address bar and write the USB drive name, because the USB may be infected with this virus. It places Autorun.inf on the drive, and that runs the virus exe when you double-click the USB. This virus spreads through USB.

Hope this will help you a lot. If there is any problem, do let me know. Maybe you will find something different, because this virus's attack method is not always the same. Best of luck.
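As an added defensive check (not code from this thread or from any of its posters), here is a Python script that parses a plain-text .reg export in the REGEDIT4 style quoted in this thread and reports which of the entries step 6 above tells you to remove are present: the Run value, the Winlogon Shell chain, NoFolderOptions, and the DisableTaskMgr / DisableRegistryTools lockouts. The export embedded in it is constructed for the demonstration; on a real machine you would export those keys from Registry Editor and feed the text file to it.

```python
"""Audit a .reg export for the RVHOST.exe persistence and lockout entries named in post #11."""
# Constructed sample export (not a real capture); it mirrors the entries post #11 says to inspect.
SAMPLE_REG = r"""REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINDOWS\\system32\\RVHOST.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe RVHOST.exe"
"""
CU = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\"
WINLOGON = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon"


def parse_reg(text):
    """Return {key_path: {value_name: data}}; names lower-cased, dwords as int, strings unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):      # [key path] opens a new section
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and line.startswith('"') and '"=' in line:  # "name"=data
            name, data = line[1:].split('"=', 1)
            if data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            else:
                data = data.strip('"').replace("\\\\", "\\")  # undo .reg backslash escaping
            keys[current][name.lower()] = data
    return keys


def audit(keys):
    """List the thread's indicators present in a parsed export; an empty list means none."""
    findings = []
    for name, data in keys.get(CU + "run", {}).items():
        if "rvhost" in str(data).lower():              # autostart of the worm binary
            findings.append(f"Run value '{name}' launches {data}")
    if keys.get(CU + "policies\\explorer", {}).get("nofolderoptions") == 1:
        findings.append("NoFolderOptions=1 hides Folder Options")
    for v in ("disabletaskmgr", "disableregistrytools"):
        if keys.get(CU + "policies\\system", {}).get(v) == 1:
            findings.append(f"{v}=1 locks the user out")
    shell = keys.get(WINLOGON, {}).get("shell", "Explorer.exe")
    if shell.strip().lower() != "explorer.exe":        # a second program chained onto the shell
        findings.append(f"Winlogon Shell altered: {shell}")
    return findings
```

Running `audit(parse_reg(SAMPLE_REG))` on the constructed export returns four findings; the legitimate ctfmon.exe Run value is left alone.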
yusoff44 Posts: 2, Reputation: 1
New Member
#12

Jun 19, 2008, 08:53 AM
Thanks a lot Zaithe! I followed your instructions above (Feb 28, 2008) and it worked!

I wish to add a few points for others to follow and get things done easily.

- At instruction #6 (after searching for and deleting the prefetch file), the script to enable the Registry (regedit) can be found here
- And to re-enable the Task Manager, open a blank Notepad (Start > Run > Notepad > OK), then copy and paste the following script, which I found:
Quote:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
- Save it under any name you want but with the .reg extension, e.g. taskmgr.reg.
- At 'Save as type', choose "All files".
- Save it on the Desktop for easy retrieval, and click Save.
- Run 'taskmgr.reg' by double-clicking it.
- Click 'Yes' when Registry Editor asks if you want to add the information to the registry, then click 'OK' to acknowledge.
- Press Ctrl+Alt+Del and voilà!
isangsweet Posts: 1, Reputation: 1
New Member
#13

Jun 29, 2008, 11:54 AM
Quote:
Originally Posted by Zaithe
Follow these steps to completely remove this worm:
1- Start > Run
2- Write CMD
3- In CMD, write: taskkill /T /IM RVHOST.EXE
Then open Notepad: Start > Run
4- Write "notepad"
5- In Notepad paste these lines below:
On Error Resume Next
Set shl = CreateObject("WScript.Shell")
' Delete the policy values the worm sets to lock the user out of regedit and Task Manager
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
6- Save the Notepad file as "Enable.VBS" and change the file type to "All"
7- Double-click "Enable.VBS"
8- Now Start > Run. Write "regedit" in it and press Enter

After this procedure, there's a statement saying "Registry editing has been disabled by your administrator". What should I do?

Thanks
yusoff44 Posts: 2, Reputation: 1
New Member
#14

Jun 29, 2008, 08:11 PM
Isangsweet,

In his/her reply on 'Feb 28, 2008 07:30 AM', Zaithe mentioned that "this virus uses more than one technique" and suggested another solution. Have you tried that one yet? I jumped directly to his new solution the first time and it worked.

However, last week as I tried to remove this pesky exe from a friend's notebook/laptop, after I ran 'Enable.VBS', when I typed 'regedit' in Run, I got "Registry editing has been disabled by your administrator", just like you did.

What I found out was that the exe had not been 'killed' entirely and I had to repeat the process all over again. I restarted the laptop and started by finding (and deleting) the 'folder icon' using 'Security Task Manager' again. Follow every step he mentioned (big thanks, Zaithe).

The VB scripts given always ask you to 'Log Off' for the changes to take effect. I did not log off if it worked (either to enable Folder Options or regedit). Only if it didn't work (i.e. the Folder Options) did I log off and log back in. Try not to 'Restart', as I am afraid the exe might come back again and you would have to redo everything, and it would be an endless silly loop...

Good luck and godspeed!... Amen
bloodwar666 Posts: 1, Reputation: 1
New Member
#15

Apr 14, 2009, 02:22 PM
Quote:
Originally Posted by Zaithe
Follow these steps to completely remove this worm:
1- Start > Run
2- Write CMD
3- In CMD, write: taskkill /T /IM RVHOST.EXE
Then open Notepad: Start > Run
4- Write "notepad"
5- In Notepad paste these lines below:
On Error Resume Next
Set shl = CreateObject("WScript.Shell")
' Delete the policy values the worm sets to lock the user out of regedit and Task Manager
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
6- Save the Notepad file as "Enable.VBS" and change the file type to "All"
7- Double-click "Enable.VBS"
8- Now Start > Run. Write "regedit" in it and press Enter
9- Make the following changes in the Registry:

In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Yahoo Messengger = "%System%\RVHOST.exe"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
Removing Other Entries from the Registry

Still in Registry Editor, in the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>Explorer
In the right panel, locate and delete the entry:
NofolderOptions = "1"
Restoring Modified Entries from the Registry

Still in Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon
In the right panel, locate the entry:
Shell = "Explorer.exe RVHOST.exe"
Right-click on the value name and choose Modify. Change the value data of this entry to:
Explorer.exe
In the right panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Schedule
In the right panel, locate the entry:
NextAtJobId = "2"
Right-click on the value name and choose Modify. Change the value data of this entry to:
1
Close Registry Editor.
Deleting the Malware File(s)

Right-click Start, then click Search... or Find..., depending on the version of Windows you are running.
In the Named input box, type:
AT1.JOB
In the Look In drop-down list, select My Computer, then press Enter.
Once located, select the file then press SHIFT+DELETE.
Note: AT1.JOB is a Scheduled Task, so you can find it in C:\WINDOWS

Thank you so much Zaithe. Wew, I already removed the F* error on start-up on my notepad. Again, thanks dude.
shuyin5 Posts: 1, Reputation: 10
New Member
#16

Oct 4, 2010, 06:04 AM
All of these didn't work for me... thanks to my friend, all of this long process has a shortcut.

Try this, guys... courtesy of paps global hehehe

"we isn't pros, but we work like one"

100% will fix your prob