
Ask Me Help Desk (https://www.askmehelpdesk.com/forum.php)
-   Spyware, Viruses, etc. (https://www.askmehelpdesk.com/forumdisplay.php?f=477)
-   -   How to remove RVHOST.EXE malware ? (https://www.askmehelpdesk.com/showthread.php?t=71164)

  • Mar 12, 2007, 05:45 AM
    aferoz
    How to remove RVHOST.EXE malware ?
    Does anyone have any idea about the RVHOST.EXE malware, and how to remove it permanently, or patch the OS so as not to get infected again in future?

    Mcafee version 8.0 + Antispyware + Patch 14 cannot remove this malware :o :o

    The only software that can remove this is PREVX, but it's a trial of 30-days only! and as soon as the software is removed the system will get infected again most probably through sharing files with Mobile (Flash) disks...

    Please, do let me know if there is any solution for this...

    Feroz.
    Kabul.
  • Mar 12, 2007, 05:46 AM
    ScottGem
    Try the info found here:

    Bleeping Computer - RVHOST.exe - Program Information
  • Mar 14, 2007, 04:12 PM
    ANETGames
    1 Attachment(s)
    RVHOST.EXE Is most commonly caused by a worm infection.
    You shouldn't continue to get this threat once it's deleted, unless you come into contact with it again. May I suggest using caution with flash drives, and don't open things that you are unsure about.

    Delete these files if they exist:
    C:\WINDOWS\SYSTEM32\RVHOST.exe
    c:\windows\rvhost.exe
    %all drives%\new folder.exe
    C:\Windows\Tasks\At1.job
    Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run in the registry, and delete the entries which contain RVHOST.exe in them, or better yet, change them back to their appropriate paths.
    Go to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    "DisableTaskManager" = 1 (CHANGE IT TO 0 )
    "DisableRegistryTools" = 1 (CHANGE IT TO 0 )

    Go to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    "nofolderoptions" = 1 (CHANGE IT TO 0)

    Go to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
    "attaskmaxhours" = 0 (CHANGE IT TO 24)

    Because this threat may make it impossible to access the Registry Editor, you may need to merge a .REG file.

    I have attached one for you which I made, that will re-enable Task Manager, folder options, and allow you to use the Registry Editor.
  • Apr 12, 2007, 01:22 AM
    Zaithe
    Follow these steps to completely remove this worm:
    1- Start>Run
    2- Write CMD
    3- In CMD, write: Taskkill /T /IM RVHOST.EXE
    Then open Notepad: Start>Run
    4- Write "Notepad"
    5- In Notepad, paste these lines below:
    On Error Resume Next
    ' Delete the two policy values the worm sets to lock out the Registry Editor and Task Manager
    Set shl = CreateObject("WScript.Shell")
    Set fso = CreateObject("Scripting.FileSystemObject")   ' not used below; harmless
    shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
    shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
    6- Save the Notepad file as "Enable.VBS" and change the file type to "All"
    7- Double-click "Enable.VBS"
    8- Now Start>Run. Write "Regedit" in it and press Enter
    9- Do the following changes in the Registry

    In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
    In the right panel, locate and delete the entry:
    Yahoo Messengger = "%System%\RVHOST.exe"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
    Removing Other Entry from the Registry

    Still in Registry Editor, in the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>
    CurrentVersion>Policies>Explorer
    In the right panel, locate and delete the entry:
    NofolderOptions = "1"
    Restoring Modified Entries from the Registry

    Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    CurrentVersion>Winlogon
    In the right panel, locate the entry:
    Shell = "Explorer.exe RVHOST.exe"
    Right-click on the value name and choose Modify. Change the value data of this entry to:
    Explorer.exe
    In the right panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>Schedule
    In the right panel, locate the entry:
    NextAtJobId = "2"
    Right-click on the value name and choose Modify. Change the value data of this entry to:
    1
    Close Registry Editor.
    Deleting the Malware File(s)

    Right-click Start then click Search... or Find.. depending on the version of Windows you are running.
    In the Named input box, type:
    AT1.JOB
    In the Look In drop-down list, select My Computer, then press Enter.
    Once located, select the file then press SHIFT+DELETE.
    Note: AT1.JOB is a Scheduled Task so you can find this in C:\WINDOWS
  • Sep 19, 2007, 09:29 PM
    Syed Fasih
    Quote:

    Originally Posted by aferoz
    Does anyone have idea about the RVHOST.EXE malware, and how to remove this permanently, or Patch the OS in order not to get infected again in future?

    Mcafee version 8.0 + Antispyware + Patch 14 cannot remove this malware :o :o

    The only software that can remove this is PREVX, but its a trial of 30-days only !, and as soon as the software is removed the system will get infected again most probably through sharing files with Mobile (Flash) disks ..................

    Please, do let me know if there is any solution for this ......

    Feroz.
    Kabul.


    FEROZ just download AVG Antivirus from the location : AVG Anti-Virus Free Edition download from Antivirus category
    This will remove the malware... ;) Take Care...

    Syed Fasih (Karachi)
  • Sep 19, 2007, 09:36 PM
    Syed Fasih
    Quote:

    Originally Posted by aferoz
    Does anyone have idea about the RVHOST.EXE malware, and how to remove this permanently, or Patch the OS in order not to get infected again in future?

    Mcafee version 8.0 + Antispyware + Patch 14 cannot remove this malware :o :o

    The only software that can remove this is PREVX, but its a trial of 30-days only !, and as soon as the software is removed the system will get infected again most probably through sharing files with Mobile (Flash) disks ..................

    Please, do let me know if there is any solution for this ......

    Feroz.
    Kabul.

    After you remove the malware using AVG Antivirus, you need to unlock the Task Manager and the Registry Editor.
    1. In the Run dialog type: gpedit.msc

    2. TASK MANAGER
    ============
    Go to User Configuration, then Administrative Templates, then System, then Alt+Ctrl+Del Options. Double-click "Remove Task Manager" in the right-side window and set it to Disabled.

    3. Registry Editor
    ============
    Go to User Configuration, then Administrative Templates, then System. Double-click "Prevent access to registry editing tools" in the right-side window and set it to Disabled.
  • Jan 6, 2008, 11:08 AM
    babadikya
    Fantastic! I have made it!! Thank you Zaithe.
  • Feb 10, 2008, 10:03 PM
    BigBee
    Yes indeed, Fantastic : I did all the aforementioned and it worked very well in the end, but... but... but :

    At first, I couldn't get my "Run" nor my "Search" option on the Start Menu, as well as the rest. The virus (or worm) had it all blocked.

    So, I did what Zaithe tells us to do from point #5 to #7. But it didn't work. I double-clicked on my "enable.vbs" but to no avail. I also tried to merge the .reg program of ANETGames (Quote: "Because this threat may make it unable to access the registry editor, you may need to merge a .REG program. I have attached one for you which I made, that will re-enable Task Manager, folder options, and allow you to use the registry editor").

    So, I had to go on the same website, looking for answers and it led me to a little program specially written by Symantec to unblock "regedit.exe", the registry editor. It worked.

    Then, as I still didn't have any "search" nor "run" nor "folder" options available at this stage in my Explorer, I had to resort to the marvelous "Total Commander" of Christian Ghisler to retrieve regedit.exe on c:\windows. THEN and only THEN could I edit the registry and make the necessary changes as ANETGames, Zaithe and Syed Fasih tell us to do.

    I retrieved ALL my options, got rid of this pesky worm and it all went well. Thank you all. :D
  • Feb 12, 2008, 01:22 PM
    BigBee
    Quote:

    Originally Posted by ANETGames
    Go to: HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\Explorer
    "nofolderoptions" = 1 (CHANGE IT TO 0)

    Hi ANETGames. I did this (along with the rest) and it didn't work at first. I still didn't get my "Folder Options" back. So, I searched deeper into the Registry and found another key that I had to modify as well:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Then, it worked, I got it back. Hope it can help others facing similar problem.

    PS: Just in case: Once into the Registry, hit CTRL+F (on your keyboard... ) to reach the Search option, then type 'nofolderoptions' in the search box and hit <Enter>. You'll find the first one, then hit the F3 key for the next occurrence.
  • Feb 13, 2008, 08:45 PM
    invisibleman_productions
    My client got rid of the problem with a complete scan with the stand alone anti virus scanner Dr Web

    Dr.Web - innovative technologies for information security. Antivirus & antispam protection. / Download / Programs for Windows
    ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe

    And superantispyware
    http://downloads2.superantispyware.c...ntiSpyware.exe
  • Feb 28, 2008, 01:30 AM
    Zaithe
    Well, the solution I gave before was working brilliantly when this rvhost.exe virus started to spread, but now I find that this virus uses more than one technique, so here's another, better and more up-to-date solution, although my last solution is still working.

    1- Download any third-party task manager software. Install and run it; you'll see an exe with an icon the same as the folder icon. Delete that exe. The exe can have any name, like "natu*", "rvhost.exe", etc. Just remember one thing: delete the exe with the folder-like icon.
    Security Task Manager download and review - security enhanced task manager from SnapFiles
    2- Then go to My Computer>System Restore and turn off System Restore. Apply and OK.
    3- Then download a VB script to enable Folder Options:
    Enable/Disable Folder Options
    4- Go to Folder Options>View. Click "Show hidden files and folders" and uncheck "Hide protected operating system files". Apply and OK.
    --------
    NOTE: If you have the latest updated virus, then just run an antivirus after these steps. It will surely remove the virus. Actually this virus hides itself and runs with Autorun.inf, which is shown after you uncheck "Hide protected...". So clean the system with an updated antivirus. I used Trend Micro and it's working smoothly.
    ----------
    5- Now search for "*.exe" on the system and delete the exe which has the same icon as a folder. Search the C drive for the prefetch and delete it; if not found, then search for "ravmon.exe" on the C drive and delete the prefetch; if not found, then search for "%System%\RVHOST.exe". If you can't find any prefetch, don't get tense.
    6- Enable your Registry with a script (available on the Internet) and do the following changes in the Registry:

    In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
    In the right panel, locate and delete the entry:
    Yahoo Messengger = "%System%\RVHOST.exe"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
    Removing Other Entry from the Registry

    Still in Registry Editor, in the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>
    CurrentVersion>Policies>Explorer
    In the right panel, locate and delete the entry:
    NofolderOptions = "1"
    Restoring Modified Entries from the Registry

    Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    CurrentVersion>Winlogon
    In the right panel, locate the entry:
    Shell = "Explorer.exe RVHOST.exe"
    Right-click on the value name and choose Modify. Change the value data of this entry to:
    Explorer.exe
    In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>Schedule
    In the right panel, locate the entry:
    NextAtJobId = "2"
    Right-click on the value name and choose Modify. Change the value data of this entry to:
    1
    Close Registry Editor.

    7- Now Start>Run and write "msconfig". Click OK and then click the Startup tab in the Msconfig window. Disable the entry of "…". Click OK and restart the system.

    Caution: Don't ever open a USB drive with a double-click. Just go to the address bar and write the USB drive name, because the USB may be infected with this virus. It places Autorun.inf on it and runs the virus exe when you double-click the USB. This virus spreads through USB.

    Hope this will help you a lot. If any problem, do let me know. Maybe you'll find something different, because this virus's attack method is not always the same. Best of luck.
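A read-only PowerShell check for the carrier Zaithe warns about: a removable drive holding an autorun.inf plus an executable hidden with the Hidden and System attributes (the reason step 4 above unhides protected operating system files). This is an added example, not code from the thread; the script name Check-RemovableAutorun.ps1 is my own, and it assumes PowerShell 3 or later for Get-CimInstance.

```powershell
# Check-RemovableAutorun.ps1 (hypothetical name; added example, not from the thread).
# For each removable drive, report an autorun.inf and the program it would
# launch, and list executables hidden with the Hidden+System attributes in the
# drive root. Read-only: nothing is deleted or executed.

function Get-AutorunTargets([string]$InfPath) {
    # Return the launch directives of an autorun.inf: open=, shellexecute=,
    # and shell\<verb>\command= lines. Section headers, icon= and label= are ignored.
    $targets = @()
    foreach ($line in @(Get-Content -LiteralPath $InfPath -Force -ErrorAction SilentlyContinue)) {
        if ($line -match '^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$') {
            $targets += "$($Matches[1]) = $($Matches[2])"
        }
    }
    return $targets
}

# DriveType 2 = removable disk (USB flash drives); optical drives are type 5.
foreach ($disk in @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2')) {
    $root = $disk.DeviceID + '\'
    "Drive $root"
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        "  autorun.inf present; launch directives:"
        foreach ($t in Get-AutorunTargets $inf) { "    $t" }
    }
    # Executables Explorer will not show until 'Hide protected operating system files' is cleared.
    Get-ChildItem -LiteralPath $root -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                       ($_.Attributes -band [IO.FileAttributes]::System) } |
        ForEach-Object { "  hidden+system executable: $($_.Name) ($($_.Length) bytes)" }
}
```

Run it with the drive plugged in and the output tells you what the drive carries before anything on it is opened. One caveat for readers on newer systems: since Windows 7 (and on XP/Vista with update KB971029), AutoRun is no longer honoured for USB flash drives, so an autorun.inf found this way is evidence of an infected carrier rather than an automatic execution path; Zaithe's advice to type the drive letter instead of double-clicking still protects the older machines this thread is about.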
  • Jun 19, 2008, 08:53 AM
    yusoff44
    Thanks a lot Zaithe!! I followed your instructions above (Feb 28,2008) and it worked!

    Wish to add a few for others to follow and get things done easily.

    - At instruction #6 (after you search for and delete the prefetch file), the script to enable the Registry (regedit) can be found here
    - And to re-enable the Task Manager, open a blank Notepad (Start>Run>Notepad>OK), copy and paste the following script, which I found:
    Quote:

    REGEDIT4
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=dword:00000000
    -Save as any name you want but with .reg extension. Eg.: taskmgr.reg
    -And at 'Save as type', choose "All files".
    -Save it on the Desktop for easy retrieval, click save.
    -Run the 'taskmgr.reg' by double-clicking it.
    -Click 'Yes' when Registry Editor ask 'If you want to add the info to the registry', click 'OK' to acknowledge.
    -Press ctrl+alt+del and wallah!.
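The registry work that ANETGames, Zaithe and yusoff44 describe by hand (Run key entries naming RVHOST.exe, the hijacked Winlogon Shell value, the DisableTaskMgr / DisableRegistryTools / NoFolderOptions policies, the dropped files and At1.job) can be audited in one pass. The script below is an added example for this thread, not code from any poster; the file name Audit-Rvhost.ps1 and the -Remediate switch are my own. It only reports unless -Remediate is given, and it needs an elevated PowerShell prompt because the HKLM values and the Tasks folder are system-owned.

```powershell
# Audit-Rvhost.ps1 (hypothetical name; added example, not from the thread).
# Checks the persistence points and lockdown policies the posts above fix by
# hand. Read-only unless -Remediate is given. Run from an elevated prompt.
param([switch]$Remediate)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Where, $Name, $Value, $Fix) {
    $findings.Add([pscustomobject]@{ Where = $Where; Name = $Name; Value = $Value; Fix = $Fix })
}

# 1. Running copy of the worm (the thread's "taskkill /T /IM RVHOST.EXE" step).
#    Stopped first so it cannot rewrite the keys cleaned below.
foreach ($proc in @(Get-Process -Name rvhost -ErrorAction SilentlyContinue)) {
    Add-Finding 'Process' $proc.ProcessName $proc.Id 'Stop process'
    if ($Remediate) { Stop-Process -Id $proc.Id -Force }
}

# 2. Run keys: any value whose data names rvhost.exe (e.g. "Yahoo Messengger").
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($hive in 'HKCU', 'HKLM') {
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $run)) { continue }
    foreach ($p in (Get-ItemProperty -Path $run).PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }   # provider metadata, not Run values
        if ("$($p.Value)" -match 'rvhost\.exe') {
            Add-Finding $run $p.Name $p.Value 'Delete value'
            if ($Remediate) { Remove-ItemProperty -Path $run -Name $p.Name }
        }
    }
}

# 3. Winlogon Shell: anything beyond explorer.exe ("Explorer.exe RVHOST.exe") is a hijack.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    Add-Finding $winlogon 'Shell' $shell 'Set to explorer.exe'
    if ($Remediate) { Set-ItemProperty -Path $winlogon -Name Shell -Value 'explorer.exe' }
}

# 4. Lockdown policies the worm sets to 1. Checked in HKCU and HKLM, since BigBee
#    found the Explorer policy duplicated under HKLM. (The real value name is
#    DisableTaskMgr; ANETGames' post spells it DisableTaskManager.)
$policies = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' }
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' }
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
)
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($pol in $policies) {
        $key = "${hive}:\$($pol.Key)"
        $val = (Get-ItemProperty -Path $key -Name $pol.Name -ErrorAction SilentlyContinue).($pol.Name)
        if ($val -eq 1) {
            Add-Finding $key $pol.Name $val 'Set to 0'
            if ($Remediate) { Set-ItemProperty -Path $key -Name $pol.Name -Value 0 -Type DWord }
        }
    }
}

# 5. Dropped copies and the At1.job scheduled task named in the thread.
$paths = @(
    (Join-Path $env:windir 'system32\RVHOST.exe'),
    (Join-Path $env:windir 'rvhost.exe'),
    (Join-Path $env:windir 'Tasks\At1.job')
)
foreach ($f in $paths) {
    if (Test-Path -LiteralPath $f) {
        Add-Finding 'File' $f '' 'Delete file'
        if ($Remediate) { Remove-Item -LiteralPath $f -Force }
    }
}

if ($findings.Count -eq 0) { 'No RVHOST indicators found.' } else { $findings | Format-Table -AutoSize }
```

Run `.\Audit-Rvhost.ps1` first and read the table; run it again with `-Remediate` once you are satisfied, then a third time to confirm nothing came back (yusoff44's experience above is exactly the case where the process was not fully stopped and the keys were rewritten). Policy changes take effect for the current session after a log off and log on, as the VB scripts in the thread also ask for. The script deliberately leaves `NextAtJobId` and `AtTaskMaxHours` alone: with At1.job deleted they are cosmetic, and the thread's own values for them differ between posts.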
  • Jun 29, 2008, 11:54 AM
    isangsweet
    Quote:

    Originally Posted by Zaithe
    Follow these steps to completely remove this worm:
    1-Start>RUN
    2-Write CMD
    3-In CMD,write "Taskkill /T /IM "RVHOST.EXE"
    then open a Notepad Start>RUn
    4-Write "NOtepad"
    5-in notepad paste these lines below
    On Error Resume Next
    Set shl = CreateObject("WScript.Shell")
    Set fso = CreateObject("scripting.FileSystemObject")
    shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
    shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
    shl.RegDelete
    6- save the notepad as "Enable.VBS" and the change the file type to "All"
    7-double click "Enable.VBS"
    8-now Start>Run. Write "Regedit" in it and press enter

    after this procedure, there's a statement saying "Registry editing has been disabled by your administrator" what will I do?

    Thanks
  • Jun 29, 2008, 08:11 PM
    yusoff44
    isangsweet,

    As Zaithe mentioned in his/her reply on 'Feb 28, 2008 07:30 AM', he mentioned that "this virus use more than one techniques" and suggested another solution. Have you tried that one yet? I directly jumped to his new solution the first time and it worked.

    However, last week as I tried to remove this pesky exe from a friend's notebook/laptop, after I ran the 'Enable.VBS', when I typed 'regedit' in Run, I got "Registry editing has been disabled by your administrator", just like you did.

    What I found out was, the exe was not 'killed' entirely and I had to repeat the process all over again. I restarted the laptop and started with finding (and deleting) the 'folder icon' using the 'Security Task Manager' again. Follow every step he mentioned (big thanks, Zaithe).

    The VB scripts given always ask you to 'Log Off' for the changes to take effect. I did not log off if it worked (either to enable Folder Options or the regedit). If it doesn't work (i.e. the Folder Options), only then do I log off and log back in. Try not to 'Restart', as I'm afraid the exe might come back again and you'd have to redo everything again, and it would be an endless silly loop...

    Good luck and god speed!. amen :)
  • Apr 14, 2009, 02:22 PM
    bloodwar666
    Quote:

    Originally Posted by Zaithe
    Follow these steps to completely remove this worm:
    1-Start>RUN
    2-Write CMD
    3-In CMD,write "Taskkill /T /IM "RVHOST.EXE"
    then open a Notepad Start>RUn
    4-Write "NOtepad"
    5-in notepad paste these lines below
    On Error Resume Next
    Set shl = CreateObject("WScript.Shell")
    Set fso = CreateObject("scripting.FileSystemObject")
    shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
    shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
    shl.RegDelete
    6- save the notepad as "Enable.VBS" and the change the file type to "All"
    7-double click "Enable.VBS"
    8-now Start>Run. Write "Regedit" in it and press enter
    9- Do the following changes in Registy

    In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
    In the right panel, locate and delete the entry:
    Yahoo Messengger = "%System%\RVHOST.exe"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
    Removing Other Entry from the Registry

    Still in Registry Editor, in the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>
    CurrentVersion>Policies>Explorer
    In the right panel, locate and delete the entry:
    NofolderOptions = "1"
    Restoring Modified Entries from the Registry

    Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    CurrentVersion>Winlogon
    In the right panel, locate the entry:
    Shell = "Explorer.exe RVHOST.exe"
    Right-click on the value name and choose Modify. Change the value data of this entry to:
    Explorer.exe
    In the right panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>Schedule
    In the right panel, locate the entry:
    NextAtJobId = "2"
    Right-click on the value name and choose Modify. Change the value data of this entry to:
    1
    Close Registry Editor.
    Deleting the Malware File(s)

    Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
    In the Named input box, type:
    AT1.JOB
    In the Look In drop-down list, select My Computer, then press Enter.
    Once located, select the file then press SHIFT+DELETE.
    Note: AT1.JOB is a Scheduled Task so you can find this in C:\WINDOWS

    Thank you so much Zaithe. Wew, I already removed the F* error on start-up on my notepad. Again, thanks dude. :D
  • Oct 4, 2010, 06:04 AM
    shuyin5
    All of these didn't work for me... thanks to my friend, all of this long process has a shortcut.

    Try this, guys... courtesy of paps global hehehe

    "we aint pros, but we work like one"

    100% will fix your prob


    http://net-studio.org/eng/patch/patch-for-virus/259.html?task=view
