    aferoz Posts: 3, Reputation: 1
    New Member
    #1
    Mar 12, 2007, 05:45 AM
    How to remove RVHOST.EXE malware ?
    Does anyone have idea about the RVHOST.EXE malware, and how to remove this permanently, or Patch the OS in order not to get infected again in future?

    McAfee version 8.0 + Antispyware + Patch 14 cannot remove this malware :o :o

    The only software that can remove this is PREVX, but it's a trial of 30-days only! and as soon as the software is removed the system will get infected again most probably through sharing files with Mobile (Flash) disks...

    Please, do let me know if there is any solution for this...

    Feroz.
    Kabul.
    ScottGem Posts: 64,966, Reputation: 6056
    Computer Expert and Renaissance Man
    #2
    Mar 12, 2007, 05:46 AM
    Try the info found here:

    Bleeping Computer - RVHOST.exe - Program Information
    ANETGames Posts: 51, Reputation: 3
    Junior Member
    #3
    Mar 14, 2007, 04:12 PM
    RVHOST.EXE is most commonly caused by a worm infection.
    You shouldn't continue to get this threat once it's deleted, unless you come into contact with it again. May I suggest using caution with flash drives, and don't open things that you are unsure about.

    Delete these files if they exist:
    C:\WINDOWS\SYSTEM32\RVHOST.exe
    c:\windows\rvhost.exe
    %all drives%\new folder.exe
    C:\Windows\Tasks\At1.job
    Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run in the registry, and you need to delete the entries which contain RVHOST.exe in them, or better yet, change them back to their appropriate paths.
    Go to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    "DisableTaskManager" = 1 (CHANGE IT TO 0)
    "DisableRegistryTools" = 1 (CHANGE IT TO 0)

    Go to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    "nofolderoptions" = 1 (CHANGE IT TO 0)

    Go to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
    "attaskmaxhours" = 0 (CHANGE IT TO 24)

    Because this threat may make you unable to access the registry editor, you may need to merge a .REG program.

    I have attached one for you which I made, that will re-enable Task Manager, folder options, and allow you to use the registry editor.
    Attached Files
    File Type: zip ANETGAMES-PKG_0023349.zip (360 Bytes, 23115 views)
    Zaithe Posts: 99, Reputation: 4
    Junior Member
    #4
    Apr 12, 2007, 01:22 AM
    Follow these steps to completely remove this worm:
    1-Start>Run
    2-Write CMD
    3-In CMD, write: taskkill /F /T /IM RVHOST.EXE
    then open Notepad: Start>Run
    4-Write "Notepad"
    5-in Notepad paste these lines below
    ' Keep going if a value is already missing
    On Error Resume Next
    Set shl = CreateObject("WScript.Shell")
    Set fso = CreateObject("Scripting.FileSystemObject")
    ' Remove the two policy values that lock Registry Editor and Task Manager
    shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
    shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
    6- save the Notepad file as "Enable.VBS" and change the file type to "All"
    7-double click "Enable.VBS"
    8-now Start>Run. Write "Regedit" in it and press Enter
    9- Do the following changes in the Registry

    In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
    In the right panel, locate and delete the entry:
    Yahoo Messengger = "%System%\RVHOST.exe"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
    Removing Other Entry from the Registry

    Still in Registry Editor, in the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>
    CurrentVersion>Policies>Explorer
    In the right panel, locate and delete the entry:
    NofolderOptions = "1"
    Restoring Modified Entries from the Registry

    Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    CurrentVersion>Winlogon
    In the right panel, locate the entry:
    Shell = "Explorer.exe RVHOST.exe"
    Right-click on the value name and choose Modify. Change the value data of this entry to:
    Explorer.exe
    In the right panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>Schedule
    In the right panel, locate the entry:
    NextAtJobId = "2"
    Right-click on the value name and choose Modify. Change the value data of this entry to:
    1
    Close Registry Editor.
    Deleting the Malware File(s)

    Right-click Start, then click Search... or Find..., depending on the version of Windows you are running.
    In the Named input box, type:
    AT1.JOB
    In the Look In drop-down list, select My Computer, then press Enter.
    Once located, select the file then press SHIFT+DELETE.
    Note: AT1.JOB is a Scheduled Task, so you can find this in C:\WINDOWS
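The checks that ANETGames (#3) and Zaithe (#4) walk through by hand, collected into one read-only PowerShell audit. This is an added example, not code from the thread or from any of the posters. It only reports; nothing is deleted or changed, so the findings can be reviewed before anything is touched in the registry. The key paths, value names and file paths are the ones named in the two posts; the indicator string 'RVHOST' and the assumption that Explorer.exe is the only legitimate Winlogon shell are mine. One detail: the policy value Windows honours for Task Manager is DisableTaskMgr (the name used in the VBScript in #4 and in the .reg file later in the thread), so that is what the script checks rather than "DisableTaskManager".

```powershell
# Added example (not from the thread): read-only audit of the persistence and
# lockdown locations named in posts #3 and #4. Run from an elevated PowerShell.
# Assumptions: indicator string 'RVHOST'; Explorer.exe is the only valid shell.
$Indicator = 'RVHOST'

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Policy values the worm sets to 1 to lock the user out of the usual tools.
$LockdownValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
)
# Dropped files and the scheduled AT job mentioned in the posts.
$FilePaths = @(
    "$env:SystemRoot\System32\RVHOST.exe",
    "$env:SystemRoot\RVHOST.exe",
    "$env:SystemRoot\Tasks\At1.job"
)

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value does not exist instead of throwing.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Find-Indicators {
    $findings = @()

    # 1. Run entries whose command line mentions the indicator.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own properties
            if ("$($p.Value)" -match $Indicator) {
                $findings += "Run entry '$($p.Name)' in $key -> $($p.Value)"
            }
        }
    }

    # 2. Winlogon Shell must be exactly Explorer.exe; the worm appends itself.
    $shell = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
    if ($shell -and $shell.Trim() -ne 'Explorer.exe') {
        $findings += "Winlogon Shell is '$shell' (expected 'Explorer.exe')"
    }

    # 3. Lockdown policies that hide Task Manager, regedit and Folder Options.
    foreach ($v in $LockdownValues) {
        $val = Get-RegValue $v.Key $v.Name
        if ($val -eq 1) { $findings += "Policy $($v.Name) = 1 under $($v.Key)" }
    }

    # 4. Files on disk.
    foreach ($f in $FilePaths) {
        if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
    }

    return $findings
}

$result = @(Find-Indicators)
if ($result.Count -eq 0) { 'No RVHOST indicators found.' }
else { $result | ForEach-Object { "[!] $_" } }
```

A clean machine prints a single line. On an infected one each finding maps directly to one of the manual steps above (which Run entry to delete, which Shell value to restore, which policy value to clear, which file to remove), so the script doubles as a checklist after cleanup: run it again and it should come back empty.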
    Syed Fasih Posts: 2, Reputation: 1
    New Member
    #5
    Sep 19, 2007, 09:29 PM
    Quote Originally Posted by aferoz
    Does anyone have idea about the RVHOST.EXE malware, and how to remove this permanently, or Patch the OS in order not to get infected again in future?

    McAfee version 8.0 + Antispyware + Patch 14 cannot remove this malware :o :o

    The only software that can remove this is PREVX, but it's a trial of 30 days only! And as soon as the software is removed the system will get infected again, most probably through sharing files with Mobile (Flash) disks...

    Please, do let me know if there is any solution for this ......

    Feroz.
    Kabul.

    FEROZ just download AVG Antivirus from the location : AVG Anti-Virus Free Edition download from Antivirus category
    This will remove the malware... ;) Take Care...

    Syed Fasih (Karachi)
    Syed Fasih Posts: 2, Reputation: 1
    New Member
    #6
    Sep 19, 2007, 09:36 PM
    Quote Originally Posted by aferoz
    Does anyone have idea about the RVHOST.EXE malware, and how to remove this permanently, or Patch the OS in order not to get infected again in future?

    McAfee version 8.0 + Antispyware + Patch 14 cannot remove this malware :o :o

    The only software that can remove this is PREVX, but it's a trial of 30 days only! And as soon as the software is removed the system will get infected again, most probably through sharing files with Mobile (Flash) disks...

    Please, do let me know if there is any solution for this ......

    Feroz.
    Kabul.
    After you remove the malware using AVG Antivirus, you need to unlock the Task Manager and the Registry Editor:
    1. In the Run dialog type: gpedit.msc

    2. TASK MANAGER
    ============
    Go to User Configuration, then Administrative Templates, then System, then Ctrl+Alt+Del Options. Double-click "Remove Task Manager" in the right-side window and set it to Disabled.

    3. Registry Editor
    ============
    Go to User Configuration, then Administrative Templates, then System. Double-click "Prevent access to registry editing tools" in the right-side window and set it to Disabled.
    babadikya Posts: 3, Reputation: 1
    New Member
    #7
    Jan 6, 2008, 11:08 AM
    Fantastic! I have made it!! Thank you Zaithe.
    BigBee Posts: 3, Reputation: 1
    New Member
    #8
    Feb 10, 2008, 10:03 PM
    Yes indeed, fantastic: I did all the aforementioned and it worked very well in the end, but... but... but:

    At first, I couldn't get my "Run" nor my "Search" option on the Start Menu, as well as the rest. The virus (or worm) had it all blocked.

    So, I did what Zaithe tells us to do from point #5 to #7. But it didn't work. I double-clicked on my "enable.vbs" but to no avail. I also tried to merge the .reg program of ANETGames (Quote: "Because this threat may make it unable to access the registry editor, you may need to merge a .REG program. I have attached one for you which I made, that will re-enable Task Manager, folder options, and allow you to use the registry editor").

    So, I had to go on the same website, looking for answers, and it led me to a little program specially written by Symantec to unblock "regedit.exe", the registry editor. It worked.

    Then, as I still didn't have any "search" nor "run" nor "folder" options available at this stage in my Explorer, I had to resort to the marvelous "Total Commander" of Christian Ghisler to retrieve regedit.exe in c:\windows. THEN and only THEN could I edit the registry and make the necessary changes as ANETGames, Zaithe and Syed Fasih tell us to do.

    I retrieved ALL my options, got rid of this pesky worm and it all went well. Thank you all. :D
    BigBee Posts: 3, Reputation: 1
    New Member
    #9
    Feb 12, 2008, 01:22 PM
    Quote Originally Posted by ANETGames
    Go to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    "nofolderoptions" = 1 (CHANGE IT TO 0)
    Hi ANETGames. I did this (along with the rest) and it didn't work at first. I still didn't get my "Folder Options" back. So, I searched deeper into the Registry and found another key that I had to modify as well:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Then it worked, I got it back. Hope it can help others facing a similar problem.

    PS: Just in case: once in the Registry, hit CTRL+F (on your keyboard...) to reach the Search option, then type 'nofolderoptions' in the search box and hit <Enter>. You'll find the first one, then hit the F3 key for the next occurrence.
    Zaithe Posts: 99, Reputation: 4
    Junior Member
    #11
    Feb 28, 2008, 01:30 AM
    Well, the solution I gave before was working brilliantly when this rvhost.exe virus started to spread, but now I find that this virus uses more than one technique, so here's another better and latest solution, although my last solution is still working.

    1- Download any third party task manager software. Install and run it; you'll see an exe with an icon the same as the folder icon. Delete that exe. The exe can have any name like "natu*", "rvhost.exe" etc. Just remember one thing: delete the exe with the folder-like icon.
    Security Task Manager download and review - security enhanced task manager from SnapFiles
    2-Then go to My Computer>System Restore and turn off System Restore. Apply and OK.
    3-Then download a VB script to enable Folder Options
    Enable/Disable Folder Options
    4-Go to Folder Options>View. Click "Show hidden files and folders" and uncheck "Hide protected operating system files". Apply and OK.
    --------
    NOTE: If you have the latest updated virus then just run an antivirus after these steps. It'll surely remove the virus. Actually this virus hides itself and runs with Autorun.inf, which is shown after you uncheck "Hide protected...". So clean the system with an updated antivirus. I used Trend Micro and it's working smoothly.
    ----------
    5- Now search "*.exe" in the system and delete the exe which has the same icon as a folder. Then search in C drive and delete the prefetch; if not found, then search with "ravmon.exe" in C drive and delete the prefetch; if not found, then search with "%System%\RVHOST.exe". If you don't find any prefetch, don't get tense.
    6-Enable your Registry with a script (available on the Internet) and do the following changes in the Registry

    In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
    In the right panel, locate and delete the entry:
    Yahoo Messengger = "%System%\RVHOST.exe"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
    Removing Other Entry from the Registry

    Still in Registry Editor, in the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>
    CurrentVersion>Policies>Explorer
    In the right panel, locate and delete the entry:
    NofolderOptions = "1"
    Restoring Modified Entries from the Registry

    Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    CurrentVersion>Winlogon
    In the right panel, locate the entry:
    Shell = "Explorer.exe RVHOST.exe"
    Right-click on the value name and choose Modify. Change the value data of this entry to:
    Explorer.exe
    In the right panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>Schedule
    In the right panel, locate the entry:
    NextAtJobId = "2"
    Right-click on the value name and choose Modify. Change the value data of this entry to:
    1
    Close Registry Editor.

    7- Now Start>Run and write "msconfig". Click OK and then click the Startup tab in the Msconfig window. Disable the entry of "…". Click OK and restart the system.

    Caution: Don't ever open a USB drive with a double click. Just go to the address bar and write the USB drive name, because the USB may be infected with this virus. It places Autorun.inf in it and it runs the virus exe when you double-click the USB. This virus spreads through USB.

    Hope this'll help you a lot. If any problem, do let me know. Maybe you'll find something different because this virus's attack way is not always the same. Best of luck
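Zaithe's caution about not double-clicking the USB drive comes down to autorun.inf: the file tells Explorer what to launch when the drive is opened. The script below is an added example, not code from the post. It inspects removable drives without opening them: it parses any autorun.inf it finds, reports which keys would launch a program, and lists root-level executables that are hidden or that share a name with a folder next to them (the folder-icon disguise described in step 1). Assumptions are mine: the drive is already mounted, removable drives are identified by WMI DriveType 2, and the two file heuristics are only indicators, not proof.

```powershell
# Added example (not from the thread): inspect removable drives for the
# autorun.inf spreading vector described above. Read-only; nothing is changed.

function Read-AutorunInf {
    param([string]$Path)
    # Minimal INI parse: returns a hashtable of key=value pairs from [autorun].
    $launch = @{}
    $inSection = $false
    foreach ($raw in Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inSection -or $line -eq '' -or $line.StartsWith(';')) { continue }
        $kv = $line -split '=', 2
        if ($kv.Count -eq 2) { $launch[$kv[0].Trim()] = $kv[1].Trim() }
    }
    return $launch
}

function Get-RemovableDriveFindings {
    $findings = @()
    # DriveType 2 = removable disk (USB sticks, card readers).
    $drives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2'
    foreach ($d in $drives) {
        $root = $d.DeviceID + '\'

        # 1. What would autorun.inf launch? open=, shellexecute= and
        #    shell\<verb>\command= all run a program when the drive is opened.
        $inf = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $launch = Read-AutorunInf $inf
            foreach ($k in $launch.Keys) {
                if ($k -match '^(open|shellexecute|shell\\.+\\command)$') {
                    $findings += "$root autorun.inf would run: $k=$($launch[$k])"
                }
            }
        }

        # 2. Root-level .exe files that are hidden or mimic a folder's name.
        $folders = @(Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
                     Where-Object { $_.PSIsContainer } | ForEach-Object { $_.Name })
        $exes = @(Get-ChildItem -LiteralPath $root -Force -Filter '*.exe' -ErrorAction SilentlyContinue |
                  Where-Object { -not $_.PSIsContainer })
        foreach ($exe in $exes) {
            $why = @()
            if (($exe.Attributes -band [IO.FileAttributes]::Hidden) -eq [IO.FileAttributes]::Hidden) {
                $why += 'hidden'
            }
            if ($folders -contains $exe.BaseName) { $why += 'same name as a folder beside it' }
            if ($why.Count -gt 0) { $findings += "$($exe.FullName): $($why -join ', ')" }
        }
    }
    return $findings
}

$result = @(Get-RemovableDriveFindings)
if ($result.Count -eq 0) { 'Nothing suspicious on removable drives.' }
else { $result | ForEach-Object { "[!] $_" } }
```

Because the script only reads files and never invokes anything from the drive, it is safe to run before the drive is opened in Explorer; the "would run" line tells you exactly which file a double-click would have started.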
    yusoff44 Posts: 2, Reputation: 1
    New Member
    #12
    Jun 19, 2008, 08:53 AM
    Thanks a lot Zaithe!! I followed your instructions above (Feb 28, 2008) and it worked!

    Wish to add a few for others to follow and get things done easily.

    - At instruction #6 (after searching and deleting the prefetch file), the script to enable the Registry (regedit) can be found here
    - And to re-enable the Task Manager, open a blank Notepad (Start>Run>Notepad>OK), copy and paste the following script, which I found:
    REGEDIT4
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=dword:00000000
    -Save as any name you want but with .reg extension. E.g.: taskmgr.reg
    -And at 'Save as type', choose "All files".
    -Save it on the Desktop for easy retrieval, click Save.
    -Run the 'taskmgr.reg' by double-clicking it.
    -Click 'Yes' when Registry Editor asks if you want to add the info to the registry, then click 'OK' to acknowledge.
    -Press Ctrl+Alt+Del and voilà!
    isangsweet Posts: 1, Reputation: 1
    New Member
    #13
    Jun 29, 2008, 11:54 AM
    Quote Originally Posted by Zaithe
    Follow these steps to completely remove this worm:
    1-Start>Run
    2-Write CMD
    3-In CMD, write: taskkill /F /T /IM RVHOST.EXE
    then open Notepad: Start>Run
    4-Write "Notepad"
    5-in Notepad paste these lines below
    On Error Resume Next
    Set shl = CreateObject("WScript.Shell")
    Set fso = CreateObject("Scripting.FileSystemObject")
    shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
    shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
    6- save the Notepad file as "Enable.VBS" and change the file type to "All"
    7-double click "Enable.VBS"
    8-now Start>Run. Write "Regedit" in it and press Enter

    After this procedure, there's a statement saying "Registry editing has been disabled by your administrator". What will I do?

    Thanks
    yusoff44 Posts: 2, Reputation: 1
    New Member
    #14
    Jun 29, 2008, 08:11 PM
    isangsweet,

    As Zaithe mentioned in his/her reply on 'Feb 28, 2008 07:30 AM', he mentioned that "this virus use more than one techniques" and suggested another solution. Have you tried that one yet? I directly jumped to his new solution the first time and it worked.

    However, last week as I tried to remove this pesky exe from a friend's notebook/laptop, after I ran the 'Enable.VBS', when I typed 'regedit' in Run, I got "Registry editing has been disabled by your administrator", just like you did.

    What I found out was, the exe was not 'killed' entirely and I had to repeat the process all over again. I restarted the laptop and started with finding (and deleting) the 'folder icon' using the 'Security Task Manager' again. Followed every step he mentioned (big thanks, Zaithe).

    The VB scripts given always ask you to 'Log Off' for the changes to take effect. I did not log off if it worked (either to enable Folder Options or the regedit). If it doesn't work (i.e. the Folder Options), only then do I log off and log back in. Try not to 'Restart', as I am afraid the exe might come back again and you have to redo everything again and it will be an endless silly loop...

    Good luck and godspeed! Amen :)
    bloodwar666 Posts: 1, Reputation: 1
    New Member
    #15
    Apr 14, 2009, 02:22 PM
    Quote Originally Posted by Zaithe View Post
    Follow these steps to completely remove this worm:
    1-Start>Run
    2-Write CMD
    3-In CMD, write: taskkill /F /T /IM RVHOST.EXE
    then open Notepad: Start>Run
    4-Write "Notepad"
    5-in Notepad paste these lines below
    On Error Resume Next
    Set shl = CreateObject("WScript.Shell")
    Set fso = CreateObject("Scripting.FileSystemObject")
    shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
    shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
    6- save the Notepad file as "Enable.VBS" and change the file type to "All"
    7-double click "Enable.VBS"
    8-now Start>Run. Write "Regedit" in it and press Enter
    9- Do the following changes in the Registry

    In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
    In the right panel, locate and delete the entry:
    Yahoo Messengger = "%System%\RVHOST.exe"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
    Removing Other Entry from the Registry

    Still in Registry Editor, in the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>
    CurrentVersion>Policies>Explorer
    In the right panel, locate and delete the entry:
    NofolderOptions = "1"
    Restoring Modified Entries from the Registry

    Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    CurrentVersion>Winlogon
    In the right panel, locate the entry:
    Shell = "Explorer.exe RVHOST.exe"
    Right-click on the value name and choose Modify. Change the value data of this entry to:
    Explorer.exe
    In the right panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>Schedule
    In the right panel, locate the entry:
    NextAtJobId = "2"
    Right-click on the value name and choose Modify. Change the value data of this entry to:
    1
    Close Registry Editor.
    Deleting the Malware File(s)

    Right-click Start, then click Search... or Find..., depending on the version of Windows you are running.
    In the Named input box, type:
    AT1.JOB
    In the Look In drop-down list, select My Computer, then press Enter.
    Once located, select the file then press SHIFT+DELETE.
    Note: AT1.JOB is a Scheduled Task, so you can find this in C:\WINDOWS

    Thank you so much Zaithe. Wew, I already removed the F* error on start up on my notepad. Again thanks dude. :D
    shuyin5 Posts: 1, Reputation: 1
    New Member
    #16
    Oct 4, 2010, 06:04 AM
    all of these didn't work for me... thanks to my friend all of this long process has a shortcut

    try this guys... courtesy of paps global hehehe

    "we aint pros, but we work like one"

    100% will fix your prob


    http://net-studio.org/eng/patch/patch-for-virus/259.html?task=view
