How to remove RVHOST.exe?? - Kickstory


Tuesday, July 7, 2009

How to remove RVHOST.exe??



Continued from the old post...

Follow these steps to completely remove this worm:

1-Start>Run
2-Write CMD
3-In CMD, write: Taskkill /T /IM "RVHOST.EXE" then open Notepad: Start>Run
4-Write "Notepad"
5-In Notepad, paste the lines below:

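' Delete the policy values that lock Registry Editor and Task Manager
On Error Resume Next ' a value that is already absent is skipped
Set shl = CreateObject("WScript.Shell")
Set fso = CreateObject("scripting.FileSystemObject")
' Remove the value that blocks Registry Editor
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
' Remove the value that blocks Task Manager
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
' shl.RegDelete  (this line is cut off in the post; its argument is missing)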

6-Save the file as "Enable.VBS" and change the file type to "All"
7-Double-click "Enable.VBS"
8-Now Start>Run. Write "Regedit" in it and press Enter
9-Make the following changes in the Registry. In the left panel, double-click the following:

HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run

In the right panel, locate and delete the entry:

Yahoo Messengger = "%System%\RVHOST.exe"

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)

Removing Other Entry from the Registry

Still in Registry Editor, in the left panel, double-click the following:

HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>Explorer

In the right panel, locate and delete the entry:

NofolderOptions = "1"

Restoring Modified Entries from the Registry

Still in Registry Editor, in the left panel, double-click the following:

HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon

In the right panel, locate the entry:

Shell = "Explorer.exe RVHOST.exe"

Right-click on the value name and choose Modify. Change the value data of this entry to:

Explorer.exe

In the left panel, double-click the following:

HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Schedule

In the right panel, locate the entry:

NextAtJobId = "2"

Right-click on the value name and choose Modify.

Change the value data of this entry to: 1

Close Registry Editor.

Deleting the Malware File(s)

Right-click Start then click Search... or Find..., depending on the version of Windows you are running.

In the Named input box, type: AT1.JOB

In the Look In drop-down list, select My Computer, then press Enter.

Once located, select the file then press SHIFT+DELETE.

Note: AT1.JOB is a Scheduled Task, so you can find it in C:\WINDOWS


You need to unlock the Task Manager and the Registry Editor

1. In the Run dialog, type: gpedit.msc

2. TASK MANAGER
============
Go to User Configuration, then Administrative Templates, then System, then Ctrl+Alt+Del Options. Double-click Remove Task Manager in the right-side window and set it to Disabled.

3. REGISTRY EDITOR
============
Go to User Configuration, then Administrative Templates, then System. Double-click Prevent access to registry editing tools in the right-side window and set it to Disabled.
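
The registry values and files named in the steps above can be checked in one pass with a read-only PowerShell audit, run before and after the cleanup. This is an added example, not part of the original post; it assumes PowerShell 3.0 or later, and the C:\WINDOWS\Tasks location for AT1.JOB is an assumption not stated in the post.

```powershell
# Added example: read-only audit of the indicators named in this post.
# Nothing is modified or deleted; rows marked CHECK still need the manual steps.
$cv = 'Software\Microsoft\Windows\CurrentVersion'
$checks = @(
    # Clean = $null means the value should not exist at all.
    @{ Key = "HKCU:\$cv\Policies\System";   Name = 'DisableRegistryTools'; Clean = $null }
    @{ Key = "HKCU:\$cv\Policies\System";   Name = 'DisableTaskMgr';       Clean = $null }
    @{ Key = "HKCU:\$cv\Run";               Name = 'Yahoo Messengger';     Clean = $null }
    @{ Key = "HKCU:\$cv\Policies\Explorer"; Name = 'NofolderOptions';      Clean = $null }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell';       Clean = 'Explorer.exe' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'
       Name = 'NextAtJobId'; Clean = '1' }
)

$registry = foreach ($c in $checks) {
    # A missing key or value yields no object, which is treated as "absent".
    $prop   = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($prop) { [string]$prop.($c.Name) } else { $null }
    if ($null -eq $c.Clean) { $ok = ($null -eq $actual) }
    else                    { $ok = ($actual -eq $c.Clean) }   # case-insensitive compare
    [pscustomobject]@{
        Item   = '{0}\{1}' -f $c.Key, $c.Name
        Found  = if ($null -eq $actual) { '<absent>' } else { $actual }
        Status = if ($ok) { 'OK' } else { 'CHECK' }
    }
}

$files = @(
    Join-Path ([Environment]::SystemDirectory) 'RVHOST.exe'   # %System%\RVHOST.exe
    Join-Path $env:SystemRoot 'AT1.JOB'                       # location given in the post
    Join-Path $env:SystemRoot 'Tasks\AT1.JOB'                 # assumption: scheduled-task folder
) | ForEach-Object {
    $present = Test-Path -LiteralPath $_
    [pscustomobject]@{
        Item   = $_
        Found  = if ($present) { 'present' } else { '<absent>' }
        Status = if ($present) { 'CHECK' } else { 'OK' }
    }
}

@($registry) + @($files) | Format-Table -AutoSize -Wrap
```

The HKCU checks apply only to the account running the script, so run it as the affected user.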
