Hi Yanto.Chiang,
Here you read instructions as how to remove this worm manually:
http://www.askmehelpdesk.com/spyware-viruses-etc/how-remove-rvhost-exe-malware-71164.htmlYou need to unlock the Task Manager and the Registery Editor
1. In the Run Dialog Type: gpedit.msc
2. TASK MANAGER
============
go to user configuration then Administrative Templates then System then Alt+Ctrl+Del Options double click Remove Task Manager at Right side window and set it to disabled
3. Registery Editor
============
go to user configuration then Administrative Templates then System then double click Prevent access to registert editing Tools at Right side window and set it to disabled
You can also use this tool to be able to use the Registry Editor again:
http://www.askmehelpdesk.com/attachments/spyware-viruses-etc/2944d1173913897-how-remove-rvhost-exe-malware-anetgames-pkg_0023349.zipZip-file checked here with DrWeb online scanner: :Checking:
http://www.askmehelpdesk.com/attachments/spyware-viruses-etc/2944d1173913897-how-remove-rvhost-exe-malware-anetgames-pkg_0023349.zipEngine version: 5.0.1.12222
Total virus-finding records: 900950
File size: 360 bytes
File MD5: 7a9d281c45d15d2da3d2ec2cf2c8a4eb
http://www.askmehelpdesk.com/attachments/spyware-viruses-etc/2944d1173913897-how-remove-rvhost-exe-malware-anetgames-pkg_0023349.zip - archive ZIP
>
http://www.askmehelpdesk.com/attachments/spyware-viruses-etc/2944d1173913897-how-remove-rvhost-exe-malware-anetgames-pkg_0023349.zip/re_enable_regedit&taskmanager&options.reg - Ok
http://www.askmehelpdesk.com/attachments/spyware-viruses-etc/2944d1173913897-how-remove-rvhost-exe-malware-anetgames-pkg_0023349.zip - Ok
Follow these steps to completely remove this worm:
1-Start>RUN
2-Write CMD
3-In CMD,write "Taskkill /T /IM "RVHOST.EXE"
then open a Notepad Start>RUn
4-Write "NOtepad"
5-in notepad paste these lines below
On Error Resume Next
Set shl = CreateObject("WScript.Shell")
Set fso = CreateObject("scripting.FileSystemObject")
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr entVersion\Policies\System\DisableRegistryTools"
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr entVersion\Policies\System\DisableTaskMgr"
shl.RegDelete
6- save the notepad as "Enable.VBS" and the change the file type to "All"
7-double click "Enable.VBS"
8-now Start>Run. Write "Regedit" in it and press enter
9- Do the following changes in Registy
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Yahoo Messengger = "%System%\RVHOST.exe"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)-->
Removing Other Entry from the Registry
Still in Registry Editor, in the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>
CurrentVersion>Policies>Explorer
In the right panel, locate and delete the entry:
NofolderOptions = "1"
Restoring Modified Entries from the Registry
Still in Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
CurrentVersion>Winlogon
In the right panel, locate the entry:
Shell = "Explorer.exe RVHOST.exe"
Right-click on the value name and choose Modify. Change the value data of this entry to:
Explorer.exe
In the right panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
Services>Schedule
In the right panel, locate the entry:
NextAtJobId = "2"
Right-click on the value name and choose Modify. Change the value data of this entry to:
1
Close Registry Editor.
Deleting the Malware File(s)
Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
In the Named input box, type:
AT1.JOB
In the Look In drop-down list, select My Computer, then press Enter.
Once located, select the file then press SHIFT+DELETE.
Note: AT1.JOB is a Sheduled Task so you can find this in C:\WINDOWS
polonus
