Rvhost.exe Virus/Trojan/Worm
• Avira: WORM/Nuqel.A.1
• Symantec: W32.Imaut
• Kaspersky: Worm.Win32.AutoRun.fwl
• Avast: Win32:Hakaglan
• Panda: W32/Autorun.JFD
• Ikarus: Virus.Win32.Hakaglan
Rvhost.exe is a worm similar to our good old Newfolder.exe but comes with features more than just that. Rvhost.exe process is the process launched by this worm in order to spread itself through any of the methods of propagation possible. During the execution of this Rvhost.exe process, the computer's port is opened by the virus and is used to download further malware into the target computer. Rvhost.exe virus pings to several servers and malicious websites from which these files are downloaded to the temporary folder and automatically executed. Not only that, it also adds a copy of itself to all the accessible drives of the computer, including the network drives. So if you find this process running on your computer, you MUST immediately end it in order to protect your computer from other malware.
As I said, Rvhost.exe is a worm that makes a copy of itself in every drive accessible to it from the infected computer. So when a USB device is plugged into this computer, it adds its code to this drive with the same name as the folder or just as a newfolder. An autorun.inf is created to execute this file. When the user opens the drive in another system, he would probably think that it is a new folder and tries to access it. When double-clicked, the worm gets activated and launches a process. The process takes care of the rest. Another way this virus would enter a computer is through other Trojans. If you already have a Trojan or a Backdoor running on your system, there is a possibility that this Trojan is downloaded by that one. Such files are usually downloaded into the temporary folder of the computer and executed. So deleting your temporary folder items after every reboot is recommended if you want to stay away from such malicious programs.
Rvhost.exe exhibits the qualities of a Trojan and a worm. Here is what it does.
1. As soon as it enters the system, Rvhost.exe process runs in the background and one of your ports are opened. It then attempts to connect to a particular server.
2. It records keystrokes and thus your usernames and passwords are saved in a file. As soon as the connection with the server is established, Rvhost.exe sends the file to that server.
3. Apart from that, it may also download other malicious programs from this server.
4. It adds itself to the registry posing as the Yahoo Messengger(note the change in the spelling here). This way, it runs at every startup and continues executing the commands that it receives from the server.
5. The Rvhost.exe virus also disables your Task Manager and Registry editing tools which you may get back if you follow the instructions given here.
6. Even if you kill its process or disable its startup execution in the msconfig, it can still run. This is because it injects its code into processes like the explorer.exe and Winlogon.exe.
7. It also modifies your registry such that your "Show hidden files and folders" option doesn't work.
You'll have to delete the Rvhost.exe Trojan as early as possible. If the virus had spread throughout your computer, even formatting it cant save the system.
Rvhost.exe error might popup if you tried to remove the virus earlier. The main key to removing this Rvhost.exe Trojan is in the registry. Even if you had deleted the actual file, errors might come up saying that one of the files are missing. So please go through the instructions properly to avoid such errors. Follow the instructions given below for Rvhost.exe removal.
Posts that might help you here:
Enabling Safe Mode booting, Enabling the Registry , Enable Hidden files and folders option and Enabling the Command Prompt.
• Symantec: W32.Imaut
• Kaspersky: Worm.Win32.AutoRun.fwl
• Avast: Win32:Hakaglan
• Panda: W32/Autorun.JFD
• Ikarus: Virus.Win32.Hakaglan
What is Rvhost.exe process?
Rvhost.exe is a worm similar to our good old Newfolder.exe but comes with features more than just that. Rvhost.exe process is the process launched by this worm in order to spread itself through any of the methods of propagation possible. During the execution of this Rvhost.exe process, the computer's port is opened by the virus and is used to download further malware into the target computer. Rvhost.exe virus pings to several servers and malicious websites from which these files are downloaded to the temporary folder and automatically executed. Not only that, it also adds a copy of itself to all the accessible drives of the computer, including the network drives. So if you find this process running on your computer, you MUST immediately end it in order to protect your computer from other malware.
How did Rvhost.exe virus enter my computer?
As I said, Rvhost.exe is a worm that makes a copy of itself in every drive accessible to it from the infected computer. So when a USB device is plugged into this computer, it adds its code to this drive with the same name as the folder or just as a newfolder. An autorun.inf is created to execute this file. When the user opens the drive in another system, he would probably think that it is a new folder and tries to access it. When double-clicked, the worm gets activated and launches a process. The process takes care of the rest. Another way this virus would enter a computer is through other Trojans. If you already have a Trojan or a Backdoor running on your system, there is a possibility that this Trojan is downloaded by that one. Such files are usually downloaded into the temporary folder of the computer and executed. So deleting your temporary folder items after every reboot is recommended if you want to stay away from such malicious programs.
What does Rvhost.exe virus do?
Rvhost.exe exhibits the qualities of a Trojan and a worm. Here is what it does.
1. As soon as it enters the system, Rvhost.exe process runs in the background and one of your ports are opened. It then attempts to connect to a particular server.
2. It records keystrokes and thus your usernames and passwords are saved in a file. As soon as the connection with the server is established, Rvhost.exe sends the file to that server.
3. Apart from that, it may also download other malicious programs from this server.
4. It adds itself to the registry posing as the Yahoo Messengger(note the change in the spelling here). This way, it runs at every startup and continues executing the commands that it receives from the server.
5. The Rvhost.exe virus also disables your Task Manager and Registry editing tools which you may get back if you follow the instructions given here.
6. Even if you kill its process or disable its startup execution in the msconfig, it can still run. This is because it injects its code into processes like the explorer.exe and Winlogon.exe.
7. It also modifies your registry such that your "Show hidden files and folders" option doesn't work.
You'll have to delete the Rvhost.exe Trojan as early as possible. If the virus had spread throughout your computer, even formatting it cant save the system.
Are you getting an Rvhost.exe error?
Rvhost.exe error might popup if you tried to remove the virus earlier. The main key to removing this Rvhost.exe Trojan is in the registry. Even if you had deleted the actual file, errors might come up saying that one of the files are missing. So please go through the instructions properly to avoid such errors. Follow the instructions given below for Rvhost.exe removal.
Manual instructions to remove Rvhost.exe:
- Boot your computer in the Safe Mode. Click here if you're finding trouble doing that.
- As mentioned earlier, the key to deleting Rvhost.exe worm lies in the Registry. Your Registry is probably disabled by now. Follow these instructions to enable it again. Once it is enabled, go to run --> type
regeditto open the editor. - You will have to do the following modifications to prevent the worm from launching at every startup. Navigate to the following points in the Registry:
HKey_Current_User\Software\Microsoft\Windows\CurrentVersion\Run
Delete the entry
"Yahoo Messengger"="%SYSDIR%\RVHOST.exe"
HKey_Local_Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Look for the entry with the nameShellon the right side. Open the key, remove the name "Rvhost.exe" and save it back.
HKey_Local_Machine\SYSTEM\ControlSet001\Services\Schedule
Delete the following key from the right
"AtTaskMaxHours"=dword:00000000
HKey_Current_User\Software\Microsoft\Windows\CurrentVersion\Policies\System
Delete the following keys
• "DisableTaskMgr"=dword:00000001
• "DisableRegistryTools"=dword:00000001
HKey_Current_User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Now delete the key
• "NofolderOptions"=dword:00000001
Reboot your computer for the changes to take effect. But remember to boot it again in the Safe Mode. - Its time to completely remove Rvhost.exe from the system. After the restart, go to Start --> Run and type
cmdto open the Command Prompt. Type the following commands once it opens
- cd\
- cd Windows
- cd System32
- attrib -r -a -s -h RVHOST.exe
- del RVHOST.exe
- cd..
- attrib -r -a -s -h RVHOST.exe
- del RVHOST.exe
- cd\
- attrib -r -a -s -h autorun.inf
- del autorun.inf
- [Type the drive letter followed by a colon. Here's an example]D:
- attrib -r -a -s -h autorun.inf
- del autorun.inf
- Once all the autorun files are deleted, check the "Show hidden files and folders" in the folder options and delete all the files that you suspect. Remember that the files will have a .exe extension and look similar to a folder icon. So be careful not to launch the virus again.
- After you're sure you deleted all the malicious files, delete your temporary folder and reboot your computer. It must be back to normal.
Posts that might help you here:
Enabling Safe Mode booting, Enabling the Registry , Enable Hidden files and folders option and Enabling the Command Prompt.