Infected by RVHOST.exe?

WORM_SILLYFDC.B is a low-risk worm with medium damage and distribution potential. This worm copies itself into removable drives and runs on Windows 98, ME, NT, 2000, XP, and Server 2003. I’ve successfully removed this worm and all its traces from the system belonging to a [cute] friend. Hence, I created this step-by-step guide for other infected users. Hope it helps [in getting a cute friend].

1. Go to Start > Run…

2. Type “cmd” and click “Ok”. This opens Command Prompt.

3. In Command Prompt, type: taskkill /t /im "rvhost.exe"

4. Delete “rvhost.exe” in the following locations:

c:\windows\system32\
c:\windows\

5. Delete “new folder.exe” in the following location(s):

%all drives%\

6. Delete “at1.job” in the following location:

c:\windows\tasks\

7. Download and execute the following file to re-enable Task Manager, Registry Editor and Folder Options.

Re-Enable All.reg - Execute this file and restart system.

8. Go to Start > Run…

9. Type “regedit” and click “Ok”. This opens Registry Editor.

* If Registry Editor fails to open, download and execute the following file to re-enable Registry Editor.

Re-Enable Registry Editor.vbs - Execute this file and restart system.

Or for Windows XP Professional users, try this:

1. Go to Start > Run…
2. Type “gpedit.msc” and click “Ok”.
3. Go to User Configuration > Administrative Templates > System > Group Policy
4. Ensure all the entries are set to “Not Configured” in their properties.
5. Restart system.

10. Remove the Yahoo Messengger = “%System%\RVHOST.exe” entry in the following location:

HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run

(Note: %System% is the Windows system folder, usually C:\Windows\System for Windows 98 and Windows ME, C:\WINNT\System32 for Windows NT and Windows 2000, and C:\Windows\System32 for Windows XP and Server 2003.)

11. Modify nofolderoptions = “1” to nofolderoptions = “0” in the following location:

HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>Explorer

12. Modify shell = “explorer.exe rvhost.exe” to shell = “explorer.exe” in the following location:

HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon

13. Modify nextatjobid = “2” to nextatjobid = “1” in the following location:

HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Schedule

14. Modify attaskmaxhours = “0” to attaskmaxhours = “24” in the following location:

HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Schedule

15. Close Registry Editor and restart system.
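
To confirm the cleanup after the final restart, the following read-only batch script checks for the files from steps 4 to 6 and the registry values from steps 10 to 12. It is an added example, not part of the original guide; it assumes Windows XP or later (reg.exe available), drive letters C: to Z:, and that nofolderoptions is stored as a DWORD.

```bat
@echo off
rem Added example: read-only check for leftovers named in the guide.
rem Nothing is deleted or modified; the script only reports what it finds.
setlocal
set FOUND=0

rem Steps 4 and 6: worm copies and the scheduled job file.
rem %SystemRoot% is used so the check also works where Windows is not in C:\Windows.
for %%F in ("%SystemRoot%\system32\rvhost.exe" "%SystemRoot%\rvhost.exe" "%SystemRoot%\tasks\at1.job") do (
    if exist %%F call :hit file %%F
)

rem Step 5: "new folder.exe" in the root of each drive (C: to Z: is an assumption).
for %%D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if exist "%%D:\new folder.exe" call :hit file "%%D:\new folder.exe"
)

rem Step 10: autorun value, with the name spelled exactly as the guide gives it.
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Yahoo Messengger" >nul 2>&1
if not errorlevel 1 call :hit registry "Run\Yahoo Messengger"

rem Step 11: nofolderoptions still set to 1 (assumes reg prints a DWORD as 0x1).
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions 2>nul | find "0x1" >nul
if not errorlevel 1 call :hit registry "Policies\Explorer\nofolderoptions=1"

rem Step 12: Winlogon shell value still launches rvhost.exe.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell 2>nul | find /i "rvhost.exe" >nul
if not errorlevel 1 call :hit registry "Winlogon\shell"

if %FOUND%==0 echo No leftovers from the checked list were found.
if not %FOUND%==0 echo %FOUND% leftover items found. Repeat the matching steps.
rem The exit code equals the number of leftovers, so 0 means clean.
exit /b %FOUND%

:hit
rem %1 = kind of item, %~2 = item name with surrounding quotes removed.
set /a FOUND+=1
echo [%1] still present: %~2
goto :eof
```

Save it as a .cmd file and run it from Command Prompt; steps 13 and 14 are scheduler settings rather than leftovers and are not checked.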
