CVMONITOR.EXE

Mike

Hi Guys,
Following my recent post on CVMONITOR.exe I did a bit of
digging and found out that this is a nasty worm. I was
wondering why my anti virus software would not install
and run properly and why I couldn't access any virus
software retail sites. This worm makes entries in the
HOSTS file on your machine which effectively hijack any
requests to the AV vendor's web sites. To clean up your
machine you need to do the following, after this run AV
scanning software, visit

http://uk.trendmicro-europe.com/consumer/products/housecall_it.php

Terminating the Malware Program

This procedure terminates the running malware process
from memory.

Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs*, locate the process:
CVMONITOR.EXE

Select the malware process, then press either the End
Task or the End Process button, depending on the version
of Windows on your system.
To check if the malware process has been terminated,
close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Windows Task
Manager may not show certain processes. You may use a
third party process viewer to terminate the malware
process. Otherwise, continue with the next procedure,
noting additional instructions.
Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the
malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type
Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Cvmonitor.exe = "Cvmonitor.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>RunServices
In the right panel, locate and delete the entry:
Cvmonitor.exe = "Cvmonitor.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services
Still in the left panel, locate and delete the key:
S1TRACE
Close Registry Editor.
NOTE: If you were not able to terminate the malware
process from memory as described in the previous
procedure, restart your system.

Clearing the HOSTS file

This malware added loopback addresses in your hosts file.
Cleaning this enables access to the Web sites.

Using Notepad, edit the file "hosts" located in the
%System%\drivers\etc folder.
Remove the lines containing these sites:
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
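The manual clean-up above boils down to one rule: any hosts-file line that points a name other than localhost at a loopback (or unspecified) address is a hijack of the kind the post describes and should go, while legitimate entries stay. The following is an added example, not code from the original thread or from any AV vendor; the hosts content it works on is a constructed sample that uses vendor names from the list above, and the `LEGIT_LOOPBACK_NAMES` set is an assumption about which names may legitimately resolve to loopback.

```python
"""Flag and strip hosts-file entries that sink AV-vendor names to loopback."""
import ipaddress

# Names that legitimately resolve to loopback (assumed list); any other name
# pointed at 127.0.0.1 / ::1 / 0.0.0.0 is treated as a hijack.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample (not a real capture): two legitimate entries plus
# loopback entries for vendor names taken from the post's list.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
192.168.1.20    fileserver.lan
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.mcafee.com   # a trailing comment must not hide the entry
127.0.0.1 trendmicro.com kaspersky.com
"""

def parse_hosts_line(line):
    """Return (address, [names]) or None for blank, comment or malformed lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    parts = body.split()
    try:
        return ipaddress.ip_address(parts[0]), parts[1:]
    except ValueError:
        return None  # not an IP address; leave the line untouched

def is_hijack(line):
    """True if the line points a non-local name at a loopback/unspecified address."""
    parsed = parse_hosts_line(line)
    if parsed is None:
        return False
    addr, names = parsed
    if not (addr.is_loopback or addr.is_unspecified):
        return False
    return any(n.lower() not in LEGIT_LOOPBACK_NAMES for n in names)

def audit_hosts(text):
    """Split hosts text into (flagged_lines, cleaned_text); only hijacks are dropped."""
    flagged, kept = [], []
    for line in text.splitlines():
        (flagged if is_hijack(line) else kept).append(line)
    return flagged, "\n".join(kept) + "\n"

if __name__ == "__main__":
    for line in audit_hosts(SAMPLE_HOSTS)[0]:
        print("HIJACK:", line)
```

Run against the real file read from %System%\drivers\etc\hosts, the flagged list is what to review and the cleaned text is what to write back; names are matched by address class rather than by vendor list, so it also catches vendor hosts the post's list does not include.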
Richard Urban

"This worm makes entries in the HOSTS file on your machine which effectively
hijack any requests to the AV vendor's web sites."


That's why knowledgeable people lock down their hosts file.

--
Regards:

Richard Urban

aka Crusty (-: Old B@stard :)
Dave Garrett

Hi Guys,
Following my recent post on CVMONITOR.exe I did a bit of
digging and found out that this is a nasty worm. I was
wondering why my anti virus software would not install
and run properly and why I couldn't access any virus
software retail sites. This worm makes entries in the
HOSTS file on your machine which effectively hijack any
requests to the AV vendor's web sites. To clean up your
machine you need to do the following, after this run AV
scanning software, visit

http://uk.trendmicro-europe.com/consumer/products/housecall_it.php

Terminating the Malware Program

This procedure terminates the running malware process
from memory.

Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs*, locate the process:
CVMONITOR.EXE

Select the malware process, then press either the End
Task or the End Process button, depending on the version
of Windows on your system.
To check if the malware process has been terminated,
close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Windows Task
Manager may not show certain processes. You may use a
third party process viewer to terminate the malware
process. Otherwise, continue with the next procedure,
noting additional instructions.
Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the
malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type
Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Cvmonitor.exe = "Cvmonitor.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>RunServices
In the right panel, locate and delete the entry:
Cvmonitor.exe = "Cvmonitor.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services
Still in the left panel, locate and delete the key:
S1TRACE
Close Registry Editor.
NOTE: If you were not able to terminate the malware
process from memory as described in the previous
procedure, restart your system.

Clearing the HOSTS file

This malware added loopback addresses in your hosts file.
Cleaning this enables access to the Web sites.

Using Notepad, edit the file "hosts" located in the
%System%\drivers\etc folder.
Remove the lines containing these sites:
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com

[etc - list snipped for brevity]

I'm running Win2K instead of XP, but I ran across your post in a Google
search and felt compelled to follow up, as I'm at my wits' end. Both
machines on my network (behind a Netgear router connected to the net)
are exhibiting almost identical symptoms as the ones you describe,
including the exact changes to my HOSTS file. Unfortunately, fixing the
problem does not appear to be as easy as you describe in my case. I'm
not showing the CVMONITOR.exe process in Task Manager, and when I tried
to run regedit, it quit almost immediately. I was able to boot in safe
mode and run regedit, but the registry keys you list were not present.

My antivirus program (Grisoft's AVG Anti-Virus 6.0, updated regularly)
also refused to run, quitting almost immediately after startup. I was
also able to get it to run from the command line in safe mode, but it
didn't detect anything.

My net connection is also hosed, as it looks like something has screwed
up DNS, but all the usual settings seem OK.

Obviously, I've got malware on my machines somewhere - the question is
where? Does anyone have any ideas as to how I should proceed from here?
I'm about ready to reinstall Win2K, as I have all of my data backed up,
but before I take that fairly drastic step without even knowing if it's
going to get rid of the malware, I thought I'd ask here.

Dave
Dave Garrett

[etc - list snipped for brevity]

I'm running Win2K instead of XP, but I ran across your post in a Google
search and felt compelled to follow up, as I'm at my wits' end. Both
machines on my network (behind a Netgear router connected to the net)
are exhibiting almost identical symptoms as the ones you describe,
including the exact changes to my HOSTS file. Unfortunately, fixing the
problem does not appear to be as easy as you describe in my case. I'm
not showing the CVMONITOR.exe process in Task Manager, and when I tried
to run regedit, it quit almost immediately. I was able to boot in safe
mode and run regedit, but the registry keys you list were not present.

My antivirus program (Grisoft's AVG Anti-Virus 6.0, updated regularly)
also refused to run, quitting almost immediately after startup. I was
also able to get it to run from the command line in safe mode, but it
didn't detect anything.

My net connection is also hosed, as it looks like something has screwed
up DNS, but all the usual settings seem OK.

Obviously, I've got malware on my machines somewhere - the question is
where? Does anyone have any ideas as to how I should proceed from here?
I'm about ready to reinstall Win2K, as I have all of my data backed up,
but before I take that fairly drastic step without even knowing if it's
going to get rid of the malware, I thought I'd ask here.

Following up on my own post, I think I've discovered the problem - a
particularly nasty combination of avupdchk.exe and wuamgrd.exe. The
former was the culprit preventing the antivirus program from running
(not that it would have mattered, as apparently many AV programs aren't
detecting these yet) and copying the loopback entries into the HOSTS
file - more info can be found here:

http://tinyurl.com/2x4lz

The latter was a lot nastier - check out this thread for info:

http://www.computercops.biz/postt24086.html

and this for removal instructions:

http://www.sophos.com/virusinfo/analyses/w32rbota.html

It is particularly insidious because it is memory-resident, and will
keep recopying itself into the registry if you delete the keys listed in
the page above. And you can't kill it with Task Manager - access is
denied. I finally downloaded a third-party task manager-like process
viewer called PrcView:

http://www.teamcti.com/pview/prcview.htm ,

and was able to kill the wuamgrd.exe process with it. Once I did so the
registry modifications stuck. For now, anyway, as I keep my fingers
crossed. There isn't a whole lot of info out there on either one of
these, so I'm hoping that this post will save someone else the effort of
expending almost an entire day trying to figure out why they're having
similar problems.

Dave