Mike
Hi Guys,
Following my recent post on CVMONITOR.exe I did a bit of
digging and found out that this is a nasty worm. I was
wondering why my anti virus software would not install
and run properly and why I couldn't access any virus
software retail sites. This worm makes entries in the
HOSTS file on your machine which effectively hijack any
requests to the AV vendor's web sites. To clean up your
machine you need to do the following. After this, run AV
scanning software; visit
http://uk.trendmicro-europe.com/consumer/products/housecall_it.php
Terminating the Malware Program
This procedure terminates the running malware process
from memory.
Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs*, locate the process:
CVMONITOR.EXE
Select the malware process, then press either the End
Task or the End Process button, depending on the version
of Windows on your system.
To check if the malware process has been terminated,
close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Windows Task
Manager may not show certain processes. You may use a
third party process viewer to terminate the malware
process. Otherwise, continue with the next procedure,
noting additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the
malware from executing during startup.
Open Registry Editor. To do this, click Start>Run, type
Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Cvmonitor.exe = "Cvmonitor.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
In the right panel, locate and delete the entry:
Cvmonitor.exe = "Cvmonitor.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services
Still in the left panel, locate and delete the key:
S1TRACE
Close Registry Editor.
NOTE: If you were not able to terminate the malware
process from memory as described in the previous
procedure, restart your system.
Clearing the HOSTS file
This malware added loopback addresses in your hosts file.
Cleaning this enables access to the Web sites.
Using Notepad, edit the file "hosts" located in the
%System%\drivers\etc folder.
Remove the lines containing these sites:
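
The hosts-file check from the last step of the post, as an added example that is not part of the original post: it flags every entry that points a name other than localhost at a loopback (or unspecified) address and returns the file content with those names removed. The sample file, the `.example` domains and the function name `audit_hosts` are constructed for illustration.

```python
import ipaddress

# Names a default hosts file legitimately maps to loopback (assumed allow-list).
EXPECTED = {"localhost", "localhost.localdomain"}

# Constructed sample input; the .example names stand in for blocked vendor sites.
SAMPLE_HOSTS = """\
# constructed sample, not taken from an infected machine
127.0.0.1       localhost
127.0.0.1       av-vendor.example
127.0.0.1       www.av-vendor.example update.av-vendor.example  # appended
192.0.2.10      intranet.example
"""


def audit_hosts(text):
    """Return (kept_lines, suspicious) for the given hosts-file text.

    suspicious is a list of (line_number, address, redirected_names) for
    entries that send a non-localhost name to a loopback or unspecified
    address, which is how the sites become unreachable from the machine.
    """
    kept, suspicious = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comment
        if len(fields) < 2:
            kept.append(raw)                    # blank or comment-only line
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            kept.append(raw)                    # malformed: leave for manual review
            continue
        names = [n.lower().rstrip(".") for n in fields[1:]]
        redirected = [n for n in names if n not in EXPECTED]
        if (addr.is_loopback or addr.is_unspecified) and redirected:
            suspicious.append((lineno, str(addr), redirected))
            legit = [n for n in names if n in EXPECTED]
            if legit:                           # keep localhost if it shared the line
                kept.append(f"{fields[0]}\t{' '.join(legit)}")
        else:
            kept.append(raw)
    return kept, suspicious


if __name__ == "__main__":
    cleaned, findings = audit_hosts(SAMPLE_HOSTS)
    for lineno, addr, names in findings:
        print(f"line {lineno}: {addr} <- {', '.join(names)}")
    print("\n".join(cleaned))
```

Review the findings before writing the cleaned content back: ad-blocking hosts files also map names to loopback on purpose.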