Re: CVMONITOR.EXE

From: Richard Urban (richardurbanREMOVETHIS_at_hotmail.com)
Date: 05/09/04


Date: Sun, 9 May 2004 09:25:59 -0400


"This worm makes entries in the HOSTS file on your machine which effectively
hijack any requests to the AV vendor's web sites."

That's why knowledgeable people lock down their hosts file.

-- 
Regards:
Richard Urban
aka  Crusty (-: Old B@stard :-)
"Mike" <anonymous@discussions.microsoft.com> wrote in message 
news:a68101c435a9$54ea8fa0$a501280a@phx.gbl...
> Hi Guys,
> Following my recent post on CVMONITOR.exe I did a bit of
> digging and found out that this is a nasty worm. I was
> wondering why my anti virus software would not install
> and run properly and why I couldn't access any virus
> software retail sites. This worm makes entries in the
> HOSTS file on your machine which effectively hijack any
> requests to the AV vendor's web sites. To clean up your
> machine you need to do the following, after this run AV
> scanning software, visit
>
> http://uk.trendmicro-europe.com/consumer/products/housecall_it.php
>
> Terminating the Malware Program
>
> This procedure terminates the running malware process
> from memory.
>
> Open Windows Task Manager.
> On Windows 95/98/ME systems, press
> CTRL+ALT+DELETE
> On Windows NT/2000/XP systems, press
> CTRL+SHIFT+ESC, and click the Processes tab.
> In the list of running programs*, locate the process:
> CVMONITOR.EXE
>
> Select the malware process, then press either the End
> Task or the End Process button, depending on the version
> of Windows on your system.
> To check if the malware process has been terminated,
> close Task Manager, and then open it again.
> Close Task Manager.
> *NOTE: On systems running Windows 95/98/ME, Windows Task
> Manager may not show certain processes. You may use a
> third party process viewer to terminate the malware
> process. Otherwise, continue with the next procedure,
> noting additional instructions.
>
>
>
> Removing Autostart Entries from the Registry
>
> Removing autostart entries from the registry prevents the
> malware from executing during startup.
>
> Open Registry Editor. To do this, click Start>Run, type
> Regedit, then press Enter.
> In the left panel, double-click the following:
> HKEY_LOCAL_MACHINE>Software>Microsoft>
> Windows>CurrentVersion>Run
> In the right panel, locate and delete the entry:
> Cvmonitor.exe = "Cvmonitor.exe"
> In the left panel, double-click the following:
> HKEY_LOCAL_MACHINE>Software>Microsoft>
> Windows>CurrentVersion>RunServices
> In the right panel, locate and delete the entry:
> Cvmonitor.exe = "Cvmonitor.exe"
> In the left panel, double-click the following:
> HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services
> Still in the left panel, locate and delete the key:
> S1TRACE
> Close Registry Editor.
> NOTE: If you were not able to terminate the malware
> process from memory as described in the previous
> procedure, restart your system.
>
> Clearing the HOSTS file
>
> This malware added loopback addresses in your hosts file.
> Cleaning this enables access to the Web sites.
>
> Using Notepad, edit the file "hosts" located in the
> %System%\drivers\etc folder.
> Remove the lines containing these sites:
>
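
The hosts-file check from the cleanup procedure above, as an added Python example that is not part of either post: it flags active entries that point antivirus vendor hostnames at a loopback address and produces a cleaned copy. `WATCHED` is a short watch list chosen for illustration, `SAMPLE_HOSTS` is constructed, and treating `0.0.0.0` the same as loopback is an assumption that goes slightly beyond the loopback entries the post describes.

```python
import ipaddress

# Illustrative watch list of AV vendor domains; subdomains match too.
WATCHED = {"symantec.com", "mcafee.com", "trendmicro.com",
           "sophos.com", "kaspersky.com", "f-secure.com"}

# Constructed sample hosts file, not taken from an infected machine.
SAMPLE_HOSTS = """\
# sample
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       download.mcafee.com update.symantec.com
0.0.0.0         WWW.TrendMicro.com
192.168.1.10    fileserver
# 127.0.0.1 sophos.com
"""

def is_watched(host):
    """Match the domain itself or any subdomain, on label boundaries."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED)

def is_sinkhole(addr):
    """True for loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def parse(raw):
    """Return (address, hostnames) for an active entry, else (None, [])."""
    fields = raw.split("#", 1)[0].split()
    return (fields[0], fields[1:]) if len(fields) >= 2 else (None, [])

def find_hijacked_entries(text):
    """List (line number, address, hostname) for each redirected vendor host."""
    return [(n, addr, h.lower())
            for n, raw in enumerate(text.splitlines(), 1)
            for addr, hosts in [parse(raw)] if addr and is_sinkhole(addr)
            for h in hosts if is_watched(h)]

def strip_hijacked_entries(text):
    """Return the hosts text with redirected vendor hostnames removed."""
    out = []
    for raw in text.splitlines():
        addr, hosts = parse(raw)
        bad = [h for h in hosts if is_watched(h)] if addr and is_sinkhole(addr) else []
        if not bad:
            out.append(raw)               # untouched lines are kept verbatim
        elif len(bad) < len(hosts):       # keep the legitimate names on the line
            out.append(addr + " " + " ".join(h for h in hosts if h not in bad))
    return "\n".join(out) + "\n"
```

Run it against a copy of the hosts file and review the findings before writing the cleaned text back; a rewritten mixed line loses its trailing comment.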