Hi All,
Has anybody ever faced the same problem with Win32:Hakaglan [Wrm] before?
Because one of our customers detected this threat in their network environment.
There’s a post here about it, hope that might help.
Check That Flash Drive: W32/Hakaglan.worm Finds Its Way Onto USB Flash Drives
http://www.pc1news.com/news/0515/check-that-flash-drive-w32-hakaglan-worm-finds-its-way-onto-usb-flash-drives.html
ThreatExpert’s Statistics for Win32/Hakaglan.worm.462264 [AhnLab]:
http://www.threatexpert.com/threats/win32-hakaglan-worm-462264.html
There's a post here about it, hope that might help.
Hi Tar,
First of all, thanks for the information you kindly referenced; I have read it.
I have already given advice to our customer, and hopefully it will solve their issues.
Check That Flash Drive: W32/Hakaglan.worm Finds Its Way Onto USB Flash Drives http://www.pc1news.com/news/0515/check-that-flash-drive-w32-hakaglan-worm-finds-its-way-onto-usb-flash-drives.html
Hi Pondus,
I have read the article you referenced, and it makes me interested to know more.
But looking at the attack method, this virus has been spreading from a long time ago until today.
Normally avast should be able to detect it and get rid of it.
ThreatExpert's Statistics for Win32/Hakaglan.worm.462264 [AhnLab]: http://www.threatexpert.com/threats/win32-hakaglan-worm-462264.htm
Based on this referenced site, what has avast actually renamed this virus/malware family to?
Hi Yanto.Chiang,
Here you can read instructions on how to remove this worm manually:
http://www.askmehelpdesk.com/spyware-viruses-etc/how-remove-rvhost-exe-malware-71164.html
You need to unlock the Task Manager and the Registry Editor.
In the Run dialog, type: gpedit.msc
TASK MANAGER
============
Go to User Configuration, then Administrative Templates, then System, then Alt+Ctrl+Del Options; double-click Remove Task Manager in the right-side window and set it to Disabled.
REGISTRY EDITOR
============
Go to User Configuration, then Administrative Templates, then System, then double-click Prevent access to registry editing tools in the right-side window and set it to Disabled.
You can also use this tool to be able to use the Registry Editor again:
Zip file checked here with DrWeb online scanner:
Checking: http://www.askmehelpdesk.com/attachments/spyware-viruses-etc/2944d1173913897-how-remove-rvhost-exe-malware-anetgames-pkg_0023349.zip
Engine version: 5.0.1.12222
Total virus-finding records: 900950
File size: 360 bytes
File MD5: 7a9d281c45d15d2da3d2ec2cf2c8a4eb
http://www.askmehelpdesk.com/attachments/spyware-viruses-etc/2944d1173913897-how-remove-rvhost-exe-malware-anetgames-pkg_0023349.zip/re_enable_regedit&taskmanager&options.reg - Ok
http://www.askmehelpdesk.com/attachments/spyware-viruses-etc/2944d1173913897-how-remove-rvhost-exe-malware-anetgames-pkg_0023349.zip - Ok
Follow these steps to completely remove this worm:
1- Start > Run
2- Write CMD
3- In CMD, write: Taskkill /T /IM "RVHOST.EXE"
Then open Notepad: Start > Run
4- Write "Notepad"
5- In Notepad, paste these lines below:
' Delete the policy values that block Registry Editor and Task Manager
On Error Resume Next
Set shl = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
shl.RegDelete
6- Save the Notepad file as "Enable.VBS" and change the file type to "All"
7- Double-click "Enable.VBS"
8- Now Start > Run. Write "Regedit" in it and press Enter
9- Make the following changes in the Registry
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Yahoo Messengger = “%System%\RVHOST.exe”
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
Removing Other Entry from the Registry
Still in Registry Editor, in the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>Explorer
In the right panel, locate and delete the entry:
NofolderOptions = “1”
Restoring Modified Entries from the Registry
Still in Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon
In the right panel, locate the entry:
Shell = “Explorer.exe RVHOST.exe”
Right-click on the value name and choose Modify. Change the value data of this entry to:
Explorer.exe
In the right panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Schedule
In the right panel, locate the entry:
NextAtJobId = “2”
Right-click on the value name and choose Modify. Change the value data of this entry to:
1
Close Registry Editor.
Deleting the Malware File(s)
Right-click Start then click Search… or Find…, depending on the version of Windows you are running.
In the Named input box, type:
AT1.JOB
In the Look In drop-down list, select My Computer, then press Enter.
Once located, select the file then press SHIFT+DELETE.
Note: AT1.JOB is a Scheduled Task, so you can find this in C:\WINDOWS
polonus
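As an added example (not part of polonus's post or the linked thread): a read-only check that scans the text of a registry export for the changes the steps above undo. The function names and the sample export are constructed for illustration, and the parser handles only string and dword values.

```python
import re

# Keys and values from the post's removal steps, lowercased (registry names ignore case).
POLICIES = r"hkey_current_user\software\microsoft\windows\currentversion\policies"
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
LOCKOUT = {(POLICIES + r"\system", "disableregistrytools"),
           (POLICIES + r"\system", "disabletaskmgr"),
           (POLICIES + r"\explorer", "nofolderoptions")}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Yield (key, name, data) for string and dword values in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and m and m.group(2).startswith("dword:"):
            yield key, m.group(1), int(m.group(2)[6:], 16)
        elif key and m and m.group(2).startswith('"'):
            # strip the quotes and undo the \\ and \" escaping used by regedit
            yield key, m.group(1), re.sub(r"\\(.)", r"\1", m.group(2)[1:-1])

def find_indicators(text):
    """Return findings that match the registry changes described in the post."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), str(data).strip().lower()
        if (k, n) in LOCKOUT and d != "0":
            findings.append(f"{key}\\{name}={data}: lockout policy set")
        elif k == RUN_KEY and "rvhost.exe" in d:
            findings.append(f"{key}\\{name}: autostart of {data}")
        elif k == WINLOGON and n == "shell" and d != "explorer.exe":
            findings.append(f"{key}\\{name}={data}: shell is not plain Explorer.exe")
    return findings

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\Windows\\System32\\RVHOST.exe"
"ctfmon.exe"="C:\\Windows\\System32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe RVHOST.exe"
'''
if __name__ == "__main__":
    print("\n".join(find_indicators(SAMPLE)))
```

`reg export` writes UTF-16 text, so decode the file accordingly before passing its contents to `find_indicators`.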
Hi Polonus,
Many thanks for your specific and technical advice.
Let us try it first, then we will let you know.
Anyway, just one question: in which part of the website can I find the information you gave me?
Hi Yanto.Chiang,
It is what is given there by members anetgames and Zaithe; see the link I gave.
polonus
Hi Polonus,
Thanks again. So far our customer doesn't have any further issues since we gave them the steps to get rid of Win32:Hakaglan [Wrm].