Please help: Virus.Win32.Delf.ak

Status
Not open for further replies.

Eriya

Hi,
I noticed that there was a thread from someone who also had this problem. I tried what was said on there, but my anti-spyware program keeps finding the virus. I did click remove, but once the computer has rebooted it's back.

I used xoftspy v 4.22 and it comes up with 3 instances of Virus.Win32.Delf.ak, all type: registry value, category: Trojan and the objects: system\currentcontrolset\services\svkp\enum\0 ,
system\currentcontrolset\services\svkp\enum\count
and finally
system\currentcontrolset\services\svkp\enum\next instance

I have Zone Alarm security firewall and anti-virus; this didn't pick up the files. I also tried Trend Micro online anti-virus and anti-spyware; they picked up other problems but not that one. Erm, I also used SS&D, I have Ad-Aware Personal SE, AVG anti-spyware, AVG anti-rootkit and CCleaner. I also tried the 4 tools on the help page, but they came back clean.

I'm not sure if this is caused by the virus, but when I tried to use smart system restore it failed. Apart from that and a little bit of lagging, my computer doesn't seem to be much different.

I use this computer for a lot of things so I'm really hoping that someone could help me to get rid of this if it's a threat.

I'm sorry if I wrote too much useless stuff; I'm just hoping it could maybe help a little. I tend to panic when I see the word virus. ^_^;;;

I would really appreciate any help that anyone could give me.
kind regards,
Erii
 
Thank you for your reply :)

I did the Trend Micro anti-spyware earlier and it did come up with something, but I can't remember what. However, I did it again just now like you said and it said:
'no spyware found'.

*note* The computer had been rebooted between the two spyware scans, don't know if that is important.

Hope that helps.
Kind Regards,
Erii
 
It looks like the Trend scanner may have got it.

See how it goes and post back if you have any more problems.

Regards Howard :)

This thread is for the use of Eriya only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I really hope you're right; I don't like having to fight with viruses.

Only problem is Xoftspy still says that those three instances I mentioned in my first post are still on my computer. :S

Kind Regards,
Erii
 
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the subkey:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

5. In the right pane, delete the values(if there):

"ctflog manager" = "%Windir%\ctflog.exe"
"explore manager" = "%Windir%\explore.exe"
"inetinfomon manager" = "%Windir%\inetinfomon.exe"
"MPM manager" = "%Windir%\MPM.exe"
"service manager" = "%Windir%\service.exe"
"winlog manager" = "%Windir%\winlog.exe"

6. Navigate to and delete the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ExtA

7. Exit the Registry Editor.

Let me know if that helps. Run Xoftspy again.

Regards Howard :)

This thread is for the use of Eriya only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi again :)

I went to
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
however the things you mentioned weren't there; all I had was:
CTFMON.exe
Peerguardian
Uniblue registry booster
Uniblue SpeedUpmyPc
uniblue SpyEraser

I also tried looking for:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ExtA

but i could only find:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext

Should I delete that one, or am I supposed to keep it?

I really appreciate all of your help.
Kind Regards,
Erii.
 
No, don't delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext

Download the Spysweeper trial from HERE and see what it comes up with.

Regards Howard :)

This thread is for the use of Eriya only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
OK, I won't touch that then.

I downloaded Spy Sweeper and it came up with the following:
Sogou toolbar, category: adware, risk rating: 4/5, traces found: 1, description: Sogou toolbar is an adware program that may display advertisements on your system.
A cookie, category: cookie, risk rating: 1/5, traces found: 1, description: a cookie is a cookie that may track the unique visitors to a web site, as well as their personal preferences.

That's all that came up, but Xoftspy still says the same old thing. ^_^;;


I've just realised I've been doing all this in normal mode; is that OK?

Kind regards,
Erii :D
 
Have you tried running your Xoftspy programme from safe mode? If not, give it a try.

I'm starting to think that Xoftspy may be giving you a false positive. This isn't unheard of with Xoftspy.

Post a fresh HJT log when done.

This thread is for the use of Eriya only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I ran Xoftspy in safe mode and it came up with the same 3 entries.

I've also done another hijackthis and I'll attach it.

It would kind of be a relief if that's what it is :)

Kind Regards,
Erii
 
You might want to copy and paste these instructions into a Notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Geviosr

Close the services window.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - blank (file missing)

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - blank (file missing)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - blank (file missing)

O23 - Service: Geviosr - GEAR Software Inc. - (no file)

Click on the fix checked button.

Close HJT and reboot your system.

Post a fresh HJT log and let me know if you're still having the same problem.

Regards Howard :)

This thread is for the use of Eriya only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I was able to disable Geviosr through services.msc

and I was also able to fix all that you said in HJT, except I could no longer find:
O23 - Service: Geviosr - GEAR Software Inc. - (no file)

I just ran Xoftspy again and it came up with the 3 instances again.

Here is a new hjt log for you :D

Thank you for keeping on trying to help me
Kind Regards,
Erii
 
Download and install the free AVG Antivirus programme. Run the antivirus updates, then boot into safe mode and run a full system scan.

Let me know if it finds anything.

Regards Howard :)

This thread is for the use of Eriya only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi,

I downloaded AVG and went into safe mode,
AVG anti-virus just finished now and it didn't find anything. ^^;;

Kind Regards,
Erii.
 
In that case, I must conclude it's a false positive by Xoftspy, since nothing else is picking up the supposed infection.

Besides AVG free which you have just installed, are you running any other antivirus programme? If you are, I suggest you uninstall it and keep AVG free.

Regards Howard :)

This thread is for the use of Eriya only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Well, all of that for a false positive. I'm happy it isn't anything serious, mind :D

I have the anti-virus which comes with Zone Alarm Security Suite; I'll switch that off now though.

Thank you very much for giving me your time and helping.
Kind Regards,
Erii.
 
No worries. I suggest you uninstall Xoftspy.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of Eriya only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi Eriya and Howard

I don't think it's a false positive; in fact, I'm pretty sure it's not.
But I can't get rid of it either.
I found it using regedit, then watched as the entry was deleted when I clicked remove using Xoftspy. It was removed.
Back again next time I rebooted.
Deleted manually.
Back again next time I rebooted.
Turned off system restore, used Xoftspy to delete in safe mode.
Back again next time I rebooted.

At the moment all I do every time I start up is run Xoftspy and delete the buggers before I do anything else.

I'd be grateful if anyone could post a definitive response for getting rid of it.
 
Can you give me the path to the registry keys? I still can't think why Xoftspy would be the only programme to detect this.

Regards Howard :)

This thread is for the use of Saint M only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
HKEY_LOCAL_MACHINE\SYSTEM\SVKP\Enum\0
HKEY_LOCAL_MACHINE\SYSTEM\SVKP\Enum\count
HKEY_LOCAL_MACHINE\SYSTEM\SVKP\Enum\nextinstance

Within the folder there are the following entries:

Name          Type        Data
0             REG_SZ      Root\LEGACY_SVKP\0000
Count         REG_DWORD   0x00000001 (1)
nextinstance  REG_DWORD   0x00000001 (1)


Hope this helps
M
 
Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type regedit into the runbox and press the enter key.

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\SVKP and delete it.

Close regedit.

Go to C:\windows\system32\SVKP.sys and delete the bold file if there.

Reboot into normal mode and rehide your protected OS files.

Let me know the results.

Regards Howard :)

This thread is for the use of Saint M only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
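The two manual checks in this thread, the HKCU Run values Howard listed earlier and the SVKP service key with its Enum values that Saint M posted, can be done offline against a regedit export (File > Export in regedit) rather than by clicking through the tree. The script below is an added example written for this thread; it is not code from the forum or from any of the tools mentioned. It parses a .reg export into keys and values, flags every value under the SVKP service key and any Run value whose name is on Howard's list, and separately reports service keys whose Enum value "0" points at Root\LEGACY_*. That last check is the useful one: under Windows the Enum subkey of a service is maintained by the Plug and Play manager and is rebuilt at boot as long as the parent service key exists, which is consistent with the Enum values reappearing after every manual deletion and with the fix only sticking once the whole SVKP key was removed. The export embedded in the script is constructed for the example (the key path uses the full CurrentControlSet\Services form reported by Xoftspy in the first post; the ImagePath and Run values are sample data), so it runs without a Windows machine.

```python
import re

# Paths from the thread: the SVKP service key reported by Xoftspy, and the
# HKCU Run key whose value names Howard listed. Comparisons below are
# case-insensitive because registry paths are.
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVKP"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAMES = {
    "ctflog manager", "explore manager", "inetinfomon manager",
    "mpm manager", "service manager", "winlog manager",
}

# Constructed sample .reg export (not a real capture). It mirrors the Enum
# values Saint M listed and one of the Run values from Howard's post; the
# ImagePath and the ctfmon entry are made-up sample data.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVKP]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\SVKP.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVKP\Enum]
"0"="Root\\LEGACY_SVKP\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"winlog manager"="C:\\WINDOWS\\winlog.exe"
"""

_KEY_RE = re.compile(r"\[(.+)\]")
_VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)')


def _unescape(s):
    # .reg files write a quote as \" and a backslash as \\ inside quoted strings
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode_data(raw):
    """Decode REG_SZ and REG_DWORD data; other types are returned verbatim."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg_export(text):
    """Parse a regedit export into {key_path: {value_name: data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.fullmatch(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.fullmatch(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _decode_data(m.group(2))
    return keys


def find_indicators(keys):
    """Return (key, value_name, data) for every value under the SVKP service
    key and for every Run value whose name is on Howard's list."""
    findings = []
    svkp = SERVICE_KEY.lower()
    for path, values in keys.items():
        p = path.lower()
        if p == svkp or p.startswith(svkp + "\\"):
            findings.extend((path, n, d) for n, d in values.items())
        elif p == RUN_KEY.lower():
            findings.extend((path, n, d) for n, d in values.items()
                            if n.lower() in RUN_VALUE_NAMES)
    return findings


def legacy_driver_services(keys):
    r"""Service keys whose Enum value "0" points at Root\LEGACY_*. The Enum
    subkey is rebuilt by the PnP manager at boot while the parent service key
    exists, so the parent key is what to examine and remove, not Enum."""
    parents = []
    for path, values in keys.items():
        if path.lower().endswith("\\enum"):
            first = values.get("0", "")
            if isinstance(first, str) and first.lower().startswith("root\\legacy_"):
                parents.append(path[: -len("\\Enum")])
    return parents


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for hit in find_indicators(parsed):
        print("indicator:", hit)
    for svc in legacy_driver_services(parsed):
        print("legacy driver service key (remove this, not just Enum):", svc)
```

To use it on a real machine, export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and the HKCU Run key from regedit, read the file (regedit writes UTF-16 exports, so open it with encoding="utf-16") and pass the text to parse_reg_export. The ImagePath of a flagged service key tells you which driver file to look for, which is the check Howard's last post does by hand with SVKP.sys.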
 
Thanks Howard

That seems to have done the trick.
There was no sign of SVKP.sys in C:,
but deleting the SVKP folder in the registry looks to have worked.
I even turned my system restore back on and created a restore point before removing the registry folder (just in case, for the first attempt).
There's no sign of it.

Thanks a million
Saint M
 
That's great news.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of Saint M only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi,

I just wanted to say that what you last suggested worked for me too; no more Delf~~ (well, I hope it's all gone and not just hiding lol)

:D

Kind Regards,
Erii
 