TechSpot

Please help: Virus.Win32.Delf.ak

By Eriya
Mar 29, 2007
  1. Hi,
    I noticed that there was a thread from someone who also had this problem. I tried what was said on there, but my anti-spyware program keeps finding the virus. I did click remove, but once the computer has rebooted it's back.

    I used xoftspy v 4.22 and it comes up with 3 instances of Virus.Win32.Delf.ak, all type: registry value, category: Trojan and the objects: system\currentcontrolset\services\svkp\enum\0 ,
    system\currentcontrolset\services\svkp\enum\count
    and finally
    system\currentcontrolset\services\svkp\enum\next instance

    I have zone alarm security firewall and anti virus; this didn't pick up the files. I also tried trendmicro online anti virus and anti spyware; they picked up other problems but not that one. Erm, I also used ss&d, I have ad-aware personal se, AVG anti spyware, AVG anti-rootkit and ccleaner. I also tried the 4 tools on the help page but they came back clean.

    I'm not sure if this is caused by the virus, but when I tried to use smart system restore it failed; apart from that and a little bit of lagging my computer doesn't seem to be much different.

    I use this computer for a lot of things so I'm really hoping that someone could help me to get rid of this if it's a threat.

    I'm sorry if I wrote too much useless stuff, I'm just hoping it could maybe help a little. I tend to panic when I see the word virus. ^_^;;;

    I would really appreciate any help that anyone could give me.
    kind regards,
    Erii
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Run the Trend micro Antispyware scanner.

    Let me know the results.

    Regards Howard :wave: :wave:

    This thread is for the use of Eriya only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Eriya

    Eriya TS Rookie Topic Starter

    Thank you for your reply :)

    I did the trend micro anti-spyware earlier and it did come up with something but I can't remember what; however, I did it again just now like you said and it said:
    'no spyware found'.

    *note* The computer had been rebooted between the two spyware scans, don't know if that is important.

    Hope that helps.
    Kind Regards,
    Erii
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It looks like the Trend scanner may have got it.

    See how it goes and post back if you have any more problems.

    Regards Howard :)

     
  5. Eriya

    Eriya TS Rookie Topic Starter

    I really hope you're right, I don't like having to fight with viruses.

    Only problem is Xoftspy still says that those three instances I mentioned in my first post are still on my computer. :S

    Kind Regards,
    Erii
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    1. Click Start > Run.
    2. Type regedit
    3. Click OK.
    4. Navigate to the subkey:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    5. In the right pane, delete the values(if there):

    "ctflog manager" = "%Windir%\ctflog.exe"
    "explore manager" = "%Windir%\explore.exe"
    "inetinfomon manager" = "%Windir%\inetinfomon.exe"
    "MPM manager" = "%Windir%\MPM.exe"
    "service manager" = "%Windir%\service.exe"
    "winlog manager" = "%Windir%\winlog.exe"

    6. Navigate to and delete the subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ExtA

    7. Exit the Registry Editor.

    Let me know if that helps. Run Xoftspy again.

    Regards Howard :)

     
  7. Eriya

    Eriya TS Rookie Topic Starter

    Hi again :)

    I went to
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    however the things you mentioned weren't there; all I had was:
    CTFMON.exe
    Peerguardian
    Uniblue registry booster
    Uniblue SpeedUpmyPc
    uniblue SpyEraser

    I also tried looking for:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ExtA

    but I could only find:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext

    Should I delete that one or am I supposed to keep it?

    I really appreciate all of your help.
    Kind Regards,
    Erii.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No, don`t delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext

    Download the Spysweeper trial from HERE and see what it comes up with.

    Regards Howard :)

     
  9. Eriya

    Eriya TS Rookie Topic Starter

    OK, I won't touch that then.

    I downloaded spy sweeper and it came up with the following:
    sogou toolbar , category: adware, risk rating: 4/5, traces found: 1, description: sogou toolbar is an adware program that may display advertisements on your system.
    a cookie, category: cookie, risk rating: 1/5, traces found: 1, description: a Cookie is a cookie that may track the unique visitors to a web site, as well as their personal preferences.

    That's all that came up but xoftspy still says the same old thing. ^_^;;

    I've just realised I've been doing all this in normal mode; is that OK?

    Kind regards,
    Erii :D
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have you tried running your Xoftspy programme from safe mode? If not, give it a try.

    I`m starting to think that Xoftspy may be giving you a false positive. This isn`t unheard of with xoftspy.

    Post a fresh HJT log when done.

     
  11. Eriya

    Eriya TS Rookie Topic Starter

    I ran Xoftspy in safe mode and it came up with the 3 same entries.

    I've also done another hijackthis and I'll attach it.

    It would kind of be a relief if that's what it is :)

    Kind Regards,
    Erii
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Geviosr

    Close the services window.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - blank (file missing)

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - blank (file missing)

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - blank (file missing)

    O23 - Service: Geviosr - GEAR Software Inc. - (no file)

    Click on the fix checked button.

    Close HJT and reboot your system.

    Post a fresh HJT log and let me know if you`re still having the same problem.

    Regards Howard :)

     
  13. Eriya

    Eriya TS Rookie Topic Starter

    I was able to disable Geviosr through services.msc

    and I was also able to fix all that you said in HJT except I could no longer find:
    O23 - Service: Geviosr - GEAR Software Inc. - (no file)

    I just ran xoftspy again and it came up with the 3 instances again.

    Here is a new hjt log for you :D

    Thank you for keeping on trying to help me
    Kind Regards,
    Erii
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download and install the free AVG Antivirus programme. Run the antivirus updates, then boot into safe mode and run a full system scan.

    Let me know if it finds anything.

    Regards Howard :)

     
  15. Eriya

    Eriya TS Rookie Topic Starter

    Hi,

    I downloaded AVG and went into safe mode,
    AVG anti-virus just finished now and it didn't find anything. ^^;;

    Kind Regards,
    Erii.
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    In that case, I must conclude it`s a false positive by Xoftspy, since nothing else is picking up the supposed infection.

    Besides AVG free which you have just installed, are you running any other antivirus programme? If you are, I suggest you uninstall it and keep AVG free.

    Regards Howard :)

     
  17. Eriya

    Eriya TS Rookie Topic Starter

    Well all of that for a false positive, I'm happy it isn't anything serious mind :D

    I have the anti virus which comes with zone alarm security suite I'll switch that off now though.

    Thank you very much for giving me your time and helping.
    Kind Regards,
    Erii.
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No worries. I suggest you uninstall Xoftspy.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  19. Saint M

    Saint M TS Rookie

    Hi Eriya and howard

    I don't think it's a false positive. In fact I'm pretty sure it's not.
    But I can't get rid of it either.
    I found it using regedit, then watched as the entry was deleted when I clicked remove using xoftspy. It was removed.
    Back again next time I rebooted.
    Deleted manually,
    Back again next time I rebooted.
    Turned off system restore, used xoftspy to delete in safe mode,
    Back again next time I rebooted.

    At the moment all I do every time I start up is run xoft and delete the buggers before I do anything else.

    I'd be grateful if anyone could post a definitive response for getting rid of it.
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Can you give me the path to the registry keys? I still can`t think why Xoftspy would be the only programme to detect this.

    Regards Howard :)

    This thread is for the use of Saint M only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  21. Saint M

    Saint M TS Rookie

    H_KEY_LOCAL_MACHINE/SYSTEM/SVKP/Enum/0
    H_KEY_LOCAL_MACHINE/SYSTEM/SVKP/Enum/count
    H_KEY_LOCAL_MACHINE/SYSTEM/SVKP/Enum/nextinstance

    Within the folder there are the following entries:

    Name Type Data
    0 REG_SZ Root\LEGACY_SVKP\0000
    Count REG_DWORD 0x00000001 (1)
    nextinstance REG_DWORD 0x00000001 (1)


    Hope this helps
    M
     
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type regedit into the runbox and press the enter key.

    Navigate to H_KEY_LOCAL_MACHINE/SYSTEM/SVKP and delete it.

    Close reg edit.

    Go to C:\windows\system32\SVKP.sys and delete the bold file if there.

    Reboot into normal mode and rehide your protected OS files.

    Let me know the results.

    Regards Howard :)

    This thread is for the use of Saint M only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
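
A read-only check of the locations this thread walks through, as an added example that is not part of the original posts: it reports which of the Run values named in post 6 exist, and whether the SVKP service key and the SVKP.sys file from post 22 are present. It assumes a system with PowerShell; the key path is taken from the XoftSpy objects in the first post, and the function names are hypothetical.

```powershell
# Added example: read-only audit; nothing is deleted or changed.
# Run value names are from post 6; the service key path is from the
# XoftSpy objects in post 1; the file path is from post 22.
$RunKey     = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$SuspectRun = 'ctflog manager', 'explore manager', 'inetinfomon manager',
              'MPM manager', 'service manager', 'winlog manager'
$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SVKP'
$DriverFile = Join-Path $env:windir 'system32\SVKP.sys'

function Get-SuspectRunValue {
    # Return the listed Run values that are actually present, with their data.
    if (-not (Test-Path $RunKey)) { return }
    $props = Get-ItemProperty -Path $RunKey
    foreach ($name in $SuspectRun) {
        if ($props.PSObject.Properties.Name -contains $name) {
            [pscustomobject]@{ Name = $name; Data = $props.$name }
        }
    }
}

function Get-SvkpState {
    # Collect what is registered for the service and whether its file exists.
    $state = [ordered]@{
        ServiceKeyPresent = Test-Path $ServiceKey
        ImagePath         = $null   # standard service value naming the binary
        EnumInstance0     = $null   # the "0" value XoftSpy reported
        DriverFilePresent = Test-Path $DriverFile
    }
    if ($state.ServiceKeyPresent) {
        $svc = Get-ItemProperty -Path $ServiceKey
        if ($svc.PSObject.Properties.Name -contains 'ImagePath') {
            $state.ImagePath = $svc.ImagePath
        }
        $enumKey = Join-Path $ServiceKey 'Enum'
        if (Test-Path $enumKey) {
            $state.EnumInstance0 = (Get-ItemProperty -Path $enumKey).'0'
        }
    }
    [pscustomobject]$state
}

Get-SuspectRunValue | Format-Table -AutoSize
Get-SvkpState | Format-List
```

Running it before and after a reboot shows whether the service key or its Enum values return, without relying on a scanner's report.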
     
  23. Saint M

    Saint M TS Rookie

    Thanks Howard

    That seems to have done the trick.
    There was no sign of SVKP.sys in C:
    But deleting the SVKP folder in registry looks to have worked
    I even had turned my system restore back on and created a restore point before removing the registry folder (just in case for the first attempt)
    There's no sign of it.

    Thanks a million
    Saint M
     
  24. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That`s great news.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  25. Eriya

    Eriya TS Rookie Topic Starter

    Hi,

    I just wanted to say that what you last suggested worked for me too, no more Delf~~ (well, I hope it's all gone and not just hiding lol)

    :D

    Kind Regards,
    Erii
     
Topic Status:
Not open for further replies.
