Virus.Win32.Delf.ak Again and More

Status
Not open for further replies.

hikerbear

I've just joined the group after lurking for a week.
I get 3 instances of Virus.Win32.Delf.ak every time I reboot and yesterday I got 3 instances of WinAntiVirus Pro 2006 and 3 instances of WinAntiVirus Pro 2007.
I have followed the steps in the preliminary removal instructions and all came up clean. Panda was also clean. This is a tech built XP-SP2 home machine that is a bit old, but everything is as up to date as I could make it.
My name is Roger and I live in Maine by way of partial introduction.
Below are the reports you said to send.
It's nice to be a member of the group. Thank you very much.

Roger
 
Hello and welcome to Techspot.

Delete all files in AVG Antispyware quarantine.

Your HJT log looks clean.

Which programme is alerting to the Delf and WinAntiVirus problem? It wouldn't happen to be Xoftspy, would it?


Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type regedit into the runbox and press the enter key.

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\SVKP and delete it.

Close regedit, reboot your system and rehide your protected OS files.

Regards Howard :wave: :wave:

This thread is for the use of hikerbear only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi Howard;
The Delf is certainly Xoftspy.
SVKP was not in the registry- maybe I have to reboot and try again.

Roger
 
If it's not there, it just means that Xoftspy is probably giving you a false positive.

It's quite good at doing that and I wouldn't want it anywhere near my system.

What about the WinAntiVirus alert, where's that coming from?

Regards Howard :)

This thread is for the use of hikerbear only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi Howard;
Where did you find the WinAntiVirus alert? I must have overlooked something. Can you help me out with that?
The only SVKP that I could find is here: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SVKP

Thanks for all your help- I know how to stop the Delf problem once and for all.

Thanks for all your help- looking forward to your reply.

Hikerbear a.k.a. Roger
 
It's in your first post:

I got 3 instances of WinAntiVirus Pro 2006 and 3 instances of WinAntiVirus Pro 2007.

Anyway, it seems as if the LEGACY_SVKP is indeed nasty and needs to be got rid of.

However, this is not as simple as it seems and I've had to do an awful lot of research to try and find a cure for this.

First download the following tool: Multi_AV scanning tool. The download will start automatically after a few seconds.

Then go and follow the instructions in this post HERE.


Please let me know the results.

Regards Howard :)

This thread is for the use of hikerbear only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi Howard;
I got 3 instances of WinAntiVirus Pro 2006 and 3 of 2007 in one scan with Xoftspy last week- never saw them again.
I will follow your instructions- it will take me a while- there's a bit of detail.
Thanks

Roger

Quick Note;
Somewhere in all this I recall something about stopping and starting System Restore- but I can't find it. Could be from some other post I was reading.

Roger
 
Ok mate, probably another of Xoftspy's false positives. I recommend you consider getting rid of Xoftspy.

Regards Howard :)

EDIT: Do not turn off system restore, unless specifically asked to do so.

This thread is for the use of hikerbear only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
May have an answer

Hi Howard;
I did some thinking and re-reading of my notes. The XoftSpy scanner shows a registry location for me as: HKEY_Local_Machine\System\CurrentControlSet\Services\SVKP
Why the Regedit search did not find it I don't know, but there it was with Enum, 0, Count and Security. After backing up, I changed it to SVKPOLD. My SVKP was just in a very different place for some reason. I have no more Delf problems and everything else on the machine seems normal. I've looked at the XoftSpy logs and there are many errors reported.
So, hold the thread for a few days and I'll post a conclusion.
Thank you for all your help and guidance and especially your Preliminary post.

Roger
 
That's great news and thanks for letting me know.

I have now added that reg key to my data.

Regards Howard :)

This thread is for the use of hikerbear only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
A little more

Hi Howard;
Am a bit under the weather so computer work is slowed, so keep the thread open please.
I noted today that XoftSpy doesn't find anything with my fix.
I also need to work on the Legacy problem.
Will keep you advised as I go.

Roger
 
Legacy_svkp

Hi Howard;
Am having trouble with this. Where you tell me to follow instructions after getting Multi_Av.Exe- I did that- in the instructions I ran services.msc- I did not find SVKP. So I can skip the part about DELSERVE.EXE.
He then talks about using MULTI_AVE.EXE and I get lost there, as I have none of the scanners he mentions.
Let me try running MULTI_AVE.EXE and see if that helps. I'll get back to you.

Roger
 
Multi_Av.exe

Hi Howard;
No Joy.
I ran Multi_Av.exe to the best of my ability to understand the instructions. Kaspersky was very difficult, as I had to be there right when it ran to enable the scan, which took 5+ hours. The others were more like the instructions. None of them found anything according to the log files. There were a number of error messages.
I read the url: http://vil.nai.com/vil/content/v_135434.htm and looked at the registry locations mentioned and couldn't find anything.
I did some searching of my registry for pnpsrv.exe and it was found. I'll have to do another search and see if I can report where my machine found it- sometimes it was just a long string of hex characters.
I am a bit discouraged, but will report my search findings the best I can and anything else you can think of that may help.
Thanks for staying with me.

Roger
 
The pnpsrv.exe file is part of the sdbot worm and is very nasty.

Given all your problems, I think it may be time to consider backing up your important data and reformatting.

However, this has to be your decision.

If you would like to post fresh HJT and Combofix logs, I'll see if there's anything further I can do to help.

Regards Howard :)

This thread is for the use of hikerbear only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
It was a good effort

Hi Howard;
I think you are right about re-install. I've added the new HJT and ComboFix logs for what it may be worth.
Thank you for all your help- we'll close after your post about the logs.
You've been very helpful and I've got quite a job ahead of me.

Roger
 
Can't see anything in either of your log files that will help us out.

One last thing I'd like you to try, if you don't mind.

Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

Attach the Autoruns log here.

Regards Howard :)

This thread is for the use of hikerbear only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Nope, nothing useful there either.

I'm really sorry mate, but I really don't have any further ideas. :(

Regards Howard :)

This thread is for the use of hikerbear only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Another Try

Hi Howard;
I found this on the same board as you found Multi_Av.exe:

"> Do a thorough scan in Safe Mode with your antivirus. If it still can't
> remove the registry key, start regedit and navigate to the key.
> Right-click on it and try Delete. If that doesn't work, use right-click
> again and change its permissions to full control for your user account
> and/or Administrator. Then you will be able to delete it."

That worked for me.
I have a number of Legacy entries- should I delete them all?

Roger
 
Howard;
Quick additional thinking- After looking, I see 20+ Legacy entries- many of which look quite valid- so I'm not going to go rampantly deleting stuff- I only deleted the SVKP one.

Roger
 
Thanks very much for the info, it's really appreciated.

Whether you should delete them all is open to debate. I suppose a lot depends on exactly what they are.

We know that LEGACY_SVKP is nasty, what are the other legacy keys you are finding?

Regards Howard :)

This thread is for the use of hikerbear only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Legacy Keys

Hi Howard;
I don't know if it solved my potential virus problem, or not- we'll see.

The keys are at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT

I've uploaded a screenshot of some of mine- I found them on all three of my computers.

I'm still getting prepared to re-install, but trying not to.

Thanks again for staying with me.

Roger a.k.a. hikerbear
 
Ah, I see.

No, under no circumstances should you delete those keys. I have them too and they are needed.

Regards Howard :)

This thread is for the use of hikerbear only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
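An added example, not part of this thread or of any tool mentioned in it: a read-only PowerShell audit of the LEGACY_* entries under the Enum\Root key Roger listed. It pairs each entry with its service key and image file, so an orphaned entry such as LEGACY_SVKP (whose SVKP service is gone) stands out from the 20+ legitimate ones without deleting anything. It assumes an elevated PowerShell session on a Windows host (XP would need PowerShell installed); the key and value names are the standard Windows ones.

```powershell
# Added example (not from this thread): read-only audit of LEGACY_* entries.
# Assumes an elevated PowerShell session on Windows; nothing is modified.
$enumRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Turn a raw ImagePath value into a file path that Test-Path can check.
function Resolve-ImageFile([string]$raw) {
    $p = [Environment]::ExpandEnvironmentVariables($raw)
    $p = $p -replace '^\\\?\?\\', ''                               # \??\C:\foo.sys
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"         # \SystemRoot\System32\...
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"    # system32\DRIVERS\foo.sys
    if ($p -match '^"([^"]+)"') { return $Matches[1] }             # "C:\Program Files\x.exe" -args
    return ($p -split ' ')[0]                                      # C:\x.exe -args
}

function Get-LegacyEnumAudit {
    Get-ChildItem -Path $enumRoot -ErrorAction SilentlyContinue |
      Where-Object { $_.PSChildName -like 'LEGACY_*' } |
      ForEach-Object {
        $service     = $_.PSChildName.Substring(7)                 # strip the "LEGACY_" prefix
        $servicePath = Join-Path $servicesKey $service
        $hasService  = Test-Path -Path $servicePath

        # The instance subkey (usually "0000") carries the human-readable DeviceDesc.
        $inst = Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue | Select-Object -First 1
        $desc = if ($inst) { (Get-ItemProperty -Path $inst.PSPath -ErrorAction SilentlyContinue).DeviceDesc }

        $image = $null; $imageExists = $null
        if ($hasService) {
            $raw = (Get-ItemProperty -Path $servicePath -ErrorAction SilentlyContinue).ImagePath
            if ($raw) { $image = Resolve-ImageFile $raw; $imageExists = Test-Path -LiteralPath $image }
        }

        $verdict = if (-not $hasService)           { 'ORPHANED: no matching service key (as with LEGACY_SVKP once SVKP is gone)' }
                   elseif ($imageExists -eq $false) { 'SUSPECT: service key present but image file missing' }
                   else                             { 'ok' }

        [PSCustomObject]@{
            LegacyKey   = $_.PSChildName
            Description = $desc
            ImagePath   = $image
            Verdict     = $verdict
        }
      }
}

Get-LegacyEnumAudit | Sort-Object Verdict -Descending | Format-Table -AutoSize -Wrap
```

Entries reported as ok are the normal driver and service records Howard refers to and should be left alone; an ORPHANED or SUSPECT line is a lead to investigate, not an instruction to delete.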
 
Hi Howard;
I took your advice and re-installed XP! As you can see, I've got the browser working.
Many, many thanks for all your help. I'd keep this thread open for a bit, but cut some of it if you can.

Roger a.k.a. hikerbear
 