Hello. I also have this virus which is only detected by Xoftspy. I have the same experience as chirag_gajjar - Xoftspy detects it and removes it and as long as I don't shut down and restart my computer it stays that way. As soon as I boot up it's detected again. I followed the instructions from Howard Hopkinso and when rebooted - there it is again. I don't know what to do at this point. Any suggestions?

thanks,

Katrina

[B]Hello and welcome to Techspot.[/B]

[b][color=red]Very Important:[/color] Before deciding whether you should clean or reformat your system, go and read this thread [b][URL="http://www.techspot.com/vb/topic65943.html"][color=blue]HERE[/color][/URL][/b] and decide what it is you want to do.[/b]

If after reading the above, you wish to clean your system, do the following.

[b]Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT).[/b] See how [URL="http://www.bleepingcomputer.com/forums/tutorial61.html"]HERE[/URL].

[b]In Windows Explorer, turn on "Show all files and folders, including hidden and system".[/b] See how [URL="http://www.bleepingcomputer.com/forums/tutorial62.html"]HERE[/URL].

Click start/run and type regedit into the runbox and press the enter key.

Navigate to H_KEY_LOCAL_MACHINE/SYSTEM/[b]SVKP[/b] and delete it.

Close regedit and reboot your system.

Then, go and read the [b][URL="http://www.techspot.com/vb/topic58138.html"]Viruses/Spyware/Malware, preliminary removal instructions.[/URL][/b] Follow all the instructions exactly.

Post fresh [b]HJT[/b], [b][color=red]AVG Antispyware[/color] and Combofix logs as attachments[/b] into this thread, only after doing the above.

[b]Also, let me know the results of the AVG Antirootkit scan.[/b]

Regards Howard

[color=red][b]This thread is for the use of[/color] katmullinax [color=red]only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our [URL="http://www.techspot.com/vb/menu28.html"]security and the web forum[/URL].[/color][/b]

Hey Howie, I deleted the SVKP folder from the registry, rebooted and ran Xoftspy - which for the first time in 8 days came up without the bug. Can't tell you what a relief that is.

I didn't have time to follow the remaining instructions because I had to leave my office (I'm writing this from home computer) but would you like me to still do that?

thank you thank you thank you.

Katrina

No problem if you can't post the log files right away. Just be sure to post them as soon as you have sufficient time.

Without them, it's hard to tell whether or not your system is really clean.

Regards

Yes mate, I`d still like you to post the requested log files as soon as you can.

Regards Howard

[color=red][b]This thread is for the use of[/color] katmullinax [color=red]only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our [URL="http://www.techspot.com/vb/menu28.html"]security and the web forum[/URL].[/color][/b]

http://hjt-data.trend-braintree.com/...report=3649423

here are the first two reports, but I presently don't have Combofix so I guess I need that?

Thank you!

Katrina

p.s. Xoftspy came up clean again except for a couple of cookies.

Attached Files

Report-Scan-20070406-144207.txt (2.5 KB, 2 views)

Yes, you need to attach a Combofix log. Also, please attach a fresh HJT log.

Your AVG Antispyware log says all items have been ignored. This is because you didn`t tell AVG Antispyware to quarantine results. See [URL="http://www.techspot.com/vb/topic67970.html"]HERE[/URL].

Post fresh HJT, AVG Antispyware and Combofix logs.

Regards Howard

[color=red][b]This thread is for the use of[/color] katmullinax [color=red]only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our [URL="http://www.techspot.com/vb/menu28.html"]security and the web forum[/URL].[/color][/b]

Howard - I don't have Combofix, can you give me a link to the download? Running AVG Antispyware now, will send results and HJT results shortly.

thank you,

Katrina

You`ll find links to all programmes/tools in this thread [URL="http://www.techspot.com/vb/topic58138.html"]HERE[/URL]. Combofix is in step12 of the instructions.

Regards Howard

[color=red][b]This thread is for the use of[/color] katmullinax [color=red]only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our [URL="http://www.techspot.com/vb/menu28.html"]security and the web forum[/URL].[/color][/b]

here are HJT and AVG Antispyware reports...will download and run the Combofix now.

Thanks,

Katrina

here is combofix log....

thanks thanks thanks

Katrina

Attached Files

	Report-Scan-20070409-120930.txt (3.0 KB, 3 views)
	hijackthis 4 9 07.log (11.1 KB, 2 views)
	ComboFix.txt (8.3 KB, 4 views)

What were the results of the AVG Antirootkit scan?

It appears you`re running more than one antivirus programme. McAfee and AVG free. This is not recommended, will slow your system down and can cause serious conflicts. Uninstall one antivirus programme.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

[b]Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT).[/b] See how [URL="http://www.bleepingcomputer.com/forums/tutorial61.html"]HERE[/URL].

[b]In Windows Explorer, turn on "Show all files and folders, including hidden and system".[/b] See how [URL="http://www.bleepingcomputer.com/forums/tutorial62.html"]HERE[/URL].

Delete all files in AVG Antispyware quarantine.

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

SpywareBot[b]<This is an antispyware programme of dubious repute.[/b]

Close control panel.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://channels.aimtoday.com/search/aimtoolbar.jsp[/url]

O2 - BHO: posHelp Class - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\Toolbar.dll (file missing)

O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

Click on the fix checked button.

Close HJT.

Locate and delete the following [b]bold[/b] files and/or directories(if there).

C:\Program Files\[b]SpywareBot[/b]<Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let me know the results of the AVG Antirootkit scan. Also, let me know if you`re still having problems.

Regards Howard

[color=red][b]This thread is for the use of[/color] katmullinax [color=red]only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our [URL="http://www.techspot.com/vb/menu28.html"]security and the web forum[/URL].[/color][/b]

good day Howard,

the results of the AVG antirootkit scan were negative.

Which of the antivirus software programs would you delete,
McAfee or AVG free?

deleted Spywarebot.

followed instructions and here is updated hijackthis.

No, thanks to you, I'm not having any problems.

Katrina

Attached Files

hijackthis 4 10 07.log (9.3 KB, 3 views)

Personally, I recommend getting rid of McAfee. Once you`ve done that, You will need to install a separate firewall programme such as one of the free firewalls below.

[URL="http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp;jsessionid=EElu1mSWlQjHS1lqOdGhtXP8vPmn2BX3FugIF1oqBBJ4j9pn XWWc!-559734354!-1062696904!7551!7552!NONE?dc=12bms&ctry=US&lang=en&lid=dbtopnav_zass"]Zonealarm[/URL] or [URL="http://www.sunbelt-software.com/Kerio.cfm"]Kerio[/URL] free firewall programmes.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

[b]Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT).[/b] See how [URL="http://www.bleepingcomputer.com/forums/tutorial61.html"]HERE[/URL].

[b]In Windows Explorer, turn on "Show all files and folders, including hidden and system".[/b] See how [URL="http://www.bleepingcomputer.com/forums/tutorial62.html"]HERE[/URL].

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

SpywareBot.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

Click on the fix checked button.

Close HJT.

Locate and delete the following [b]bold[/b] files and/or directories(if there).

C:\Program Files\[b]SpywareBot[/b]<Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard

[color=red][b]This thread is for the use of[/color] katmullinax [color=red]only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our [URL="http://www.techspot.com/vb/menu28.html"]security and the web forum[/URL].[/color][/b]

Hello everyone,

I tried to follow the advise here, but did not have a H_KEY_LOCAL_MACHINE/SYSTEM/SVKP folder.

I found the SVKP folder in HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/SVKP and HKEY_LOCAL_MACHINE/SYSTEM/ControlSet002/Services/SVKP.

There is a HKEY_LOCAL_MACHINE/SYSTEM/ControlSet001/Services, but no SVKP there.

I deleted the 2 SVKP folders from the registry in safe mode, ran XoftSpySE and it's gone! I hope this helps you as well. Thanks everybody.