
Unable to delete malware keys from registry.

Discussion in 'Malware and Virus Removal Archive' started by Vortigern Wolf, 2007/05/01.

  1. 2007/05/01
    Vortigern Wolf

    Vortigern Wolf Inactive Thread Starter

    Joined:
    2002/11/11
    Messages:
    57
    Likes Received:
    0
    Ok, no offence meant, but please read this carefully. I am unable to delete the keys found from the registry; HijackThis is unable to delete the keys found from the registry as well.

    Here goes :)

    Hi,

    Have a computer that is having problems with Happy888. When you log in it fires up tons of internet pages. I am very sure that the machine is virused as there are a lot of strange processes in the registry.

    I have run Ad Aware which finds between 8 -13 entries per reboot.

    I have run HijackThis and tried to delete the suspect entries, but although HijackThis says that they are deleted, when you scan again they all reappear. I have tried this in both safe mode and normal mode.

    I have gone into safe mode and searched for the entries. I have found them under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run; when I select the suspect entries and try to modify or delete them I receive the message "Unable to delete all specified values."

    I cannot seem to clean out the viruses by software or manually, does anyone have any ideas?

    Right, here is the HijackThis log, taken in safe mode:

    Logfile of HijackThis v1.99.1
    Scan saved at 14:10:22, on 01/05/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\regedit.exe
    C:\Liger\Hijack\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
    O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Belkin\Belkin keyboard driver\KbdAp32A.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\evdgtngf.dll ",setvm
    O4 - HKLM\..\Run: [apap1] C:\WINDOWS\System32\apap1.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [stivcot] c:\windows\system32\stivcot.exe
    O4 - HKLM\..\Run: [MSConfigh] c:\temp\svchost.exe
    O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
    O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
    O4 - HKLM\..\Run: [tvctray] c:\windows\system32\tvctray.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175857131231
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = *****.local
    O17 - HKLM\Software\..\Telephony: DomainName = *****.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ****.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ****.local
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
    O23 - Service: Indexing Helper (Indexingboxs) - Unknown owner - c:\temp\svchost.exe (file missing)

    The entries that are causing me problems are:

    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\evdgtngf.dll ",setvm
    O4 - HKLM\..\Run: [apap1] C:\WINDOWS\System32\apap1.exe
    O4 - HKLM\..\Run: [stivcot] c:\windows\system32\stivcot.exe
    O4 - HKLM\..\Run: [MSConfigh] c:\temp\svchost.exe
    O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
    O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
    O4 - HKLM\..\Run: [tvctray] c:\windows\system32\tvctray.exe

    Don't know why I cannot delete them and now I don't know how to delete them! ;)

    Quick note. I am unable to update the computer to SP2 because it is running old AutoCAD software that is incompatible with SP2.

    Hope you can help. Thank you in advance for your replies and have a great day :D .

    Vortigern
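The O4 lines above show the two patterns a responder looks for first: filenames that imitate a Windows system binary (SCVHOST.exe, svehost.exe, the service entry's svchest.exe) and a genuine system name running from the wrong place (c:\temp\svchost.exe). The following Python script is an added example, not part of the post or of HijackThis; it parses O4 lines like the ones in the log and flags those patterns. The sample lines are a constructed subset of the log, the table of protected names and their normal directories is an assumption for the example, and the 0.8 similarity threshold is a heuristic chosen here.

```python
"""Triage the O4 (autorun) lines of a HijackThis log for lookalike and out-of-place
system binaries. Added example, not part of the forum post."""
from __future__ import annotations

import re
from difflib import SequenceMatcher

# Constructed sample: a subset of the O4 lines from the log above plus one legitimate entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfigh] c:\temp\svchost.exe
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\evdgtngf.dll ",setvm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
"""

# System binaries that malware commonly imitates and the directory each normally lives in
# on Windows XP (assumed for this example; adjust for the host being examined).
PROTECTED = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
LOOKALIKE_THRESHOLD = 0.8  # heuristic: one or two edited characters in a short filename

# "O4 - HKLM\..\Run: [name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path ending in .exe/.dll; stops at a quote or comma (rundll32 style).
PATH_RE = re.compile(r'[a-z]:\\[^"\n,]*?\.(?:exe|dll)', re.IGNORECASE)


def image_of(cmd: str) -> str:
    """Return the first executable/DLL path in the command line, else its first token."""
    m = PATH_RE.search(cmd)
    if m:
        return m.group(0)
    tokens = cmd.split()
    return tokens[0] if tokens else ""


def suspicion_reasons(image: str) -> list[str]:
    """Reasons an autorun image deserves a closer look (empty list means nothing flagged)."""
    path = image.lower()
    directory, _, base = path.rpartition("\\")
    reasons = []
    if base in PROTECTED:
        # Genuine system name: it must run from its normal directory.
        if directory != PROTECTED[base]:
            reasons.append(f"{base} outside its normal directory ({PROTECTED[base]})")
    else:
        # Unknown name: compare against each protected name for a near-miss spelling.
        for real in PROTECTED:
            if SequenceMatcher(None, base, real).ratio() >= LOOKALIKE_THRESHOLD:
                reasons.append(f"name resembles {real}")
                break
    if "\\temp\\" in path or "\\tmp\\" in path:
        reasons.append("runs from a temp directory")
    return reasons


def triage(log_text: str) -> list[dict]:
    """Parse every O4 line and return the entries that have at least one reason."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        image = image_of(m.group("cmd"))
        reasons = suspicion_reasons(image)
        if reasons:
            findings.append({"name": m.group("name"), "hive": m.group("hive"),
                             "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['name']}] {f['image']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the sample it reports MSConfigh, only23 and "Intel system tool" and leaves the NVIDIA and ctfmon entries alone; the DllRunning entry is not flagged because a random-looking DLL name is not something a string check can judge, which is exactly why the responder asks for file samples rather than relying on the log.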
     
  2. 2007/05/01
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi and welcome.

    I suspect there are a few other launch points or other files HJT can't see loading this junk.
    I also suspect some of those startups are of the backdoor variety.

    I'd like to see a startuplist please:

    Start Hijackthis
    Click "open misc tools section "
    check both options beside "generate startuplist log" and generate the log.
    Post results.

    Next....Need some file samples.

    Please download Suspicious file Packer from Safer-Networking.Org and unzip it to your desktop.

    Copy the below bold list to a notepad file so you have access in safe mode.

    Boot to safe mode.

    Run SFP.exe.

    Please copy the following lines:

    C:\WINDOWS\System32\evdgtngf.dll
    C:\WINDOWS\System32\apap1.exe
    c:\windows\system32\stivcot.exe
    c:\temp\svchost.exe
    C:\WINDOWS\SCVHOST.exe
    C:\WINDOWS\System32\svehost.exe
    c:\windows\system32\tvctray.exe

    and paste it in the box in SFP, then click "Continue ".

    It will copy the files and zip em up to a cab file on your desktop.
    Called something like "Requested files [time/date].cab "

    Please upload the cab file to this site when you get back to normal mode.

    http://www.thespykiller.co.uk/index.php?board=1.0

    Start yourself a new topic
    Put in topic title "Request by Blender "
    Put in body of message the link to our thread here.
    then press the browse button and then navigate to & select the cab file on desktop.
    press Post to upload the file

    It is normal you will not see the file you just posted cus only approved members can see em to download them.

    Let me know here when you have posted.

    Next:

    Download catchme.exe from here:

    http://www.gmer.net/catchme.exe

    Save file to your desktop.
    Double click it and let it run.
    A "dos" window will pop up while the program scans system for hidden files/processes.
    It will tell you when done and lets you know if anything is found.
    You can close the "dos" window.
    A log file called catchme.txt will be placed on the desktop.

    Please post the contents of that file.

    Note:

    You may need 2 posts to get both logs in.

    Thanks :)
     


  4. 2007/05/02
    Vortigern Wolf

    Vortigern Wolf Inactive Thread Starter

    Joined:
    2002/11/11
    Messages:
    57
    Likes Received:
    0
    Shoot! :eek:

    Computer is now rebooting itself when starting up, not able to get into windows at all now.

    Maybe something I have done. Maybe the virus has ramped itself up. Gonna try repairing, if not going to have to format and rebuild.

    If I can get it to a state where I can get at those files will let you have them.

    Thanks for your time, it's a nuisance the computer decided to fall over.

    Vortigern
     
  5. 2007/05/02
    Vortigern Wolf

    Vortigern Wolf Inactive Thread Starter

    Joined:
    2002/11/11
    Messages:
    57
    Likes Received:
    0
    Managed to repair the machine. Still unable to edit registry. Going to find those files :cool: .

    Vortigern
     
  6. 2007/05/02
    Vortigern Wolf

    Vortigern Wolf Inactive Thread Starter

    Joined:
    2002/11/11
    Messages:
    57
    Likes Received:
    0
    HJT log taken in normal mode:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:25:41, on 02/05/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
    C:\Program Files\Belkin\Belkin keyboard driver\KbdAp32A.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\svehost.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Liger\Hijack\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
    O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Belkin\Belkin keyboard driver\KbdAp32A.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\evdgtngf.dll ",setvm
    O4 - HKLM\..\Run: [apap1] C:\WINDOWS\System32\apap1.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [stivcot] c:\windows\system32\stivcot.exe
    O4 - HKLM\..\Run: [MSConfigh] c:\temp\svchost.exe
    O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
    O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
    O4 - HKLM\..\Run: [tvctray] c:\windows\system32\tvctray.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175857131231
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = designservicesengineeringltd.local
    O17 - HKLM\Software\..\Telephony: DomainName = designservicesengineeringltd.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = designservicesengineeringltd.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = designservicesengineeringltd.local
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
    O23 - Service: Indexing Helper (Indexingboxs) - Unknown owner - c:\temp\svchost.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)

    Files to follow, Thanks

    Vortigern
     
  7. 2007/05/02
    Vortigern Wolf

    Vortigern Wolf Inactive Thread Starter

    Joined:
    2002/11/11
    Messages:
    57
    Likes Received:
    0
    Have uploaded the files to the website and included the Catchme log. Bit edgy that the catchme log didn't seem to identify anything. Could this be a case of virus plus computer fault?

    Thanks again for your time.

    Vortigern
     
  8. 2007/05/03
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    sorry for delay.

    Looking at those files now. Only a couple did get copied. I suspect cus several are protecting themselves.

    I'm not sure if "catchme" should hit on anything or not yet. Crashes do sometimes do weird things and I am trying to cover a few possible areas at once to get as much info as possible.

    At what point did you crash? Meaning what were you doing at the time?

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally copy and paste the contents of the results file Report.txt back onto the forum.

    Next:

    Forums:

    Please download
    VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • If your security software asks about installing a service; please allow it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting
    from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    I would also like a log from the following:

    Open Hijackthis
    Click "open misc tools section "
    check both options beside "generate startuplist log" and generate the log.
    Post results.

    Likely take a couple posts to get all logs in.

    Thanks :)

    Try and keep this box offline as much as possible please.

    If we need it, are you familiar with working in the recovery console off the CD?
     
  9. 2007/05/15
    Vortigern Wolf

    Vortigern Wolf Inactive Thread Starter

    Joined:
    2002/11/11
    Messages:
    57
    Likes Received:
    0
    Blender,

    Thank you for your time you spent on this. I am afraid that I had a problem with the board when my old email address expired.

    Time ran against me with this problem and I ended up having to format and rebuild :eek: .

    Thanks again for your time.

    Vortigern
     
