Can't delete registry virus-avast not detecting it, mbam did

Scanned my computer with MBAM and it keeps showing these same registry ‘hijack’ viruses and I click to delete them but they are still there every time MBAM says it deleted them. Even using regedit doesn’t work.

Here is the log:

Malwarebytes’ Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

11/24/2009 4:01:16 PM
mbam-log-2009-11-24 (16-01-16).txt

Scan type: Full Scan (C:|)
Objects scanned: 214749
Time elapsed: 1 hour(s), 26 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) → Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) → Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Avast did not detect this problem. And even though the log says the virus was quarantined and deleted successfully, IT IS NOT, because I still have regedit open and can see that it is still there. I’ve had this problem for a few days now and MBAM is always detecting it but not able to delete it, even though it ‘thinks’ it did.

So, what is causing it and what do I do about it?

Thank you.

This isn’t a virus!

This is a registry entry, but some values in the registry MBAM considers bad; this could have been changes a user made or, in this case, possible corruption. See the difference between the two:

Bad: (%fystemroot%\system32\svchost.exe -k netsvcs)
Good: (%SystemRoot%\System32\svchost.exe -k netsvcs)

Can you see it? %f and not %S.
%SystemRoot% is a variable for C:\Windows; %fystemroot% isn’t a valid variable, so it would have no assigned value and is effectively dead in the water and can’t do anything.

How this became corrupt I haven’t the slightest idea, but avast doesn’t look for registry problems in this way: avast scans your system and, if it finds infected files, it then looks for the associated registry entries for those files.

MBAM doesn’t actually delete the registry entry as far as I’m aware; it should change it but keep a copy of the original registry key in the quarantine area of MBAM.

If you had regedit open whilst making the decision about this and MBAM said quarantined and deleted, the item may still appear; close regedit and open it again. If it is still the same, you could manually change the value.
From:
%fystemroot%\system32\svchost.exe -k netsvcs
To:
%SystemRoot%\system32\svchost.exe -k netsvcs
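As an added example that is not part of this thread: a small Python script that parses the “Registry Data Items Infected” lines of the MBAM log quoted above and checks whether the Bad and Good ImagePath values reference a variable Windows can actually expand, which is the %f-versus-%S difference explained in this reply. The KNOWN_VARS table and the SAMPLE_LOG excerpt are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One "Registry Data Items Infected" line of an MBAM 1.4x log; the post above renders
# the arrow as "→" and plain-text logs use "->", so both are accepted.
DATA_ITEM_RE = re.compile(
    r"^(?P<path>HKEY_\S+) \((?P<detection>[^)]+)\) (?:->|→) "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) (?:->|→) (?P<action>.+)$"
)
ENV_RE = re.compile(r"%([^%]+)%")
KNOWN_VARS = {"systemroot": r"C:\WINDOWS", "windir": r"C:\WINDOWS"}  # assumed XP defaults
@dataclass
class Finding:
    key: str          # e.g. HKEY_LOCAL_MACHINE\...\Services\wuauserv
    value_name: str   # e.g. ImagePath
    detection: str    # e.g. Hijack.WindowsUpdates
    bad: str          # value MBAM found
    good: str         # value MBAM restored
    bad_unknown_vars: List[str]  # %tokens% in `bad` that Windows cannot expand

def unknown_vars(value: str) -> List[str]:
    return [v for v in ENV_RE.findall(value) if v.lower() not in KNOWN_VARS]

def expand(value: str) -> Optional[str]:
    """Expand %VAR% tokens as Windows would; None if any token is unknown, because
    the path then cannot resolve to an existing file (the '%f' case in the log)."""
    if unknown_vars(value):
        return None
    return ENV_RE.sub(lambda m: KNOWN_VARS[m.group(1).lower()], value)

def parse_mbam_data_items(log_text: str) -> List[Finding]:
    findings, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):  # section header such as "Folders Infected:"
            in_section = line.startswith("Registry Data Items")
            continue
        m = DATA_ITEM_RE.match(line) if in_section else None
        if m:
            key, _, value_name = m.group("path").rpartition("\\")
            findings.append(Finding(key, value_name, m.group("detection"), m.group("bad"),
                                    m.group("good"), unknown_vars(m.group("bad"))))
    return findings

# Constructed excerpt of the log quoted in the question, with "->" arrows.
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
Folders Infected:
"""
```

Running `parse_mbam_data_items(SAMPLE_LOG)` reports `['fystemroot']` and `['fystemRoot']` as the unexpandable tokens in the two Bad values, while `expand()` of either Good value resolves to the real svchost.exe path.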

Windows XP Service Pack 3 has been available for over a year and provides many Critical Updates plus performance improvements.

You need to start Internet Explorer, then go to Tools, then Windows Update, and download all of the available updates.

Also you should enable Automatic Updates or at least be notified that Updates are available.

Go to Control Panel, then Automatic Updates, then select Automatic (recommended) or at least Notify me but don’t automatically download or install them.

MBAM database is at 3224 level.

Go to Secunia Online Software Inspector, then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

Thank you for replying. I thought it was a virus. And I did like you said but it won’t allow me to edit.

If it is not a virus and does not do anything then I am not worried about it.

That is a sign of infection. The registry entry is changed to stop Windows Updates.

Changing it manually is a little more difficult as the permissions on the key also have been altered.