Registry value for Vundo.H keeps reappearing

Discussion in 'Malware Help (A Specialist Will Reply)' started by DetectsButCantRemove, Jan 22, 2009.

  1. DetectsButCantRemove

    DetectsButCantRemove Private E-2

    Several months ago, when I first posted on the McAfee forums trying to remove the ddrawexk.dll that McAfee software found to be a trojan, I was eventually instructed to boot from the Windows CD to delete the ddrawexk.dll from my system32 folder. Since the deep scanning process in DOS took a ridiculous amount of time for my 100GB hard drive, I was tired of fighting to remove all bits of this trojan from my PC and I gave up after succeeding in re-establishing my internet connection. At that time, I was not following the guidelines at MajorGeeks, but decided to do so a few days ago.

    What I realized is that I still have some registry values reappearing and some registry keys reappearing in every Malwarebytes scan. Vundo.H registry values keep reappearing, and 4 registry keys for Trojan.Agent are always there after each Malwarebytes scan. I suspect there is at least 1 orphan file, related to ddrawexk.dll, that did not get deleted properly, though I am not sure if I am using the "orphan" term correctly.

    I followed the procedure you described in the WinXP cleaning process.

    I am suspicious about the Ati2evxx.dll in my system32 folder, perhaps I should remove it as well just like I removed the ddrawexk.dll.

    Let me know what you think please, I really don't want any traces left back from this trojan or I will format my harddrive.
     

    Attached Files:

    Last edited: Jan 22, 2009
  2. DetectsButCantRemove

    DetectsButCantRemove Private E-2

    Here is the 4th log file in ZIP format
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ok...let's do this:

    Please disable all anti-virus and anti-spyware programs while we do the following ( be sure to re-enable when we are finished):


    Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Tell me if you get a success message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  4. DetectsButCantRemove

    DetectsButCantRemove Private E-2

    Hi Tim, thank you for your fast help.

    The registry update was successful. I am attaching the new MGlog files.

    I want to do a new scan with Malwarebytes, because it was the only software to detect those Vundo.H registry values and Trojan.Agent keys.
     

    Attached Files:

  5. DetectsButCantRemove

    DetectsButCantRemove Private E-2

    The new Malwarebytes scan still reports the same 2 registry values and 4 registry keys, so nothing seems to have been deleted.
     
  6. DetectsButCantRemove

    DetectsButCantRemove Private E-2

    Hey TimW,

    I used BartPE tools and believe my hard drive is clean now. SUPERAntiSpyware, Spybot Search & Destroy, and Malwarebytes scans are clean. And CCleaner fixed all issues, including the reappearing ActiveX/COM issue related to ddrawexk.dll.

    I thought since I deleted the ddrawexk.dll using the Recovery Console, I could maybe delete these reappearing registry keys and values in the same way. However, I found out that the Recovery Console does not allow registry editing, so after several hours of searching and trial and error, I created a "BartPE" boot CD. I searched for the registry items that Malwarebytes had found and deleted them all. Now I am logged back in to normal WinXP and the Malwarebytes scan is clean; the registry values did not reappear. I guess the PC is clean, what do you think?

    Your site is super great, but it would have been fantastic if there was a link to BartPE tools, of course with some warning that you give no warranty for its use. I could not wait for your help, because I was really angry with this infection :-/

    Take care,
     
    Last edited: Jan 23, 2009
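The "keeps reappearing" symptom in this thread is the useful signal: a registry key or value that comes back after it was deleted is being re-created by something still running, so the live component is what has to be found, not just the entries. One way to check for that without waiting for another scanner run is to export the affected keys with regedit before deleting them and again after a reboot, then compare the two exports. The script below is an added example, not something posted in this thread or supplied by MajorGeeks; it assumes the standard regedit export format (REGEDIT4 / "Windows Registry Editor Version 5.00", `[Key]` sections, `"name"=data` lines, `[-Key]` and `"name"=-` as deletions in fix files), and the key names, CLSID and value data in the sample exports are constructed placeholders.

```python
import re

# Constructed sample exports (not from the thread): the same two keys exported
# with regedit before the fix and again after a reboot. Key names, the CLSID
# and the value data are hypothetical placeholders.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleLoader"="rundll32.exe example.dll,start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}]
@="Example Class"
"""

# After the reboot the Run value is back (re-created by a live component),
# the CLSID key is gone, and a binary value spans two lines in the export.
AFTER_REBOOT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleLoader"="rundll32.exe example.dll,start"
"Blob"=hex:01,02,\
  03,04
"""

# Entries the scanner flagged, as (key, value name) pairs; None means the key itself.
FLAGGED = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ExampleLoader"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}", None),
]

_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text):
    """Parse a regedit export into {key: {value_name: data}} (names lowercased).

    Handles the REGEDIT4 and Version 5.00 headers, ';' comments, hex data
    continued across lines with a trailing backslash, and the deletion forms
    used in fix files ([-Key] and "name"=-), which are not treated as present.
    """
    keys = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";") or line == "REGEDIT4" \
                or line.startswith("Windows Registry Editor"):
            continue
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]          # value data continues on the next line
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.startswith("-"):     # [-Key] deletes the key in a fix file
                current = None
                continue
            current = name.lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_LINE.match(line)
        if not m or m.group(3) == "-":   # "name"=- deletes the value
            continue
        vname = "" if m.group(1) == "@" else m.group(2)   # "" is the (Default) value
        keys[current][vname.lower()] = m.group(3)
    return keys


def still_present(flagged, export_text):
    """Return the flagged (key, value) entries that exist in the export.

    Anything listed here after the entries were deleted and the machine
    rebooted was re-created, which points at a running driver, service or
    loaded DLL that has to be located and removed first.
    """
    reg = parse_reg(export_text)
    found = []
    for key, value in flagged:
        values = reg.get(key.lower())
        if values is None:
            continue
        if value is None or value.lower() in values:
            found.append((key, value))
    return found


if __name__ == "__main__":
    for key, value in still_present(FLAGGED, AFTER_REBOOT):
        print("reappeared:", key, "" if value is None else "-> " + value)
```

Run against a real pair of exports, an empty result after the reboot means the deletions held; a non-empty one means the same entries are being re-created and an offline cleanup (as done from the boot CD above) or finding the component that writes them is the next step.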
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

