
Thread: Virtumonde Related - Reg Keys Regenerate

  1. #1
    Junior Member
    Join Date
    Dec 2008
    Posts
    2

    Virtumonde Related - Reg Keys Regenerate

    Hello,

    I have not been able to find any topics on a multitude of sites relating to my current problem. Spybot never worked to remove the virus in the first place, so I had to find an alternative. Malwarebytes' Anti-Malware worked perfectly, except there are 3 registry keys that keep regenerating every time I log into Windows normally. I'm thinking it has to do with some kind of file that is running, because they do not get recreated when going into safe mode.

    I'm actually an IT person, but since I usually keep myself from getting on sites with trojans etc., I'm having trouble getting rid of this persistent virus. Oddly enough it was on some news site, but anyways here's the 3 that keep regenerating:

    Code:
    O4 - HKLM\..\Run: [CPM9f24eeaf] Rundll32.exe "c:\windows\system32\vahuyayu.dll",a
    O4 - HKLM\..\Run: [fidufajamo] Rundll32.exe "C:\WINDOWS\system32\nakuteye.dll",s
    O4 - HKLM\..\Run: [9c17dd33] rundll32.exe "C:\WINDOWS\system32\zizakohe.dll",b

    I've scanned my whole system with F-Secure from Charter, Malwarebytes', HJT, the secure library scan from Microsoft, Spybot S n D, and VundoFix as well as VundoBegone. Malwarebytes got rid of all the infected files, but no matter how many times I delete these regkeys they come back.

    Thanks
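
The three entries quoted in the post above share one shape: a Run value that starts rundll32 against a DLL in system32 with a one-letter export. As an added example (not part of the original thread and not HijackThis's own code), this Python script parses O4 lines and lists those traits per entry. The two `Example...` entries and the triage rules are constructed assumptions, and a hit means "inspect the file", not "malicious".

```python
import re
from pathlib import PureWindowsPath

# The three O4 lines quoted in the post, plus two constructed entries for contrast.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [CPM9f24eeaf] Rundll32.exe "c:\windows\system32\vahuyayu.dll",a
O4 - HKLM\..\Run: [fidufajamo] Rundll32.exe "C:\WINDOWS\system32\nakuteye.dll",s
O4 - HKLM\..\Run: [9c17dd33] rundll32.exe "C:\WINDOWS\system32\zizakohe.dll",b
O4 - HKLM\..\Run: [ExampleCpl] rundll32.exe "C:\Program Files\Example\cpl.dll",StartMonitor
O4 - HKCU\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /startup
'''

# "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]{2})\\\.\.\\(?P<key>Run\w*): '
                   r'\[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# rundll32[.exe] "<dll path>",<export>
RUNDLL_RE = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'
                       r'"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.I)
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")

def parse_o4(log):
    """Return one dict (hive, key, name, cmd) per registry autorun line."""
    matches = (O4_RE.match(line.strip()) for line in log.splitlines())
    return [m.groupdict() for m in matches if m]

def triage(entry):
    """List the reasons an entry deserves a closer look (not a verdict)."""
    m = RUNDLL_RE.match(entry["cmd"])
    if not m:
        return []
    reasons = ["autorun loads a DLL through rundll32"]
    # PureWindowsPath compares case-insensitively, as Windows paths do.
    if PureWindowsPath(m["dll"]).parent == SYSTEM32:
        reasons.append("DLL sits directly in system32")
    if len(m["export"]) == 1:
        reasons.append("single-character export name")
    return reasons

def review(log):
    """Map each Run value name to its triage reasons."""
    return {e["name"]: triage(e) for e in parse_o4(log)}

if __name__ == "__main__":
    for name, reasons in review(SAMPLE_LOG).items():
        print(f"{name:14} {len(reasons)}  {'; '.join(reasons) or '-'}")
```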

  2. #2
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi

    If you want me to help, please post a fresh HJT log taken from your system by following these instructions:

    Download and install TrendMicro HijackThis
    * Once installed, open HijackThis by clicking Start > Programs > HijackThis and click the button labeled "Do a system scan only".
    * Click the scan button in the lower left-hand corner of the interface and HijackThis will quickly scan your system.
    * Once the scan is complete, the scan button will now read save log. Click this button to save the log file to your PC. Once you select where you would like to save the file, it will open in your system's default text editor. Typically this application is Notepad. Post the log here.

    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Dec 2008
    Posts
    2

    Yeah, sorry, I didn't feel a need to post my whole log in the first place. I did fix it on my own though, and for future information I:

    Removed all functions of the key,
    renamed all keys throughout the registry related,
    turned them off from startup through Spybot's menu,
    Deleted them from startup
    Deleted them
    Restarted and they were gone.

    Seems it was more simple than I had thought, they were just trickily hidden in startup that I wasn't able to see w/o Spybot.

    Thanks,
    BlazeTheKing

  4. #4
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi

    By twiddling with the registry it's also simple to get the system into a non-recoverable state. That's one reason why users shouldn't try any fixing by themselves without guidance.

    Anyway, since this issue is resolved the topic will be now archived.
