
Options\Arrakis3.exe detected: Trace.Registry.SmartVirusEliminator!A2


gregb204


Hi gregb204, and welcome to the forum.

=======

Read the following instructions:

START HERE <--click. If you don't, we are just going to send you back to this thread.

Prepare and post the required log files into this thread.

Wait for a reply from ShadowPuterDude, Katana, or JeanInMontana for assistance and further instructions.

=======

Translation Links for Forum Instructions

...also, if you can, and it was not found by A2, I need help removing trojan-downloader.delf.gck in the C: user AppData area.

Please provide more detailed information about the security product that flagged "trojan-downloader.delf.gck" and what was flagged.

Briefly describe the problems and the system's misbehaviour, if any.

{added} Are you using BitDefender?

If so, please submit the file (Arrakis3.exe) flagged by a2 in the detection list to the EMSI developers for analysis regardless.

My regards

P.S. Posting just the file name or the alleged infection name does not provide any information.

The locations of the files / precise names of the files and/or registry entries, processes, etc. are required. The same applies to the detection names. All that info should be in the saved report produced by a-squared. That will be one of the steps in the instructions.


Read it, and I just added a picture of the found files from asp. It shows the location for the trojan downloader but does not clean it, or at least says it cleans but doesn't. Also malware.klone is shown.

My desktop background is black and I cannot change themes. I have colored icons in my Avant browser; I can click on the toolbar and remove them, but they come back each time. System Restore is corrupt on all dates, so I deleted them. I tried several online scanners and AV products. I use BitDefender AV and FW.

The black screen showed up after I tried to run ComboFix, but it stopped, saying Avast was installed. So I deleted the exe file where it was. I ran the ger rootkit tool and deleted the red file, but no help. The computer runs fine otherwise; I just don't trust it till it's cleaner.

Thanks.


...

The black screen showed up after I tried to run ComboFix ...

Please do not run any utilities other than those stated in the instructions... ComboFix in particular.

You can render your system inoperable.

You will be guided by a malware fighter after providing all the preliminary required information as per the instructions referred to.


I won't run any till asked. I use Vista Home and saw that Combo doesn't work on Vista, but I'm not sure.

Attach all log files as per instruction into this thread only.

Don't use PM for that.

Since you confirmed that you are using BitDefender, submit the file as suggested in addition.

Please post all information/replies into the thread.

My regards


OK, just ran a new BD scan and have to take screenshots in parts to send. BD tech support said it's not a false positive and to delete the A2 items. Also ran the ger rootkit tool; I deleted a red line it found but didn't save the deleted item, which was a mistake for getting help.

Is this where I reply? I just hit reply, not PM.


... also ran the ger rootkit tool; I deleted a red line it found but didn't save the deleted item, which was a mistake for getting help.

Is this where I reply? I just hit reply, not PM.

Stop running anti-rootkits & other tools without supervision; that was pointed out earlier.

You PM'ed the a-squared report to me.

You should attach the Deep Scan result (not the Quick one you've sent by PM) and the other required log files after running ISeeYouXP & HijackFree

as per the instructions with your next reply into this thread.


...

Not sure how to find the HJF file; I hit online analysis at the upper right corner after download, but I'm not sure how to get a log file.

Run a2hijackfree.exe

In order to produce required log file:

Savelog.jpg

Use the drop-down list at the left of the printer icon and choose the "HJT compatible" option.

Plus update a-squared, run Deep Scan and attach its report as well.


Ran and posted the HJF files. Running the A2 Deep Scan now, at 3%. I can see there are a lot of problems found in HJF and will wait for how to handle them. But I have to leave for work now and will send the Deep Scan log when I get in, in 7 hrs or so. This has really been eye-opening for me, especially with BD AV. These bugs could have been there for a long time, since my wife got us infected and I thought they were removed. But anyway, glad you are a big help in this process. Thanks a lot!!

greg.


First, update a-squared; rerun Deep Scan and this time save and attach the report.

As for quarantined items, there is "Save quarantine list" at the bottom right of the Quarantine. That report can be saved and attached too.

Images are helpful in many cases, but you should always save reports for investigation, whether it's a-squared, BitDefender or any other security product.

My regards

P.S. {added} In addition, you can submit files to the developers from quarantine,

except cookies: cookies are harmless and do not represent any threat.

There is no need to quarantine them.

It is recommended to clean temporary file locations and cookies before the scans.

You can always use the method described in the instructions using CCleaner.


...will have to send the Deep Scan in the a.m. Running now but slow.
Always disable the real-time resident of any additional antivirus when running a scan of substantial size (Deep/Smart/Custom with many folders). That reduces the time of scanning (~2.5-3 times).

Needless to say that a-squared has the highest rate of detection amongst any existing security packages.

Just don't forget to update before the scan.


Always disable the real-time resident of any additional antivirus when running a scan of substantial size (Deep/Smart/Custom with many folders). That reduces the time of scanning (~2.5-3 times).

Needless to say that a-squared has the highest rate of detection amongst any existing security packages.

Just don't forget to update before the scan.

Yes, it does rock in this area. I will start leaving it on the toolbar all the time since it works with BitDefender OK. It updates automatically if left on in the toolbar. Full version. Anyway, here are the new files.

I will turn off BD real-time next time.

gb


Download ComboFix from one of these locations:

Save it as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

Link 1

Link 2

Link 3

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

-----------------------------------------------------------

Attach fresh logs for:

  • ComboFix (C:\combofix.txt)
  • a-squared Free/Anti-Malware
  • ISeeYouXP
  • HiJackFree

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


hi,

I ran ComboFix but got an error saying avast antivirus 4.8.1229 vps 081120-0 is running. Should I go ahead and run Combo? I had Avast back in Jan. but do not see it in Program Files or Uninstall.

FP? Or any idea where to search? Or a bug? I now run BitDefender.

gb


Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
 00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00

Close Notepad.

Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

-----------------------------------------------------------

Now we need to use ComboFix to remove some stuff.

  • Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop, but Do not run it!
  • If it is not on your Desktop, the below will not work.
  • Open Notepad and copy/paste the text in the below code box into it

(make sure you scroll all the way down in the code box to get all lines selected ):

KILLALL::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdagent.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Arrakis3.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdreinit.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdsubwiz.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdtkexec.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdwizreg.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\livesrv.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\seccenter.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\uiscan.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\upgrepl.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\vsserv.exe]

File::
c:\windows\system32\09wutili.sys
c:\windows\342440337.dat
c:\windows\system32\REN750C.tmp
c:\windows\system32\REN74FB.tmp
c:\windows\system32\REN74EB.tmp

  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    th_CFScript.gif
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below

Note: DO NOT mouse-click ComboFix's window while it is running. That may cause it to stall.

The ComboFix folder should not be renamed, since ComboFix and even we would have suspicions about it. Also, when you uninstall CF, the folder would not be removed, since it does not look for that folder name.

-----------------------------------------------------------

Attach fresh logs for:

  • ComboFix (C:\combofix.txt)
  • a-squared Free/Anti-Malware
  • ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


After copying the box to Notepad I hit save to the desktop, but when I go to the desktop file it says it is not a registry script and can only import from a registry editor.

Also, a delay in doing this since I missed the email, but I checked the logs on the forum and saw your reply to my last post.

regards

greg


Not sure, but I ran another spyware program and it is finding 3 different rogue antispyware programs.

It isn't able to remove them; even though it says it is clean, they have come back on rescan.

They're called MS-Antivirus 2009 and WinAntivirus Pro 2006. I have the log saved in txt if you would like to see the detailed registry keys.

But I have not noticed any popups or changes in the computer's operation.


The file is exported as an htm file, so I cannot attach it in Notepad as txt. Anyway, I did take a screenshot of it and maybe you can see this jpg file. If not, I can type some of the reg HKLM locations. Or how can I change it to txt? I tried several things that didn't work.

regards.


Got it to save as txt: opened it as a webpage and copied/pasted into Notepad. The items say quarantined but come back. My System Mechanic says I have no firewall installed, but Windows Security does show BitDefender as my firewall. That is the only thing I can see the new bugs doing to the computer,

if they are not false positives.


Wanted to mention that the virus/trojan is causing my Live Hotmail account to be blocked on sending email, and when I go to sign in, the solutions page just flashes so I cannot read it. I also believe the account was used as a spammer since it is blocked. I get email at Hotmail, but to send I use Live Mail if it works.


Have a-squared quarantine the following:

Key: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdagent.exe 	detected: Trace.Registry.VirusShield2009!A2
Key: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Arrakis3.exe 	detected: Trace.Registry.SmartVirusEliminator!A2
Key: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdreinit.exe 	detected: Trace.Registry.SmartVirusEliminator!A2
Key: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdsubwiz.exe 	detected: Trace.Registry.SmartVirusEliminator!A2
Key: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdtkexec.exe 	detected: Trace.Registry.SmartVirusEliminator!A2
Key: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdwizreg.exe 	detected: Trace.Registry.SmartVirusEliminator!A2
Key: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\livesrv.exe 	detected: Trace.Registry.SmartVirusEliminator!A2
Key: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\seccenter.exe 	detected: Trace.Registry.SmartVirusEliminator!A2
Key: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\uiscan.exe 	detected: Trace.Registry.SmartVirusEliminator!A2
Key: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\upgrepl.exe 	detected: Trace.Registry.SmartVirusEliminator!A2
Key: HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\vsserv.exe 	detected: Trace.Registry.SmartVirusEliminator!A2

Then attach a fresh log from a-squared.

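The two registry items this thread keeps coming back to are the Session Manager BootExecute value restored by the FixReg.reg post (a hex(7) REG_MULTI_SZ) and the Image File Execution Options (IFEO) subkeys that a-squared flagged for the BitDefender executables above. The following Python script is an added example, not code from the thread, a-squared, ComboFix or OTL: it parses a .reg export offline, decodes the hex(7) bytes so you can confirm BootExecute is the stock "autocheck autochk *", lists IFEO subkeys present for the security executables named in the detections, and flags any that carry a Debugger value. That a Debugger value under IFEO redirects the launch of the named program is general Windows behaviour, not something the thread states; the sample export, its Debugger path and the hypothetical file names in it are constructed for the example.

```python
"""Offline checks for a Windows .reg export: decode the hex(7) BootExecute value and
inspect Image File Execution Options (IFEO) subkeys. Added example; not code from the thread."""
import re

IFEO_PREFIX = (r"hkey_local_machine\software\microsoft\windows nt\currentversion"
               r"\image file execution options" + "\\")
SESSION_MANAGER = r"hkey_local_machine\system\currentcontrolset\control\session manager"
EXPECTED_BOOT_EXECUTE = ["autocheck autochk *"]  # stock value, as in the FixReg.reg post
# Executables whose IFEO keys a-squared flagged in this thread.
SECURITY_EXES = {"bdagent.exe", "arrakis3.exe", "bdreinit.exe", "bdsubwiz.exe",
                 "bdtkexec.exe", "bdwizreg.exe", "livesrv.exe", "seccenter.exe",
                 "uiscan.exe", "upgrepl.exe", "vsserv.exe"}

# Constructed sample export (not from any real machine): a clean BootExecute, an IFEO key
# carrying a hypothetical Debugger value, a harmless IFEO key, and a [-key] deletion line.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
  00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe]
"Debugger"="C:\\Users\\Public\\hijack-placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe]
"GlobalFlag"=dword:00000000

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe]
"""


def _join_continuations(text):
    """Rejoin values that .reg files wrap with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def decode_multi_sz(hex_payload):
    """hex(7) = REG_MULTI_SZ: UTF-16LE bytes, NUL between strings, double NUL at the end."""
    data = bytes(int(h, 16) for h in hex_payload.split(",") if h.strip())
    return [s for s in data.decode("utf-16-le").split("\x00") if s]


def _parse_value(rhs):
    if rhs.startswith('"') and rhs.endswith('"'):
        return rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if rhs.startswith("dword:"):
        return int(rhs[6:], 16)
    if rhs.startswith("hex(7):"):
        return decode_multi_sz(rhs[7:])
    if rhs.startswith("hex:"):
        return bytes(int(h, 16) for h in rhs[4:].split(",") if h.strip())
    return rhs  # other REG_* encodings are left as raw text


def parse_reg(text):
    """Return {key (lower-cased): {value name: value}}; a [-key] line maps to None."""
    reg, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                reg[key[1:].lower()] = None
                current = None
            else:
                current = key.lower()
                reg.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
        reg[current][name] = _parse_value(m.group(2))
    return reg


def boot_execute_is_clean(reg):
    """True when Session Manager\\BootExecute holds exactly the stock 'autocheck autochk *'."""
    values = reg.get(SESSION_MANAGER) or {}
    return values.get("BootExecute") == EXPECTED_BOOT_EXECUTE


def security_exes_under_ifeo(reg):
    """IFEO subkeys present for the security executables named in the thread."""
    return sorted(k[len(IFEO_PREFIX):] for k, v in reg.items()
                  if v is not None and k.startswith(IFEO_PREFIX)
                  and k[len(IFEO_PREFIX):] in SECURITY_EXES)


def find_ifeo_debuggers(reg):
    """{exe: debugger path} for IFEO subkeys carrying a Debugger value (name matched case-insensitively)."""
    hits = {}
    for key, values in reg.items():
        if not values or not key.startswith(IFEO_PREFIX):
            continue
        for name, value in values.items():
            if name.lower() == "debugger":
                hits[key[len(IFEO_PREFIX):]] = value
    return hits


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("BootExecute clean:", boot_execute_is_clean(parsed))
    print("IFEO keys for security exes:", security_exes_under_ifeo(parsed))
    print("IFEO Debugger values:", find_ifeo_debuggers(parsed))
```

On a real machine the input would be a file written by `reg export` of the two keys; pass its contents to parse_reg instead of SAMPLE_REG. An IFEO subkey existing for an antivirus executable is only a hint (it can be a leftover or a debugging aid), whereas a Debugger value pointing at an unexpected file is the thing worth quarantining and reporting, which is why the script separates the two findings.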

Download -->> OTL <<-- to your desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Attach both logs with your next reply.


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    PRC - C:\Windows\explorer.exe (Microsoft Corporation)
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    
    :Files
    C:\Users\greg\zerxr6qe.exe
    C:\Windows\System32\_WDYSZYG.sys
    C:\Windows\342440337.dat 
    C:\Windows\System32\rezumatenoi.dat
    C:\Windows\System32\sasnative32.exe
    @C:\ProgramData\TEMP:C97C8631
    @C:\ProgramData\TEMP:DFC5A2B2
    @C:\ProgramData\TEMP:5C321E34
    
    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [start explorer]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new OTL log ( don't check the boxes beside LOP Check or Purity this time )


Found the same trojan on the other desktop. Both are on the same home network. I just put a2q on it and found it. It didn't get on my laptop, which is used wireless only. The 2 desktops are cabled to the same router.

Should I put the OTL exe on it for repairs? This 2nd computer is not used much, so it's tricky that it got on it.

Tonight my computer's programs stopped running except the internet browser. Now back to normal. It was like low memory, so I believe something was running in the background at 6:30 my time. It lasted for an hour.


Got another problem: tried to run OTL and got the message "system restore interface not present".

Went to System Tools, then System Restore, and clicked on it and nothing happens. My computer has been hanging again today, so not sure what's going on. Should I contact MS help to restore System Restore?

I have a CD to restore the computer, made when I bought it, and MS Windows on disc from the factory, if that will help solve it.


This topic is now closed to further replies.