ShadowPuterDude, posted November 18, 2009:

Download avz4.zip from here.
Unzip it to your desktop to a folder named avz4.
Double click on AVZ.exe to run it.
Run an update by clicking the Auto Update button on the right of the log window: click Start to begin the update.
Note: If you receive an error message, choose a different source, then click Start again.
After the update, from the "File" menu, choose "Standard Scripts".
Put a check next to item 2: Advanced System Investigation.
Click Execute selected scripts.
At the next prompt, click the OK button.
Let the scan run and click "OK" when the completion prompt pops up.
Now close out of the Standard Scripts window, and exit AVZ.
Navigate to the avz4 folder and locate the folder LOG.
Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip.
Attach the compressed file, virusinfo_syscheck.zip, to your next reply, along with a fresh HijackThis log.
gregb204 (author), posted November 18, 2009:

Do not see scripts to click on, and number 2. Took a screen print to show what I see. Is it in Russian? I did do the exe file and got the update to work.
gregb204 (author), posted November 18, 2009:

Screen shot again.
Lynx, posted November 19, 2009:

Hi gregb204,

Yes, it is in Russian, but you don't have the respective language settings. After pressing the button for update as in the instruction given by ShadowPuterDude, you are getting this "Operational Automatic Update" screen. "Run" the update. Then #1 is the "File" menu and #2 means "Standard Scripts". Please ask if you have other questions with translations.

My regards
gregb204 (author), posted November 19, 2009:

Cannot find log files in the avz folder on the desktop. Tried to find in C drive but didn't see. Base looks like files for the program itself. Cannot open some of the others. None say log. Need help.
gregb204 (author), posted November 19, 2009:

It started in English and I saw a save log and clicked on it before scanning. Did save to log in folder. While scanning my AV found win32 bagle swq. Took a screen print to show, 2 times. One file is HTML, want to upload. Tried to show scan data saying nothing found.
Lynx, posted November 19, 2009:

The screen at the end of the scan.
"Attach... compressed file, virusinfo_syscheck.zip, to your next reply..."
Have you found virusinfo_syscheck.zip in the ...\LOG\ folder, as per instruction?
gregb204 (author), posted November 19, 2009:

Found it.
gregb204 (author), posted November 19, 2009:

Could these reg files just be left-over traces of fake AV that are not active, or do you feel these are active trojans? Cannot find in reg keys. Hidden in location shows on scan.
ShadowPuterDude, posted November 19, 2009:

Run OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL:

:OTL
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
:Reg
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdagent.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Arrakis3.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdreinit.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdsubwiz.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdtkexec.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdwizreg.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\livesrv.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\seccenter.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\uiscan.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\upgrepl.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\vsserv.exe]
:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]

Then click the Run Fix button at the top.
Let the program run unhindered, reboot when it is done.
Attach the new OTL log (don't check the boxes beside LOP Check or Purity this time).
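The keys in the fix above live under Image File Execution Options, where a Debugger value redirects every launch of the named executable (here BitDefender's own components) to another program, which is how an infection silences a security product without touching its files. As an added example that is not part of this thread or of OTL, the following PowerShell check lists every IFEO entry carrying a Debugger value, whether that debugger actually exists on disk, and who owns the key; the function name Get-IfeoDebuggers is mine, and the thread itself does not say what the deleted keys contained.

```powershell
# Added example (not from the thread). Surfaces Image File Execution Options
# entries that carry a Debugger value. Windows and legitimate tools can set
# these too, so each hit needs a human decision; the script only lists them.
function Get-IfeoDebuggers {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

    Get-ChildItem -Path $ifeo -ErrorAction Stop | ForEach-Object {
        $key = $_
        $debugger = (Get-ItemProperty -Path $key.PSPath -Name 'Debugger' `
                         -ErrorAction SilentlyContinue).Debugger
        if (-not $debugger) { return }   # no Debugger value: skip this subkey

        # Debugger is a command line; isolate the executable part (quoted or
        # not) and expand %VARS% so the path can be checked on disk.
        $exe = if ($debugger -match '^"([^"]+)"') { $Matches[1] }
               else { ($debugger -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        # Owner and permissions are what decide whether the key can be deleted,
        # the problem this thread ran into later.
        $owner = try { (Get-Acl -Path $key.PSPath).Owner } catch { 'unreadable' }

        [PSCustomObject]@{
            Target         = $key.PSChildName   # e.g. bdagent.exe
            Debugger       = $debugger
            DebuggerOnDisk = Test-Path -LiteralPath $exe
            KeyOwner       = $owner
        }
    }
}

# Run from an elevated prompt. A Debugger that does not exist on disk means the
# target program will silently fail to start, the classic sign of a hijack.
Get-IfeoDebuggers | Sort-Object DebuggerOnDisk | Format-Table -AutoSize
```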
gregb204 (author), posted November 19, 2009:

Still shows on a2s scan the 11 files.
ShadowPuterDude, posted November 20, 2009:

Download RootRepeal.zip and unzip it to your Desktop.
Double click RootRepeal.exe to start the program.
Click on the Report tab at the bottom of the program window.
Click the Scan button.
In the Select Scan dialog, check:
- Drivers
- Files
- Processes
- SSDT
- Stealth Objects
- Hidden Services
Click the OK button.
In the next dialog, select all drives showing.
Click OK to start the scan.
Note: The scan can take some time. DO NOT run any other programs while the scan is running.
When the scan is complete, the Save Report button will become available. Click this and save the report to your Desktop as RootRepeal.txt.
Go to File, then Exit to close the program.
Attach it to your reply.
gregb204 (author), posted November 21, 2009:

Didn't find OK but did click Scan after the selection of each tab. No items found.
ShadowPuterDude, posted November 21, 2009:

It doesn't appear that RootRepeal ran correctly.
-----------------------------------------------------------
Download GMER
1. Click on the "Download Exe" button; this will generate a random name for GMER. Accept the default file name and save the file to your Desktop.
2. Double click the file you just downloaded.
3. Click the Rootkit tab and then click the Scan button.
4. IMPORTANT: Do NOT use the computer while the scan is in progress.
5. Do not select the "Show all" checkbox during the scan.
6. When it finishes, click the Copy button. This will copy the results to your clipboard.
7. Paste the clipboard into a notepad file and save it to a log (like gmer.log).
Post the GMER log with your next reply.
gregb204 (author), posted November 21, 2009:

First time it froze up; the next 2x gave a BSOD, so cannot run. Have Sophos on comp and ran it a few days ago and it didn't locate anything. Have run GMER weeks ago and nothing seen.
gregb204 (author), posted November 21, 2009:

Forgot, Sophos did find 9 files that were deleted, but none that were found in the a2s scan. Was told they were not active keys.
gregb204 (author), posted November 21, 2009:

Did try again and it wouldn't let me upload the file in txt, so took a pic.
ShadowPuterDude, posted November 21, 2009:

Download Avenger from HERE and unzip to your desktop.
Run Avenger.
Read the prompt that appears, and press OK.
Copy & paste the following text in the Input script box:

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdagent.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Arrakis3.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdreinit.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdsubwiz.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdtkexec.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdwizreg.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\livesrv.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\seccenter.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\uiscan.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\upgrepl.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\vsserv.exe

Then click "Execute". You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
Note: It is possible that Avenger will reboot your system TWICE.
Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Attach that log in your next post.
gregb204 (author), posted November 21, 2009:

One reboot. Thanks for your tenacity.
ShadowPuterDude, posted November 22, 2009:

Download to your Desktop:
- RegASSASSIN

Start FileASSASSIN.
Enter the registry key to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdagent.exe
Ensure the following are selected:
- Reset registry key permissions
- Delete registry key and all subkeys
Click Delete.
Repeat for each of the following registry keys:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\Arrakis3.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdreinit.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdsubwiz.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdtkexec.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\bdwizreg.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\livesrv.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\seccenter.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\uiscan.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\upgrepl.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\vsserv.exe
Exit FileASSASSIN.
-----------------------------------------------------------
Attach fresh logs for:
- a-squared Free/Anti-Malware

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
gregb204 (author), posted November 22, 2009:

Trouble with each reg file. Took a pic. Want to delete; tried all but some in the middle.
ShadowPuterDude, posted November 22, 2009:

Completely exit BitDefender and try again. If we can't get those registry keys to delete, you may need to reinstall your Operating System.
gregb204 (author), posted November 23, 2009:

Removed the keys by uninstalling BD; used the BD removal tool also. Thanks for all the time. Have to remove on the 2nd comp also, but will unhook the cable to the Vista one first so it can't spread back to Vista. XP is on the same network. Have no files found on scan.
gregb204 (author), posted November 23, 2009:

Was able to use a2s to delete the first 6 files after I deleted the last five manually. Didn't have all saved to desktop, so did the last five, then used a2s luckily to remove the remaining ones. Now both comps check out clean. It even cleaned up my scan by asp, which now shows no trojans. Think they were the same with diff names. iseeyouxp put a password stealer on comp but wasn't worried since I knew where it came from. Now deleted by uninstalling iseeyou. Thanks much for sticking with the problem. A lot said not active, just traces, but it went to my other comp on the same network.
ShadowPuterDude, posted November 23, 2009:

"iseeyouxp put a password stealer on comp but wasn't worried since I knew where it came from. Now deleted by uninstalling iseeyou."

No, it didn't. ISeeYouXP contains no malware. That is a FP and needs to be reported to the vendor that detected it.
gregb204 (author), posted November 23, 2009:

OK, will notify asp. Thanks again.
ShadowPuterDude, posted November 24, 2009:

Thread Closed
Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.