SMVERI32.DLL trojan, unable to delete

Discussion in 'Malware Help (A Specialist Will Reply)' started by ScottJay, Mar 30, 2009.

  1. ScottJay

    ScottJay Private E-2

    Have been trying unsuccessfully to clean this virus on my own.
    File owvzhrp.dll appears to be a trojan virus, with original version smveri32.dll. Have followed similar threads in the forum, but I am unable to perform a clean. File is resistant to deletion. Have tried HJT followed by a FixMe registry editor of:

    REGEDIT4
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xwsigcet]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3A2603AC-1F11-4AD5-A0BC-FA9C2F4853E0}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9242342-7938-46DA-91E7-5D82FDEE4ADC}]

    But I appear to need some help. Thanks

  2. ScottJay

    ScottJay Private E-2

    On my first post I did not link the SuperAntiSpyWare logs, which are now attached. I have run the program 3 times and only the first run detected the problem. All three attached. I have also run MalwareBytes Anti-Malware 3 times with persistent errors, ComboFix run three times with different actions occurring on the first run but with repeated problems found, and HijackThis (MGTools) also run several times with problematic lines:

    O2 - BHO: (no name) - {3A2603AC-1F11-4AD5-A0BC-FA9C2F4853E0} - c:\windows\system32\owvzhrp.dll
    O2 - BHO: (no name) - {C9242342-7938-46DA-91E7-5D82FDEE4ADC} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\res80j.dll (file missing)

    I still am unable to delete owvzhrp.dll (originally smveri32.dll).

    Have combined multiple scan logs into one error_log file through cut and paste because of the limits on attachments. Hope this information is adequate.
    Was I wrong in running the programs more than once?

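The two HijackThis O2 lines quoted above, and the REGEDIT4 fix script in the first post, are the kind of evidence a helper has to read by eye. The following is an added example (not code from this thread, MajorGeeks or the HijackThis project) that parses O2 BHO lines, flags the ones a triager would look at first (no name, loaded from a Temp folder, file missing, random-looking filename in system32), and drafts the corresponding REGEDIT4 key-deletion lines in the same format the first post uses. The "random-looking" vowel-ratio heuristic, the field names and the third, benign log line are all constructed assumptions for this example; a draft produced this way is a starting point for review, not something to apply unread.

```python
"""Triage HijackThis O2 (BHO) lines and draft a REGEDIT4 removal script.

Added example; not part of the original thread or of HijackThis itself.
"""
import re
from dataclasses import dataclass, field

# Registry key that HijackThis O2 entries come from (as used in the thread's fix script).
BHO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# HijackThis O2 line layout: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Constructed sample log: the first two lines are the ones quoted in the thread,
# the third is a made-up benign entry (placeholder CLSID) used as a control.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {3A2603AC-1F11-4AD5-A0BC-FA9C2F4853E0} - c:\windows\system32\owvzhrp.dll",
    r"O2 - BHO: (no name) - {C9242342-7938-46DA-91E7-5D82FDEE4ADC} - C:\DOCUME~1\Jessica\LOCALS~1\Temp\res80j.dll (file missing)",
    r"O2 - BHO: Example Vendor Helper (constructed) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example Vendor\helper.dll",
]


@dataclass
class Bho:
    name: str
    clsid: str
    path: str
    missing: bool
    reasons: list = field(default_factory=list)  # why this entry was flagged (empty = not flagged)


def looks_random(stem: str) -> bool:
    """Assumed heuristic: an all-letter name of 6+ characters with few vowels (e.g. owvzhrp)."""
    if not stem.isalpha() or len(stem) < 6:
        return False
    vowels = sum(c in "aeiou" for c in stem.lower())
    return vowels / len(stem) < 0.25


def triage(line: str):
    """Parse one O2 line; return a Bho with its flag reasons, or None if the line is not an O2 entry."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    path = m["path"]
    lowered = path.lower()
    stem = path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if m["name"] == "(no name)":
        reasons.append("no name")
    if "\\temp\\" in lowered:
        reasons.append("loaded from a Temp folder")
    if m["missing"]:
        reasons.append("file missing")
    if "\\system32\\" in lowered and looks_random(stem):
        reasons.append("random-looking filename in system32")
    return Bho(m["name"], m["clsid"].upper(), path, bool(m["missing"]), reasons)


def removal_script(bhos) -> str:
    """Draft a REGEDIT4 script that deletes the BHO key of every flagged entry.

    A leading '-' inside the brackets means 'delete this key', exactly as in the
    thread's fix script. REGEDIT4 files need a blank line after the header.
    """
    lines = ["REGEDIT4", ""]
    for b in bhos:
        if b.reasons:
            lines.append(f"[-{BHO_KEY}\\{b.clsid}]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    results = [r for r in (triage(l) for l in SAMPLE_LOG) if r]
    for r in results:
        status = ", ".join(r.reasons) or "nothing suspicious"
        print(f"{r.clsid} {r.path}: {status}")
    print(removal_script(results))
```

Run it as-is to see the two thread entries flagged and the constructed control entry left alone; the draft script only covers the BHO keys, so the Winlogon\Notify entry from the first post's fix would still have to be added by hand from whatever O20 line HijackThis reports.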
  3. ScottJay

    ScottJay Private E-2

    Appear to not have included the last log.

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Why are you running this PC with no protection???

    Please only attach the logs we ask for and do not run multiple scans unless we ask you to. In the READ & RUN ME, we clearly state to only run scans once and then attach the logs.

    Your Malwarebytes log shows you took no action. Did you fix what it found? Make sure you always fix before saving the log rather than the other way around.

    Your MGtools logs are incomplete. Please run the fix for Error Message Type 1 in this link Using MGtools but do not rerun MGtools yet.

    Did you purchase XoftSpySE ?

    Now we need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
  5. ScottJay

    ScottJay Private E-2

    Thank you, file now appears deleted.
    I thought I was running protection with XoftSpySE, apparently not.
    Is it OK to re-run programs to see that prior error messages are now gone?
    I am also sorry about the re-thread, I was worried that I had not included the correct four file attachments.

  6. ScottJay

    ScottJay Private E-2

    Tools all ran without error.
    Searched hard drive and registry for any lingering files or links.
    Only one possible link persisted, but was simply deleted:
    Classes_Root\Qaarnvnq\CLSID{Default}={3A2603AC-1F11-4AD5-AOBC-FA9C2F-FA9C2F4853EO}.
    Thanks again for your help. :)
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you apply the MGtools fix for Error Type 1? I still see the same problem in your logs which are incomplete.

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    ShowNew <-- this will try to run all another scan from MGtools. Tell me what error messages, if any, you see.

    You only installed it on 03-27-2009 so you had nothing before that date. And this is only an antispyware program and not a very good one. It is not an antivirus program nor is it a firewall. Also since all you have installed from XoftSpySE is a scan only version of XoftSpySE, it therefore does not provide any active protection. Thus you have none of the below required protections in place:
    • antivirus
    • antispyware
    • firewall with true bidirectional operation (the Windows firewall is not adequate)
    Let's get an antivirus and real firewall on your PC now before problems come back.

    Download and install this: AntiVir Personal Edition Make sure you install updates after installing. Then reboot. Run a full scan of your PC. Don't worry about detections found in C:\QooBox or C:\System Volume Information. The first folder is just the Quarantine from ComboFix and the second is System Restore which we will fix later.

    Now download and install this firewall: PC Tools Firewall Plus <-- make sure you uncheck the options to install Google Toolbar and ThreatFire Free Edition. There is no sense in installing excess baggage.
    Last edited: Apr 6, 2009
  8. ScottJay

    ScottJay Private E-2

    My error on the "non-fix" of R0 and R1 errors on HJT, now fixed.

    No new error messages on the "ShowNew" run.

    Downloaded and installed Avira AntiVir. Detections found in the folders you mentioned (QooBox and Restore). 2 warnings about files which could not be opened, hiberfil.sys and pagefile.sys. Also found TR/Trash.GEN trojan in file c:\windows\system32\drivers\hydkrrhp.sys, which it deleted.

    PC Tools Firewall+ now installed and running.
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure about this? Did you actually run it from the command prompt as requested? You will not see the error messages by just double clicking on it from a Windows Explorer session.

    We are going to fix it again since there is a hidden driver related to it.

    Delete the current version of ComboFix that you have from your Desktop. Now download the new version to your Desktop from here:
    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
    Last edited: Apr 11, 2009
  10. ScottJay

    ScottJay Private E-2

    I was previously having unexpected loading of Avira AntiVir and PC Tools Firewall Plus on start-up. The icon for Avira showed a closed umbrella; I assumed guard inactive. I could cycle the activate twice and the open umbrella icon would then continue. The firewall icon would never show up in the system tray. I would start the program from Start/All Programs/PC Tools Firewall Plus and get no response, but pop-up messages would routinely appear suggesting the program was working. I can, through Task Manager, stop FirewallGUI.exe and then start the program, which then loads normally and the icon appears. The firewall command in start-up,
    "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
    has an -s modifier; is this "stealth mode"?
    Now, after your instructed ComboFix and MGTools (both new) runs, Avira loads normally and the umbrella icon is open from the start, but the firewall behavior continues (working properly but no icon, unless I stop and start the GUI).
    I again noticed the R1 errors on HJT, which I have been fixing, and refixed, thus the HJT log2 in MGTools.zip.
    Files attached

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Back in message number 9 I asked the below and you did not answer this. MGtools is still not running properly and we need to determine why!
    I suggest that you uninstall it, reboot. And then reinstall. Note I do see a left over driver from McAfee Firewall. Did you have McAfee installed at some point in time?

    They are not errors and you should not be fixing them because I did not ask you to.

    Your malware appears to be gone based on the logs we have, but without seeing complete logs from MGtools I cannot say for sure that you are clean. Also, if MGtools is not running, it would normally mean you have some kind of problem within Windows. Malware rarely blocks MGtools from running. It is almost always a Windows-related issue of some kind.
    Last edited: Apr 14, 2009