SMVERI3 trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by sproutingbrocoli, Jul 10, 2008.

  1. sproutingbrocoli

    sproutingbrocoli Private E-2

    Suspect File Description SMVERI32 DLL SMVERI32

    Running windows 2000 pro with avast and zonealarm

    Infection started about 2 weeks ago with popups redirecting browser to PC spyware web site.
    Removed BHO with Hijackthis which stopped the redirection.
    Another BHO with no name failed to be removed.
    Winlogon and explorer keep trying to connect to internet but I have blocked this with firewall.
    Suspect file recreates itself after deletion or changing with inuse as do registry entries.
    File creates a service according to registry entries

    VUAII service has been running before this infection but I have never found what it is for so I have disabled it.
    The exe file for VUAII is in a temp folder which seems suspicious.

    There is an empty folder called PCHealth with sub folders in my root directory.

    I have run all your recommended programs and attach the log files.

    Hope you can help
     


  2. sproutingbrocoli

    sproutingbrocoli Private E-2

    Attached are the other 2 log files
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now use windows explorer to find and delete:
    C:\Documents and Settings\Administrator\Local Settings\Application Data\EE6D33F7-64B9-4D1B-B172-BA87A3B868F5.txt
    C:\WINNT\Downloaded Program Files\OLD4.tmp
    C:\WINNT\Downloaded Program Files\set3.tmp
    C:\WINNT\system32\uwqxqwu.dll

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\%username%\Local Settings\Temp

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  4. sproutingbrocoli

    sproutingbrocoli Private E-2

    Thanks for your speedy reply.

    The following were not deleted:

    Not found: C:\WINNT\Downloaded Program Files\OLD4.tmp
    Not found: C:\WINNT\Downloaded Program Files\set3.tmp
    Being used by windows. Will not delete: C:\WINNT\system32\uwqxqwu.dll

    I am using my administrators account, which I do not use to connect to the internet, to do these operations.
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now we need to use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
    
    File::
    C:\Documents and Settings\Administrator\Local Settings\Application Data\EE6D33F7-64B9-4D1B-B172-BA87A3B868F5.txt
    C:\WINNT\Downloaded Program Files\OLD4.tmp
    C:\WINNT\Downloaded Program Files\set3.tmp    
    C:\WINNT\system32\uwqxqwu.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE6D33F7-64B9-4D1B-B172-BA87A3B868F5}]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yrduvedp]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from ComboFix.
     
  6. sproutingbrocoli

    sproutingbrocoli Private E-2

    C:\WINNT\SYSTEM32\uwqxqwu.dll has been deleted

    VUAII service still showing
     


  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go to start / run / type "services.msc" without quotes ...scroll down and see if you find:
    wzkrjmws

    And do you know what this is:
    C:\Documents and Settings\Ben\Desktop\695fix.exe
    Let me know.

    Also:

    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
    
    File::
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VUAII.exe
    C:\Documents and Settings\Ben\Local Settings\Application Data\dcbc2a~1.ini   
    C:\Documents and Settings\Ben\Local Settings\Application Data\ee6d33~1.txt
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from ComboFix.
     
  8. sproutingbrocoli

    sproutingbrocoli Private E-2

    wzkrjmws does not exist in services but shows up in registry as legacy_wzkrjmws.
    Shows as service for Sony Ericsson 750 USB wmc modem Support

    C:\Documents and Settings\Ben\Desktop\695fix.exe is combofix renamed

    VUAII still exists in services. When opening the properties window for this service a tmp file called mmce.tmp is created in the temp folder.

    After running these fixes I have to run the repair for Avast as the on access scanner no longer works. This fixes this problem.

    Also, until the last fix, I was having problems with the avast email scanner. It was not running because it was waiting for sub system. It now runs properly.
     


  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look good.

    Let's do a little clean up:
    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Tell me if you are having any other issues.
     
  10. sproutingbrocoli

    sproutingbrocoli Private E-2

    Everything looks clear

    Thanks for your help
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Where in the registry is this showing: legacy_wzkrjmws?

    When you go to services.msc and find this:
    Can you disable it?

     
    Last edited: Jul 18, 2008
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This one is okay. It is a Sony Ericsson 750 USB wmc modem Support driver as mentioned in message #8.

    The VUAII driver/service needs to be removed with ComboFix.
     
  13. sproutingbrocoli

    sproutingbrocoli Private E-2

    legacy_wzkrjmws showing in registry:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00\Enum\Root\LEGACY_WZKRJMWS
    \ControlSet004\Enum\Root\LEGACY_WZKRJMWS
    \CurrentControlSet\Enum\Root\LEGACY_WZKRJMWS
    It is not showing in services.msc

    VUAII showing in registry:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VUAII
    \ControlSet001\Services\VUAII
    \ControlSet004\Enum\Root\LEGACY_VUAII
    \ControlSet004\Services\VUAII
    \CurrentControlSet\Enum\Root\LEGACY_VUAII
    \CurrentControlSet\Services\VUAII

    It shows up in services.msc and I have already disabled it.
    VUAII.exe does not show up in a search
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then let's see if we can't remove the VUAII one more time using ComboFix:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
    
    Drivers::
    VUAII
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VUAII]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VUAII]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_VUAII]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\VUAII]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VUAII]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VUAII]
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now reboot and tell me if it still exists.
     
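An added example, not from this thread and not part of ComboFix: a small Python pre-flight reviewer for CFScript text like the scripts in posts 5 and 14 above. It splits a script into its KILLALL::, File::, Drivers:: and Registry:: sections, flags forum markup such as [B] and [/B] that leaked into the code box in post 5 (those tags are not part of the script syntax), rejects File:: entries that are not absolute drive paths, and checks that each name under Drivers:: has both a Services\<name> key and an Enum\Root\LEGACY_<name> key listed for deletion, which is the pairing the post 14 script uses. The section names and the [-KEY] deletion syntax are taken from the scripts on this page; the two sample scripts are constructed copies of posts 14 and 5; the Drivers/Registry pairing rule is this reviewer's own assumption about what a complete service removal should list, not a documented ComboFix requirement.

```python
import re

# Constructed sample inputs: copies of the CFScript text posted in this thread
# (post 14 first, post 5 second). Post 5's registry lines carry the [B]/[/B]
# forum tags exactly as they appeared in the code box.
CFSCRIPT_POST14 = r"""KILLALL::

Drivers::
VUAII

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VUAII]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VUAII]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_VUAII]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\VUAII]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VUAII]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VUAII]
"""

CFSCRIPT_POST5 = r"""KILLALL::

File::
C:\Documents and Settings\Administrator\Local Settings\Application Data\EE6D33F7-64B9-4D1B-B172-BA87A3B868F5.txt
C:\WINNT\Downloaded Program Files\OLD4.tmp
C:\WINNT\Downloaded Program Files\set3.tmp
C:\WINNT\system32\uwqxqwu.dll

Registry::
[B][-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE6D33F7-64B9-4D1B-B172-BA87A3B868F5}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yrduvedp][/B]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")          # e.g. "File::"
REG_DELETE_RE = re.compile(r"^\[-(HKEY_[A-Z_]+\\.+)\]$")  # e.g. "[-HKEY_LOCAL_MACHINE\...]"
FORUM_TAG_RE = re.compile(r"\[/?[A-Za-z]+\]")           # e.g. "[B]" or "[/B]"
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_cfscript(text):
    """Split CFScript text into {section_name: [entries]}.

    A section header is a word followed by '::'. Blank lines are skipped.
    Any lines before the first header are kept under the key '' so that
    nothing is silently dropped.
    """
    sections = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def review_cfscript(text):
    """Return a list of findings a reviewer would want to see before running the script."""
    findings = []
    sections = parse_cfscript(text)

    for line in sections.get("", []):
        findings.append(f"text before first section header: {line}")

    for entry in sections.get("File", []):
        if FORUM_TAG_RE.search(entry):
            findings.append(f"forum markup in File entry: {entry}")
        elif not ABS_PATH_RE.match(entry):
            findings.append(f"File entry is not an absolute drive path: {entry}")

    reg_keys = []
    for entry in sections.get("Registry", []):
        if FORUM_TAG_RE.search(entry):
            findings.append(f"forum markup in Registry entry: {entry}")
            entry = FORUM_TAG_RE.sub("", entry).strip()
        m = REG_DELETE_RE.match(entry)
        if m:
            reg_keys.append(m.group(1).lower())
        else:
            findings.append(f"Registry entry is not a '[-KEY]' deletion: {entry}")

    # Assumption (this reviewer's rule, modelled on post 14): removing a driver/service
    # should also delete its Services\<name> and Enum\Root\LEGACY_<name> keys.
    for drv in sections.get("Drivers", []):
        d = drv.lower()
        has_svc = any(k.endswith("\\services\\" + d) for k in reg_keys)
        has_legacy = any(k.endswith("\\enum\\root\\legacy_" + d) for k in reg_keys)
        if not (has_svc and has_legacy):
            findings.append(f"driver {drv}: Registry section lacks Services and/or LEGACY_ keys")

    return findings


if __name__ == "__main__":
    for name, script in (("post 14", CFSCRIPT_POST14), ("post 5", CFSCRIPT_POST5)):
        print(f"--- {name} ---")
        for finding in review_cfscript(script) or ["no findings"]:
            print(finding)
```

Run stand-alone it reports nothing for the post 14 script and two "forum markup" findings for the post 5 script, which is exactly the defect visible in that code box; a script that names a driver but omits one of its registry keys would be reported as incomplete before anything is dragged onto ComboFix.exe.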
  15. sproutingbrocoli

    sproutingbrocoli Private E-2

    VUAII no longer exists

    Thanks
     


  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet.....

     
