Virus / Spyware: Fake System Alert security toolbar

Posted on 2007-11-15
Last Modified: 2013-11-22
I am trying to remove a virus/spyware that pops up a Fake System Alert with a yellow icon and gives different messages. The process seems to be running in hidden mode. It had eTrust AV, and I have tried Trend Micro AV plus antispyware with a full scan, and it seems it can't fix this problem.

It also turns System Restore to only one point, which is today, even though System Restore is on.
The problem starts when the network connection is enabled: it then starts popping up warnings and copies 2 shortcuts to the desktop and start menu. They are "online security guide" and "life safety center", and they point to a website: but when the connection is not enabled it doesn't pop up messages or copy these shortcuts.

It also has a security toolbar in IE7 with the DLL file okbykurp.dll.

Here is the HijackThis log:
StartupList version: 1.52.2
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16544)
* Using default options

Running processes:

C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\OmniDrive USB Pro\OmniUSBServ.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\admin\Desktop\HijackThis.exe


Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,


Autorun entries from Registry:

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe


Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*


Enumerating Task Scheduler jobs:

AdwareAlert Scheduled Scan.job


Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

End of report, 3,248 bytes
Question by:fm250
LVL 20

Expert Comment

ID: 20292500
Smitfraud here...

Download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

Also, when done running this tool it would be advised to run a spyware scan. AVG is my tool of choice and is free for 30 days. NOTE: After updating it I would recommend running the scan in Safe Mode.

AVG AS link:
LVL 20

Expert Comment

ID: 20292521
Oh also, forgot to mention. That's the startup list from HijackThis. We need the regular log. From the Main Menu...Do a system scan and save a logfile. Upload that and the log that Smitfraudfix produces to ...Login and click on Experts Area tab.
Just post the link to them back here.
LVL 10

Author Comment

ID: 20292620
Will try that and let you know. Thanks!
LVL 10

Author Comment

ID: 20293885
That doesn't seem to work. The pop-up is still there. It seems something is hidden. It doesn't have a process running or anything!
LVL 10

Author Comment

ID: 20294117
LVL 10

Author Comment

ID: 20294220
I also got a warning msg like this: is virus .... blah blah blah

It seems to work when the local area connection is on. Any ideas what it could be and how to fix it?
LVL 20

Expert Comment

ID: 20294278
Nope, it's Vundo. Or at least related to it. The description you gave sounded a lot like Smitfraud. Helps to see the HJT log.

Let's try Combofix on it.

Download and Run ComboFix (by sUBs)

Disconnect from the Internet, then disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware before reconnecting to the Internet.
LVL 10

Author Comment

ID: 20294800
It seems the program was able to delete them, but they restore themselves somehow?

here is the new log: 
LVL 10

Author Comment

ID: 20295299
I can't delete some files that I suspect are causing the trouble, such as okbykurp.dll, even in Safe Mode or from the command line: del /F /S /Q

---- are they running as system processes?
LVL 20

Accepted Solution

IndiGenus earned 450 total points
ID: 20295606
No, those files will not simply delete like that.

1. Please open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:



c:\program files\zango

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8c7ce44c-db55-445d-889b-0c602ce3c87f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyyay]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\okbykurp]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]


3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-A new HijackThis log
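As an added, defender-side illustration (not part of the thread, and not ComboFix's own code), the following Python parses a CFScript like the one in the solution above and decodes its hex(7) value to show what the script actually does. The sample script is constructed; the Control\Lsa key header in it is an assumption, since the "Authentication Packages" value lives under that key and the posted script shows no header for it.

```python
"""Parse a ComboFix CFScript and explain each line.

Registry lines follow .reg-file conventions: [-KEY] deletes a key, [KEY]
selects a key, and "name"=hex(7):.. sets a REG_MULTI_SZ value under the
selected key. Any other non-empty line is a file or folder to delete.
"""
import re

# Constructed sample modelled on the thread's script. The Control\Lsa header
# is assumed: it is the key that holds "Authentication Packages".
SAMPLE_CFSCRIPT = r"""
c:\program files\zango
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8c7ce44c-db55-445d-889b-0c602ce3c87f}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\okbykurp]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

VALUE_RE = re.compile(r'^"([^"]+)"=hex\(7\):([0-9a-fA-F,]+)$')


def decode_multi_sz(hex_csv):
    """Decode a .reg hex(7) byte list (ANSI REG_MULTI_SZ) into its strings.

    The page's bytes 6d,73,76,31,5f,30,00,00 decode to ["msv1_0"], the
    default LSA authentication package, so the script resets the value and
    drops any extra DLL that had been appended to it.
    """
    raw = bytes(int(b, 16) for b in hex_csv.split(",") if b)
    return [s for s in raw.decode("ascii").split("\x00") if s]


def parse_cfscript(text):
    """Return (action, target, detail) tuples, one per non-empty line."""
    actions, current_key = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1], None))
        elif line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            actions.append(("select_key", current_key, None))
        else:
            m = VALUE_RE.match(line)
            if m is None:
                actions.append(("delete_path", line, None))
                continue
            if current_key is None:
                raise ValueError("value line without a [KEY] header: " + line)
            actions.append(("set_multi_sz", current_key + "\\" + m.group(1),
                            decode_multi_sz(m.group(2))))
    return actions


if __name__ == "__main__":
    for action, target, detail in parse_cfscript(SAMPLE_CFSCRIPT):
        print(f"{action:13} {target}" + (f" -> {detail}" if detail else ""))
```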
LVL 47

Assisted Solution

rpggamergirl earned 50 total points
ID: 20296796
Since you're taking the bad startupreg entry off, these ones below are also bad, and you can include them, along with their relevant folders, just in case they're still present.

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rtasks]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]

C:\Program Files\SpyGuardPro
C:\Program Files\Common Files\SpyGuardPro
LVL 20

Expert Comment

ID: 20297370
Thanks rpg....missed those.
LVL 10

Author Comment

ID: 20300827
Thanks for the reply,
I have used Dr.Delete to force-delete that file, and it seems that was the trouble. Here is the new log; would you please look at it to see if everything is good?
LVL 20

Expert Comment

ID: 20301290
I see a couple items missed. They are pretty harmlessly disabled by msconfig but we should make sure they can't be started up again.

Use the same CFScript process as last time with the following.

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a84fb5c0]

LVL 20

Expert Comment

ID: 20302471
Thanks. To clean up from Combofix you can do the following:

Click START then Run...
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
