Solved

Virus / Spyware: Fake System Alert security toolbar

Posted on 2007-11-15
Last Modified: 2013-11-22
I am trying to remove a virus/spyware that pops up a Fake System Alert with a yellow icon and gives different messages. The process seems to be running in hidden mode. It had eTrust AV, and I have tried Trend Micro AV plus anti-spyware with a full scan, and it seems it can't fix this problem.

It also turns System Restore to only one point, which is today, even though System Restore is on.
The problem starts when enabling the network connection; it then starts popping up warnings and copies 2 shortcuts to the desktop and Start menu. They are "online security guide" and "life safety center", and they point to a website: kukkakreck.com. When the connection is not enabled, it doesn't pop up messages or copy these shortcuts.

It also has a security toolbar in IE7 with the DLL file okbykurp.dll.

Here is the HijackThis log:
----------------------------
StartupList version: 1.52.2
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16544)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\OmniDrive USB Pro\OmniUSBServ.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\admin\Desktop\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

AdwareAlert Scheduled Scan.job

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 3,248 bytes
Question by:fm250
15 Comments
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20292500
Smitfraud here...

Download SmitfraudFix (by S!Ri) to your Desktop.

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

Also, when done running this tool it would be advised to run a spyware scan. AVG is my tool of choice and is free for 30 days. NOTE: After updating it I would recommend running the scan in Safe Mode.

AVG AS link:
http://free.grisoft.com/doc/downloads-products/us/frt/0?prd=asf
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20292521
Oh, also, I forgot to mention: that's the startup list from HijackThis. We need the regular log. From the Main Menu, do a system scan and save a logfile. Upload that and the log that SmitfraudFix produces to http://www.ee-stuff.com ... Login and click on the Experts Area tab.
Just post the link to them back here.
 
LVL 10

Author Comment

by:fm250
ID: 20292620
Will try that and let you know. Thanks!
 
LVL 10

Author Comment

by:fm250
ID: 20293885
That doesn't seem to work. The pop-up is still there. It seems something is hidden. It doesn't have a process running or anything!
 
LVL 10

Author Comment

by:fm250
ID: 20294117
 
LVL 10

Author Comment

by:fm250
ID: 20294220
I also got a warning message like this:
w32.MyZor.fk@yf is a virus .... blah blah blah

It seems to work when the local area connection is on. Any ideas what it could be and how to fix it?
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20294278
Nope, it's Vundo. Or at least related to it. The description you gave sounded a lot like Smitfraud. Helps to see the HJT log.

Let's try Combofix on it.

Download and Run ComboFix (by sUBs)

http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Disconnect from the Internet, then disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware before reconnecting to the Internet.
 
LVL 10

Author Comment

by:fm250
ID: 20294800
It seems the program was able to delete them, but they restore themselves somehow?

Here is the new log:
https://filedb.experts-exchange.com/incoming/ee-stuff/5640-Combofix-hijackthis.txt
 
LVL 10

Author Comment

by:fm250
ID: 20295299
I can't delete some files that I suspect are causing the trouble, such as okbykurp.dll, even in Safe Mode nor from the command line: del /F /S /Q

Are they running as system processes?
 
LVL 20

Accepted Solution

by:
IndiGenus earned 450 total points
ID: 20295606
No, those files will not simply delete like that.

1. Please open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

---------------------------------------------------------------------------------------------------------------

File::
C:\WINDOWS\system32\dfdvmoyy.dll
C:\WINDOWS\system32\okbykurp.dll
C:\WINDOWS\system32\gytnmovl.dll
C:\WINDOWS\system32\tjwfeouh.dll
C:\WINDOWS\system32\edytutrp.dll
C:\WINDOWS\system32\crptogcv.dll
C:\WINDOWS\system32\gebyyay.dll
C:\WINDOWS\system32\vtsqr.dll

Folder::
C:\WINDOWS\system32\Mz08r
c:\program files\zango

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8c7ce44c-db55-445d-889b-0c602ce3c87f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"a84fb5c0"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyyay]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\okbykurp]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]

---------------------------------------------------------------------------------------------------------------


3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 50 total points
ID: 20296796
Since you're taking the bad startupreg entry off, the ones below are also bad and you can include them, along with their relevant folders, just in case they're still present.

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rtasks]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]

Folder::
C:\Program Files\SpyGuardPro
C:\Program Files\Common Files\SpyGuardPro
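The CFScript posted in the accepted solution above and the extra entries in the reply after it share one syntax: File:: and Folder:: sections list paths to remove, and the Registry:: section uses .reg-style lines where [-KEY] deletes a key, "name"=- deletes a value under the most recent [KEY], and hex(7) writes a REG_MULTI_SZ. The Python parser below is added here as an example (it is not ComboFix's code or anything from the thread) and turns such a script into a read-only action plan that can be reviewed before the script is run. It assumes the syntax exactly as posted; the sample script is a constructed subset of the entries above, and the "~" key shorthand is left unexpanded.

```python
import re

# Constructed sample in the CFScript syntax seen in the thread (a subset of the
# entries posted above), embedded so the parser runs offline. Keys are kept as
# written; "~" is ComboFix's own path shorthand and is not expanded here.
SAMPLE_SCRIPT = r"""File::
C:\WINDOWS\system32\okbykurp.dll

Folder::
c:\program files\zango

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8c7ce44c-db55-445d-889b-0c602ce3c87f}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"a84fb5c0"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

SECTION_RE = re.compile(r"^(File|Folder|Registry)::$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def decode_hex7(payload):
    """Decode .reg-style hex(7) (REG_MULTI_SZ): NUL-separated strings, double-NUL end."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return [s.decode("ascii") for s in raw.split(b"\x00") if s]

def parse_cfscript(text):
    """Turn a CFScript into a reviewable action plan without touching the system."""
    plan = {"files": [], "folders": [], "registry": []}
    section = key = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if SECTION_RE.match(line):
            section = line[:-2].lower()
            continue
        if section in ("file", "folder"):
            plan[section + "s"].append(line)
        elif line.startswith("[-") and line.endswith("]"):   # [-KEY] deletes the key
            plan["registry"].append(("delete_key", line[2:-1]))
        elif line.startswith("[") and line.endswith("]"):    # [KEY] scopes the lines below
            key = line[1:-1]
        else:
            m = VALUE_RE.match(line)
            if not (m and key):
                raise ValueError("unrecognised line: " + line)
            name, data = m.groups()
            if data == "-":                                    # "name"=- deletes the value
                plan["registry"].append(("delete_value", key, name))
            else:                                              # hex(7) is decoded, else kept raw
                value = decode_hex7(data[7:]) if data.startswith("hex(7):") else data
                plan["registry"].append(("set_value", key, name, value))
    return plan
```

Decoding the hex(7) line shows that the script resets the LSA "Authentication Packages" list to msv1_0 alone, which is the kind of change worth confirming before a script like this is run.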
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20297370
Thanks rpg....missed those.
 
LVL 10

Author Comment

by:fm250
ID: 20300827
Thanks for the reply.
I have used Dr.Delete to force-delete that file and it seems that was the trouble. Here is the new log; would you please look at it to see if everything is good?

https://filedb.experts-exchange.com/incoming/ee-stuff/5660-Combofix-hijackthis-2.txt
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20301290
I see a couple items missed. They are pretty harmlessly disabled by msconfig but we should make sure they can't be started up again.

Use the same CFScript process as last time with the following.

File::
C:\WINDOWS\system32\dfdvmoyy.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a84fb5c0]
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20302471
Thanks. To clean up from Combofix you can do the following:

Click START then Run...
Now type Combofix /u in the Run box and click OK. Note the space between the X and the U; it needs to be there.

When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.