Virus / Spyware: Fake System Alert security toolbar

I am trying to remove a virus/spyware that pop up Fake System Alert with yellow icon and  give diferent messages. the process seems to be runing in hidden mode. It had e-trust AV and have tried trendMicro AV plus antyspyware with full scan and it seems it can't fix this problem.

it also turn system restore to only one point which is today even though system restore is on.
the problem starts when enabling network connection it then start poping up warnings and copy 2 shortcuts to the desktop and start menu, they are: "online security guide" and "life safety center" they point to a website: but when it is not enabled it doesn't pop up msgs or copy these shortcuts.  

It also has a security toolbar on IE7 with dll file: okbykurp.dll

here is hijackthis log:
StartupList version: 1.52.2
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16544)
* Using default options

Running processes:

C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\OmniDrive USB Pro\OmniUSBServ.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\admin\Desktop\HijackThis.exe


Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,


Autorun entries from Registry:

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe


Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*


Enumerating Task Scheduler jobs:

AdwareAlert Scheduled Scan.job


Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

End of report, 3,248 bytes
LVL 10
Who is Participating?

Improve company productivity with a Business Account.Sign Up

IndiGenusConnect With a Mentor Commented:
No, those files will not simply delete like that.

1. Please open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:



c:\program files\zango

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8c7ce44c-db55-445d-889b-0c602ce3c87f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyyay]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\okbykurp]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]


3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-A new HijackThis log
Smitfraud here...

Download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually.

Also, when done running this tool it would be advised to to run a spyware scan. AVG is my tool of choice and is free for 30 days. NOTE: After updating it I would recommend running the scan in Safe Mode.

AVG AS link:
Oh also, forgot to mention. That's the startup list from HijackThis. We need the regular log. From the Main Menu...Do a system scan and save a logfile. Upload that and the log that Smitfraudfix produces to  ...Login and click on Experts Area tab.
Just post the link to them back here.
NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

fm250Author Commented:
will try that and let you know. thanks!
fm250Author Commented:
that doesn't seems to work. the pop up still there. it seems something hidden. it doens't  have a process runing or anything!
fm250Author Commented:
fm250Author Commented:
I also got a warning msg like this: is virus .... plah plah plah

it seems to work when local area connection on. Any ideas what it be and how to fix it.
Nope, it's Vundo. Or at least related to it. The description you gave sounded a lot like Smitfraud. Helps to see the HJT log.

Let's try Combofix on it.

Download and Run ComboFix (by sUBs)

Disconnect from the Internet, than disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware before reconnecting to the Internet.
fm250Author Commented:
it seems the program was able to delete, but they restore themselves somehow?

here is the new log: 
fm250Author Commented:
I can 't delete some files that I suspect doing the trouble such as: okbykurp.dll even in save mode nor in command line: del /F /S /Q

---- are they running as system processes?
rpggamergirlConnect With a Mentor Commented:
Since you're taking the bad startupreg entry off, these ones below are also bad  that you can include, and their relevant folders just in case they're still present.

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rtasks]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]

C:\Program Files\SpyGuardPro
C:\Program Files\Common Files\SpyGuardPro
Thanks rpg....missed those.
fm250Author Commented:
Thanks for the reply,
I have used Dr.Delete to force delete that file and it seems that was the trouble. here is the new log would you please look at it to see if everything is good. 
I see a couple items missed. They are pretty harmlessly disabled by msconfig but we should make sure they can't be started up again.

Use the same CFScript process as last time with the following.

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a84fb5c0]

Open in new window

Thanks. To clean up from Combofix you can do the following:

Click START then Run...
Now type Combofix /u in the runbox  and click OK.  Note the space between the X and the U, it needs to be there.

When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.