Solved

Virus / Spyware: Fake System Alert security toolbar

Posted on 2007-11-15
Last Modified: 2013-11-22
I am trying to remove a virus/spyware that pops up a fake System Alert with a yellow icon and gives different messages. The process seems to be running in hidden mode. It had eTrust AV, and I have tried Trend Micro AV plus anti-spyware with a full scan, and it seems it can't fix this problem.

It also turns System Restore to only one restore point, which is today, even though System Restore is on.
The problem starts when the network connection is enabled: it then starts popping up warnings and copies two shortcuts to the desktop and Start menu, "online security guide" and "life safety center". They point to a website, kukkakreck.com, but when the connection is not enabled it doesn't pop up messages or copy these shortcuts.

It also has a security toolbar in IE7 with the DLL file okbykurp.dll.

Here is the HijackThis log:
----------------------------
StartupList version: 1.52.2
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16544)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\OmniDrive USB Pro\OmniUSBServ.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\admin\Desktop\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

AdwareAlert Scheduled Scan.job

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 3,248 bytes
Question by: fm250

Expert Comment by IndiGenus (LVL 20), ID: 20292500
Smitfraud here...

Download SmitfraudFix (by S!Ri) to your Desktop.

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hitting Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hitting Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

Also, when done running this tool it would be advised to run a spyware scan. AVG is my tool of choice and is free for 30 days. NOTE: After updating it, I would recommend running the scan in Safe Mode.

AVG AS link:
http://free.grisoft.com/doc/downloads-products/us/frt/0?prd=asf
Expert Comment by IndiGenus (LVL 20), ID: 20292521
Oh, also, forgot to mention: that's the startup list from HijackThis. We need the regular log. From the Main Menu, do a system scan and save a logfile. Upload that and the log that SmitfraudFix produces to http://www.ee-stuff.com, log in and click on the Experts Area tab.
Just post the link to them back here.
Author Comment by fm250 (LVL 10), ID: 20292620

Will try that and let you know. Thanks!
Author Comment by fm250 (LVL 10), ID: 20293885

That doesn't seem to work. The pop-up is still there. It seems something is hidden. It doesn't have a process running or anything!
Author Comment by fm250 (LVL 10), ID: 20294117

Author Comment by fm250 (LVL 10), ID: 20294220
I also got a warning message like this:
w32.MyZor.fk@yf is virus .... plah plah plah

It seems to work when the local area connection is on. Any ideas what it could be and how to fix it?
Expert Comment by IndiGenus (LVL 20), ID: 20294278
Nope, it's Vundo. Or at least related to it. The description you gave sounded a lot like Smitfraud. Helps to see the HJT log.

Let's try Combofix on it.

Download and Run ComboFix (by sUBs)

http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware before reconnecting to the Internet.
Author Comment by fm250 (LVL 10), ID: 20294800

It seems the program was able to delete them, but they restore themselves somehow?

here is the new log:
https://filedb.experts-exchange.com/incoming/ee-stuff/5640-Combofix-hijackthis.txt
Author Comment by fm250 (LVL 10), ID: 20295299

I can't delete some files that I suspect are causing the trouble, such as okbykurp.dll, even in Safe Mode or from the command line with del /F /S /Q.

Are they running as system processes?
Accepted Solution by IndiGenus (LVL 20), earned 450 total points, ID: 20295606
No, those files will not simply delete like that.

1. Please open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

---------------------------------------------------------------------------------------------------------------

File::
C:\WINDOWS\system32\dfdvmoyy.dll
C:\WINDOWS\system32\okbykurp.dll
C:\WINDOWS\system32\gytnmovl.dll
C:\WINDOWS\system32\tjwfeouh.dll
C:\WINDOWS\system32\edytutrp.dll
C:\WINDOWS\system32\crptogcv.dll
C:\WINDOWS\system32\gebyyay.dll
C:\WINDOWS\system32\vtsqr.dll

Folder::
C:\WINDOWS\system32\Mz08r
c:\program files\zango

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8c7ce44c-db55-445d-889b-0c602ce3c87f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"a84fb5c0"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyyay]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\okbykurp]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]

---------------------------------------------------------------------------------------------------------------


3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log
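Before dropping a CFScript like the one above into ComboFix, it is worth knowing exactly which keys and values it will touch. The following Python parser is an added example (not ComboFix's own code and not part of this thread): it reads the Registry:: section, classifies each line as a key deletion, a value deletion or a value set, and decodes the hex(7) data, which shows that the LSA "Authentication Packages" value is being reset to msv1_0 alone, the Windows default. The sample script is a constructed excerpt of the one posted above.

```python
import re

# Constructed sample: an excerpt of the CFScript posted above (key delete, value delete, value set).
SAMPLE_SCRIPT = r"""
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8c7ce44c-db55-445d-889b-0c602ce3c87f}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"a84fb5c0"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

def decode_multi_sz(hex_csv):
    """hex(7) byte list -> list of strings (REG_MULTI_SZ). The posted value is one
    byte per character, not the UTF-16 that a regedit 5 .reg file would use."""
    raw = bytes(int(b, 16) for b in hex_csv.split(",") if b.strip())
    return [s for s in raw.decode("latin-1").split("\x00") if s]

def parse_registry_section(script_text):
    """Return ("delete_key", key), ("delete_value", key, name) or
    ("set_value", key, name, type, data) tuples; any other line raises."""
    actions, in_registry, current_key = [], False, None
    for line in (l.strip() for l in script_text.splitlines() if l.strip()):
        if line.endswith("::"):                    # section header: File::, Folder::, Registry::
            in_registry = line == "Registry::"
        elif not in_registry:
            continue                               # File:: / Folder:: entries are not parsed here
        elif line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1]))   # whole key removed
            current_key = None
        elif line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]                     # following values apply to this key
        else:
            m = re.match(r'^"([^"]+)"=(-|hex\(7\):(.*))$', line)
            if not m or current_key is None:
                raise ValueError("unrecognised CFScript line: " + line)
            name, data, hexes = m.groups()
            if data == "-":
                actions.append(("delete_value", current_key, name))
            else:
                actions.append(("set_value", current_key, name, "REG_MULTI_SZ", decode_multi_sz(hexes)))
    return actions

def lsa_packages_after(actions):
    """LSA 'Authentication Packages' contents once the script runs, or None if untouched.
    A stock Windows XP system lists only msv1_0, so anything else deserves a look."""
    for a in actions:
        if a[0] == "set_value" and a[2] == "Authentication Packages":
            return a[4]
    return None
```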
Assisted Solution by rpggamergirl (LVL 47), earned 50 total points, ID: 20296796

Since you're taking the bad startupreg entry off, the ones below are also bad, so you can include them too, along with their relevant folders, just in case they're still present.

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rtasks]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]

Folder::
C:\Program Files\SpyGuardPro
C:\Program Files\Common Files\SpyGuardPro
Expert Comment by IndiGenus (LVL 20), ID: 20297370

Thanks rpg... missed those.
Author Comment by fm250 (LVL 10), ID: 20300827

Thanks for the reply.
I have used Dr.Delete to force-delete that file, and it seems that was the trouble. Here is the new log; would you please look at it to see if everything is good?

https://filedb.experts-exchange.com/incoming/ee-stuff/5660-Combofix-hijackthis-2.txt  
Expert Comment by IndiGenus (LVL 20), ID: 20301290

I see a couple of items missed. They are pretty harmlessly disabled by msconfig, but we should make sure they can't be started up again.

Use the same CFScript process as last time with the following.

File::
C:\WINDOWS\system32\dfdvmoyy.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a84fb5c0]

Expert Comment by IndiGenus (LVL 20), ID: 20302471
Thanks. To clean up from ComboFix you can do the following:

Click START, then Run...
Now type Combofix /u in the Run box and click OK. Note the space between the X and the U; it needs to be there.

When shown the disclaimer, select "2".

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.