Viruses repeatedly attacking me

By Sorrow
Mar 6, 2008
Topic Status:
Not open for further replies.
  1. For the last month I have been getting warnings about viruses on both AVG Free and Uniblue PowerSuite... I've been trying to remove them all but they keep coming back. I've been getting things on AVG saying things like Virus found Lop, and on Uniblue it's been warning me that sites are being added to my trusted sites. Can anyone help me solve these problems?

    Edit: Wrote names down this time...Trojan downloader PurityScan (Punctuation not correct)
    TrojanHouse.zlob.XB
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    This is only a start:
    First, please navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall any of the following programs:

    Cowabanga by OIN
    ipwins
    PuritySCAN by OIN
    Snowballwars by OIN
    OuterInfo or similar
    Yazzle
    Zolero Translator
    (Anything) by OIN

    Troj/Zlob-XB (alias: Trojan-Downloader.Win32.Zlob.bip) installs itself in the Registry.
    Chances are you are not completely getting all the malware off of your system. I suggest you begin with the malware cleaning here:
    http://www.techspot.com/vb/topic58138.html

    If you have the two you mentioned, you will also have other malware.
  3. jobeard

    jobeard TS Ambassador Posts: 13,031   +222

    Be sure you have a firewall running.

    Cease using P2P, IM, online poker games.
  4. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    PurityScan/Clickspring is a pain to get off.

    Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.


    Then proceed to follow the preliminary removal instructions posted above.
  5. Sorrow

    Sorrow Newcomer, in training Topic Starter Posts: 141

    Oh boy this is going to take a while hahah =D
  6. Sorrow

    Sorrow Newcomer, in training Topic Starter Posts: 141

    The two logs, have to add the third log somehow....
  7. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update tab at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions.
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install, go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions
    • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder


    ------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Your AVG log says NO ACTION TAKEN after each thing that it found.

    AVG AntiSpyware
    • Launch AVG AntiSpyware
    • Click on the Update Icon at the top, then click Start Update in the left pane
    • After the update click on the Scanner Icon at the top, then select the Settings tab. In the first section, "How to act?", click on Recommended actions and change it to Delete. In the Reports section make sure it is set to Automatically generate report after every scan
    • Click back to the Scan tab and select Complete System Scan
    • Finally, after the scan, select the Infections Icon at the top, click Select All at the bottom then Remove finally also at the bottom
    --------------------------------------------------------------------------------------------------------------------------------------------------------------
    Please go to Start -> Control Panel -> Add/Remove Programs and uninstall Hijackthis, then reinstall with the below instructions. (Wrong version + installed to desktop)

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
  8. Sorrow

    Sorrow Newcomer, in training Topic Starter Posts: 141

    Uploaded the new AVG log just in case. It says no action taken but I deleted them all =/
  9. kritius

    kritius TechSpot Guru Posts: 2,087

    Go to Start > Run and copy/paste or type: taskmgr

    * Under the Processes tab find the following tasks or processes:
    ViewpointService.exe
    ViewMgr.exe

    * Highlight and click "End Process".
    * Exit Task Manager.

    Click on Start > Run and type: services.msc

    * Press "OK".
    * Click the "Extended tab".
    * Scroll down the list and find the service called "Viewpoint Manager Service"
    * When you find the service, double-click on it.
    * In the Properties Window > General Tab that opens, click the "Stop" button.
    * From the drop-down menu next to "Startup Type", click on "Disabled".
    * Now click "Apply", then "OK" and close any open windows.

    Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    Finally, delete the following folders if they still exist:
    C:\Program Files\ViewManager\ <-- and delete this folder
    C:\Program Files\Viewpoint\ <-- and delete this folder

    Run another AVG antispyware check to make sure they are gone and see if you can get it to quarantine anything it finds, then run another HJT scan and attach the log file.
  10. Sorrow

    Sorrow Newcomer, in training Topic Starter Posts: 141

    Well here's one... Can't upload Hijack... for some reason... Says it's in progress but it doesn't get on the list ~_~
  11. kritius

    kritius TechSpot Guru Posts: 2,087

    Delete the previous files you posted and then try again.
  12. Sorrow

    Sorrow Newcomer, in training Topic Starter Posts: 141

    YESS! I finally got it up >:O
  13. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Sorrow,

    Looks like we got it. As you can see from the AVG report the only signs of the infection are in your last restore point and in combofix's quarantine.
    --------------------------------------------------------------------------------------------------------------------------------------------------------
    Launch Hijackthis -> Do a system Scan only -> Check the following:

    O2 - BHO: (no name) - {4CADD537-FFDC-48AE-ACCD-B9A4D8CFD524} - C:\WINDOWS\system32\gebya.dll (file missing)
    O2 - BHO: (no name) - {4D0A2AF5-0A7C-4928-BD04-D7A749CCBE3E} - C:\WINDOWS\system32\geedc.dll (file missing)
    O2 - BHO: (no name) - {5E1484DE-8F62-44BC-9B0F-583AFA8282CC} - C:\WINDOWS\system32\vtstu.dll (file missing)
    O20 - Winlogon Notify: jkkhiif - jkkhiif.dll (file missing)


    The next entries are sometimes reported as malware. I would recommend you remove them but it is not mandatory.
    R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
    O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
    O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll


    After checking the above, please select Fix Checked and close Hijackthis

    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E
    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

    Use Windows Explorer to navigate to and delete the following files:

    Files:
    C:\Program Files\free-downloads.net\tbfree.dll <-This file only
    -------------------------------------------------------------------------------------------------------

    Go to start -> Run -> type in combofix /u
    *note the space between
    *This will uninstall combofix
    *It will remove vundofix backups
    *It will remove quarantine files
    *It creates a fresh clean restore point

    Remove Hijackthis from Start-> control panel -> add/remove programs
    Remove the 3 tools from step 10 (smitfraud, vundofix, virtumondobegone) by dragging to the recycle bin

    I recommend you keep
    1 anti virus program (AVG not anti spyware)
    1 firewall
    Spybot S&D, Adaware 2007, AVG Anti Spyware if you want but the version we downloaded is a 30 day trial

    keep them updated.

    You can also turn on tea timer in Spybot:
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • check Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close spybot

    Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer you can disable it, then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.
    -------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Just to be sure please run
    AVG AntiSpyware
    • Launch AVG AntiSpyware
    • Click on the Update Icon at the top, then click Start Update in the left pane
    • After the update click on the Scanner Icon at the top, then select the Settings tab. In the first section, "How to act?", click on Recommended actions and change it to Delete. In the Reports section make sure it is set to Automatically generate report after every scan
    • Click back to the Scan tab and select Complete System Scan
    • Finally, after the scan, select the Infections Icon at the top, click Select All at the bottom then Remove finally also at the bottom
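
Added example (not part of the original thread and not any poster's code): a small Python parser for the HijackThis entry lines quoted in the post above, separating orphaned entries marked "(file missing)" from DLLs that are still on disk and hooked at several points. The line layout is inferred only from the entries quoted in this thread, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Entry lines copied from the post above (no new data).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4CADD537-FFDC-48AE-ACCD-B9A4D8CFD524} - C:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: (no name) - {4D0A2AF5-0A7C-4928-BD04-D7A749CCBE3E} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {5E1484DE-8F62-44BC-9B0F-583AFA8282CC} - C:\WINDOWS\system32\vtstu.dll (file missing)
O20 - Winlogon Notify: jkkhiif - jkkhiif.dll (file missing)
R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
"""

# "<section code> - <entry kind>: <details>", e.g. "O2 - BHO: ..."
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"

def parse_entry(line):
    """Split one log line into its fields; return None for non-entry lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    missing = rest.endswith(MISSING)
    if missing:
        rest = rest[: -len(MISSING)].rstrip()
    clsid = CLSID.search(rest)
    return {
        "code": m["code"],
        "kind": m["kind"],
        "clsid": clsid.group(0).upper() if clsid else None,
        "target": rest.rsplit(" - ", 1)[-1],  # last field is the DLL or path
        "missing": missing,
    }

def triage(log_text):
    """Return (orphaned entries, {existing DLL path: [section codes hooking it]})."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    orphans = [e for e in entries if e["missing"]]
    hooks = defaultdict(list)
    for e in entries:
        if not e["missing"]:
            hooks[e["target"].lower()].append(e["code"])
    return orphans, dict(hooks)

if __name__ == "__main__":
    orphans, hooks = triage(SAMPLE_LOG)
    for e in orphans:
        print("orphaned:", e["code"], e["kind"], e["target"])
    for path, codes in hooks.items():
        print("present :", path, "hooked via", ", ".join(codes))
```
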
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Blind Dragon, re: "only signs of the infection are in your last restore point "

    How about checking 'turn off System Restore'> reboot> remove the check in 'turn off'. That will drop any infected restore points.

    Advise setting new restore points after doing this.
  15. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    by running combofix /u it flushes your restore points

    But it can't hurt to follow the above post as well.

    And I still want to see the last AVG AS log
  16. Sorrow

    Sorrow Newcomer, in training Topic Starter Posts: 141

    I can't seem to delete the tbfree.dll =/ Even though I deselected the protected system ops off it says
    "Cannot delete tbfree: Access is denied

    Make sure that the disk is not full or write-protected and that the file is not currently in use."

    And didn't i attach the last AVG AS log?

    P.S. And sorry for the late response, school's killing me.
  17. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Did you close all browsers before selecting Fix Checked? Before attempting to delete?

    If not, please do so
  18. Sorrow

    Sorrow Newcomer, in training Topic Starter Posts: 141

    Hmm...So do you still require another AVG AS log?
  19. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    tbfree.dll <- is it removed?

    If so, let's move on. This won't fix anything, but the Kaspersky scanner is great at finding things that are sometimes overlooked.

    :Run Kaspersky Online AV Scanner:

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  20. Sorrow

    Sorrow Newcomer, in training Topic Starter Posts: 141

    tbfree.dll is removed...Got a question though =/ There was a tbfree.dll1 ...Harmful? =/

    And I'm on Firefox and the accept button doesn't work =[
  21. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    any tbfree file is a part of the toolbar that we removed.
