Viruses repeatedly attacking me

Status
Not open for further replies.

Sorrow

For the last month I have been getting warnings about viruses on both AVG Free and Uniblue PowerSuite. I've been trying to remove them all but they keep coming back. I've been getting things on AVG saying things like "Virus found Lop", and Uniblue has been warning me that sites are being added to my trusted sites. Can anyone help me solve these problems?

Edit: Wrote names down this time...Trojan downloader PurityScan (Punctuation not correct)
TrojanHouse.zlob.XB
 
This is only a start:
First, please navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall any of the following programs:

Cowabanga by OIN
ipwins
PuritySCAN By OIN,
Snowballwars by OIN,
OuterInfo or similar
Yazzle
Zolero Translator
(Anything) by OIN

Troj/Zlob-XB (alias Trojan-Downloader.Win32.Zlob.bip) installs itself in the Registry.
Chances are you are not completely getting all the malware off of your system. I suggest you begin with the malware cleaning here:
https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

IF you have the two you mentioned, you will also have other malware.
 
Be sure you have a firewall running.

Cease using P2P, IM, and online poker games.
 
PurityScan/Clickspring is a pain to get off.

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.


Then proceed to follow the preliminary removal instructions posted above.
 
Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update tab at the top
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
  • After it installs the newest version Go back to Control Panel -> Add/remove programs
  • Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions:
  • Click the following link
    Java Runtime Environment 6 Update 5
  • The 4th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
  • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder


------------------------------------------------------------------------------------------------------------------------------------------------------------------
Your AVG log says NO ACTION TAKEN after each thing that it found.

AVG AntiSpyware
  • Launch AVG AntiSpyware
  • Click on the Update Icon at the top, then click Start Update in the left pane
  • After the update click on the Scanner Icon at the top, then select the Settings tab. In the first section "How to act?" click on Recommended actions and change it to Delete. In the Reports section make sure it is set to Automatically generate report after every scan
  • Click back to the Scan tab and select Complete System Scan
  • Finally, after the scan, select the Infections Icon at the top, click Select All at the bottom, then Remove, also at the bottom
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Please go to Start -> Control Panel -> Add/Remove Programs and uninstall Hijackthis, then reinstall with the below instructions. (Wrong version + installed to desktop)

HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
  • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
  • After installing, the program launches automatically, select Scan now and save a log
  • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
 
Uploaded the new AVG log just in case. It says no action taken but I deleted them all =/
 
Go to Start > Run and copy/paste or type: taskmgr

* Under the Processes tab find the following tasks or processes:
ViewpointService.exe
ViewMgr.exe

* Highlight and click "End Process".
* Exit Task Manager.

Click on Start > Run and type: services.msc

* Press "OK".
* Click the "Extended tab".
* Scroll down the list and find the service called "Viewpoint Manager Service"
* When you find the service, double-click on it.
* In the Properties Window > General Tab that opens, click the "Stop" button.
* From the drop-down menu next to "Startup Type", click on "Disabled".
* Now click "Apply", then "OK" and close any open windows.

Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Finally, delete the following folders if they still exist:
C:\Program Files\ViewManager\ <-- and delete this folder
C:\Program Files\Viewpoint\ <-- and delete this folder

Run another AVG antispyware check to make sure they are gone and see if you can get it to quarantine anything it finds, then run another HJT scan and attach the log file.
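As an added example (not from the thread), here is a PowerShell version of the Viewpoint steps above that checks the result of each step rather than assuming it worked. It assumes Windows PowerShell 5.1 run as Administrator; the process, service and folder names are the ones listed in the post.

```powershell
# Added example (not from the thread): scripted version of the Viewpoint clean-up above,
# verifying each step. Assumes Windows PowerShell 5.1 in an elevated prompt; the process,
# service and folder names are the ones the thread lists.
$ProcessNames = @('ViewpointService', 'ViewMgr')   # Stop-Process takes the name without .exe
$ServiceName  = 'Viewpoint Manager Service'        # display name, as shown in services.msc
$Folders      = @("$env:ProgramFiles\ViewManager", "$env:ProgramFiles\Viewpoint")

function Stop-LeftoverProcesses {
    foreach ($name in $ProcessNames) {
        Get-Process -Name $name -ErrorAction SilentlyContinue | Stop-Process -Force
    }
    # $true only when none of the listed processes is still running.
    return -not (Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue)
}

function Disable-LeftoverService {
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName='$ServiceName'"
    if (-not $svc) { Write-Host "service '$ServiceName' is not installed"; return $true }
    Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $svc.Name -StartupType Disabled
    # Re-query so the result reflects the live state (StartMode is 'Disabled' when done).
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName='$ServiceName'"
    return ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
}

function Get-ViewpointUninstallEntries {
    # Add/Remove Programs is built from these keys; UninstallString is what the GUI runs.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Viewpoint*' } |
        Select-Object DisplayName, UninstallString
}

function Remove-LeftoverFolders {
    $left = @()
    foreach ($f in $Folders) {
        if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Recurse -Force -ErrorAction SilentlyContinue }
        if (Test-Path -LiteralPath $f) { $left += $f }   # still there: a process holds a file open
    }
    return $left   # empty when both folders are gone
}

Stop-LeftoverProcesses
Disable-LeftoverService
Get-ViewpointUninstallEntries | Format-Table -AutoSize
Remove-LeftoverFolders
```

Run the uninstall strings the third function lists before deleting the folders, so the Add/Remove Programs entries do not linger.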
 
Well here's one... Can't upload the HijackThis log for some reason. Says it's in progress but it doesn't get on the list ~_~
 
Sorrow,

Looks like we got it. As you can see from the AVG report the only signs of the infection are in your last restore point and in combofix's quarantine.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Launch Hijackthis -> Do a system Scan only -> Check the following:

O2 - BHO: (no name) - {4CADD537-FFDC-48AE-ACCD-B9A4D8CFD524} - C:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: (no name) - {4D0A2AF5-0A7C-4928-BD04-D7A749CCBE3E} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {5E1484DE-8F62-44BC-9B0F-583AFA8282CC} - C:\WINDOWS\system32\vtstu.dll (file missing)
O20 - Winlogon Notify: jkkhiif - jkkhiif.dll (file missing)


The next entries are sometimes reported as malware. I would recommend you remove them but it is not mandatory.
R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll
O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Program Files\free-downloads.net\tbfree.dll


After checking the above, please select Fix Checked and close Hijackthis

Show hidden files through windows explorer
  • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E
  • On the Tools menu in Windows Explorer, click Folder Options.
  • Click the View tab.
  • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

Use Windows Explorer to navigate to and delete the following files:

Files:
C:\Program Files\free-downloads.net\tbfree.dll <-This file only
-------------------------------------------------------------------------------------------------------

Go to start -> Run -> type in combofix /u
*note the space between
*This will uninstall combofix
*It will remove vundofix backups
*It will remove quarantine files
*It creates a fresh clean restore point

Remove Hijackthis from Start-> control panel -> add/remove programs
Remove the 3 tools from step 10 (SmitFraud, VundoFix, VirtumundoBeGone) by dragging them to the Recycle Bin

I recommend you keep
1 anti virus program (AVG not anti spyware)
1 firewall
Spybot S&D, Adaware 2007, AVG Anti Spyware if you want but the version we downloaded is a 30 day trial

keep them updated.

You can also turn on TeaTimer in Spybot:
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • check Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close spybot

Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer you can disable it; when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------

Just to be sure please run
AVG AntiSpyware
  • Launch AVG AntiSpyware
  • Click on the Update Icon at the top, then click Start Update in the left pane
  • After the update click on the Scanner Icon at the top, then select the Settings tab. In the first section "How to act?" click on Recommended actions and change it to Delete. In the Reports section make sure it is set to Automatically generate report after every scan
  • Click back to the Scan tab and select Complete System Scan
  • Finally, after the scan, select the Infections Icon at the top, click Select All at the bottom, then Remove, also at the bottom
 
Blind Dragon, re: "only signs of the infection are in your last restore point "

How about checking 'turn off System Restore'> reboot> remove the check in 'turn off'. That will drop any infected restore points.

Advise setting new restore points after doing this.
 
Running combofix /u flushes your restore points.

But it can't hurt to follow the above post as well.

And I still want to see the last AVG AS log
 
I can't seem to delete tbfree.dll =/ Even though I deselected the protected system files option, it says:
"Cannot delete tbfree: Access is denied

Make sure that the disk is not full or write-protected and that the file is not currently in use."

And didn't I attach the last AVG AS log?

P.S. And sorry for the late response, school's killing me.
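As an added example (not from the thread or from HijackThis), a PowerShell script that audits the two load points reported earlier as O2 (Browser Helper Objects) and O20 (Winlogon Notify), flags entries whose DLL is missing or whose CLSID/name matches the log quoted above, and lists which process has a DLL such as tbfree.dll loaded, which is the usual reason a delete fails with "Access is denied". It assumes Windows PowerShell 5.1 in an elevated prompt; the registry paths are the standard ones for these load points.

```powershell
# Added example (not from the thread): audit HijackThis O2/O20 load points and find the
# process holding a DLL open. Assumes Windows PowerShell 5.1 in an elevated prompt;
# the CLSIDs and the Notify name are the ones quoted in the thread's log.
$SuspectClsids = @('{4CADD537-FFDC-48AE-ACCD-B9A4D8CFD524}',   # gebya.dll
                   '{4D0A2AF5-0A7C-4928-BD04-D7A749CCBE3E}',   # geedc.dll
                   '{5E1484DE-8F62-44BC-9B0F-583AFA8282CC}')   # vtstu.dll
$SuspectNotify = @('jkkhiif')

function Test-DllMissing([string]$Path) {
    if (-not $Path) { return $true }
    $full = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($full)) { $full = Join-Path $env:SystemRoot "System32\$full" }
    return -not (Test-Path -LiteralPath $full)
}

function Get-BhoEntries {
    # BHOs are registered by CLSID here; the DLL path is the default value of InprocServer32.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($k in Get-ChildItem $bhoKey) {
        $clsid  = $k.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { $null }
        [pscustomobject]@{ Type = 'O2 BHO'; Name = $clsid; Dll = $dll
                           Missing = Test-DllMissing $dll; Suspect = $SuspectClsids -contains $clsid }
    }
}

function Get-WinlogonNotifyEntries {
    # Notify packages are loaded into winlogon.exe at logon; DllName may be a bare file name.
    $notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $notifyKey)) { return }
    foreach ($k in Get-ChildItem $notifyKey) {
        $dll = (Get-ItemProperty $k.PSPath).DllName
        [pscustomobject]@{ Type = 'O20 Notify'; Name = $k.PSChildName; Dll = $dll
                           Missing = Test-DllMissing $dll; Suspect = $SuspectNotify -contains $k.PSChildName }
    }
}

function Find-DllOwner([string]$DllName) {
    # A DLL mapped into a running process cannot be deleted; list the processes holding it.
    Get-Process | Where-Object { try { $_.Modules.ModuleName -contains $DllName } catch { $false } } |
        Select-Object Id, ProcessName
}

@(Get-BhoEntries) + @(Get-WinlogonNotifyEntries) |
    Where-Object { $_.Missing -or $_.Suspect } | Format-Table -AutoSize
Find-DllOwner 'tbfree.dll'
```

An entry with Missing = True is what HijackThis prints as "(file missing)"; if Find-DllOwner lists a process, that process must exit before the file can be deleted.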
 
tbfree.dll <- is it removed?

If so, let's move on. This won't fix anything, but the Kaspersky scanner is great at finding things that are sometimes overlooked.

:Run Kaspersky Online AV Scanner:

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
tbfree.dll is removed...Got a question though =/ There was a tbfree.dll1 ...Harmful? =/

And I'm on Firefox and the accept button doesn't work =[
 