HJT log, need help... is my laptop safe?


nazgulbkg

Hi there,
The other day I got a bad virus that messed up my computer pretty bad. It stopped me from doing anything with Windows except view my background. I reinstalled Windows XP and ran a few anti-virus programs to get rid of the viruses, but I had a feeling there were still some lurking. So I followed the instructions for the "Trojan Pakes and other nasties" thread and everything seems to be ok. Even a system tray icon that was telling me I was in danger of spyware has disappeared, and I could not get rid of whatever was doing that. So for that I already thank you. I just want to make sure that everything is indeed gone before I continue on with computer life. I have attached both the HJT log and the Ewido log as well. If anyone could help me out I would really appreciate it. Oh, and one more thing: when I restart my computer everything seems good except I get a C++ error about a Microsoft image burner or something. It is strange, but I think it's just something messed up with Windows now and not a virus. But then again what the hell do I know.
 
Hello and welcome to Techspot.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

Viewpoint\Viewpoint Toolbar

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

KBBFDC.EXE
attrib.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R3 - URLSearchHook: (no name) - {6330F213-4B81-647F-F3DA-6943B565F59F} - (no file)

R3 - URLSearchHook: (no name) - {E91EE2F8-026C-72C1-1185-7CE29F76719C} - C:\WINDOWS\system32\wkz.dll (file missing)

O2 - BHO: (no name) - {E91EE2F8-026C-72C1-1185-7CE29F76719C} - C:\WINDOWS\system32\wkz.dll (file missing)

O4 - HKCU\..\Run: [Tbsa] "C:\PROGRA~1\COMMON~1\ECURIT~1\attrib.exe" -vt yazb

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Program Files\Viewpoint

C:\PROGRA~1\COMMON~1\ECURIT~1\attrib.exe

C:\WINDOWS\TEMP\KBBFDC.EXE

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.


Regards Howard :wave: :wave:

This thread is for the use of nazgulbkg only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
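The HJT lines Howard picked out above all share a couple of tells: a hook or BHO whose file is gone ("(no file)", "(file missing)"), entries with no display name, and anything started from a temp folder. As an added example (this is not code from the thread, nor from HijackThis itself), here is a small parser that reads an HJT log into its entries and "Running processes" block and flags those same patterns. The sample log inside it is constructed from the entries quoted in this thread; the "ExampleTray" line and the smss.exe process are hypothetical fillers added so the output shows benign entries passing through unflagged. A flag is a reason to look closer, not proof of malware.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# HJT entry lines start with a section code ("R3", "O2", "O4", ...) followed by " - "
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Anything living under a \TEMP\ or \TMP\ folder (HJT prints Windows paths with backslashes)
TEMP_RE = re.compile(r"[\\/]te?mp[\\/]", re.IGNORECASE)

# Constructed sample: the entries from the first post of this thread, plus a hypothetical
# benign O4 line ("ExampleTray") and a "Running processes:" block as real HJT logs have.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample for this example)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\SAFCCC.EXE

R3 - URLSearchHook: (no name) - {6330F213-4B81-647F-F3DA-6943B565F59F} - (no file)
R3 - URLSearchHook: (no name) - {E91EE2F8-026C-72C1-1185-7CE29F76719C} - C:\WINDOWS\system32\wkz.dll (file missing)
O2 - BHO: (no name) - {E91EE2F8-026C-72C1-1185-7CE29F76719C} - C:\WINDOWS\system32\wkz.dll (file missing)
O4 - HKCU\..\Run: [Tbsa] "C:\PROGRA~1\COMMON~1\ECURIT~1\attrib.exe" -vt yazb
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
"""


@dataclass
class Entry:
    line_no: int
    code: str   # HJT section code, e.g. R3, O2, O4, O8
    body: str   # everything after "<code> - "


@dataclass
class HjtLog:
    entries: List[Entry]
    processes: List[Tuple[int, str]]   # (line number, image path) from "Running processes:"


@dataclass
class Finding:
    line_no: int
    item: str     # the section code, or the process path
    reason: str


def parse_hjt(text: str) -> HjtLog:
    """Split an HJT log into its section entries and its running-process list."""
    entries: List[Entry] = []
    processes: List[Tuple[int, str]] = []
    in_processes = False
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append((n, line))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(n, m.group("code"), m.group("body")))
    return HjtLog(entries, processes)


def triage(log: HjtLog) -> List[Finding]:
    """Flag the things a helper looks for first when reading a log."""
    findings: List[Finding] = []
    for e in log.entries:
        body = e.body.lower()
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(e.line_no, e.code,
                                    "points at a file that no longer exists (dangling hook/BHO)"))
        if "(no name)" in body:
            findings.append(Finding(e.line_no, e.code, "entry has no display name"))
        if TEMP_RE.search(e.body):
            findings.append(Finding(e.line_no, e.code, "autostart runs something from a temp folder"))
    for line_no, path in log.processes:
        if TEMP_RE.search(path):
            findings.append(Finding(line_no, path, "running process image lives in a temp folder"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"line {f.line_no:>3}  {f.item}: {f.reason}")
```

Run it as-is to see the constructed sample triaged, or swap `SAMPLE_LOG` for the contents of a saved hijackthis.log. The O4 attrib.exe line does not trip any of these three rules, which is exactly why Howard had to recognise it by its odd location rather than by a mechanical check.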
 
Second time around...

Thanks for such a speedy response and for all the help. There is no more error at the beginning of the page. Everything seems fine but per your request here is the updated HJT file you requested.
 
One of the files you deleted has come back with a different name.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

KYBE91.EXE

Close task manager.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\TEMP\KYBE91.EXE

In fact, delete as many files as you can in the C:\WINDOWS\TEMP folder.

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

 
Nope, it's back again with a different file name.

C:\WINDOWS\TEMP\SAFCCC.EXE I can find no info on this file, nor for that matter on any of the other filenames.

Download and run the ATF cleaner from HERE. Follow the instructions carefully.

See if that helps.

Regards Howard :)
 
I ran the cleaner for both windows and firefox so hopefully that worked. I was also wondering if you knew (which I am sure you do) what BHO is because I noticed it in my add remove programs. I do not know its origin or what it does so I am skeptical of it. Thanks
 
Nope, the buggers still there.

Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Go into C:\windows\temp folder and make a note of any .exe files.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for any of the .exe files you found in the temp directory.

Close task manager.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (it looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

Type the file paths to all the .exe files in your temp folder.

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log.

BHO=Browser helper object. You can safely uninstall any of these from add remove programmes.

I also recommend you install one of these free firewall programmes.

Zonealarm or Kerio.


Regards Howard :)

 
The only thing that was in the temp folder was WGAerrlog.txt. There was nothing else. I copied down the processes that were running in safe mode; I even included the obvious ones just in case.

notepad.exe
taskmgr.exe
explorer.exe
svchost.exe
svchost.exe
svchost.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
system
system idle process
 
The thing is this file is showing up in your HJT log under running processes.

C:\WINDOWS\TEMP\SAFCCC.EXE

Download the Autoruns programme from HERE.

Extract it, then double click on the Autoruns.exe file to run the programme. Click the options menu and select hide Microsoft entries. Click the file menu and select save as, save the file to wherever you want, then attach it here please.

Regards Howard :)
 
Delete these two files.

C:\WINDOWS\system32\COOLPH~1.SCR
c:\windows\system32\cool photos.scr

Other than the above I can find nothing wrong.

I don't know how, why or where those .exe files are coming from in your Windows temp directory. The fact that they keep changing worries me.

Go HERE and run the online scanners, see if they find anything.

Regards Howard :)

 
I am about to run the online scanners but I just wanted to let you know that I did create the cool photos screensaver file with photo screen saver maker program. Is there still a chance that these files could be a virus?
 
Another quick question, is it normal for there to be a lot more processes running in normal mode rather than safe mode? I imagine it is but I am afraid that the process or program only runs during normal mode?
 
If you know the screensaver programme is safe, then keep it.

Yes, it's perfectly normal for there to be more tasks running in normal mode than safe mode.

Regards Howard :)

 
It's back again, only this time it's got the following name.

C:\WINDOWS\TEMP\RDC6B5.EXE

I've tried everything I can think of and still the bugger comes back.

It seems to me you have two choices. Either live with it, or backup your important data and reformat.

I'm sorry I wasn't able to help get rid of this annoying piece of crap.

Regards Howard :)
 
Do you think it would be safe to move on with my computer life? Or could this be a sneaky guy that will lead to all my money being stolen from my accounts and my computer spontaneously combusting? Haha, it's a bit dramatic but you know what I mean. Thanks for trying so hard.
 
If it was my computer, I'd reformat it.

At least you'd know it was clean.

I hate having to advise anyone to reformat, but like I said, I've tried everything I can think of and it still won't go. Maybe it's some kind of rootkit, I don't know.

You could try downloading the Sysclean package from HERE. You'll need to read the instructions carefully. Whether it'll help or not, I don't know.

Regards Howard :)

 
I don't know if this is a stupid question, but should I search for files you mentioned like attrib.exe and delete them? Because for the hell of it I searched and I did find a few attrib.exe, and I am not sure if this is all useless and deleting them could hurt my computer.
 
The only attrib.exe you should delete is the one in the directory I gave you. Other attrib.exe files are likely legit.

Regards Howard :)
 
Do you think it will help if I keep taking the files out in HJT? Also, I am confused how a file can be coming from windows/temp but when I go to windows/temp it is not there... that means that another program is causing that file to be formed, huh?
 
It's still there, just as I thought it'd be. You can keep deleting the files, but I think they'll just keep coming back with a different file name.

C:\WINDOWS\TEMP\RDC6B5.EXE

It's obviously being created from somewhere, but where I don't know.

Download the Ccleaner programme from HERE.

Run the programme and make sure all the boxes are ticked under the Windows and Applications tabs. Click the run cleaner button with no browsers open. Do this several times. Click on issues, then the scan for issues button. Click the fix selected issues button, followed by the fix all selected issues button. Do this several times, until no more issues are found.

Post a fresh HJT log.

If that doesn't work I'm out of ideas, I'm afraid.

I can't find any info for any of the .exe files in your temp folder. I'm just guessing that they're bad, especially as they change to random names when deleted.

Like I said earlier, you can either live with it or reformat.

Regards Howard :)

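The sticking point all through this thread is that the file in C:\WINDOWS\TEMP comes back under a new random name, and Howard could find no information on any of the names. A name is a poor identifier for a file that renames itself; a content hash is not. As an added example (not code from the thread or from any of the tools mentioned in it), this script snapshots the executables in a folder, records size, timestamp and SHA-256 for each, and compares against the previous snapshot so that a file which "vanished" and then "appeared" with identical contents is reported as the same file under a new name. The `demo()` scenario is constructed in a throwaway directory with fake file contents; the only real paths in it are the two file names quoted in this thread.

```python
import hashlib
import json
import sys
import tempfile
import time
from pathlib import Path
from typing import Dict, List

# File types worth tracking in a temp folder; everything else (e.g. WGAerrlog.txt) is ignored
EXEC_SUFFIXES = {".exe", ".scr", ".dll", ".com", ".pif"}


def sha256_of(path: Path) -> str:
    """Hash the file contents in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory: Path) -> Dict[str, dict]:
    """Record every executable-looking file directly inside `directory`, keyed by file name."""
    records: Dict[str, dict] = {}
    for p in sorted(directory.iterdir()):
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            st = p.stat()
            records[p.name] = {
                "path": str(p),
                "size": st.st_size,
                "mtime": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime)),
                "sha256": sha256_of(p),
            }
    return records


def compare(old: Dict[str, dict], new: Dict[str, dict]) -> Dict[str, List]:
    """Report new files, removed files, and files that came back under a new name (same hash)."""
    old_by_hash = {rec["sha256"]: name for name, rec in old.items()}
    appeared = [n for n in new if n not in old]
    vanished = [n for n in old if n not in new]
    reappeared = [(old_by_hash[new[n]["sha256"]], n)
                  for n in appeared if new[n]["sha256"] in old_by_hash]
    return {"appeared": appeared, "vanished": vanished, "reappeared": reappeared}


def demo() -> Dict[str, List]:
    """Constructed scenario: the file is deleted and returns with a random name but identical bytes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        payload = b"MZ constructed sample bytes, not a real executable\n"
        (root / "SAFCCC.EXE").write_bytes(payload)
        (root / "WGAerrlog.txt").write_text("not executable, should be ignored\n")
        first = snapshot(root)
        (root / "SAFCCC.EXE").unlink()
        (root / "RDC6B5.EXE").write_bytes(payload)
        second = snapshot(root)
        return compare(first, second)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: temp_watch.py <directory> <state.json>   (or run with no args for the demo)")
        print(json.dumps(demo(), indent=2))
        sys.exit(0)
    target, state = Path(sys.argv[1]), Path(sys.argv[2])
    previous = json.loads(state.read_text()) if state.exists() else {}
    current = snapshot(target)
    print(json.dumps(compare(previous, current), indent=2))
    state.write_text(json.dumps(current, indent=2))
```

Run it once to create the state file, delete the file as the thread does, and run it again after the next reboot: a "reappeared" pair means the same bytes are being dropped again, and the recorded SHA-256 is the value to search for or submit to a scanner, rather than the throwaway file name. A different hash each time tells you the dropper is also changing its payload, which is worth knowing before deciding between "live with it" and a reformat.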
 