hbkdeeh.exe and .bat files virus !?!

Hi,
I'm new to this forum but use avast free edition. I use the latest and most up-to-date version.
The problem I have is that while surfing the net I keep getting pop-ups.
I have the pop-up blocker on high, yet I still receive them. So to investigate, I right-clicked on the pop-ups and went to Properties.
I then tracked the process to a hbkdeeh.exe process, which I then ended. This was then found in my app data folder in my documents.
I am wondering why this wasn't detected and how I could go about removal?
There are several files in there I do not recognise and are related to the hbkdeeh.exe.
They are:
hbkdeeh.exe
hbkdeeh.dat
hbkdeeh.bat
hbkdeeh_nav.dat
hbkdeeh_navps.dat
They were created, roughly according to the file properties, on the 26th, a few days ago. Would a system restore help resolve this issue?
Many thanks to all who can help.

You could also check the offending/suspect file (hbkdeeh.exe) at VirusTotal (multi-engine online virus scanner) and report the findings here: post the URL in the address bar of the VT results page.

If you get multiple detections on VT send this and the other files to avast for analysis.

Send the sample to virus@avast.com, zipped and password protected, with the password in the email body (a link to this topic might help) and "undetected malware" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

http://www.virustotal.com/analisis/8855fdd817cd4a80c36aa898ec4548dcdaae7b48f9b6c84b5755cce873b3680f-1248597184#

Here are the results. It seems this file has been scanned before, and various anti-virus programs such as McAfee and Authentium show a Skintrim virus.

Authentium 5.1.2.4 2009.07.25 W32/Skintrim.1!Generic
F-Prot 4.4.4.56 2009.07.25 W32/Skintrim.1!Generic
McAfee-GW-Edition 6.8.5 2009.07.26 Heuristic.BehavesLike.Win32.Dropper.H
Prevx 3.0 2009.07.26 Low Risk Adware

I will follow your instructions to send this for analysis to avast and will also send the files to the chest/vault.
If you can help me any more with removal or any advice on this particular problem, all information is welcome.
Once again, much appreciated :)

Whilst it isn’t the greatest of confirmations, generic/heuristic detections are more prone to false positive detection. However, given the folder they were in and what appears to be a randomly generated file name, you should send them to avast for analysis.

If you right click the hbkdeeh.bat file (don’t double click or that will run it) and open with Notepad, this may show other files being run, so if you can copy the contents of the file and post it here, it may give other elements to find.

If you haven’t already got this software (freeware), download, install, update and run it; it may well find other elements. Report the findings (it should produce a log file).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them though. See http://en.wikipedia.org/wiki/HTTP_cookie.
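The static check suggested above (reading hbkdeeh.bat as text rather than running it) can be scripted. The following is an added example, not part of the original thread or of any avast tool: it groups the files that share the suspect's name stem, computes SHA-256 digests that can be searched on VirusTotal, and lists the files the batch script names. The function names, the extension list and the sample files built in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

EXT = r"\.(?:exe|dll|dat|bat|cmd|vbs|js|tmp)"
# A quoted path (may contain spaces) or a bare token ending in a listed extension.
REF = re.compile(r'"([^"]+%s)"|([^\s"<>|&]+%s)\b' % (EXT, EXT), re.IGNORECASE)

def siblings(suspect):
    """Files beside the suspect whose names start with its stem (e.g. hbkdeeh*)."""
    suspect = Path(suspect)
    stem = suspect.stem.lower()
    return sorted(p for p in suspect.parent.iterdir()
                  if p.is_file() and p.name.lower().startswith(stem))

def referenced_files(script):
    """Read a batch file as text, never executing it, and list the files it names."""
    found = {}  # dict keeps first-seen order and removes duplicates
    for line in Path(script).read_text(errors="replace").splitlines():
        if line.strip().lower().startswith(("rem ", "::")):
            continue  # comment line
        for m in REF.finditer(line):
            found[m.group(1) or m.group(2)] = None
    return list(found)

def triage(suspect):
    """Return ({file name: SHA-256}, [files named by any .bat/.cmd in the group])."""
    group = siblings(suspect)
    refs = {}
    for p in group:
        if p.suffix.lower() in (".bat", ".cmd"):
            refs.update(dict.fromkeys(referenced_files(p)))
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest() for p in group}, list(refs)

def demo():
    """Constructed sample data: harmless stand-ins, not the files from the thread."""
    d = Path(tempfile.mkdtemp())
    (d / "hbkdeeh.exe").write_bytes(b"constructed placeholder")
    (d / "hbkdeeh.dat").write_bytes(b"")
    (d / "unrelated.txt").write_text("ignored")
    (d / "hbkdeeh.bat").write_text(
        '@echo off\nrem constructed sample hbkdeeh.bat\n'
        'del "C:\\Documents and Settings\\user\\Application Data\\hbkdeeh.exe"\n'
        'if exist %TEMP%\\hbkdeeh_nav.dat del %TEMP%\\hbkdeeh_nav.dat\n')
    return triage(d / "hbkdeeh.exe")

if __name__ == "__main__":
    print(demo())
```

On a real machine, call `triage()` with the full path of the suspect file; any referenced path outside the original folder is another location to check and submit.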

Hi KROJim,

Download combofix from here

Link 1 http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Link 2 http://subs.geekstogo.com/ComboFix.exe

We need to disable your local AV (Anti-virus) before running Combofix.

See HERE for how to disable your AV: http://www.bleepingcomputer.com/forums/index.php?showtopic=114351

Double click on ComboFix.exe.

Follow the prompts. NOTE:

ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

It’s strongly recommended to have the Recovery Console installed before doing any malware removal.

**Please note:** If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

See picture attached 1

Allow ComboFix to download the Recovery Console.

Accept the End-User License Agreement.

The Recovery Console will be installed.

You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

See picture attached 2

Allow combofix to run

Post C:\combofix.txt back here,

polonus