
Infected with "HDD defragmenter" and false alert affiliate


2 replies to this topic

#1 IhateHDDdefrag


Posted 07 December 2010 - 02:53 PM

I followed the instructions on this page and restarted my computer and I still have the malware on my computer. I have my DDS here along with the two attachments:

[edit: I did the DDS and all other programs and am currently running the computer in "safe mode w/ networking". The malware doesn't come up until I run my computer in normal mode. The affiliate gives me the "Critical Error. Hard Drive not found" and "RAM Memory usage is critically high." and similar messages found in the topic "Infected with System Defragmenter, Pakes.hvk"]



DDS (Ver_10-12-05.01) - NTFSx86 NETWORK
Run by J-MannxxMnemic at 10:05:46.80 on Tue 12/07/2010
Internet Explorer: 8.0.6001.18975
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1978.1315 [GMT -8:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Cobian Backup 10\cbInterface.exe
C:\Users\J-MannxxMnemic\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = google.com
uDefault_Page_URL = hxxp://www.Google.com
uSearch Page = hxxp://www.Google.com/
uSearch Bar = hxxp://www.Google.com/
uDefault_Search_URL = hxxp://www.Google.com
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.Google.com/
uCustomizeSearch = hxxp://www.Google.com/
BHO: SuperAdBlockerBHO SearchAdBlocker Class: {00000000-6c30-11d8-9363-000ae6309656} - c:\program files\superadblocker.com\sponsored ad blocker\SCHBHO.dll
BHO: PE_IE_Helper Class: {0941c58f-e461-4e03-bd7d-44c27392ade1} - c:\program files\ibm\lotus forms\viewer\3.5\PEhelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Google Update] "c:\users\j-mannxxmnemic\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\77299770-2757-43b9-8838-65ecffb3355a.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [IGwqNKmplw.exe] c:\users\j-mann~1\appdata\local\temp\IGwqNKmplw.exe
uRun: [696419] c:\users\j-mann~1\appdata\local\temp\696419.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [RDVCHG] "c:\program files\sprint\sprint smartview\RDVCHG.exe"
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [PSNUpd] "c:\program files\panda security\panda cloud antivirus\psnupd.exe" /UpgradeNotification
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Cobian Backup 10 Interface] "c:\program files\cobian backup 10\cbInterface.exe" -service
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {14CD42DD-ABCD-3586-DCAB-40E3693E3737} - c:\program files\stylish profile\ct.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: bmnet.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.3.1.0.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\users\j-mann~1\appdata\roaming\mozilla\firefox\profiles\g6di0zt1.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5555
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\users\j-mannxxmnemic\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-5 162768]
S1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2009-10-13 114184]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-9-15 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 68168]
S2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-1-20 21504]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-5 19024]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-5-5 51792]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-5 40384]
S2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2010-12-7 67584]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S2 NanoServiceMain;NanoServiceMain;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2009-10-30 136448]
S2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2009-10-30 146440]
S2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2009-10-13 97800]
S2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2009-10-13 101384]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-5 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-5 40384]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-5 112640]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 12872]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 CASprint;Sprint Con App Svc;c:\program files\sprint\sprint smartview\ConAppsSvc.exe [2009-5-26 124160]
S4 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-10-22 193840]
S4 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-22 365952]

=============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2010-12-07 17:36:11 -------- d-----w- c:\program files\Cobian Backup 10
2010-12-07 10:13:25 -------- d-----w- c:\users\j-mann~1\appdata\roaming\Malwarebytes
2010-12-07 10:13:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-07 10:13:17 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-07 10:13:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-07 10:13:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-06 01:47:55 -------- d-----w- c:\users\j-mann~1\appdata\roaming\Digiarty
2010-12-06 01:47:45 -------- d-----w- c:\program files\Digiarty
2010-12-05 18:11:49 -------- d-----w- c:\progra~2\QuickMediaConverter
2010-12-05 18:11:11 -------- d-----w- c:\users\j-mann~1\appdata\roaming\CocoonSoftware
2010-12-05 18:10:51 -------- d-----w- c:\program files\QuickMediaConverter
2010-12-05 18:10:45 -------- d-----w- c:\users\j-mann~1\appdata\local\WDSetup
2010-12-05 17:58:55 -------- d-----w- C:\output media
2010-12-05 17:50:18 -------- d-----w- c:\users\j-mann~1\appdata\roaming\Leawo
2010-12-05 17:50:18 -------- d-----w- c:\progra~2\Leawo
2010-12-05 17:49:47 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-12-03 22:14:55 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{9a4d1311-d498-47b5-a5e5-aac36c48b324}\mpengine.dll
2010-11-26 20:54:39 -------- d-----w- c:\users\j-mann~1\appdata\local\Electronic Arts
2010-11-26 14:12:45 -------- d-----w- c:\progra~2\Electronic Arts
2010-11-26 14:09:04 3540 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2010-11-26 14:08:23 -------- d-----w- c:\users\j-mann~1\appdata\local\Downloaded Installations
2010-11-24 16:45:57 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
2010-11-15 08:13:54 -------- d-----w- c:\program files\iPod
2010-11-10 18:59:25 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
==================== Find3M ====================

2010-12-07 09:37:00 119296 ----a-w- c:\windows\system32\zlib.dll
2010-11-26 20:40:57 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-10-19 18:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-28 23:44:52 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 18:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 18:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 10:06:44.05 ===============

Edited by IhateHDDdefrag, 08 December 2010 - 12:39 PM.
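As an added example (not part of the original post and not code from the DDS tool), the script below parses the "Pseudo HJT Report" lines of the DDS log above and flags the entries a helper would look at first: Run keys launching from the user's temp directory, an Internet Explorer ProxyServer pointing at the loopback address (the usual way a rogue "defragmenter" feeds fake alerts into the browser), EnableLUA set to 0, and the Firefox proxy host. The sample lines are copied from the log in the post; the indicator names and flagging rules are my own heuristics and not anything DDS itself reports.

```python
"""Triage a DDS 'Pseudo HJT Report' for common rogue-AV indicators.

Added example: not part of the forum post or the DDS tool. The flagging
rules and indicator names are heuristics chosen for this illustration.
"""
import re

# Constructed sample: lines lifted verbatim from the DDS log in the post.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uRun: [Google Update] "c:\users\j-mannxxmnemic\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [IGwqNKmplw.exe] c:\users\j-mann~1\appdata\local\temp\IGwqNKmplw.exe
uRun: [696419] c:\users\j-mann~1\appdata\local\temp\696419.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mPolicies-system: EnableLUA = 0 (0x0)
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5555
FF - prefs.js: network.proxy.type - 0
""".strip()

RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer = (?P<value>.*)$")
LUA_RE = re.compile(r"^mPolicies-system: EnableLUA = (?P<value>\d+)")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<value>.*)$")

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# Matches ...\appdata\local\temp\... style paths and the %TEMP% variable.
TEMP_DIR_RE = re.compile(r"\\temp\\|%temp%")


def run_executable(cmd):
    """Return the executable path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def proxy_hosts(value):
    """Split an IE ProxyServer value into host names.

    Accepts both 'host:port' and the per-protocol form 'http=host:port;https=host:port'.
    """
    hosts = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        target = entry.split("=", 1)[1] if "=" in entry else entry
        hosts.append(target.rsplit(":", 1)[0] if ":" in target else target)
    return hosts


def triage(report):
    """Return a list of (indicator, detail) findings for a DDS pseudo-HJT report."""
    findings = []
    ff_proxy_host = None
    ff_proxy_type = None
    for line in report.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            exe = run_executable(m.group("cmd"))
            if TEMP_DIR_RE.search(exe.lower()):
                findings.append(("autorun-from-temp", f"[{m.group('name')}] -> {exe}"))
            continue
        m = PROXY_RE.match(line)
        if m:
            if any(h.lower() in LOOPBACK for h in proxy_hosts(m.group("value"))):
                findings.append(("loopback-proxy", m.group("value")))
            continue
        m = LUA_RE.match(line)
        if m and m.group("value") == "0":
            # UAC disabled: a weakened configuration, not proof of infection on its own.
            findings.append(("uac-disabled", line))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            if m.group("key") == "network.proxy.http":
                ff_proxy_host = m.group("value").strip()
            elif m.group("key") == "network.proxy.type":
                ff_proxy_type = m.group("value").strip()
    if ff_proxy_host and ff_proxy_host.lower() in LOOPBACK:
        # network.proxy.type 0 means "no proxy": the host is a leftover setting,
        # not a proxy Firefox is actually using right now.
        active = ff_proxy_type not in (None, "0")
        kind = "firefox-loopback-proxy" if active else "firefox-loopback-proxy-inactive"
        findings.append((kind, f"{ff_proxy_host} (network.proxy.type={ff_proxy_type})"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:32s} {detail}")
```

Run against the sample it reports the two temp-directory autoruns (`IGwqNKmplw.exe` and `696419.exe`), the IE proxy at `127.0.0.1:5555`, the disabled UAC policy, and the Firefox proxy host marked inactive because `network.proxy.type` is 0. The loopback-proxy check is the one worth remembering: a `ProxyServer` value on `127.0.0.1` with nothing legitimate listening there is the mechanism behind the browser-side "critical error" pages, and it has to be cleared from both the IE settings and the Firefox prefs or the browser keeps failing after the rogue's files are gone.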


#2 IhateHDDdefrag


Posted 08 December 2010 - 08:43 PM

--IMPORTANT--
I don't mean to bump my topic but I can't seem to edit my original post. Anyways, I just wanted to say I somehow fixed my problem. I played around with both rkill and malwarebytes a bunch and it just kinda stopped when I started it up this time. Thanks anyways, I'll post more if it comes up again. I truly hate HDDdefragmenter and I'm glad to be rid of it but I want to list a few things I noticed as my problem came to a close:

-HDDdefragmenter changed to "HDDdiagnose" this boot up but the shortcut didn't even work, deleted the source file.

-For the most part this can be moved to the side like most malware but some actions I took made the malware want to forcibly shut down/restart my computer.

-A better description of my problem than the ones I found on this site can be found here along with the removal instructions on this site.

-I didn't really do much this start up besides running rkill, which failed to run due to some weird error saying it didn't have access to some file under win32, but neither HDDdefragmenter nor the affiliate started this boot up.

#3 Budapest

Posted 08 December 2010 - 08:45 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users