
Topic: Is 'HDDefrag.exe' a Trojan or Malware? (Read 12632 times)


blackgold

    Is 'HDDefrag.exe' a Trojan or Malware?
    « on: May 05, 2013, 02:07:30 PM »
    I saw a program 'HDDefrag.exe' in the Processes tab of my Task Manager,
    which always uses about 100% of my CPU.
    It is located at C:\Documents and Settings\User Name\Application Data\Adobe\Flash Player\File Cache.

    When I searched Google for 'HDDefrag.exe', I got the following pages.
    http://greatis.com/blog/how-to-remove-malware/hddefrag-exe.htm
    http://www.averscanner.com/scan/4f/hddefrag-exe.shtml
    http://systemexplorer.net/file-database/file/hddefrag-exe/18927850

    These pages say that "The file HDDEFRAG.EXE can destroy your system,
    thus making the computer to work abnormally. It is identified as the Trojan
    Program that is used for stealing bank information and users passwords.".

    Is that right? 
    Do I have to remove 'HDDefrag.exe' from my computer?
    (How can I remove it?)

    SuperDave

    • Malware Removal Specialist
    • Moderator
    Re: Is 'HDDefrag.exe' a Trojan or Malware?
    « Reply #1 on: May 06, 2013, 12:49:28 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *************************************************************************
    Please download AdwCleaner by Xplode onto your Desktop.
    • Please close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with OK
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
    *********************************************
    Please download Malwarebytes Anti-Malware from here.
    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
    *************************************************
    Download Security Check by screen317 from one of the following links and save it to your desktop.

    Link 1
    Link 2

    * Double-click Security Check.bat
    * Follow the on-screen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt
    * Post the contents of that document in your next reply.

    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
    Windows 8 and Windows 10 dual boot with two SSD's

    blackgold

      Re: Is 'HDDefrag.exe' a Trojan or Malware?
      « Reply #2 on: May 10, 2013, 01:26:06 PM »
      I have downloaded AdwCleaner & MalwareBytes, and the scan results are given below.
      For 'Security Check', both links given by you lead to the same site, but I couldn't download it
      even after several tries.

      HDDefrag.exe is still shown in my Task Manager when my computer starts and eats
      the majority of my CPU.

      (1) AdwCleaner Scan Result:

      # AdwCleaner v2.300 - Logfile created 05/07/2013 at 09:50:20
      # Updated 28/04/2013 by Xplode
      # Operating system : Microsoft Windows XP Service Pack 2 (32 bits)
      # User : Madhu Kumar - ABC-28872D74A25
      # Boot Mode : Normal
      # Running from : C:\Documents and Settings\Madhu Kumar\desktop\adwcleaner.exe
      # Option [Delete]


      ***** [Services] *****


      ***** [Files / Folders] *****

      Deleted on reboot : C:\Documents and Settings\Madhu Kumar\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hiiickddnfnbflkhhfagaflkmpfjabjl
      Deleted on reboot : C:\Documents and Settings\Madhu Kumar\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mcmfgmhakbcbniknmlacoelldfiohmnm
      Folder Deleted : C:\Documents and Settings\All Users\Application Data\Berowisse22save
      Folder Deleted : C:\Documents and Settings\All Users\Application Data\Browsie2suayve
      Folder Deleted : C:\Documents and Settings\All Users\Application Data\InstallMate
      Folder Deleted : C:\Documents and Settings\All Users\Application Data\SoftSafe
      Folder Deleted : C:\Documents and Settings\Madhu Kumar\Local Settings\Application Data\PackageAware

      ***** [Registry] *****

      Key Deleted : HKCU\Software\AppDataLow\SProtector
      Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10B12E7E-5011-02EF-C8F5-7AD09D424D7C}
      Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{380040F4-312B-F07E-C0BA-789502D563A5}
      Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
      Key Deleted : HKLM\SOFTWARE\Classes\AppID\secman.DLL
      Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
      Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
      Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
      Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
      Key Deleted : HKLM\Software\SP Global
      Key Deleted : HKLM\Software\SProtector

      ***** [Internet Browsers] *****

      -\\ Internet Explorer v7.0.5730.13

      [OK] Registry is clean.

      -\\ Google Chrome v [Unable to get version]

      File : C:\Documents and Settings\Madhu Kumar\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

      [OK] File is clean.

      -\\ Opera v [Unable to get version]

      File : C:\Documents and Settings\Madhu Kumar\Application Data\Opera\Opera\operaprefs.ini

      [OK] File is clean.

      *************************

      AdwCleaner[S1].txt - [2487 octets] - [07/05/2013 09:50:20]

      ########## EOF - C:\AdwCleaner[S1].txt - [2547 octets] ##########

      ========================================================

      (2) MalwareBytes Scan Result:

      Malwarebytes Anti-Malware (PRO) 1.75.0.1300
      www.malwarebytes.org

      Database version: v2013.05.09.04

      Windows XP Service Pack 2 x86 NTFS
      Internet Explorer 7.0.5730.13
      Madhu Kumar :: ABC-28872D74A25 [administrator]

      Protection: Enabled

      5/10/2013 3:48:42 AM
      MBAM-log-2013-05-10 (08-34-28).txt

      Scan type: Full scan (C:\|D:\|E:\|F:\|)
      Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
      Scan options disabled: P2P
      Objects scanned: 283603
      Time elapsed: 2 hour(s), 59 minute(s), 5 second(s)

      Memory Processes Detected: 0
      (No malicious items detected)

      Memory Modules Detected: 0
      (No malicious items detected)

      Registry Keys Detected: 0
      (No malicious items detected)

      Registry Values Detected: 0
      (No malicious items detected)

      Registry Data Items Detected: 0
      (No malicious items detected)

      Folders Detected: 0
      (No malicious items detected)

      Files Detected: 7
      F:\System Volume Information\_restore{C29D0E16-2114-49CA-A226-02EEA1BAE97C}\RP86\A0023227.exe (Backdoor.Bot) -> No action taken.
      F:\System Volume Information\_restore{C29D0E16-2114-49CA-A226-02EEA1BAE97C}\RP86\A0023228.exe (Backdoor.Bot) -> No action taken.
      F:\System Volume Information\_restore{C29D0E16-2114-49CA-A226-02EEA1BAE97C}\RP86\A0023229.exe (Backdoor.Bot) -> No action taken.
      F:\System Volume Information\_restore{C29D0E16-2114-49CA-A226-02EEA1BAE97C}\RP86\A0023230.exe (Backdoor.Bot) -> No action taken.
      F:\System Volume Information\_restore{C29D0E16-2114-49CA-A226-02EEA1BAE97C}\RP86\A0023231.exe (Backdoor.Bot) -> No action taken.
      F:\System Volume Information\_restore{C29D0E16-2114-49CA-A226-02EEA1BAE97C}\RP86\A0023232.exe (Backdoor.Bot) -> No action taken.
      F:\System Volume Information\_restore{C29D0E16-2114-49CA-A226-02EEA1BAE97C}\RP86\A0023233.EXE (Backdoor.Bot) -> No action taken.

      (end)

      SuperDave

      Re: Is 'HDDefrag.exe' a Trojan or Malware?
      « Reply #3 on: May 10, 2013, 04:15:37 PM »
      Please run MBAM again and "Remove the infections".

      I'm required to give you this warning.


      One or more of the identified infections is a backdoor trojan.

      This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

      Read this article: Danger: Remote Access Trojans.

      If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one! If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

      I would counsel you to disconnect this PC from the Internet immediately.

      Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

      How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

      When Should I Format, How Should I Reinstall?

      We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

      Should you have any questions, please feel free to ask.

      Please let us know what you have decided to do in your next post.
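The two MBAM logs in this thread differ in one detail that decides SuperDave's advice: the first run left its seven Backdoor.Bot hits at "No action taken", the second actually quarantined. The parser below is an added example (not from the thread and not Malwarebytes' own code) for the MBAM 1.x log line format `<path> (<Category>) -> <action>.`; the sample log, the `{EXAMPLE}` restore-point id and the user name are constructed stand-ins.

```python
"""Triage a Malwarebytes Anti-Malware 1.x scan log: what still needs action, and is any hit a backdoor?"""
import re
from collections import Counter

# Constructed sample in the format of the logs posted in the thread (paths and ids are placeholders).
SAMPLE_LOG = """\
Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Files Detected: 3
F:\\System Volume Information\\_restore{EXAMPLE}\\RP86\\A0023227.exe (Backdoor.Bot) -> No action taken.
F:\\System Volume Information\\_restore{EXAMPLE}\\RP86\\A0023228.exe (Backdoor.Bot) -> No action taken.
C:\\Documents and Settings\\User\\Local Settings\\Temporary Internet Files\\Content.IE5\\X\\518e08d384ed7[1].exe (PUP.Adware.MultiPlug) -> Quarantined and deleted successfully.

(end)
"""

# One detection line: "<path> (<Category>) -> <action>."  (trailing period optional)
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<category>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_detections(log_text):
    """Return one dict (path, category, action) per detection line; header lines never match."""
    detections = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            detections.append(m.groupdict())
    return detections


def triage(log_text):
    """Summarise what a helper looks for first: untreated items, backdoor-class hits,
    and hits sitting in System Restore points (which persist until the restore data is cleared)."""
    detections = parse_detections(log_text)
    untreated = [d for d in detections if d["action"].startswith("No action taken")]
    backdoors = [d for d in detections if d["category"].lower().startswith("backdoor")]
    in_restore = [d for d in detections if "system volume information" in d["path"].lower()]
    return {
        "total": len(detections),
        "untreated": len(untreated),
        "backdoor": len(backdoors),
        "in_restore_points": len(in_restore),
        "by_category": dict(Counter(d["category"] for d in detections)),
        "needs_rerun": bool(untreated),  # the scan must be repeated with removal selected
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```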

      blackgold

        Re: Is 'HDDefrag.exe' a Trojan or Malware?
        « Reply #4 on: May 16, 2013, 10:53:19 AM »
        I have changed the banking passwords. (I am using QFX KeyScrambler).
        I will reformat my drives.

        You have not given any information about 'HDDefrag.exe'.
        It starts when my computer starts and shows in my Task Manager.
        I couldn't remove it from the startup programs by running 'msconfig'.

        ===========================================

        My last scan result is given below:

        Malwarebytes Anti-Malware (PRO) 1.75.0.1300
        www.malwarebytes.org

        Database version: v2013.05.11.06

        Windows XP Service Pack 2 x86 NTFS
        Internet Explorer 7.0.5730.13
        Madhu Kumar :: ABC-28872D74A25 [administrator]

        Protection: Enabled

        5/11/2013 10:15:54 PM
        mbam-log-2013-05-11 (22-15-54).txt

        Scan type: Full scan (C:\|D:\|E:\|F:\|)
        Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
        Scan options disabled: P2P
        Objects scanned: 284639
        Time elapsed: 5 hour(s), 23 minute(s), 26 second(s)

        Memory Processes Detected: 0
        (No malicious items detected)

        Memory Modules Detected: 0
        (No malicious items detected)

        Registry Keys Detected: 0
        (No malicious items detected)

        Registry Values Detected: 0
        (No malicious items detected)

        Registry Data Items Detected: 0
        (No malicious items detected)

        Folders Detected: 0
        (No malicious items detected)

        Files Detected: 1
        C:\Documents and Settings\Madhu Kumar\Local Settings\Temporary Internet Files\Content.IE5\4TK1YZCD\518e08d384ed7[1].exe (PUP.Adware.MultiPlug) -> Quarantined and deleted successfully.

        (end)

        SuperDave

        Re: Is 'HDDefrag.exe' a Trojan or Malware?
        « Reply #5 on: May 16, 2013, 11:13:05 AM »
        Quote from blackgold: "I will reformat my drives."
        If you're going to re-format your drives all this other stuff should disappear.
        You can run StartupLite and remove that HDDefrag.exe file.


        StartupLite

        Download StartupLite by MalwareBytes to your Desktop.
        Double-click StartupLite.exe to launch the program.
        Ensure the Disable box is checked.
        Click Continue.
        A pop-up message will tell you the unnecessary startup items in your list have been disabled and ask you to restart your computer.
        Re-start your computer.