i have a problem with the file hclean32.exe.
this malware seems to cause small pop up balloons in the corner of my desktop stating windows security issues. i have followed all the preperation steps and believe me i ahve all the decent programs to wipe such anoyances but it still re-installs every start-up.
norton find the file, says it cant fix it, quanantines it , and them the opo-uup ballons start.
the only thing i could not do from the pre-post list was get all the windows updates to install. i recived this messege:
unable to install
Microsoft .NET Framework 1.0 Service Pack 3, English Version
oh and i dont use service pack two yet, this was the 1a update.
i have recently had some other spyware problems like:
IST.ISTbar
coolwebsearch.searchx
and a home page change to;
jimbutts.......
however i think that i have managed to get rid of these already, but you can never be too sure.
here is my hijackthis log:-
Logfile of HijackThis v1.99.1
Scan saved at 20:24:13, on 08/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
C:\PROGRA~1\iolo\SYSTEM~1\PopupStopper.exe
C:\Program Files\iolo\System Mechanic 5\StartupGuard.exe
C:\New Folder\SpySub.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\EzButton VE 2.14\EzButton.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
C:\WINDOWS\REGEDIT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Documents and Settings\Philip Lyon\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R3 - Default URLSearchHook is missing
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {29EE5CD9-7371-41B9-B204-D17145DD9495} - (no file)
O2 - BHO: Bugnosis - {3A6514CD-A457-11D4-8AF3-000102686B79} - C:\Program Files\Bugnosis\WebBug.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\PROGRA~1\iolo\SYSTEM~1\PopupStopper.exe"
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5\StartupGuard.exe"
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: EzButton.lnk = C:\Program Files\EzButton VE 2.14\EzButton.exe
O4 - Startup: SpySubtract.lnk = C:\New Folder\SpySub.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\New Folder\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Bugnosis - {630CB4FA-AA9E-4bf2-BBD1-81C239203E2F} - C:\Program Files\Bugnosis\WebBug.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124301119631
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124301101625
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} -
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{89EC5EEA-3832-44DC-8FCD-C1FEAC09184D}: NameServer = 195.95.218.1 85.255.112.7
O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Program Files\AVPersonal\AVWUPSRV.EXE (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MSSQLSERVER - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe (file missing)
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
O23 - Service: SQLSERVERAGENT - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - Unknown owner - C:\WINDOWS\wanmpsvc.exe (file missing)
plus here are my running processes
Process list saved on 20:27:14, on 08/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
[pid] [full path to filename] [file version] [company name]
324 C:\WINDOWS\System32\smss.exe 5.1.2600.1106 Microsoft Corporation
400 C:\WINDOWS\system32\csrss.exe 5.1.2600.0 Microsoft Corporation
424 C:\WINDOWS\system32\winlogon.exe 5.1.2600.1557 Microsoft Corporation
468 C:\WINDOWS\system32\services.exe 5.1.2600.0 Microsoft Corporation
480 C:\WINDOWS\system32\lsass.exe 5.1.2600.1106 Microsoft Corporation
680 C:\WINDOWS\system32\svchost.exe 5.1.2600.0 Microsoft Corporation
704 C:\WINDOWS\System32\svchost.exe 5.1.2600.0 Microsoft Corporation
856 C:\WINDOWS\System32\svchost.exe 5.1.2600.0 Microsoft Corporation
880 C:\WINDOWS\System32\svchost.exe 5.1.2600.0 Microsoft Corporation
988 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe 1.0.0.37 Symantec Corporation
1064 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE 1.0.0.1026 SuperAdBlocker.com
1100 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.1699 Microsoft Corporation
1200 C:\WINDOWS\System32\alg.exe 5.1.2600.1106 Microsoft Corporation
1224 C:\Program Files\ewido\security suite\ewidoctrl.exe 3.0.0.1 ewido networks
1244 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe 7.0.9064.9150 Microsoft Corporation
1264 C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe 9.0.5.1015 Symantec Corporation
1288 C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE 16.0.0.22 Symantec Corporation
1316 C:\WINDOWS\System32\nvsvc32.exe 6.13.10.4230 NVIDIA Corporation
1460 C:\WINDOWS\System32\snmp.exe 5.1.2600.1106 Microsoft Corporation
1476 C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe 7.0.0.24 Symantec Corporation
216 C:\WINDOWS\Explorer.EXE 6.0.2800.1106 Microsoft Corporation
376 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe 7.2.5.0 Synaptics, Inc.
396 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe 7.2.5.0 Synaptics, Inc.
528 C:\Program Files\Microsoft AntiSpyware\gcasServ.exe 1.0.0.615 Microsoft Corporation
632 C:\Program Files\Common Files\Symantec Shared\ccApp.exe 1.0.0.104 Symantec Corporation
752 C:\WINDOWS\SOUNDMAN.EXE 5.0.0.3 Avance Logic, Inc.
736 C:\WINDOWS\LTSMMSG.exe 3.1.113.0 Lucent Technologies
840 C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe 301.0.0.12 THOMSON Telecom Belgium
1456 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe 1.0.9.2 Symantec Corporation
1232 C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe 9.7.0.9 BillP Studios
1624 C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe 1.0.0.615 Microsoft Corporation
2068 C:\WINDOWS\System32\ctfmon.exe 5.1.2600.1106 Microsoft Corporation
2096 C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe 1.1.0.10
2120 C:\PROGRA~1\Cacheman\Cacheman.exe 5.5.0.30 Outer Technologies
2160 C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe 2.0.0.1130 SuperAdBlocker.com
2176 C:\PROGRA~1\iolo\SYSTEM~1\PopupStopper.exe 5.5.1.0 iolo technologies, LLC
2196 C:\Program Files\iolo\System Mechanic 5\StartupGuard.exe 5.5.1.0 iolo technologies, LLC
2420 C:\New Folder\SpySub.exe 1.0.1.49 InterMute, Inc.
2464 C:\Program Files\BHODemon 2\BHODemon.exe 2.0.0.23 Definitive Solutions, Inc.
2488 C:\Program Files\EzButton VE 2.14\EzButton.exe 1.0.0.1
2532 C:\Program Files\SpywareGuard\sgmain.exe 2.2.0.1
2612 C:\Program Files\SpywareGuard\sgbhp.exe 2.2.0.1
2836 C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe 1.0.0.104 Symantec Corporation
2968 C:\WINDOWS\REGEDIT.EXE 5.1.2600.1106 Microsoft Corporation
3092 C:\Program Files\Messenger\msmsgs.exe 4.7.0.2010 Microsoft Corporation
3380 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.0.2800.1106 Microsoft Corporation
3064 C:\Program Files\Windows NT\Accessories\wordpad.exe 5.1.2600.1606 Microsoft Corporation
3440 C:\Documents and Settings\Philip Lyon\Desktop\HijackThis.exe 1.99.0.1 Soeperman Enterprises Ltd.
3520 C:\WINDOWS\system32\NOTEPAD.EXE 5.1.2600.0 Microsoft Corporation
any help here would be awesome. please i need a clean system for uni purposes
many thanks in advance
phil.