New Member with a Unmovable Trojan Behind

StealthBD · #1 (**permalink**) 07-03-2007, 03:03 AM

Hello there, im new to this forum and I'm having an issue with an annoying problem that have been slowly agglomerating lately. This is my story.. Everything was normal until suddenly a windows popped off and said Trend Micro PC-Cillin Alert.. TROJ_Generic.ADV... and I thought.. AHA! lets have some fun deleting anomalities... but to tell you the truth.. the fight to kill this.. was one not to be lived again to see... I had every weapon available.. Registry Mechanics, Spyware Doctor S&D, HijackThis, ClCleaner, Killbox, House Call (Online Trend Micro PC-Cillin anti-virus scanner)...
also I tried the following Restarted PC Safe mode twice.. the file was deleted in safe mode TWICE.. but guess what.. in normal mode there it was again.. I've luckly detected the file causing all this trouble... it was located in the Temp Folder
name: clclean.0001.dir.0000
This name may sound familiar but thanks to Neal I found D-A-L..
Neal didn't do anything but thanks to this link darn trojans(RESOLVED)
I found the site that could here my problem...
I can see someone had the similar problem that I have.. but his case was a bit different... he solved his issue by deleting the file from the task manager... I tried doing so.. found the file.. but it still won't come off the Temp folder.. if there is someone who can help me with my bad situation is Neal, thanks for every readers kind comprehension.

VopThis · #2 (**permalink**) 07-03-2007, 04:57 AM

Infections are not often just one file. The following two (2) scans and fixes will attempt to diagnose and address any detectable issues.

You will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.

Download and install AVG Anti-Spyware 7.5 (AVG AS - formally known as Ewido anti-spyware 4.0 - uninstall any previous version first).

Click the Download BUTTON. On the next page click the Download now BUTTON.
Save and then install (Run) from the save location.
Open/Run AVG Anti-Spyware
Wait a few moments and AVG Anti-Spyware should Auto update itself (note date of last update). If it doesn't update, click the update ICON at top of screen:
Quote:
Click on the Update now LINK at the top of the window
Click on the Start update button

Wait for the update to download and install
This is very important to get the LATEST updates.
Click on the Status ICON
- Under "Your computers Security"
  Click change status on Resident shield to inactive (ONLY consider activation of that feature once you are clean)
Click on the Scanner ICON at the top of the window
Click on the Settings tab then select Recommended Actions and choose Quarantine
When updating has finished. Close AVG Anti-Spyware.

We will be using this tool in a later step.

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware , and run a full scan:

Click on the default Status ICON and select the Scan now LINK.

OR
Click on the Scanner ICON . Select the Scan TAB.
- Select Complete System Scan. AVG Anti-Spyware will now begin to scan your system.

If AVG Anti-Spyware finds anything it will list them in the Preview WINDOW:
- Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
- Select Apply all actions at the bottom of the window (and the items found will be quarantined – and recoverable, if any items are needed back).
When the scan has completed, click on the Save Scan Report button and save the scan to your Desktop where it can be easily found.
Copy and paste the AVG Anti-Spyware scan results into your next post.
Close AVG Anti-Spyware.

REBOOT and Post your latest HijackThis log. And, let us know how your PC is now behaving – any changes in behavior.

StealthBD · #3 (**permalink**) 07-03-2007, 02:23 PM

Thanks for giving quick assistance VopThis, ok.. I downloaded the Ewido anti-spyware 4.0, scanned the system files with it.. and created a Log from it.. here are my results..
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:22:48 AM 3/7/2007

+ Scan result:

C:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Cleaned.
:mozilla.18:C:\Documents and Settings\Stefan de Rooy\Application Data\Mozilla\Firefox\Profiles\63rytmqu.default\coo kies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Stefan de Rooy\Cookies\stefan_de_rooy@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.28:C:\Documents and Settings\Stefan de Rooy\Application Data\Mozilla\Firefox\Profiles\63rytmqu.default\coo kies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.29:C:\Documents and Settings\Stefan de Rooy\Application Data\Mozilla\Firefox\Profiles\63rytmqu.default\coo kies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.30:C:\Documents and Settings\Stefan de Rooy\Application Data\Mozilla\Firefox\Profiles\63rytmqu.default\coo kies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.31:C:\Documents and Settings\Stefan de Rooy\Application Data\Mozilla\Firefox\Profiles\63rytmqu.default\coo kies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.17:C:\Documents and Settings\Stefan de Rooy\Application Data\Mozilla\Firefox\Profiles\63rytmqu.default\coo kies.txt -> TrackingCookie.Tribalfusion : Cleaned.

::Report end

ok.. here is what it found.. but it didn't seem to spot the file I wanted it to... the clclean0001.dir.0000 sometimes it runs on the task Manager.. when I remove it.. it reappears on the next windows restart..and worst.. it still won't leave the temp file. but lets follow your procedure and see what happens....

VopThis · #4 (**permalink**) 07-03-2007, 03:57 PM

I need the requested HijackThis LOG in order to proceed. That one known infected file is likely being protected and/or being reinstated by other RELATED infected files. TO BE CLEAR HERE: You said the file of interest appears to delete which is a very different situation from a file refusing to be deleted.

Alternately,

Your best option may be to try a system restore point (if available) to a date before any known problems or before you started performing any recent fixes?

Click on Start>All Programs>Accessories>System Tools>System Restore.

Check Restore my computer to an earlier date> Click Next.

Choose the date before you performed any recent fixes and click Next and Next again.

Once rebooted, please post a revised HJT log. Do not uninstall anything.

StealthBD · #5 (**permalink**) 07-03-2007, 04:20 PM

HijackThis Log after running system restore... thanks again for the quick reply..

Logfile of HijackThis v1.99.1
Scan saved at 12:14:50 PM, on 3/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\DOCUME~1\STEFAN~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\PROGRA~1\COMMON~1\AOL\116181~1\EE\AOLHOS~1.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\COMMON~1\AOL\116181~1\EE\AOLServiceHos t.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Stefan de Rooy\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.ca/ig/dell?hl=en&c...ca&ibd=6061025
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161810115\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecial Action
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DL L
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

VopThis · #6 (**permalink**) 07-03-2007, 07:30 PM

ClClean appears to be a known legitimate file. Did you recently install a cleanup tool? Is it still on your PC or did you get a less than complete uninstall? See link below:

http://fileinfo.prevx.com/filesearch...h=clclean.0001

Is your PC still reporting or showing indications of a malware infection?

Be aware that the above file may be incorrectly diagnosed as infected (is a false positive). Might consider uninstalling the less well known cleaner if you installed it yourself. Or completely reinstall and then try to get a clean uninstall.

StealthBD · #7 (**permalink**) 07-03-2007, 11:08 PM

Well.. you are absolutely right, I have a program called Ccleaner Installed.. but the file named clclean.0001.dir.0000 was there BEFORE I installed it.. I just recently installed the Ccleaner program because I thought it would ''clean'' the malicious file.. The program itself cleaned specifically the Temp folder.. but to my disgrace it did not clean the one file..

check this out
http://forums.spywareinfo.com/index.php?showtopic=95384
this fella have the exact same problem as I have but this time he contacted the Trend Micro PC-Cillin Anti-virus trusted website.. and the exact same thing happened with me.. 2 days ago it popped up as TROJ_Generic.ADV on the PC-Cillin Anti-virus scanner.. now.. it's gone.. but the file is still active in the Temp folder.. it slowly creates different small sized files.. and I have to go every time and delete these...

now about the definition of the malaware... the definition you gave me is more contextualized then the one I saw fron the Anti-virus Scanner.. in the scanner it said it was a low threat Trojan..
http://www.trendmicro.com/vinfo/viru...ENERIC&VSect=P

Do I still proceed in uninstalling the program named Ccleaner?.. as I said.. the malaware was there before the program was installed.. I installed this program in a desperate attempt to remove the malaware.... . any suggestions from you are most welcome right now... now if you please, give me the next step..

OK then.. I will do what you just said.. reinstall the Clcleaner and Uninstall it completely afterwards...
(plz post the next step so we can hasten through the necessary steps..)

sorry to ask you this man.. but.. am I being clear to you?

VopThis · #8 (**permalink**) 08-03-2007, 12:02 AM

Ccleaner has no known relationship to clclean.0001 as I have that tool but no such file.

Might try the following:

Go back even further on selected 'restore point' date.

OR,

If a file stubbornly refuses to be deleted by conventional means, HijackThis (version 1.98.2 onward) provides a method to have Windows delete the file as it boots up, before the file has the chance to load. To do this, follow these steps:

How to use the Delete on Reboot tool (in HijackThis)

Start Hijackthis
Click the ‘Open the Misc Tools section’ button
Click on the button labeled ’Delete a file on reboot...’
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the ‘Yes’ button if you would like to reboot now, otherwise click on the ‘No’ button to reboot later.

StealthBD · #9 (**permalink**) 08-03-2007, 12:38 AM

Hate to tell you this.. but I have no previews restore point in system restore.. I tried what you told me to do in the HijackThis Program (Using the Delete on Reboot Tool..)... I tried to delete the file twice.. but everytime I restarted.. it ran in the background of the task manager.. occupying total memory space of 2,500ish... and when I go to the temp folder.. there it is again.. intact...
we must understand here that this clclean.0000.dir.0000 so called by my computer TROJ_Generic.ADV is a sub-folder containing 2 small files...
here are the name of these
~df394b
and
~efe2
these are contained inside the sub-folder called clclean.0001.dir.0001
and when I restart each time it creates another clclean.0001.0002 (but renamed with a ''2'' at the end.. and so on so forth... the replicas.. are easily deletable when I delete them with the Ccleaner program.. but the original file is unmovable and undeletable.. I really don't know what to do.. I think we are running out of ideas.. aren't we?

-Man thanks alot for all the info... really.. it's very kind of you helping people with these situations..

VopThis · #10 (**permalink**) 09-03-2007, 05:26 AM

UPDATE:

Have found a DELL forum link on your issue but have had to use Google cache entry since the page is not currently displaying properly for me.

http://www.google.ca/search?hl=en&q=...G=Search&meta=
http://forums.us.dell.com/rss/board?board.id=si_virus
http://209.85.165.104/search?q=cache...lnk&cd=1&gl=ca

TOPIC TITLE: Software - Virus/Spyware

Quote:

The files in clclean.001 etc. are created/launched by some of the Sound Blaster Audiology software from Creative Labs. Apparently it is part of their license verification. It appears we have to tolerate this trojan in order to use their software.

Quote:

...what I did to turn the software off. It seems to work. I will try to get to it this evening. In loose terms, I looked through the startup items (using msconfig) and the services (using the services program under administrative tasks in the control panels) to disable startup items/services related to creative labs stuff. I didn't need to delete anything. When those items were no longer started, the directories 'clclean.001.****' and the subitem which registers as a trojan were no longer created/present.