clock.exe in windows xp is using 10 - 20% of my cpu

[Ed]

Hi,

clock.exe in windows xp sp1 is using 10 - 20% of my cpu (1Ghz), and I
can't figure out why, or if this is even a legitimate windows process.

It started roughly 2-3 weeks ago. I've run the latest spybot 1.3
with updates, but it didn't find clock.exe to be a problem. I also run
AVG antivirus, and it scans the whole PC every day.

Programs I've recently added are:

emule
mozilla and mozilla calendar
firefox
spampal
tightvnc
dantz retrospect
cygwin
winamp5
and others...


Does anyone know more about this process?

thanks,

-Ed

 

[John McGaw]

Hi,

clock.exe in windows xp sp1 is using 10 - 20% of my cpu (1Ghz), and I
can't figure out why, or if this is even a legitimate windows process.

It started roughly 2-3 weeks ago. I've run the latest spybot 1.3
with updates, but it didn't find clock.exe to be a problem. I also run
AVG antivirus, and it scans the whole PC every day.

Programs I've recently added are:

emule
mozilla and mozilla calendar
firefox
spampal
tightvnc
dantz retrospect
cygwin
winamp5
and others...


Does anyone know more about this process?

thanks,

-Ed

My wild guess would be the mozilla calendar program but only because it
deals with time. But the easy way to find out is to simply run a search for
clock.exe and see if it turns up in some directory that can tie it to a
particular install. For example if the search turns up clock.exe in a
mozilla folder and nowhere else you can make a good guess about what it is
doing and how it got there.
--
John McGaw
[Knoxville, TN, USA]

Return address will not work. Please
reply in group or through my website:
http://johnmcgaw.com

 

[Chuck]

Hi,

clock.exe in windows xp sp1 is using 10 - 20% of my cpu (1Ghz), and I
can't figure out why, or if this is even a legitimate windows process.

It started roughly 2-3 weeks ago. I've run the latest spybot 1.3
with updates, but it didn't find clock.exe to be a problem. I also run
AVG antivirus, and it scans the whole PC every day.

Programs I've recently added are:

emule
mozilla and mozilla calendar
firefox
spampal
tightvnc
dantz retrospect
cygwin
winamp5
and others...


Does anyone know more about this process?

thanks,

-Ed

Ed,

In addition to identifying clock.exe by its folder location, you can find out
beaucoup details with Process Explorer (free) from
<http://www.sysinternals.com/ntw2k/freeware/procexp.shtml>. Provides way more
information than Task Manager. You can look at any process and see what modules
it contains, and who wrote or distributed each module. And graph its memory and
CPU usage.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

 

[king_douglas]

Sounds like a virus, I find it strange that clock.exe is running. If you use
task manage to end clock.exe, does the clock in the system tray go away? I
would imagine it doesn't, I would update your virus defs, scan, then try
another virus scanner, such as Symantec. They have a free one at...

http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym

Also, please read...

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]


Good luck.

 

[Ed]

Thanks guys.

Well, I found it in:
C:\WINDOWS\Pluglns

It was there with a bunch of trojan horse files all dated 5/30/2004
hmmm, I was out of town that whole weekend, too. (May need to have a
talk with my roommates who use my computer.)

So, my machine was turned into a spam generator by clock.exe and some
associated files. I don't know exactly how I was infected, but this
is scary.

I am using Spybot 1.3, Ad-aware (latest release), and AVG anti-virus.
All were updated today w/ latest updates and ran full scans. Not one
caught this while it was running.

It's very obvious when I view my Tiny Firewall Status Window. Just
dozens of smtp connections flooding out of my nic. (I know, I know,
why didn't I have Tiny Firewall actually protecting my machine?...ok,
I enabled it now.)

I will send this to all three companies, but in the meantime, here's a
list of files stored in: C:\WINDOWS\Pluglns (note the spelling of
Plugins with a lowercase 'L' instead of 'i')

clock.exe 128KB
froms.txt 8KB
MSWINSCK.OCX 107KB
subjects.txt 1KB
txtmailbody.txt 1KB
w0.txt 263KB
w1.txt 255KB
w2.txt 240KB
w3.txt 240KB
w4.txt 263KB
w5.txt 265KB
w6.txt 289KB
w7.txt 270KB

 

[Chuck]

Thanks guys.

Well, I found it in:
C:\WINDOWS\Pluglns

It was there with a bunch of trojan horse files all dated 5/30/2004
hmmm, I was out of town that whole weekend, too. (May need to have a
talk with my roommates who use my computer.)

So, my machine was turned into a spam generator by clock.exe and some
associated files. I don't know exactly how I was infected, but this
is scary.

I am using Spybot 1.3, Ad-aware (latest release), and AVG anti-virus.
All were updated today w/ latest updates and ran full scans. Not one
caught this while it was running.

It's very obvious when I view my Tiny Firewall Status Window. Just
dozens of smtp connections flooding out of my nic. (I know, I know,
why didn't I have Tiny Firewall actually protecting my machine?...ok,
I enabled it now.)

I will send this to all three companies, but in the meantime, here's a
list of files stored in: C:\WINDOWS\Pluglns (note the spelling of
Plugins with a lowercase 'L' instead of 'i')

clock.exe 128KB
froms.txt 8KB
MSWINSCK.OCX 107KB
subjects.txt 1KB
txtmailbody.txt 1KB
w0.txt 263KB
w1.txt 255KB
w2.txt 240KB
w3.txt 240KB
w4.txt 263KB
w5.txt 265KB
w6.txt 289KB
w7.txt 270KB

Ed,

That's excellent news (that you found it, NOT that you have it). Thanks for
updating us.

You might want to post this in alt.comp.virus and
microsoft.public.security.virus also - there might be somebody knowledgeable
there.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.