VcCleanup.exe

[morocco31477]

I get an error message after a reboot, I have to hit OK then the desktop loads. Here is a hijack-this log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 3:18:26 PM, on 4/9/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\wwSecure.exe

C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\System32\hphmon04.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\ps2.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Sony\ImageStation\USB Direct Connect\SonyC2W.exe

C:\PROGRA~1\COMMON~1\FOTONA~1\EvLstnr.exe

C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Winamp\winamp.exe

C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://compaq.my.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus7.hpwis.com/

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe

O4 - HKLM\..\Run: [uSB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [ssAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe

O4 - HKLM\..\Run: [uSBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"

O4 - HKLM\..\Run: [sonyC2W] C:\Program Files\Sony\ImageStation\USB Direct Connect\SonyC2W.exe

O4 - HKLM\..\Run: [blockTracker] c:\hp\bin\BlockTracker.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\RunOnce: [VcCleanUp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\VcCleanUp.exe /F C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\ /RemoveAll

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)

O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab

O16 - DPF: Yahoo! MLB StatTracker - http://aud11.sports.sc5.yahoo.com/java/y/mlbst8408_x.cab

O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/assets/activ...ALStreaming.cab

O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes...ab?ver=1,1,0,32

O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes...ion=4,3,2,20802

O16 - DPF: {6B1B6D11-E497-11D3-BE0C-005004AD2E83} (ImageStation Home Printing Control) - http://akimages.imagestation.com/common/cl...rintActiveX.cab

O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab

O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,37

O20 - Winlogon Notify: avgwlntf - avgwlntf.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--

End of file - 11741 bytes

I'm fixing a friend's computer. Anyone know how to get rid of this? I tried deleting the registry string and it just comes back. I scanned with Ad-Aware and Spybot S&D.

Edited April 9, 2007 by morocco31477

[s3pHiX]

That's some files registered to Symantec -- try downloading this removal tool, and see if it gets rid of that file.. I've run into this issue alot with Symantec, and this is one of the best, if not the only way to remove it, when it doesn't want to work right thru the Add/Remove Programs, in the control panel Here's the download link to it -->Symantec Removal Utility

If that doesn't work, I'll see what else I can find.

Thanks,

Edited April 9, 2007 by s3pHiX

[Jeremy]

Use CCleaner to clean out all the Windows and 3rd party temp/cache on your PC. You'd be surprised how much HDD space is consumed by temp/cache files over time.

Note: Click the Download button, click "Other Builds" at the bottom of the next page and choose the "Slim" version.

If you have Norton installed, please use this tool to remove it.

Spyware:

Download, install and update both Ad-Aware SE Personal v1.06R1 (or Ad-Aware 2007 Beta 4) and Spybot S&D v1.4. Do full system scans with both and clean/fix any infections they report.

Viruses:

Download, install and update Kaspersky Anti-Virus v6.0.2.621. Do a full system scan and let it clean anything it reports. Reboot if an infection cannot be initially cleaned/deleted.

Kaspersky's trial lasts 30 days. If you wish to use this product for one year legally, use the AOL version labeled ActiveVirusShield.

If you prefer freeware then use Avast! Home Edition v4.7 or AntiVir v7.00.03.02. The latter has an even higher detection rate than Kaspersky and NOD32. For more information about anti-virus products, please visit http://www.av-comparatives.org.

What is the error message? It is not always spyware or a virus. Please provide more information and screenshots.

Edited April 9, 2007 by Jeremy

[morocco31477]

OK the Norton uninstall tool and CCleaner both did not work. Here is a picture of the error:

Any other ideas?

[bledd]

paste the log in here

http://hijackthis.de/

remove the nasties!

[s3pHiX]

Okay, here's the info on that file.... VcCleanup.exe -- The following information gives a description of what it applies to, and does.

Symantec Venice Component CleanUp. This is a cleanup task which is installed by many of the Symantec products (Norton AntiVirus, Internet Security, PCAnywhere) when you do a manual LiveUpdate and where one of the updates is an update to the LiveReg Symantec program. The purpose of this startup entry is to perform post-LiveUpdate clean-up tasks on the next reboot of the PC – once those clean-up tasks have been performed, this entry is automatically removed from the Startups tab.

Ok, here's what you need to do to get rid of the pop-up message.

1st -- Go to Start -- Run -- type MSCONFIG -- and go to the startup tab, and find that VcCleanup.exe start up key in there, and delete it.

then

2nd -- Go to Start -- Regedit, and navigate to these keys, once there delete anything in there relating to the VcCleanup.exe, as well as Symantec -->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

That should stop the popup message from loading on your PC, if this still does not resolve the issue, please let me know, and I'll do some more research for you.

Thanks,

Edited April 10, 2007 by s3pHiX

[moongoon]

Just some additional data points..

I had the same problem. I didn't find any hits on vccleanup.exe in the registry, but when I uninstalled some leftover Symantec components the error message went away.

[Tarun]

I would avoid hijackthis.de, as it is an automated log analysis and can flag things that are completely safe.

Since your issue is related to a Symantec product, try using SymNRT.

[morocco31477]

Thanks for all the help people.

There is nothing in my msconfig\startup tab for VcCleanup. Also out of all those registry points, the only one where I see anything for Symantic or vccleanup is in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce. But when I delete that string, it just re-creates itself.

[s3pHiX]

Thanks for all the help people.

There is nothing in my msconfig\startup tab for VcCleanup. Also out of all those registry points, the only one where I see anything for Symantic or vccleanup is in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce. But when I delete that string, it just re-creates itself.

Ok, next thing I would recommend is going into Safe Mode, and deleting all the references of that VcCleanup.exe file that way, going thru all the windows temp folders, as well as the registry Keys I posted above, and run the Symantec Removal Tool under Safe Mode.

I would also do a search of all HDD's installed in your system for the file, if any are found navigate to where they reside, and delete any reference that it may find.

Other than that, I really can't think of much else right now.

Hope this helps

[morocco31477]

The Symantec System Removal Tool cannot be run under safe mode. I also deleted the registry key while in safe mode and still got the error. I forgot to do a system search for the file, I'm going to try that real quick.

[morocco31477]

Search did not find any "vccleanup.exe" files. When I delete the string in the registry under safe mode, it starts normally. But it re-creates itself, so when I do a normal restart, I get the error again.

[Jeremy]

VCCleanup.exe

This is a Symantec file so yes the SymNRT should remove it. Otherwise it's a trojan/worm that you should use Kaspersky or NOD32 to delete. I provided a link to those to-notch anti-virus products in my original post.

[bah80]

Hi,

I was pulling my hair out over this one too.

Using Ad-Aware, I was able to find out that when you uninstall Norton Ghost 10, it reboots and on that following boot it puts that VCCleanup.exe in the temp folder.

It then expects it to be there at the following boot and then adds a reg entry to run it at that next boot. However, the id*** uninstaller program deletes it right before that boot.

So you get stuck with that **** error message for good.

What I did was to reinstall the app, and grab the VCCleanup.exe file before it deletes it. Then I put it back after it had deleted it and allowed the 2nd reboot to happen. Once it was able to run the VCCleanup.exe it deleted the RunOnce reg entry and everything is cool now.

In summary, just place the VCCleanup.exe file (which I've attached) into your temp directory and reboot once. After that, you can clean out the temp dir and you're good to go.

Enjoy.

-- Baseer :-)

VcClnUp0.exe