Hwclock is a Unix and Linux command; the name stands for Hardware Clock.
Hwclock should not be confused with hwclock.exe, which is a trojan that
attacks Windows 32 systems.
Malware is often named something that sounds legitimate (such as sysclock64.exe)
so that it is harder to detect. The registered name for hwclock.exe is
W32.Hwbot-A Trojan. It is a trojan that allows an attacker to access your
system and possibly steal passwords and personal data.
How to detect the HWCLOCK.EXE Trojan/W32.Hwbot-A Trojan?
The telltale sign of any malware on a system is sluggish resources. This
means your computer seems slower, your network connection doesn't seem
as fast and, of course, the system becomes unstable.
There are tools that you can use to see if your system has the HWCLOCK.EXE
Trojan.
TASK MANAGER:
Use Ctrl + Alt + Delete and select "Task Manager", or Ctrl
+ Shift + Esc on an XP machine.
From the Task Manager go to the "Processes" tab. Locate
hwclock.exe. Normally you would be able to select the offending process
and click the "End Process" button to stop it, but hwclock.exe
is viewed as a system file, so you won't be able to kill it that way.
NETSTAT
Go to Start | Run | type "cmd"
This will bring up a DOS Command prompt. Type "netstat"
You will see a list of your network activity
HWCLOCK.EXE will try and attack other systems from your
computer. So you will see a constant stream of traffic going from your
system to other systems using your ISP. This can get you in
some trouble. If your ISP detects this they can shut you down until
the trojan is removed.
Netstat is good at showing the flow of traffic on the network, but fport
will actually show which applications are using which ports.
Once fport is downloaded, go to the command prompt and type "fport".
Look for hwclock.exe. If you have the W32.Hwbot-A Trojan
you won't have any trouble finding it with fport because it will be the
one probing your ISP's users one by one to find one it can exploit.
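The pattern described above, one process opening connections to many
different hosts, can be picked out of netstat output mechanically. The
following is an added example, not part of the original article: it assumes
the output of "netstat -ano" (which adds the owning PID to each row), a
constructed sample capture, and an arbitrary threshold of four hosts.

```python
from collections import defaultdict

# Constructed sample of `netstat -ano` output. Addresses are documentation
# ranges; ports and PIDs are made up, not observed W32.Hwbot-A behaviour.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1038      198.51.100.20:80       ESTABLISHED     2216
  TCP    192.168.1.10:1041      203.0.113.1:445        SYN_SENT        1432
  TCP    192.168.1.10:1042      203.0.113.2:445        SYN_SENT        1432
  TCP    192.168.1.10:1043      203.0.113.3:445        SYN_SENT        1432
  TCP    192.168.1.10:1044      203.0.113.4:445        ESTABLISHED     1432
  TCP    192.168.1.10:1045      203.0.113.5:445        SYN_SENT        1432
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  UDP    0.0.0.0:1026           *:*                                    1032
"""

# States that mean a connection is being opened or is open.
ACTIVE_STATES = {"SYN_SENT", "ESTABLISHED"}


def parse_connections(text):
    """Yield (remote_ip, remote_port, state, pid) for every TCP row."""
    for line in text.splitlines():
        fields = line.split()
        # A TCP row has exactly: Proto, Local, Foreign, State, PID.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        remote_ip, _, remote_port = fields[2].rpartition(":")
        if remote_port.isdigit() and fields[4].isdigit():
            yield remote_ip, int(remote_port), fields[3], int(fields[4])


def find_fanout(text, min_hosts=4):
    """Return sorted (pid, remote_port, hosts) for each process with active
    connections to at least min_hosts different hosts on one remote port."""
    hosts = defaultdict(set)
    for ip, port, state, pid in parse_connections(text):
        if state in ACTIVE_STATES:
            hosts[(pid, port)].add(ip)
    return sorted((pid, port, sorted(ips))
                  for (pid, port), ips in hosts.items()
                  if len(ips) >= min_hosts)


if __name__ == "__main__":
    for pid, port, ips in find_fanout(SAMPLE_NETSTAT):
        print(f"PID {pid}: {len(ips)} hosts contacted on port {port}")
```

A flagged PID can then be matched to its image name on the Task Manager
"Processes" tab once the PID column is enabled.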
How to get rid of HWCLOCK.EXE/W32.Hwbot-A Trojan?
To get rid of HWCLOCK.EXE you'll have to go into Safe Mode. Getting into
Safe Mode on any flavor of Windows is simple.
You just reboot and hit the "F8" key
like a mad man until you are prompted to select a different mode in which
to boot. Select "Safe Mode." For more on Safe Mode, PCHELL has
a great tutorial on getting into Safe Mode.
You will want to show all files and system files.
With this step, make sure you uncheck "Hide Operating System files" if
you are on a 2k/XP system.
Windows 95
• Open My Computer.
• Select the View menu and click Options.
• Select the View Tab.
• Select the Show all files Radio Button.
• Click OK.
Windows 98
• Open My Computer.
• Select the View menu and click Folder Options.
• Select the View Tab.
• In the Hidden files section select Show all files.
• Click OK.
Windows ME (Get rid of this horrible OS)
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Show hidden files and
folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.
• Click Start, Programs and Accessories and open Windows Explorer.
• Select a hard drive from the left hand side of the Windows Explorer window.
• Select View the Entire contents of this drive.
Windows 2000
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Show hidden files and
folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.
Windows XP
• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Show hidden files and
folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.
Your next step is to locate and delete the HWCLOCK.EXE file while
in Safe Mode.
It should be in your System32 folder. Do a search for HWCLOCK.EXE by
going to Start | Search and typing in Hwclock.exe. If you cannot find the
offending trojan but you know it is running, make SURE you are "Showing
all files."
Once you find it, delete it.
How can I protect myself from malware like this?
Trojans and other malware get on your system in a variety of ways:
• Email attachments
• Unscanned disks
• Websites
• P2P applications such as Kazaa
• Freeware/shareware
• Plugging into the Internet with no protection
The biggest problem is that people are ignorant as to how bad the problem
is.
There are currently so many "bots" constantly polling the Internet
for systems with no security that you can literally be compromised within
SECONDS of plugging into the Internet with no protection. I got the
Hwclock.exe while I was testing out my new DSL connection. It only took a
few minutes. I imagine it found me the same way it was trying to find other
exposed systems on my ISP once it infiltrated my system.
Either secure your Internet Explorer browser or use Firefox and secure
that one (either way, secure your browser) with pop-up stoppers, and delete
cookies and temp files periodically.