Spy Sheriff [RESOLVED]


  • This topic is locked

#31
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You are more than welcome! I will leave this topic open in case you run into any more problems - feel free to post any concerns!

Personally, I prefer Kerio or Sygate to the XP firewall. Both work great! :tazz:
  • 0

#32
jacey32

jacey32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
OK, if you don't mind, I have a few more questions! But then that should be it!

1) Since I downloaded the Sygate firewall, I've been figuring out what processes should be running and which shouldn't (with the help of processlibrary.com) and it turns out I have this svchost.exe file which shouldn't be running (so I blocked it with the firewall) but I would like to get rid of it. Is it as simple as just finding the file and deleting it? It is in the system32 folder.

2) Ewido has been giving me an alert about a file called msclock32.dll, also in system32 folder, which it identifies as a "dialer.generic". Ewido keeps telling me it will clean this after reboot, but when I reboot I get another warning about the same thing. Again, should I just find the file and delete it?

I hope these are easy questions! Thanks.
  • 0

#33
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts

> OK, if you don't mind, I have a few more questions! But then that should be it!
>
> 1) Since I downloaded the Sygate firewall, I've been figuring out what processes should be running and which shouldn't (with the help of processlibrary.com) and it turns out I have this svchost.exe file which shouldn't be running (so I blocked it with the firewall) but I would like to get rid of it. Is it as simple as just finding the file and deleting it? It is in the system32 folder.


svchost.exe is a legitimate system file which should be running. There is no need to block this and definitely do NOT delete that file!

> 2) Ewido has been giving me an alert about a file called msclock32.dll, also in system32 folder, which it identifies as a "dialer.generic". Ewido keeps telling me it will clean this after reboot, but when I reboot I get another warning about the same thing. Again, should I just find the file and delete it?

It needs to go. Let's make sure that's the only one (we will take care of it!)

Please download RKFiles from here:
http://skads.org/special/rkfiles.zip
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode.
Once in Safe Mode, please run RKFiles.bat. It may take a while. When it is finished a window should appear with a log.

Restart your computer in normal mode, and please post the contents of the logfile, which should be at c:\log.txt.
  • 0

#34
jacey32

jacey32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Sorry, I was confusing evchost.exe (which I do not have) and svchost.exe - thanks for straightening me out on that point.

Here are the contents of the log.txt file:

C:\Documents and Settings\Owner\Desktop

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\msclock32.dll: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye
  • 0
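
The log above pairs each path with the marker text found in the file, here `UPX!`. As an added example (not RKFiles' own code and not part of the original posts), this Python sketch reports two UPX packer indicators in `.exe`/`.dll` files: the `UPX!` magic and PE sections whose names start with `UPX`. The function names and the sample PE skeleton are constructed for illustration; as the log itself warns, a hit means "packed", not "bad".

```python
import struct
import tempfile
from pathlib import Path

UPX_MAGIC = b"UPX!"  # marker string, the same text shown next to paths in the log


def pe_section_names(data: bytes) -> list[str]:
    """Return the section names of a PE image, or [] if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    (count,) = struct.unpack_from("<H", data, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    names = []
    for i in range(count):
        entry = table + i * 40                                 # 40-byte section headers
        if entry + 40 > len(data):
            break                                              # truncated file
        names.append(data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data: bytes) -> list[str]:
    """List the UPX indicators present in one file's bytes."""
    hits = []
    packed = [n for n in pe_section_names(data) if n.startswith("UPX")]
    if packed:
        hits.append("sections:" + ",".join(packed))
    if UPX_MAGIC in data:
        hits.append("magic:UPX!")
    return hits


def scan_folder(folder, extensions=(".exe", ".dll")) -> dict:
    """Map file name -> indicators for every matching file directly in folder."""
    results = {}
    for path in sorted(Path(folder).iterdir()):
        if path.is_file() and path.suffix.lower() in extensions:
            hits = upx_indicators(path.read_bytes())
            if hits:
                results[path.name] = hits
    return results


def build_sample_pe(section_names, trailer=b"") -> bytes:
    """Constructed, non-executable PE skeleton: headers and section table only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table + trailer


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as folder:
        packed_bytes = build_sample_pe(["UPX0", "UPX1", ".rsrc"], b"UPX!")
        Path(folder, "packed.dll").write_bytes(packed_bytes)
        Path(folder, "plain.exe").write_bytes(build_sample_pe([".text", ".data"]))
        for name, hits in scan_folder(folder).items():
            print(f"{name}: {', '.join(hits)}")
```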

#35
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
It's no problem at all! :tazz:

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file name below to the clipboard by highlighting it then press CTRL + C

C:\WINDOWS\system32\msclock32.dll

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually.

After your computer reboots, post a new HiJackThis log and let me know if Ewido is still finding it (this will kill the file, I'm just making sure it doesn't come back!)

Edited by bananafanafo, 22 June 2005 - 08:26 PM.

  • 0

#36
jacey32

jacey32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Hi - I don't seem to be getting any more ewido alerts about the msclock32 file (great!) but am now getting one about an 'unknown file' which is also a dialer.generic... not sure what we can do about that though, since we don't know where it is. I'm not too worried about it. (Should I be?)

Here is my latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:42:51 AM, on 6/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\AEIWLSTA.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094669078428
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://evite.kodakga..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://sympatico.zon...ro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#37
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Your log looks fine, so I'm going to have you run an online virus scan, but this one takes a while. If there is a dialer present it will find it.

Please go here: Kaspersky Web Scanner

Fill out the info and click OK. Follow the instructions on the screen to download the ActiveX and run the scan (it will take a while!) After it's done, please give me the list of the infected files it finds and delete them as well.
  • 0

#38
jacey32

jacey32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Hey,

Here are the results from the kaspersky scan - it looks like everything is in the norton quarantine - should I still delete the files?

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Thursday, June 23, 2005 21:41:47
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 24/06/2005
Kaspersky Anti-Virus database records: 127525
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 33420
Number of viruses found: 11
Number of infected objects: 31
Number of suspicious objects: 2
Duration of the scan process: 3358 sec

Infected Object Name - Virus Name
C:\Program Files\Norton AntiVirus\Quarantine\039B6A93.php Infected: Trojan-Downloader.JS.IstBar.j
C:\Program Files\Norton AntiVirus\Quarantine\0846337D.exe Infected: Trojan-Downloader.Win32.IstBar.gen
C:\Program Files\Norton AntiVirus\Quarantine\084A5D79.exe Infected: Trojan-Downloader.Win32.IstBar.gen
C:\Program Files\Norton AntiVirus\Quarantine\08503172.exe Infected: Trojan-Downloader.Win32.Agent.hw
C:\Program Files\Norton AntiVirus\Quarantine\08503172.php Infected: Trojan-Downloader.JS.IstBar.k
C:\Program Files\Norton AntiVirus\Quarantine\08545B6E.php Infected: Trojan-Downloader.JS.IstBar.j
C:\Program Files\Norton AntiVirus\Quarantine\0857056B.php Infected: Trojan-Downloader.JS.IstBar.j
C:\Program Files\Norton AntiVirus\Quarantine\0C904EC5.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\124C0753.exe Infected: Trojan-Downloader.Win32.Small.alr
C:\Program Files\Norton AntiVirus\Quarantine\14FB3619.php Infected: Trojan-Downloader.JS.IstBar.k
C:\Program Files\Norton AntiVirus\Quarantine\1925652E.php Infected: Trojan-Downloader.JS.IstBar.j
C:\Program Files\Norton AntiVirus\Quarantine\207C2274.php Infected: Trojan-Downloader.JS.IstBar.j
C:\Program Files\Norton AntiVirus\Quarantine\299E24DC.php Infected: Trojan-Downloader.JS.IstBar.j
C:\Program Files\Norton AntiVirus\Quarantine\2F3471A2.exe Infected: Trojan-Downloader.Win32.IstBar.ir
C:\Program Files\Norton AntiVirus\Quarantine\2F381B9F.php Infected: Trojan-Downloader.JS.IstBar.j
C:\Program Files\Norton AntiVirus\Quarantine\307D3E2F.exe Infected: Trojan.Win32.Dialer.gx
C:\Program Files\Norton AntiVirus\Quarantine\32AE5745.php Infected: Trojan-Downloader.JS.IstBar.j
C:\Program Files\Norton AntiVirus\Quarantine\3DA91509.exe Infected: Trojan.Win32.P2E.br
C:\Program Files\Norton AntiVirus\Quarantine\3DB06902.exe Infected: Trojan.Win32.P2E.br
C:\Program Files\Norton AntiVirus\Quarantine\3DB312FE.exe Infected: Trojan.Win32.P2E.br
C:\Program Files\Norton AntiVirus\Quarantine\4F325819.exe Infected: Trojan-Downloader.Win32.Dyfuca.dx
C:\Program Files\Norton AntiVirus\Quarantine\51F33391.exe Infected: Trojan.Win32.P2E.br
C:\Program Files\Norton AntiVirus\Quarantine\51F9078A.dll Infected: Trojan.Win32.P2E.bt
C:\Program Files\Norton AntiVirus\Quarantine\53B608BA.exe Infected: Trojan-Downloader.Win32.Small.alr
C:\Program Files\Norton AntiVirus\Quarantine\5948361C.php Infected: Trojan-Downloader.JS.IstBar.j
C:\Program Files\Norton AntiVirus\Quarantine\75772557.exe Infected: Trojan.Win32.P2E.br
C:\Program Files\Norton AntiVirus\Quarantine\76C44E61.php Infected: Trojan-Downloader.JS.IstBar.k
C:\Program Files\Norton AntiVirus\Quarantine\77560366.dll Infected: Trojan.Win32.P2E.bt
C:\Program Files\Norton AntiVirus\Quarantine\77A03386.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\7B9C4FB6.exe Infected: Trojan.Win32.P2E.br
C:\Program Files\Norton AntiVirus\Quarantine\7B9F79B3.exe Infected: Trojan.Win32.P2E.br
C:\Program Files\Norton AntiVirus\Quarantine\7BA323AF.exe Infected: Trojan.Win32.P2E.br
C:\Program Files\Norton AntiVirus\Quarantine\7F926D42.exe Infected: Trojan-Downloader.Win32.Small.alr

Scan process completed.
  • 0

#39
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Open Norton, click on "View Reports", then click on the Quarantine button to go into the Quarantine folder and delete all files quarantined. Ewido may have been finding those!
  • 0

#40
jacey32

jacey32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Done!

I think that should just about do it - I must have the cleanest computer in all of Canada. Thank you once again for all your help!
  • 0

#41
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You are more than welcome! :tazz: I'm happy I was able to help ;)
  • 0

#42
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

#43
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Would you mind doing me a favor? We're trying to research some things about the infected system file and XP service packs. This information will help us out :tazz: I would really appreciate it!

Copy everything in the code box below and paste it into notepad. Go up to "File > Save As..." and click the drop-down box to change the "Save As Type" to "All Files". Save it as wininet.bat on your desktop.

dir %Systemdrive%\wininet.dll /a h /s > files.txt
start notepad files.txt

Double click wininet.bat and when it is ready it will open files.txt
Copy the content of files.txt and paste it here.

Thank you!!
  • 0

#44
jacey32

jacey32

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Thanks for reopening! It took me a few days to see that you had posted.

Everything is still running great - still a few pop-ups, and that weird ewido message about msclock32.dll still shows up every once in a while - but that file doesn't seem to be anywhere on my computer, so it must just be an ewido blip or something. Compared to what was going on before, this is perfection!!!

Anyway, here is the text from the files.txt file - hope it's helpful!

Volume in drive C has no label.
Volume Serial Number is 8480-4E0D

Directory of C:\WINDOWS\$hf_mig$\KB883939\SP2QFE

05/02/2005 04:57 PM 658,944 wininet.dll
1 File(s) 658,944 bytes

Directory of C:\WINDOWS\$NtServicePackUninstall$

02/18/2005 04:19 PM 592,384 wininet.dll
1 File(s) 592,384 bytes

Directory of C:\WINDOWS\$NtUninstallKB883939$

08/04/2004 03:56 AM 656,384 wininet.dll
1 File(s) 656,384 bytes

Directory of C:\WINDOWS\$NtUninstallKB890923-IE6SP1-20050225.103456$

02/06/2004 07:05 PM 588,288 wininet.dll
1 File(s) 588,288 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

08/04/2004 03:56 AM 656,384 wininet.dll
1 File(s) 656,384 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819

08/04/2004 03:56 AM 656,384 wininet.dll
1 File(s) 656,384 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\c18f704c05de93348e71fb7005eeea05\sp2gdr

05/02/2005 04:52 PM 657,920 wininet.dll
1 File(s) 657,920 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\c18f704c05de93348e71fb7005eeea05\sp2qfe

05/02/2005 04:57 PM 658,944 wininet.dll
1 File(s) 658,944 bytes

Directory of C:\WINDOWS\system32

05/02/2005 04:52 PM 657,920 wininet.dll
1 File(s) 657,920 bytes
  • 0
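
A listing like the one above is easier to compare once parsed. This added example (not part of the original posts) parses `dir /s` output and reports which other copies of a file match the live copy in system32 by size and timestamp. It assumes the US date format shown in the post; the sample is a four-entry subset of the listing above, and the function names are made up for illustration.

```python
import re
from datetime import datetime

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S.*?)\s*$"
)

# Subset of the files.txt listing posted above.
SAMPLE_LISTING = r"""
Directory of C:\WINDOWS\ServicePackFiles\i386

08/04/2004 03:56 AM 656,384 wininet.dll
1 File(s) 656,384 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\c18f704c05de93348e71fb7005eeea05\sp2gdr

05/02/2005 04:52 PM 657,920 wininet.dll
1 File(s) 657,920 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\c18f704c05de93348e71fb7005eeea05\sp2qfe

05/02/2005 04:57 PM 658,944 wininet.dll
1 File(s) 658,944 bytes

Directory of C:\WINDOWS\system32

05/02/2005 04:52 PM 657,920 wininet.dll
1 File(s) 657,920 bytes
"""


def parse_dir_listing(text: str) -> list[dict]:
    """Turn `dir /s` output into records; summary and <DIR> lines are skipped."""
    records, folder = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            folder = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and folder:
            stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %I:%M %p")
            size = int(m.group(3).replace(",", ""))
            records.append({"folder": folder, "name": m.group(4),
                            "size": size, "modified": stamp})
    return records


def match_live_copy(records, live_folder=r"C:\WINDOWS\system32"):
    """Split the other copies into those matching the live file and those that differ."""
    live = [r for r in records if r["folder"].lower() == live_folder.lower()]
    if len(live) != 1:
        raise ValueError("expected exactly one copy in the live folder")
    live = live[0]
    key = (live["size"], live["modified"])
    same, different = [], []
    for r in records:
        if r is not live:
            (same if (r["size"], r["modified"]) == key else different).append(r["folder"])
    return live, same, different


if __name__ == "__main__":
    live, same, different = match_live_copy(parse_dir_listing(SAMPLE_LISTING))
    print("live:", live["size"], live["modified"])
    print("same size and time:", same)
    print("different:", different)
```

Matching size and timestamp only shows which package a file most likely came from; confirming that the contents are identical needs a hash comparison of the files themselves.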

#45
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Thank you for posting again! I appreciate it :tazz:

I don't like that Ewido is popping up about msclock especially when the real-time protection will only last for 2 weeks from download. If this scan doesn't find it, then Ewido is probably finding the file in System Restore (which we can fix!)

*Please download DLLCompare.
*Save it to the desktop and run it by double-clicking DLLCompare
*Put a check next to "Include SubDirectories"
*Click "Run Locate.com" to scan for DLL files.
*When the scan is finished (it will say "Completed the Scan" in blue), click "Compare".
*Finally, when it's done comparing (It will say "Completed" in blue), click "Make a Log of What Was Found".
*Click YES at the prompt.
*Copy the entire contents of the notepad and paste it here.

Edited by bananafanafo, 29 June 2005 - 01:46 AM.

  • 0





