
msclock32.dll NaviPromo



#1
trackdoctor

trackdoctor

    New Member

  • Member
  • Pip
  • 4 posts
:tazz: BASIC FACTS
VirusScan: Build 10.0.25, Engine Version 4400, Dat 4568 on Aug. 26/05
Computer: Dell Dimension 2350, XP Home Service Pack 2, 256 Mb RAM, Pentium 4, 2.0 GB

Adware detected = msclock32.dll (related files ECDaccess_1063_xp[1}.cab and other EGDaccess files)

SCENARIO

1. Turn on Computer
boot up goes at normal speed but before finishes

2. McAfee window pops up saying PUP found “c:\windows\system32\msclock32.dll”
at this point computer speed drops dramatically.

3. Turn on Task manager and McShield.exe is using most of the CPU (80% or more)

4. Click on remove in the McAfee window and Task Manager shows McShield is using 98 or 99%. All other processes nearly stop. It ran five hours once before I stopped it.

5. Selecting McShield I cannot change priority

6. Selecting McShield and trying to “End Process” crashes Task Manager. By repeatedly clicking on Close I finally (5 or more minutes later) can get Task Manager to close. Once closed, the rest of computer operation proceeds at normal speeds.

7. IF I open Task Manager again, McShield.exe no longer shows as a process.

WHAT I HAVE DONE

1. XP Home running service pack two.

2. Have uninstalled VirusScan manually, cleaning registers as per instruction from McAfee. Uninstalled Security package also.

3. Reinstalled VirusScan and Security package automatically reinstalled.

4. Downloaded XoftSpy and Registry fix. Used both. Cleaned out many problems including references to “msclock.exe,” and ECDaccess_1063_xp[1}.cab and other EGDaccess files which seem to be related to generating msclock32.dll and msplock32.dll.

5. Used Windows Explorer and cleaned out all references to these files

6. Cleaned out all temporary internet files

7. Turned off internet connection

PROBLEM

1. Turn on computer (no longer connected to the internet) and it all starts again as with step one in the scenario.

Help

Jim Halfpenny
trackdoctor@tracknature.com

********************************************************************************
Logfile of HijackThis v1.99.1
Scan saved at 10:38:40 PM, on 9/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TSI32\tsircusr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\BFU\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tracknature.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tracknature.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C22877C3-4214-11D0-B0DA-080009C351D7} (Rhino Software ActiveX FtpTree Control 4.0) - http://www.tracknatu...pts/FtpTree.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0C790C3-B063-481C-B1E8-B2BBD3E45755}: NameServer = 65.197.137.3,65.197.137.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: TSI Remote Control Service (TSIRCSRV) - LapLink, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
  • 0



#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,675 posts
I'll be right with you.

Hang on a sec.
  • 0

#3
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,675 posts
Download Brute Force Uninstaller.
Unzip it to its own folder (c:\BFU)

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover. Save it in the folder you made earlier (c:\BFU)

Copy the part in green below into notepad and save it as findEGDA.vbs
Set Filetype to "all files"

Dim Wshshell, fso, ts, R, ArrR, i, F
Const ForReading = 1

Set Wshshell = Wscript.CreateObject("Wscript.Shell")
Set fso = Wscript.CreateObject("Scripting.FilesystemObject")

Wshshell.run "regedit /a /e runnow.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" ' export the HKLM Run key as ANSI text

Do until fso.FileExists("runnow.txt") ' wait until regedit has written the export
Wscript.sleep 100
Loop
Set ts = fso.OpenTextFile("runnow.txt" ,ForReading)
Do while not ts.AtEndOfStream
R = ts.Readall ' read the whole export into R
loop
ts.close

R = Replace(R, "\\", "\") ' undo the .reg escaping of backslashes
R = Replace(R, Chr(34), "") ' strip the double quotes

ArrR = Split(R,vbcrlf) ' one array element per line of the export
For i = 0 to Ubound(ArrR)
F = Lcase(right(ArrR(i),6)) ' last six characters of the line
If F = "-start" Then ' the Run entry that launches with -start
ArrR(i) = Replace(arrR(i), "-start" , "-uninstall")
ArrR(i) = Mid(ArrR(i),Instr(ArrR(i),"=") + 1) ' keep only the command after the "="
MsgBox ArrR(i) ' show the command before it is run
Wshshell.Run ArrR(i)
End IF
Next


Set ts = nothing
Set fso = nothing
set wshshell = nothing



Doubleclick the file to run it. If you have a resident script blocker it may warn you about or stop the vbs script. Please allow it, it is harmless.
You will get a prompt looking like this
c:\windows\system32\random.exe -uninstall
Click OK to execute that command.
You will be prompted if you are sure you want to uninstall. Confirm.

After a little while you will get a prompt the application was removed.

Start the Brute Force Uninstaller by doubleclicking BFU.exe

In the scriptline to execute copy and paste c:\bfu\EGDACCESS.bfu
Press execute and let it do its job.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

Let me know if that works.

Regards,
  • 0
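
An added example, not part of the post above or of the tools it links: the Run-key lookup that findEGDA.vbs performs, written in Python so that it parses an exported Run key and reports the entry ending in -start together with the matching -uninstall command, without launching anything. The export text is constructed; the value name Instant Access and the file name ungvaeow.exe come from later posts in this thread, and the exact form of that value is an assumption.

```python
import re

# Constructed sample of a REGEDIT4 export of the HKLM Run key. The first two
# values mirror the HijackThis log on this page; the exact form of the
# "Instant Access" value is an assumption.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"Instant Access"="C:\\WINDOWS\\system32\\ungvaeow.exe -start"
'''

# "name"="string data"; both sides may contain backslash escapes.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
# Executable (quoted, or unquoted up to the first .exe) followed by arguments.
COMMAND = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.exe))\s*(.*)$', re.IGNORECASE)


def unescape(text):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r'\\(.)', r'\1', text)


def parse_run_values(export_text):
    """Return (value name, command line) pairs for every string value."""
    pairs = []
    for line in export_text.splitlines():
        match = VALUE_LINE.match(line.strip())
        if match:
            pairs.append((unescape(match.group(1)), unescape(match.group(2))))
    return pairs


def find_start_entries(export_text):
    """Find Run values whose command line ends in -start, as findEGDA.vbs
    does, and report the -uninstall command without executing it."""
    hits = []
    for name, command in parse_run_values(export_text):
        match = COMMAND.match(command)
        if not match:
            continue
        exe = match.group(1) or match.group(2)
        args = match.group(3).strip()
        if args.lower().endswith("-start"):
            uninstall_args = args[:-len("-start")] + "-uninstall"
            hits.append({"value": name, "exe": exe,
                         "uninstall": f'"{exe}" {uninstall_args}'})
    return hits


if __name__ == "__main__":
    for hit in find_start_entries(SAMPLE_EXPORT):
        print(hit)
```

Unlike the VBScript, this keeps the quoting of each value intact, so a path with spaces is not split when the command is later pasted into Start > Run.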

#4
trackdoctor

trackdoctor

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
:tazz:

Pieter,

Thank you for your help! However, we ran into a problem as follows:

1. All files downloaded and saved.
2. Ran findEGDA.vbs.
3. McAfee stopped script, I okayed it and the script continued to run.
4. Received the prompt:
C:\windows\system32\ungvaeow.exe - uninstall

(probably a randomly generated file name?)


5. Clicked okay
received error message as follows:
Windows Script Host
Script: c:\bfu\findEGDA.vbs
Line: 28
Character: 1
Error: permission denied
Code: 800A0046
Source: Microsoft VBScript runtime error

Can you advise what to do now?

Jim Halfpenny
  • 0

#5
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,675 posts
Hi Jim,

Can you click Start > Run and paste this command in the dialog box:
C:\windows\system32\ungvaeow.exe - uninstall

Or run the first part of the script again to get the new filename (it changes at least every reboot)

This way we will circumvent the part of the script that produces the error.
Then execute the BFU script.

Regards,
  • 0

#6
trackdoctor

trackdoctor

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
:tazz:

Pieter,

This puppy is sophisticated and tough to get at.

When I ran ungvaeow.exe from start > run, I received the message “Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.”

I then re-ran findEGDA.vbs and got the same file name back, ungvaeow.exe. I have NOT rebooted since I first ran Hijack This. Also, just to be sure I changed all folders and files in C:\windows\system32 to read files (undid Read Only).

I checked for the file in Windows Explorer but it does not show up. My explorer is set to show all files with extensions.

The executable file appears to be hidden, somehow.

Round “umpteen,” what next?

Jim
  • 0

#7
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,675 posts
I'll make a slightly adapted version of the script for you. :tazz:

Copy the part in bold below into notepad and save it as EGDACCESPLUS.bfu
Set Filetype to All files and save it in the BFU folder you made.


SystemRun %SYSDIR%\ungvaeow.exe|-uninstall
RegDeleteKey HKCU\software\egdhtml
RegDeleteKey HKCU\software\egroup
RegDeleteKey HKCU\software\mc
RegDeleteKey HKCU\Software\livesvc
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Instant Access
RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Instant Access
RegSetStringValue HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Autodial|AutodialDllName32|wininet.dll
RegSetStringValue HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Autodial|AutodialFcnName32|InternetAutodialCallback
RegDeleteKey HKCR\egdhtml.egdialhtml
RegDeleteKey HKCR\egdhtml.egdialhtml.1
RegDeleteKey HKCR\egdialobject.egdial
RegDeleteKey HKCR\eghtmldialer.htmldialer
RegDeleteKey HKCR\eghtmldialer.htmldialer.1
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{FA83E942-B796-46DE-9155-1632ECC5473B}
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FA83E942-B796-46DE-9155-1632ECC5473B}|Compatibility Flags|1024
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{26D73573-F1B3-48C9-A989-E6CE071957A1}
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{26D73573-F1B3-48C9-A989-E6CE071957A1}|Compatibility Flags|1024
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{1604DF98-D1A5-44FE-844A-98D6FD0518D0}
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1604DF98-D1A5-44FE-844A-98D6FD0518D0}|Compatibility Flags|1024
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{EF4DCD99-D26B-44A4-BA77-CFDCC97E7291}
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EF4DCD99-D26B-44A4-BA77-CFDCC97E7291}|Compatibility Flags|1024
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{3446598E-00E4-4B5E-99A6-87ECCA8324A2}
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3446598E-00E4-4B5E-99A6-87ECCA8324A2}|Compatibility Flags|1024
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{E3943A24-2F83-4505-9AE5-F705E81B50CB}
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E3943A24-2F83-4505-9AE5-F705E81B50CB}|Compatibility Flags|1024
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{BFC9677B-8006-4336-9D49-2C797AEFCB9E}
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BFC9677B-8006-4336-9D49-2C797AEFCB9E}|Compatibility Flags|1024
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{1CD49DC9-FD88-41FA-B892-47E037267D45}
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1CD49DC9-FD88-41FA-B892-47E037267D45}|Compatibility Flags|1024
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{07C9CFC7-DE33-4A0C-9FFB-CDFBA843B157}
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{07C9CFC7-DE33-4A0C-9FFB-CDFBA843B157}|Compatibility Flags|1024
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{624321F1-0581-49D8-99BD-2E952C2DF31B}
RegSetDwordValue HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{624321F1-0581-49D8-99BD-2E952C2DF31B}|Compatibility Flags|1024
FileDelete %SYSDIR%\EGDACCESS_*10*.dll
FileDelete %SYSDIR%\EGDACCESS*.inf
FileDelete %SYSDIR%\msegcompid.dll
FileDelete %SYSDIR%\msclock32.dll
FileDelete %SYSDIR%\mswbm32.dll


Then run that script.
Let me know if you still get the confirmation prompt about uninstalling.

Regards,
  • 0

#8
trackdoctor

trackdoctor

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
:tazz:
Pieter,

MSCLOCK32.DLL APPEARS RESOLVED!!!!

THANK YOU!!! THANK YOU!!! THANK YOU!!! THANK YOU!!!

Here’s the story.

When I got the message that “Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item,” I got a hunch that even though I was logged on as a COMPUTER ADMINISTRATOR, something wasn’t right.

For reference, if it helps: FACT 1 >> OS = XP Home; FACT 2 >> the files appeared invisible - I could not see the files in any manner (Internet Explorer) nor could McAfee or XoftSpy.

Therefore, I safe booted and got into a full Administrator mode. Something changed and things became visible. Since findEGDA.vbs had told me the name to look for, I scanned directories and files using Internet Explorer, msconfig and regedt32. Lo and behold, there were the files: the randomly named file found by findEGDA and msclock32.dll. I deleted them everywhere I could (don’t remember exactly where now).

Returned to normal mode and ran findEGDA — nothing showed. Ran BFU with EGDAccess.bfu and your new version EGDAccesplus.bfu. Scripts completed.

Turned McAfee back on (I had made sure to remove trusted PUPS from McAfee while in safe mode / Administrator). NO FIGHT - EVERYTHING SEEMS TO BE OKAY.

Okay final question - this [bleep] thing cost me between 30 and 40 hours over the last two weeks (remember CPU running 99% while fighting McAfee). Who is the SOB who wrote this and why aren’t more Americans running into it (seems many of the references in google are in foreign languages as if it came from across the ocean)?

THANK YOU AGAIN!!! THANK YOU AGAIN!!! THANK YOU AGAIN!!!

I live on the edge of Yellowstone National Park and the nearest computer store is 90 miles and it is 180 to a Best Buy! Your help on the internet was critical! ! ! !

Jim Halfpenny
  • 0

#9
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,675 posts
You're very welcome. :tazz:

An article about the distributor:
http://www.extremete...,1125674,00.asp

And their own site:
http://www.electroni...index_flash.htm

Please do have a look at my site about removing and preventing spyware.

Regards,
  • 0





