Aurora on my wife's computer

Discussion in 'Malware Help (A Specialist Will Reply)' started by BlueBob, May 25, 2005.

  1. BlueBob

    BlueBob Private E-2

    I disabled Norton AV autoprotection, uninstalled Spybot and SpywareBlaster and ran KillBox 2 times (first time it found EGDACCESS_1059.dll, the 2nd time it found msclock32.dll) and yet as you can see from the RKFiles log that they aren't all going away.
    Here's the logs from the tools, next posting will have HJT.
     

    Attached Files:

  2. BlueBob

    BlueBob Private E-2

    and here's the HijackThis log file.
     

    Attached Files:

  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Also, for each file below check the box "End Explorer Shell While Killing File".

    Now, Copy and Paste C:\WINDOWS\system32\EGDACCESS.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\msclock32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\supdate.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow Killbox to reboot your system. Afterwards post 3 new logs.
     
  4. jamesbond77

    jamesbond77 Private E-2

    msclock32.dll and msplock32.dll together

    When you find these two files together in the folder Windows\System32 there is probably the ltmvxb.exe file also. First you have to deactivate it in the Task Monitor (CTRL-ALT-DEL) processes tab. Next you have to deactivate the startup in the Registration Database Editor (HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows -> Current Version -> Run). Delete the entry of the ltmvxb.exe. Delete the following files with the Pocket Killer: ltvxb.exe msclock32.dll msplock32.dll. A reboot is recommended.
     
  5. BlueBob

    BlueBob Private E-2

    here are the logs -- still msclock32.dll --
    I've been running KillBox in Safe Mode (you admonished me once about this and I've adhered to the policy all along).
    any validity to jamesbond77 comments posted? I don't seem to have msplock32.dll though.
     

    Attached Files:

  6. BlueBob

    BlueBob Private E-2

    and the other two log files............
     

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Never heard of it before, cant find anything on that particular file. If you like you can search for it and see if it exist.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\msclock32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow Killbox to reboot your system. Afterwards reboot and post 2 new logs from the tools.
     
  8. BlueBob

    BlueBob Private E-2

    arghh.....can't seem to get rid of the EGDACESS & msclock files....here are the log files.
    But I must say that we are getting much much fewer pop ups and I don't know if any at all are from Aurora.
    I'm going away for the weekend - the Chicago Blues Festival (note the "Blue" in BlueBob) - and am entrusting the safety of this computer to my wife and daughter. Therefore I'm going to reinstall SpyBot and maybe some other protection. If you want me to uninstall or deactivate any anti-spyware or antivirus programs when we do the next fix please be sure to (re)state it.

    All in all, I'm pretty pleased with what you've done for us - in fact, I'd be really happy if I didn't learn about all these evil files through the process of cleaning up our mess. Ignorance can be bliss, it's just that I'm no longer (completely) ignorant. Again, I'd like to thank you bjgarrick for making this computer truly usable once more. I don't want to say that I'm quitting our clean up, but I want to express our appreciation for your endless efforts & problem-solving.
    If you think we've come to a best possible fix point please let me know.
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, first I want you to disable any and all antivirus programs and antispyware programs.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    For each of these files below, check the box "Unregister .dll Before Deleting"

    Now, Copy and Paste C:\WINDOWS\system32\EGDACCESS.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\EGDACCESS_1059.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\msclock32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow Killbox to reboot your system. After you have rebooted and windows has loaded attach 2 new logs.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If what BJ gave you in message number 59 does not work try using Killbox as written below:

    Run Killbox by double clicking on the killbox.exe file.

    Check the following boxes:

    Standard File Kill
    End Explorer Shell While Killing file
    For each file below, also check the box Unregister .dll Before Deleting

    Copy & paste (you must use copy & paste - typing will give an error) the full path of each of the files below (one at a time - see directions after the list) into the Full Path of File to Delete box.
    C:\WINDOWS\SYSTEM32\msclock32.dll
    C:\WINDOWS\SYSTEM32\msplock32.dll <--- may or may not exist
    C:\WINDOWS\system32\EGDACCESS.dll
    C:\WINDOWS\system32\EGDACCESS_1059.dll

    With the full path to the file name in the Full Path of File to Delete textbox. The filename will appear under the box in a blue color to indicate it was found. Now Click the Red X and for the confirmation message that will appear, you will need to click Yes. If the file is successfully deleted you will get a message of confirmation. Just click OK!

    Do this for each of the files listed. Some may not be deleted. Make sure you keep a list of them.

    Now for any files not deleted properly above (the ones you wrote down), do the below (if all of them deleted, skip these steps):
    - in Killbox select the option to Delete on Reboot
    - uncheck the option to End Explorer Shell While Killing file
    - for each file, also check the box Unregister .dll Before Deleting

    Copy & paste the full path of each of the files you could not delete above into the box and then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? You will need to click No (since you are not finished adding all related files in yet).

    When you do enter the last file name that needs to be deleted, click Yes on the last file.
    Note: Killbox will let you know if the file does not exist.

    Okay so now your PC should reboot. If you get an error message about Pending Operations, just reboot your PC yourself.

    After doing the above, let us know the results.
     
  11. BlueBob

    BlueBob Private E-2

    here are my log files after following bj's instructions -- I will try chaslang's next. Before I go, I think I should tell you that:
    1. I did not do KillBox in Safe Mode; you haven't given any instructions to that end lately so I didn't reboot after the fix.reg process.
    2. I did not unregister msclock32.dll in KillBox because it did not show up (in blue) and therefore the box was unavailable to check for unregister dll.
    3. Upon reboot after KillBox I got the message "Error loading EGDACCESS_1059.dll" - file could not be found

    aren't you even going to ask how the Chi blues festival was? I'll tell you it was more fulfilling than this process....but it ended on the weekend, this doesn't seem to stop...... :)
     

    Attached Files:

  12. BlueBob

    BlueBob Private E-2

    here are the log files after trying chaslang's method.
    as for what happened when I tried:
    when I followed the standard file kill procedure I could not delete the msclock32.dll file and the other 3 weren't there (or in KillBox terms "doesn't seem to exist"); when I followed the 2nd procedure (Delete on reboot/unchecked Explorer shell/checked Unregister dll) it seemed to delete msclock32.dll.
    Except that the RKFiles log doesn't seem to think so.
    Also, when I rebooted I got the error loading EGDACESS_1059.dll message.
     

    Attached Files:

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Lets try this!

    -Please download Ewido Security Suite

    - Install and get any updates!
    - Run a full scan on Local Disk C:\
    - Remove ALL found infections

    After you complete the scan above, run this last online scan:

    Panda Online Scan

    After you complete this step, attach BOTH logs as attachments to your post.
     
  14. BlueBob

    BlueBob Private E-2

    here are the two new reports -- I was about to state the Ewido seems to work & identify the threats - a number of times it has actually caught & prevented msclock32.dll from executing. But then I had a couple of pop ups just now (however, I am using Internet Explorer -- had to, to run the Panda scan).
    Anyway, here they are
     

    Attached Files:

  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Now run the 2 tools and get me 2 new logs.
     
  16. BlueBob

    BlueBob Private E-2

    here are the 2 logs -- my wife said that Ewido found msclock32.dll a number of times today and was instructed to reboot to remove the virus. I noticed the same in the RKFiles log, so I rebooted, ran Ewido again, it found msclock32.dll and yet it keeps showing up. Not getting rid of it.
    Also I get the message on startup that EDGACCESS_059.dll cannot be found.

    These logs are before I ran Ewido. I thought I posted them, but I must've closed the reply before posting.
     

    Attached Files:

  17. BlueBob

    BlueBob Private E-2

    here's the RKFiles log after I rebooted once (but before I ran Ewido again).
     

    Attached Files:

    • log.txt
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download PFind.zip and unzip the contents to its own folder such as C:\Program Files\PFind.

    REBOOT INTO SAFE MODE!

    Locate the pfind.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

    Once the scan has completed, attach the log it produces. It will be in the following location:

    C:\pfind.txt
     
  19. BlueBob

    BlueBob Private E-2

    that didn't take so long -- I think RKFiles takes much longer -- anyway, here's the new log.
     

    Attached Files:

  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\system32\cbomrca.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Do the above for each file below. Do NOT reboot until you enter the last file into Killbox. Afterwards reboot with 3 new logs from the tools.

    C:\WINDOWS\system32\cbomrca.exe
    C:\WINDOWS\system32\ati2dvag.exe
    C:\WINDOWS\system32\cdmodem0.exe
    C:\WINDOWS\system32\cdral512.exe
    C:\WINDOWS\system32\cpdup.dll
    C:\WINDOWS\system32\EGDACCESS.dll
    C:\WINDOWS\system32\redit.cpl
    C:\WINDOWS\system32\msclock32.dll
    C:\WINDOWS\system32\mspclock32.dll
     
  21. BlueBob

    BlueBob Private E-2

    only a few of those showed up in KillBox (but I did them all anyway).
    What is msclock32.dll anyway? is it related to Aurora?
    here's the HJT log
     

    Attached Files:

  22. BlueBob

    BlueBob Private E-2

    and now the Qoologic & RKTools logs.
     

    Attached Files:

  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Be sure you check the boxes "Unregister dll before rebooting" and "End Explorer Shell While Killing File"

    Now, Copy and Paste C:\WINDOWS\system32\msclock32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Reboot and attach 2 new logs from the tools.
     
  24. BlueBob

    BlueBob Private E-2

    okay, first a few comments before I post the logs (esp since the RKFiles log still shows the msclock32.dll):
    1. When I ran KillBox the first time msclock32.dll did not show up so I couldn't check the Unregister dll box -- I ran it anyway and rebooted.
    2. But I decided to reboot in Safe Mode and run KillBox again -- this time it did show up and I checked all the boxes you asked me to.
    3. When I ran HijackThis, Ewido caught some bad files/viruses, and it also crashed. I was tempted to uninstall Ewido, figuring it might be getting in the way of some (potential) fixes, yet it seems to be the only thing that actually detects msclock32.dll and I am therefore reluctant to disable it. However, it does not appear to remove it entirely.
    4. Upon start up I get the message that EGDACCESS_1060.dll cannot be found - I used to get _1059 was not found - is this considered progress?

    Anyway, here is the HJT log, next the other two logs.
     

    Attached Files:

  25. BlueBob

    BlueBob Private E-2

    here are the Qoologic and RKFiles logs.
     

    Attached Files:

  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = htttp://webproxy.artic.edu/flaxman .pac
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost

    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1060.dll,InstantAccess

    O16 - DPF: {1604DF98-D1A5-44FE-844A-98D6FD0518D0} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1060_XP.cab
    O16 - DPF: {1CD49DC9-FD88-41FA-B892-47E037267D45} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1059_XP.cab
    O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/svcsysnet32_EN_XP.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\msclock32.dll into the box – If it exists, it will show up in Blue. Check the option to Replace on Reboot and also check the Use Dummy option and also check the End Explorer Shell While Killing File option along with the Unregister dll before deleting box. Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    At this point, I want you to pull the power cord to your PC (yes you read that correctly). I want to try to prevent it from spawning on shutdown.

    Wait a couple minutes and plug your power cord back in and then reboot your PC.

    Now get a new HJT log. Reconnect to the internet, run your browser and come back here and post the HJT log along with 2 new logs from both tools.
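The HijackThis entries bjgarrick asks to fix above are each a known persistence or traffic-hijack point: a proxy auto-config URL (R1 AutoConfigURL) decides where every browser request goes, an O4 Run entry that hands rundll32 a DLL by bare name gets it loaded from the DLL search path, and O16 DPF entries are ActiveX packages pulled from an outside host. The following is an added example, not code from the thread or from the HijackThis project, that applies those three checks to a log. The allowlist of trusted DPF hosts is an assumption, and the sample log is constructed: it contains the six lines quoted in the post plus two benign entries (a start page and Norton's ccApp autostart) added for contrast.

```python
import re
from urllib.parse import urlsplit

# Hosts whose ActiveX (O16 - DPF) downloads are expected on this machine.
# This allowlist is an assumption made for the example; adjust it per site.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com", "symantec.com")

# Constructed sample log: the six entries quoted in the post above, plus two
# benign lines (a home page and Norton's ccApp autostart) added for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = htttp://webproxy.artic.edu/flaxman .pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1060.dll,InstantAccess
O16 - DPF: {1604DF98-D1A5-44FE-844A-98D6FD0518D0} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1060_XP.cab
O16 - DPF: {1CD49DC9-FD88-41FA-B892-47E037267D45} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1059_XP.cab
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/svcsysnet32_EN_XP.cab
"""

HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")


def parse_hjt_line(line):
    """Split one HijackThis line into (section code, body); None if not an entry."""
    m = HJT_LINE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def is_trusted_host(host):
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS)


def check_r1(body):
    """R1: 'registry path,value name = data'. Proxy settings that can route
    every browser request through a host the attacker chooses."""
    if " = " not in body:
        return None
    lhs, data = body.split(" = ", 1)
    name = lhs.rsplit(",", 1)[-1]
    data = data.strip()
    if name == "AutoConfigURL":
        scheme = urlsplit(data).scheme.lower()
        if scheme not in ("http", "https", "file") or any(c.isspace() for c in data):
            return "AutoConfigURL is malformed (unknown scheme or embedded whitespace); a PAC URL controls where all browser traffic goes"
    if name == "ProxyOverride" and "://" in data:
        return "ProxyOverride should be a semicolon-separated host list, not a URL"
    return None


def check_o4(body):
    """O4: autostart entries. rundll32 with a DLL given by bare name resolves it
    through the DLL search path, which is how a DLL dropped in system32 gets run."""
    m = re.search(r"\]\s+(.*)$", body)
    if not m:
        return None
    tokens = m.group(1).strip().split()
    if len(tokens) > 1 and tokens[0].lower().endswith("rundll32.exe"):
        dll = tokens[1].split(",", 1)[0]
        if "\\" not in dll:
            return f"rundll32 loads {dll} by bare name via the DLL search path"
    return None


def check_o16(body):
    """O16: ActiveX downloads (Downloaded Program Files). Flag hosts not on the allowlist."""
    m = re.search(r"(https?://\S+)", body)
    if not m:
        return None
    host = urlsplit(m.group(1)).hostname or ""
    if not is_trusted_host(host):
        return f"ActiveX package fetched from untrusted host {host}"
    return None


CHECKS = {"R1": check_r1, "O4": check_o4, "O16": check_o16}


def triage(log_text):
    """Return a list of findings: dicts with code, reason and the original line."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_hjt_line(line)
        if not parsed:
            continue
        code, body = parsed
        check = CHECKS.get(code)
        reason = check(body) if check else None
        if reason:
            findings.append({"code": code, "reason": reason, "line": line.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']:>3}  {f['reason']}\n     {f['line']}")
```

Run as a script it prints the six flagged entries with the reason each one matters; the two benign lines pass. The O4 rule is deliberately about how the DLL is named rather than about the EGDACCESS string, so a renamed copy in the same Run key would still be caught.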
     
  27. BlueBob

    BlueBob Private E-2

    okay -- HJT log attached, other 2 in the next posting -- but first:
    Ewido detected msclock32.dll sometime when the computer was running (not connected to the internet though) before I did the procedures outlined & I cleaned it and (therefore?) it was not found when I ran KillBox. I should also tell you that there was something strange in KillBox, i.e. I got a box with GetLongFileName in the title bar stating "invalid procedure call or argument." This simply wouldn't close without popping up again and again. Finally I was quick enough to close that box and KillBox. So I rebooted in Safe Mode to see if that helped, but alas I got the same message. I was able to type in the c:\windows\system32\msclock32.dll (I couldn't paste because we had run CCleaner and my browser had no history). But it didn't locate the file.
    Also, when I ran Qoologic, Ewido found a "Dialer.Generic" which I cleaned after Qoologic finished, but then I got the message "Ewido Security Suite Guard crashed."
    Is this helpful or more confusing??
     

    Attached Files:

  28. BlueBob

    BlueBob Private E-2

    and now the other logs.
     

    Attached Files:

  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    BlueBob,

    First, uninstall ewido then disable Norton and any other antispyware programs you have running.

    After you do the above then complete the below as is! If you get that error with Killbox again then reboot manually!

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\msclock32.dll into the box – If it exists, it will show up in Blue. Check the option to Replace on Reboot and also check the Use Dummy option and also check the End Explorer Shell While Killing File option along with the Unregister dll before deleting box. Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    At this point, I want you to pull the power cord to your PC (yes you read that correctly). I want to try to prevent it from spawning on shutdown.

    Wait a couple minutes and plug your power cord back in and then reboot your PC.

    Now get a new HJT log. Reconnect to the internet, run your browser and come back here and post the HJT log along with 2 new logs from both tools.
     
  30. BlueBob

    BlueBob Private E-2

    msclock32.dll doesn't show up in KillBox, so the "dummy" & "unregister dll" options didn't get a chance.
    By the way I'm on a laptop, so I pulled the battery as well as disconnected the power cord - but still, no msclock so nothing happened.
    We don't seem to be getting anywhere - either msclock32.dll doesn't show up in KillBox or KillBox doesn't get rid of it.
    The drastic measures I contemplated at the outset - i.e., reinstalling the system software & programs - don't seem so bad anymore. What else is there anyway?

    here are the logs.
     

    Attached Files:

  31. BlueBob

    BlueBob Private E-2

    here are the other two log files.

    what is msclock32.dll anyway? is it still part of Aurora/Nail? or is it something else that we picked up after Aurora started screwing up our computer?
     

    Attached Files:

  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You must follow every step exactly as I provide you with it. It doesn't matter if the file shows in Killbox or not, that's the point of the infection, to hide from everything.

    Complete this below step even if it doesn't show in Killbox, that doesn't mean anything!

    Now, Copy and Paste C:\WINDOWS\system32\msclock32.dll into the box – If it exists, it will show up in Blue. Check the option to Replace on Reboot and also check the Use Dummy option and also check the End Explorer Shell While Killing File option. Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow Killbox to reboot your computer, after you have rebooted and windows has loaded run this Uninstaller and then reboot once more.

    After you have completed the above get me 2 new logs from the tools. Also, probably wouldn't hurt to download the tools again just in case a newer version is out.
     
  33. BlueBob

    BlueBob Private E-2

    oh, don't worry, I am following your instructions and I have run KillBox even without the appearance of msclock32.dll in blue. The last 2 times it has not shown up and therefore I cannot check the dummy option box nor the unregister dll box.
    I won't be able to do your most recent routine until Friday - the laptop went out of town for a couple days - - but I will upon its return.
     
  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You should be able to check the use dummy option even if Killbox doesn't see the file. It is normal for the unregister dll option not to show if the file isn't found.

    Will be awaiting results!
     
  35. BlueBob

    BlueBob Private E-2

    well, I made it back - but unfortunately I brought my msclock32 with me.
    When I initially ran KillBox it did not show msclock32.dll (in blue) but I followed your instructions, chose the dummy option & replace on reboot and end explorer shell (but nothing came up in the replace box - or is that the dummy box?), anyway I also got this message: PendingFileRename Operations Registry Data has been REmoved by External Process. And it did not reboot.
    So I figured I'd better reboot in Safe Mode and try it all over again. This time msclock32.dll did appear in blue and I was able to choose all of the stated options and the unregister dll option too.
    I rebooted. I still got the Error Loading EGDACCESS_1060.dll message upon reboot.
    Then I used the MyPCTuneup uninstaller. Also downloaded the Qoologic Finder & RKFiles tools once again.
    The log files are posted.

    What next?

    (you know that the evil empire had the nerve to ask why I was uninstalling its software after I uninstalled - if it really does that - however, I resisted telling them....I certainly would've used some of my most colorful language).
     

    Attached Files:

  36. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    BlueBob,

    Since it's been a while since we did anything, download the tools again because they have most likely been updated.

    Qoologic Tool

    RKFiles Tool
     
  37. BlueBob

    BlueBob Private E-2

    I did download both the Qoologic and RKFiles tools again before I ran them this time.
     
  38. BlueBob

    BlueBob Private E-2

    I just realized that when I knew I was going to be away from this computer for awhile that I reinstalled Ewido for some hope of protection -- anyway, I've uninstalled it and followed the instructions again -- this time I went directly to Safe Mode and ran KillBox (replace on reboot, dummy option, end Explorer shell, unregister dll), rebooted ran the MyPCTuneup uninstaller and then both tools and HijackThis.
    Attached are the various logs - I included a HJT log too.
     

    Attached Files:

  39. BlueBob

    BlueBob Private E-2

    here's the HJT log too.
     

    Attached Files:

  40. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Read this entire post before you begin the fix so you won't miss anything!


    First, I want you to disable Norton temporarily so it won't block anything we do this time.

    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = htttp://webproxy.artic.edu/flaxman .pac
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost

    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1060.dll,InstantAccess

    O16 - DPF: {1604DF98-D1A5-44FE-844A-98D6FD0518D0} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1060_XP.cab

    Make sure All Browser Windows are Closed when you Click FIX.


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Check the option "Unregister DLL before deleting"

    Now, Copy and Paste C:\WINDOWS\system32\EGDACCESS.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\msclock32.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow Killbox to reboot your system. If you get the error "PendingFileRename Operations Registry Data has been REmoved by External Process" reboot manually.

    After you have rebooted and windows has loaded attach 2 new logs from the tools.
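Killbox's "Delete on Reboot" and "Replace on Reboot / Use Dummy" options both work by queueing the operation in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which the session manager processes at the next boot before the file is in use. The error quoted in the post above ("PendingFileRename Operations Registry Data has been REmoved by External Process") is Killbox noticing that the queue it wrote is gone again, which is why bjgarrick falls back to a manual reboot and, earlier, to cutting power so nothing runs at shutdown. The following is an added example, not code from the thread or from Killbox, that encodes and decodes that value and reports which queued operations have vanished. The dummy file path and the snapshot of the value are constructed for the example; the Windows reader at the end uses the standard winreg module and is an assumption about how one would take the real snapshot.

```python
import sys

SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"


def nt_path(win_path):
    r"""Turn C:\dir\file into the \??\C:\dir\file form stored in the value."""
    return "\\??\\" + win_path


def delete_op(path):
    """Pair meaning 'delete this file at boot': source path, empty destination."""
    return (nt_path(path), "")


def replace_op(dummy, target):
    """Pair meaning 'move dummy over target, replacing it'. The '!' prefix on the
    destination is how MOVEFILE_REPLACE_EXISTING is recorded in the value."""
    return (nt_path(dummy), "!" + nt_path(target))


def encode_multi_sz(strings):
    """REG_MULTI_SZ: each string NUL-terminated, list terminated by one more NUL, UTF-16LE."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(data):
    """Inverse of encode_multi_sz; empty strings are kept because they mean 'delete'."""
    text = data.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]              # list terminator
    if not text:
        return []
    if not text.endswith("\0"):
        raise ValueError("last string is not NUL-terminated")
    return text[:-1].split("\0")


def encode_pending_ops(ops):
    """Flatten (source, destination) pairs into the value's string list."""
    return encode_multi_sz([s for pair in ops for s in pair])


def decode_pending_ops(data):
    flat = decode_multi_sz(data)
    if len(flat) % 2:
        raise ValueError("odd number of strings: a source without a destination")
    return list(zip(flat[0::2], flat[1::2]))


def describe(op):
    src, dst = op
    if dst == "":
        return f"delete {src}"
    if dst.startswith("!"):
        return f"replace {dst[1:]} with {src}"
    return f"move {src} -> {dst}"


def missing_ops(requested, current):
    """Requested operations no longer queued: the symptom behind Killbox's
    'removed by external process' error, where something clears the value
    between the time it is written and shutdown."""
    present = set(current)
    return [op for op in requested if op not in present]


def read_pending_ops_windows():
    """Read the live value on Windows; winreg already splits REG_MULTI_SZ into a list."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY) as key:
        try:
            flat, _type = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            return []
    return list(zip(flat[0::2], flat[1::2]))


# Constructed scenario: a delete of EGDACCESS.dll and a dummy-replace of
# msclock32.dll were queued (the dummy path is an assumption) ...
REQUESTED = [
    delete_op(r"C:\WINDOWS\system32\EGDACCESS.dll"),
    replace_op(r"C:\WINDOWS\TEMP\dummy.tmp", r"C:\WINDOWS\system32\msclock32.dll"),
]
# ... and this constructed snapshot of the value, read back before shutdown,
# shows that only the first entry survived.
SNAPSHOT = encode_pending_ops(REQUESTED[:1])


def run_demo():
    current = decode_pending_ops(SNAPSHOT)
    return [describe(op) for op in missing_ops(REQUESTED, current)]


if __name__ == "__main__":
    for line in run_demo():
        print("no longer queued:", line)
```

The point of checking the queue rather than trusting the tool's confirmation is that a watchdog process can strip its own entries before shutdown; comparing what was requested against what is still in the value, read back just before the reboot, tells you whether the delete will actually happen.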
     
  41. BlueBob

    BlueBob Private E-2

    HijackThis seemed to go okay, and KillBox netted the EGDACCESS.dll file, but the msclock32.dll file did not appear in blue (and therefore I couldn't check unregister dll) -- anyway I was able to reboot from KillBox.
    Logs attached - msclock still hanging around.

    in the meantime, or rather sometime today, I assume while my wife was on line we picked up a couple of shortcuts on the desktop, both with a lowercase e with a circle around it as the icon -- one is called VizitUs (target is: C:\WINDOWS\system32\rundll32.exe EGDACCESS.dll,OpenAccess C:\Program Files\Instant Access\Dialer\6221634615\index.htm), the other is called NoCreditCard.
    I don't like being naked w/o Ewido or whatever protection I was getting.....where are we going?
    If there is nothing that can get rid of this msclock, I'll quit, throw in the towel and reinstall the system software....at some point I've got to be willing to admit that the spies are winning....
     

    Attached Files:

  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ,

    Try putting this to use: Unlocker 1.65
    Let's see if it proves to be useful. Take a look at the developers home page for info on using it.
     
  43. PhilliePhan

    PhilliePhan Guest

    Hey Chas,

    Did you see that Instant Access has been installed in Program Files? I wonder if it has been there all along?

    The odd thing is, I've seen Ewido remove this baddie and that's why I recommended to BJ that he try it. Surely it would have caught the install, if that were the case . . . .

    PP :)
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Never really studied this thread in detail. I just jumped in here and there. I see way back on the first page Instant Access was shown in an HJT log snippet.

    Perhaps we should have the user look in Add/Remove programs for it to see if it can be uninstalled.
     
  45. BlueBob

    BlueBob Private E-2

    hey guys - I read your postings, didn't know if they were conversations among the Major Geeks or if they were intended for my action as well - but I went ahead and used Add/Remove Programs to get rid of InstantAccess (I did it while still on-line and it looked like that was necessary to get the uninstaller program, which I did despite Windows warnings about unsigned programs). Then I ran HijackThis and followed BJ's instructions from the last time. 3 of the lines were there (the O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1060.dll,InstantAccess was not). And of course, I ran KillBox, with Delete on Reboot and unregister dll (unregister only on the msclock because it was found/in blue and the option was available).
    Here are the logs: this posting the Qoologic and RKTools (note msclock is still here) - the next posting will have the HJT log.
     

    Attached Files:

  46. BlueBob

    BlueBob Private E-2

    here is the HJT log.

    thanks.
     

    Attached Files:

  47. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Since it's been a while, download Ewido Security Suite again and install.

    You MUST get the updates before doing the scan. After you get the updates REBOOT INTO SAFE MODE!

    Once in Safe Mode run a full system scan and remove all found infections. Once the scan is complete, reboot back into normal mode and attach the log.
     
  48. BlueBob

    BlueBob Private E-2

    Here is the Ewido log - from Safe Mode.
    Found msclock32.dll - but past installations of Ewido had detected it, but did not completely remove it - let's hope that this time, newer version, run in safe mode, will do the trick.
     

    Attached Files:

  49. BlueBob

    BlueBob Private E-2

    so, I was curious if we had actually eliminated msclock32.dll and ran the Qoologic Finder and RKFiles tools --- here are those logs ---alas......
     

    Attached Files:

  50. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Something is blocking this if Ewido doesn't remove it, do you have any anti-spyware programs running?

    Also, is Norton disabled while removing the file?
     
