Myclock.info?

[ITnick]

Im throwing this out there to see if anyone has ever heard of this. I just had a user call in complaining that a secure site he nromally visits is now asking him to display nonsecure items. I remoted in, it infact is doing this but if you click Yes it attempts to redirect to a http://myclock.info/fp/index.htm. There is nothing on Google about this accept for one forum post this morning by a fisherman asking what it is. One thing to note is that after clicking yes in the bottom right corner it flashes Waiting for "http://myclock.info/fp/index.htm" the user is on IE7 and running XP pro.

[Dano-dge]

Had same problem - it's an IE add-on. Start IE without add-ons. Then manage add-ons. You will see one that is unknown. Disable it and you are set.

[EmpoweringSolutions]

Note: In my experience, this issue was discovered with IE6 and upgrading to IE8 retained the issue.

Go to IE, and disable these one or two add-ins:

"Discuss" and "Internet Explorer Plugin" The later may show as, "Control name is not available"

I'm not sure if there's anything malicious about this, but disabling these add-ins fixes the symptoms

Alternate solution, don't use IE

~Andrew

Empowering Solutions

[lucas223]

...I'm having this same issue starting yesterday (1/14). I searched the "myclock.info" on google and came up with the same fisherman reference and this forum topic (I've never been to this forum before... just looking for a solution). The fisherman said that he solved it by going back to an old restore point. I may try that or the ideas suggested on this topic although I am not very savvy on the methods discussed. I may also just switch my internet browser to google chrome and ignore the issue. It is very odd. Multiple common sites (amazon, ebay, etc.) ask repeatedly if I want to view secure and non-secure items and then it pauses and shows the myclock.info reference. If I try to close the IE window, it gets erratic and throws up multiple (like 10) mirror tabs of the site I'm on and refuses to close the window. Then I shut down and re-start. - David

[lucas223]

...The suggested solution worked. I'm running Vista / IE 7. Went to Tools / Manage Add Ons and selected disable on the two items mentioned above ("Discuss" and "Internet Explorer Plug-in").... restarted and problem solved. Thanks.

[buybumbye]

Followed the suggested solution.

Go to IE, and disable these one or two add-ins:

"Discuss" and "Internet Explorer Plugin" The later may show as, "Control name is not available"

Restarted IE8 and It worked. Think i'll stick with firefox and stay away from IE8

Thanks!!! it was making me crazy.

[ITnick]

Followed the suggested solution.

Go to IE, and disable these one or two add-ins:

"Discuss" and "Internet Explorer Plugin" The later may show as, "Control name is not available"

Restarted IE8 and It worked. Think i'll stick with firefox and stay away from IE8

Thanks!!! it was making me crazy.

Same thing here, saved us from reimaging a machine, thanks all!

[thx1138]

Ok what I've done to get rid of this beastie because it rescued/reinstalled itself

1) go to Start > Settings > Control Panel > Internet Options and set users home page(s) to about:blank

This way you can launch IE w/o the script running

2) Disable the plugin - note the dll name in the information panel(IE8) - bzhcwci02.dll

3) Opened System32 folder and noted file size with newest date/time at the top

4) After I disabled the plugin and restarted IE I noted the system32 folder refreshed and there was a new dll

5) Got new dll name - uyishz.dll - most likely randomly generated

6) Checked system processes and saw nothing going on out of the ordinary

7) Disabled plug-in, removed internet cache manually

8) Restarted PC - got a warning/error about cannot find C:\Program

9) Task manager after boot shows rundll32 running on its own.

10) Reg search for both DLLs shows this thing uses rundll32 to protect itself from trying to do an unreg.

Get error messages otherwise - believe me - I tried

11) Kill rundll and unreg both dll's

12) Registry searched for both dlls - found keys and exported/deleted

File details on the dlls called it Rox Toolbar Version:1.0.0.1

[ITnick]

A follow-up to my orignal post. It appears that this is a trojan horse today the user called to let us know that Symantec alerted him to deleting a trojan called "bzhcwcio2.dll." Googling turned up few results but it appears this thing was released a short time ago.

[MysteryFCM]

Please note folks. If you are seeing symptoms of this, DO NOT just disable the add-on. Chances are this isn't the only infection onboard.

Get your system checked for infection using the following if you've not already done so.

http://www.malwarebytes.org/forums/index.php?showtopic=9573