Immortal(e-Group Instant Access)bug

e-Group Instant Access & Magic Control Agent bugs keep coming back after I run through removal procedures. I am PC beginner so I don't know all of the terminology yet. However I have followed all of the procedures in the Read& Run me first to the best of my knowledge. My system is a windows 98, I ran the bitdefender online AV scan (clean) then the Trojan scan it found (malware-dialer) I knew the e-Group bug was in there from previous Spybot S&D runs last week. Now with scans run I've disconnected cable (phone line) & rebooted into safe mode. Ran Ccleaner w/ default on windows tab, ran Ad-aware fix all it finds (found 13 e-Groups). Next I ran Spybot S&D (no tea timer) & it found( Connect MFC Application-e-Group Instant Access & Magic Control Agent) I fixed them & immunized. I finished with cw shredder,Kill2Me,& Stinger- all were clean. I did all this rebooted & went back to Read & Run to follow up on prevention and was taken over by some porn page before I could even get support forum loaded. Next I downloaded & ran A-square personal from Trojan Scan & it found (malware-dialer) again as it did on the online scan, clicked fix & all seemed to be okay. I ran through all procedures again & I still can't get rid of it. I had breif communication with one of the staff members through e-mail & they suggested that the problem might be in my start up(msconfig) items. Remember I am a beginner , I'm not sure how or where to approach the start up items. Any input & guidance would be greatly appreciated. I'm not ready to give up yet!

 

I can't say for sure, I mainly just looked at the common name & quantity of test results before I closed each test. If I had I would not have known what it meant. There has also been numerous entries of (slagent).

 

Okay I'm back again, I tried to install " Ewido "but was unable to. I have windows 98 & it required 2000. As far as the other sites http:/www.spy-bot.net & http:/www.2-spyware.com they seem like they may have the answer. I wil confess though, they seemed a little intimidating to me-(a PC beginner). Also now it seems that I'm having to reset my password to enter the forum now. Any other options before I start deleting items that I'm not sure about through the two sites above.

 

I'm still in the fight! Okay Chas, I created the C:\ Program Files\ HJT. Did the HJT scan (got the MD5 Calc. under control) but I'm not sure if I saved the log right. It wound up in my word pad, but I got that to my WinZip file w/out any problem. Heres what happened, (In step 3 of "Running HJT & Posting..." it says ...-save your log file to the default .log extension type. The only option I saw after the scan was just( save log ). After clicking save log a file direction window came up & I got the log to my new HJT folder. I never found any type of " Manage Attachments" button. I'm windows 98 remember & beginner also, please bear with me if my terminology is not proper. Bottom line is that I have the log saved & awaiting further directions for it. HAVE NEW INFO. also, I right clicked start/explore/C;/Program files and found a file in their called (Instant Access) would'nt you know it! In addition to that in C:\Unzipped Files I found e-Group. I dumped & shredded both of them, ran Window Washer by webroot. Thought maybe I was on my way out of this mess & ran Spybot S&D for grins. It found (Magic Control Agent , MFC application, e-Group & Spy Hunter ) I went back to start menu and the Instant Access file had regenerated itself. Let me know if I saved my HJT log right. I think were closing in on the lil rats!

 

Heres the latest, I was able to go into add/remove programs to locate & remove (Instant Access). It had 25 different files in it's folder. Now with the e-Group problems gone I ran Spybot S&D again just to see what was it would find. The only thing it found was (Magic Control Agent) & it seems that it is causing most of the problems. Just as I was coming in here to post, I was again taken over by the Crazy Girls page. I ran the HJT & even though word pad put it in my HJT folder ,it was a .log file . I know that on your last reply you said ("I believe they (win98) do not associate .log files to notepad and you have to do the association yourself.) I know also that you really do not want Wordpad uploaded for logs. I did a practice run through the Manage Attachments & was able to get my Wordpad HJT .log on there but didn't send. What sould I do , can you coach me on .log files to notepad? Should I send Wordpad?

 

Here is the HJT log file

 

Okay Chas, back again. Sorry about that zip file, I have that 2nd HJT log file & will load from Word Pad . Things are looking good On the list of items to fix in your log anaylisis the last item to fix was ( 016-DPF:{E114CD5B-17C-4807-890E-7B1EDF9F2E5E} Five lines up from it I noticed another entry that ended the same way as the last item. It was not on your list to fix, but it had the same definition after all the numbers as the last item. It was ( 016-DPF:{A1C39A2-B274-46DB-89BE-1FBD476B9393} & I checked it to fix also, It looked like part of the same group with ( EGDAccess ) in it. No harm appears to be done by my decision to fix it. As far as performance goes, System is working faster than ever & things seem to be working very well. No sign of the Rats & the Crazy Girls have gone home . It seems that I have had a lot of error notices popping up whenever I close some programs, I don't think it's related to our current issue, just more info. for you. Web settings have been reset & homepage has been set to MajorGeeks(something useful- I agree!). Your next post-" Now let's look for more of MagicControl"--- I opened the DOS promt window & entered all items w/ quotes in place. One said "file missing", all others said "bad command or file name" - then I entered "exit". I was not really sure what I was doing , but I did it even though I rebooted into safe mode to look for the(c:\windows\mc) -(c:\windows\wintrim) & (c:\windows\wincomp) folders, did not find any of them nor did I find the (c:\Program Files\iexplore ). Heres the 2nd HJT log. Private Amatuer Geek is awaiting orders Sir!

 

I saw that the HJT #2 log was encrypted, I have not quite got the hang of this file moving business just yet. Let's try again, I'll call it HJT#3 this time. Just the same , here is the second log.

 

New Info., I've just ran the Zone Alarm online spyware scan & it reported Navpmc-Hacker Tool -- Registry Key-HKEY_CURRENT_USER\Software\mc I'm sure that the (mc) at the end stands for MagicControl right. I remember that when I went to the MC removal sites you referred me to in pg.#2 (your 1st reply to me) that I saw Navpmc as one of the items listed. As far as pg#14("Now let's look for more MagicControl) that's where things are getting unclear for me in using the command prompt window. After entering the items & then entering exit the window just closed. What am I looking for, what is my goal in this step?

 

Okay Chas, I found ( msegcompid.dll ) in c:\ Program Files by using Windows Search & deleted it. Did not find any of the( c:\windows\system\ mc's or win's) by using the Command Prompt. After both of these steps I ran Spybot S&D to see what was going on & found ( Connect MFC Application ,1-entry ) & ( Magic Control Agent, 3-entries ). I rebooted into Safe Mode & repeated everything again ( No Files Found this time ) & Spybot S&D found 1-entry of Magic Control Agent , which seems to be the problem now. It looks as if the file that I found may be a remnant of the e-Group bug which seems to be taken care of. I guessing this because of the _ _(eg) _ _ _ _ .dll in it. Any thoghts on a new approach to Magic Control?

 

Heres the Spybot log.

 

Yes , it showing that it is there. But I can't open it up, it acts like an empty file. We killed it w/ HJT through your instructions on pg#13. I found & treated everything according to all your instructions on pg#22. FYI- When I was running through HJT again, I noticed that the items that had been fixed were going into backup via default settings. Reading in the tutorial I found out that it is possible for spyware scans to pick up those items. I have since deleted them to eliminate this possibility & knowing that we could refer back to my posted logs if we needed any past info. New HJT log below.

 

HEADLINE NEWS: WE HAVE LOCATED THE IMMORTAL INTRUDERS!! In c:\windows\system - I found the whole (yfcbtg) family- (yfcbtg.exe)-(yfcbtg_nav.dat)-(yfcbtg.dat)-(yfcbtg_navps.dat) THEY REFUSE TO BE DELETED !! Also in c:\windows\system- I found, (ejamciltvh.dat) and (ejamciltvh_navps.dat) I've deleted them and it appears to have worked. Ready & Waiting for your thoughts on the next action to take. Have one question for you also, My Zone Alarm Pro trial period ends tommorrow. Should I let it roll into the free standard version or is there another free firewall that you prefer to ZA.

 

Things are lookin good now, it seems that I was able to delete all of the (yfcbtg) stuff after the (ejamciltvh) was gone. As far as looking for other files with similar creation dates, I'm not quite sure how to go about that. If you still think it's neccessary after reviewing the new HJT log you might need to help me understand exactly what I'm looking for. It appears that the files are gone & I assume the dates are gone with them. Unless there in the previously posted log files. See what you think, BY THE WAY - I really appreciate your help & your patience with me through all of this . It has been a good learning experience for me.

 

Forgot the HJT log, here it is. Thanks again, Rayzur

 

I guess it had problems uploading , lets try again here . If not, I'll get back later.

 

Yes I was getting an error message, I will try it again. If it does'nt go through , explain how to post my log inline with your next reply. I am also going to try to attach a Spybot log that I think you need to see. It may not be the right one, but it does have the search results in the opening paragraph. How do I locate something like -HKEY_USERS\.DEFAULT\Software\LanConfig or HKCU\Software\mc. These are just two of 5 or 6 of them. Let me see if I can get it to you.

 

I can't get the Spybot log to upload, but here are some of the items it found. Magic Control Agent- ( HKEY-USERS\.DEFAULT\Software\LanConfig)--Magic Control Agent-(HKEY-USERS\.DEFAULT\Software\mc\SA) --Magic Control Agent-(c:\windows\system\msegcompid.dll) I have looked for this last one since I knoe how to search by clicking Start\Explore\c:\windows etc. but I did not find it there. It was one we deleted a couple of days ago. Don't know why it showed up on todays Spybot scan. In addition the scan found Connect MFC Application-(HKEY-USERS\.DEFAULT\Software\livesvc) How do I approach thes HKEY or HKCU entries ?

 

I was getting vM error notices on them , even though they were .txt files and I even tried to use a .zip file. I was able to send one a few days ago even though it was not the one you wanted. What about this posting inline bus. ,how does that work? And if You can tell me how the Spybot log works I can make sure you get the one you want.

 

Let's see if you get this Spybot log.

 

Okay Chas, I got my updates on Spybot S&D. Ran the scan, no sign of Connect MFC Application this time. Still got that stinking Magic Control Agent though. Heres is the log.

 

There may have been an old log in there. I have just purged all of the old logs as you were replying. Log posted below is fresh.

 

Opps, I missed the safe mode part on that fresh spybot s&d scan. Now heres the updated Spybot S&D with fresh scan in safe made. I just went into c:\windows\system\... to check once more for that (yfcbtg) & there was no sign of it. Now about that new item you were wandering about! Let me print out that page w/ my printer & I look around while waiting for reply. I just tried to attatch the safe mode Spybot log. Manage attatchments says that it is already in this thread. I tried to rename it five differtent ways, I guess it's reading the content as it's uploading & knows that it has it , no matter what I call it. I going to sit tight for a while & let you evaluate the situation

 

New Info! Our (yfcbtg's) may have turned into ( wilrptn's) that you were wondering about on your pg. 41 . What I have now in c:\windows\system\.. is (wilrptns.dat)-(wilrptns_navps.dat)-(wilrptns_nav.dat) & there very unstable, they sit there & flicker.

 

No I have not done the patch in #45 yet, I wanted to update you first before going any further. I'll wait to for your reply on which one to do, pg.45 or pg.47. I would guess 47 , but I'm waiting for confirmation

 

" Magic Control.Agent is out of Control " is what the title of this thread should have been! Let me start by telling you what I did & then what is happening now. In response to your mssg.#49, I created the (fix.MC.reg) patch & put it on desktop. I followed mssg.#47 to the Tee,(wilrptns.exe was not found running by HJT) and I was able to delete all of the (wilrptns') in c:\windows\system. I Pulled The Plug on my PC for that hard shutdown & when I repowered, I went straight to HJT scan & fix(ed) (c:\windows\system\wilrptns.exe) Whether one should have been done before the other I'm not sure. Regardless everything was cleaned up & I had clean Spybot & HJT scans. Went back to windows explore loking for traces of the (wilrptns) w/ none to be found. I went into Add/Remove just to see what was going on there & I found dead files of (ejamciltvh)-(yfcbtg)&(wilrptns) I seem to remember seeing the (yfcbtg) when I was in ther removing "Instant Access" but that was last week & my untrained eye didn't notice it as bogus! Now heres is were it gets sticky, I have just ran secondary Spybot & HJT scans for precautionary measures & Spybot greeted me with (MagicControl)&(Connect MFC Application) again Big Sigh, I went to HJT & guess what is sitting right where all the others were...(HKLM\..\Run\ (cnjukvps) thats right ! this sucker is spawning & its sitting in my Add/Remove right now also. Magic Control is out of Contrl- I'm sending both my scans, I'm sure you will want to see them. Time to pull out the BIG GUNS!