Immortal (e-Group Instant Access) bug

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rayzur, Oct 12, 2005.

  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did it come back before or after you made a connection to the internet?
    Can you pin point exactly when it came back?
    What kind of connection to the internet do you have (dial-up, cable, dsl)? And do you use a router?

    Do the below!

    Generate a StartupList log using HijackThis.
    Run HJT and on the first screen, click the button that says "Open the Misc Tools section". In the next window first select "List also minor sections (full)" and then click the button that says "Generate StartupList log". Click Yes to the "Do you want to continue" prompt. Now a notepad window will come up with the Startuplist.txt file. It is already saved in the directory HJT is running from. So just come back here and upload the file as an attachment to your next message.


    Let's get an installed programs list from HijackThis.
    Run HijackThis, click Open the Misc Tools section
    Click "Open Uninstall Manager"
    Click "Save List" (generates uninstall_list.txt)
    Click Save, copy and paste the results in your next post.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also please download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
     
  3. rayzur

    rayzur Private First Class

    It came back after I made internet connection, I finished all the steps last night & shut it down. Earlier today I went online to get windows updates & other misc. updates. I am a late bloomer, I have (dial-up) and I do not have or use a router.
     

    Last edited by a moderator: Oct 19, 2005
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run WinPfind?

    So cnjukvps is really in the installed program list! What happens if you run Add/Remove programs and try to uninstall it?

    Take a look at the Program Control list in ZoneAlarm and let me know if you see anything strange or that you do not recognize it list.
     
    Last edited: Oct 19, 2005
  5. rayzur

    rayzur Private First Class

    Back again, I got the WinPFind downloaded & I saw the note about it taking "upwards to 30 minutes or more". It ran for 2&1/2 hours and I didn't see any results. Did I do something wrong or is it possible that it could take that long or longer? I did click stop on it & I went on to deleting (cnjukvps) from the Add/Remove tool. That was successful with no evidence left in system files or HJT. I've run Spybot S&D again & it still finds MagicControl.Agent & Connect MFC Application. Out of that log I was able to see - MagicControl.Agent:Library-c:\windows\system\msegcompid.dll - and I went there but could not find it. According to the notes I'm keeping, I show that I found & deleted (msegcompid.dll) according to your things to look for at the end of mssg.#18. I must confess that I am beginning to get frustrated by this full circle situation. Let me know about the WinPFind run time, should it be taking that long?
     
  6. rayzur

    rayzur Private First Class

    Okay, I figured out how to get into the Registry Editor by entering 'regedit'. I found & deleted (HKEY_USERS\DEFAULT\Software\LanConfig) and (HKEY_USERS\DEFAULT\Software\mc). This has been a learning experience for me, I sat down in front of a computer for the first time in my life about two months ago. I figured this out by going back to the Spy-Bot.net site you informed me about in your 1st mssg. In their instructions in the 3rd to the last sentence they prompt me to enter (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run) and then to delete the " cptmgc " entry. Well it wasn't there but something very suspicious was " onduikyvwt ". I didn't touch it, backed out of there and went straight to Add/Remove and there it was. And of course it is in c:\windows\system...also with our familiar extensions of (exe.) - (.nav ) & (_nav.net). Now that I understand the Registry Editor I can go back in there and delete (onduikyvwt) but I have not done so yet. P.S. Also while I was in there I did look for (HKEY_USERS\.DEFAULT\Software\livesvc) but did not find it. It was the source of ( Connect MFC Application ) according to Spybot S&D. If you haven't done so yet check my previous post (??? about WinPFind).
     
  7. rayzur

    rayzur Private First Class

    Still having trouble with WinPFind, all entries have mutated to (olqgy.exe) now.
     
  8. rayzur

    rayzur Private First Class

    I did go back into regedit and delete ( onduikyvwt.exe ) since I said that I hadn't touched it in mssg.#56. That's how it mutated to (olqgy). I see what you mean about needing to get it out of the start up system. At this rate it would just keep me chasing my tail!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Fixing malware problems is like this sometimes until you can find the root of the problem. You have something else hidden that is reinfecting you and that is what we need to find.

    You did not answer my previous question/request:
    I really would like to get Winpfind to run. Not sure why it is taking so long. Try booting in safe mode with networking (if you have that option) but then physically unplug your cable to the internet so nothing can get in or out. Then make sure you do not run anything but WinPfind. See if that helps. If so, post the log.
     
  10. rayzur

    rayzur Private First Class

    Forgot about the Zone Alarm, I just looked in there & did notice something that looked strange to me. It seems to me that a legitimate program would have some info on it. This is something called "dw15"-w/no product name- Last policy\NA- Last modified\invalid date-File size\0kb. No info about what it really is, could that be a bogus file size when actually it may have a file. I'm going to let the WinPFind run as you suggest.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you right click on it and select properties? Does it show where it is located/running from? Have you looked under both the Programs tab and also the Components tab?

    Is there anything unusual under Alerts?
     
  12. rayzur

    rayzur Private First Class

    Okay, I got everything worked out with WinPFind. A file had been lost somewhere along the way in my 1st download of it. Went back to majorgeeks and redownloaded into a fresh folder, scan was completed in 15 minutes. Looking back through Zone Alarm I couldn't find any more info on dw15. I don't think it's anything to be concerned about, I think that it is part of windows programming. I did a "Find Files or Folders" search in C:\ and it did find a (DW15.exe) whose properties included Microsoft. I was unable to Rt. click on dw15 in Z/A to find any properties or Rt. click on anything else either. Zone Alarm Pro trial period has ended & it is Std. Z/A now, I have lost some of the features. Wasn't able to find a Components tab. I'd hate to get bogged down on something that's probably nothing to be concerned about. The WinPFind log should attach below if upload is successful.
     

  13. rayzur

    rayzur Private First Class

    Yes it looks like (dw15) is just a subfolder/file to a program right above it called ( Distributed COM SE..) which is described as Microsoft Operating Systems. There is a subfolder/file similar to it called (Spybot SD.exe) right under Spybot S&D. It is similar in that it shows a 0kb file size, last policy update-N/A, last modified date-(invalid date). All in all Zone/Alarm looks fine! Onward Thru The Fog. ;)
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you are referring to when you say "subfolder/file to a program right above it". What and where are you looking at?

    Do you see the below files:

    C:\WINDOWS\SYSTEM\msplock32.dll <---- delete this
    C:\WINDOWS\Unwash6.exe <--- rename this to Unwash6.xxx
    c:\windows\system\olqgyj.exe <--- this needs to be deleted along with the other files that we have been seeing with these each time.
     
    Last edited: Oct 21, 2005
  15. rayzur

    rayzur Private First Class

    I'm sorry about the confusion, I'll explain what I was trying to say. In the programs list on the programs tab of Z/A's Program Control window, items that are related to one another are next to each other, being that it is a list that goes from top to bottom. If there are two items that are related to each other, one of them is either above or below. All I was trying to say was that dw15 was related to the item that was listed above it, and the item above it was a Microsoft program. I probably never should have even mentioned dw15, but I didn't make the connection that it was a legitimate program till after the fact. Now about the items to delete, just delete them- no safe mode or restarting? Delete in the order you have them listed?
     
  16. rayzur

    rayzur Private First Class

    I have made a test pass through windows explorer & I have located everything that you have listed. And I did notice to RENAME, not to delete, the one item. I'm ready to do all of this if you have no instructions regarding safe mode or restarting.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That list does not necessarily show programs that are related to each other. It is just an alphabetical list.

    Where was dw15 located and running from? Right clicking and selecting Properties should tell you.

    Yes delete and rename in the order listed.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The reason I ask about dw15 is because it is a valid program from Microsoft used for many different applications. It is for Microsoft Application Error Reporting.

    However, malware could easily use the same name and just run from somewhere else.
     
  19. rayzur

    rayzur Private First Class

    This is getting crazy! When I made the test pass through windows explr., all of the (olqgyj) extensions were there: (.exe), (.dat) & (_nav.dat). The first item would not respond to being deleted, I have Webroot "Window Washer" -similar to Ccleaner. The first item only responded to shred&bleach, but it appears to be gone. Renamed 2nd item to ( Unwash6.xxx) no problem. When I went after the (olqgyj)'s, of which there were three in the test pass, the (.dat) was missing & the (exe) refused deletion & shred/bleach. The (_nav.dat) was shredded&bleached. olqgyj is still sitting in Add/Remove, I'm sure if I take it from there we will just be looking for the new mutation.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if olqgyj.exe is running in a HJT process manager list. If so, kill it. Then try deleting it.
    If not, try renaming it to olqgyj.xxx. If it is still there and cannot be stopped or renamed, try the below.

    Locate the olqgyj.exe file with Windows Explorer and right click on it and drag to your Desktop and unclick. Select Move. This moves the file to the Desktop. If this succeeds, try deleting or renaming it now while it is on the Desktop.
     
  21. rayzur

    rayzur Private First Class

    I understand that you are working on several different issues at the same time & it's almost impossible to keep up with the details of every thread. If you will refer back to my mssg.#62 you will see where I stated that I was unable to rt. click on not only dw15, but anything. I guess that when I'm in the Z/A window, my rt. click capabilities are disabled. Now one thing I do remember is that when I did the file search on dw15, I found the file in windows to be (DW15) all capital letters. This may be a clue! Did you see my results in my previous mssg.??
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If the previous does not work, try this.

    Download and install Unlocker

    Accept all the install default settings.

    Now open Windows Explorer and navigate to olqgyj.exe

    And right click on the file name and select Unlocker

    A Window will pop up showing some information about the locked file and which Process Paths are using it. Make sure you write down the info so you can tell me later what you saw. Then click Unlock All. Now kill the process! And then try to delete the file itself using Windows Explorer. Did that work?
     
  23. rayzur

    rayzur Private First Class

    Just tried to download "Unlocker", unsuccessful! It requires Win XP/2K, a file was lost while trying to download to my windows 98. Once again I thought I was closing in on it last night. That renaming of (Unwash6.exe) to (Unwash6.xxx) was not related to the problem, that was the uninstall file for "Window Washer" by webroot. That's ok though, it expired & I uninstalled it anyway. By the way, it has mutated three times now since three series of removal attempts & restarts. It is currently (wjvpycih), after HJT kill process & other deleting efforts I went back through regedit & found the familiar entries of (HKEY_USERS\.DEFAULT\Software\livesvc)-.....(LanConfig)...(mc) and found (wjvpycih) sitting in LOCAL_MACHINE under Run --(HKEY_LOCAL_MACHINE\Software\Windows\CurrentVersion\Run). These are all the things that the Spy-Bot.net website has listed in the things to look for. All in all, I'm still caught in the vicious circle (tail chasing). Growing weary after 2 weeks of MagicControl infection! Maybe if we network this issue to other spyware fighters, we may find someone who has been there/done that. That is if you haven't done so already. Thanks for your ongoing support!
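The pattern rayzur keeps running into is a Run-key executable in C:\WINDOWS\SYSTEM that changes its random-looking name after every removal attempt and travels with .dat and _nav.dat companion files. The triage script below is an added example for this thread, not code from the forum or from any of the tools mentioned; the startup entries, the directory listing and the scoring thresholds are constructed assumptions, and a hit is something to confirm in Process Explorer's Image Path column, not a verdict.

```python
import re

# Constructed sample data modelled on this thread, not taken from the poster's
# logs: one Run entry launching a random-named .exe from C:\WINDOWS\SYSTEM
# next to two ordinary Windows 98 startup entries.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP_ENTRIES = [
    (RUN_KEY, "ScanRegistry", r"C:\WINDOWS\scanregw.exe /autorun"),
    (RUN_KEY, "SystemTray", r"C:\WINDOWS\SYSTEM\SYSTRAY.EXE"),
    (RUN_KEY, "wjvpycih", r"C:\WINDOWS\SYSTEM\wjvpycih.exe"),
]
# Constructed listing of C:\WINDOWS\SYSTEM, including the .dat and _nav.dat
# companions the thread reports beside each renamed executable.
SYSTEM_DIR_LISTING = {
    "kernel32.dll", "systray.exe", "wjvpycih.exe", "wjvpycih.dat",
    "wjvpycih_nav.dat", "msegcompid.dll",
}
SYSTEM_DIR = r"C:\WINDOWS\SYSTEM"
VOWELS = set("aeiou")

def looks_random(stem):
    """Weak signal: consonant-heavy alphabetic stem with a long consonant run;
    catches olqgyj or cnjukvps but also e.g. systray, so worth one point."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 6:
        return False
    if sum(c in VOWELS for c in s) / len(s) > 0.3:
        return False
    return max(len(run) for run in re.findall(r"[^aeiou]+", s)) >= 4

def companions(stem, listing):
    """Companion data files (stem.dat, stem_nav.dat) present in the listing."""
    wanted = {stem + suffix for suffix in (".dat", "_nav.dat")}
    return sorted(wanted & {name.lower() for name in listing})

def score_entry(command, listing):
    """Score one Run-key command line; returns (score, reasons)."""
    # The first token is the executable; a quoted path may contain spaces.
    match = re.match(r'"([^"]+)"|(\S+)', command)
    exe = match.group(1) or match.group(2)
    directory, _, filename = exe.rpartition("\\")
    stem = filename.lower().rsplit(".", 1)[0]
    score, reasons = 0, []
    if directory.upper() == SYSTEM_DIR:
        score += 1
        reasons.append("runs from the Windows system folder")
    if looks_random(stem):
        score += 1
        reasons.append("random-looking file name")
    found = companions(stem, listing)
    if found:
        score += 2
        reasons.append("companion files: " + ", ".join(found))
    return score, reasons

def triage(entries, listing, threshold=3):
    """Entries scoring at or above threshold, highest first, for a person to
    check with Process Explorer (Image Path) before deleting anything."""
    hits = []
    for _key, name, command in entries:
        score, reasons = score_entry(command, listing)
        if score >= threshold:
            hits.append((score, name, command, reasons))
    return sorted(hits, reverse=True)
```

Calling `triage(STARTUP_ENTRIES, SYSTEM_DIR_LISTING)` flags only the wjvpycih entry (score 4); SYSTRAY.EXE scores 2 because it has no companion files, which is why the name heuristic alone is never treated as proof.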
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry I forgot that Unlocker does not support your OS. However the below does.

    Download Process Explorer

    Unzip it and run ProcessExplorer and lets configure some options first:
    Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked. Now click on wjvpycih.exe (or whatever it is called now). Now also under the View menu choose "Select columns" and put a check mark on "Image Path". Now click on File and then Save As. And save the process list. Post it back here as an attachment.

    For a malware fighting company (Webroot) to do something so STUPID in times like this is amazing. You would think that they would be smart enough to keep their own files in their own folders and use names that represent the actual application names.

    Try going to the below website:

    http://www.virustotal.com/flash/virustotal_en.html

    Use the Browse button and navigate to your c:\windows\explorer.exe files and have it scanned for problems. Let me know if anything is found.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In Internet Explorer click Tools, Internet Options, Security tab. and click once on the Trusted Zones icon. Then click the Sites button. Is anything listed in your Trusted Zones?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also try giving the below a run after cleaning up all the files like we had been doing.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixMCA.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixMCA.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
     
  27. rayzur

    rayzur Private First Class

    Here is the "Process Explorer" attachment of the new mutation called (ikdbgfx.exe). I see no sense in my continuing to try to delete this thing only to have it continually changing names. I'm going to the website you referred me to while you look over the P/E attachment.
     

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This process seems to be related to your Mailskinner program! If you trust that program then perhaps you need to leave this alone. Personally if I see a program that renames itself all the time like this, I suspect malware. However perhaps they have another excuse which I would call stupidity.
     
  29. rayzur

    rayzur Private First Class

    No websites listed in trusted zones. I got the " fixMCA.reg " file made & into the registry. ;)
     
  30. rayzur

    rayzur Private First Class

    I have been wondering about that mailskinner program! Remember that I am a beginner & please forgive any ignorance on my part. And I use that word "Ignorance" in its proper context, which simply means that I'm uninformed/uneducated in all areas of PC's. I just assumed that the mailskinner program was related somehow to my AVG A/V as it scanned incoming mail. I did not download that mailskinner of my own free will & if it is the source of my problems then KILL IT I will!
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not necessarily saying Mailskinner is bad. There is no information that directly accuses it of being malware but at this point I do not like what I see. Based on what I see here and have read about it, I suspect it to be something we do not want. Also if you did not install it, I have to wonder where it came from. I have seen some people relate it to similar problems to the ones you have had with eGroup and EdgeAccess. I'm not sure that it has anything to do with MagicControl. I would recommend looking for it in Add/Remove programs and uninstalling it. Then post a new HJT log and tell me if any of these other files we have been seeing with changing names are still around.

    Also did that fixMCA.reg patch help with MagicControl? If not, try it again after uninstalling Mailskinner.
     
  32. rayzur

    rayzur Private First Class

    :) You're the Bomb Chas, words can't describe how much I appreciate your help through all of this! All I can say is, Thank you!-Thank you!-Thank you!! MagicControlAgent is no longer in my life or my computer. I will let the results speak for themselves. When I got rid of "mailskinner", I was able to remove MagicControlAgent -Connect MFC Application & all their mutated little buddies! It is a good feeling knowing that the PC is clean & seeing that (congratulations!) at the end of a Spybot S&D scan. All of this was done while on-line & after the restart. I went back through all of the scenarios that were causing the mutations to make sure all was well. Personally with the experience I've just come out of, I would have to say that "mailskinner" has everything to do with malware. There are several things to do still in the way of follow-up protection I'm sure. I have already replaced the MS java with sun java according to follow up procedures that I thought I was ready for 2 weeks ago. I hope that the info. you gained from this battle will help you in the wonderful work you do of helping others & your zero-tolerance approach to this pathetic world of malware! Thanks again, rayzur from Texas. God bless. P.S. HJT below if you need it FYI
     

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! And yes, now we know where to classify Mailskinner. And they have the nerve to say "No Malware" on their main page.

    Your log is clean but you could just have HJT fix the below two lines:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    If they come back, it is not a problem.

    I assume you are implying that you are following the steps in:

    How to Protect yourself from malware!

    If so, that's great! Because it is the next step.
     
