Can't get rid of CALLINGHOME.biz and MAGIC CONTROL AGENT

Make sure you follow the steps below exactly and then post your HJT log.

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

We need to stop a bad service from running. It is indicated by the below line:

O23 - Service: cfhvttdptdu - Unknown owner - C:\WINDOWS\System32\tdptdu\cfhvt.exe


Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
On the page that opens, scroll down to cfhvttdptdu ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":
cfhvttdptdu

Now exit Hijackthis!

See if you can now locate and delete: C:\WINDOWS\System32\tdptdu\cfhvt.exe
If you cannot delete it now, try it later in step 2 below when you are in safe mode. Let me know the results.

You also have some problems that require some special tools to helps us fix them. First we need to find a bunch of hidden bad files. The steps below will help us do that:

Follow the steps below:

1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

2 - Please EXTRACT all the files form RKFiles Tool to its own folder - C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log after rebooting back to normal mode.


Also get a new Hijackthis log and attach it. That will require you to post in a second message because you can only have two attachments in one message.

 

Yes! Try it in safe mode. Also make sure you have Administrator priviledges.
Either way complete the other steps.

 

Please disable Spybot from running at startup. It could be getting in our way.

Download Pocket Killbox and save it to its own folder where you can find it.

Read thru the below steps and make sure you understand them before starting. Ask questions if you have any before starting.

Run Killbox by double clicking on the killbox.exe file.

Check the following boxes:

Standard File Kill
End Explorer Shell While Killing file

Copy & paste (you must use copy & paste - typing will give an error) the full path of each of the files below (one at a time - see directions after the list) into the Full Path of File to Delete box.
C:\WINDOWS\System32\tdptdu\cfhvt.exe
C:\WINDOWS\SYSTEM32\msclock32.dll
C:\WINDOWS\SYSTEM32\msplock32.dll
C:\WINDOWS\SYSTEM32\nppow.exe
C:\WINDOWS\SYSTEM32\iayeoko.exe
C:\WINDOWS\SYSTEM32\ikfqc.exe
C:\WINDOWS\SYSTEM32\oqasukn.exe
C:\WINDOWS\System32\CQOAXNQ.EXE
C:\WINDOWS\SYSTEM32\nqaro.dll
C:\WINDOWS\SYSTEM32\pbgyeib.dll
C:\WINDOWS\SYSTEM32\qyvug.dat
C:\WINDOWS\AVKNR.DLL
C:\WINDOWS\SYSTEM32\rlnzap.exe
C:\WINDOWS\SYSTEM32\winup2date.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DCTA.EXE

With the full path to the file name in the Full Path of File to Delete textbox. The filename will appear under the box in a blue color to indicate it was found. Now Click the Red X and for the confirmation message that will appear, you will need to click Yes. If the file is successfully delete you will get a message of confirmation. Just click OK!
Do this for each of the files listed. Some will not be deleted. Make sure you keep a list of them.

Now for any files not deleted properly above (the ones you wrote down), do the below (if all of them deleted, skip these steps):
- in Killbox select the option to Delete on Reboot
- uncheck the option to End Explorer Shell While Killing file

Copy & paste the full path of each of the files you could not delete above into the box and then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? You will need to click No (since you are not finished adding all related files in yet).

When you do enter the last file name that needs to be deleted, click Yes on the last file.
Note: Killbox will let you know if the file does not exist.

Okay so now your PC should be reboot. If you get an error message about Pending Operations, just reboot your PC yourself.

After reboot run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - Default URLSearchHook is missing
O1 - Hosts: 216.39.69.102 view.atdmt.com
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rlnzap.exe
O4 - HKLM\..\Run: [cfhvt] C:\WINDOWS\System32\tdptdu\cfhvt.exe
O23 - Service: cfhvttdptdu - Unknown owner - C:\WINDOWS\System32\tdptdu\cfhvt.exe

After clicking Fix, get a new scan from HJT and post it here as an attachment and tell me the results of the above steps.

 

You're log is basically clean. The popup could be due to

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

Do you use Windows Messenger? If not, use the below to disable it:
Disable/Remove Windows Messenger


Post your logs from Ad-aware and/or Spybot that show the problems you mentioned.


Also do the following:

Please download HOSTER and then follow the below steps.

• Unzip Hoster to a convenient folder such as C:\Hoster

• Run Hoster.exe, click Restore Original Hosts and then click OK.
• Click the X to exit the program.

 

Click on the Mode menu selection and select Advanced. Then select Tools and View Report

 

You are not running the proper version of Spybot! I thought you said you ran thru the tutorial. Please get updated. That also does not look like the full info Spybot would report. It normally includes filename and or registry key information. And I have to ask, when you tell Spybot to fix the items what is the exact error message. (Maybe the new version will not have a problem.)

 

You're welcome.