Can't remove MagicControl.Agent-ADW_SLAGENT.A

Spybot S&D reports that I have MagicControl.Agent spyware. PC-cillin is reporting it as ADW_SLAGENT.A -- I understand these are the same thing.

After apparently removing the problem it reappears without rebooting.

I can find and delete the registry keys indicated by Spybot -
[HKEY_USERS\S-1-5-21-790525478-1343024091-268654771-1004\Software\LanConfig]
"LAN"="UP"
and
[HKEY_CURRENT_USER\Software\LanConfig]
"LAN"="UP"

but the keys reappear, again before I reboot.

I have gone through all the steps in " READ & RUN ME FIRST Before Asking for Support" and have attached the logs.

I booted into Safe Mode with no Internet connection and ran the following:

Ccleaner - did not report any problems.

Windows Malicious Software Removal Tool - did not detect anything.

Ad-Aware - did not report any problems.

Spybot Search & Destroy - found MagicControl.Agent. I told S&D to fix it and did another run, it was still showing clean.

Microsoft Antispyware did not report any problems.

I booted into Safe Mode with Network Support and ran the following-

Bitdefender - log saved

Panda ActiveScan – ran but couldn't access the button to save the log.
I ran it again in normal boot mode and saved the log.

After rebooting into normal mode I re-ran Spybot S&D and it again found MagicControl.Agent
Re-ran PC-cillin and it found ADW_SLAGENT.A.

I ran Hijack This and saved the log.

I would be grateful for any advice on how to permanently remove MagicControl.Agent (ADW_SLAGENT.A).
Also the logs show other unresolved problem about which I would appreciate any advice.

Attached logs: Hijack This, ActiveScan, BitDefender.

Thank you
Roger

 

As far as I know I do not have a program named Mailskinner and I have never heard of it. I have searched for it and can't find it. It is not in the Add or Remove Programs list.

I uninstalled my Norton firewall when I installed Trend Micro (PC-cillin) firewall. The WinXP SP2 firewall is not enabled.

HKLM\..\Run: [Sidi] C:\ProgramFilesAllUsers\Sidi\Sidi.exe is a program that locks my CD and DVD trays - it prevents junior from trying to destroy them.

>Are you using a script to create a restore point each time you boot?
>O4 - HKCU\..\Run: [!Shortcut to RestorePoint.vbs] >C:\WINDOWS\RestorePoint.vbs
Yes - I have used it for a year or more with no apparent ill effects.

Yes I installed NetMeter when my ISP imposed a monthly usage cap. Following your advice I will remove it.

Thanks for the advice. However the above do not seem to relate to MagicControl.Agent - ADW_SLAGENT.A spyware.

 

Symantec/Norton
I tried to find and remove the remnants of Symantec/Norton stuff but without success. I can't use SymNRT because it doesn't apply to my versions – Norton AntiVirus 2002 and Norton Personal Firewall 2002. So I followed the procedure on the same link – "Remove programs that cannot be removed with SymNRT" – specifically "Step 3: Use the Windows Installer CleanUp utility". However when I ran it the only Symantec item I could only see in the Windows Installer Clean-Up dialog box was Symantec Network Drivers Update, which I left untouched.

MagicControl Agent
I copied your Quote Box and made the fixMCA.reg file. It seemed to run OK.
I then did another Spybot scan which still showed MagicControl Agent. I ran a TrendMicro scan and again saw ADW_SLAGENT.A. I will attach both logs, but I can't see any reference to MagicControl Agent in Spybot's log. I screen-captured what Spybot flashed up and pasted it into a Word doc, it said MagicControlAgent ---- HKEY_USERS\S-1-5-21-790525478-1343024091-268654771-1004\Software\LanConfig (still there) and HKEY_USERS\S-1-5-21-790525478-1343024091-268654771-1004\Software\mc\SA (can't now locate).

I ran Hijack this and got an installed programs list which I'll attach.

As I was still getting the same reports from Trend and Spybot I ran http://www.trendmicro.com/vinfo/gray..._SLAGENT.A as you suggested.

It says that ADW_SLAGENT.A creates a folder where it drops 2_ MSLAGENT.DLL, MSLAGENT.EXE and UNINSTALL.EXE. I could find either of the first two in Windows folders, though later I found them in the Registry.
I opened the Registry editor, as instructed, but didn't find mslagent.exe in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run . However I found it in [HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603] and in [HKEY_USERS\S-1-5-21-790525478-1343024091-268654771-1004\Software\Microsoft\Search Assistant\ACMru\5603].
I also found 2_mslagent.dll and uninstall.exe in the same places. I exported the keys and then deleted them.

Afterwards I re-ran TrendMicro and Spybot with the same result – i.e. the same problem is still there and if I remove the problem it re-appears.

Thank you for your continuing help.
Roger

 

NetMeter.exe – I did previously uninstall this using Add/Remove programs and it no longer appears in the Add/Remove list. It isn't in my Program Files folder and I can't find any netmeter files (except my saved download) using Windows Search. However it does appear more than once in some Registry keys – shall I delete these?

My Spybot Search & Destroy is now version 1.4 +updates. Once again it reports MagicControl.Agent. It also reported Winfixer tracking cookie. Tried fixing both and re-ran Spybot. Winfixer did not re-appear but MagicControl.Agent did and is still there.

I will attach the log from the first run, when I selected Fix - SpybotSD.Report-Jan6_6.29p.txt, and from the later run - SpybotSD.Report-Jan6_6.50p.txt – when MagicControl has reappeared though Winfixer has not reappeared.

Regarding the Registry keys, I did find HKEY_USERS\S-1-5-21-790525478-1343024091-268654771-1004\Software\LanConfig
but I couldn't find
HKEY_USERS\S-1-5-21-790525478-1343024091-268654771-1004\Software\mc\SA

I have looked again and found [HKEY_CURRENT_USER\Software\LanConfig]
"LAN"="UP"
and [HKEY_USERS\S-1-5-21-790525478-1343024091-268654771-1004\Software\LanConfig]
"LAN"="UP"

I saved and then deleted them but they re-appeared when I re-ran the registry editor.

I still can't find
HKEY_USERS\S-1-5-21-790525478-1343024091-268654771-1004\Software\mc\SA – this was flagged up previously by S&D as part of the problem but this is not happening now.

Roger

 

Silent Runners - ran and log Startup Programs (ROGER-0XVI49MES) 2006-01-07 10.57.10.txt attached.

I notice it has an entry "wolhqexrni" = "c:\windows\system32\wolhqexrni.exe wolhqexrni" [null data]
I think I remember seeing some recent warnings about this from Microsoft AntiSpyware – should I delete it from the Registry?

runhjt.bat – ran and log attached.

Roger

 

Ran runhjt.bat and opened Process Manager. Cannot find C:\windows\system32\wolhqexrni.exe Will attach text file of list. wolhqexrni.exe not found in Windows search.

Found in Registry –
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603\wolhqexrni.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\wolhqexrni
and as above in
HKEY_USERS\S-1-5-21-790525478-1343024091-268654771-1004\Software\Microsoft\Search Assistant\ACMru\5603
HKEY_USERS\S-1-5-21-790525478-1343024091-268654771-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKEY_USERS\S-1-5-21-790525478-1343024091-268654771-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache

Got back to HJT scan screen and checked
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [wolhqexrni] c:\windows\system32\wolhqexrni.exe wolhqexrni
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
Then clicked Fix Check.

Shortly afterwards I saw a System Tray pop-up from MS AntiSpyware that said "An Internet Explorer URL Search Hook ({CFBFAE00-17A6-11D0-99CB-00C04FD64497}) has been added to Internet Explorer and has been automatically allowed. Microsoft AntiSpyware has determined this program to be free of known spyware".

I opened a command prompt window and typed C:\windows\system32\wolhqexrni.exe –uninstall <enter>
Response was "Did you really want to uninstall?" [Yes]
Response was "wolhqexrni has been removed"
Exited command prompt window.

Used Windows Explorer to look for --

c:\windows\system32\wolhqexrni.exe
c:\windows\system32\wolhqexrni.dat
c:\windows\system32\msclock32.dll
c:\windows\system32\msplock32.dll
C:\Program Files\NetMeter <--- the whole folder

None of the above found.

I ran the fixMCA.reg registry patch, then I rebooted into normal boot mode and ran HJT. I will attach the log.

I ran Spybot and it found
MagicControl.Agent: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-790525478-1343024091-268654771-1004\Software\LanConfig

I ran another scan which this time said no threats found.
I rebooted and ran another scan – still said no threats found.

It's starting to look if MagicControl.Agent has been removed, though I'm not sure how.

Attached: HijackThisProcessList21.19-Jan07-06.txt – re first item in message; hijackthis.log – towards end of message.

Roger

 

Ran HJT and fixed
O4 - HKLM\..\Run: [wolhqexrni] c:\windows\system32\wolhqexrni.exe wolhqexrni

Rebooted and ran HJT – the above did not return.

I have run Spybot and Trend Micro PC-cillin again and they do not report any malware.

I disabled System Restore then rebooted and enabled System Restore.

I have worked through "How to Protect yourself from malware!"

Many thanks for your help and advice.

Roger
Hertfordshire UK