Help Removing MagicControl.Agent

Discussion in 'Malware Help (A Specialist Will Reply)' started by princesseyes2000, Feb 2, 2006.

  1. princesseyes2000

    princesseyes2000 Private E-2

    I am finding it really hard to remove MagicControl.Agent. I have used Ad-Aware, Microsoft AntiSpyware, Spybot-S&D, and Panda Active Scan. I tried to use BitDefender but it would close itself out every time. The only program that detects it is Spybot, but it returns during my next scan. I have attached my Hijack This log and the Active Scan log.
     


  2. princesseyes2000

    princesseyes2000 Private E-2

    Sorry for the delay in posting, I was having a few minor issues with the programs but I got that sorted out. Here are the logs you wanted.
     


  3. princesseyes2000

    princesseyes2000 Private E-2

    Unfortunately it is still there. Here is the scan report.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Magic Control Agent requires a couple of tricks to get it removed. There is a hidden process that will not show. If you run HJT from the command prompt, rather than the normal method, it will show.

    Copy the below quoted text into a new notepad document.
    Click File> Save as... and change Save as type to all files, set the File name to runhjt.bat and save it to your Desktop.
    Now execute runhjt.bat by double clicking on it. A new HJT log will come up. The file is already saved in the folder where HJT is run from. This should be C:\Program File\HJT if you followed our directions for installing HJT. Attach this new log. I'm suspecting it will reveal another hidden executable process which is the cause for MCA coming back. HJT is also still running minimized. You can close it.
     
  5. princesseyes2000

    princesseyes2000 Private E-2

    Here is the new HJT log.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I see as expected the hidden process showed itself:

    O4 - HKLM\..\Run: [rxvwfe] c:\windows\system32\rxvwfe.exe rxvwfe

    Hang on while I work up a fix!
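
The comparison made in this post, between the log from a normal HJT run and the one produced through runhjt.bat, can be done mechanically. The following Python script is an added example, not part of the original thread or of HijackThis: it parses the registry-style `O4` autorun lines of two logs and reports entries that appear only in the second. The function names and the two `Example...` entries are constructed for illustration; only the `rxvwfe` line comes from the thread.

```python
import re

# Registry autorun line as HijackThis prints it, e.g.
#   O4 - HKLM\..\Run: [rxvwfe] c:\windows\system32\rxvwfe.exe rxvwfe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse_o4(log_text):
    """Return {(hive, key, value name): command} for each O4 registry line."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[(m["hive"], m["key"], m["name"].lower())] = m["cmd"].strip()
    return entries

def only_in_second(normal_log, cmdline_log):
    """Autorun entries present in the second log but missing from the first."""
    first, second = parse_o4(normal_log), parse_o4(cmdline_log)
    return {k: v for k, v in second.items() if k not in first}

def executable_of(command):
    """Best-effort program path from an autorun command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", command, re.I)
    return (m.group(1) if m else command.split()[0]).lower()

# Constructed sample logs (not real HJT output): the second one adds the
# hidden entry that only showed when HJT was started from runhjt.bat.
NORMAL_LOG = r"""Sample log A (constructed)
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /min
O4 - HKCU\..\Run: [ExampleSync] C:\Program Files\Example\sync.exe
"""
CMDLINE_LOG = NORMAL_LOG + r"O4 - HKLM\..\Run: [rxvwfe] c:\windows\system32\rxvwfe.exe rxvwfe" + "\n"

if __name__ == "__main__":
    for (hive, key, name), cmd in only_in_second(NORMAL_LOG, CMDLINE_LOG).items():
        print(f"{hive}\\{key} [{name}] -> {executable_of(cmd)}")
```

An entry that shows up only in the second log is a candidate for something that hides from the scanner when it is started the usual way, which is what the `rxvwfe` line was here.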
     
  7. princesseyes2000

    princesseyes2000 Private E-2

    I could not find C:\windows\system32\rxvwfe.exe in the process manager and I could not find O4 - HKLM\..\Run: [rxvwfe] c:\windows\system32\rxvwfe.exe rxvwfe when I did the scan in HJT. I also couldn't find c:\windows\system32\rxvwfe.exe
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Use runhjt.bat to run HJT again. Just close the notepad log window when it comes up. Then click on the hijackthis process showing minimized in your system tray. Now you will see the HJT window. Click on the Config button on the lower right. Then click Misc Tools. Then select "Open process manager" on the left-hand side. Look for the following process and kill it by selecting it and then clicking "Kill process". Then click yes.
    c:\windows\system32\rxvwfe.exe

    Now on the far lower right of the window click the Back button (do not click the back button next to the Run button). Now you should be back at the scan screen where we can select the check boxes to fix items. Select each of the below lines and then click Fix checked (make sure no browsers are running before you click Fix):
    O4 - HKLM\..\Run: [rxvwfe] c:\windows\system32\rxvwfe.exe rxvwfe

    Then Exit HJT and continue.

    Now Click Start, Run, and enter cmd and click OK. This will open a command prompt window. At the command prompt enter the below commands each followed by the enter key. Take note of any messages you get from the below and tell me later what it says if anything.
    C:\windows\system32\rxvwfe.exe -uninstall
    exit


    Now use Windows Explorer to look for the below and delete them (tell me what you find):
    c:\windows\system32\rxvwfe.exe
    c:\windows\system32\rxvwfe.dat
    c:\windows\system32\msclock32.dll
    c:\windows\system32\msplock32.dll

    If you find the above files but any of them will not delete, reboot into safe mode and try to delete them again.

    At any rate, whether in safe mode or still in normal boot, run the fix.reg registry patch that D3 gave you in message number 6 again.

    Now reboot again into normal boot mode and attach a new HJT log using runhjt.bat. Also check a Spybot scan and let me know the results. If it finds anything, fix them and run another scan to see if clean.

    Also let me know how all the above steps went and answer my questions about the uninstall and what files were found.
     
  9. princesseyes2000

    princesseyes2000 Private E-2

    I used runhjt.bat to run HJT and c:\windows\system32\rxvwfe.exe is still not in the process list. Should I skip to the next step because it is showing up in the scan window?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should have waited until I posted the fix. The proper method is to use the uninstall command first.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It showed in the previous HJT log. I don't know why it is not showing now. Just continue.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I know but I had said
    I guess you did not notice it due to the times.
     
  13. princesseyes2000

    princesseyes2000 Private E-2

    The Spybot scan has detected it again.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But did you have Spybot fix and then do another scan?

    Post a log from Spybot if still detected after that.

    Then use runhjt.bat again and attach the new log. Leave HJT running.
     
  15. princesseyes2000

    princesseyes2000 Private E-2

    I remembered I had to do a second scan after I had posted that it had been detected again. The second scan came back clean. Thank you both for all your help.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! And I'll tell you what D3 would say if he were here now:

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
