03-07-2006, 11:27 PM   #23
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,697
OS: 2000 Pro; XP Pro; XP Home


OK, here we go....this will take some time, but we should get most of it this time.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

---------------------------------------------------------------------------

I know you have Ewido already. Please update its definitions, and run a scan where I have placed it in this fix.

You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

---------------------------------------------------------------------------

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [ohlyxfprtk] c:\windows\system32\ohlyxfprtk.exe ohlyxfprtk


---------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

---------------------------------------------------------------------------

Run Ewido with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour.

---------------------------------------------------------------------------

Make sure hidden/system files are still visible:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

---------------------------------------------------------------------------

Delete the following Files if they exist:


C:\WINDOWS\SYSTEM32\ohlyxfprtk.dat.ren
C:\windows\system32\ohlyxfprtk.exe.ren
C:\WINDOWS\SYSTEM32\ohlyxfprtk_nav.dat.ren
C:\WINDOWS\SYSTEM32\ohlyxfprtk_navps.dat.ren
C:\WINDOWS\SYSTEM32\msclock32.dll.ren
C:\WINDOWS\SYSTEM32\msplock32.dll.ren

---------------------------------------------------------------------------

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

---------------------------------------------------------------------------

Restart in normal mode.

---------------------------------------------------------------------------

CLEAR & RESET SYSTEM RESTORE'S CACHE

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

---------------------------------------------------------------------------


Run a new HijackThis scan. Save the log file and post it here.

---------------------------------------------------------------------------

Please return with logs from:

Ewido
HJT


---------------------------------------------------------------------------

How many users are on this system, please?

Run Spybot once again...having now removed the hidden process and files, it should be able to fix those now.

---------------------------------------------------------------------------

Please use the instructions on this page to completely uninstall your Norton Products. It can leave tons of junk on your system.

---------------------------------------------------------------------------

Surf as normal for a day, and let me know how you make out....
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
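Added example, not part of tetonbob's post: a read-only PowerShell check that reports whether the Run value and the files named in the post are still present once the steps are done. It assumes the HijackThis abbreviation HKLM\..\Run refers to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; the function name Get-RunValue is made up for this example.

```powershell
# Added example: reports remnants only; nothing is deleted or changed.

# Run-key value from the O4 line in the post (key path expansion is an assumption).
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'ohlyxfprtk'

# Paths exactly as listed in the post, plus the executable the O4 line points to.
$files = @(
    'C:\WINDOWS\SYSTEM32\ohlyxfprtk.dat.ren',
    'C:\windows\system32\ohlyxfprtk.exe.ren',
    'C:\WINDOWS\SYSTEM32\ohlyxfprtk_nav.dat.ren',
    'C:\WINDOWS\SYSTEM32\ohlyxfprtk_navps.dat.ren',
    'C:\WINDOWS\SYSTEM32\msclock32.dll.ren',
    'C:\WINDOWS\SYSTEM32\msplock32.dll.ren',
    'c:\windows\system32\ohlyxfprtk.exe'
)

# Hypothetical helper: returns the value's data, or $null if the value is absent.
function Get-RunValue {
    param([string]$Key, [string]$Name)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    $prop = $props.PSObject.Properties[$Name]
    if ($prop) { return $prop.Value }
    return $null
}

$findings = @()

$data = Get-RunValue -Key $runKey -Name $runValue
if ($null -ne $data) {
    $findings += [pscustomobject]@{
        Type = 'RunValue'; Item = "$runKey [$runValue]"; Detail = $data }
}

foreach ($path in $files) {
    # -Force includes hidden and system files, which the post says to unhide.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $detail = '{0} bytes, modified {1}' -f $item.Length, $item.LastWriteTime
        $findings += [pscustomobject]@{
            Type = 'File'; Item = $item.FullName; Detail = $detail }
    }
}

if ($findings.Count -eq 0) { 'No listed remnants found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```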