Re: Could not delete calsp.dll file detected by HijackThis

Discussion in 'Malware Help (A Specialist Will Reply)' started by monalisa, Aug 28, 2005.

  1. monalisa

    monalisa Private E-2

    Hi,

    Actually before getting your reply I repeated the basic steps for 1 more time and posted the results in my message earlier this afternoon.

    Now after getting your msg, while following the steps suggested by you, when I tried to delete "Windows Overlay Components" using "Delete an NT Service" it said "Service Windows Overlay Components was not found in the Registry. Make sure you entered the shortname of the service., vbExclamation".

    Next, while trying to "Kill Processes" I couldn't find the file C:\Windows\system32\wmuuwo.exe. Neither did I find the following line while scanning with HijackThis.

    O4 - HKLM\..\Run: [olzvvon] C:\WINDOWS\system32\wmuuwo.exe r

    Navigating to the folder, I didn't find C:\WINDOWS\system32\wmuuwo.exe either.

    Now after rebooting I scanned with HJT, saved the log, visited majorgeeks forum, and re-scanned with HJT just to see if the log changes, as I wanted to post both the logs (before & after accessing internet). But there was some problem in uploading the log files.
    So now I am posting only the log that I got after scanning with HJT following the internet access.

    Please let me know: when I need to post a log, should the scanning be done before or after accessing the internet? (I understand even if I scan after accessing the internet, I have to close all browsers, which I ALWAYS follow rigorously.)

    Even this time while posting this msg, I am having "Aurora - part of ABI" popups.

    I appreciate your patience and help. Please let me know what I need to do next.
     

    Attached Files:

  2. monalisa

    monalisa Private E-2

    I am sorry about starting a new thread which I actually did as I was unable to attach the log in the "reply mode".

    I followed your instructions.
    In the safe mode, HijackThis did not find the following entry:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

    And in the following entry the name of the exe file changes with each reboot (I noticed this when I ran HJT at the end after rebooting to normal mode)..!

    O4 - HKLM\..\Run: [yacnwob] C:\Windows\system32\kidzqdk.exe r

    While running killbox.exe, when I clicked YES to reboot after deleting all the files, the message given was:

    "PendingFileRenameOperations Registry Data has been Removed by External Process !"


    After I finally logged into normal mode I started browsing the net to see how things are working. I started having a few popups. So I scanned with HijackThis and the F2 entry and the ".exe r" were again there.

    I repeated your instructions again (I don't know if this decision was wrong). This time at the end of the cleaning process, when I rebooted to normal mode, for a while there were no pop-ups and scanning with HJT showed no F2 or the ".exe r" entries.

    But after browsing for some time, again Aurora popups were back!! I have attached the most recent HJT log (it again has the F2 and ".exe r" entries in it).
    Please let me know what I need to do next.

    Thanks.

    Regards,
    Monalisa
     

    Attached Files:
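
Added example, not part of the original thread: a Python sketch that compares the autostart lines of two HijackThis scans and flags the pattern described in the post above, a Shell value with a program appended after Explorer.exe and a Run entry that reappears under a new name. The two sample scans are constructed from the entries quoted in this thread (the `ExampleTray` entry and the function names are hypothetical).

```python
import re

# Constructed sample scans modelled on entries quoted in this thread;
# they are not the poster's attached logs.
SCAN_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rpinfo.rpi.edu/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [olzvvon] C:\WINDOWS\system32\wmuuwo.exe r
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe"
"""
SCAN_AFTER = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [yacnwob] C:\Windows\system32\kidzqdk.exe r
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe"
"""

O4_RUN = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[(.+?)\] (.+)$")
F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$", re.I)

def autostarts(log):
    """Return {(kind, value_name): command} for O4 Run and F2 Shell lines."""
    found = {}
    for line in log.splitlines():
        line = line.strip()
        if m := O4_RUN.match(line):
            found[("run", m.group(2))] = m.group(3)
        elif m := F2_SHELL.match(line):
            found[("shell", "Shell")] = m.group(1)
    return found

def review(before, after):
    """Flag extra Shell programs and Run entries that rotate between scans."""
    old, new = autostarts(before), autostarts(after)
    findings = []
    for (kind, name), cmd in new.items():
        if kind == "shell" and cmd.strip().lower() != "explorer.exe":
            findings.append(("shell-extra-program", cmd))
        elif kind == "run" and (kind, name) not in old:
            findings.append(("new-run-entry", name, cmd))
    # Entries present in the first scan but gone in the second
    for key in sorted(old.keys() - new.keys()):
        if key[0] == "run":
            findings.append(("vanished-run-entry", key[1], old[key]))
    return findings

if __name__ == "__main__":
    for finding in review(SCAN_BEFORE, SCAN_AFTER):
        print(finding)
```

A Run entry that vanishes while a differently named one appears in the same scan pair indicates that something still running is rewriting the key, so removing the listed file alone will not hold.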

  3. monalisa

    monalisa Private E-2

    I followed the steps that you suggested in your last reply.

    The problem that I faced is that after running ABIremover.exe, when I reboot, run Hoster.exe and then try to "kill process" using HJT Process Manager, the name of the exe file {C:\WINDOWS\system32\xxx.exe} has already changed from the one listed by the HJT scan.

    Secondly, I couldn't find any System Startup Service in the services.msc list. And that list has only names of stuff which are NOT .exe files. So I didn't find the svcproc.exe file either.

    Now moving onto "Delete an NT service", it always gives the msg (I got it earlier too when I was trying to delete "Windows Overlay Components")
    "Service xxx (whatever name I enter) was not found in the Registry. Make sure you entered the shortname of the service.,vbExclamation" and I don't really know the short name of the service!

    Now as I mentioned, since after using ABIremover the Nail.exe file is not there in the HJT log and because of the fact that the name of the exe file in "C:\WINDOWS\system32\xxx.exe" has already changed following the reboot after using ABIremover, at this stage using Killbox.exe gives the msg
    "PendingFileRenameOperation Registry Data has been Removed by External Process". This was the exact msg that I got even yesterday while following the set of instructions sent by you.

    Having gone through all these steps (most of them being unsuccessful because of the above mentioned reasons), when I reboot to normal mode, there aren't any popups for some time but then they are back, and I have the Nail.exe file again in the HJT log as you would see in the file attached.

    Please let me know what effective steps can be followed next.

    By the way, just for your information (it would be helpful for you to analyze the HJT log), the R0 line with rpinfo.rpi.edu is the home page set by me. So it is not a malicious item.

    Awaiting your reply with next set of instructions.

    Thanks.

    Regards,
    Monalisa
     

    Attached Files:

  4. monalisa

    monalisa Private E-2

    Ok, I have done what you said. Ran ABIremover in safe mode and then rebooted to normal mode to run HJT, had it fix a ".exe r" file, scanned with HJT again after fixing that file, and here I am now posting both the logs (HJT scan results before and after fixing the .exe file with HJT).

    Majorgeeks is the only internet site that I am visiting after running HJT.

    Please let me know what I need to do next. Because I am sure, if I log on to any web address the Aurora thing will be back again.

    One more quick qs: Why is it that the reply to this post is not being delivered to the email a/c that is registered with the majorgeeks a/c associated with my name? I was getting an email from majorgeeks until Monday morning, and since then I am NOT receiving any replies to my email a/c.

    Could you please let me know why it is happening this way?
     

    Attached Files:

  5. monalisa

    monalisa Private E-2

    Please suggest something to fix the RECURSIVE AURORA problem

    After killing the process and then having HJT fix the problem, when I opened Pocket killbox it said "File does not seem to exist".

    I rebooted the m/c.

    I scanned with HJT and am posting the log herewith.

    The same exe r file is there just with a different name. It seems it generates a new name each time I scan with HJT after fixing or killing the process.
    It is going on recursively now. I am sure AURORA will be back the moment I even logon to my homepage.

    Please suggest some solution to this RECURSIVELY occurring grave problem.

    The AURORA is ALWAYS THERE now, and results in tons of pop-ups the moment I logon to the internet.
     

    Attached Files:

  6. monalisa

    monalisa Private E-2

    This is the first time that entering the name of an exe file in killbox worked.

    I have attached both the L2MeFix log and HJT log with this message.

    I have not browsed any website except posting this msg since the last scan using HJT, the log from which is attached herewith.
    Awaiting the next set of instructions.

    Thanks.

    Regards,
    Monalisa
     

    Attached Files:

  7. monalisa

    monalisa Private E-2

    Hello,

    It was happy browsing for 2 days. I turned system restore on and was about to write you an email saying that everything looks fine now. The adaware SE didn't find anything, and the HJT log doesn't have Nail.exe or that ".exe r" file either.

    Then starting Friday afternoon (that is yesterday) I started having Aurora again!!!

    I followed your last set of instructions and now got rid of it. But from yesterday's experience, my hunch is that it will be back again.

    Could you please suggest what I can do now? Is there any protection (OTHER THAN the standard ones mentioned in the "Read me first" tutorial) that I can enable? Please suggest.
    It is also not that I visited very many sites. But the problem seems to be back again.

    I appreciate your time, patience and effort.

    Awaiting the next set of instructions.

    Thanks.

    Regards,
    Monalisa
     
  8. monalisa

    monalisa Private E-2

    After a few weeks of peaceful browsing, I started getting popups again, and scanning with HJT showed nail.exe and a ".exe r" file, the same symptoms as before.

    I followed the instructions that you gave earlier, like running ABIRemover, "Kill Process" using Process Manager of HJT, running l2mfix.bat, and "Pocket KillBox".

    I have attached the HJT log and the WinPFind scan log with this email.

    FYI, just a few minutes ago, Symantec Antivirus gave an alert saying "Trojan Horse detected, and quarantined". The HJT log that I have attached is the scan result after I got this notification.

    I am in fact getting pop-ups again.

    Please help me in getting rid of this problem.

    Thanks.

    Regards,
    Monalisa
     

    Attached Files:

  9. monalisa

    monalisa Private E-2

    Can somebody please review HijackThis log file?

    Hello,

    About 2 months ago my computer got infected seriously with spyware and after several communications with the forum the problem appeared to be under control and then I kept getting pop-ups intermittently and finally it got affected by "HackTools" and it crashed and I have to re-install Windows.

    This scared me quite a bit, and after the basic scans I did an HJT scan of my OTHER computer just to save that from what has happened to the first one.

    The major geeks basic rules section says not to upload the HJT log file unless asked for. Hence I am writing this email requesting if somebody can review the logfile from the HijackThis scan.

    I would appreciate it if somebody replies back in the positive.

    Thanks.

    Monalisa
     
  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Post a HJT log as an ATTACHMENT.
     
  11. monalisa

    monalisa Private E-2

    To add to my worries, I have started getting pop-ups on this 2nd computer (laptop) too.

    Though scanning with Ad-Aware cleans some critical objects, on visiting the internet I am having pop-ups again.

    Please advise what to do. I have attached the HJT log file.

    Regards,
    Monalisa
     

    Attached Files:

  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your system does not appear to be infected; your HijackThis log shows no signs of an infection.

    You can uninstall MyWay using Add or Remove Programs in the Control Panel. MyWay comes bundled with Dell computers and is considered Spyware by many.

    Please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, Please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now come back here and post all three logs as attachments.
     
  13. monalisa

    monalisa Private E-2

    Scanning with Panda showed "no threats detected".

    In the control panel, "My way" is displayed but the option to "remove/change" is not active. So I couldn't remove that. Is there any other way to do this?

    I will attach the other log files with this email.

    Please suggest something as I am getting pop-ups & Adware SE is detecting a "critical file"; even though it is saying that the file has been deleted, repeating the scan is again showing the critical file being detected.

    Please help.

    Thanks.

    Monalisa
     

    Attached Files:

    • log.txt (574 bytes)
    • file.txt (4.1 KB)
  14. monalisa

    monalisa Private E-2

    A maximum of 2 files were allowed to attach with the reply. So I am attaching the HJT log with this reply.
     

    Attached Files:

  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    MyWay comes bundled with Dell computers. If there is no option to uninstall from Add or Remove Programs then look for an uninstaller in C:\Program Files\MyWay or similar directory.

    Please do the following:
    Running Ewido Security Suite
     
  16. monalisa

    monalisa Private E-2

    Hello,

    You suggested that I use Ewido Security but you didn't quite comment on the log files that I posted (3 log files attached with 2 msgs).
    Do you think my computer has some malicious objects?

    Please send in your comments.

    I have another problem now:
    Whenever I am typing out (composing) a mail using "Outlook Express" (NOT Microsoft Outlook), all of a sudden the cursor moves to some other line (it just happened even while typing in this msg box!!!) or even another compose msg opens up and the cursor is there then, thus messing up the composition.

    Could it be a virus problem or is it some problem with the keyboard?

    Can you pls advise?

    Thanks.
     
  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your logs aren't showing anything. I requested the Ewido scan because I want to make sure your system is clean. Several viruses lately are using stealth techniques to hide from the normal scans we request.
     
  18. monalisa

    monalisa Private E-2

    Ok.. So here is the scan result. It seems it didn't detect any infection.

    My qs is: should I uninstall this Ewido security or should I leave the Guard ON?

    After I visit websites to listen to music online and similar webpages, I start getting pop-ups. Is there any security measure that you would recommend? (I already have the standard spyware protections / updated Symantec antivirus & Microsoft AntiSpyware installed and running.)

    Please advise.

    Thanks.
     

    Attached Files:

