
So I have this icon of this girl on my C drive. I have scanned it and deleted it in safe mode and regular mode, but it comes right back every time. It changes its name from !apihook to the dl11 each time it comes back. I'm sure it is some kind of porn virus, but I can't get rid of it. She's creepy and I want her gone! What is left for me to do? I have scanned with Trend Micro, Avast, and SpyDoctor. I scan daily and delete daily. I have also used HijackThis and deleted the appropriate files. I also run ZoneAlarm constantly except for when working offline. I'm a CIS student and they haven't taught me this in school. Help! Please give me the education I'm paying the school for!

4 Contributors, 8 Replies, 9 Views, 13 Years Discussion Span, Last Post by Schneisx

Here is my current hijack log. I'm curious if the running process devldr32.exe is a virus. I think it is and have shut it down a few times, but my computer is having a horrible time loading now and I don't know if they are related. As always, thanks for the knowledge use!


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\gtwnnjmp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [hvmyjrjry] C:\WINDOWS\System32\gtwnnjmp.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\system32\64msSPPEor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Corel Network monitor worker - {B397EE6F-E954-4F7B-A3E1-8BC7CEB4C23D} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {B397EE6F-E954-4F7B-A3E1-8BC7CEB4C23D} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Corel Network monitor worker - {B397EE6F-E954-4F7B-A3E1-8BC7CEB4C23D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {B397EE6F-E954-4F7B-A3E1-8BC7CEB4C23D} - (no file) (HKCU)
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - C:\WINDOWS\System32\Emffimon.dll


And I forgot to ask... where are you guys learning how to deal with these viruses? I'm taking a security class next semester, but I still don't think I will be prepared. Are there any certain places on the web you go? Or is it just trial and error? km


Hi. :) First, you left off the top part of your hijackthis log that states your operating system and what version of hijackthis you are running. Make sure you are using version 1.98.2 and post another log including the top part. Also be sure that all other browser windows are closed when you scan.


Oops, that was a sloppy cut/paste... sorry. Here is the newest hijack log.

Logfile of HijackThis v1.98.2
Scan saved at 6:22:26 PM, on 10/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\gtwnnjmp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [hvmyjrjry] C:\WINDOWS\System32\gtwnnjmp.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\system32\64msSPPEor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Corel Network monitor worker - {B397EE6F-E954-4F7B-A3E1-8BC7CEB4C23D} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {B397EE6F-E954-4F7B-A3E1-8BC7CEB4C23D} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Corel Network monitor worker - {B397EE6F-E954-4F7B-A3E1-8BC7CEB4C23D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {B397EE6F-E954-4F7B-A3E1-8BC7CEB4C23D} - (no file) (HKCU)
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - C:\WINDOWS\System32\Emffimon.dll

:o Thanks!


devldr32.exe is part of your Creative Labs Audio.

The Sticky Thread near the beginning of this forum has a link to a HijackThis tutorial, and there are others if you do a search with google.

Google is also one of the best ways to learn about viruses.

I don't have time to review your log now, hopefully someone else will shortly.


Close all windows, scan with HJT, and have it fix the following entries:
O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
(for more info on this one, http://www.giantcompany.com/antispyware/research/spyware/file-multimpp.dll.aspx)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
(more info, http://www.giantcompany.com/antispyware/research/spyware/file-conscorr.exe.aspx)
O4 - HKLM\..\Run: [hvmyjrjry] C:\WINDOWS\System32\gtwnnjmp.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)

Note: the 'more info' links are only there if you want to find out more about these entries.

Go to Add/Remove Programs in your Control Panel and remove these if found:
conscorr
gtwnnjmp

Reboot into Safe Mode, go to C:\WINDOWS and delete this entry, if found:
conscorr.exe
Go to C:\WINDOWS\System32 and delete this entry, if found:
gtwnnjmp.exe

That's all I see, perhaps one of the experts will see something I missed.
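
As an added illustration of the triage the reply above does by hand (this is not code from the thread or from HijackThis), the following Python parses a constructed excerpt of the posted log and flags the cheap signals: entries marked (no file) or (no name), Run keys whose value name or binary is vowel-free gibberish, and whether that binary also appears in the running-process list. The heuristics are assumptions for illustration; they would not catch multimpp.dll, which the reply identified from a vendor database rather than from its name.

```python
import re
# Constructed excerpt modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\gtwnnjmp.exe

O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\multimpp.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [hvmyjrjry] C:\WINDOWS\System32\gtwnnjmp.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
"""
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")        # "O4 - HKLM\..\Run: [name] command"
RUN_RE = re.compile(r"\[([^\]]+)\]\s*(.*)$")      # bracketed Run-key value name, then its command
EXE_RE = re.compile(r'([^\\"\s]+\.exe)', re.I)    # executable basename inside a command line

def parse_hjt(text):
    """Split a HijackThis log into running-process paths and O-section entries."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif (m := ENTRY_RE.match(line)):
            in_procs = False
            entries.append({"section": m.group(1), "body": m.group(2), "raw": line})
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def looks_random(name):
    """Six or more letters with no a/e/i/o/u (hvmyjrjry, gtwnnjmp) is rare in real product names."""
    letters = re.sub(r"[^A-Za-z]", "", name)
    return len(letters) >= 6 and not re.search(r"[aeiou]", letters, re.I)

def triage(text):
    """Return (reason, raw_line) pairs worth a closer look; a triage aid, not a verdict."""
    processes, entries = parse_hjt(text)
    running = {p.rsplit("\\", 1)[-1].lower() for p in processes}
    findings = []
    for e in entries:
        if "(no file)" in e["body"] or "(no name)" in e["body"]:   # points at nothing, or hides its name
            findings.append(("orphan or nameless entry", e["raw"]))
        if e["section"] == "O4" and (m := RUN_RE.search(e["body"])):
            exe = next((x.lower() for x in EXE_RE.findall(m.group(2))), "")
            if looks_random(m.group(1)) or looks_random(exe.rsplit(".", 1)[0]):
                reason = "random-looking Run entry"
                if exe in running:   # the autostart is also a live process right now
                    reason += " (binary is currently running)"
                findings.append((reason, e["raw"]))
    return findings
```

Run on the constructed excerpt it reports the nameless O3 toolbar, the hvmyjrjry/gtwnnjmp.exe Run key (noting the binary is live) and the nameless O9 button, the same entries the reply told the poster to fix.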


I discovered on a Norton scan (safe mode) what I think is the root of the hook.dll/dl11.exe/LDR.exe problem. It's a program called Wnim.dll. When I erased it (Norton couldn't do it), all the above problems went away. (Over a week now.)
Look in \Windows\system32.

I hope this helps.
