
exploit.win32 removal


Re: exploit.win32 removal

Postby rickrogers » Fri May 06, 2011 3:18 pm

Sorry 'bout that (I have one problem - you have thousands!!)
1) None of Windows/Norton, etc. automatic updates will work - can't automatically connect.
2) Opening Explorer can't find the default page (Google)
3) Any link to anything updating/antivirus, etc. comes up with something like "http://licosearch.com/search.php?w&q=XXX XXX" (XXX varies each time), or skips directly to a blank screen with I've been downloading SuperAntispyWare, etc. as you've directed by using a laptop.
I started trying to get rid of the virus by re-loading the PC to the 'as delivered' condition (2006...). You can imagine I'm reluctant to re-install all my working programs, or use the internet even for normal browsing, etc.
rickrogers
 
Posts: 51
Joined: Thu Sep 03, 2009 5:30 pm

Re: exploit.win32 removal

Postby 12056 » Sat May 07, 2011 4:51 am

rickrogers wrote: Sorry 'bout that (I have one problem - you have thousands!!)
1) None of Windows/Norton, etc. automatic updates will work - can't automatically connect.
2) Opening Explorer can't find the default page (Google)
3) Any link to anything updating/antivirus, etc. comes up with something like "http://licosearch.com/search.php?w&q=XXX XXX" (XXX varies each time), or skips directly to a blank screen with I've been downloading SuperAntispyWare, etc. as you've directed by using a laptop.
I started trying to get rid of the virus by re-loading the PC to the 'as delivered' condition (2006...). You can imagine I'm reluctant to re-install all my working programs, or use the internet even for normal browsing, etc.


Please check that the browser and program proxy settings haven't been modified!
If you find that they are set to use a proxy, please remove/disable the setting(s).

Then, please download Kaspersky's virus removal tool and run it.
Do NOT delete any items, instead skip them.
Please post me the results.
Rhett Trappman
MyAntispyware.com Forum Security Team and Moderator
12056
 
Posts: 860
Joined: Sun Apr 25, 2010 9:57 pm

Re: exploit.win32 removal

Postby rickrogers » Sun May 08, 2011 9:24 pm

No proxy set (i.e. none enabled).
Ran Kaspersky - big list... too many incidents to post, maximum characters exceeded: log had 1.9 million characters, only 16000 allowed. Size of file too big to upload (about 1MB). I have posted some samples, hopefully you get the idea - these go through the whole system - 7502 detected. Is there any way to post the full file? Do you need it?

Also - someone seems to be spamming this topic - can these be removed? (I have reported the previous malicious posts)

Autoscan: completed 38 minutes ago (events: 7502, objects: 244985, time: 03:01:36)
8/05/2011 21:19:59 Task completed
08/05/2011 21:19:58 Untreated: Virus.Win32.Nimnul.a c:\Program Files\SUPERAntiSpyware\SASSEH.DLL Skipped by user
08/05/2011 21:19:58 Detected: Virus.Win32.Nimnul.a c:\Program Files\SUPERAntiSpyware\SASSEH.DLL
08/05/2011 21:19:58 Untreated: Virus.Win32.Nimnul.a c:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll Skipped by user
08/05/2011 21:19:58 Detected: Virus.Win32.Nimnul.a c:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
08/05/2011 21:19:48 Untreated: Virus.Win32.Nimnul.a c:\Program Files\SUPERAntiSpyware\SASWINLO.DLL Skipped by user
08/05/2011 21:19:48 Detected: Virus.Win32.Nimnul.a c:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
08/05/2011 21:16:58 Untreated: Virus.Win32.Nimnul.a C:\hp\recovery\wizard\SWR_Wizard.exe Skipped by user
08/05/2011 21:16:57 Detected: Virus.Win32.Nimnul.a C:\hp\recovery\wizard\SWR_Wizard.exe
08/05/2011 21:16:55 Untreated: Virus.Win32.Nimnul.a C:\hp\VINETLINK\VINETLINK.exe Skipped by user
08/05/2011 21:16:55 Detected: Virus.Win32.Nimnul.a C:\hp\VINETLINK\VINETLINK.exe
08/05/2011 21:16:54 Untreated: Trojan.Win32.Diple.itf C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\cdvhpbso.exe Skipped by user
08/05/2011 21:16:54 Detected: Trojan.Win32.Diple.itf C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\cdvhpbso.exe
08/05/2011 21:16:53 Untreated: Trojan.Win32.Diple.itf C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\cdvhpbso.exe Skipped by user
08/05/2011 21:16:53 Detected: Trojan.Win32.Diple.itf C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\cdvhpbso.exe
08/05/2011 21:16:53 Untreated: Trojan.Win32.Diple.itf C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\cdvhpbso.exe Skipped by user
08/05/2011 21:16:53 Detected: Trojan.Win32.Diple.itf C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\cdvhpbso.exe
08/05/2011 21:16:47 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Adobe\Acrobat 7.0\ActiveX\pdfshell.dll Skipped by user
08/05/2011 21:16:47 Detected: Virus.Win32.Nimnul.a C:\Program Files\Adobe\Acrobat 7.0\ActiveX\pdfshell.dll
08/05/2011 21:16:45 Untreated: Virus.Win32.Nimnul.a C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL Skipped by user
08/05/2011 21:16:45 Detected: Virus.Win32.Nimnul.a C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL
08/05/2011 21:16:44 Untreated: Virus.Win32.Nimnul.a C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe Skipped by user
08/05/2011 21:16:43 Detected: Virus.Win32.Nimnul.a C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe
Sample 2:

/05/2011 21:14:02 Untreated: Virus.Win32.Nimnul.a C:\Program Files\HP\HP Software Update\hpwuSchd2.exe Skipped by user
08/05/2011 21:14:01 Detected: Virus.Win32.Nimnul.a C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
08/05/2011 21:14:00 Untreated: Virus.Win32.Nimnul.a C:\Program Files\iTunes\iTunesHelper.exe Skipped by user
08/05/2011 21:14:00 Detected: Virus.Win32.Nimnul.a C:\Program Files\iTunes\iTunesHelper.exe
08/05/2011 21:13:59 Untreated: Virus.Win32.Nimnul.a C:\hp\KBD\kbd.exe Skipped by user
08/05/2011 21:13:59 Detected: Virus.Win32.Nimnul.a C:\hp\KBD\kbd.exe
08/05/2011 21:13:59 Untreated: Virus.Win32.Nimnul.a C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe Skipped by user
08/05/2011 21:13:59 Detected: Virus.Win32.Nimnul.a C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
08/05/2011 21:13:58 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll Skipped by user
08/05/2011 21:13:58 Detected: Virus.Win32.Nimnul.a C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll
08/05/2011 21:13:58 Untreated: Virus.Win32.Nimnul.a C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe Skipped by user
08/05/2011 21:13:57 Detected: Virus.Win32.Nimnul.a C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
Sample 3:

8/05/2011 21:09:06 Detected: Virus.Win32.Nimnul.a D:\TOOLS\windows\creator\ToolsCDLauncher.exe
08/05/2011 21:08:50 Untreated: Virus.Win32.Nimnul.a D:\I386\SYSTEM32\rsaenh.dll Skipped by user
08/05/2011 21:08:50 Detected: Virus.Win32.Nimnul.a D:\I386\SYSTEM32\rsaenh.dll
08/05/2011 21:08:50 Untreated: Virus.Win32.Nimnul.a D:\I386\SYSTEM32\start.exe Skipped by user
08/05/2011 21:08:50 Detected: Virus.Win32.Nimnul.a D:\I386\SYSTEM32\start.exe
08/05/2011 21:08:37 Untreated: Virus.Win32.Nimnul.a D:\I386\SYSTEM32\nvraidco.dll Skipped by user
08/05/2011 21:08:37 Untreated: Virus.Win32.Nimnul.a D:\I386\SYSTEM32\nvuide.exe Skipped by user
08/05/2011 21:08:37 Detected: Virus.Win32.Nimnul.a D:\I386\SYSTEM32\nvuide.exe
08/05/2011 21:08:37 Untreated: Virus.Win32.Nimnul.a D:\I386\SYSTEM32\nvraidservice.exe Skipped by user
08/05/2011 21:08:37 Detected: Virus.Win32.Nimnul.a D:\I386\SYSTEM32\nvraidservice.exe
08/05/2011 21:08:37 Detected: Virus.Win32.Nimnul.a D:\I386\SYSTEM32\nvraidco.dll
08/05/2011 21:08:37 Untreated: Virus.Win32.Nimnul.a D:\I386\SYSTEM32\nvcoi.dll Skipped by user
08/05/2011 21:08:37 Detected: Virus.Win32.Nimnul.a D:\I386\SYSTEM32\nvcoi.dll

Sample 4:
8/05/2011 21:08:10 Untreated: Virus.Win32.Nimnul.a D:\I386\SYSTEM32\Bootini.exe Skipped by user
08/05/2011 21:08:10 Detected: Virus.Win32.Nimnul.a D:\I386\SYSTEM32\Bootini.exe
08/05/2011 21:07:48 Untreated: HEUR:Trojan-Dropper.Script.Generic D:\I386\DRV\APP31051\src\ZH_TW\LSUpdate.htm Skipped by user
08/05/2011 21:07:48 Detected: HEUR:Trojan-Dropper.Script.Generic D:\I386\DRV\APP31051\src\ZH_TW\LSUpdate.htm
08/05/2011 21:07:36 Untreated: HEUR:Trojan-Dropper.Script.Generic D:\I386\DRV\APP31051\src\ZH_HK\LSUpdate.htm Skipped by user
08/05/2011 21:07:36 Detected: HEUR:Trojan-Dropper.Script.Generic D:\I386\DRV\APP31051\src\ZH_HK\LSUpdate.htm
08/05/2011 21:07:32 Untreated: HEUR:Trojan-Dropper.Script.Generic D:\I386\DRV\APP31051\src\ZH_CN\LSUpdate.htm Skipped by user
08/05/2011 21:07:32 Detected: HEUR:Trojan-Dropper.Script.Generic D:\I386\DRV\APP31051\src\ZH_CN\LSUpdate.htm
08/05/2011 21:07:31 Untreated: HEUR:Trojan-Dropper.Script.Generic D:\I386\DRV\APP31051\src\UK\LSUpdate.htm Skipped by user
08/05/2011 21:07:31 Detected: HEUR:Trojan-Dropper.Script.Generic D:\I386\DRV\APP31051\src\UK\LSUpdate.htm
08/05/2011 21:07:28 Untreated: HEUR:Trojan-Dropper.Script.Generic D:\I386\DRV\APP31051\src\SV\LSUpdate.htm

Sample 5

/05/2011 20:55:51 Untreated: HEUR:Trojan-Dropper.Script.Generic D:\I386\DRV\APP05988\static\AR\Chat.htm Skipped by user
08/05/2011 20:55:51 Detected: HEUR:Trojan-Dropper.Script.Generic D:\I386\DRV\APP05988\static\AR\Chat.htm
08/05/2011 20:55:41 Untreated: Virus.Win32.Nimnul.a D:\I386\DRV\APP05988\src\kbd.exe Skipped by user
08/05/2011 20:55:41 Detected: Virus.Win32.Nimnul.a D:\I386\DRV\APP05988\src\kbd.exe
08/05/2011 20:55:41 Untreated: Virus.Win32.Nimnul.a D:\I386\DRV\APP05988\src\Help.exe Skipped by user
08/05/2011 20:55:41 Detected: Virus.Win32.Nimnul.a D:\I386\DRV\APP05988\src\Help.exe
08/05/2011 20:55:40 Untreated: Virus.Win32.Nimnul.a D:\I386\DRV\APP05988\pre_ps2\ps2bat.dll Skipped by user
08/05/2011 20:55:40 Detected: Virus.Win32.Nimnul.a D:\I386\DRV\APP05988\pre_ps2\ps2bat.dll
08/05/2011 20:55:40 Untreated: Virus.Win32.Nimnul.a D:\I386\DRV\APP05988\src\CreateVF.exe Skipped by user
08/05/2011 20:55:40 Detected: Virus.Win32.Nimnul.a D:\I386\DRV\APP05988\src\CreateVF.exe

Sample 6:
/05/2011 20:27:38 Detected: Virus.Win32.Nimnul.a D:\MiniNT\system32\drivers\EtCoInst.dll
08/05/2011 20:27:33 Untreated: Trojan.Win32.Diple.itf D:\MiniNT\system32\shutdownmgr.exe Skipped by user
08/05/2011 20:27:33 Detected: Trojan.Win32.Diple.itf D:\MiniNT\system32\shutdownmgr.exe
08/05/2011 20:27:33 Untreated: Trojan.Win32.Diple.itf D:\MiniNT\system32\MBRmgr.exe Skipped by user
08/05/2011 20:27:33 Detected: Trojan.Win32.Diple.itf D:\MiniNT\system32\MBRmgr.exe
rickrogers
 
Posts: 51
Joined: Thu Sep 03, 2009 5:30 pm
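
Added example (not part of the thread, and not Kaspersky's or the forum's own tooling): the post above could only excerpt a 1.9-million-character scan log because of the 16000-character limit, so this Python script condenses such a log into one entry per infected file, with counts per threat and per top-level folder and a list of files sitting in Startup folders. The line layout is inferred from the excerpt, the function names are hypothetical, and the sample lines are copied from the excerpt, including a truncated timestamp and the same file reported under two spellings.

```python
import re
from collections import Counter

# Lines copied from the log excerpt in the post above.
SAMPLE = r"""8/05/2011 21:19:59 Task completed
08/05/2011 21:19:58 Untreated: Virus.Win32.Nimnul.a c:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll Skipped by user
08/05/2011 21:19:58 Detected: Virus.Win32.Nimnul.a c:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
08/05/2011 21:16:54 Untreated: Trojan.Win32.Diple.itf C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\cdvhpbso.exe Skipped by user
08/05/2011 21:16:54 Detected: Trojan.Win32.Diple.itf C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\cdvhpbso.exe
08/05/2011 21:16:47 Detected: Virus.Win32.Nimnul.a C:\Program Files\Adobe\Acrobat 7.0\ActiveX\pdfshell.dll
/05/2011 20:27:38 Detected: Virus.Win32.Nimnul.a D:\MiniNT\system32\drivers\EtCoInst.dll
08/05/2011 20:27:33 Untreated: Trojan.Win32.Diple.itf D:\MiniNT\system32\MBRmgr.exe Skipped by user
"""

# Assumed layout: <date> <time> <status>: <threat> <path> [Skipped by user].
# The date can arrive truncated by copy/paste ("/05/2011"), so it is not validated.
LINE_RE = re.compile(
    r"^\S*\s+\d{2}:\d{2}:\d{2}\s+(?P<status>Detected|Untreated):\s+"
    r"(?P<threat>\S+)\s+(?P<path>[A-Za-z]:\\.*?)(?:\s+Skipped by user)?\s*$"
)

def parse(log_text):
    """Map lower-cased path -> (threat, path as first seen): one entry per file."""
    objects = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # non-event lines such as "Task completed" are ignored
            # Windows paths are case-insensitive, so PDFShell.dll == pdfshell.dll
            objects.setdefault(m["path"].lower(), (m["threat"], m["path"]))
    return objects

def summarise(objects):
    by_threat = Counter(threat for threat, _ in objects.values())
    # Drive plus first directory, e.g. d:\minint
    by_root = Counter("\\".join(key.split("\\")[:2]) for key in objects)
    startup = sorted(p for _, p in objects.values() if "\\startup\\" in p.lower())
    return by_threat, by_root, startup

def report(log_text):
    """Build a short plain-text summary suitable for pasting into a post."""
    objects = parse(log_text)
    by_threat, by_root, startup = summarise(objects)
    out = [f"Unique infected files: {len(objects)}", "By threat:"]
    out += [f"  {n:6d}  {t}" for t, n in by_threat.most_common()]
    out.append("By location:")
    out += [f"  {n:6d}  {r}" for r, n in by_root.most_common()]
    out.append("In Startup folders (run at logon):")
    out += [f"  {p}" for p in startup]
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE))
```
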

Re: exploit.win32 removal

Postby 12056 » Mon May 09, 2011 1:11 am

links to po*n material? What is this doing here?? Is it possible to delete? Same post name

It looks like a spambot attacked the site, I've since removed the posts, thanks for reporting them!

Go ahead and re-run the scan, but allow it to remove/repair the items.
Rhett Trappman
MyAntispyware.com Forum Security Team and Moderator
12056
 
Posts: 860
Joined: Sun Apr 25, 2010 9:57 pm

Re: exploit.win32 removal

Postby rickrogers » Mon May 09, 2011 1:30 pm

The scan took over 6 hours and found over "14000 events", nearly all .dll or .exe files. It had to "skip" several times, including on shutdown.exe and shutdownmgr.exe. It managed to disinfect/delete all but 9; the "disinfect active threats" section in the log listed these, and included a message "Disinfection on system restart failed". These 9 (and the skipped files) had either Trojan.Win32.Diple.itf or Virus.Win32.Nimnul.a.
The PC auto restarted - I forced it into Safe Mode again, and re-ran the Kaspersky (to check the effect of the malware on the shutdown.exe) - it found around 2000 files in the first 10 minutes - I stopped the programme to report. I have not since re-started (or shut down).
I am reluctant to copy the log file onto the laptop (cross infection?) so have reported as above.
Thanks for removing the spam (again). Rick
rickrogers
 
Posts: 51
Joined: Thu Sep 03, 2009 5:30 pm

Re: exploit.win32 removal

Postby 12056 » Mon May 09, 2011 10:26 pm

As the infection you have is a worm, and a file injector, removal is almost impossible without a reformat!

I can help you and others prevent infections like this if you can send me the actual file that is causing the infection or has been injected with malicious code.
Preferably I would like to have a copy of D:\MiniNT\system32\shutdownmgr.exe or any other file that was not able to be removed e-mailed to me: trappmanrhett@fastmail.fm

Please let me know if you are willing to reformat, or if you need assistance in backing-up your files, etc...
Rhett Trappman
MyAntispyware.com Forum Security Team and Moderator
12056
 
Posts: 860
Joined: Sun Apr 25, 2010 9:57 pm

Re: exploit.win32 removal

Postby rickrogers » Tue May 10, 2011 6:48 pm

Tried to e-mail the files, but was prevented by my internet provider (it suspended my mail account...)

Yes, I am willing to reformat. I have the original set up discs, and have already backed up all relevant files. Should I use the Kaspersky to check the external hard drive where the backup is kept?
Would appreciate assistance in formatting.
Thanks
rickrogers
 
Posts: 51
Joined: Thu Sep 03, 2009 5:30 pm

Re: exploit.win32 removal

Postby 12056 » Tue May 10, 2011 7:58 pm

Oh ok, sorry about that, were you able to get your account reactivated?

The backup was made before the infection occurred, right? Then, there shouldn't be any problems, but a double-check with Kaspersky won't hurt!
Rhett Trappman
MyAntispyware.com Forum Security Team and Moderator
12056
 
Posts: 860
Joined: Sun Apr 25, 2010 9:57 pm

Re: exploit.win32 removal

Postby rickrogers » Wed May 11, 2011 5:29 pm

Email is fine.
Not sure when last back-up was done. Mostly MP3, iTunes settings and documents etc. - will double check antivirus before loading anything back onto PC hard drive after re-install.
Are you able to assist reformatting and installation (I assume the latter is simply inserting the installation CDs and letting it do its stuff)? Do I have to wipe the drives flat first?
rickrogers
 
Posts: 51
Joined: Thu Sep 03, 2009 5:30 pm

Re: exploit.win32 removal

Postby 12056 » Thu May 12, 2011 4:42 am

rickrogers wrote: Email is fine.
Not sure when last back-up was done. Mostly MP3, iTunes settings and documents etc. - will double check antivirus before loading anything back onto PC hard drive after re-install.
Are you able to assist reformatting and installation (I assume the latter is simply inserting the installation CDs and letting it do its stuff)? Do I have to wipe the drives flat first?


The formatting process is exactly how you described it, no need to wipe the drives, the CDs will do that automatically.
I'll be able to assist if needed, but if not I can close the topic. Let me know!
Rhett Trappman
MyAntispyware.com Forum Security Team and Moderator
12056
 
Posts: 860
Joined: Sun Apr 25, 2010 9:57 pm

Re: exploit.win32 removal

Postby rickrogers » Sat May 14, 2011 11:23 am

Unfortunately my external hard drive has also been infected. Kaspersky seems to have cleaned it up, although it keeps coming up with 'read error' on different types of files (or, more accurately, different folders of similar file types).

Have tried to re-install by inserting the System Recovery discs, but there does not seem to be an autorun file anywhere - the CD just sits there. I've searched for likely run / exe files to get it going but no luck. Any advice?
rickrogers
 
Posts: 51
Joined: Thu Sep 03, 2009 5:30 pm

Re: exploit.win32 removal

Postby 12056 » Sat May 14, 2011 3:04 pm

You must go into the BIOS (the first screen that appears when you turn your computer on) and change the boot order to CD first, then hard drive.
Then it will boot off of the CD, and start System Recovery.
Rhett Trappman
MyAntispyware.com Forum Security Team and Moderator
12056
 
Posts: 860
Joined: Sun Apr 25, 2010 9:57 pm

Re: exploit.win32 removal

Postby rickrogers » Sat May 14, 2011 10:53 pm

Thanks. That's sorted. All seems to be fixed apart from a file on my media drive (additional, removable hard drive in PC) which has a file containing W32.Ramnit!html, detected by Norton antivirus, but was unable to remove automatically. Have deleted manually, so hopefully all is OK and post can be closed. Any further issues I'll open a new post.
Thanks. Rick

Glad I could be of assistance, post closed.
Reason: Issue Appears to be Resolved.
Last edited by 12056 on Sat May 14, 2011 11:00 pm, edited 1 time in total.
Reason: Closing Topic
rickrogers
 
Posts: 51
Joined: Thu Sep 03, 2009 5:30 pm
