
[Resolved] win32.parity.b

Discussion in 'Virus & Other Malware Removal' started by Nester, Feb 16, 2003.

Thread Status:
Not open for further replies.
  1. Nester

    Nester Thread Starter

    Joined:
    Mar 1, 2002
    Messages:
    178
    Hi,

    I have just been infected with win32.parity.b. My anti-virus program caught it and it's now been quarantined, but I have just done a search on Google for some information about it and what it does etc., as I am very interested in things like that; however, I can't find one single web site with any information at all on it!

    I have tried all the major sites like Symantec, Norton, McAfee and others, but none have the virus listed.

    Kaspersky Anti-Virus picked it up, but on their site they just tell you what class of virus, trojan or worm you have and not any information about what it does.

    Does anyone know a place to try, or even know anything about it and what it does? Any technical details will do!

    Thank you very much, this site has been of much help to me in the past and all the peeps on it are so helpful, so I would just like to say a big THANK YOU to all in advance!

    Nester
     
  2. steamwiz

    steamwiz

    Joined:
    Oct 4, 2002
    Messages:
    2,773
    Could you please post a link to this page?

    steam
     
  3. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
  4. Nester

    Nester Thread Starter

    Joined:
    Mar 1, 2002
    Messages:
    178
    Thank you for the quick reply!

    I did search on McAfee but must have missed it; sorry, but I have been up all night!! But I'm glad you found it; now I know what it does. There is one very interesting thing I have noticed, and this is from before I got the virus: there are some files on my hard drive like a copy of regedit.exe, but it has the icon of a .com file and is 0 bytes in length. I'm not sure if that is related in any way, but it seems quite peculiar to me. It has been like that for quite a while, but has caused no problems. The strange thing is, if I delete it, it will come back.

    Thank you for your help, and sorry for being so dozy as not to see the page on McAfee!!

    nester

    PS: KAV has quarantined the virus, but does that mean I am alright now, or is there anything else I should do? I have scanned the entire hard drive and it came up clean.
     
  5. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Would you please do the following?

    Go to http://www.spywareinfo.com/downloads.php#startup , and download 'Startuplist'.

    Unzip, double-click it, and it will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

    Go to Edit > Select All, copy it and post the contents here.
     
  6. Nester

    Nester Thread Starter

    Joined:
    Mar 1, 2002
    Messages:
    178
    Thanks for the reply, Tony - here is my start-up list:

    StartupList report, 16/02/2003, 14:51:26
    Detected: Windows ME (Win9x 4.90.3000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL PRO\AVPCC.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL PRO\AVPM.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL PRO\AVPCC.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\ZONE LABS\ZAP\ZAPRO.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\STARTUPLIST.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    PowerReg SchedulerV2.exe
    Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    Shell folders Common Startup:
    [C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
    ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZAP\zapro.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    xxx = c:\xxx.bat
    OfficeGuard RegChecker = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
    AVPCC = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe
    *StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
    AVPCC Service = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service
    TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components

    [{89820200-ECBD-11cf-8B85-00AA005B4395}]
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [>PerUser_MSN_Clean]
    StubPath = C:\WINDOWS\msnmgsr1.exe

    [PerUser_LinkBar_URLs]
    StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    StubPath = "C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}]
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
    StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

    [{89820200-ECBD-11cf-8B85-00AA005B4383}]
    StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present

    --------------------------------------------------

    C:\WINDOWS\WININIT.INI listing:
    (Created 16/2/2003, 9:22:12)

    [RENAME]
    NUL=C:\WINDOWS\COOKIES\INDEX.DAT
    NUL=C:\WINDOWS\TEMPOR~1\INDEX.DAT
    NUL=C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 16/2/2003, 1:15:4)

    [RENAME]
    NUL=C:\WINDOWS\COOKIES\INDEX.DAT
    NUL=C:\WINDOWS\TEMPOR~1\INDEX.DAT
    NUL=C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET BLASTER=A220 I7 D1 H5 P330 T6
    SET CTSYN=C:\WINDOWS
    C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM
    SET windir=C:\WINDOWS
    SET winbootdir=C:\WINDOWS
    SET COMSPEC=C:\WINDOWS\COMMAND.COM
    SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    SET PROMPT=$p$g
    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP

    --------------------------------------------------

    C:\WINDOWS\WINSTART.BAT listing:

    @C:\WINDOWS\tmpcpyis.bat

    --------------------------------------------------

    C:\WINDOWS\DOSSTART.BAT listing:

    C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: *Registry key not found*
    .vbe: *Registry key not found*
    .wsh: *Registry key not found*
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: *Registry key not found*
    .jse: *Registry key not found*

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    PCHealth Scheduler for Data Collection.job

    --------------------------------------------------
    End of report, 8,092 bytes
    Report generated in 0.057 seconds

    StartupList version: 1.31.0
    Started from: C:\WINDOWS\TEMP\STARTUPLIST.EXE

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    Nester
     
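Reading a StartupList report by hand, as Tony does in the next reply, comes down to a few mechanical checks: every `shell\open\command` default for .EXE, .COM, .BAT, .PIF and .SCR should still be the bare `"%1" %*` (or `"%1" /S` for .SCR), because anything inserted in front of `"%1"` would run every time a file of that type is launched, and each Run/RunServices entry should point at a program that lives somewhere expected. The script below is an added example, not part of the thread and not StartupList's own code: it parses the report format shown above and applies those two checks. The input is a constructed, abridged report modelled on Nester's log, with one deliberately altered .EXE association line (the `loader.exe` path is made up for the demonstration) so the check has something to flag; the "trusted roots" and the assumption of a C: drive are also mine.

```python
import re

SEPARATOR = re.compile(r"^-{10,}\s*$")
ENTRY = re.compile(r"^(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$")

# Default shell\open\command values on a clean Win9x/ME install for the
# file types StartupList reports. .HTA is left out because its default
# already contains the platform's mshta.exe path.
EXPECTED_ASSOC = {
    ".EXE": '"%1" %*',
    ".COM": '"%1" %*',
    ".BAT": '"%1" %*',
    ".PIF": '"%1" %*',
    ".SCR": '"%1" /S',
}

# Directories an autorun target is expected to live under (assumption:
# the system drive is C: and programs are installed under Program Files).
TRUSTED_ROOTS = ("c:\\windows", "c:\\program files", "c:\\progra~1")

# Constructed sample: abridged report modelled on the thread's log, with the
# .EXE association line altered so the review has a finding to show.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
xxx = c:\xxx.bat
AVPCC = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = C:\WINDOWS\TEMP\loader.exe "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*
"""


def split_sections(report):
    """Split the report into sections on the dashed separator lines, dropping blanks."""
    sections, current = [], []
    for line in report.splitlines():
        if SEPARATOR.match(line):
            if current:
                sections.append(current)
            current = []
        elif line.strip():
            current.append(line.strip())
    if current:
        sections.append(current)
    return sections


def parse_report(report):
    """Return ([(registry key, name, value)], {extension: (Default) value})."""
    autorun, assoc = [], {}
    for lines in split_sections(report):
        header = lines[0]
        if header.startswith("Autorun entries from Registry:") and len(lines) > 1:
            key = lines[1]  # the line after the header names the registry key
            for line in lines[2:]:
                m = ENTRY.match(line)
                if m:
                    autorun.append((key, m.group("name"), m.group("value")))
        elif header.startswith("File association entry for "):
            ext = header[len("File association entry for "):].rstrip(":").upper()
            for line in lines[1:]:
                m = ENTRY.match(line)
                if m and m.group("name") == "(Default)":
                    assoc[ext] = m.group("value")
    return autorun, assoc


def executable_of(value):
    """Pull the program path out of a command value, honouring a quoted first token."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def review(report):
    """Apply both checks and return human-readable findings for a person to assess."""
    findings = []
    autorun, assoc = parse_report(report)
    for ext, expected in EXPECTED_ASSOC.items():
        actual = assoc.get(ext)
        if actual is not None and actual != expected:
            findings.append(f"{ext} association changed: {actual!r} (expected {expected!r})")
    for key, name, value in autorun:
        exe = executable_of(value).lower()
        subkey = key.split("\\")[-1]
        # Bare names (SysTray.Exe, Rundll32.exe) resolve from the system
        # directory; only full paths outside the trusted roots are flagged.
        if "\\" in exe and not exe.startswith(TRUSTED_ROOTS):
            findings.append(f"{subkey} entry {name!r} runs {exe} outside Windows/Program Files")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_REPORT):
        print(finding)
```

A finding is a prompt for a person, not a verdict: the `c:\xxx.bat` entry is flagged only because it sits outside the usual program directories, and, as the thread goes on to show, it turns out to be the user's own clean-up script. The altered .EXE association, by contrast, is the kind of change that is almost never legitimate and is worth restoring to `"%1" %*` before anything else is run.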
  7. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    You've got the following startup entry:

    xxx = c:\xxx.bat

    Would you please go to Start > Run Msconfig, and uncheck this one on the Startup tab.

    Click OK, reboot, find the C:\xxx.bat file, and open it in Notepad.

    Would you please copy its contents and show them to us?
     
  8. Nester

    Nester Thread Starter

    Joined:
    Mar 1, 2002
    Messages:
    178
    The xxx.bat is what I have created myself and is alright; it just clears my cookies, index.dat etc. Apart from that, do you think everything looks alright?

    I am not sure about the superhidden extensions. The ones that are hidden, should they be? And what about the five registry keys not being found?

    Thanks for your help

    Nester
     
  9. steamwiz

    steamwiz

    Joined:
    Oct 4, 2002
    Messages:
    2,773
    I see you ran your xxx.bat file just before posting your startup list.

    Are you having problems with Visual Basic and JavaScript?

    Tony will be along to answer your questions better than I can.

    steam
     
  10. Nester

    Nester Thread Starter

    Joined:
    Mar 1, 2002
    Messages:
    178
    Steamwiz, no problems with VB or JS; I just never surf with them on. I block everything like that from running, even ads; they are all blocked by the hosts file and my firewall. But VB & JS work fine if I have to enable them to get updates, like from Microsoft.

    The thing with the empty .exe files which are actually .com files has been a mystery to me for a while now. My computer is behaving as normal, but it just seems strange, and seems to me like virus activity; I'm not sure though.

    Does my startup list look ok?

    Thank you all for helping, it's very much appreciated.

    Nester
     
  11. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    The hidden extensions are not a real problem, and if certain registry keys are reported "not found", that just means they aren't there, and can therefore not contain anything malicious either.

    As I said, the log looks pretty good to me. As for these mystery com files, no idea, but as they're 0 bytes in length, you can't really have anything to fear from them.
    I wouldn't lose any sleep over that.
     
  12. Nester

    Nester Thread Starter

    Joined:
    Mar 1, 2002
    Messages:
    178
    Thanks Tony,

    for your help, and thanks to steamwiz; I'm all clear! Whew!

    keep up the good work & may this great site LIVE FOREVER!

    Nester
     
  13. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    You're welcome! :)
     
Short URL to this thread: https://techguy.org/119094