[Resolved] win32.parity.b

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Nester

Thread Starter
Joined
Mar 1, 2002
Messages
178
Hi,

I have just been infected with win32.parity.b. My anti-virus program caught it and it has now been quarantined, but I have just done a search on Google for some information about it and what it does etc., as I am very interested in things like that; however, I can't find one single web site with any information at all on it!

I have tried all the major sites like Symantec, Norton, McAfee and others, but none have the virus listed.

Kaspersky Anti-Virus picked it up, but on their site they just tell you what class of virus, trojan or worm you have and not any information about what it does.

Does anyone know a place to try, or even know anything about it and what it does? Any technical details will do!

Thank you very much. This site has been of much help to me in the past and all the peeps on it are so helpful, so I would just like to say a big THANK YOU to all in advance!

Nester
 
Joined
Oct 4, 2002
Messages
2,773
Originally posted by Nester:

Kaspersky Anti-Virus picked it up, but on their site they just tell you what class of virus, trojan or worm you have and not any information about what it does.

Could you please post a link to this page?

steam
 

Nester

Thread Starter
Joined
Mar 1, 2002
Messages
178
Thank you for the quick reply!

I did search on McAfee but must have missed it; sorry, but I have been up all night!! But I'm glad you found it; now I know what it does. There is one very interesting thing I have noticed, and this is from before I got the virus: there are some files on my hard drive like a copy of regedit.exe, but it has the icon of a .com file and it is 0 bytes in length. I'm not sure if that is related in any way, but it seems quite peculiar to me. It has been like that for quite a while, but has caused no problems; the strange thing is, if I delete it, it will come back.

Thank you for your help, and sorry for being so dozy as not to see the page on McAfee!!

nester

PS: KAV has quarantined the virus, but does that mean I am alright now, or is there anything else I should do? I have scanned the entire hard drive and it came up clean.
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Would you please do the following?

Go to http://www.spywareinfo.com/downloads.php#startup , and download 'Startuplist'.

Unzip it, double-click it, and it will generate a text file that lists all running processes, all applications that are loaded automatically when you start Windows, and more.

Go to Edit > Select All, copy it, and post the contents here.
 

Nester

Thread Starter
Joined
Mar 1, 2002
Messages
178
Thanks for the reply, Tony. Here is my start-up list:

StartupList report, 16/02/2003, 14:51:26
Detected: Windows ME (Win9x 4.90.3000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL PRO\AVPCC.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL PRO\AVPM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL PRO\AVPCC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\ZONE LABS\ZAP\ZAPRO.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
PowerReg SchedulerV2.exe
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZAP\zapro.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
xxx = c:\xxx.bat
OfficeGuard RegChecker = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
AVPCC = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
AVPCC Service = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service
TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components

[{89820200-ECBD-11cf-8B85-00AA005B4395}]
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[>PerUser_MSN_Clean]
StubPath = C:\WINDOWS\msnmgsr1.exe

[PerUser_LinkBar_URLs]
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = "C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}]
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{89820200-ECBD-11cf-8B85-00AA005B4383}]
StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:
(Created 16/2/2003, 9:22:12)

[RENAME]
NUL=C:\WINDOWS\COOKIES\INDEX.DAT
NUL=C:\WINDOWS\TEMPOR~1\INDEX.DAT
NUL=C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 16/2/2003, 1:15:4)

[RENAME]
NUL=C:\WINDOWS\COOKIES\INDEX.DAT
NUL=C:\WINDOWS\TEMPOR~1\INDEX.DAT
NUL=C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET BLASTER=A220 I7 D1 H5 P330 T6
SET CTSYN=C:\WINDOWS
C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

@C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: *Registry key not found*
.vbe: *Registry key not found*
.wsh: *Registry key not found*
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: *Registry key not found*
.jse: *Registry key not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

PCHealth Scheduler for Data Collection.job

--------------------------------------------------
End of report, 8,092 bytes
Report generated in 0.057 seconds

StartupList version: 1.31.0
Started from: C:\WINDOWS\TEMP\STARTUPLIST.EXE

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Nester
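The report above is what StartupList prints; the helpers then read it by eye for three things: Run-key entries that launch from somewhere other than the Windows or Program Files trees (the c:\xxx.bat line), file-association commands that differ from the stock `"%1" %*` defaults, and superhidden extensions with no shortcut-arrow overlay. As an added example that is not part of this thread or of StartupList itself, here is a small Python script that applies those same three checks to a report file. The report text inside it is a constructed excerpt in StartupList's format, including one deliberately altered .BAT association with a placeholder file name so the association check has something to find; the list of trusted directory trees is an assumption for this example and should be tuned to the machine being reviewed.

```python
"""Triage a StartupList report (added example; not StartupList's own code).

SAMPLE_REPORT is a CONSTRUCTED excerpt in StartupList's format. The .BAT
association in it was altered on purpose (PLACEHOLDER.EXE is a placeholder).
"""
import re

SAMPLE_REPORT = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
xxx = c:\xxx.bat
AVPCC = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\PLACEHOLDER.EXE "%1" %*

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.shs: HIDDEN!
.vbs: *Registry key not found*
.scf: HIDDEN! (arrow overlay: NO!)
"""

SEPARATOR = re.compile(r"^-{10,}\s*$", re.M)

# Stock shell\open\command values as shown in the clean report above.
EXPECTED_ASSOC = {".EXE": '"%1" %*', ".COM": '"%1" %*', ".BAT": '"%1" %*',
                  ".PIF": '"%1" %*', ".SCR": '"%1" /S'}

# Trees an autorun entry is expected to launch from (assumption for this example).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def split_sections(report):
    """Cut the report at its dashed separators into (title, non-blank body lines)."""
    sections = []
    for chunk in SEPARATOR.split(report):
        lines = [l.rstrip() for l in chunk.strip().splitlines() if l.strip()]
        if lines:
            sections.append((lines[0], lines[1:]))
    return sections


def launch_target(value):
    """First token of a Run value: the quoted or unquoted program path."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    return value.split()[0] if value else ""


def check_autoruns(sections):
    """Run/RunServices entries whose program lives outside the trusted trees."""
    flagged = []
    for title, body in sections:
        if not title.startswith("Autorun entries from Registry") or not body:
            continue
        key = body[0]                      # the registry key line follows the title
        for line in body[1:]:
            name, _, value = line.partition(" = ")
            target = launch_target(value)
            # Bare names (SysTray.Exe) resolve via PATH; there is no directory to judge.
            if "\\" in target and not target.lower().startswith(TRUSTED_ROOTS):
                flagged.append((key, name.strip(), target))
    return flagged


def check_file_associations(sections):
    """shell\\open\\command values that differ from the stock defaults."""
    mismatches = []
    for title, body in sections:
        m = re.match(r"File association entry for (\.\w+):", title)
        if not m:
            continue
        ext = m.group(1).upper()
        for line in body:
            if line.startswith("(Default) = "):
                actual = line[len("(Default) = "):].strip()
                expected = EXPECTED_ASSOC.get(ext)
                if expected is not None and actual != expected:
                    mismatches.append((ext, actual, expected))
    return mismatches


def check_superhidden(sections):
    """Hidden extensions with no confirmed arrow overlay, and keys that are absent."""
    result = {"hidden_without_overlay": [], "key_absent": []}
    for title, body in sections:
        if not title.startswith("Checking for superhidden extensions"):
            continue
        for line in body:
            ext, _, status = line.partition(": ")
            if "Registry key not found" in status:
                result["key_absent"].append(ext)   # nothing there, so nothing to inspect
            elif status.startswith("HIDDEN!") and "arrow overlay: yes" not in status:
                result["hidden_without_overlay"].append(ext)
    return result


def triage(report):
    """Run all three checks over one report and collect the findings."""
    sections = split_sections(report)
    return {"autoruns": check_autoruns(sections),
            "associations": check_file_associations(sections),
            "superhidden": check_superhidden(sections)}


if __name__ == "__main__":
    for heading, findings in triage(SAMPLE_REPORT).items():
        print(heading, findings)
```

On the constructed report the script reports the `xxx = c:\xxx.bat` entry (root of C:, outside the trusted trees), the altered .BAT association, `.shs` and `.scf` as hidden without a shortcut-arrow overlay, and `.vbs` as a key that is simply absent, which matches the reading given later in the thread: a missing key holds nothing and needs no further attention, while a flagged Run entry is worth opening and reading, as Tony asks for xxx.bat. To use it on a real report, replace SAMPLE_REPORT with the file's contents.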
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
You've got the following startup entry:

xxx = c:\xxx.bat

Would you please go to Start > Run Msconfig, and uncheck this one on the Startup tab.

Click OK, reboot, find the C:\xxx.bat file, and open it in Notepad.

Would you please copy its contents and show them to us?
 

Nester

Thread Starter
Joined
Mar 1, 2002
Messages
178
The xxx.bat is what I have created myself and is alright; it just clears my cookies, index.dat etc. Apart from that, do you think everything looks alright?

I am not sure about the superhidden extensions: the ones that are hidden, should they be? And five of the registry keys not being found?

Thanks for your help

Nester
 
Joined
Oct 4, 2002
Messages
2,773
I see you ran your xxx.bat file just before posting your startup list.

Are you having problems with Visual Basic and JavaScript?

Tony will be along to answer your questions better than I can.

steam
 

Nester

Thread Starter
Joined
Mar 1, 2002
Messages
178
Steamwiz, no problems with VB or JS; I just never surf with them on. I block everything like that from running, even ads; they are all blocked by the hosts file and my firewall. But VB & JS work fine if I have to enable them to get updates, like from Microsoft.

The thing with the empty .exe files which are actually .com files has been a mystery to me for a while now. My computer is behaving as normal, but it just seems strange and seems to me like virus activity; I'm not sure though.

Does my startup list look ok?

Thank you all for helping; it's very much appreciated.

Nester
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
The hidden extensions are not a real problem, and if certain registry keys are reported "not found", that just means they aren't there, and can therefore not contain anything malicious either.

As I said, the log looks pretty good to me. As for these mystery .com files, no idea, but as they're 0 bytes in length, you can't really have anything to fear from them.
I wouldn't lose any sleep over that.
 

Nester

Thread Starter
Joined
Mar 1, 2002
Messages
178
Thanks Tony,

for your help and thanks to steamwiz, i'm all clear! whew!

keep up the good work & may this great site LIVE FOREVER!

Nester
 