
Solved: eAcceleration and Win32.Parite.2 virus

Discussion in 'Virus & Other Malware Removal' started by ShiVER, Aug 2, 2006.

Thread Status:
Not open for further replies.
  1. ShiVER

    ShiVER Thread Starter

    Joined:
    Mar 2, 2006
    Messages:
    67
    My computer has been infected with the Win32.Parite.2 virus. This virus seems to
    infect any and all .exe programs that you run. It also likes to rename [anything].exe
    to [anything].exe_eac_qt_

    Below is a snippet eAcceleration support sent to me: (Note the statement in bold)
    ------------------------------------------------------------------------------------------------

    Your scan results show an infection on your machine that needs
    special care to remove. Because the infection attacks most common
    executable files you might need to reinstall some programs on
    the computer.

    Follow these steps to remove the infections on the machine.
    There are five steps to this cleaning process:

    1. Uninstalling StopSign
    2. Running Windows System File Checker (SFC)
    3. Reinstalling StopSign
    4. Activating StopSign
    5. Running a scan and submitting scan results.

    After your scan results have been received and evaluated, you will
    receive further instructions if necessary.


    ------------------------------------------------------------------------------------------------

    What are these 'further instructions'? The exact same instructions. In other words,
    they sent me the same instructions AFTER I went through steps 1-5 and sent them
    the scan results, believing that they would send me a custom cleaner.

    :mad: :mad: :mad: :mad: :mad: :mad: :mad: :mad: :mad: :mad: :mad: :mad: :mad:

    Thank you sooo much, eAcceleration. Your product is so satisfactory [/sarcasm] and
    I will be sure to strongly recommend others to [not] use your product! (y)

    For now, I am trying Panda Software's free Antivirus Activescan and will post the
    results. I am open to any other recommendations!
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    EAcceleration is junk remove it

    Click here to download HJTsetup.exe:

    http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item5
    Scroll down to the download section

    Save HJTsetup.exe to your desktop.

    Double click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\Hijack This.
    Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
    Put a check by Create a desktop icon then click Next again.
    Continue to follow the rest of the prompts from there.
    At the final dialogue box click Finish and it will launch Hijack This.
    Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    Click Save to save the log file and then the log will open in notepad.
    Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    Come back here to this thread and Paste the log in your next reply.
    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. ShiVER

    ShiVER Thread Starter

    Joined:
    Mar 2, 2006
    Messages:
    67
    MFDnNC, thank you. Until now I've been afraid of HJT, but the anger I feel towards e*
    gives me the energy to give HJT a try. As for Panda Software's Antivirus Activescan:

    I have:
    47 virus infections, 6 spyware/adware/other infections
    all virus infections are Win32.Parite.2 virus.

    Panda Software's Antivirus Activescan found:
    17 virus infections, 31 spyware/adware/other infections
    they want $29.95 for their product................... Exactly.

    Any recommendations for a reliable Antivirus program to complement HJT?
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Get the free AVG 7 install it, check for updates and run a full scan

    AVG 7 - http://free.grisoft.com/freeweb.php/doc/2/
    ===============

    Hijack is very safe when you follow directions - do not try to do fixes yourself
     
  5. ShiVER

    ShiVER Thread Starter

    Joined:
    Mar 2, 2006
    Messages:
    67
    You have my gratitude MFDnNC! *looks up http://free.grisoft.com/freeweb.php/doc/2/*



    --------------------------------------------------------------------------------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 2:26:19 PM, on 8/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
    C:\Program Files\eAcceleration\Station\station.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {B753C7C5-0942-4b7f-BC27-942B52BDAC66} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
    O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
    O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
    O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
    O9 - Extra 'Tools' menuitem: Block This Page - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139462455546
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145037598812
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D1557F0C-0D93-4CDF-A5D6-185AB8DD77ED}: NameServer = 64.136.28.120 64.136.20.120
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
    O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Windows Media Connect Service (WMConnectCDS) - Unknown owner - C:\Program Files\Windows Media Connect 2\wmccds.exe (file missing)
     
  6. ShiVER

    ShiVER Thread Starter

    Joined:
    Mar 2, 2006
    Messages:
    67
    AVG 7 - 16.5 megs! But it looks good. I'll have to disconnect now to free up the phone...
    More later on Win32.Parite.2...
    I don't think Win32.Parite.2 == Win32.Parite.B...
     
  7. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Ouch Dial-Up!!!!!!!!!!!!!!!

    Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
    · Install ewido.
    · Run the application
    · Click on Scanner
    · then select the "Settings" tab.
    · Once in the Settings screen click on "Recommended actions" and then select "Delete".
    · Under "Reports"
    · Select "Automatically generate report after every scan"
    · Un-Select "Only if threats were found"
    · Click Complete System Scan and the scan will begin.
    · When the scan is finished, Set all items to delete
    · Apply all actions
    · look at the bottom of the screen and click the Save report button.
    · Save the report to your C: Drive
    This will take some time to run!
    RE-Boot
    Post that log and a new HiJack log
     
  8. ShiVER

    ShiVER Thread Starter

    Joined:
    Mar 2, 2006
    Messages:
    67
    Okay, Ewido found more spyware/adware. HJT report seems about the same. I'll dl
    AVG 7 in two hours and scan with that, being sure to send the report. This
    Win32.Parite.2 is really bad and I'm afraid to do anything on my computer until
    it is dead like the cockroaches on RAID commercials. :eek:
    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 7:09:41 PM 8/2/2006

    + Scan result:



    C:\Documents and Settings\nick\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][1].txt -> TrackingCookie.Addynamix : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][3].txt -> TrackingCookie.Adrevolver : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][1].txt -> TrackingCookie.Bridgetrack : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][1].txt -> TrackingCookie.Burstbeacon : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][1].txt -> TrackingCookie.Clickhype : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][1].txt -> TrackingCookie.Com : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][1].txt -> TrackingCookie.Com : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected]www.gamefaqs.com[1].txt -> TrackingCookie.Com : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][2].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][1].txt -> TrackingCookie.Ru4 : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][1].txt -> TrackingCookie.Serving-sys : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][2].txt -> TrackingCookie.Serving-sys : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][1].txt -> TrackingCookie.Specificclick : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][1].txt -> TrackingCookie.Statcounter : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][2].txt -> TrackingCookie.Valueclick : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\nick\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.


    ::Report end

    ==========================================================

    Logfile of HijackThis v1.99.1
    Scan saved at 7:11:37 PM, on 8/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
    C:\Program Files\eAcceleration\Station\station.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {B753C7C5-0942-4b7f-BC27-942B52BDAC66} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
    O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus
    O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
    O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
    O9 - Extra 'Tools' menuitem: Block This Page - {24BE56F9-F0B6-4ac7-97F1-8CACEDA9A427} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139462455546
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145037598812
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
    O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Windows Media Connect Service (WMConnectCDS) - Unknown owner - C:\Program Files\Windows Media Connect 2\wmccds.exe (file missing)
     
  9. ShiVER

    ShiVER Thread Starter

    Joined:
    Mar 2, 2006
    Messages:
    67
    From http://old.antivir.ru/english/inf/virus.php?id=262
    ==========================================================
    Virus name: Win32.Parite.2

    Added to Dr.Web virus base
    December 08, 2002, 21:07 MSK - add-on to version 4.29


    Aliases:
    W32/Pate.b, W32.Pinfi, PE_PARITE.A, W32/Parite-B, W32/Pate-B, W95/Parite.B, Win32.Parite.b, W32/Parite.B, W32/Parite.B, W32/Pate.b.tmp


    Virus type:
    network worm


    Affected platforms:
    Windows 95/98/Me/NT/2000/XP


    Infection signs:

    presence of a file with a .TMP extension and a random name made of alphanumeric symbols in the Windows\Temp folder
    presence of the following key in the system registry
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF

    Virus description:
    Win32.Parite.2 is a memory-resident file infector, which affects computers running under Windows 95/98/Me/NT/2000/XP operating systems. Its main binary component is written in Borland C++ and is UPX-packed. The size of the virus is 176,128 bytes.

    The virus is capable of spreading across shared drives of the local network.
    It infects files with .EXE and .SCR extensions on infected computers and in the local network. The virus appends its viral code, thus increasing their length by 176,128 bytes.


    System infection:
    Once released on the infected computer, the virus drops into the Windows\Temp folder a randomly named dynamic library file, the name of which consists of alphanumeric symbols and a .TMP extension.
    To mark its presence in the system, in order to avoid repeated infection, the virus creates a mutex named "RESIDENTED".

    The worm adds the value
    PINF to the Windows system registry key
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\

    At the beginning of the file infection process the worm creates an additional section at the end of the file and then appends its viral code to it, thus increasing its length by 176,128 bytes.

    The worm infects all executables on the infected machine. It also spreads across shared resources with write permission. As a result, nearly all executables on such shares may become infected in no time.



    From http://www.viruslist.com/en/viruses/encyclopedia?virusid=20925
    ==========================================================
    Virus.Win32.Parite.b
    Other versions: .a
    Aliases:
    Virus.Win32.Parite.b (Kaspersky Lab) is also known as: Win32.Parite.b (Kaspersky Lab), W32/Pate.b (McAfee), W32.Pinfi (Symantec), Win32.Parite.2 (Doctor Web), W32/Parite-B (Sophos), Win32/Parite.B (RAV), PE_PARITE.A (Trend Micro), W32/Parite (H+BEDV), W32/Parite.B (FRISK), Win32:BackDoor-Servu (ALWIL), Win32/Parite (Grisoft), Backdoor.FtpUServ.A (SOFTWIN), W32/Parite.B (Panda), Win32/Parite.B (Eset)
    Description added: Jan 17 2005
    Behavior: Virus
    Technical details


    This parasitic memory resident virus is functionally identical to Win32.Parite.a. It differs from Parite.a only in the key that it creates in the system registry:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]
    http://www.drweb.com/
    claims to have an answer...
    more later...
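The two indicators quoted above (an .EXE/.SCR that grew by a trailing section of 176,128 bytes, and a PE library dropped into the Temp folder under a random .TMP name) can be checked from a script without any vendor scanner. The following Python is an added example written for this thread, not code from the thread, from Dr.Web or from Kaspersky; the last-section size heuristic, the file names, and the constructed PE images it runs on are assumptions for demonstration. It does not look for the PINF registry value, since that needs a live Windows registry.

```python
"""Parite-style file-infector triage, an added example for this thread (not code from
the thread, Dr.Web or Kaspersky).  It checks the two indicators quoted above: an
executable that gained a trailing section of 176,128 bytes, and a PE image parked in
the Temp folder under a .TMP name.  build_pe only exists so the demo runs offline."""
import os
import struct
import tempfile
from typing import List, Optional, Tuple

PARITE_APPEND_SIZE = 176_128   # appended-code size from the quoted description
SECTION_HDR = 40               # size of one IMAGE_SECTION_HEADER
COFF_HDR = 24                  # "PE\0\0" signature plus the 20-byte COFF header


def pe_sections(data: bytes) -> Optional[List[Tuple[str, int, int]]]:
    """Return [(name, SizeOfRawData, PointerToRawData)] or None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + COFF_HDR > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + COFF_HDR + opt_size
    sections = []
    for i in range(num_sections):
        off = table + SECTION_HDR * i
        if off + SECTION_HDR > len(data):
            return None            # truncated section table: not a usable image
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_off = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_size, raw_off))
    return sections


def looks_parite_infected(data: bytes) -> bool:
    """Heuristic from the quoted write-up: the last section is exactly the
    appended-code size and sits at the very end of the file."""
    secs = pe_sections(data)
    if not secs or len(secs) < 2:
        return False
    _, raw_size, raw_off = secs[-1]
    return raw_size == PARITE_APPEND_SIZE and raw_off + raw_size == len(data)


def scan_tree(root: str) -> List[str]:
    """Paths of .EXE/.SCR files under root that match the infection heuristic."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".exe", ".scr")):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    if looks_parite_infected(fh.read()):
                        hits.append(path)
    return sorted(hits)


def pe_files_named_tmp(temp_dir: str) -> List[str]:
    """.TMP files in temp_dir that are really PE images (the dropped library)."""
    hits = []
    for fn in os.listdir(temp_dir):
        path = os.path.join(temp_dir, fn)
        if fn.lower().endswith(".tmp") and os.path.isfile(path):
            with open(path, "rb") as fh:
                if pe_sections(fh.read()) is not None:
                    hits.append(fn)
    return sorted(hits)


def build_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Constructed, non-runnable PE32 image; only the fields the parser reads are set."""
    e_lfanew, opt_size = 0x40, 224          # 224 = PE32 optional header size
    table = e_lfanew + COFF_HDR + opt_size
    data_start = table + SECTION_HDR * len(sections)
    hdr = bytearray(data_start)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, e_lfanew + 4, 0x14C, len(sections))  # i386, count
    struct.pack_into("<H", hdr, e_lfanew + 20, opt_size)
    body, offset = bytearray(), data_start
    for i, (name, payload) in enumerate(sections):
        off = table + SECTION_HDR * i
        hdr[off:off + 8] = name.ljust(8, b"\0")[:8]
        struct.pack_into("<II", hdr, off + 16, len(payload), offset)
        body += payload
        offset += len(payload)
    return bytes(hdr) + bytes(body)


CLEAN_PE = build_pe([(b".text", b"\x90" * 64), (b".data", b"\0" * 32)])
# Constructed stand-in for an infected file: the same image plus an appended
# section of the documented size (the section name is arbitrary, not the virus's).
INFECTED_PE = build_pe([(b".text", b"\x90" * 64), (b".data", b"\0" * 32),
                        (b".added", b"\xCC" * PARITE_APPEND_SIZE)])


def demo() -> dict:
    """Lay out constructed files in a temp tree and run both checks over it."""
    root = tempfile.mkdtemp(prefix="parite_demo_")
    temp = os.path.join(root, "Temp")
    os.mkdir(temp)
    for rel, blob in [("notepad.exe", CLEAN_PE), ("ssaver.scr", INFECTED_PE),
                      ("Temp/a1b2c3.tmp", INFECTED_PE), ("Temp/log.tmp", b"plain text")]:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(blob)
    return {"infected": [os.path.basename(p) for p in scan_tree(root)],
            "tmp_droppers": pe_files_named_tmp(temp)}


if __name__ == "__main__":
    print(demo())   # {'infected': ['ssaver.scr'], 'tmp_droppers': ['a1b2c3.tmp']}
```

The size check is deliberately narrow: a clean binary whose last section happens to be exactly that size would also be flagged, so treat the hits as a review list rather than a verdict. The Temp-folder check is the stronger of the two, since a legitimate .TMP file is rarely a complete PE image.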
     
  10. ShiVER

    ShiVER Thread Starter

    Joined:
    Mar 2, 2006
    Messages:
    67
    SOLVED !!!

    SpIDer Guard (found at http://www.drweb.com/) is the personal nemesis of
    Win32.Parite.2 !!! It was very satisfying to watch Dr. Web administer the long-
    awaited, painful end to this little monster. My only regret is that SpIDer Guard
    automatically closed itself after the scan, preventing me from getting a record
    of the extermination process. But I did watch and saw easily more than a
    hundred, perhaps two hundred or even more cases of Win32.Parite.2 infections
    cured, as well as a few other viruses I was unaware of.

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF

    I could not find this registry key (seen above) that is created by the virus and can
    only assume that SpIDer Guard fixed it or it was never created. My infection came
    from a cd-R that was burned sometime in 2005.

    Note on SpIDer Guard and Dr. Web: The program prefers that no other antivirus
    programs are on the system. To me, it was worth it. My system is only minorly
    damaged (exe's renamed, name of computer changed, ATI needs re-installation)
    but at least the virus is gone and I can move on to recovering what I can. You
    will have to restore your .exe files by removing the unwanted extensions.

    search: *.exe._eac_qt to find them
     
  11. ShiVER

    ShiVER Thread Starter

    Joined:
    Mar 2, 2006
    Messages:
    67
    Correction:

    The extension

    _eac_qt_

    was added to files that were quarantined by eAcceleration.
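Putting the quarantined files back under their original names, as the two posts above describe, is a bulk rename that is easy to get wrong when an original name is already in use. The following Python is an added example, not eAcceleration's or the thread's code. It assumes the quarantine step only appended the literal suffix `_eac_qt_` to the original file name (the thread spells the suffix a few ways; this is the form given in the correction), it previews by default, and it never restores a file on top of an existing one.

```python
"""Undo the quarantine renaming described in the post above.  Added example,
not eAcceleration's or the thread's code.  Assumes the quarantine step only
appended the literal suffix "_eac_qt_" to the original name.  Dry-run by
default, and a file is never restored over an existing one."""
import os
import tempfile
from typing import List, Tuple

QUARANTINE_SUFFIX = "_eac_qt_"   # assumed literal suffix, per the correction post


def plan_restores(root: str, suffix: str = QUARANTINE_SUFFIX) -> List[Tuple[str, str, str]]:
    """Return (quarantined_path, restored_path, status) for every file under root
    that carries the suffix; status is "ok" or "conflict" (original name in use)."""
    plan = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if not fn.endswith(suffix) or len(fn) == len(suffix):
                continue
            src = os.path.join(dirpath, fn)
            dst = os.path.join(dirpath, fn[:-len(suffix)])
            plan.append((src, dst, "conflict" if os.path.lexists(dst) else "ok"))
    return plan


def apply_restores(plan: List[Tuple[str, str, str]], dry_run: bool = True) -> List[str]:
    """Rename the "ok" entries (only when dry_run is False); return the restored paths."""
    restored = []
    for src, dst, status in plan:
        if status != "ok":
            continue               # leave conflicts for a human to resolve
        if not dry_run:
            os.rename(src, dst)
        restored.append(dst)
    return restored


def demo() -> dict:
    """Constructed quarantine folder: two renamed programs, one of them a name conflict."""
    root = tempfile.mkdtemp(prefix="restore_demo_")
    for rel in ("game.exe_eac_qt_", "tool/setup.exe_eac_qt_", "tool/setup.exe", "readme.txt"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"MZ")        # content is irrelevant to the rename logic
    plan = plan_restores(root)
    preview = apply_restores(plan)                 # dry run: nothing changes on disk
    done = apply_restores(plan, dry_run=False)     # real run
    return {
        "planned": [(os.path.relpath(s, root), st) for s, _, st in plan],
        "previewed": len(preview),
        "restored": [os.path.relpath(d, root) for d in done],
        "game_exe_exists": os.path.exists(os.path.join(root, "game.exe")),
        "conflict_left_alone": os.path.exists(os.path.join(root, "tool", "setup.exe_eac_qt_")),
    }


if __name__ == "__main__":
    print(demo())
```

Run the preview first and read the plan: anything marked "conflict" means a file with the original name already exists, and that copy is the one to compare against before deciding which to keep. Run the restore only after the cleaning pass has finished, since the quarantined files are the ones the product flagged.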
     
Short URL to this thread: https://techguy.org/488861