Re-occuring problem

[NeruS]

Hi, I'm new to the boards.  I did a google search to find this place, hopefulyl it can help me wiht my issues.  I recently discovered that alot of virus' was in my C:\ drive.

So I did the normal avast search, deleted most of them except for 2.  It said that they could not be deleted.  One file was ashQuick.exe (which was located in one of the avast program ffile folders ironicly enough)  And another one was a .tmp file extension which I can't seem to remember.

However, whenever I try to use avast now, most of my .exes do not load.  It does a browse  search or is replaced by my disk cleanup.  I am not sure if avast is planting virus', or what but now I can't seem to uninstall avast.  Plus, it won't delete the virus that it has.

I tried ad-aware, and it found 115 virus', but still couldn't detect the two that seems to be corrupting most of my programs.

If anyone is having the same problems, please reply back and/or IM me on my aim : CM Punk AAR.  Thanks

[inthewildteam]

Welcome to the forums,

can you supply more information please?

your os
avast version and update info
infected file names and location

[NeruS]

Yes, and thank you for the warm hearted welcome.

OS: Windows XP Home Edition

Avast 4 anti-virus  protection

File location and names:

C:\Program Files\Alwil Software\Avast4\ashQuick.exe

I can't remember the other one but that is the main one that is causing the problem


And plus whenever i use my aim now, whenever I try to put up an away message, it makes this fast clicking sound then it closes the application.  These problems started to occur  last night.

[Eddy]

ashQuick.exe is the quick scanner from Avast. From the info you provided it looks like you at least have a virus that infects applications on install. I suggest you click on the link in my signature and follow all steps on that page. Instead of scanning with Avast I would say scan with at least two online scanners. Take your time to read that page and do the things as explained there. Let us know the status when you are finished.

[NeruS]

Ok, I tried to run the first one that they mentioned  avg) and they detected the main virus was Win32/Parite.  It keeps infecting everything, and it;s infecting my browsers, and i Have to keep re-installing them.  I'm not sure if that's the main virus, but avg is detecting that's what's  infecting everything

[NeruS]

And here's a log of my files from hi-jack this:

Logfile of HijackThis v1.98.2
Scan saved at 12:42:47 PM, on 8/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJTanalyzer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gamefaqs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [SysService32] C:\WINDOWS\systask32l.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Prein] C:\DOCUME~1\Ray\LOCALS~1\Temp\app11.tmp
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://activation.rr.com/install/download/tgctlcm.cab

[Eddy]

I suggest you click on the link in my signature, get the HijackThis Log Analyzer and see what it tells you. Also copy/paste your log file HERE and see what that tells you. After doing so, create a new log and tell us what things you don't know or still have problems/doubts about.

[NeruS]

It won't let me use Hi-jack this now, because the win32/Parite virus has now infected it and it won't le tme run nor uninstall it to re-install hijack this.  This is the virus that is infecting everything and it's not getting deleted/can't be deleted

[Eddy]

Ok, lets aproach it differently. Run one or two online scanners and make sure you enable the "repair/fix" option when running them to at least get rit of the most harmfull things. Let us know the result after you finished them.

ps: HJT can be run from a (boot)floppy as well as can mine HJT log analyzer.

WE ARE GONNA NAIL THIS BASTERD(!)

Oh and I almost forgot: Welcome to this board!

[NeruS]

Hi-jack this doesn't seem to know what's infected and what's not, I figured out how to work it again, but it keeps saying my aim isn't infected and that it's safe when I uninstalled my aim awhile ago when it was infected.

I just need to find someway how to get rid of this win32/Parite virus.  

[NeruS]

I used every single thing on the link you gave me, and it has still not got rid of it.  I think this is a new virus because I have never heard of it before.

[NeruS]

Ok it's infecting everything now except for th ebrowser, it even got into my memory and infected it, luckily I got it out before it did any damage.  It's lurking on almost every file and has corrupted it.  I can't click on anything except for the browser without it saying virus found win32/Parite virus found

It's not letting me uninstall anything now. And I had to be quick because it seems to be timed and infects everything rather quickly before you can fix it.  This is one of the worse virus' I have evr had (worse than the sasser)  And I am not exaggerating at all.  It won't let me re-install anything.  

This is pissing me off. </rant>  Sorry, and thanks for all the help .  I really  do appreciate it

[Eddy]

Hi-jack this doesn't seem to know what's infected and what's not

True, HiajckThis is not a tool that tells you what is harmfull or not. But it does show a lot of information and it is up to you as user to decide what to remove or keep.

I think this is a new virus because I have never heard of it before.

No it is not a new malware. It could be there is a new version of it, but that is not likely. Parite aka Pinfy aka Pate is a memory-resident polymorphic virus that will infect the .EXE and .SCR files and is known since october 2001.

I used every single thing on the link you gave me, and it has still not got rid of it.

Sounds to me applications on your system are infected when installing them. That means that you can't trust them to work properly.

On the Avast website you can ask for a demo/trial version of the BART cd. Although it is a demo/trial version it is fully functioning. Only time period limitation. Get that one and use a clean system to create the cd. Use that to clean/delete at least the majority of the infection.

[NeruS]

Ugh, those bastards turned me down.  You have to fill out this ofrm and they turne dme down *sighs*.  Thanks for your help though.  if you find another way please inform me

[whocares]

Hi,

just get the Cleaner from www.avast.com (download it on another CLEAN PC, and transfer it to your PC on a CD or write-protected floppy)

or try downloading & saving it as .COM or .SCR-file (read instructions.. !!!)

(run the Cleaner at least twice.. maybe 2nd time in safeMode-F8-Boot)

that should take care of it..
*

a Board-search, or the link "VirusRemoval" below shouldl give you lots of other advice and Tools against PARITE