Re-occurring problem

Hi, I’m new to the boards. I did a Google search to find this place, hopefully it can help me with my issues. I recently discovered that a lot of viruses were in my C:\ drive.

So I did the normal avast search, deleted most of them except for 2. It said that they could not be deleted. One file was ashQuick.exe (which was located in one of the avast program file folders, ironically enough). And another one was a .tmp file extension which I can’t seem to remember.

However, whenever I try to use avast now, most of my .exes do not load. It does a browse search or is replaced by my disk cleanup. I am not sure if avast is planting viruses, or what, but now I can’t seem to uninstall avast. Plus, it won’t delete the virus that it has.

I tried ad-aware, and it found 115 viruses, but still couldn’t detect the two that seem to be corrupting most of my programs.

If anyone is having the same problems, please reply back and/or IM me on my aim : CM Punk AAR. Thanks

Welcome to the forums,

can you supply more information please?

your os
avast version and update info
infected file names and location

Yes, and thank you for the warm hearted welcome.

OS: Windows XP Home Edition

Avast 4 anti-virus protection

File location and names:

C:\Program Files\Alwil Software\Avast4\ashQuick.exe

I can’t remember the other one but that is the main one that is causing the problem

And plus whenever I use my aim now, whenever I try to put up an away message, it makes this fast clicking sound then it closes the application. These problems started to occur last night.

ashQuick.exe is the quick scanner from Avast. From the info you provided it looks like you at least have a virus that infects applications on install. I suggest you click on the link in my signature and follow all steps on that page. Instead of scanning with Avast I would say scan with at least two online scanners. Take your time to read that page and do the things as explained there. Let us know the status when you are finished.

Ok, I tried to run the first one that they mentioned (avg) and they detected the main virus was Win32/Parite. It keeps infecting everything, and it’s infecting my browsers, and I have to keep re-installing them. I’m not sure if that’s the main virus, but avg is detecting that’s what’s infecting everything.

And here’s a log of my files from hi-jack this:

Logfile of HijackThis v1.98.2
Scan saved at 12:42:47 PM, on 8/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJTanalyzer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gamefaqs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM..\Run: [SysService32] C:\WINDOWS\systask32l.exe
O4 - HKLM..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [Prein] C:\DOCUME~1\Ray\LOCALS~1\Temp\app11.tmp
O4 - HKLM..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM..\Run: [DeadAIM] rundll32.exe “C:\Program Files\AIM\DeadAIM.ocm”,ExportedCheckODLs
O4 - HKLM..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://activation.rr.com/install/download/tgctlcm.cab

I suggest you click on the link in my signature, get the HijackThis Log Analyzer and see what it tells you. Also copy/paste your log file HERE and see what that tells you. After doing so, create a new log and tell us what things you don’t know or still have problems/doubts about.

It won’t let me use Hi-jack this now, because the win32/Parite virus has now infected it and it won’t let me run nor uninstall it to re-install hijack this. This is the virus that is infecting everything and it’s not getting deleted/can’t be deleted.

Ok, let’s approach it differently. Run one or two online scanners and make sure you enable the “repair/fix” option when running them to at least get rid of the most harmful things. Let us know the result after you finished them.

ps: HJT can be run from a (boot)floppy, as can my HJT log analyzer.

WE ARE GONNA NAIL THIS BASTERD(!) :smiley:

Oh and I almost forgot: Welcome to this board!

Hi-jack this doesn’t seem to know what’s infected and what’s not, I figured out how to work it again, but it keeps saying my aim isn’t infected and that it’s safe when I uninstalled my aim awhile ago when it was infected.

I just need to find someway how to get rid of this win32/Parite virus.

I used every single thing on the link you gave me, and it has still not got rid of it. I think this is a new virus because I have never heard of it before.

Ok it’s infecting everything now except for the browser, it even got into my memory and infected it, luckily I got it out before it did any damage. It’s lurking on almost every file and has corrupted it. I can’t click on anything except for the browser without it saying virus found win32/Parite virus found.

It’s not letting me uninstall anything now. And I had to be quick because it seems to be timed and infects everything rather quickly before you can fix it. This is one of the worst viruses I have ever had (worse than the sasser), and I am not exaggerating at all. It won’t let me re-install anything.

This is pissing me off. Sorry, and thanks for all the help. I really do appreciate it.

“Hi-jack this doesn’t seem to know what’s infected and what’s not”

True, HijackThis is not a tool that tells you what is harmful or not. But it does show a lot of information and it is up to you as user to decide what to remove or keep.

“I think this is a new virus because I have never heard of it before.”

No it is not a new malware. It could be there is a new version of it, but that is not likely. Parite aka Pinfy aka Pate is a memory-resident polymorphic virus that will infect the .EXE and .SCR files and is known since October 2001.

“I used every single thing on the link you gave me, and it has still not got rid of it.”

Sounds to me applications on your system are infected when installing them. That means that you can’t trust them to work properly.

On the Avast website you can ask for a demo/trial version of the BART cd. Although it is a demo/trial version it is fully functioning. Only time period limitation. Get that one and use a clean system to create the cd. Use that to clean/delete at least the majority of the infection.
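Since HijackThis only lists entries and leaves the judgement to the reader, a first pass over the O4 (startup) lines can at least sort them for manual review. This is an added example, not part of the original thread or of HijackThis: the two heuristics and all function names are assumptions for illustration, and a hit means the entry deserves a closer look, not that it is malicious. The sample lines are copied from the log posted earlier in the thread.

```python
import re
from ntpath import dirname, splitext

# O4 = autostart entries. Accepts "HKLM\..\Run" and the "HKLM..\Run" form
# that appears in the pasted log.
O4_RE = re.compile(r'^O4 - (HK\w+)\\?\.\.\\(\w+): \[(.+?)\] (.+)$')
LAUNCHABLE = {'.exe', '.com', '.scr', '.bat', '.cmd'}  # assumption: usual Run targets
PARITE_TYPES = {'.exe', '.scr'}                        # file types named in the thread

def target_path(command):
    """Program path from a Run command line, arguments stripped."""
    command = command.strip()
    if command[0] in '"\u201c':                        # straight or curly opening quote
        return re.split('["\u201d]', command[1:], maxsplit=1)[0]
    m = re.match(r'(.+?\.\w{2,4})(?=\s|$)', command)
    return m.group(1) if m else command

def triage(line):
    """Return a dict for an O4 Run line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    path = target_path(m.group(4))
    folder, ext = dirname(path).lower(), splitext(path)[1].lower()
    reasons = []
    if re.search(r'\\temp(\\|$)', folder):
        reasons.append('starts from a Temp directory')
    if ext not in LAUNCHABLE:
        reasons.append('unusual extension ' + (ext or '(none)'))
    return {'name': m.group(3), 'path': path, 'look_closer': reasons,
            'parite_infectable': ext in PARITE_TYPES}

# Lines copied from the log earlier in the thread.
SAMPLE = r'''
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [Prein] C:\DOCUME~1\Ray\LOCALS~1\Temp\app11.tmp
O4 - HKLM..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gamefaqs.com/
'''

def review(log_text):
    """Triage every O4 Run line in a pasted log; other lines are skipped."""
    return [r for r in map(triage, log_text.splitlines()) if r]

if __name__ == '__main__':
    for r in review(SAMPLE):
        flags = '; '.join(r['look_closer']) or 'no heuristic hit'
        print(f"{r['name']:10} {r['path']}  ->  {flags}")
```

Entries marked `parite_infectable` are the autostart binaries worth rescanning from clean media, since a file infector can alter them even when the registry entry itself is legitimate.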

Ugh, those bastards turned me down. You have to fill out this form and they turned me down sighs. Thanks for your help though. If you find another way please inform me.

Hi,

just get the Cleaner from www.avast.com (download it on another CLEAN PC, and transfer it to your PC on a CD or write-protected floppy)

or try downloading & saving it as .COM or .SCR-file (read instructions… !!!)

(run the Cleaner at least twice… maybe 2nd time in safeMode-F8-Boot)

that should take care of it…
*

a Board-search, or the link “VirusRemoval” below should give you lots of other advice and Tools against PARITE

This link provides some information on the virus and its removal: PARITE.A-1

Since it’s from TrendMicro I would suggest trying their online scanner Housecall if you haven’t already tried it.

Ok these guys know more about this kind of thing than I do but if you have the windows installation disks for your computer my suggestion is to wipe the drive clean…I know that’s typically the last thing anyone wants to do but if it’s infecting everything that might be 1 of your only options?

Again just my input.

This is like using a sledge hammer to crack a nut and I would say an option of last resort. Not least having to re-install everything and have to go online and re-download all windows update patches, etc. (especially when SP2 has just been released), not to mention all your programs and tweaks and settings (a real pain).

Another potential problem is getting infected when you go online for hours to download the patches, taking you right back to square one. Recent reports state the average time to get infected (for a vulnerable PC) is 20 mins, I however feel that 20 minutes is a high figure.

People should have a reasonable backup and recovery strategy for when they experience serious system problems. I take an image of my C: (windows) and D: (programs and Data files) partitions every week and a backup of data files daily. I can restore an image in about 15 minutes or less and data in seconds.

If you don’t make a plan then you plan to fail.

Hi David…

everything has two sides…
a) you’re probably right generally about the sledgeHammer
b) imho you’re wrong in this here case…:

  • even if PARITE is seemingly successfully removed/Cleaned, that doesn’t mean that all programs will be successfully repaired/working…
    (especially if avast & VRDB isn’t working properly anymore).
    And this sure can wreak havoc on your system …

  • OP had obviously some active trojans/worms probably with BackdoorFunctions → the system’s security is compromised already…

  • For XP: There’s SP2 available → Just get the full Installer somehow on CD.
    flatten your Windows-Partition, and reinstall (OFFLINE!!) XP + SP2, avast and maybe firewall…
    Then you’ve a basic protection…

Secure Passwords, Secure Browser-settings of course still need to be done immediately…Plus SafeHex & Brain1.x

:wink: :wink: