Can't remove Worm.Parite


SKILLAN


One day my explorer.exe froze, so I scanned with MBAM and found that I'm infected with Worm.Parite. I formatted all of my hard drives, reinstalled my Windows (I'm using XP, btw) and it's still here. I can't remove it. MBAM does not remove it.

Here's a pic:


Here are the Attach and DDS:

Attach.txt


.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/19/2012 12:43:46 PM
System Uptime: 12/20/2012 3:04:59 PM (0 hours ago)
.
Motherboard: EPoX COMPUTER CO.,LTD | | i925XE DDR2: 5LWAJ
Processor: Intel(R) Pentium(R) 4 CPU 3.06GHz | Socket 775 | 3583/155mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 15 GiB total, 14.168 GiB free.
D: is FIXED (NTFS) - 46 GiB total, 42.803 GiB free.
E: is FIXED (NTFS) - 41 GiB total, 16.742 GiB free.
F: is FIXED (NTFS) - 51 GiB total, 44.976 GiB free.
G: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_10DE&DEV_0393&SUBSYS_04121462&REV_A1\4&FD38F8A&0&0008
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_10DE&DEV_0393&SUBSYS_04121462&REV_A1\4&FD38F8A&0&0008
Service:
.
==== System Restore Points ===================
.
RP1: 12/19/2012 12:46:32 PM - System Checkpoint
RP2: 12/19/2012 12:50:27 PM - Installed Realtek High Definition Audio Driver
RP3: 12/19/2012 1:13:38 PM - Installed Dr.Web anti-virus for Windows 7.0.
RP4: 12/19/2012 1:23:56 PM - Installed Styler
RP5: 12/19/2012 1:25:55 PM - asd
RP6: 12/19/2012 6:39:16 PM - Installed DirectX
.
==== Installed Programs ======================
.
µTorrent
Adobe Flash Player 11 Plugin
Dr.Web anti-virus for Windows 7.0
ESL Wire 1.15.1
Malwarebytes Anti-Malware version 1.65.1.1000
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 17.0.1 (x86 en-US)
Mozilla Maintenance Service
Realtek High Definition Audio Driver
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB980195)
Styler
TeamSpeak 3 Client
Update for Microsoft Windows (KB971513)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
WebFldrs XP
Winamp
.
==== Event Viewer Messages From Past Week ========
.
12/20/2012 3:05:35 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
12/20/2012 3:05:31 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume4'. It has stopped monitoring the volume.
12/19/2012 5:43:47 PM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: An attempt was made to access a socket in a way forbidden by its access permissions.
12/19/2012 12:43:59 PM, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.
12/19/2012 1:42:15 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/19/2012 1:31:39 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
.
==== End Of File ===========================

DDS.txt


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by CERBER at 15:14:05 on 2012-12-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1343 [GMT 2:00]
.
FW: Dr.Web Firewall *Disabled*
.
============== Running Processes ================
.
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\EslWire\service\WireHelperSvc.exe
F:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
F:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
F:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
F:\WINDOWS\System32\alg.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Mozilla Firefox\plugin-container.exe
F:\Documents and Settings\CERBER\Desktop\antiparite-en.exe
F:\WINDOWS\system32\wbem\wmiprvse.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
F:\WINDOWS\system32\svchost.exe -k NetworkService
F:\WINDOWS\system32\svchost.exe -k LocalService
F:\WINDOWS\system32\svchost.exe -k LocalService
F:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
TB: StylerToolBar: {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - f:\program files\styler\tb\StylerTB.dll
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [ESL Wire] "f:\program files\eslwire\wire.exe" --tray
mRun: [exflashservice] "f:\program files\epox\efs\EZ_FLASH_SERVICE.exe" "5000"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SpIDerAgent] "f:\program files\drweb\spideragent.exe"
mRun: [Firewall] "f:\program files\drweb\frwl_notify.exe"
StartupFolder: f:\docume~1\cerber\startm~1\programs\startup\styler.lnk - f:\documents and settings\cerber\application data\microsoft\installer\{e9ecf354-2422-4fdb-9abf-d8adac0ef941}\_585b207a.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-System: NoColorChoice = dword:0
uPolicies-System: NoSizeChoice = dword:0
uPolicies-System: NoVisualStyleChoice = dword:0
mPolicies-Explorer: NoSimpleStartMenu = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{9F09D111-AF7E-48FA-A24B-8AF65E745279} : DHCPNameServer = 192.168.1.1
SSODL: WPDShServiceObj - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - f:\documents and settings\cerber\application data\mozilla\firefox\profiles\7kz8ntig.default\
FF - plugin: f:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
.
============= SERVICES / DRIVERS ===============
.
R0 DrWebLwf;Dr.Web Firewall Kernel-Mode Driver;f:\windows\system32\drivers\DrWebLwf.sys [2012-12-19 179416]
R0 DwProt;DrWeb Protection;f:\windows\system32\drivers\dwprot.sys [2012-12-19 214360]
R0 SpiderG3;DrWeb file system scanner;f:\windows\system32\drivers\spiderg3.sys [2012-12-19 167128]
R2 DrWebAVService;Dr.Web Control Service;f:\program files\drweb\dwservice.exe --loglevel=inf --logfile="f:\documents and settings\all users\application data\doctor web\logs\dwservice.log" --> f:\program files\drweb\dwservice.exe --loglevel=inf --logfile=f:\documents and settings\all users\application data\doctor web\logs\dwservice.log [?]
R2 DrWebEngine;Dr.Web Scanning Engine (DrWebEngine);f:\program files\common files\doctor web\scanning engine\dwengine.exe [2012-12-19 1919400]
R2 DrWebFwSvc;Dr.Web Firewall Service;f:\program files\drweb\frwl_svc.exe [2012-12-19 1170432]
R2 ESLWireAC;ESLWireAC;f:\windows\system32\drivers\ESLWireACD.sys [2012-12-19 867344]
R2 EslWireHelper;ESL Wire Helper Service;f:\program files\eslwire\service\WireHelperSvc.exe [2012-12-19 615440]
R2 MBAMScheduler;MBAMScheduler;f:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-12-20 399432]
R2 MBAMService;MBAMService;f:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-12-20 676936]
R3 MBAMProtector;MBAMProtector;f:\windows\system32\drivers\mbam.sys [2012-12-20 22856]
S?4 MBAMSwissArmy;MBAMSwissArmy;\??\f:\windows\system32\drivers\mbamswissarmy.sys --> f:\windows\system32\drivers\mbamswissarmy.sys [?]
.
=============== Created Last 30 ================
.
2012-12-20 13:05:57 -------- d-----w- f:\documents and settings\cerber\application data\Styler
2012-12-20 12:52:40 22856 ----a-w- f:\windows\system32\drivers\mbam.sys
2012-12-20 12:52:40 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2012-12-19 19:42:27 -------- d-----w- f:\documents and settings\cerber\application data\TS3Client
2012-12-19 16:39:18 1892184 ----a-w- f:\windows\system32\D3DX9_42.dll
2012-12-19 16:39:17 2414360 ----a-w- f:\windows\system32\d3dx9_31.dll
2012-12-19 16:39:12 -------- d-----w- f:\windows\Logs
2012-12-19 16:28:36 -------- d-----w- F:\e9af60e1b739619c0fbc
2012-12-19 16:26:21 -------- d-----w- F:\33767317f7b9a84b997d87dd
2012-12-19 16:26:18 867344 ----a-w- f:\windows\system32\drivers\ESLWireACD.sys
2012-12-19 16:26:11 -------- d-----w- f:\program files\EslWire
2012-12-19 16:26:11 -------- d-----w- f:\documents and settings\all users\application data\ESL Wire
2012-12-19 15:56:16 874974 ----a-w- f:\windows\system32\FlashPlayerApp.exe
2012-12-19 15:56:16 73656 ----a-w- f:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2012-12-20 13:10:01 90112 ----a-w- f:\windows\SoundMan.exe
2012-12-20 13:10:01 73728 ----a-w- f:\windows\Alcmtr.exe
2012-12-20 13:10:01 2811392 ----a-w- f:\windows\alcwzrd.exe
2012-12-19 11:14:31 214360 ----a-w- f:\windows\system32\drivers\dwprot.sys
2012-12-19 11:14:30 179416 ----a-w- f:\windows\system32\drivers\DrWebLwf.sys
2012-12-19 11:14:24 167128 ----a-w- f:\windows\system32\drivers\spiderg3.sys
.
============= FINISH: 15:14:35.39 ===============


Win32/Parite virus is a polymorphic file infector, can't be fixed

You are infected with a polymorphic file infector. This infection can and will infect all the machine's executable files: .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine.

Some links to read:

http://forums.malwar...ndpost&p=320816

http://miekiemoes.bl...s-throwing.html

http://www.bleepingc...28#entry1366528

MrC

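As an added example (not code from either poster), here is a Python triage script that parses DDS "Created Last 30" / "Find3M" entries like the ones in the log above and flags infectable files whose last-write times fall in the same second, the pattern a file infector leaves when it rewrites a batch of executables in one pass. The sample entries are copied from the log above; the extension list comes from the reply, and the cluster threshold is my own assumption.

```python
import ntpath
import re
from collections import defaultdict

# Sample entries copied from the DDS "Find3M" and "Created Last 30" sections above.
DDS_LINES = r"""
2012-12-20 13:10:01 90112 ----a-w- f:\windows\SoundMan.exe
2012-12-20 13:10:01 73728 ----a-w- f:\windows\Alcmtr.exe
2012-12-20 13:10:01 2811392 ----a-w- f:\windows\alcwzrd.exe
2012-12-20 12:52:40 22856 ----a-w- f:\windows\system32\drivers\mbam.sys
2012-12-20 12:52:40 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2012-12-19 16:39:18 1892184 ----a-w- f:\windows\system32\D3DX9_42.dll
2012-12-19 16:39:17 2414360 ----a-w- f:\windows\system32\d3dx9_31.dll
2012-12-19 15:56:16 874974 ----a-w- f:\windows\system32\FlashPlayerApp.exe
"""

# DDS entry layout: "<date> <time> <size, or -------- for a directory> <attr flags> <path>"
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+(\S+)\s+(.+?)\s*$")

# File types named in the reply above as targets of the infector.
INFECTABLE_EXT = {".exe", ".scr", ".rar", ".zip", ".htm", ".html"}


def parse_dds(text):
    """Return (timestamp, size_or_None, attrs, path) for every DDS entry in text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ts, size, attrs, path = m.groups()
            entries.append((ts, int(size) if size.isdigit() else None, attrs, path))
    return entries


def suspicious_write_clusters(text, min_files=2):
    """Group infectable files by last-write second; keep clusters of >= min_files.

    Several .exe/.scr files rewritten within one second is a lead worth checking
    against vendor copies (hash or digital signature). Installers leave the same
    pattern, so treat this as triage, not a verdict; min_files is an assumed threshold.
    """
    by_second = defaultdict(list)
    for ts, _size, attrs, path in parse_dds(text):
        if attrs.startswith("d"):  # directory entry, not a file
            continue
        if ntpath.splitext(path)[1].lower() in INFECTABLE_EXT:
            by_second[ts].append(path)
    return {ts: sorted(p) for ts, p in by_second.items() if len(p) >= min_files}


if __name__ == "__main__":
    for ts, paths in sorted(suspicious_write_clusters(DDS_LINES).items()):
        print(f"{ts}: {len(paths)} infectable files written in the same second")
        for p in paths:
            print("   ", p)
```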

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
