Old 07-28-2006, 09:06 PM   #1 (permalink)
I helped the forums.
 
Join Date: Oct 2004
Location: USA
Posts: 128
OS: XP Pro


Netsky/Prorat

Mysteriously I got a backdoor trojan which in different programs gets different names:

TuneUpUtilities 2006's process manager calls it Internet worm W32.Netsky
Ad-Aware calls it Backdoor.Prorat.16

None of the following can delete it.
I've tried to delete it with Ad-Aware,
Search & Destroy,
SpywareBlaster,
even the Netsky removal tool from Norton
won't get rid of it for me.
After I log into my computer a black screen stays for 1 to 15 sec and this message shows up (I took a screenshot; picture attached below).

I'd be grateful if anyone could help me with this,
and here's the HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 10:52:04 PM, on 7/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\services.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\devldr32.exe
C:\HJT\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
Attached image: services.JPG (17.5 KB)
Old 07-29-2006, 09:44 AM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

You have no AntiVirus protection on this system. On today's internet, that's inadvisable. We'll address that during the course of this fix.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Download Ewido Anti-Malware
  • Install Ewido Anti-Malware
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT Ewido anti-spyware. Do Not run a scan just yet, we will shortly.

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' if they still exist (make sure not to miss any):

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

---------------------------------------------------------------------------------------------


Delete the following if they exist:

C:\WINDOWS\system32\fservice.exe
C:\WINDOWS\services.exe<<<From this location only!!!!! This is not the legit Windows file which resides in System32


---------------------------------------------------------------------------------------------


Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

---------------------------------------------------------------------------------------------

Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

---------------------------------------------------------------------------------------------

Restart in normal mode.

---------------------------------------------------------------------------------------------

I see no evidence of an AntiVirus program on your system. This must be resolved. Here are two very good free Antivirus products which are available: Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan.

---------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of Panda's 8 MB ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Run a new HijackThis scan. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with logs from:

Ewido
Panda
HJT
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
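The two items tetonbob singles out above, the F2 Shell= value with a second program appended after Explorer.exe and a services.exe running from C:\WINDOWS instead of System32, are the kind of thing that can be checked mechanically in an HJT log. The following Python script is an added example, not part of this thread and not HijackThis code: the sample log lines are copied from the log posted above, and the list of System32-only binary names is my own assumption rather than an HJT rule.

```python
"""Triage checks for a HijackThis log: the F2 Shell hijack and a
masquerading copy of a core system binary in the process list."""
import re

# Constructed sample: a handful of lines copied from the HJT log posted in
# this thread, enough to exercise both checks.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\services.exe
C:\Program Files\Ares\Ares.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumption: core Windows binaries that legitimately live only in
# %SystemRoot%\System32. The same name anywhere else is a classic masquerade.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$", re.IGNORECASE)


def parse_hjt(text):
    """Split an HJT log into the running-process list and the O/F/R/N entries."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if re.match(r"^[OFRN]\d+ - ", line):
            in_processes = False
            entries.append(line)
        elif in_processes:
            processes.append(line)
    return processes, entries


def _is_legit_shell(program):
    """Explorer itself, bare or from the Windows directory, is the only valid shell."""
    directory, _, name = program.lower().rpartition("\\")
    return name == "explorer.exe" and (
        directory == "" or directory.endswith(("\\windows", "\\winnt")))


def shell_extras(entries):
    """Return every program in the Shell= value other than Explorer.

    Winlogon runs each program listed in Shell, so anything appended after
    Explorer.exe starts at every logon. HJT shows the value unquoted, so we
    split on whitespace; a path containing spaces would need quoting.
    """
    extras = []
    for entry in entries:
        m = SHELL_RE.match(entry)
        if not m:
            continue
        extras.extend(p for p in m.group(1).split() if not _is_legit_shell(p))
    return extras


def masquerading_processes(processes):
    """Return running processes that use a System32-only name from another directory."""
    flagged = []
    for path in processes:
        directory, _, name = path.rpartition("\\")
        if name.lower() in SYSTEM32_ONLY and not directory.lower().endswith("\\system32"):
            flagged.append(path)
    return flagged


def triage(text):
    """Run both checks and return the findings."""
    processes, entries = parse_hjt(text)
    return {"shell_extras": shell_extras(entries),
            "masquerading": masquerading_processes(processes)}


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_HJT_LOG).items():
        print(check)
        for hit in hits:
            print("   ", hit)
```

Run against the sample, the script flags exactly the two paths tetonbob asks to fix and delete: C:\WINDOWS\system32\fservice.exe from the Shell value and C:\WINDOWS\services.exe from the process list, while the legitimate C:\WINDOWS\system32\services.exe passes.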
Old 07-29-2006, 10:59 PM   #3 (permalink)
I helped the forums.
 
Join Date: Oct 2004
Location: USA
Posts: 128
OS: XP Pro


Hello again,
thank you for the quick response.
I'm returning with logs from HJT and Ewido.
Panda didn't want to work; after 100 files were scanned it just closed on me.
So here are the requested logs:

HJT
Logfile of HijackThis v1.99.1
Scan saved at 12:54:50 AM, on 7/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe


and Ewido:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:54:50 PM 7/29/2006

+ Scan result:



C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\WINDOWS\system32\winkey.dll -> Backdoor.Prorat.19.ah : Cleaned with backup (quarantined).
[1160] C:\WINDOWS\system32\winkey.dll -> Backdoor.Prorat.19.ah : Error during cleaning.
C:\!KillBox\services.exe -> Backdoor.Prorat.19.i : Cleaned with backup (quarantined).
C:\!KillBox\sservice.exe -> Backdoor.Prorat.19.i : Cleaned with backup (quarantined).
C:\WINDOWS\system32\fservice.exe -> Backdoor.Prorat.19.i : Cleaned with backup (quarantined).
C:\WINDOWS\system32\reginv.dll -> Backdoor.Prorat.19.i : Cleaned with backup (quarantined).
C:\WINDOWS\system\sservice.exe -> Backdoor.Prorat.19.i : Cleaned with backup (quarantined).
[756] C:\WINDOWS\system32\reginv.dll -> Backdoor.Prorat.19.i : Error during cleaning.
[836] C:\WINDOWS\services.exe -> Backdoor.Prorat.19.i : Error during cleaning.
C:\Documents and Settings\ilya\My Documents\My Received Files\client patch.rar/Launcher.exe -> Backdoor.Sturf : Cleaned with backup (quarantined).
C:\Documents and Settings\ilya\Application Data\Azureus\azureus.config.bad -> Downloader.Small.bgv : Cleaned with backup (quarantined).
C:\Documents and Settings\ilya\Application Data\Azureus\azureus.config.bad1 -> Downloader.Small.bgv : Cleaned with backup (quarantined).
C:\Documents and Settings\ilya\Application Data\Azureus\azureus.config.bad2 -> Downloader.Small.bgv : Cleaned with backup (quarantined).

::Report end


And I could not delete the following:

C:\WINDOWS\services.exe
A message popped up saying that it's in use.

thank you again for your support
Old 07-29-2006, 11:52 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,444
OS: 2000 Pro; XP Pro; XP Home


Download Pocket Killbox and unzip the exe file to your desktop.

Launch KillBox.exe & select the following options:
  • delete on Reboot
  • All files (if available)
Use your mouse to select all the filenames highlighted in blue & then right-click & select Copy
  • C:\WINDOWS\services.exe
    C:\WINDOWS\system32\fservice.exe
    C:\WINDOWS\system32\reginv.dll
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

Once the system has restarted.....back in normal windows:

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe

---------------------------------------------------------------------------------------------


You still have no AntiVirus protection. You must put protection on this system, or any help I give you now will be for naught.

I see no evidence of an AntiVirus program on your system. This must be resolved. Here are two very good free Antivirus products which are available: Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan.

---------------------------------------------------

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

---------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with results from:

DrWeb
HJT
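Ewido's report in the previous post marks three files as "Error during cleaning" with a process ID in front of them, which is why a plain Delete fails with "in use" and tetonbob falls back to Killbox's "delete on Reboot". That option relies on the Windows MoveFileEx call with MOVEFILE_DELAY_UNTIL_REBOOT, which queues the path in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager so that the Session Manager removes the file at the next boot, before anything can lock it again. The following Python is an added example, not from this thread and not Killbox's or Ewido's code: it pulls the locked files out of the report, builds the REG_MULTI_SZ value the mechanism uses, and shows the MoveFileEx call itself for a Windows host. The sample report lines are copied from the post above; the registry write is not performed.

```python
"""Extract the files Ewido could not clean and build the delete-on-reboot
entry that a Killbox-style tool registers for them."""
import re
import sys

# Constructed sample: lines copied from the Ewido scan report posted above.
SAMPLE_EWIDO_REPORT = r"""
C:\WINDOWS\system32\winkey.dll -> Backdoor.Prorat.19.ah : Cleaned with backup (quarantined).
[1160] C:\WINDOWS\system32\winkey.dll -> Backdoor.Prorat.19.ah : Error during cleaning.
C:\WINDOWS\system32\fservice.exe -> Backdoor.Prorat.19.i : Cleaned with backup (quarantined).
C:\WINDOWS\system32\reginv.dll -> Backdoor.Prorat.19.i : Cleaned with backup (quarantined).
[756] C:\WINDOWS\system32\reginv.dll -> Backdoor.Prorat.19.i : Error during cleaning.
[836] C:\WINDOWS\services.exe -> Backdoor.Prorat.19.i : Error during cleaning.
"""

# "[pid] path -> detection : action." The [pid] prefix marks a hit inside a
# running process rather than a file on disk.
LINE_RE = re.compile(r"^(?:\[(\d+)\]\s+)?(.+?) -> (\S+) : (.+?)\.?$")

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4  # kernel32 MoveFileEx flag


def parse_ewido(text):
    """Return one dict per report line: pid (or None), path, threat, action."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, path, threat, action = m.groups()
            hits.append({"pid": int(pid) if pid else None, "path": path,
                         "threat": threat, "action": action})
    return hits


def locked_files(hits):
    """Files Ewido detected but could not clean because a live process holds them."""
    seen, locked = set(), []
    for h in hits:
        key = h["path"].lower()
        if h["action"] == "Error during cleaning" and key not in seen:
            seen.add(key)
            locked.append(h["path"])
    return locked


def pending_rename_value(paths):
    """Encode a PendingFileRenameOperations value that deletes the given files.

    The value is a REG_MULTI_SZ of (source, destination) pairs with sources in
    NT object-manager form ("\\??\\C:\\..."); an empty destination means delete.
    """
    items = []
    for p in paths:
        items.append("\\??\\" + p)
        items.append("")            # empty destination = delete at boot
    return ("\0".join(items) + "\0\0").encode("utf-16-le")


def decode_multi_sz(raw):
    """Inverse of the encoding above, useful for reading the live value."""
    text = raw.decode("utf-16-le")
    body = text[:-2] if text.endswith("\0\0") else text
    return body.split("\0")


def schedule_delete_on_reboot(path):
    """What Killbox's 'delete on Reboot' does: MoveFileEx with no destination.

    Needs administrative rights; Windows appends the pair to the registry value
    built by pending_rename_value() itself.
    """
    if sys.platform != "win32":
        raise OSError("delete-on-reboot is a Windows-only operation")
    import ctypes
    ok = ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT)
    if not ok:
        raise ctypes.WinError()


if __name__ == "__main__":
    locked = locked_files(parse_ewido(SAMPLE_EWIDO_REPORT))
    for f in locked:
        print("locked:", f)
    print(decode_multi_sz(pending_rename_value(locked)))
```

On the sample report the locked list is winkey.dll, reginv.dll and C:\WINDOWS\services.exe; the encoder produces the same pairs that regedit shows as a path line followed by a blank line. Running it on the infected machine would be the last step only after the Shell= value is fixed, otherwise Winlogon simply restarts the backdoor.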
Old 07-30-2006, 01:27 PM   #5 (permalink)
I helped the forums.
 
Join Date: Oct 2004
Location: USA
Posts: 128
OS: XP Pro


Hello all, I've come with reports from the pieces of software you told me to run.
Here they are:

DR.WEB
Process in memory: explorer.exe;;Win32.Parite.2;Eradicated.;
InterviewGodInstall.exe;D:\;Win32.Parite.2;Cured.;
pathways.exe;D:\;Win32.Parite.2;Cured.;
spywareremovval tool.exe;D:\;Win32.Parite.2;Cured.;
77.72_win2kxp_english_whql.exe;D:\from FireFox;Win32.Parite.2;Cured.;
HijackThis.exe;D:\from FireFox;Win32.Parite.2;Cured.;
KRC HijackThis Analyzer.sfx.exe;D:\from FireFox;Win32.Parite.2;Cured.;
wrar35b5.exe;D:\from FireFox;Win32.Parite.2;Cured.;
aawsepersonal.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
AVIcodec_1.2_b109.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
awxDTools_105b072.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
Azureus_2.3.0.2_Win32.setup.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
Azureus_2.3.0.6_Win32.setup.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
bcwipe3.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
cklk388.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
CleanUp40.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
Crack - Lavasoft adware 6 pro+crack.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
cwshredder.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
daemon400.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
DCPlusPlus-0.689.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
flashget.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
gaim-1.5.0.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
itv45.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
keygen.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
MP10Setup.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
MP3 Audio Sound Recorder.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
Office XP.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
opera.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
SonicStageInstaller.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
spywareblastersetup34.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
trialwinrar.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
tvplayerGOOD.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
vlc-0.8.2-win32.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
walkman software.exe;D:\ILYA'S\Programs;Win32.Parite.2;Cured.;
setup.exe;D:\ILYA'S\Programs\Adobe Audition v1.0;Win32.Parite.2;Cured.;
keygen.exe;D:\ILYA'S\Programs\Adobe Photoshop CS2 ISO + Keygen\keygen;Win32.Parite.2;Cured.;
setup.exe;D:\ILYA'S\Programs\Adobe Premiere Pro v1.5;Win32.Parite.2;Cured.;
Keymaker.exe;D:\ILYA'S\Programs\Adobe Premiere Pro v1.5\Crack;Win32.Parite.2;Cured.;
dxsetup.exe;D:\ILYA'S\Programs\Adobe Premiere Pro v1.5\directx9;Win32.Parite.2;Cured.;
rusfonts.exe;D:\ILYA'S\Programs\Adobe Premiere Pro v1.5\Russian;Win32.Parite.2;Cured.;
update.exe;D:\ILYA'S\Programs\Adobe Premiere Pro v1.5\Russian;Win32.Parite.2;Cured.;
wmfdist.exe;D:\ILYA'S\Programs\Adobe Premiere Pro v1.5\wmf;Win32.Parite.2;Cured.;
Alcohol 120% setup.exe;D:\ILYA'S\Programs\Alcohol 120 % 1.9.2.1705 + crack;Win32.Parite.2;Cured.;
crack.exe;D:\ILYA'S\Programs\Alcohol 120 % 1.9.2.1705 + crack;Win32.Parite.2;Cured.;
all-sound-recorder-xp.exe;D:\ILYA'S\Programs\All.Sound.Recorder.XP.v2.21-TBE;Win32.Parite.2;Cured.;
DivXCodecPlasmaBuild1394.exe;D:\ILYA'S\Programs\codecs;Win32.Parite.2;Cured.;
DivX_Total_Pack1.8.exe;D:\ILYA'S\Programs\codecs;Win32.Parite.2;Cured.;
klcodec235f.exe;D:\ILYA'S\Programs\codecs;Win32.Parite.2;Cured.;
DrvgenPro5.EXE;D:\ILYA'S\Programs\Driver Genius Pro 2005 v5.0.1082;Win32.Parite.2;Cured.;
crack.exe;D:\ILYA'S\Programs\Driver Genius Pro 2005 v5.0.1082\Crack;Win32.Parite.2;Cured.;
nvsvc32.exe;D:\ILYA'S\Programs\driversbackup\NVIDIA GeForce2 MX MX 400;Win32.Parite.2;Cured.;
gw32try.exe;D:\ILYA'S\Programs\GameWizard 1.43 with crack;Win32.Parite.2;Cured.;
Setup.exe;D:\ILYA'S\Programs\GameWizard 1.43 with crack;Win32.Parite.2;Cured.;
hideippla.exe;D:\ILYA'S\Programs\HideIp\HideIp1.4Platinum;Win32.Parite.2;Cured.;
keygen.exe;D:\ILYA'S\Programs\HideIp\HideIp1.4Platinum;Win32.Parite.2;Cured.;
hideip.exe;D:\ILYA'S\Programs\HideIp\HideIp1.7;Win32.Parite.2;Cured.;
keygen.exe;D:\ILYA'S\Programs\HideIp\HideIp1.7;Win32.Parite.2;Cured.;
ipswwsftp2k6.exe;D:\ILYA'S\Programs\Ipswitch WS_FTP Professional 2006 + Keygen\Ipswitch WS_FTP Professional 2006 + Keygen;Win32.Parite.2;Cured.;
KeygenIpswitchWSFTPProf2006.exe;D:\ILYA'S\Programs\Ipswitch WS_FTP Professional 2006 + Keygen\Ipswitch WS_FTP Professional 2006 + Keygen;Win32.Parite.2;Cured.;
LAsetup.exe;D:\ILYA'S\Programs\LAsetup;Win32.Parite.2;Cured.;
Launcher.exe;D:\ILYA'S\Programs\MUOnline\MuAngels;Win32.Parite.2;Cured.;
main.exe;D:\ILYA'S\Programs\MUOnline\MuAngels;Win32.Parite.2;Cured.;
mu.exe;D:\ILYA'S\Programs\MUOnline\MuAngels;Win32.Parite.2;Cured.;
MuAngels.exe;D:\ILYA'S\Programs\MUOnline\MuAngels;Win32.Parite.2;Cured.;
muplayer.exe;D:\ILYA'S\Programs\MUOnline\MuAngels;Win32.Parite.2;Cured.;
Launcher.exe;D:\ILYA'S\Programs\MUOnline\Patch;Win32.Parite.2;Cured.;
main.exe;D:\ILYA'S\Programs\MUOnline\Patch;Win32.Parite.2;Cured.;
My 3D Christmas Tree Full.exe;D:\ILYA'S\Programs\My 3D Christmas Tree Full Version;Win32.Parite.2;Cured.;
Nod32 2.50.19.exe;D:\ILYA'S\Programs\Nod;Win32.Parite.2;Cured.;
NOD32-FiX-v1.3.exe;D:\ILYA'S\Programs\Nod;Win32.Parite.2;Cured.;
p2kman.exe;D:\ILYA'S\Programs\Razr V3c USB Drivers\Motorola USB Drivers v2.9;Win32.Parite.2;Cured.;
p2kseem.exe;D:\ILYA'S\Programs\Razr V3c USB Drivers\Motorola USB Drivers v2.9;Win32.Parite.2;Cured.;
P2KTools.exe;D:\ILYA'S\Programs\Razr V3c USB Drivers\Motorola USB Drivers v2.9;Win32.Parite.2;Cured.;
XVI32.exe;D:\ILYA'S\Programs\Razr V3c USB Drivers\xvi32;Win32.Parite.2;Cured.;
rminstall.exe;D:\ILYA'S\Programs\Registry Mechanic v5.0.0.136;Win32.Parite.2;Cured.;
usrsetup.exe;D:\ILYA'S\Programs\universalsoundrecord\Universal Sound Recorder v2.0;Win32.Parite.2;Cured.;
PSr.exe;D:\ILYA'S\Programs\universalsoundrecord\Universal Sound Recorder v2.0\Crack;Win32.Parite.2;Cured.;
PT2A.exe;D:\ILYA'S\Programs\universalsoundrecord\Universal Sound Recorder v2.0\Crack;Win32.Parite.2;Cured.;
microsoft visual basic 6.exe;D:\ILYA'S\Programs\visual basic;Win32.Parite.2;Cured.;
ms visual studio enterprise 6 0 (viusal c++ 6 0 visual basic 6.exe;D:\ILYA'S\Programs\visual basic;Win32.Parite.2;Cured.;
SETUP.EXE;D:\ILYA'S\Programs\visual basic;Win32.Parite.2;Cured.;
SMSINST.EXE;D:\ILYA'S\Programs\visual basic;Win32.Parite.2;Cured.;
DEVENV.EXE;D:\ILYA'S\Programs\visual basic\COMMON\IDE\IDE98;Win32.Parite.2;Cured.;
SQLDBREG.EXE;D:\ILYA'S\Programs\visual basic\COMMON\IDE\IDE98;Win32.Parite.2;Cured.;
VALES.EXE;D:\ILYA'S\Programs\visual basic\COMMON\IDE\IDE98;Win32.Parite.2;Cured.;
VCSPAWN.EXE;D:\ILYA'S\Programs\visual basic\COMMON\IDE\IDE98;Win32.Parite.2;Cured.;
CLIREG32.EXE;D:\ILYA'S\Programs\visual basic\COMMON\IDE\IDE98\REDIST;Win32.Parite.2;Cured.;
VJREG.EXE;D:\ILYA'S\Programs\visual basic\COMMON\IDE\IDE98\REDIST;Win32.Parite.2;Cured.;
MSDEV.EXE;D:\ILYA'S\Programs\visual basic\COMMON\MSDEV98\BIN;Win32.Parite.2;Cured.;
MSVCMON.EXE;D:\ILYA'S\Programs\visual basic\COMMON\MSDEV98\BIN;Win32.Parite.2;Cured.;
REGCLADM.EXE;D:\ILYA'S\Programs\visual basic\COMMON\MSDEV98\BIN;Win32.Parite.2;Cured.;
SETUPDBG.EXE;D:\ILYA'S\Programs\visual basic\COMMON\MSDEV98\BIN;Win32.Parite.2;Cured.;
SQLPRXY.EXE;D:\ILYA'S\Programs\visual basic\COMMON\MSDEV98\BIN;Win32.Parite.2;Cured.;
VCSPAWN.EXE;D:\ILYA'S\Programs\visual basic\COMMON\MSDEV98\BIN;Win32.Parite.2;Cured.;
BIND.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS;Win32.Parite.2;Cured.;
DEPENDS.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS;Win32.Parite.2;Cured.;
DFVIEW.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS;Win32.Parite.2;Cured.;
DOBJVIEW.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS;Win32.Parite.2;Cured.;
ERRLOOK.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS;Win32.Parite.2;Cured.;
FONTEDIT.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS;Win32.Parite.2;Cured.;
GUIDGEN.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS;Win32.Parite.2;Cured.;
HCRTF.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS;Win32.Parite.2;Cured.;
HCW.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS;Win32.Parite.2;Cured.;
IROTVIEW.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS;Win32.Parite.2;Cured.;
OLEVIEW.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS;Win32.Parite.2;Cured.;
SPYXX.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS;Win32.Parite.2;Cured.;
TRACER.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS;Win32.Parite.2;Cured.;
TSTCON32.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS;Win32.Parite.2;Cured.;
UNDNAME.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS;Win32.Parite.2;Cured.;
UUIDGEN.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS;Win32.Parite.2;Cured.;
WINDIFF.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS;Win32.Parite.2;Cured.;
ZOOMIN.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS;Win32.Parite.2;Cured.;
CLIREG32.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS\CLIREG;Win32.Parite.2;Cured.;
JPMVIEW.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS\VJ98\UNSUPPRT\TOOLS\ALL\JPMVIEW;Win32.Parite.2;Cured.;
KILLLEC.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS\VS-ENT98\VANALYZR;Win32.Parite.2;Cured.;
VALEC.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS\VS-ENT98\VANALYZR;Win32.Parite.2;Cured.;
VARPC.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS\VS-ENT98\VANALYZR;Win32.Parite.2;Cured.;
MSVM.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS\VS-ENT98\VMODELER;Win32.Parite.2;Cured.;
AVIEDIT.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS\WIN95;Win32.Parite.2;Cured.;
CL32TEST.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS\WIN95;Win32.Parite.2;Cured.;
PVIEW95.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS\WIN95;Win32.Parite.2;Cured.;
SR32TEST.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS\WIN95;Win32.Parite.2;Cured.;
CL32TEST.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS\WINNT;Win32.Parite.2;Cured.;
DDESPY.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS\WINNT;Win32.Parite.2;Cured.;
PSTAT.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS\WINNT;Win32.Parite.2;Cured.;
PVIEW.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS\WINNT;Win32.Parite.2;Cured.;
SR32TEST.EXE;D:\ILYA'S\Programs\visual basic\COMMON\TOOLS\WINNT;Win32.Parite.2;Cured.;
MSQRY32.EXE;D:\ILYA'S\Programs\visual basic\OS\MSAPPS\VBA;Win32.Parite.2;Cured.;
AUTMGR32.EXE;D:\ILYA'S\Programs\visual basic\OS\SYSTEM;Win32.Parite.2;Cured.;
HH.EXE;D:\ILYA'S\Programs\visual basic\OS\SYSTEM;Win32.Parite.2;Cured.;
MDM.EXE;D:\ILYA'S\Programs\visual basic\OS\SYSTEM;Win32.Parite.2;Cured.;
ODBCAD32.EXE;D:\ILYA'S\Programs\visual basic\OS\SYSTEM;Win32.Parite.2;Cured.;
REGSVR32.EXE;D:\ILYA'S\Programs\visual basic\OS\SYSTEM;Win32.Parite.2;Cured.;
WINDBVER.EXE;D:\ILYA'S\Programs\visual basic\OS\SYSTEM;Win32.Parite.2;Cured.;
ACMSETUP.EXE;D:\ILYA'S\Programs\visual basic\SETUP;Win32.Parite.2;Cured.;
ACOST.EXE;D:\ILYA'S\Programs\visual basic\SETUP;Win32.Parite.2;Cured.;
ODBCCONF.EXE;D:\ILYA'S\Programs\visual basic\SETUP;Win32.Parite.2;Cured.;
PKGINST.EXE;D:\ILYA'S\Programs\visual basic\SETUP;Win32.Parite.2;Cured.;
WFCCLEAN.EXE;D:\ILYA'S\Programs\visual basic\SETUP;Win32.Parite.2;Cured.;
C2.EXE;D:\ILYA'S\Programs\visual basic\VB98;Win32.Parite.2;Cured.;
CVPACK.EXE;D:\ILYA'S\Programs\visual basic\VB98;Win32.Parite.2;Cured.;
LINK.EXE;D:\ILYA'S\Programs\visual basic\VB98;Win32.Parite.2;Cured.;
VBSDICLI.EXE;D:\ILYA'S\Programs\visual basic\VB98\TSQL;Win32.Parite.2;Cured.;
MAKECAB.EXE;D:\ILYA'S\Programs\visual basic\VB98\WIZARDS\PDWIZARD;Win32.Parite.2;Cured.;
SETUP.EXE;D:\ILYA'S\Programs\visual basic\VB98\WIZARDS\PDWIZARD;Win32.Parite.2;Cured.;
ST6UNST.EXE;D:\ILYA'S\Programs\visual basic\VB98\WIZARDS\PDWIZARD;Win32.Parite.2;Cured.;
BSCMAKE.EXE;D:\ILYA'S\Programs\visual basic\VC98\BIN;Win32.Parite.2;Cured.;
CL.EXE;D:\ILYA'S\Programs\visual basic\VC98\BIN;Win32.Parite.2;Cured.;
CVPACK.EXE;D:\ILYA'S\Programs\visual basic\VC98\BIN;Win32.Parite.2;Cured.;
CVTRES.EXE;D:\ILYA'S\Programs\visual basic\VC98\BIN;Win32.Parite.2;Cured.;
LINK.EXE;D:\ILYA'S\Programs\visual basic\VC98\BIN;Win32.Parite.2;Cured.;
MAPSYM.EXE;D:\ILYA'S\Programs\visual basic\VC98\BIN;Win32.Parite.2;Cured.;
MC.EXE;D:\ILYA'S\Programs\visual basic\VC98\BIN;Win32.Parite.2;Cured.;
MIDL.EXE;D:\ILYA'S\Programs\visual basic\VC98\BIN;Win32.Parite.2;Cured.;
MKTYPLIB.EXE;D:\ILYA'S\Programs\visual basic\VC98\BIN;Win32.Parite.2;Cured.;
NMAKE.EXE;D:\ILYA'S\Programs\visual basic\VC98\BIN;Win32.Parite.2;Cured.;
PLIST.EXE;D:\ILYA'S\Programs\visual basic\VC98\BIN;Win32.Parite.2;Cured.;
PREP.EXE;D:\ILYA'S\Programs\visual basic\VC98\BIN;Win32.Parite.2;Cured.;
PROFILE.EXE;D:\ILYA'S\Programs\visual basic\VC98\BIN;Win32.Parite.2;Cured.;
REBASE.EXE;D:\ILYA'S\Programs\visual basic\VC98\BIN;Win32.Parite.2;Cured.;
40COMUPD.EXE;D:\ILYA'S\Programs\visual basic\VC98\REDIST;Win32.Parite.2;Cured.;
FOXHHELP.EXE;D:\ILYA'S\Programs\visual basic\VFP98;Win32.Parite.2;Cured.;
VFP6.EXE;D:\ILYA'S\Programs\visual basic\VFP98;Win32.Parite.2;Cured.;
GRAPH8.EXE;D:\ILYA'S\Programs\visual basic\VFP98\DISTRIB.SRC;Win32.Parite.2;Cured.;
ACMSETUP.EXE;D:\ILYA'S\Programs\visual basic\VFP98\DISTRIB.SRC\SETUP;Win32.Parite.2;Cured.;
DIANTZ.EXE;D:\ILYA'S\Programs\visual basic\VFP98\DISTRIB.SRC\SETUP;Win32.Parite.2;Cured.;
MAKECAB.EXE;D:\ILYA'S\Programs\visual basic\VFP98\DISTRIB.SRC\SETUP;Win32.Parite.2;Cured.;
ODBCCONF.EXE;D:\ILYA'S\Programs\visual basic\VFP98\DISTRIB.SRC\SETUP;Win32.Parite.2;Cured.;
AUTMGR32.EXE;D:\ILYA'S\Programs\visual basic\VFP98\DISTRIB.SRC\SYSTEM;Win32.Parite.2;Cured.;
CLIREG32.EXE;D:\ILYA'S\Programs\visual basic\VFP98\DISTRIB.SRC\SYSTEM;Win32.Parite.2;Cured.;
HH.EXE;D:\ILYA'S\Programs\visual basic\VFP98\DISTRIB.SRC\SYSTEM;Win32.Parite.2;Cured.;
ODBCAD32.EXE;D:\ILYA'S\Programs\visual basic\VFP98\DISTRIB.SRC\SYSTEM;Win32.Parite.2;Cured.;
QFEUPD.EXE;D:\ILYA'S\Programs\visual basic\VFP98\DISTRIB.SRC\SYSTEM;Win32.Parite.2;Cured.;
REGSVR32.EXE;D:\ILYA'S\Programs\visual basic\VFP98\DISTRIB.SRC\SYSTEM;Win32.Parite.2;Cured.;
WINDBVER.EXE;D:\ILYA'S\Programs\visual basic\VFP98\DISTRIB.SRC\SYSTEM;Win32.Parite.2;Cured.;
VFP6RUN.EXE;D:\ILYA'S\Programs\visual basic\VFP98\OS\SYSTEM;Win32.Parite.2;Cured.;
VFPCGI.EXE;D:\ILYA'S\Programs\visual basic\VFP98\TOOLS\INETWIZ\SERVER;Win32.Parite.2;Cured.;
JAVAREG.EXE;D:\ILYA'S\Programs\visual basic\VID98\BIN;Win32.Parite.2;Cured.;
ANALYZE.EXE;D:\ILYA'S\Programs\visual basic\VSS\WIN32;Win32.Parite.2;Cured.;
DDCONV.EXE;D:\ILYA'S\Programs\visual basic\VSS\WIN32;Win32.Parite.2;Cured.;
DDUPD.EXE;D:\ILYA'S\Programs\visual basic\VSS\WIN32;Win32.Parite.2;Cured.;
MKSS.EXE;D:\ILYA'S\Programs\visual basic\VSS\WIN32;Win32.Parite.2;Cured.;
SS.EXE;D:\ILYA'S\Programs\visual basic\VSS\WIN32;Win32.Parite.2;Cured.;
SSADMIN.EXE;D:\ILYA'S\Programs\visual basic\VSS\WIN32;Win32.Parite.2;Cured.;
SSARC.EXE;D:\ILYA'S\Programs\visual basic\VSS\WIN32;Win32.Parite.2;Cured.;
SSEXP.EXE;D:\ILYA'S\Programs\visual basic\VSS\WIN32;Win32.Parite.2;Cured.;
SSINT.EXE;D:\ILYA'S\Programs\visual basic\VSS\WIN32;Win32.Parite.2;Cured.;
SSRESTOR.EXE;D:\ILYA'S\Programs\visual basic\VSS\WIN32;Win32.Parite.2;Cured.;
TESTLOCK.EXE;D:\ILYA'S\Programs\visual basic\VSS\WIN32;Win32.Parite.2;Cured.;
UNLOCK.EXE;D:\ILYA'S\Programs\visual basic\VSS\WIN32;Win32.Parite.2;Cured.;
setup.exe;D:\ILYA'S\Programs\watchtv_eng;Win32.Parite.2;Cured.;
WinDVD6.exe;D:\ILYA'S\Programs\WinDVD Platinum v6;Win32.Parite.2;Cured.;
onlinetv403_.exe;D:\ILYA'S\Programs\World Online TV v4.03 Final;Win32.Parite.2;Cured.;
end of report

HJT
Logfile of HijackThis v1.99.1
Scan saved at 3:21:32 PM, on 7/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

What is the best antivirus out there, if McAfee and Symantec are out of the picture?
Thank you, y'all.

Last edited by ilie; 07-30-2006 at 01:39 PM.
Old 07-30-2006, 02:27 PM   #6 (permalink)
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)

I'm going to be a bit blunt here. I hope you're not offended.

If you want to spend $$, Kaspersky and Nod32 are 2 of the best. McAfee and Norton are also effective. We try to recommend free AVs to users first, so they don't have to spend $$.

As DrWeb just cleared out a bunch of cracks and keygens, I'd recommend that you stick with the free AVG or AVAST I already linked to, or it seems you may go searching for cracks for these AVs. Many cracks are infected, as you can clearly see.

The best AV is one that's installed and up to date. Right now you have none. The longer you wait, the greater chance you have at reinfection.

Get an AV, and a firewall, on this system, and post a new HJT log.

Here are 3 free firewalls available for personal use:
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
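The DrWeb report ilie posted above is a flat semicolon-separated list, and tetonbob's point is that the hits cluster in crack and keygen folders. As an added example that is not part of the thread and not Dr.Web's own tooling, the Python script below parses that record layout (name;directory;threat;action;), counts threats and actions, measures how many distinct folders each threat touched (a file infector like Parite shows one threat spread across many folders), and flags records whose file or folder name contains "keygen" or "crack". The sample lines are four records copied from the report plus one constructed "Deleted." record; the function names and the marker list are my own.

```python
"""Triage helper for a Dr.Web CureIt-style scan report.

Record lines in the report above have the layout  name;directory;threat;action;
The functions below parse them, count threats and actions, measure how many
distinct folders each threat touched, and flag hits in crack/keygen folders.
Added example; not Dr.Web's or the forum's own code.
"""
from collections import Counter
import re

# Sample input: four records copied from the report above plus one constructed
# 'Deleted.' record so a second action value shows up, then the report trailer.
SAMPLE_REPORT = r"""keygen.exe;D:\ILYA'S\Programs\HideIp\HideIp1.7;Win32.Parite.2;Cured.;
PSr.exe;D:\ILYA'S\Programs\universalsoundrecord\Universal Sound Recorder v2.0\Crack;Win32.Parite.2;Cured.;
CL.EXE;D:\ILYA'S\Programs\visual basic\VC98\BIN;Win32.Parite.2;Cured.;
setup.exe;D:\ILYA'S\Programs\watchtv_eng;Win32.Parite.2;Cured.;
dropper.exe;C:\Temp\constructed;Win32.Example.Constructed;Deleted.;
end of report
"""

# Folder or file names that suggest pirated software, which is where tetonbob
# notes the hits cluster. Kept short on purpose: 'patch' and 'fix' are too common.
PIRACY_MARKERS = re.compile(r"keygen|crack", re.IGNORECASE)


def parse_report(text):
    """Return (name, directory, threat, action) tuples.

    Lines that do not split into exactly four non-empty fields (the 'end of
    report' trailer, blank lines) are skipped so a whole paste can be fed in.
    """
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.rstrip(";").split(";")]
        if len(fields) == 4 and all(fields):
            records.append(tuple(fields))
    return records


def summarise(records):
    """Aggregate parsed records into the numbers a responder wants first."""
    by_threat = Counter(threat for _, _, threat, _ in records)
    by_action = Counter(action for _, _, _, action in records)
    dirs_per_threat = {}
    for _, directory, threat, _ in records:
        dirs_per_threat.setdefault(threat, set()).add(directory)
    piracy_hits = [
        f"{directory}\\{name}"
        for name, directory, _, _ in records
        if PIRACY_MARKERS.search(name) or PIRACY_MARKERS.search(directory)
    ]
    return {
        "total": len(records),
        "by_threat": by_threat,
        "by_action": by_action,
        # a file infector such as Parite shows one threat spread over many folders
        "spread": {t: len(d) for t, d in dirs_per_threat.items()},
        "piracy_hits": piracy_hits,
    }


def render(summary):
    """Plain-text rendering of the summary dict."""
    lines = [f"records: {summary['total']}"]
    for threat, n in summary["by_threat"].most_common():
        lines.append(f"  {threat}: {n} files in {summary['spread'][threat]} folders")
    for action, n in summary["by_action"].most_common():
        lines.append(f"  action {action} x{n}")
    lines.append(f"hits in crack/keygen locations: {len(summary['piracy_hits'])}")
    lines.extend(f"  {path}" for path in summary["piracy_hits"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarise(parse_report(SAMPLE_REPORT))))
```

Feed the whole pasted report to `parse_report`; the trailer and any stray lines are dropped rather than raising, and the `spread` figure is the quick tell for a file infector versus a single dropped file.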
Old 07-30-2006, 04:23 PM   #7 (permalink)
ilie

Now I'm using the Ubuntu Live CD because apparently AVG quarantined some files that were needed to start up Windows. I can only get up to the login screen; when I type in my name and password it will automatically log off. I cannot get into safe mode or boot from CD, nor repair from the Windows CD. What do I do now?
Old 07-30-2006, 08:04 PM   #8 (permalink)
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)

Well, ilie, Parite is a nasty customer, and infects most exe and scr files on the system.

For most users it is not cleanable. A format is generally the best cure for this infection.

I can't see how AVG would have quarantined any legit files, I've used it on my systems, and have tested it in heavily infected environments.

We can try to do some work, but I need some more information first please.

You're running from a Linux boot disk, but you cannot boot to the Windows CD?

What happens when you try to?

Next question...do you have a floppy drive on this system?

Next question....In Ubuntu (I don't speak Linux, but am trying to find my compatriots who do), can you view the Windows partition? Is your Windows partition formatted as NTFS? (likely, but it's possibly FAT)
Old 07-31-2006, 12:33 AM   #9 (permalink)
ilie

After a couple of hours' break I could boot the Windows CD, and right now I can use IE in safe mode with networking, but normal mode still won't work. Do you think you can help me? Because I so do not want to repair Windows. :(

The system I'm using has a floppy drive.
The master HDD is formatted NTFS and I believe that is what stops it from showing in Ubuntu, but also if it's a live CD, the CD works like a partition and the two HDDs I have don't show up, but maybe I do not know the command to ask for them.
Thanks again
Old 07-31-2006, 01:17 PM   #10 (permalink)
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)

Ilie -

What did you do to enable you to get into safe mode?
Old 07-31-2006, 02:32 PM   #11 (permalink)
ilie

That is a tricky question, I didn't do anything special.
I turned my computer off, and then went and played pool for more than 4 hours. When I came home I tried to boot Windows. Safe mode worked; also I started to boot the Windows CD and it seemed to work, but I didn't go any further because I didn't want to repair.
Old 07-31-2006, 03:33 PM   #12 (permalink)
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)

Hi ilie -

A couple more questions, please.

Do you have more than one account on this system? If so, can you log on to any of them?

Can you log on (in normal mode) to the Administrator account? To access the Administrator account from the Welcome Screen, press Ctrl + Alt + Del twice in succession. An old-style Windows logon box shall appear, and you should then be able to type in the password (if you've assigned one to the Administrator account; many people are unaware of its existence and do not, in which case press Enter instead) and log on to normal Windows.

Let me know how that goes....
Old 07-31-2006, 10:28 PM   #13 (permalink)
ilie

There is only one account on this machine, the one that I use, and it has administrator privileges,
but I tried many times to type Administrator instead of my name and try to log in from normal mode, but there ain't no admin account in normal mode (for WinXP Home Edition), only in safe mode.
Old 07-31-2006, 11:57 PM   #14 (permalink)
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)

Hi ilie -

Let's try something here.... From safe mode, go to Control Panel > User Accounts > create a new user account with admin privileges, and see if you can log on to it.

We're trying to rule out account corruption.
Old 08-01-2006, 12:25 AM   #15 (permalink)
ilie

Haha, I beat you to it, I've already tried that.
Old 08-01-2006, 12:49 AM   #16 (permalink)
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)

OK, well, it seems you know your way around....and you probably know where this is leading. We can try a few more things, but as I've said, Parite is nasty.

A repair install should not cause you to lose much data, but you would likely have to reinstall drivers and programs.

If you can boot to safe mode with networking, you may be able to back up data to another media first.

Try this, so we can see if there's a driver loading issue:

Enable Bootlogging by pressing F8 during startup, and choosing Enable Bootlogging from the Windows Advanced Options Menu. Bootlogging is a diagnostic feature that will list every driver the operating system tries to load. It creates a text file named Ntbtlog.txt in the Windows directory that can be opened with Notepad. Please post that text file in your next reply.

Also, let's have a look at Windows Event Viewer. It might give us a clue as to what is causing these issues.

Go to Start > Run - type in eventvwr <Press Enter>

This is a picture of what the event viewer looks like.
You will see Application, Security & System listed in the left pane.
  1. In the left pane click on Application.
  2. Click the gray title “Type” at the top of the source name column in the right pane to sort by type name.
     Look for “Error” & double-click on the most recent 5, and evaluate the event description for any indication of the cause of the problem.
  3. Make note of the Description, EventID and Source of these Event Properties.
  4. From the right pane, double-click on the line where it says error & you should get a window like the example below.
  5. In the upper right corner of this picture, you should see 2 arrows. One is pointing up & the other, pointing down.
     There is another button below the 2 arrows. Click once on it. (This will copy some information to the clipboard.)
  6. Open Notepad & paste the info in there. This will copy the event information to the clipboard. Paste the information for each event here.

Repeat steps 1-6 for System
Old 08-01-2006, 02:19 AM   #17 (permalink)
ilie

I think we were looking for this:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 8/1/2006
Time: 2:04:04 AM
User: N/A
Computer: JU454GYT-DL490S
Description:
The following boot-start or system-start driver(s) failed to load:
Avg7Core
Avg7RsW
Avg7RsXP
Fips
Processor


I will go ahead and try to get the Ntbtlog.txt log.
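tetonbob's Event Viewer steps produce exactly the kind of text ilie pasted in the post above (the "copy" button output for one event), and the useful part of a Service Control Manager 7026 event is the driver list under "failed to load:". As an added example that is not part of the thread, the Python script below parses one or more such pasted events, keeps the header fields, and pulls the driver names out of any 7026 event while leaving other events alone. The sample input reuses the 7026 event above with a constructed computer name and adds a constructed 7000 event to show the filtering; the function names are my own.

```python
"""Parse Event Viewer 'copy to clipboard' text and list failed boot-start drivers.

Windows XP's Event Viewer copies an event as 'Field: value' header lines followed
by a 'Description:' block, which is the layout pasted above.  Service Control
Manager event 7026 lists the boot-start / system-start drivers that failed to
load, one per line after the 'failed to load:' sentence.
Added example; not the forum's own code.
"""
import re

# Constructed sample: the 7026 event from the thread (computer name replaced with
# a placeholder) followed by a made-up 7000 event the driver extractor must ignore.
SAMPLE_EVENTS = """\
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 8/1/2006
Time: 2:04:04 AM
User: N/A
Computer: EXAMPLE-PC
Description:
The following boot-start or system-start driver(s) failed to load:
Avg7Core
Avg7RsW
Avg7RsXP
Fips
Processor

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 8/1/2006
Time: 2:04:10 AM
User: N/A
Computer: EXAMPLE-PC
Description:
The Example Service service failed to start due to the following error:
The system cannot find the file specified.
"""

# Header lines look like 'Event ID: 7026'; the description block is free text.
HEADER_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")
SCM_DRIVER_LOAD_FAILURE = ("Service Control Manager", "7026")
DRIVER_LIST_MARKER = "failed to load:"


def parse_events(text):
    """Split pasted text into events: a dict of header fields per event plus a
    'Description' list holding the non-blank description lines."""
    events = []
    current = None
    in_description = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event Type:"):      # every copied event starts here
            current = {"Description": []}
            events.append(current)
            in_description = False
        if current is None:                      # stray text before the first event
            continue
        if in_description:
            if line:
                current["Description"].append(line)
            continue
        if line == "Description:":
            in_description = True
            continue
        match = HEADER_RE.match(line)
        if match:
            current[match.group(1)] = match.group(2).strip()
    return events


def failed_drivers(event):
    """Driver names from a 7026 event; an empty list for any other event."""
    if (event.get("Event Source"), event.get("Event ID")) != SCM_DRIVER_LOAD_FAILURE:
        return []
    desc = event["Description"]
    for i, line in enumerate(desc):
        if line.endswith(DRIVER_LIST_MARKER):
            return desc[i + 1:]                  # one driver name per line
    return []


def all_failed_drivers(text):
    """Unique failed-driver names across every 7026 event in the paste, in order."""
    seen = []
    for event in parse_events(text):
        for name in failed_drivers(event):
            if name not in seen:
                seen.append(name)
    return seen


def summary_lines(text):
    """One line per event plus an indented line per failed driver."""
    out = []
    for ev in parse_events(text):
        out.append(f"{ev.get('Date')} {ev.get('Time')}  {ev.get('Event Type')}  "
                   f"{ev.get('Event Source')}  ID {ev.get('Event ID')}")
        out.extend(f"    failed driver: {name}" for name in failed_drivers(ev))
    return out


if __name__ == "__main__":
    print("\n".join(summary_lines(SAMPLE_EVENTS)))
```

Paste several copied events back to back and `all_failed_drivers` gives the de-duplicated driver list, which is what you compare against the Ntbtlog.txt boot log: a driver named in a 7026 event should show up there as not loaded.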
Old 08-12-2006, 07:56 PM   #18 (permalink)
greyknight17 (Analyst, Security Team)

Try uninstalling AVG, restarting your computer, and reinstalling it.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

All times are GMT -7.

Copyright 2001 - 2009, Tech Support Forum