W32/Parite.B problem (not mine, but help)

_Ace

BattleForums Senior Member
Joined
May 17, 2003
Messages
1,474
Reaction score
0
Location
Under my bed (Spain)
k, lordslippy got this worm in her comp, she removed it using Panda Quick Scan, and now she can't browse webs, they all time out for her, and she tried with both IE and Netscape... does anybody have an idea of how she could fix that? I gotta post for her cuz she can't browse or anything, but she can use the internet and ping the sites...
 

WQ87

Well-Known Member
Joined
Jan 19, 2004
Messages
62
Reaction score
0
Website
www.bodybuilding.com
There are probably remaining ones left on the comp. Either listen to icastbigspells (I'm not that great with HijackThis) or you are going to have to delete them by hand. Go to Start and then click Run and then type in msconfig. Look for anything suspicious. Then search for the suspicious files and delete them. Sometimes they can't be deleted because they are running in the background. Ctrl+Alt+Delete and end their process. That way, they are vulnerable to the voyage of the recycling bin.

If all else fails: Format, Partition and reinstall Windows.
 

x42bn6

Retired Staff
Joined
Nov 11, 2002
Messages
15,150
Reaction score
2
Location
London, United Kingdom
Grab HijackThis and post the log here. Let me see.....

W32/Parite.B - are you sure you spelt that right? Symantec doesn't have a fix.
 

xXLordSlippyXx

Member!
Joined
Feb 14, 2004
Messages
491
Reaction score
0
Location
With the doctors
I used HijackThis and it didn't work. I'll try and see if I can get the log up here somehow (using a different comp).

Where do I find the log....all I see is a backed-up section, and it shows me what I removed...how do I get that to a log?

Well my AV said it was w/32 Parite.b but I think it's just Parite.b or w32 parite.b

It's also pretty weird, because I can use my browser and other things like 5 minutes after a restart/shutdown...after those 5 minutes it just says connecting.
 

xXLordSlippyXx

Member!
Joined
Feb 14, 2004
Messages
491
Reaction score
0
Location
With the doctors
Tried it..... Didn't work......

I'm trying to figure out what is running it....because it's not happening as soon as I startup.....it takes like 5 minutes....

Running processes:
Explorer
rnaapp

Running Windows 98..... so no fancy XP solutions :p

I don't think it's Parite.b anymore.....I don't care what it is, I just want to be able to use my computer again, lol
 

xXLordSlippyXx

Member!
Joined
Feb 14, 2004
Messages
491
Reaction score
0
Location
With the doctors
I install the updates, because I can't stay connected long enough to download them. Although there are these 2 registry entries that I CANNOT get rid of, I've tried everything

1 is in Hk_Local_Machine
in the Run folder
and it says
NpciDeamon and it runs "winregservices"


And the other is in HK_Current_User
and it's in RunOnce
same thing as above

Could something be hidden in those, or are those normal system files?



I have Spybot on my computer, but whenever it gets to c2.lop it freezes, so I put that in the ignore list and ran it....and "fixed" the rest...


Oh yea, I can ping sites and get a response, just not connect to any of them after 5-7 minutes :confused:
 

Sly

Member!
Joined
Feb 25, 2004
Messages
3,211
Reaction score
2
Location
In Spain, under Ace's bed.
It's a registry problem, I'm pretty sure. I had the same thing happening with my laptop. Just buy/dl a program that cleans and repairs the registry, I'm sure that will fix it...
 

x42bn6

Retired Staff
Joined
Nov 11, 2002
Messages
15,150
Reaction score
2
Location
London, United Kingdom
I couldn't find a cleaning thing for your computer, but I found manual ones. Back up your registry and files, then print this out.

------------------------------------------------------------------------

[WORM/Spybot.A]

Terminating the Malware Program

This procedure terminates the running malware process from memory.

1. Open Windows Task Manager.
   On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
   On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
2. In the list of running programs*, locate the process:
   Winservicess.exe
   Winregservices.exe
   Sadness.exe
3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. To check if the malware process has been terminated, close Task Manager, and then open it again.
5. Close Task Manager.

*NOTE: On systems running Windows 95/98/ME, Windows Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

To remove the malware autostart entries:

1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries:
   NcplDeamon = "winservicess.exe"
   NcplDeamon = "winregservices.exe"
   NAV Auto Update = "SADNESS.EXE"
4. In the left panel, double-click the following:
   HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Runonce
5. In the right panel, locate and delete the entry or entries:
   NcplDeamon = "winservicess.exe"
   NcplDeamon = "winregservices.exe"
   NAV Auto Update = "SADNESS.EXE"
6. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Removing Other Registry Entries

1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
   HKEY_CURRENT_USER\Software\KAZAA\LocalContent
3. In the right panel, locate and delete the entry or entries:
   Dir0=012345:C:\WINNT\SYSTEM32\kazaabackupfiles\
4. Close Registry Editor.
5. Shut down your computer.

Removing Autostart Entries from System Files

A malware modifies system files so that it automatically executes at every Windows startup. These startup entries must be removed before the system can be restarted safely.

1. Open the SYSTEM.INI file. To do this, click Start>Run, type SYSTEM.INI, then press Enter. This should open the file in your default text editor (usually Notepad).
2. Under the [boot] section, locate the line that begins with:
   Shell=Explorer.exe
3. From the same line, delete the malware entry:
   Winservicess.EXE or Winregservices.EXE
4. Close the SYSTEM.INI file and click Yes when prompted to save.

-------------------------------------------------------------------

Why your computer hangs: It's a corrupted file for Spybot.

Read these instructions: http://www.safer-networking.org/en/faq/22.html

And good luck. There's a lot of work to be done. :)
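
Added example, not part of the original post or of the removal instructions it quotes: a Python check that looks for the autostart entries those instructions list, in a Regedit text export and in SYSTEM.INI. It matches on the executable name rather than the value name, since the value name reported earlier in the thread is spelled differently from the one in the instructions. The function names and the sample input are constructed for illustration.

```python
import re

# Indicators copied from the removal instructions quoted in the post above.
BAD_EXES = {"winservicess.exe", "winregservices.exe", "sadness.exe"}
AUTOSTART_KEYS = (r"hkey_local_machine\software\microsoft\windows\currentversion\run",
                  r"hkey_current_user\software\microsoft\windows\currentversion\runonce")
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def scan_reg_export(text):
    """Return (key, value name, data) for listed executables in the two autostart keys.
    Every path component and argument is compared, so full paths match too."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # start of a new registry key
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower() in AUTOSTART_KEYS:
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            if BAD_EXES & set(re.split(r'[\\/\s"]+', data.lower())):
                hits.append((key, name, data))
    return hits

def scan_system_ini(text):
    """Return listed executables appended to the [boot] shell= line of SYSTEM.INI."""
    section, hits = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "boot" and line.partition("=")[0].strip().lower() == "shell":
            value = line.partition("=")[2]
            hits += [t for t in value.split() if t.split("\\")[-1].lower() in BAD_EXES]
    return hits

# Constructed sample input (not taken from the affected machine).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"NcplDeamon"="winregservices.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce]
"NcplDeamon"="winregservices.exe"
'''
SAMPLE_INI = "[boot]\nshell=Explorer.exe Winregservices.EXE\n[386Enh]\ndevice=*vshare\n"

if __name__ == "__main__":
    print(scan_reg_export(SAMPLE_REG), scan_system_ini(SAMPLE_INI))
```

An empty result from both functions only means these three listed names are absent from those locations; it says nothing about other startup entries.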
 

Korittke

Member!
Joined
Dec 30, 2002
Messages
5,993
Reaction score
0
format c: and learn from your mistakes
 

xXLordSlippyXx

Member!
Joined
Feb 14, 2004
Messages
491
Reaction score
0
Location
With the doctors
Guess I better listen to jesus..

EDIT: NVM...YAY I got them to disappear...but my browser still "shuts off" after 5 minutes :(

I've scanned with Spybot without it freezing...and McAfee....nuttin.....nuttin at all comes up...and I would like to format, but I can't find any of my software CDs.....so I'd have to either buy em again, or download them.... awwww, really stuck now :fwink


The only thing that I don't get is why it doesn't affect AOL Instant Messenger at all....I can connect to that whenever I want to...what's that doing differently than everything else?
 

Korittke

Member!
Joined
Dec 30, 2002
Messages
5,993
Reaction score
0
Your browser uses port 80, AIM another one. Only port 80 doesn't work properly, as it looks like.
 

Korittke

Member!
Joined
Dec 30, 2002
Messages
5,993
Reaction score
0
Yes, a SOCKS proxy I guess, but that's unsuitable for this situation as well as you. ;) There's still some process running I suppose.
 

_Ace

BattleForums Senior Member
Joined
May 17, 2003
Messages
1,474
Reaction score
0
Location
Under my bed (Spain)
"I should go on a sleep strike..no sleep until some1 at BF solves me problem" <- by LordSlippy lol
 
