Can't Remove, Help!
Great, I "think" I have a virus....
So my little brother downloaded a "game" for free, and when it didn't work he got suspicious. So he looked around for a while reading what people have said to try to get it working, and he finds out that it's apparently a key logger, so my brother gets me to help. Anyway, this guy posted an MSN address to contact him for removal details, and he tells me the key logger injects itself into everything on the PC including explorer.exe and it is actually impossible to remove.
I asked how he knows and he simply replied "I helped code the virus with some friends but it wasn't made for this". This is where I thought he was a liar, but I scanned the file for the first time and there it came up as Win32/Parite. I read about this and it seems to fit the description of what he has told me, but it says low risk, medium spread; maybe he has adapted it to become more harmful.
I tried removing it with Anti-Parite and it got halfway through the removal and crashed; now I can't even run the removal tool for 30 seconds.
I checked the other PCs on my network and now they seem to be infected also. All I ask is for a little help and a few questions answered. I know my brother has been stupid, he should have scanned it first, and I also regret not having an anti-virus installed; I never expected anything like this would happen to me.
1) Is it possible for this to be a key logger or to steal any sensitive information from me?
2) How should I go about removing it (e.g. unplug all PCs on the network and run the scanner on each one)?
Thanks for any help.
Comments
Hi!
First of all, Win32.Parite is a file infector, and it doesn't seem to have any keylogger capabilities.
1. Yes, keyloggers are written to steal password information etc. However, they mostly target credit card numbers, etc.
2. You could restart your PC in safe mode and re-run the tool again.
Andrei
There are many keyloggers / bots floating around the 'net which (besides being malicious themselves) are infected with the Win32.Parite virus. This seems to be the case here.
This is my first post.
Not sure if you're still having trouble with this or not. I came across a strain of Parite on a group of servers for a new customer of mine. I used the Bitdefender online scanner to identify the virus; the removal tool they have seems to work but left behind some service dependencies that would cripple the servers after they had been restarted. I wrote the following as I went and got the cleanup time down to about 5 minutes per server. I hope this helps someone; I put about 10 hours into researching and cleaning this up across 15 servers:
WIN32.PARITE cleanup
The Parite virus that I encountered seemed to run via the following executable: “c:\windows\system\svchost.exe”. svchost.exe is a valid process for generic execution, but the proper location is the “%systemroot%\system32” directory. The virus ran as a service called “netsvc” and changed many of my other services to be dependent on this new service. I attempted to use the Bitdefender cleanup tool, which seemed to kill the virus but did not remove the service dependencies, so my machines would not boot correctly. I came up with the following cleanup process, which seems to completely remove the infection:
1.) Delete the following registry key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]
2.) Search “HKLM\System\CurrentControlSet\Services” for “netsvc”; every time you come across a “DependonService” key with “netsvc” listed, remove netsvc from the key. In my situation I found the following keys, representing services, that had been modified:
DHCP – removed “netsvc” from dependencies
DNSCACHE – removed “netsvc” from dependencies, replaced with “TCPIP”
EVENTLOG – removed “netsvc” from dependencies
LANMANServer – removed “netsvc” from dependencies
LANMANWORKSTATION – removed “netsvc” from dependencies
NETMAN – removed “netsvc” from dependencies, replaced with “RpcSs”
Protected Storage – removed “netsvc” from dependencies, replaced with “RpcSs”
RpcSs – removed “netsvc” from dependencies
3.) Delete the following key:
“HKLM\System\CurrentControlSet\Services\netsvc”
**note: This service can be a legitimate service; I believe that certain Intel network drivers install a service with this name. The executable for the service in my case was set to c:\windows\system\svchost.exe, which is the infected executable. The proper svchost.exe executable should be in the system32 directory. If you're not sure, you can set the “start” key to a value of “4”, which will set the service as “disabled”, rather than deleting it.
4.) At this point the “c:\windows\system\svchost.exe” process was still running, but the netsvc service in services showed as “disabled”. If you kill the service in services.msc, it will kill all of the services that were dependent on the service even though you removed the dependencies in the registry. Open a command prompt and run “tasklist /svc”, which will list all currently running tasks, the services they are attached to and their “PID”. Look for the “netsvc” service and note the PID.
5.) In your command prompt window type “taskkill /PID XXXX”, replacing “XXXX” with your PID number from step 4. If the above command does not work, try adding “/F” to the command to force termination. This should kill the infected svchost.exe process.
6.) Delete “c:\windows\system\svchost.exe”. If you use Explorer, you will have to change your view options and disable “hide protected operating system files” to view the file.
7.) Run the BitDefender Win32.Parite.A/B/C Removal tool, which can be downloaded from the following location:
http://www.bitdefender.com/site/Downloads/...FreeRemovalTool
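Before editing the registry by hand as in steps 2 to 4, it helps to have a read-only audit of the same indicators. The following PowerShell script is an added example, not the poster's own procedure: it lists every service whose DependOnService still names “netsvc”, checks where the “netsvc” ImagePath points, looks for the PINF marker key, and finds the PID hosting the service the way “tasklist /svc” does. It assumes the names from the post (“netsvc”, “PINF”, c:\windows\system\svchost.exe) and modifies nothing; run it from an elevated prompt.

```powershell
# Audit-only check for the Parite symptoms described in the post above.
# Assumed indicators come from the post: service "netsvc", marker key "PINF",
# and a svchost.exe living outside %SystemRoot%\system32. Nothing is changed.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$Suspect     = 'netsvc'
$ValidPath   = Join-Path $env:SystemRoot 'system32\svchost.exe'

# 1) Which services were made dependent on the suspect service (post step 2)?
$tampered = Get-ChildItem $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    # DependOnService is a REG_MULTI_SZ, so PowerShell exposes it as a string array
    if ($p.DependOnService -and ($p.DependOnService -contains $Suspect)) {
        [pscustomobject]@{
            Service   = $_.PSChildName
            DependsOn = ($p.DependOnService -join ', ')
        }
    }
}
Write-Output "Services still depending on '$Suspect':"
$tampered | Format-Table -AutoSize

# 2) Does a "netsvc" service exist, and is its binary in the right place (post step 3)?
$svcKey = Join-Path $ServicesKey $Suspect
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty $svcKey
    # Strip quotes and expand %SystemRoot% so the path compares cleanly
    $img = [Environment]::ExpandEnvironmentVariables(($svc.ImagePath -replace '"', '').Trim())
    if ($img -and ($img -notlike "$ValidPath*")) {
        Write-Warning "'$Suspect' ImagePath is '$img' (Start=$($svc.Start)); expected $ValidPath"
    } else {
        Write-Output "'$Suspect' ImagePath looks legitimate: $img"
    }
} else {
    Write-Output "No '$Suspect' service key present."
}

# 3) The per-user marker key the post deletes in step 1.
$pinf = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF'
if (Test-Path $pinf) { Write-Warning "Marker key present: $pinf" }

# 4) PID hosting the suspect service, the same data as "tasklist /svc" in step 4.
tasklist /svc /FO CSV | ConvertFrom-Csv |
    Where-Object { $_.Services -match "\b$Suspect\b" } |
    Select-Object 'Image Name', PID, Services
```

A clean machine prints an empty dependency table, no netsvc key (or one whose ImagePath sits under system32), no marker key and no matching PID.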