W32.Pinfi Virus
Kevin

06/18/03
WARNING!!!
BEWARE, BE VERY AWARE
I've just spent three days trying to figure out why my
computer wasn't working. I downloaded a file sharing
site by the name of Kazaa.
There just happen to be some @#holes that like to
wreak havoc and include viruses along with their
downloads. I happened to get the W32.Pinfi virus that will
worm its way through your entire system.
I had over 250 files infected in less than three days
including my anti-virus software which to my demise
I hadn't kept updated.
KEEP YOUR ANTI-VIRUS SOFTWARE UPDATED!!!
It's very ugly trying to repair it all.

Here are some sites that are helpful with the problem or
will show you how serious it can be:

http://www.sarc.com/avcenter/venc/data/w32.pinfi.html

http://www.newbie.org/help/messages/4508.html

Simply Super Software
Trojan Remover
http://www.simplysup.com/index.html
FREE. Download a fully-working evaluation copy

W32.Pinfi is a memory-resident polymorphic virus that will infect the .EXE and .SCR files. This virus is also capable of spreading via mapped drives and network shares.

Also Known As: Win32.Parite.a [KAV], W32/Pate.a [McAfee], Win32.Pinfi.A [CA], PE_PARITE.A [Trend], W32/Parite-A [Sophos], Win32/Parite.A [RAV]
Type: Virus
Infection Length: ~177,917 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux

TECHNICAL DETAILS

Upon executing a file infected with W32.Pinfi, the virus will perform the following:

1. Adds the registry value:

PINF

to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer

2. Appends itself to Explorer.exe to remain memory-resident.

3. Appends itself to all the .EXE and .SCR files that it finds on all the local and mapped drives. The virus contains an algorithm to slow the infection, so the virus will only infect a few files at a time.

4. W32.Pinfi will create a tempfile in the temporary folder. It will get the temporary folder by using a Windows API. The tempfile this virus creates will always have the following name:

[3 random letters][4 random hexadecimal digits].tmp

The file it creates is a UPX packed executable file. The temporary file will be executed by the virus, and it is this file that will attempt to infect files over network shares.

Please distribute this e-mail to your Friends and Enemies.
Nobody deserves this !@#$ except the !@#$%$ !@#$#@%
that put it out to the public.
I promise there is no virus on this e-mail.

Kevin,
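
An added triage example (not part of Kevin's post or the write-up he quotes): it lists files in a temp folder whose names fit the `[3 letters][4 hex digits].tmp` shape, flags the ones that are PE executables with UPX section names, and on Windows checks for the `PINF` value. The function names and the sample files, including the header-only PE images, are constructed for this example; `asxd0c2.tmp` is the name one poster reports further down the thread.

```python
import re
import struct
import sys
import tempfile
from pathlib import Path

# Name shape quoted in the write-up: [3 random letters][4 random hex digits].tmp
TMP_NAME = re.compile(r"^[A-Za-z]{3}[0-9A-Fa-f]{4}\.tmp$")

def pe_section_names(data):
    """Return the PE section names found in `data`, or None if it is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (count,) = struct.unpack_from("<H", data, e_lfanew + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(count):
        off = table + i * 40  # each section header is 40 bytes, name in the first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def triage_temp_dir(temp_dir):
    """List files whose name fits the pattern, flagging PE images with UPX sections."""
    findings = []
    for path in sorted(Path(temp_dir).iterdir()):
        if not path.is_file() or not TMP_NAME.match(path.name):
            continue
        with path.open("rb") as fh:
            sections = pe_section_names(fh.read(4096))
        findings.append({
            "name": path.name,
            "is_pe": sections is not None,
            # The name alone is weak evidence; a UPX-packed executable is stronger.
            "upx": bool(sections) and any(s.startswith("UPX") for s in sections),
        })
    return findings

def pinf_value_present():
    """True/False if the PINF value exists under HKCU Explorer; None off Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Explorer"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
            winreg.QueryValueEx(key, "PINF")
        return True
    except FileNotFoundError:
        return False

def build_sample_pe(section_names):
    """Constructed header-only PE (not a runnable program) used as demo input."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table

def demo():
    """Run the triage over a constructed temp directory and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "asxd0c2.tmp").write_bytes(build_sample_pe(["UPX0", "UPX1"]))
        (root / "qwe00ff.tmp").write_bytes(build_sample_pe([".text", ".data"]))
        (root / "abc1f3e.tmp").write_bytes(b"plain scratch data")
        (root / "setup.log").write_bytes(b"not a candidate")
        return triage_temp_dir(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
    print("PINF registry value present:", pinf_value_present())
```

A hit is a lead for the antivirus scan and the removal steps discussed in the thread, not a verdict: other software also packs executables with UPX.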

Abnormal

06/18/03
Thanks Kevin,
Kazaa is a virus sharing infected playground.

It will not get better, a new virus out
even before antivirus scanners are updated.

I like my computer, problem free.

Say No to Evil Kazaa.

Vincent
agashka2@msn.com
07/16/03
I need help with the w32.pinfi virus; I have this virus on my computer. Norton 01, 02, 03 can't fix it because it can't be updated (problem). Symantec can't help me. Can anyone send me a small antivirus to fix it? Send it only to me at agashka2@msn.com. Thanks
Anna
MEANCAFFEIE@HOTMAIL.COM
07/21/03
please help me. i did all that free virus checking stuff and it doesn't say i have any affected files anymore. but my programs don't even open
Jd

07/22/03
ohh god this virus .. i have been wondering why my IE hangs when i click on any button like the send button in hotmail, and then i installed norton and i found out that my pc was infected with this virus.. and it even infected norton, wow, antivirus infected with a virus, isn't that great, but i'm trying this trojan remover, i hope that helps, else i don't know what to do :(
Donna

07/22/03
First of all if you have ME, or XP, disable system restore and then go online to Panda Active Scan, or Housecall online Scan, and let it scan your computer and remove the virus. If you still have problems, I found this and copied it from another forum where they say it will work if you still have some of the virus in your machine.

Copied from another forum where they say this works.

First, run a full system scan. Then,
Click Start > Run > type regedit and click OK
Click the + next to the following keys:

HKEY_CURRENT_USER
Software
Microsoft
Windows
CurrentVersion

Scroll down and click on the Explorer folder (not the + sign). Look in the right hand window for PINF. Right click on this entry and click delete. Collapse the registry tree, close regedit and reboot.

Double click 'My Computer' icon and click 'Tools', 'Folder Options'.
Click the 'View' tab.
Check 'show hidden files and folders' and uncheck 'hide protected operating system files'.

Navigate to:
C:\Documents and Settings\joe\Local Settings\temp and delete the infected file.

As always, before you delete files from registry, it is a good idea to import a copy of your registry to your desktop temporarily just in case you have a problem, so you could export it back if necessary. Donna

gap
djinchack@yahoo.com
08/01/03
pls mail me the anti-virus
Zero

08/03/03
Oh man, what if it affected my Windows system.. what am I going to do, can I fix it without deleting it?
rowan
whanz_33@yahoo.com
08/04/03
i have a problem with regard to my printer driver because it's infected with the virus named w32.pinfi and i could hardly share it with another computer. If anyone has a fix tool please send it to my email at whanz_33@yahoo.com.
Peggy
thosetwosisters@hotmail.com
08/06/03
system32.exe virus from Kazaa
Got this from Kazaa. Anyone have a free remedy? Cannot delete the file. AVG cannot isolate. Any suggestions? I have a nightly update from AVG and tested clear at 11:00 pm, by 6am computer infected and shut down. HELP.
Thanks
Jay
acevng85@hotmail.com
08/12/03
somebody help me get rid of this virus off my computer!!!
Donna

08/13/03
Please go read the instructions above. They should work. Donna
ed

08/13/03
Donna never mind they never read the previous posts. And they seem to never be able to find their way back.
Donna

08/13/03
So I have noticed Ed. Donna
Timbo

08/16/03
Hey, I like almost all of you got w32.pinfi from kazaa, which i narrowed down to downloading winrar_crack.exe, when i executed it, seemingly nothing happened. Soon after i began to notice that kazaa was sharing 85 files all the time, even though nothing was in my shared folder, it was very odd. Then users began downloading files from my computer on kazaa, files i have never seen before:
Nero Burning ROM 6.7.8.1.exe, ZoneAlarmPro_Crack.exe, Winzip_Crack.exe. I knew these files weren't on my computer so i searched for every file that i had uploaded, countless times, and nothing ever came up.
Finally i got Norton system works, scanned and obviously found that i had w32.pinfi and it had infected hundreds of exe's. It tried to fix what it could, but it took over an hour on one particular directory(98 se) c:\windows\w32temp, which strangely enough had 85 exe's in it(over 100 mb), these are some of them:

daemon tools.exe, diablo 2 crack.exe, diet kazaa.exe, directx_9.exe, divx bundle +xvid.exe, battlefield1942_keygen.exe, aol_instant_messenger.exe, divx_bundle_package_crack.exe, icq hacks.exe, icq lite.exe, imesh 3.6.exe, kazaa hack v2.1.exe, kazaa lite (new).exe, kazaa lite 1.7.2.exe, kazaa lite_privacy_tool.exe, kazaa preview extractor.exe, KaZooM MP3 Kazaa Accelerator.exe, morpheus.exe, MSN_Messenger 5.0.exe, Nero Burning ROM 6.7.8.1.exe,
Nero Burning ROM_Keygen.exe, Net Pumper.exe
Pop-Up Stopper.exe, QuickTime_Pro_Crack.exe,
Serials_2003.exe, Spam Alarm.exe, Spybot-Search & Destroy.exe, Nero Burning ROM_Keygen.exe, Virtua Girls.exe, Winamp 3.8.exe, Windows Media player 9.5b.exe, Windows_2000_Keygen.exe, Windows_XP_Activation_Crack.exe, Windows_XP_Keygen.exe, WinMX.exe, WinRAR 3.5b.exe, Winzip_Crack.exe, WS_FTP_LE.exe, XBox Emulator.exe, XviD crack.exe, Yahoo Messenger.exe, ZoneAlarmPro_Crack.exe,
winrar_crack.exe

Like i said these are just some of the exe's that i jotted down. Almost sure that these were the source of my problems, I deleted them immediately. After that no *more* of my exe's were infected. I reinstalled what I could but IE still freezes all the time like the rest of yours do, and just today my WMP decided to stop working after reinstalling. And yes I did do the registry fix and delete the temp files, but as the theme around here seems to be, all my programs are permanently screwed and there is no way to fix what I can't reinstall. But nothing else is additionally being infected, nonetheless, I still must face the dreaded reformat.

My point is basically to avoid any files that resemble these on kazaa, really avoid any exe's on kazaa, they are probably all screwed up. This may only be a win 98 se solution, I don't know, but see if your kazaa has the same 85 (hidden) shared files. If so, delete them immediately.

That's all I got
Tim

Donna

08/17/03
It is much better to follow the removal above or look for the removal tool for this virus than it is to go just delete folders. You may end up losing everything on your computer to a reformat, if you just uninstall things at random. Donna
JaBmEn
jabmen@hotmail.com
08/18/03
Donna, seems that you have "tha solution" ... i tested what you said .. Works ?? i thought so .. ;) tks so much !!!
Jordan
cha0sj@yahoo.com
08/20/03
i have a fix...all you need to do is go buy Norton System Works and run a full scan on your computer and it takes it all away.

hope this helps...did for me ;)

Jordan

Jim

08/20/03
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=vis&idvirus=18181
Keith

08/23/03
Donna is the best, i managed to get rid of the virus by running norton, then going to that temp folder and deleted the virus and going into the registry and deleting the key of pinf
my one looked like this
asxd0c2.tmp

hmm i know the guy who gave me the virus, i will just have to pay him a little visit :)

Rob
zodiak@att.net
08/27/03
This is one nasty bugger!! My wife got ahold of this virus last night, and she had Norton remove it..now we cannot get into Windows anymore because it keeps asking us for a password we never established (under the "owner" username (that has no associated password))..when you try to enter through the password login, it gives me an application error with userinit.exe...and if you click through that error, it gives you an error on taskmanager. This is a NIGHTMARE!!! I would love to do all of these fixes that are posted here, but I cannot even gain access to my computer in safemode.

Symantec needs to reclassify the w32.pinfi virus as "highly destructive", because I have the sinking feeling that the only solution is to order a restore disk (I have an HP pavilion that has the restore disk on a HD partition).

Anyways...if someone knows how to get around the login, userinit error, I would be very appreciative (for those that think I can change passwords..no dice..tried it).

N Dizzle

08/31/03
THIS IS NOT A PROBLEM VIRUS!
I got it from kazaa, then simply scanned my HD with Norton, found that i had something like 450 files infected, and Norton did the rest. Problem solved in under 1 hour.
Rhonda

09/02/03
Well, Dizzle, I'm glad you think it is no problem. I have scanned with Norton, McAfee, Housecall...and have no luck finding the virus/trojan on my computer yet I know it is there, the files are showing in my computer. I am about ready to give up.
W32.pisd.off

09/02/03
Problem is, just doing the registry solution still leaves the infection on the computer. It just neutralizes the initial sting. Since a registry solution is the simplest of all virus remedies, i tried this - i'm now on my third relapse of this virus. Also please note, it seems to have a talent for diminishing the protection on a computer leaving it open to more viruses of similar type. If anyone has a real solution i'd be happy to hear it. To those who think they have solved the problem , it is unlikely that they have - but until a tool emerges that can handle this virus without succumbing to it - the wisest solution is to isolate the date on which the virus emerged, reformat and destroy all backups since the date on which you contracted the virus. Extreme measures i know, but as yet, no one program seems to completely remove this virus from the system (or at least mine) once it has infected a large portion of the drive. It then requests connections to everything that can handle it, especially p2p and networking. Its expansion is proportional to the size of the virus, so the more files infected tonight, the more extra infections will have occurred by tomorrow. Have fun erasing your homework, financial documents, office work, plan for world peace etc...

Do as Donna says if your data is too important to lose, but bear in mind the risk your system poses to others in direct contact with it is a lot higher than virus alerts would have you believe. Others who have 1500+ infected files will concur that its spread is similar to that of a fire storm, p2p being the wind.

W32.pisd.off

09/02/03
Good news everyone! Bitdefender is the key, do five or six scans of your computer and all (touch wood) infections will soon be a thing of the past, and its part of an evaluation copy:

http://www.bitdefender.com

I'm not guaranteeing success, but i no longer have fluctuating free space.

Still thinking about that format though, just to be safe.

If you happen upon the bottom feeder that invented this, you'll know what to do.

Larry

09/02/03
Go to: http://securityresponse.symantec.com/avcenter/venc/data/w32.pinfi.html You can download a trial version of Norton's Antivirus if you don't have it, and run the scan on your system. Then follow the instructions on their site to complete the removal.
Rhonda

09/02/03
Sorry, Larry, but Norton has done nothing for me. It can't find anything wrong with my computer..
Larry

09/02/03
Rhonda, if you are running Windows ME/XP, have you disabled System Restore as per the Symantec instructions? The virus scanner cannot detect and repair infected files in the System Restore folder unless it is disabled, and that might be your problem. Also, look in the list of viruses that your version of Norton blocks, and see if you find W32.Pinfi in it. If you don't find it, you may need to run Live Update.
Paulo Almas

09/04/03
Here is the remove tool from Panda Software:

remove Parite.B

1,2mb

http://updates.pandasoftware.com/pq/gen/pariteb/pqremove.com

Also Known As: Win32.Parite.a [KAV], W32/Pate.a [McAfee], Win32.Pinfi.A [CA], PE_PARITE.A [Trend], W32/Parite-A [Sophos], Win32/Parite.A [RAV]

Kerrichu

09/04/03
Hi, I was infected by this virus. I had been getting strange e-mails from people telling me that I was sending them attachments...but they were all for times that I wasn't online, so I ignored them...last night, I received another, and showed my boyfriend, who's a little bit of a computer geek. He read the e-mail, and told me I had a virus..he tried to update PC-Cillin, my virus scanner, but it was infected and we had to delete it...so he tried going online to Norton...but Internet Explorer has been corrupted and I can't use it. I'm online now through My Computer, using the address bar. We installed Norton, and scanned my computer. I ended up having 1353 files infected with this virus. I do not use Kazaa or any other P2P service. One of the infected files was actually a patch from windowsupdate.com, so we're guessing that's where this thing came from, since I had been downloading patches since catching the blaster worm a few weeks ago. Right now, the only programs that will load are Windows Media Player and Outlook Express...everything else was destroyed. I have to try to figure out a way to save the things I want and do a system restore. It's a huge pain in the ass..
jason
humveeluvr@aol.com
09/08/03
Well that's it for me, I'm throwing in the towel on this W32.Pinfi garbage. It infected my Norton 03' anti-virus, and left me missing Windows98' start up files. Norton decided to delete files on its own, so I'm luckily now able to use AOL and my Word. So the only solution I have found to fix my situation is to FORMAT C:
and start over with XP instead of 98'. I would like to join the rest of you in a final thanks to Kazaa and if any of you received W32.Pinfi from my shared files I'm sorry I didn't know.
Sadly an innocent computer user!
Russ
twofingersonagstring@hotmail.com
09/09/03
Had lots of probs with this bugger, programs not recognising it and stuff.
I got rid of it using
AVG Anti-virus (Free download from www.grisoft.com)
and then clearing up the registry using Panda Quick Remove
(Also free from http://updates.pandasoftware.com/pq/gen/pariteb/pqremove.com)

I've still had to reinstall most programs as the clear up left them in tatters, but the virus is gone for good, windows files are all intact and I've not needed to format the hard disk

David

09/10/03
Yea.. thanx Kevin,, But serious.. AHHAH.. all u did was basically copy what the Symantec website and pandasoftware had for their virus definitions,, but anyways,. it was good to get some advice on what to do.., Thanx
Linda
BabieGanksta04@yahoo.com
09/12/03
Please, someone, anyone help me. I have the W32.Pinfi virus. I've tried all i can ta get rid of it. Norton AntiVirus can't even get access to it so that it can repair it. Please somebody help me. I once downloaded Kazaa but i deleted all da programs that i downloaded after i found out that i had a virus on my computer but tha virus is still there. Please...someone help me get rid of this virus. You know tha email address so please hit me up. please.
Dan

09/17/03
Hey Guys, disable "system restore", boot safe mode, run updated antivirus, delete pinfi from registry.
FullMasta
g_2002@abv.bg
09/21/03
please someone help me... i can't get rid of w32/parite... it really does 172kb .tmp files... but how can i remove it ?! i am on dialup... pretty slow internet access... :(
please someone mail me !! thank you all..
Donna

09/21/03
http://securityresponse.symantec.com/avcenter/venc/data/w32.pinfi.html

Follow ALL the directions here to get rid of this virus. Donna

William
willy@avidfx.co.uk
09/22/03
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

Disable System Restore (Windows Me/XP).
Update the virus definitions.
Restart the computer in Safe mode (Windows 95/98/Me/2000/XP) or VGA mode (Windows NT).
Run a full system scan and repair all the files detected as W32.Pinfi.
Reverse the value that the virus added to the registry.

For specific details on each of these procedures, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Restarting the computer in Safe mode or VGA mode
For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode. For instructions, refer to the document, "How to start the computer in Safe Mode."
For Windows NT 4 users, restart the computer in VGA mode.

4. Scanning for and repairing the infected files
Start your Symantec antivirus software and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec corporate antivirus product is set to scan all files."
Run a full system scan.
If any files are detected as infected with W32.Pinfi, click Repair.

5. Reversing the value from the registry

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit, and then click OK. (The Registry Editor opens.)
Navigate to the key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

In the right pane, delete the value: PINF
Exit the Registry Editor.

Wilson
wmutenza@hotmail.com
09/22/03
Before you have to disable Restore.

01. In simple terms, start in safe mode then go to my documents and setting, to the administrator's folder and delete anything in temp folder.

02. Click Start, and then click Run. (The Run dialog box appears.)
Type regedit, and then click OK. (The Registry Editor opens.)
Navigate to the key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

In the right pane, delete the value: PINF
Exit the Registry Editor.

3. If you have Norton on a CD-ROM do a fresh install and scan your system. Delete all files in the quarantine folder.

4. Restart and uninstall Norton and delete all files related to Norton.

5. Do another fresh install of Norton and update your virus definition. If you don't have an internet connection you can update from a friend's PC with Norton and copy that file and replace the old file.

Believe me you will never see pinf unless you go to kazaa or share a file downloaded from kazaa.

karwan
karwan701@msn.com
09/29/03
it make my pc to stop
John
ryphis_demeanor@yahoo.com
10/03/03
Thanks for all these useful tips. I'm hoping I won't have to reload everything. But I know it's no use. I might as well restore my Ghost.
Reaper

10/10/03
1.) delete the reg entry
2.) close explorer from task manager
3.) use your fav antivirus
=> 4.) virus is removed but (almost) all your exe & scr files are corrupted.

how do you repair the files? (without having to delete them afterwards)

??

ncs

10/21/03
once you delete the key, the temp file, use f-prot from a floppy to clean up the mess. (boot to DOS.) Only way I was able to get rid of it.
The Hawk

11/01/03
Hi everybody. At the moment my KAV is disinfecting my computer from Win32.Parite.a. I could only suggest one thing. Just p#@s of Kazaa, because there are more viruses than clean files...so if you want to work with p2p software there is a better solution >> DC++ << Direct Connect works the same way like Kazaa, but in DC you should have a big share - there are rules e.g. if you want to enter a hub you will need 8gb share - consisted ONLY of music, videos(80% of the hubs forbid to share childporn and other s*it in the same category), games, softs and others(depends on hub rules). Here in Latvia we have ~25 hubs and each hub contains about 20Tb of information(the bigger ones have ~ 100Tb), but we have a small network, so you could possibly guess, what happens in Sweden, Germany, Poland and other countries where are ~100 hubs and each hub has...MUCH share :) just www.dcplusplus.com and you will find the best p2p software on the earth. Kazaa sux :)
Rob
icedout@comcast.net
11/04/03
hey i tried to get rid of this, i have another hard drive with the virus, it wouldn't let me boot into it, so i knew there was a virus but didn't really care at the time, so i scanned, then it allowed me back on, but now i rebooted can boot to the desktop only half of it, and scanned and found more viruses, i deleted the reg key, and hope nothing else stops it from loading
BobMarley

11/11/03
People, people.. This is not the fault of Kazaa, Grokster, or any of the hundreds of P2P programs out there.

Kazaa didn't create and distribute this virus!

ALWAYS, ALWAYS, ALWAYS scan every file you download, executable or not, BEFORE you open them!! I actually use 2 or 3 different scanners before I do as a precaution.

If people are going to download and run programs such as the one guy on here who actually said he tried the WinRAR_Crack, you've got to expect that they'll be infected.

Now, with the recording industry going after people I wouldn't be surprised if they are distributing bogus, possibly virus infected material and programs.

BE CAREFUL WHAT YOU DOWNLOAD!!!



© Copyright 1998-2004 Newbie dot Org -- All rights reserved --


