
Got a virus :-/ W32.Pinfi

Posted: Sat Jan 11, 2003 7:37 pm
by Hipnotic_Tranz
Yep, so my computer started acting a little crazy, thought I might scan my drive with that free site that floats around (forget the name). It found a virus called P Partie.A (if I remember correctly). Tried to clean it with that website and it didn't work. Installed Norton 2002 and it finds it as "W32.Pinfi" but is unable to clean my machine.

Haven't been able to find out too much, though I'm still looking. It places a 172kb randomly named temp file on your drive and infects all executables (yeah, it's a bitch!) It also infects any other PCs accessible on the network, so needless to say it infected my backup.

I don't really know what it does beyond that but either way I want it off! Any suggestions?

[edit]
here's a good info page:
http://vil.nai.com/vil/content/Print99690.htm

But I want instructions to get rid of it, I don't care about the history behind it! :p I see I have to disable "System Restore" but I've looked in "services" under Win2k and I don't see it.

Posted: Sat Jan 11, 2003 7:56 pm
by FlyingPenguin
Seems to be very new, but it looks like the latest NAV definitions will detect and clean it. Don't know if it tampers with your registry.

Damn little info on Symantec's site:
http://securityresponse.symantec.com/av ... 33106.html

I'd just take the usual virus cleaning steps: disconnect from the network and disable System Restore, then do a system scan.

I'd also check the Startup to see if there's anything suspicious looking being run when the computer boots.

If you have a recent Ghost image of your boot partition you might just want to restore that then scan the other drives. That's why I Ghost my boot partition once a month.

Posted: Sat Jan 11, 2003 8:01 pm
by Hipnotic_Tranz
I do the same (ghost my boot partition). Last ghost was, coincidentally, about a month ago. My PC was actin' weird so I loaded up that old image--now it seems just as bad if not worse. I'm thinking that since it infected all the execs then it won't matter. I'll have to basically format C, D, & G (windows, games, and misc drive) and only keep my music/movies since those are the only two partitions that don't have anything on 'em (no exe's thus no virus). Too much of a bitch, I just need to clean it.

Right now the rest of the machines are disconnected from the network so it's only my machine. Where can I locate "System Restore?" And yeah I've noticed, Symantec has hardly anything on it.

Posted: Sat Jan 11, 2003 8:04 pm
by blade
Found this
http://www.computing.net/security/wwwbo ... /3880.html

Run Norton. When Norton is finished,
Click Start > Run > type regedit and click OK
Click the + next to the following keys

HKEY_CURRENT_USER
Software
Microsoft
Windows
CurrentVersion
Explorer

Scroll down and right click on the PINF folder and delete it. Reboot. Then delete everything in C:\Windows\Temp



**Edit

and this
http://vil.nai.com/vil/content/v_99690.htm

Scroll down to the bottom, they say pinfi is an alias.
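
The steps blade lists (check the PINF key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer, then clear the temp directory) as a small report script. This is an added example written for this thread, not blade's or any vendor's code, and it targets modern PowerShell (Get-FileHash needs PowerShell 4 or later), not the Win2k of the original posts. The subkey name PINF and its parent path come from blade's post; the 172 KB size comes from the first post; the tolerance around that size is my own assumption. By default it only reports; nothing is deleted unless you pass -Remove, and even then each deletion asks for confirmation.

```powershell
# Added example (not from the thread): list the artefacts the posts describe
# so they can be reviewed before anything is deleted.
# Assumptions: the "PINF" subkey and its parent path are taken from blade's
# post; the ~172 KB temp-file size is taken from the first post; the +/-4 KB
# tolerance is my own choice.

param(
    [switch]$Remove   # without -Remove the script only reports
)

$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'
$pinfKey     = Join-Path $explorerKey 'PINF'

# 1. The registry subkey named in the thread. Note that the thread also
#    reports it reappearing after every reboot while infected executables
#    are still present, so its absence alone proves nothing.
if (Test-Path $pinfKey) {
    Write-Host "Found registry key: $pinfKey"
    Get-Item $pinfKey | Select-Object -ExpandProperty Property |
        ForEach-Object { Write-Host "  value name: $_" }
    if ($Remove) {
        Remove-Item $pinfKey -Recurse -Confirm
    }
} else {
    Write-Host "Registry key not present: $pinfKey"
}

# 2. Files in the user's temp directory close to the size the first post
#    reports (172 KB). Hashes are printed so a sample can be identified or
#    submitted to an AV vendor before it is removed.
$targetBytes = 172 * 1024
$tolerance   = 4 * 1024
$suspects = Get-ChildItem -Path $env:TEMP -File -ErrorAction SilentlyContinue |
    Where-Object { [math]::Abs($_.Length - $targetBytes) -le $tolerance }

foreach ($f in $suspects) {
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    Write-Host ("Temp file {0}  {1} bytes  modified {2}  sha256 {3}" -f `
        $f.Name, $f.Length, $f.LastWriteTime, $hash)
}

if ($Remove -and $suspects) {
    $suspects | Remove-Item -Confirm
}
```

Run it once without arguments to see what it finds, and again with -Remove only after the scanner has finished; a temp file that keeps coming back, like the registry key the later posts describe, means an infected executable is still being run.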

Posted: Sat Jan 11, 2003 8:11 pm
by Hipnotic_Tranz
Yeah, I've seen all those blade & tried it and no go. The registry key just pops back in there each time I reboot and I can't delete those temp files. I'm getting frustrated. About to format & forget.

Posted: Sat Jan 11, 2003 8:18 pm
by blade
Damn :(

You try the free av at http://www.grisoft.com? It's found and removed some viri that norton could not. Plus they updated on the 9th.

Posted: Sat Jan 11, 2003 8:28 pm
by Hipnotic_Tranz
Thanks, I'll try that. I just bought some CD-RW's tonight by coincidence and I figured I'd burn all misc files that weren't infected (like my pictures, config files, etc) but the virus infected nero.exe and now nero won't run cause it doesn't like that its exe has been modified :(

[edit]
%@#$*@#%$*@&#$ Tried to run that setup blade, gives an error and tells me to contact my vendor :| Grrr :| :| :| :| :| :|

:| :| :| :| :| :| :|
:| :| :| :| :| :| :| :| :| :| :| :| :|
:| :| :| :| :| :| :|

Posted: Sat Jan 11, 2003 8:41 pm
by blade
:( The virus must have infected the av .exe preventing the install.


Been searching around on this virus and it is still very new as FP said. All I could find is some end up formatting. A few said even then they couldn't format, as one here said.
http://miataru.computing.net/windowsxp/ ... 50382.html

If that's the case then I'd suggest a low level format. If you do that it removes all partitions so basically you start back over like it's a new hard drive.


Still searching, if I find anything useful I'll post it.



Any idea how you got this?

Posted: Sat Jan 11, 2003 10:14 pm
by d_b
Hope this helps

Good Luck,

dan

Posted: Sun Jan 12, 2003 12:13 am
by Hipnotic_Tranz
Thanks d_b. I remember seeing that while I was browsing through sites, however something weird (I'll have to try it again now that I've re-installed windows ;) ) I've <i>never</i> been able to get into safe-mode. I don't know if it has something to do with my <del>totally legit</del> windows CD or not (I get errors with setup not being able to copy certain files, but windows works).

When I went to format my games partition, I had problems doing a low-level format. It would hang at 27% and would pop up funky characters (characters of playing cards and such) so I just did a quick format, scanned the drive and tried to do another low-level and it still hung. So I decided I'd just install windows and I formatted again in windows even though the drive looked fine :dunno:

Thanks guys, even though it was all in vain since I formatted ;)

Posted: Sun Jan 12, 2003 9:27 am
by marscheese
did you format all the misc. files you wanted to back up? I could run over a hard drive, and you could just copy them all over if you want...

Posted: Sun Jan 12, 2003 1:24 pm
by Hipnotic_Tranz
I formatted my misc partition, but I kept all my pictures/documents & other non-executable files that weren't infected, so if you happen to have all that stuff (my patches & misc-files dir are the big ones) then that would be sweet. I didn't know you copied my misc drive? Might wanna check your computer for the virus as well, seeing as how I was on your network & it travels through any accessible resource ;)

That'd be pretty sweet though, cause I do need all those pictures from the SW convention as well, so maybe I'll do that. Just give me a call sometime today if you aren't busy....but check it for virus first :p I don't want that shit back on my computer :)

http://housecall.antivirus.com/housecall/start_corp.asp

[edit]
Any idea how you got this?
I'm sure it's not my constant downloading of files off of kazaa....nah, couldn't be! :o (specifically Duke Nukem: Manhattan Project--this is what I'm starting to believe did it cause it was the only <i>software</i> I installed from kazaa in, like, a one month period)

Posted: Sun Jan 12, 2003 6:26 pm
by CaterpillarAssassin
Yeah I make sure I scan EVERYTHING I get off of kazaa. Hate to lose all my stuff, ya know. Up until a few months ago I didn't really actively use any antivirus software. Now I see it as a must, I recommend it to all my customers.

Posted: Mon Jan 13, 2003 6:54 am
by marscheese
I haven't experienced any problems (and neither has Matt, given that he was hooked up to the network as well). Is it only people on your domain, or all the people on the network? In any case, I'll probably run something over tonight or tomorrow...

Posted: Mon Jan 13, 2003 9:33 am
by Hipnotic_Tranz
It passes through <i>any</i> available network resource whether it be the same workgroup/domain/whatever. Only exception is that if it's required that you need a password to access the drive (I know I needed a password for Matt's computer so I'd assume it would be the same for you). However, I did log into Matt's so it would have been accessible at that point.

I'm pretty sure that it's not on any of your guys system since I'm pretty darn sure it was Duke that had it and I downloaded duke way after we had that 'lil lan party. I'm half tempted to download it again on another machine and run a virus scan over it.