WORM_ASSARM.A trouble

Original Message

Name: infinight
Date: April 28, 2003 at 19:57:20 Pacific
Subject: WORM_ASSARM.A trouble
OS: Windows XP Pro
CPU/RAM: P4 1.5 GHz, 512 MB PC133

Comment: I am having some severe trouble with the WORM_ASSARM.A trojan. My CD drives won't recognize CDs, I can't use Windows Media Player, and the trojan's process (SVCHOST.EXE) is eating up tons of my RAM. My virus protection has also been completely disabled and I have not been able to fix it. I am at a complete loss as to what to do. All the information I have found on the worm tells me to simply close the process from the task manager, but when I do that it just starts up again. Any help would be greatly appreciated - I haven't had a trojan in a long time, and am very rusty. Thanks

Response Number 2

Name: capt
Date: April 28, 2003 at 20:45:07 Pacific

Reply: The Trend Micro website has the best removal instructions to remove this worm. You need to start by using start > run > sysedit > system configuration editor and win.ini to delete the keys for this.

Response Number 3

Name: Imp
Date: April 28, 2003 at 23:48:06 Pacific

Reply: Hello Infinight, if you are not familiar with all the procedures possible to erase a trojan horse virus manually and the worm related to these specific betrayals, I suggest you download the program which will do it automatically for you: Trojan Remover version 5.03. This program is freeware for one month, but the version you download is complete. After this period, you will need to buy a licence to be able to update both the virus database and the program itself. Best program made for eradication of trojan viruses, easy to use and very efficient, no manual intervention needed... Trojan Remover: http://www.simplysup.com/tremover/details.html

Response Number 4

Name: infinight
Date: April 29, 2003 at 16:36:20 Pacific

Reply: Thank you all very much for responding, but I need more help. SVCHOST.exe does NOT show up in msconfig, sysedit closes itself after about 10 seconds (like my antivirus) and Trojan Remover finds nothing except a registry change that it says is nearly always the work of a trojan. I click yes for the program to change the registry back, but when I restart and run the program again the same message comes up. Meanwhile, my computer is getting worse and worse - sometimes when I turn it on it is so slow that it is unusable. This seems pretty serious, please help!! Thanks

Response Number 5

Name: capt
Date: April 29, 2003 at 17:14:28 Pacific

Reply: Try either TDS from http://diamondc.com.au/ - it is one of the best trojan programs - or the program I use, Agnitum's Tauscan. I wish you luck, as it sounds like a bad one.

Response Number 6

Name: infinight
Date: April 29, 2003 at 17:16:01 Pacific

Reply: I recently tried to use the Trend Micro cleaning tool, which, like my antivirus and the other trojan cleaning tool, closed itself about 10 seconds in. I'm getting scared.

Response Number 8

Name: infinight
Date: April 29, 2003 at 17:29:47 Pacific

Reply: That trojan protection terminated itself too. I don't have a firewall; I play a lot of online games and firewalls can be troublesome... :/ I have no idea what to do and I'm getting pretty desperate.

Response Number 9

Name: capt
Date: April 29, 2003 at 17:39:03 Pacific

Reply: This is not supposed to be a destructive trojan. The Trend Micro instructions are: Open the system configuration editor: START > RUN, type sysedit and press Enter. In the system config editor select win.ini and under the [windows] section locate the line that begins with run=. From that same line, delete the malware path and filename C:\%Windir%\svchost.exe (where %Windir% is the Windows directory, which is usually C:\windows or C:\winnt). Close the system config editor and click Yes when prompted to save. Please double check these instructions at the Trend Micro website to make sure you have and I have them right.

Response Number 10

Name: infinight
Date: April 29, 2003 at 17:55:36 Pacific

Reply: I cannot access sysedit because it terminates itself after 10 seconds. Is there a way I can edit win.ini manually?

Response Number 11

Name: capt
Date: April 29, 2003 at 18:14:49 Pacific

Reply: Disconnect your computer from the internet and try using the downloads of the trojan programs, and the manual removal instructions. If that does not work, try to install and run them while you are in safe mode, still disconnected from the net.

Response Number 12

Name: Tom41
Date: April 30, 2003 at 01:58:48 Pacific

Reply: Most XP machines do not use a win.ini file. If yours does, click Start > Run > type win.ini and click OK. The win.ini will open in Notepad. Edit it, close and save the changes. It's likely that the virus has registered itself as a service instead. Click Start > Run > type services.msc and click OK. Stop and disable the svchost.exe whose path is C:\Windows. Do not disable any of the svchost.exe's whose path is C:\Windows\System32.

Response Number 13

Name: Tom41
Date: April 30, 2003 at 03:10:41 Pacific

Reply: After reading all the posts again, something tells me that you are not infected with WORM_ASSARM.A. Assarm does not contain a destructive payload. It merely replies to e-mails if you use Outlook. Let's have a look at what is loading. Go here and download, unzip and run StartupList. It will create a log file; copy the log and paste it in a reply.

Response Number 14

Name: capt
Date: April 30, 2003 at 10:54:08 Pacific

Reply: This sounds more like the Klez or Opraserv attack than Assarm. Are there any wink.exe files in the startup menu? Without a firewall it could be almost anything.

Response Number 15

Name: infinight
Date: April 30, 2003 at 16:43:30 Pacific

Reply: svchost.exe does not show up under services.msc. I am certain that it is not Klez, because when I ran the Trend Micro trojan removal tool it showed my computer was Klez-free in the short time before the program terminated itself.

My win.ini (if you want to see it):

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo2
asx=MPEGVideo2
au=MPEGVideo
ivf=MPEGVideo2
m1v=MPEGVideo
m3u=MPEGVideo2
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo2
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo2
wm=MPEGVideo2
wma=MPEGVideo2
wmp=MPEGVideo2
wmv=MPEGVideo2
wmx=MPEGVideo2
wvx=MPEGVideo2

Thanks everyone for staying with me. Here is the log from StartupList:

C:\WINXP\System32\smss.exe
C:\WINXP\SYSTEM32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\SYSTEM32\logonui.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\spoolsv.exe
C:\WINXP\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINXP\System32\CTHELPER.EXE
C:\PROGRA~1\QUICKT~1\qttask.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\ccApp.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\wkcalrem.exe
C:\PROGRA~1\WinZip\WZQKPICK.EXE
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE
C:\WINXP\svchost.exe
C:\DOCUME~2\INFINI~1\Desktop\STARTU~1.EXE

---------------------
Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup]
Microsoft Works Calendar Reminders.lnk = ?
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

---------------------
Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINXP\system32\userinit.exe,

---------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz = nwiz.exe /install
WINDVDPatch = CTHELPER.EXE
UpdReg = C:\WINXP\UpdReg.EXE
Jet Detection = "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
WorksFUD = C:\Program Files\Microsoft Works\wkfud.exe
Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
QD FastAndSafe =
QuickTime Task = "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
NeroCheck = C:\WINXP\system32\NeroCheck.exe
NAV CfgWiz = C:\PROGRA~1\NORTON~2\Cfgwiz.exe /R
ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
ccRegVfy = C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
Advanced Tools Check = C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE

---------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

washindex = C:\Program Files\Washer\washidx.exe "infinight"

---------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

---------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = shell32.pif "%1" %*

---------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = shell32.pif "%1" %*

---------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = shell32.pif "%1" %*

---------------------
Shell & screensaver key from C:\WINXP\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINXP\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

---------------------
Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Yahoo! Companion BHO - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll - {13F537F0-AF09-11d6-9029-0002B31F9E59}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

---------------------
Enumerating Task Scheduler jobs:

Norton SystemWorks One Button Checkup.job
Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job

---------------------
Enumerating Download Program Files:

[{2B323CD9-50E3-11D3-9466-00A0C9700498}]
CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab

[Alice Control]
InProcServer32 = C:\WINXP\DOWNLO~1\alice.ocx
CODEBASE = http://www.skotos.net/MarrachGame/Alice44.cab

[GSDACtl Class]
InProcServer32 = C:\WINXP\Downloaded Program Files\gsda.dll
CODEBASE = http://launch.gamespyarcade.com/software/launch/alaunch.cab

[HouseCall Control]
InProcServer32 = C:\WINXP\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2003042101/housecall.antivirus.com/housecall/xscan53.cab

[YahooYMailTo Class]
InProcServer32 = C:\WINXP\Downloaded Program Files\ymmapi.dll
CODEBASE = http://download.yahoo.com/dl/installs/ymail/ymmapi.dll

[{CD17FAAA-17B4-4736-AAEF-436EDC304C8C}]
CODEBASE = http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINXP\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

---------------------
Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINXP\system32\SHELL32.dll
CDBurn: C:\WINXP\system32\SHELL32.dll
WebCheck: C:\WINXP\System32\webcheck.dll
SysTray: C:\WINXP\System32\stobject.dll

---------------------
End of report, 6,824 bytes
Report generated in 0.188 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only

Response Number 16

Name: infinight
Date: April 30, 2003 at 17:34:06 Pacific

Reply: I was thinking of reinstalling Windows, but since my CD ROM drives don't seem to be working, that would be impossible unless I could boot from the CD. Presumably if the process isn't running my CD drives would work. However, I don't even think reinstalling Windows would help, and I REALLY don't want to reformat. I would really hate to have to do that.

Response Number 17

Name: infinight
Date: April 30, 2003 at 17:37:28 Pacific

Reply: This is becoming sort of urgent. I have a big essay due and Word isn't working. :/ Argh.

Response Number 18

Name: Tom41
Date: April 30, 2003 at 18:41:18 Pacific

Reply: Well, you are infected with Assarm: C:\WINXP\svchost.exe. Boot into safe mode and delete C:\WINXP\svchost.exe. You also have some file associations that were damaged by Backdoor.Beasty.F: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.beasty.f.html I don't see any of the files related to Beasty; they may have been removed by your antivirus. Follow Symantec's instructions above for repairing the file associations for .exe, .com and .pif files (this is why your programs won't run). Run a full virus scan when done.

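Tom41's diagnosis rests on two details in the StartupList report pasted in response #15: an svchost.exe running from C:\WINXP instead of C:\WINXP\System32, and the .EXE/.COM/.PIF open commands pointing at shell32.pif instead of the stock Windows handler "%1" %*. The following Python script is an added example, not code from the thread, from StartupList or from Symantec: it parses a constructed excerpt of that report (paths retyped from response #15, most sections trimmed), flags both indicators, and builds a .reg file that restores the default handlers.

```python
"""Flag the two indicators from a StartupList report and build a repair
.reg file. Added example; not from the thread, StartupList or Symantec."""
import re
from pathlib import PureWindowsPath

# Stock Windows open commands for the three file types hijacked in the log.
EXPECTED_OPEN_COMMANDS = {
    "EXE": '"%1" %*',
    "COM": '"%1" %*',
    "PIF": '"%1" %*',
}
PROGIDS = {"EXE": "exefile", "COM": "comfile", "PIF": "piffile"}

# Constructed excerpt of the report in response #15 (most sections removed).
STARTUPLIST_EXCERPT = r"""
C:\WINXP\system32\services.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\ccApp.exe
C:\WINXP\svchost.exe
---------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
---------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = shell32.pif "%1" %*
---------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = shell32.pif "%1" %*
---------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = shell32.pif "%1" %*
"""


def parse_report(text):
    """Return (running_process_paths, {EXT: open_command}) from report text."""
    processes, associations, pending_ext = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"File association entry for \.(\w+):", line)
        if m:
            pending_ext = m.group(1).upper()
            continue
        m = re.match(r"\(Default\)\s*=\s*(.*)", line)
        if m and pending_ext:
            associations[pending_ext] = m.group(1).strip()
            pending_ext = None
            continue
        # The running-process section is bare full paths to executables.
        if re.match(r"^[A-Za-z]:\\", line) and line.lower().endswith(".exe"):
            processes.append(line)
    return processes, associations


def find_rogue_svchost(processes, windir):
    """svchost.exe instances whose directory is not <windir>\\System32."""
    legit_dir = str(PureWindowsPath(windir, "System32")).lower()
    return [p for p in processes
            if PureWindowsPath(p).name.lower() == "svchost.exe"
            and str(PureWindowsPath(p).parent).lower() != legit_dir]


def find_hijacked_associations(associations):
    """Open commands that differ from the stock Windows handler."""
    return {ext: cmd for ext, cmd in associations.items()
            if ext in EXPECTED_OPEN_COMMANDS
            and cmd != EXPECTED_OPEN_COMMANDS[ext]}


def build_repair_reg(hijacked):
    """Text of a .reg file resetting each hijacked open command to default."""
    lines = ["REGEDIT4", ""]
    for ext in sorted(hijacked):
        default = EXPECTED_OPEN_COMMANDS[ext].replace('"', r'\"')
        lines.append("[HKEY_CLASSES_ROOT\\" + PROGIDS[ext] + "\\shell\\open\\command]")
        lines.append('@="' + default + '"')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    procs, assocs = parse_report(STARTUPLIST_EXCERPT)
    print("svchost.exe outside System32:", find_rogue_svchost(procs, r"C:\WINXP"))
    hijacked = find_hijacked_associations(assocs)
    print("hijacked open commands:", hijacked)
    print(build_repair_reg(hijacked))
```

The .reg text only restores the three open commands; the svchost.exe copy itself still has to be removed as Tom41 describes, and a scan run afterwards.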
Response Number 19

Name: infinight
Date: April 30, 2003 at 20:17:21 Pacific

Reply: THANK YOU SO MUCH FOR IDENTIFYING THE PROBLEM! However, I'm very sorry but I don't really understand which one of those steps I'm supposed to follow... am I supposed to run safe mode and do the registry key deletion thing, or the other steps? Also, one problem... I am not sure my computer has a safe mode.

Response Number 20

Name: infinight
Date: April 30, 2003 at 20:20:58 Pacific

Reply: Yes, this could be a problem... I just checked and on my boot menu there is only: 1. Normal, 2. IDE CD ROM device, 3. Hard Drive, 4. Diskette Drive. No safe mode. I tried booting from Hard Drive, which I am in now, and it appears no different from normal.

Response Number 21

Name: capt
Date: April 30, 2003 at 20:34:51 Pacific

Reply: Sorry, I did not know that you did not know how to get into safe mode. You click one of the F keys while you are starting the boot-up sequence. Different computers use different keys; F8/F5/F2 are the common ones.

Response Number 22

Name: mesich
Date: May 1, 2003 at 00:06:20 Pacific

Reply: Hi All, if you are unable to access the boot menu using the F8 key then try the following. Start, Run and type msconfig. Select the boot.ini tab at the top. Place a check next to Safeboot. Click on Apply. When prompted, restart the computer. It will now start in Safe Mode. Go to C:\WinXP and delete the file svchost.exe. Do NOT delete the svchost.exe located in C:\WinXP\System32. Remove the registry entries in the link provided by Tom41 in response #18. Go back and remove the check next to Safeboot in msconfig. Restart the computer. Go to HouseCall and run it. HTH. Best Regards, Mesich

Response Number 23

Name: infinight
Date: May 1, 2003 at 12:31:41 Pacific

Reply: Thank you very much. I am at school right now - when I get home I'll do that. (By the way, safe mode was F8... :/ I feel like an idiot... I'm used to it showing up at boot.) Should I re-enable System Restore? I turned it off.

Response Number 24

Name: capt
Date: May 1, 2003 at 12:59:36 Pacific

Reply: After everything is up and running properly re-enable System Restore, but only then. I am sorry that I just assumed that you knew how to get into safe mode. It is a very handy feature, as only the essential tasks are running. If you ever encounter a file that cannot be deleted because it is in use, it is the tool to use. Sometimes ScanDisk and Defrag must be run from it, if you are constantly getting restarts. You had me worried when the instructions for Assarm were not working and things were crashing before your eyes, because it is not supposed to be a destructive worm. I want to thank Tom, and especially Mesich, who responded to my call for help. These are some great people who are a lot better at explaining things; they also have great knowledge and abilities to draw on. You should check out Mesich's website, very nice, with great information! Please do yourself a favor and get a firewall; try a hardware one at least from D-Link or Linksys for 40-50 dollars if gaming is the issue. Leaving yourself completely exposed to the bad guys is not good! Take care and all the best!

Response Number 25

Name: infinight
Date: May 1, 2003 at 16:56:17 Pacific

Reply: It didn't work. What a nightmare. I was able to change the values easily, but the two keys I was supposed to delete could not be found. One thing of interest is that I was not able to open regedit through the command prompt like it said; the command prompt wouldn't accept the commands given. Please, help, I really need to get this fixed... :(

Response Number 26

Name: infinight
Date: May 1, 2003 at 16:57:48 Pacific

Reply: Oh, I forgot. Since the command prompt wouldn't accept the commands, I just opened regedit through Run in the Start menu.

Response Number 27

Name: infinight
Date: May 1, 2003 at 18:09:36 Pacific

Reply: I think maybe the trojan removal deleted the keys it added, but the registry keys I've edited simply revert back when I reboot regularly. I couldn't find a save command; am I just not saving the changes?

Response Number 28

Name: capt
Date: May 1, 2003 at 18:59:43 Pacific

Reply: Have you disabled "SYSTEM RESTORE"? You do it by right-clicking My Computer > Properties > System Restore > Turn Off System Restore.

Response Number 30

Name: capt
Date: May 1, 2003 at 19:50:09 Pacific

Reply: Have you tried installing one of the trojan programs you downloaded, but could not run in normal mode? Then try using it while still in safe mode. Do you have your Norton rescue disks, or have you tried using the CD while in safe mode?

Response Number 31

Name: infinight
Date: May 1, 2003 at 19:56:24 Pacific

Reply: Somehow I don't think that will work. It's a matter of the things I do in Safe Mode not registering in Normal mode. I tried doing these things twice - ASSARM's svchost.exe is still here and the registry remains unchanged.

Response Number 32

Name: capt
Date: May 1, 2003 at 20:11:50 Pacific

Reply: You are right-clicking the item listed in the registry, it is then highlighted, you then click Delete, and the item does not disappear? Or does it come back later?

Response Number 33

Name: infinight
Date: May 1, 2003 at 20:22:06 Pacific

Reply: The instructions say to edit certain keys, and to delete two. The two keys I am supposed to delete are not on my machine, so I just skipped those steps. The keys I've edited don't stay edited when I reboot. They just revert to the values they were before I edited them.

Response Number 35

Name: infinight
Date: May 1, 2003 at 20:37:12 Pacific

Reply: Yes, that's about it. They stay renamed when I'm actually doing it, but once I reboot in Normal mode they revert.

Response Number 36

Name: capt
Date: May 1, 2003 at 20:50:05 Pacific

Reply: I have no idea what to do if you cannot rename or delete them! There is something big-time going on. Having your antivirus software disabled, this, and not being able to do anything is not Assarm. Do you use Kazaa? Have you tried to use your Norton Rescue disks? Hopefully you have backed up your important files, because things are not looking good.

Response Number 37

Name: infinight
Date: May 1, 2003 at 21:04:12 Pacific

Reply: Oh, no... :( I really need my computer working again... I do use Kazaa, which is where, I assume, I got the virus(es) in the first place. I foolishly never made rescue disks because I haven't had any security problems for so long. Does anyone know what to do? I'm pretty desperate...

Response Number 38

Name: capt
Date: May 1, 2003 at 21:32:08 Pacific

Reply: Since you do not have a firewall, have you tried doing all these actions with your computer disconnected from the internet? Perhaps the system has been completely taken over by a hacker and now is a bot.

Response Number 39

Name: Tom41
Date: May 1, 2003 at 23:11:53 Pacific

Reply: There must be an infected file hiding somewhere, and when you reboot it 'runs' when Windows starts. Try doing the registry editing in normal mode without rebooting and then try to run your antivirus, or try an online scan here: www.ravantivirus.com/scan

Response Number 40

Name: infinight
Date: May 2, 2003 at 11:44:47 Pacific

Reply: Making the registry changes in Normal mode without rebooting did nothing, except that now Windows Media Player works. However, I started the online scan, and... it found two files infected with W32.Parite.B. One it failed to cure, so I'm going to delete it. The scan's still going.

Response Number 41

Name: infinight
Date: May 2, 2003 at 12:19:50 Pacific

Reply: Ok:

Scan results - Found viruses
File: C:\Program Files\netquartz ez-platform 2\ez-pad\zip.exe  Virus: Win32/Parite.B  Status: Cured
File: C:\Documents and Settings\infinight\Local Settings\Temp\yma1.tmp  Virus: Win32/Parite.B  Status: Failed to cure
File: C:\WINXP\svchost.exe  Virus: Backdoor:Win32/Beasty  Status: Failed to cure
File: C:\WINXP\system32\shell32.pif  Virus: Backdoor:Win32/Beasty  Status: Failed to cure
File: C:\WINXP\system32\ñbßm\øb.Ýoç  Virus: Backdoor:Win32/Beasty  Status: Failed to cure
File: C:\WINXP\system32\Com\mscom32.com  Virus: Backdoor:Win32/Beasty  Status: Failed to cure
File: C:\WINXP\Temp\kla1.tmp  Virus: Win32/Parite.B  Status: Failed to cure
File: C:\WINXP\Temp\fla2.tmp  Virus: Win32/Parite.B  Status: Failed to cure
File: C:\WINXP\Temp\hla3.tmp  Virus: Win32/Parite.B  Status: Failed to cure
File: C:\WINXP\Temp\gla1.tmp  Virus: Win32/Parite.B  Status: Failed to cure
File: C:\WINXP\Temp\ola2.tmp  Virus: Win32/Parite.B  Status: Failed to cure
File: C:\WINXP\Temp\tla3.tmp  Virus: Win32/Parite.B  Status: Failed to cure
File: C:\WINXP\Temp\nra4.tmp  Virus: Win32/Parite.B  Status: Failed to cure
File: C:\WINXP\Temp\rra5.tmp  Virus: Win32/Parite.B  Status: Failed to cure
File: C:\WINXP\Temp\moa1.tmp  Virus: Win32/Parite.B  Status: Failed to cure
File: C:\WINXP\Temp\gla2.tmp  Virus: Win32/Parite.B  Status: Failed to cure
File: C:\WINXP\Temp\vjc43.tmp  Virus: Win32/Parite.B  Status: Failed to cure
File: C:\WINXP\Temp\vla1.tmp  Virus: Win32/Parite.B  Status: Failed to cure
File: C:\WINXP\Temp\uma1.tmp  Virus: Win32/Parite.B  Status: Failed to cure

Do I go through and delete all of these? Some of them must be running, so I can't really do that, so I guess I can boot in safe mode and do it? I guess I don't even have Assarm. By the way, shell32.pif was the file name that was added to those registry keys. I dunno what to do, so I'll just wait for instructions...

Response Number 42

Name: capt
Date: May 2, 2003 at 13:02:16 Pacific

Reply: Delete your temporary internet and offline files. Then try using your Norton CD as a recovery disk, by installing and getting the scan to work?

Response Number 43

Name: infinight
Date: May 2, 2003 at 13:13:46 Pacific

Reply: I can't use my Norton CD because my CD ROM drives aren't working. And I'm not sure what you mean by temp internet and offline files, sorry...

Response Number 44

Name: capt
Date: May 2, 2003 at 13:33:47 Pacific

Reply: In INTERNET EXPLORER at the top of the screen you will see TOOLS > open it > INTERNET OPTIONS > open it > DELETE TEMPORARY INTERNET FILES. Please go to the TREND MICRO website and use their virus encyclopedia. The two problems that you have are listed there with the complete removal instructions. They are very long and detailed, and I am afraid I might make a mistake in relaying them to you. You need to delete the Parite.B files; the Beasty files are in the registry and in your task manager. Perhaps if we can stop it in the task manager you can get some other things to work. Use the CTRL+SHIFT+ESC keys, click the Processes tab, select the name "explri.exe" and press the End Task or End Process button. To make sure the process is terminated, close the task manager and open it again and check whether it is running; if not, close the task manager.

Response Number 45

Name: infinight
Date: May 2, 2003 at 13:58:17 Pacific

Reply: I'm really sorry, but could you link to the solution(s)? The ones I find on Trend just tell me to scan, which I've done and which has been useless except for telling me that I have the viruses. Sorry to bother you again, but I really just want my stuff working.. :(

Response Number 46

Name: Tom41
Date: May 2, 2003 at 14:04:00 Pacific

Reply: See these instructions (try to do everything in safe mode): http://securityresponse.symantec.com/avcenter/venc/data/w32.pinfi.html You will have to remove the W32.Pinfi (Parite) registry entry first before you can delete all those files.

Then check these two registry locations for any entries for any of the Backdoor.Beasty files:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Delete any entries that are found. Also repair the file association entries. Delete all the files listed as infected. Reboot and run another scan.

Response Number 47

Name: capt
Date: May 2, 2003 at 14:09:07 Pacific

Reply: If you need virus deletion procedures or other information, use the virus encyclopedias at Trend Micro or Symantec. Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=beasty&alt=beasty

Response Number 48

Name: infinight
Date: May 2, 2003 at 14:23:07 Pacific

Reply: I'm in way over my head here. I can't even find some of the added registry keys or the PINF value that W32.Pinfi added. Can I just reformat my C drive or something? Or reinstall Windows?

Response Number 50

Name: infinight
Date: May 2, 2003 at 14:50:51 Pacific

Reply: Yeah, I've been looking since Tom41's post. The Symantec page says:
a. Click Start, and then click Run. (The Run dialog box appears.)
b. Type regedit, and then click OK. (The Registry Editor opens.)
c. Navigate to the key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
d. In the right pane, delete the value: PINF
e. Exit the Registry Editor.
There does not seem to be a PINF value anywhere there. Also, in the Beasty instructions there are two keys I am supposed to delete - they don't seem to exist either. I'm really sorry to be a bother...

Response Number 51

Name: capt
Date: May 2, 2003 at 16:02:03 Pacific

Reply: There must be some of those listed in the registry. Can you still download programs from the internet? Since you could use the scan that Tom told you about, go to the srnmicro website and download SOLO and see if you can install it and use its scan to repair your files, if it is possible to do a download.

Response Number 52

Name: infinight
Date: May 2, 2003 at 16:52:29 Pacific

Reply: Ok, I used Solo to delete all the files it found with W32/Parite.B, but that didn't fix my problems.

Response Number 59

Name: capt
Date: May 2, 2003 at 17:29:45 Pacific

Reply: OK, we got SOLO to install, but no anti-trojan programs. Did you have 2002 or 2003? If it was 2002, go to the Symantec website and try the trial version of 2003; before you install it, uninstall 2002. I know Norton is not working properly, but to get 2003 to work all of 2002 must be removed. According to Symantec, 2003 is supposed to be good at detecting and cleaning trojans. I sure hope so!

Response Number 60

Name: infinight
Date: May 2, 2003 at 17:41:47 Pacific

Reply: 2003... do you want me to uninstall it and get the trial version? But I thought I got rid of the viruses themselves, and just had to fix the registry? I dunno.

Response Number 61

Name: infinight
Date: May 2, 2003 at 17:55:50 Pacific

Reply: Windows Media Player isn't working again! Oh my god, this is ridiculous!!! Why can't I fix it??!

Response Number 62

Name: capt
Date: May 2, 2003 at 18:01:44 Pacific

Reply: Since you cannot find the problems in your registry, I am trying to find a program that will detect and repair the trojan (trojans) that is in your system. We know you have Beasty, but you cannot find any files or registry keys for it. Dealing with the registry is not fun, and it is intimidating, and a mistake can cause all kinds of problems when you are deleting things. I am trying to get a program to assist you. I thought you might have a backdoor trojan that is allowing a hacker complete access to all your files and computer controls. Your CD drives are not working; usually they just jack you around by randomly opening the drive and messing with your settings, sounds, icons and mouse to have some fun. This is why I was suggesting disconnecting the machine from the internet. Since 2003 was disabled, and you cannot install it from the CD, a trial is the only option left. Since it was 2003 that you had and it failed, I am not sure it will resolve the problem, but it is about all we have to try. The only other programs I know that might work are ESET's NOD32 or Kaspersky. Let's try them first and then Norton. Uninstall Norton just to make sure there are no program conflicts. Antivirus programs sometimes do not get along at the same time.

Response Number 63

Name: infinight
Date: May 2, 2003 at 18:15:17 Pacific

Reply: Ok, I'll try those now. Maybe I should make another post, since people that may be able to help might not look at this one because it only says Assarm? Also, thank you SO much for not giving up on me yet. :)

Response Number 66

Name: capt
Date: May 2, 2003 at 19:13:10 Pacific

Reply: Italian? Yes, please repost; state clearly all the symptoms you have, what has been detected, any registry changes etc., and ask for special attention from the real experts Tank, Mesich, TheKid, Tom, EC in your heading!

Response Number 67

Name: Tom41
Date: May 2, 2003 at 21:02:39 Pacific

Reply: Open regedit and click 'Edit' then 'Find' and type in PINF and click 'Find Next' or hit F3. Let it search for the registry entry. When it finds an entry, remove the entry and hit F3 again. Keep doing this until you receive the 'Finished searching registry' message. Then delete the entire contents of C:\WINXP\Temp, and also this file: C:\Documents and Settings\infinight\Local Settings\Temp\yma1.tmp. Then do the same for the Beasty file names.

Response Number 68

Name: infinight
Date: May 2, 2003 at 21:17:58 Pacific

Reply: I think I'm going to reformat my C drive in the morning. The few important files I have that I am sure are not infected I just moved to my F drive. Just tell me, will this work? Will it reset the registry and everything? If not, I will just continue trying to navigate the registry with Tom41's suggestions.

Response Number 70

Name: o2dazone
Date: May 20, 2003 at 14:38:30 Pacific

Reply: Sounds like you have (had?) what I got. My drives stopped working about two months ago, and 2 days ago I tried running a program. In return it gave me an error saying the prog could have been infected with a virus. I installed nortons2k3 and found 1123 cases of infection by w32.Pinfi (aka w32.Pate, w32.PirateB). Here's step by step what I did:
1. I installed NAV2k3 and searched my entire machine, only to find 1123 infected files, and 1122 fixed files. The one last file that wasn't fixed was a .tmp (which NAV2k3 CANNOT download no matter how up-to-date your virus def. are).
2. I rebooted in safe mode and scanned again. Found a few more files infected, along with just about every EXE found on my machine. I found out that it generates random .tmp files that hold the code to the virus inside. These viruses have a random 3 character name, followed by a number. (I had mna1.tmp and ouj6.tmp.) I went into my Temp folder c:/docs and settings/*USERS*/local settings/temp and I deleted the entire folder, not just the files inside, but everything. I went into my other users' folders and deleted their temp too. It seems it really only stores itself inside the Temp folder.
3. I checked online and found that it adds a registry key called PINF inside HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer. I used regedit and deleted that as well.
4. I rebooted in safe mode once again, and scanned my machine for a final time. No infection, no unfixed files, gone.
I did notice side effects. My taskmgr.exe stopped working, so I had to go into c:/windows/lastgood and grab the good one there. I also had a problem with my Windows Messenger starting back up (even though I shut it off when I first installed XP) - so I went into the registry and turned that off too. I still haven't gotten my drives to work yet, but I'm glad everything else is ship shape.