I am having some severe trouble with the WORM_ASSARM.A trojan. My CD drives won't recognize CDs, I can't use Windows Media Player, and the trojan's process (SVCHOST.EXE) is eating up tons of my RAM. My virus protection has also been completely disabled and I have not been able to fix it. I am at a complete loss as to what to do. All the information I have found on the worm tells me to simply close the process from the task manager, but when I do that it just starts up again. Any help would be greatly appreciated - I haven't had a trojan in a long time, and am very rusty.
Thanks

The Trend Micro website has the best removal instructions to remove this worm. You need to start by using start>run>sysedit>system configuration editor and win.ini to delete the keys for this.

Hello Infinight,
If you are not familiar with all the procedures possible to manually erase a trojan horse virus and the worm related to these specific betrayals, I suggest you download the program which will do it automatically for you: Trojan Remover version 5.03,
this program is freeware for one month, but the version you download is complete. After this period, you will need to buy a licence to be able to update both the virus database as well as the program itself.
Best program made for eradication of Trojan viruses, easy to use and very efficient, no manual intervention needed...
Trojan Remover :
http://www.simplysup.com/tremover/details.html

Thank you all very much for responding, but I need more help. SVCHOST.exe does NOT show up in msconfig, sysedit closes itself after about 10 seconds (like my antivirus) and Trojan Remover finds nothing except a registry change that it says is nearly always the work of a trojan. I click yes for the program to change the registry back, but when I restart and run the program again the same message comes up. Meanwhile, my computer is getting worse and worse - sometimes when I turn it on it is so slow that it is unusable. This seems pretty serious, please help!!
Thanks

Try either TDS from http://diamondc.com.au/ - it is one of the best trojan programs, or the program I use, Agnitum's Tauscan. I wish you luck, as it sounds like a bad one.

I recently tried to use the Trend Micro cleaning tool, which, similar to Antivirus and the other trojan cleaning tool, closed itself about 10 seconds in.
I'm getting scared.

That trojan protection terminated itself too.
I don't have a firewall; I play a lot of online games and firewalls can be troublesome... :/ I have no idea what to do and I'm getting pretty desperate.

This is not supposed to be a destructive trojan. The Trend Micro instructions are:
Open the system configuration editor: START>RUN, type sysedit and press enter.
In the system config editor select win.ini and under the [windows] section locate the line that begins with run=. From that line, delete the malware path and filename C:\%Windir%\svchost.exe (where %Windir% is the windows directory, which is usually C:\windows or C:\winnt). Close the system config editor and click yes when prompted to save. Please double check these instructions at the Trend Micro website to make sure you have, and I have, them right.

I cannot access sysedit because it terminates itself after 10 seconds. Is there a way I can edit win.ini manually?

Disconnect your computer from the internet and try using the downloads of the trojan programs, and the manual removal instructions. If that does not work, try to install and run them while you are in safe mode while disconnected from the net.

Most XP machines do not use a win.ini file. If yours does, click Start > Run > type win.ini and click OK.
The win.ini will open in Notepad. Edit it, close and save the changes. It's likely that the virus has registered itself as a service instead.
Click Start > Run > type services.msc and click OK. Stop and disable the svchost.exe whose path is C:\Windows. Do not disable any of the svchost.exe's whose path is C:\Windows\System32.

After reading all the posts again, something tells me that you are not infected with WORM_ASSARM.A.
Assarm does not contain a destructive payload. It merely replies to e-mails if you use Outlook.
Let's have a look at what is loading. Go here and download, unzip and run StartupList.
It will create a log file, copy the log and paste it in a reply.

This sounds more like the Klez or Opraserv attack than Assarm. Are there any wink.exe files in the startup menu? Without a firewall it could be almost anything.

svchost.exe does not show up under services.msc.
I am certain that it is not Klez, because when I ran the Trend Micro trojan removal tool it showed my computer was Klez-free in the short time before the program terminated itself.
My win.ini (if you want to see it):
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo2
asx=MPEGVideo2
au=MPEGVideo
ivf=MPEGVideo2
m1v=MPEGVideo
m3u=MPEGVideo2
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo2
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo2
wm=MPEGVideo2
wma=MPEGVideo2
wmp=MPEGVideo2
wmv=MPEGVideo2
wmx=MPEGVideo2
wvx=MPEGVideo2
Thanks everyone for staying with me. Here is the log from Startup List:
C:\WINXP\System32\smss.exe
C:\WINXP\SYSTEM32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\SYSTEM32\logonui.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINXP\Explorer.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINXP\System32\CTHELPER.exe
C:\PROGRA~1\QUICKT~1\qttask.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\ccApp.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\wkcalrem.exe
C:\PROGRA~1\WinZip\WZQKPICK.exe
C:\PROGRA~1\INTERN~1\IEXPLORE.exe
C:\WINXP\svchost.exe
C:\DOCUME~2\INFINI~1\Desktop\STARTU~1.exe
---------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup]
Microsoft Works Calendar Reminders.lnk = ?
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
---------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINXP\system32\userinit.exe,
---------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon = RUNDLL32.exe NvQTwk,NvCplDaemon initialize
nwiz = nwiz.exe /install
WINDVDPatch = CTHELPER.exe
UpdReg = C:\WINXP\UpdReg.exe
Jet Detection = "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
WorksFUD = C:\Program Files\Microsoft Works\wkfud.exe
Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
QD FastAndSafe =
QuickTime Task = "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
NeroCheck = C:\WINXP\system32\NeroCheck.exe
NAV CfgWiz = C:\PROGRA~1\NORTON~2\Cfgwiz.exe /R
ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
ccRegVfy = C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
Advanced Tools Check = C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.exe
---------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
washindex = C:\Program Files\Washer\washidx.exe "infinight"
---------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
---------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = shell32.pif "%1" %*
---------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = shell32.pif "%1" %*
---------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = shell32.pif "%1" %*
---------------------
Shell & screensaver key from C:\WINXP\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINXP\System32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
---------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Yahoo! Companion BHO - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll - {13F537F0-AF09-11d6-9029-0002B31F9E59}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
---------------------
Enumerating Task Scheduler jobs:
Norton SystemWorks One Button Checkup.job
Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job
---------------------
Enumerating Download Program Files:
[{2B323CD9-50E3-11D3-9466-00A0C9700498}]
CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
[Alice Control]
InProcServer32 = C:\WINXP\DOWNLO~1\alice.ocx
CODEBASE = http://www.skotos.net/MarrachGame/Alice44.cab
[GSDACtl Class]
InProcServer32 = C:\WINXP\Downloaded Program Files\gsda.dll
CODEBASE = http://launch.gamespyarcade.com/software/launch/alaunch.cab
[HouseCall Control]
InProcServer32 = C:\WINXP\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2003042101/housecall.antivirus.com/housecall/xscan53.cab
[YahooYMailTo Class]
InProcServer32 = C:\WINXP\Downloaded Program Files\ymmapi.dll
CODEBASE = http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
[{CD17FAAA-17B4-4736-AAEF-436EDC304C8C}]
CODEBASE = http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINXP\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
---------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINXP\system32\SHELL32.dll
CDBurn: C:\WINXP\system32\SHELL32.dll
WebCheck: C:\WINXP\System32\webcheck.dll
SysTray: C:\WINXP\System32\stobject.dll
---------------------
End of report, 6,824 bytes
Report generated in 0.188 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

I was thinking of reinstalling Windows, but since my CD ROM drives don't seem to be working, that would be impossible unless I could boot from the CD. Presumably if the process isn't running my CD drives would work. However, I don't even think reinstalling Windows would help, and I REALLY don't want to reformat. I would really hate to have to do that.

Well, you are infected with Assarm:
C:\WINXP\svchost.exe
Boot into safe mode and delete C:\WINXP\svchost.exe
You also have some file associations that were damaged by Backdoor.Beasty.F
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.beasty.f.html
I don't see any of the files related to Beasty, they may have been removed by your antivirus. Follow Symantec's instructions above for repairing the file associations for .exe .com and .pif files. (this is why your programs won't run)
Run a full virus scan when done.
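The two checks Tom41 applied to the StartupList report above can be automated for any report in that format. This script is an added example, not code from the thread or from StartupList: it flags any svchost.exe running from somewhere other than System32, and any .EXE/.COM/.PIF open command that no longer reads plain "%1" %*. The sample report is a constructed excerpt modelled on the one posted; the system root C:\WINXP is taken from it.

```python
import ntpath
import re
from typing import Dict, List

SEPARATOR = "---------------------"
# Stock XP open command for exefile/comfile/piffile: the target itself plus its arguments.
DEFAULT_OPEN_COMMAND = re.compile(r'^"%1"\s*%\*$')
ASSOC_HEADER = re.compile(r"^File association entry for (\.[A-Za-z0-9]+):$")
# '(Default) = value'; search rather than match because extraction sometimes
# fuses it onto the end of the HKEY_CLASSES_ROOT key line.
DEFAULT_VALUE = re.compile(r"\(Default\)\s*=\s*(.*)$")

# Constructed excerpt modelled on the report posted in the thread (not the full log).
SAMPLE_REPORT = r"""
Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\svchost.exe
C:\PROGRA~1\INTERN~1\IEXPLORE.exe
---------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = shell32.pif "%1" %*
---------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
---------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command(Default) = shell32.pif "%1" %*
---------------------
"""


def split_sections(report: str) -> List[List[str]]:
    """Split a StartupList-style report into sections on its dashed separator,
    dropping blank lines."""
    sections: List[List[str]] = []
    current: List[str] = []
    for raw in report.splitlines():
        line = raw.strip()
        if line == SEPARATOR:
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def misplaced_svchost(report: str, system_root: str) -> List[str]:
    """Paths of svchost.exe processes running from anywhere other than System32
    under system_root. The genuine service host lives only there; the copy in
    the Windows directory itself is the foreign file Tom41 pointed at."""
    legit_dir = ntpath.join(system_root, "System32").lower()
    hits: List[str] = []
    for section in split_sections(report):
        if section[0].lower() != "running processes:":
            continue
        for path in section[1:]:
            directory, name = ntpath.split(path)
            if name.lower() == "svchost.exe" and directory.lower() != legit_dir:
                hits.append(path)
    return hits


def hijacked_associations(report: str) -> Dict[str, str]:
    """Map extension -> open command for each association whose command is not
    the stock "%1" %*. A prefix such as shell32.pif means every program launch is
    routed through that file first, which is why the poster's programs would not run."""
    bad: Dict[str, str] = {}
    for section in split_sections(report):
        header = ASSOC_HEADER.match(section[0])
        if not header:
            continue
        for line in section[1:]:
            value = DEFAULT_VALUE.search(line)
            if value and not DEFAULT_OPEN_COMMAND.match(value.group(1).strip()):
                bad[header.group(1).upper()] = value.group(1).strip()
    return bad


def triage(report: str, system_root: str) -> Dict[str, object]:
    """Run both checks and return the findings together."""
    return {
        "foreign_svchost": misplaced_svchost(report, system_root),
        "hijacked_associations": hijacked_associations(report),
    }


if __name__ == "__main__":
    findings = triage(SAMPLE_REPORT, r"C:\WINXP")
    for path in findings["foreign_svchost"]:
        print(f"svchost.exe outside System32: {path}")
    for ext, cmd in findings["hijacked_associations"].items():
        print(f"{ext} open command altered: {cmd}")
```

Feed it a real report by passing the file contents and the machine's own Windows directory instead of the constructed sample.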

THANK YOU SO MUCH FOR IDENTIFYING THE PROBLEM! However, I'm very sorry but I don't really understand which one of those steps I'm supposed to follow...am I supposed to run safe mode and do the registry key deletion thing, or the other steps?
Also, one problem...I am not sure my computer has a safe mode.

Yes, this could be a problem...I just checked and on my boot menu there is only
1. Normal
2. IDE CD ROM device
3. Hard Drive
4. Diskette Drive
No safe mode. I tried booting from Hard Drive, which I am in now, and it appears no different from normal.

Sorry, I did not know that you did not know how to get into safe mode. You click one of the F keys while you are starting the boot up sequence. Different computers use different keys; F8/F5/F2 are the common ones.

Hi All,
If you are unable to access the boot menu using the F8 key then try the following.
Start, Run and type msconfig.
Select the boot.ini tab at the top.
Place a check next to Safeboot.
Click on Apply.
When prompted restart the computer.
It will now start in Safe Mode.
Go to C:\WinXP and delete the file svchost.exe.
Do Not delete svchost.exe located in C:\WinXP\System32.
Remove the registry entries in the link provided by Tom41 in response #18.
Go back and remove the check next to Safeboot in msconfig.
Restart the computer.
Go to Houscall and run it.
HTH
Best Regards,
Mesich

Thank you very much. I am at school right now - when I get home I'll do that. (By the way, safe mode was F8... :/ I feel like an idiot...I'm used to it showing up at boot.) Should I re-enable system restore? I turned it off.

After everything is up and running properly re-enable system restore, but only then. I am sorry that I just assumed that you knew how to get into safe mode. It is a very handy feature as only the essential tasks are running. If you ever encounter a file that cannot be deleted because it is in use, it is the tool to use. Sometimes scan disk and defrag must be run from it, if you are constantly getting restarts. You had me worried when the instructions for Assarm were not working and things were crashing before your eyes, because it is not supposed to be a destructive worm. I want to thank Tom, and especially Mesich who responded to my call for help. These are some great people who are a lot better at explaining things; they also have great knowledge and abilities to draw on. You should check out Mesich's website, very nice, with great information! Please do yourself a favor and get a firewall; try a hardware one at least from DLink or Linksys for 40-50 dollars if gaming is the issue. Leaving yourself completely exposed to the bad guys is not good! Take care and all the best!

It didn't work. What a nightmare. I was able to change the values easily, but the two keys I was supposed to delete could not be found. One thing of interest is that I was not able to open regedit through the command prompt like it said; the command prompt wouldn't accept the commands given.
Please, help, I really need to get this fixed...:(

Oh, I forgot. Since the command prompt wouldn't accept the commands, I just opened regedit through Run in the start menu.

I think maybe the trojan removal deleted the keys it added, but the registry keys I've edited simply revert back when I reboot regularly. I couldn't find a save command; am I just not saving the changes?

Have you disabled "SYSTEM RESTORE"? You do it by: right clicking MY Computer>Properties>System Restore>Turn Off System Restore

Have you tried installing one of the trojan programs you downloaded, but could not run in the normal mode? Then try using it while still in safe mode? Do you have your Norton rescue disks, or have you tried using the CD while in safe mode?

Somehow I don't think that will work. It's a matter of the things I do in Safe Mode not registering in Normal mode. I tried doing these things twice - ASSARM's svchost.exe is still here and the registry remains unchanged.

You are right clicking the item listed in the registry, it is then highlighted, you then click delete, and the item does not disappear? Or does it come back later?

The instructions say to edit certain keys, and to delete two. The two keys I am supposed to delete are not on my machine, so I just skipped those steps. The keys I've edited don't stay edited when I reboot. They just revert to the values they were before I edited them.

So you cannot rename them? When you rename them they come back exactly as they were listed before?

Yes, that's about it. They stay renamed when I'm actually doing it, but once I reboot in Normal mode they revert.

I have no idea what to do if you cannot rename or delete them! There is something big time going on. Having your antivirus software disabled, this, and not being able to do anything is not Assarm. Do you use Kazaa? Have you tried to use your Norton Rescue disks? Hopefully you have backed up your important files, because things are not looking good.

Oh, no... :( I really need my computer working again...
I do use Kazaa, which is where, I assume, I got the virus(es) in the first place. I foolishly never made rescue disks because I haven't had any security problems for so long.
Does anyone know what to do? I'm pretty desperate...

Since you do not have a firewall, have you tried doing all these actions with your computer disconnected from the internet? Perhaps the system has been completely taken over by a hacker and now is a bot.

There must be an infected file hiding somewhere and when you reboot, it 'runs' when Windows starts.
Try doing the registry editing in normal mode without rebooting and then try to run your antivirus, or try an online scan here: www.ravantivirus.com/scan

Making the registry changes in Normal mode without rebooting did nothing except now Windows Media Player works. However, I started the online scan, and...
It found two files infected with W32.Parite.B. One it failed to cure, so I'm going to delete it. The scan's still going.

Ok: Scan results -
Found viruses
File: C:\Program Files\netquartz ez-platform 2\ez-pad\zip.exe
Virus: Win32/Parite.B Status: Cured
File: C:\Documents and Settings\infinight\Local Settings\Temp\yma1.tmp
Virus: Win32/Parite.B Status: Failed to cure
File: C:\WINXP\svchost.exe
Virus: Backdoor:Win32/Beasty Status: Failed to cure
File: C:\WINXP\system32\shell32.pif
Virus: Backdoor:Win32/Beasty Status: Failed to cure
File: C:\WINXP\system32\ñbßm\øb.Ýoç
Virus: Backdoor:Win32/Beasty Status: Failed to cure
File: C:\WINXP\system32\Com\mscom32.com
Virus: Backdoor:Win32/Beasty Status: Failed to cure
File: C:\WINXP\Temp\kla1.tmp
Virus: Win32/Parite.B Status: Failed to cure
File: C:\WINXP\Temp\fla2.tmp
Virus: Win32/Parite.B Status: Failed to cure
File: C:\WINXP\Temp\hla3.tmp
Virus: Win32/Parite.B Status: Failed to cure
File: C:\WINXP\Temp\gla1.tmp
Virus: Win32/Parite.B Status: Failed to cure
File: C:\WINXP\Temp\ola2.tmp
Virus: Win32/Parite.B Status: Failed to cure
File: C:\WINXP\Temp\tla3.tmp
Virus: Win32/Parite.B Status: Failed to cure
File: C:\WINXP\Temp\nra4.tmp
Virus: Win32/Parite.B Status: Failed to cure
File: C:\WINXP\Temp\rra5.tmp
Virus: Win32/Parite.B Status: Failed to cure
File: C:\WINXP\Temp\moa1.tmp
Virus: Win32/Parite.B Status: Failed to cure
File: C:\WINXP\Temp\gla2.tmp
Virus: Win32/Parite.B Status: Failed to cure
File: C:\WINXP\Temp\vjc43.tmp
Virus: Win32/Parite.B Status: Failed to cure
File: C:\WINXP\Temp\vla1.tmp
Virus: Win32/Parite.B Status: Failed to cure
File: C:\WINXP\Temp\uma1.tmp
Virus: Win32/Parite.B Status: Failed to cure
Do I go through and delete all of these? Some of them must be running, so I can't really do that, so I guess I can boot in safe mode and do it? I guess I don't even have Assarm. By the way, shell32.pif was the file name that was added to those registry keys.
I dunno what to do, so I'll just wait for instructions...

Delete your temp internet and off line files. Then try using your Norton CD as a recovery disk, by installing and getting the scan to work?

I can't use my Norton CD because my CD ROM drives aren't working. And I'm not sure what you mean by temp internet and offline files, sorry...

In INTERNET EXPLORER at the top of the screen you will see TOOLS > open it > INTERNET OPTIONS > open it > DELETE TEMPORARY INTERNET FILES. Please go to the TREND MICRO website and use their virus encyclopedia. The two problems that you have are listed there with the complete removal instructions. They are very long and detailed, and I am afraid I might make a mistake in relaying them to you. You need to delete the Parite.B files; the Beasty files are in the registry and in your task manager. Perhaps if we can stop it in the task manager you can get some other things to work. Use the CTRL+SHIFT+ESC keys, click the Processes tab, select the name "explri.exe" and press the End Task or End Process button. To make sure the process is terminated, close the task manager and open it again and check whether it is running; if not, close the task manager.

I'm really sorry, but could you link to the solution(s)? The ones I find on Trend just tell me to scan, which I've done and which has been useless except for telling me that I have the viruses.
Sorry to bother you again, but I really just want my stuff working..:(

See these instructions: (try to do everything in safe mode)
http://securityresponse.symantec.com/avcenter/venc/data/w32.pinfi.html
You will have to remove the W32.Pinfi (Parite) registry entry first before you can delete all those files. Then check these two registry locations for any entries for any of the Backdoor.Beasty files:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Delete any entries that are found. Also repair the file association entries.
Delete all the files listed as infected.
Reboot and run another scan.

If you need virus deletion procedures or other information use the virus encyclopedias at Trend Micro or Symantec. Trend Micro>
http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=beasty&alt=beasty

I'm in way over my head here. I can't even find some of the added registry keys or the PINF value that W32.Pinfi added. Can I just reformat my C drive or something? Or re install Windows?

Yeah, I've been looking since Tom41's post.
The Symantec page says:
a. Click Start, and then click Run. (The Run dialog box appears.)
b. Type regedit, and then click OK. (The Registry Editor opens.)
c. Navigate to the key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
d. In the right pane, delete the value: PINF
e. Exit the Registry Editor.
There does not seem to be a PINF value anywhere there. Also, in the Beasty instructions there are two keys I am supposed to delete - they don't seem to exist either.
I'm really sorry to be a bother...

There must be some of those listed in the registry. Can you still download programs from the internet? Since you could use the scan that Tom told you about, go to the srnmicro website and download SOLO and see if you can install it and use its scan to repair your files, if it is possible to do a download.

Ok, I used Solo to delete all the files it found deleted with W32/Parite.B, but that didn't fix my problems.

Do you still have TDS from diamondc from the time you downloaded it before, if you do try it.

OK, we got SOLO to install, but no antitrojan programs. Did you have 2002 or 2003? If it was 2002, go to the Symantec website and try the trial version of 2003; before you install it, uninstall 2002. I know Norton is not working properly, but to get 2003 to work all of 2002 must be removed. According to Symantec, 2003 is supposed to be good at detecting and cleaning trojans. I sure hope so!

2003...do you want me to uninstall it and get the trial version? But I thought I got rid of the viruses themselves, and just had to fix the registry? I dunno.

Windows Media Player isn't working again! Oh my god, this is ridiculous!!! Why can't I fix it??!

Since you cannot find the problems in your registry, I am trying to find a program that will detect and repair the trojan (trojans) that is in your system. We know you have Beasty, but you cannot find any files or registry keys for it. Dealing with the registry is not fun, and it is intimidating, and a mistake can cause all kinds of problems when you are deleting things. I am trying to get a program to assist you. I thought you might have a backdoor trojan that is allowing a hacker complete access to all your files and computer controls. Your CD drives are not working; usually they just jack you around by randomly opening the drive, messing with your settings, sounds, icons and mouse to have some fun. This is why I was suggesting disconnecting the machine from the internet. Since 2003 was disabled, and you cannot install it from the CD, a trial is the only option left. Since it was 2003 that failed you, I am not sure it will resolve the problem, but it's about all we have to try. The only other programs I know that might work are ESET's NOD32 or Kaspersky. Let's try them first and then Norton. Uninstall Norton just to make sure there are no program conflicts. Antivirus programs sometimes do not get along at the same time.

Ok, I'll try those now. Maybe I should make another post, since people that may be able to help might not look at this one because it only says Assarm?
Also, thank you SO much for not giving up on me yet. :)

Italian? Yes, please repost; state clearly all the symptoms you have, what has been detected, any registry changes etc. and ask for special attention from the real experts Tank, Mesich, TheKid, Tom, EC in your heading!

Open regedit and click 'Edit' then 'Find' and type in PINF and click 'Find Next' or hit F3. Let it search for the registry entry. When it finds an entry, remove the entry and hit F3 again. Keep doing this until you receive the 'Finished searching registry' message.
Then delete the entire contents of C:\WINXP\Temp, and also this file: C:\Documents and Settings\infinight\Local Settings\Temp\yma1.tmp. Then do the same for the Beasty file names.

I think i'm going to reformat my C drive in the morning. The few important files I have that I am sure are not infected I just moved to my F drive. Just, tell me, will this work? Will it reset the registry and everything?
If not, I will just continue trying to navigate the registry with Tom41's suggestions.

Sounds like you have (had?) what I got. My drives stopped working about two months ago, and 2 days ago I tried running a program. In return it gave me an error saying the prog could have been infected with a virus. I installed Norton 2k3 and found 1123 cases of infection by w32.Pinfi (aka w32.Pate, w32.PirateB) - here's step by step what I did:
1. I installed NAV2k3 and searched my entire machine, only to find 1123 infected files, and 1122 fixed files. The one last file that wasn't fixed was a .tmp (which NAV2k3 CANNOT fix no matter how up-to-date your virus defs are).
2. I rebooted in safe mode and scanned again. Found a few more files infected, along with just about every EXE found on my machine. I found out that it generates random .tmp files that hold the code to the virus inside. These viruses have a random 3 character name, followed by a number. (I had mna1.tmp and ouj6.tmp.) I went into my Temp folder c:/docs and settings/*USERS*/local settings/temp and I deleted the entire folder, not just the files inside, but everything. I went into my other users' folders and deleted their temp too. It seems it really only stores itself inside the Temp folder.
3. I checked online and found that it adds a registry key called PINF inside HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer. I used regedit and deleted that as well.
4. I rebooted in safe mode once again, and scanned my machine for a final time. No infection, no unfixed files, gone.
I did notice side effects. My taskmgr.exe stopped working, so I had to go into c:/windows/lastgood and grab the good one there. I also had a problem with my Windows Messenger starting back up (even though I shut it off when I first installed XP) - so I went into the registry and turned that off too.
I still haven't gotten my drives to work yet, but I'm glad everything else is ship shape.
