A question about a virus

2007-05-28 4:07 am
What kind of virus is Win32/Parite.B? What damage does it cause?

Answers (2)

2007-05-28 10:20 pm
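✔ Best answer
Buddy, I got hit by this a few days ago too.
Did it create c:\winnt\temp (c:\windows\temp on XP)?
Kaspersky will report that it cannot be disinfected*
-------
1. Open Kaspersky
2. End the explorer.exe process
3. Open Task Manager → New Task → Browse
Use this dialog as a file browser → delete c:\windows\temp
4. Watch the Kaspersky button: after the scan finishes, "Pause" changes to "Process"
Even though it shows "cannot disinfect", just click Process and it's OK
When you have time, go to the 病毒吧 (virus forum)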

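W32.Pinfi = Virus.Win32.Parite Family
It infects the EXE and SCR files across the whole computer

Download the [Parite Removal Tool] and put it on the desktop

http://www.bitdefender.com/bd/downloads/removaltools/Antiparite-en.exe

Boot into Safe Mode (press F8 repeatedly at startup → Safe Mode)

Run Antiparite-en.exe
After the scan completes, click Select Path
Select C:, click OK, click scan
Scan the other drives in turn

2007-05-28 4:15 am
Information provided by Symantec.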
W32.Pinfi
Discovered on: October 11, 2001
Last Updated on: July 31, 2003 10:50:46 AM

W32.Pinfi is a memory-resident polymorphic virus that will infect the .EXE and .SCR files. This virus can also spread via mapped drives and network shares.

Also Known As: Win32.Parite.a [KAV], W32/Pate.a [McAfee], Win32.Pinfi.A [CA], PE_PARITE.A [Trend], W32/Parite-A [Sophos], Win32/Parite.A [RAV]

Type: Virus
Infection Length: ~177,917 bytes



Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux

Virus Definitions (Intelligent Updater) *: October 12, 2001
Virus Definitions (LiveUpdate™) **: October 17, 2001

* Intelligent Updater definitions are released daily, but require manual download and installation.
** LiveUpdate virus definitions are usually released every Wednesday.

Wild:
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: High
Threat containment: Moderate
Removal: Moderate

Threat Metrics
Wild: Low
Damage: Low
Distribution: Medium

Distribution
Shared drives: Copies across mapped drives and network shares.

Upon executing a file infected with W32.Pinfi, the virus will perform the following:

1. Adds the registry value:

PINF

to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer

2. Appends itself to Explorer.exe to remain memory-resident.
Appends itself to all the .EXE and .SCR files that it finds on all the local and mapped drives. The virus contains an algorithm to slow the infection, so the virus will only infect a few files at a time.

3. W32.Pinfi will create a tempfile in the temporary folder. It will get the temporary folder by using a Windows API. The tempfile that this virus creates will always have the following name:

[3 random letters][4 random hexadecimal digits].tmp


The file that the virus creates is a UPX-packed executable file. The virus will execute the temporary file, and it is this file that will attempt to infect files over network shares.

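A solution found online, for your reference.
Preventing WIN32.Parite.a and Win32.Parite.a.dll

1. Set all exe files under d:\system\windows (excluding flcess.exe and sysexplorer.exe) to read-only, and set the exe files under d:\bar to read-only;

2. Set the history directory under e:\profiles to read-only;

3. Disable the file system object FileSystemObject

Method: locate the scrrun.dll file directly and delete or rename it.

4. (Omitted.)
5. Install a firewall on the server (heh, don't assume it's impossible; pick a firewall designed for diskless workstations);

The following are extreme measures, as a follow-up to the disinfection steps; add them if you want to be safe:

6. The dedicated removal tool spant can be added to the startup group, so the workstation can kill the virus whenever it boots;

7. Set all files to read-only (excluding the EXE files of online games);

8. Remove the IE browser to ride out the WIN32 virus wave for the time being
Permission control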

A Sample CACLS script to lockdown the filesystem permissions on new servers:

cacls c:\ /g administrators:f system:f users:r
cacls c:\*.* /t /c /g administrators:f system:f users:r
cacls c:\temp /e /p users:c
xcacls c:\winnt /e /t /g users:ex;ewx "creator owner":c
xcacls c:\winnt\repair /e /r users "creator owner"
xcacls c:\winnt\system32 /e /g users:ex;ewx "creator owner":c
xcacls c:\winnt\system32\spool /e /g "creator owner":f
xcacls c:\winnt\cookies /e /g users:c
xcacls c:\winnt\forms /e /g users:c
xcacls c:\winnt\history /e /g users:c
xcacls c:\winnt\occache /e /g users:c
xcacls "c:\winnt\temporary internet files" /e /g users:c
xcacls "c:\program files\microsoft office\office" /e /g users:ewxd;ewx
xcacls "c:\program files\microsoft office\templates" /e /g users:ewxd;ewx
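
The tempfile naming and UPX packing described in the Symantec write-up quoted above can be turned into a quick triage check of a temp folder. The following Python is an added example, not part of the original answers or of any vendor tool; the function names are hypothetical, and it assumes either letter case in the file name and stock UPX section names (UPX0/UPX1).

```python
import os
import re
import struct

# Name pattern from the quoted description: 3 letters + 4 hex digits + ".tmp".
# Accepting both upper and lower case is an assumption; the text does not say.
DROPPER_NAME = re.compile(r"^[A-Za-z]{3}[0-9A-Fa-f]{4}\.tmp$")


def pe_section_names(path):
    """Return the section names of a PE file, or None if it is not a PE."""
    with open(path, "rb") as fh:
        data = fh.read(4096)                 # headers sit at the start of the file
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size           # section table follows optional header
    names = []
    for i in range(n_sections):
        entry = data[table + 40 * i: table + 40 * i + 8]
        if len(entry) < 8:
            break
        names.append(entry.rstrip(b"\0").decode("ascii", "replace"))
    return names


def find_suspect_tempfiles(temp_dir):
    """Return (name, reason) for .tmp files that are really executables."""
    hits = []
    for name in sorted(os.listdir(temp_dir)):
        path = os.path.join(temp_dir, name)
        if not (DROPPER_NAME.match(name) and os.path.isfile(path)):
            continue
        sections = pe_section_names(path)
        if sections is None:
            continue                         # ordinary temp data, not a PE
        packed = any(s.startswith("UPX") for s in sections)
        hits.append((name, "UPX-packed PE" if packed else "PE executable"))
    return hits


if __name__ == "__main__":
    temp = os.environ.get("TEMP", r"C:\Windows\Temp")
    for name, reason in find_suspect_tempfiles(temp):
        print(f"{name}: {reason}")
```

A name match alone is common among legitimate temp files, which is why the check also requires a PE header before reporting a file.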


Archived on: 2021-04-23 21:15:34
Original link [permanently dead]:
https://hk.answers.yahoo.com/question/index?qid=20070527000051KK04751
