
MSN Pif Virus



Nick
06-03-05, 09:43 PM
Right, there have been Pif viruses going round on MSN for the last month: someone sends you something (but they don't realise), and when you accept it, it changes a script in Windows.

Basically it's the W32.Bropia worm, I think.

However, I have acquired it without knowing. My anti-spyware popped up and asked me if I wanted to block the script change; before I could click no, the yes box had been clicked. And it's sent the link out to everyone on my MSN, something along the lines of

omg this is funny! omg this is funny! 4.home.att.net/cute.pif


I've posted only half the page link to stop people clicking on it.

I've checked MSConfig and I can't find anything, so I'm trying to work out how to get rid of it. I should be able to come up with a solution soon.

So if anyone gets sent this, ignore it and close the message box! And if you've got it, I'll try and sort out a fix.

Anyone with any suggestions would be a great help as I'm running out of things to try!

nick

dan_mk1
06-03-05, 10:40 PM
Tried hacking the registry?

Nick
06-03-05, 10:59 PM
No, I've just run through mountains of virus programs so far... but I think I'm gonna have to start looking for it manually!

This must be a pretty severe version, as I have acquired it unwillingly and didn't click on any links...

ESXrugbyplaya17
06-03-05, 11:03 PM
I use AVG and it killed it before it did any damage, don't know if that helps.

Nick
06-03-05, 11:11 PM
I use AVG and it hasn't picked anything up.

dan_mk1
06-03-05, 11:28 PM
Have you tried looking through the registry for the filename?

Stevo16V
06-03-05, 11:32 PM
Just received this but didn't accept! What does it actually do to your computer???

Jack
06-03-05, 11:42 PM
There's a few of them going round. Stinger (http://vil.nai.com/vil/stinger/) will catch it.

Nick
07-03-05, 12:12 AM
I'm running Stinger now...

So far I've run

McAfee
Spybot S&D
Trojan Hunter
Trojan Seeker
Microsoft Anti-Spyware
AVG
Ad-Aware SE

And I've found nothing.

However, I do happen to keep on finding random spawning shortcuts to an MS-DOS program called "Cute".

The file going around is a link to a file called "Cute.Pif".

Nick
07-03-05, 12:19 AM
Have you tried looking through the registry for the filename?

I've searched through using Regedit and it doesn't come up with anything matching Cute or Pif; everything looks legit there.

I've looked in the HKEY_CLASSES_ROOT section and under the PIF subfolder there isn't anything out of the ordinary either.

Aragorn
07-03-05, 09:39 AM
Search for a specific removal tool for the worm rather than a general virus scanner.

Generally a virus scanner will stop it getting infected in the first place, but once it's in there it can normally only detect the active part. Most will have some dormant part which runs when you first boot the PC and re-enables the virus, and the virus scanner won't always pick these up.

Will
07-03-05, 01:24 PM
Never accept PIF files ;)

or EXE, unless you know the user well enough :D

Nick
07-03-05, 05:53 PM
I didn't; a complete idiot of a friend of mine accepted it when he was using my machine last night...

I got my revenge, as it then sent itself out in an IM to his computer when he logged on to MSN later (when he went home). He then clicked on the link as well, so he's got it.

I can't find any specific removal tools, that's the problem. I think this is either a fresh variant or a completely new trojan/worm/virus.

I think it does the following:

It copies itself to C:\Windows\Kernel32.exe.

It adds the value

Windows C:\WINDOWS\KERNEL32.EXE

to the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

It then changes a line in the System.ini file from

shell=Explorer.exe

to

shell=explorer.exe C:\WINDOWS\KERNEL32.EXE

It also changes a line in the Win.ini file from

load=

to

load=C:\WINDOWS\KERNEL32.EXE

So I'm going to try and revert this now. Just don't click on this link.
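
A small audit script for the persistence points listed in the post above (the Run/RunServices values, the system.ini shell= line and the win.ini load= line), plus a helper that puts the two ini lines back to the clean values quoted there. This is an added example, not code from the thread: it works on text copied or exported from the machine rather than reading the live registry, and every sample value in it is constructed for the demo.

```python
import re

# Persistence locations named in the post (kept as plain strings; no live registry access).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
# The worm's copy sits directly in C:\WINDOWS; the genuine kernel32 is a DLL under System32.
WORM_PATH = re.compile(r"\\windows\\kernel32\.exe$", re.I)

def ini_value(text, section, key):
    """Return the value of key= inside [section] of an .ini text, or None if absent."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() == key.lower():
                return v.strip()
    return None

def audit(run_values, system_ini, win_ini):
    """run_values: (key, name, data) triples exported from the Run/RunServices keys."""
    findings = []
    for key, name, data in run_values:
        if WORM_PATH.search(data.strip('"')):
            findings.append(f"{key}\\{name} -> {data}")
    shell = ini_value(system_ini, "boot", "shell") or ""
    if shell.lower() != "explorer.exe":          # anything appended to the shell is a hook
        findings.append(f"system.ini shell={shell}")
    load = ini_value(win_ini, "windows", "load") or ""
    if load:                                     # load= is normally empty
        findings.append(f"win.ini load={load}")
    return findings

def revert_ini(system_ini, win_ini):
    """Put the two lines back to the clean values quoted in the post."""
    system_ini = re.sub(r"(?im)^shell=.*$", "shell=Explorer.exe", system_ini)
    win_ini = re.sub(r"(?im)^load=.*$", "load=", win_ini)
    return system_ini, win_ini

# Constructed sample inputs for the demo (not taken from an infected machine).
SAMPLE_RUN = [
    (RUN_KEYS[0], "Windows", r"C:\WINDOWS\KERNEL32.EXE"),
    (RUN_KEYS[0], "Example", r"C:\Program Files\Example\tray.exe"),
]
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe C:\\WINDOWS\\KERNEL32.EXE\n"
SAMPLE_WIN_INI = "[windows]\nload=C:\\WINDOWS\\KERNEL32.EXE\nrun=\n"
```

Running `audit(SAMPLE_RUN, SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI)` reports all three hooks; after `revert_ini` the two ini files audit clean.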

Alex
08-03-05, 02:07 PM
LMFAO. I would never click/accept a piff file!!!

Nick
08-03-05, 07:46 PM
Even funnier, what's a Piff file?

I didn't accept it, a friend using my comp did.

Anyways, all sorted. I found the reg keys and reverted them. They've introduced a beta update for McAfee, AVG and Symantec so you should be able to get rid of it all now.

Alex
09-03-05, 02:08 PM
It stands for Program Information File. Really not worth even using this file type.