
W32.Pinfi Virus: Can't remove with Norton



#1 carsokk


Posted 03 April 2010 - 11:57 PM

Hi. I am a Norton Security Suite customer via Comcast.

Whenever I start my computer in Windows 7, I get the alert from Norton stating the following: Norton Security Suite – Action Required – Norton Security Suite has detected threats that need your attention. Threat Details – Risk High, Title: W32.Pinfi Remove Failed Access Denied – Status: Remove Failed, Action: Rescan*. I then hit OK, to rescan. After rescan, the Status again states Remove Failed. So, I use the arrow key next to rescan to change the option to Get Help and select OK.

At this point, two things happen: (1) I get taken to a Norton web page that gives me instructions on how to remove a virus, and (2) the Norton warning page changes to state “All detected security risks have been resolved. Risk: blank, Title: There are no items that require attention, Status: blank, Action: Blank.” (But, whenever I start Windows 7, I still get the warning message regarding the Win32.Pinfi virus.)

The website I get taken to is the following: http://securityresponse.symantec.com/secur...-011708-2030-99 .

The removal instructions from the above web page are:
1. Disable System Restore.
2. Update the virus definitions.
3. Restart the computer in Safe mode (Windows 95/98/Me/2000/XP) or VGA mode (Windows NT).
4. Run a full system scan and repair all the files detected as W32.Pinfi.
5. Reverse the value that the virus added to the registry.

I follow these instructions. However, when I run a full system scan in Safe mode, Norton does not detect W32.Pinfi. The instruction (#5) instructs me to do the following:

a. Click Start, and then click Run. (The Run dialog box appears.)
b. Type regedit, and then click OK. (The Registry Editor opens.)
c. Navigate to the key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

d. In the right pane, delete the value: PINF
e. Exit the Registry Editor.


However, there is no value PINF at this location. I searched all of Registry Editor for the value PINF and it does not exist.

When I go to Norton Security History after I open Windows normally and I get the error message, get sent to the webpage, get the “All detected security risks have been resolved” message, I get the following information: Norton Security Suite, Security History, Severity: High, Activity: W32.Pinfi detected by Auto-Protect, Status: Attention Required, Date & Time: 3/31/2010 9:08:40 AM. Alert Details – Risk Name W32.Pinfi, Risk Category: Virus, Severity: High (one red dot), Component: Auto-Protect, Risk Status: Removal Failed (access denied), Recommended Action: Remove This Security Risk Now.

I have run Windows Defender and Windows OneCare Safety Scan (http://onecare.live.com/site/en-us/center/howsafe.htm) and they do not detect the Win32.Pinfi virus.

What can I do to get rid of this virus? When I go to Norton Online Chat, they tell me all they can do is charge me $99 to have my PC cleaned by experts. However, I don’t think I should have to pay $99 to get your software to work. Y

If anyone can help, I greatly appreciate it. Let me know if you need any additional info.

Thanks


 


#2 boopme


Posted 04 April 2010 - 12:26 AM

Hello, let's do this.

Please download the Brontok Disinfection Tool and follow the instructions posted by Sophos.

When done, please download the Brontok Worm Removal Tool by sUBs and save it to your Desktop.
Disconnect the computer from the Internet and close all other programs.
Double-click CleanX-II.exe and follow the prompts.
The tool will begin scanning your machine. Because this worm names its files randomly, there are a series of cross-checks/verification processes to ensure that the tool does not remove legitimate files. Depending on the size of your drives, this scan may take several minutes. Please be patient during this period & allow it to complete its task.
Once the scan is complete it will provide a text log of the results. If the log shows any files remaining in the bottom portion under "POST RUN ANALYSIS" run the entire scan a second time.


When that is clear: Next run ATF:
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.45) and save it to your desktop.
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 carsokk


Posted 04 April 2010 - 03:21 PM

First of all, thank you very much for your detailed reply. First, the good news. I successfully followed all the steps you provided.

Below is the contents of that report from MBAM.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3954

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

4/4/2010 2:01:24 PM
mbam-log-2010-04-04 (14-01-24).txt

Scan type: Quick scan
Objects scanned: 106097
Time elapsed: 4 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Now, the bad news. I restarted my computer and I again got the message "I get the alert from Norton stating the following: Norton Security Suite – Action Required – Norton Security Suite has detected threats that need your attention. Threat Details – Risk High, Title: W32.Pinfi Remove Failed Access Denied – Status: Remove Failed, Action: Rescan*. I then hit OK, to rescan. After rescan, the Status again states Remove Failed. So, I use the arrow key next to rescan to change the option to Get Help and select OK."

However, I went back to the SOPHOS website and searched W32.Pinfi and eventually found a webpage titled "Removing PE executables" (http://www.sophos.com/support/disinfection/pedis.html). It provides instructions. Should I follow these? Or, is there something from the report I provided that indicates a different course of action?

Thanks again for any advice anyone can provide.

#4 boopme


Posted 04 April 2010 - 04:43 PM

Ok, those look good. Yes, run that and let us know.

#5 carsokk


Posted 07 April 2010 - 03:21 PM

Here's my update for anyone else having the same problem.

I ran the instructions I found that I referred to in my previous email. Sophos found viruses and advised me to delete them (so I deleted them). When I rebooted, the keyboard did not respond. So, I figured I deleted some vital Windows 7 files. So, I reinstalled Windows. After installation, the Norton message came up again. So, I removed Norton from my system, removed all the other virus software I downloaded, and reinstalled Norton.

Now, everything works fine and I no longer get the message from Norton. I think Norton was giving me an inaccurate message that I had a virus.

For all you other not-so-technical folks out there, my experience with Sophos is that it is probably great for advanced users, but for the not so knowledgeable (like myself), it can be a dangerous tool to use.

But, thanks to boopme for your help. This is a great site.

#6 emc2guru


Posted 26 November 2013 - 05:01 AM

Unfortunately, all you had to do was clear the entire history in Norton and restart. This type of event usually occurs when Norton detects a threat that requires a restart to clean the system but you manually delete part of the threat in Windows before Norton has processed it internally.





