# Win32/ Pinit virus



## [email protected] (Jan 9, 2006)

Brother rang to say he has a virus on his with the above title. Now he has ESET AV installed with the latest definitions and it sees the virus, but you can't quarantine/delete or do anything with it.

I've sent him a link to an online trojan scanner and Trend's online virus scanner to see what they bring up, fingers x'd.

Has anyone else had this and managed to get round it without having to reinstall?

thanks. Graham.


----------



## NickP (Nov 20, 2005)

Has he turned system restore off?


----------



## [email protected] (Jan 9, 2006)

doubtful, what would that achieve other than deleting all previous restore points?


----------



## Guest (Dec 7, 2008)

Depending on where the virus is installed, find the location of the virus using the ESET AV program (click virus details or whatever) and then manually go to the location and delete the virus. If access is denied, Unlocker will allow you to delete it during next bootup.


----------



## Guest (Dec 7, 2008)

[email protected] said:


> doubtful, what would that achieve other than deleting all previous restore points?


If the virus is in the System Restore folder, due to the complicated nature of how it works, the AV program cannot selectively delete the virus within the system recovery folder; disabling it and then rebooting purges the virus within the recovery folder. Though in most cases the virus will do no harm if it is in the System Restore folder anyway.


----------



## [email protected] (Jan 9, 2006)

G220 said:


> Depending on where the virus is installed, find the location of the virus using the ESET AV program (click virus details or whatever) and then manually go to the location and delete the virus. If access is denied, Unlocker will allow you to delete it during next bootup.


Hmmmm, that might be good if it's a running process that can't be deleted. Have emailed him to turn off System Restore too.

Just phoned him, he's going to turn off System Restore, reboot, download and run Unlocker and then rescan his system. No joy regarding Trend and the online trojan scanner.


----------



## [email protected] (Jan 9, 2006)

none of the above worked


----------



## Guest (Dec 7, 2008)

In what way did it not work? 

The common situation: virus.exe is a running process and virus.exe is stored in c:\virusfolder\. The AV can't delete "virusfolder" for whatever reason; using Unlocker, you kill virus.exe and then forcibly remove virusfolder... virus.exe no longer exists on the hard disk and fails to start up on next bootup (however, some registry or startup traces may remain).

If he deletes the virus file, then it is unlikely the virus will be able to recreate the file in the identical place. Contrary to popular belief, *most* viruses aren't actually that clever at resisting removal; it is spyware which is the difficult one to remove. He needs to do it all in one hit though: he must make sure he kills the process then deletes all the virus files in one hit, else it will try respawning.

He may be better just downloading and running an AV product which will deal with it if he cannot sort the virus out, but before that ask him what folder the virus is in, and exactly what the AV program is saying, then come and post it here.


----------



## [email protected] (Jan 9, 2006)

Right, well, I've been into his PC using remote assistance and the Win32 virus screen from ESET is there. It says AMON can clear this and points to an issue with googleupdater, so I've uninstalled that. Am currently running a Malwarebytes scan but have disconnected from remote, my own fault.

Waiting to get back in


----------



## [email protected] (Jan 9, 2006)

Apparently it's windows/system32/user32.ll


----------



## leviathan_uk (Dec 4, 2008)

Did not really read the whole thread, but it might be a good idea to start the PC in safe mode (by pressing F8 as soon as the computer is turned on, and if it does not come up, keep pressing it repeatedly) and then run a virus scan in safe mode. This could help solve the problem, as safe mode uses your PC with the bare minimum it needs to run, and with any luck the virus will not initiate on startup.

Hope this helps.


----------



## Guest (Dec 7, 2008)

I would be inclined to say possible false positive. It's probably harmless for the most part, so I would wait till tomorrow for the next AV update and see if it continues to persist. After then, you will need to restore user32.dll (I assume you made a typo without the d) by a recovery disk possibly.


----------



## [email protected] (Jan 9, 2006)

yep meant .dll


----------



## Guest (Dec 7, 2008)

Thanks for the screenshot - that is useful 

There happens to be a post today about this virus here which to me suggests it may be a false positive, either that or the virus is circulating fast. I would wait till the next AV update to see what happens, and then if it has not gone away by then, you may need to use the recovery console to replace user32.dll 

I wouldn't worry too much about it for the time being, to be honest.


----------

