
the win32.pinfi is definitely a diehard

Discussion in 'Malware and Virus Removal Archive' started by lbfatcat, 2004/10/08.

Thread Status:
Not open for further replies.
  1. 2004/10/08
    lbfatcat

    lbfatcat Inactive Thread Starter

    Joined:
    2004/10/07
    Messages:
    18
    Likes Received:
    0
    My XP was dragged extremely slow by a virus named Win32.Pinfi, which could be detected by Norton 2003. But Norton failed to quarantine it or delete it.

    the file infected with the virus is:
    C:\Documents and Settings\lb\Local Settings\Temp\db1.tmp
    which is hard to delete in windows.

    What should I do to eliminate this dirt?

    Thanks.
     
  2. 2004/10/08
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello lbfatcat,

    Try RAV and Housecall on line scanning:
    http://www.windowsbbs.com/links.php

    You might also post a HijackThis log here, link from the same place as above:

    Download it to its own folder - unzip (double click on zipped folder) - click on the execute - click scan button - click save log and save to the folder you just created *DO NOT FIX ANYTHING* - copy resultant .txt file and paste into your next post.

    Regards - Charles
     


  4. 2004/10/08
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    That's a bad one. More info and a dedicated removal tool Here.

    You could get rid of the .tmp file by downloading and using MoveOnBoot but you'd still have problems from some of the other pieces.
     
    Newt,
    #3
  5. 2004/10/09
    lbfatcat

    lbfatcat Inactive Thread Starter

    Joined:
    2004/10/07
    Messages:
    18
    Likes Received:
    0
    This is the HijackThis log file

    Logfile of HijackThis v1.98.2
    Scan saved at 13:31:54, on 2004-10-9
    Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\SERV-U\SERVUD~1.EXE
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-cn\msnappau.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Serv-U\ServUAdmin.exe
    C:\Program Files\Serv-U\ServUTray.exe
    E:\sensitive soft\antivirus\hijackthis\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\zh-cn\msntb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\zh-cn\msntb.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe "
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\zh-cn\msnappau.exe "
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ServUTrayIcon] C:\Program Files\Serv-U\ServUTray.exe
    O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
    O4 - Startup: 腾讯通.lnk = C:\Program Files\Tencent\RTX\rtxc.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: 导出到 Microsoft Excel(&x) - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
    O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
    O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
    O9 - Extra button: 词霸 - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
    O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096249053914
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C02A8F0F-9D2A-4BCA-81F7-421DC2F721CA}: NameServer = 202.116.64.2,202.116.64.3
    O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
     
  6. 2004/10/09
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    lbfatcat - did you run RAV as charles suggested or the cleaning tool from my link? If so, what results?
     
    Newt,
    #5
  7. 2004/10/09
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    Depending on how long and how many files are infected my heart goes out to you. I dealt with this virus personally and I can't express the amount of grief it caused me.

    A HijackThis log is not going to pin this down and clean it. It is code added to legitimately named files. You need the tool and you need to follow these guidelines, meaning disabling system restore, bootup in safe mode, and run scan.
    http://securityresponse.symantec.com/avcenter/venc/data/w32.pinfi.html

    The self-standing tool works well. Your problem is going to be in the method used to clean this virus. The code is stripped from infected files on a repair or clean. It's a fifty-fifty shot whether the file will function correctly even after a clean. You need to read the virus log and make note of any file deleted or cleaned. It is most important that you use something that will list the name of these files. Be prepared to either uninstall/reinstall any program that the file, from the noted "list of files", came from or extract a clean undamaged/unmodified file to replace or overwrite the deleted or repaired/cleaned files, particularly if it is a critical operating system file. In other words, while your scanner may report the file is fixed, cleaned or repaired, it may be damaged or corrupted in the process and will not function as expected. I see you have Norton, so the log of listed files involved should not be a problem.

    Run your scans more than once. Use more than one scanner. Spread them out over a period of time. Make note of the registry Hkey that indicates this bugger is back.
    Adds the registry value:

    PINF
    to the registry key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer

    I checked this Hkey myself often. I considered it a "red flag" when the PINF value returned and a comfort when it was not there, a Pinfi tattletale so to speak. This virus did reappear or reinfect my system a few more times. Comp was networked and the bugger would sneak back in. I also got a few burned CDs that were infected.

    To complicate my life even more, having an HP OEM with restore files stored on the hard drive, it infected more files in that partition than I care to think about. Long story short, I survived. It was tedious but it's a thing of the past. Still gives me nightmares and just the word pinfi gives me the shivers, but I and my system survived.

    Good luck and best wishes...
     
    Last edited: 2004/10/09
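The "tattletale" check goddez1 describes, as an added PowerShell example that is not from the thread or from Symantec's tool: it looks for the PINF value under the HKCU Explorer key named above and reports whether it is present, so it can be run after each scan or on a schedule. The key path and value name come from the post; the function name and output format are this example's own.

```powershell
# Added example: poll the registry location W32.Pinfi is documented to write
# (value name "PINF" under HKCU\...\Explorer, per goddez1's post). Presence of
# the value is treated as a red flag that the infection has returned.
$PinfiKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'
$PinfiValue = 'PINF'

function Test-PinfiMarker {
    param(
        [string]$Path = $PinfiKey,
        [string]$Name = $PinfiValue
    )
    # Get-ItemProperty returns all values under the key; a missing key yields $null.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $present = ($null -ne $item) -and ($item.PSObject.Properties.Name -contains $Name)
    [pscustomobject]@{
        Key     = $Path
        Value   = $Name
        Present = $present
        Data    = if ($present) { $item.$Name } else { $null }
        Checked = Get-Date
    }
}

# Run the check and record the result in a log you can compare between scans
# (log path is an assumption of this example, not from the thread).
$result  = Test-PinfiMarker
$logLine = '{0:u}  Present={1}  Data={2}' -f $result.Checked, $result.Present, $result.Data
Add-Content -Path "$env:USERPROFILE\pinfi-check.log" -Value $logLine

if ($result.Present) {
    Write-Warning "Red flag: '$PinfiValue' value is back under $PinfiKey (data: $($result.Data)). Re-run the scanners."
} else {
    Write-Host "No '$PinfiValue' value under $PinfiKey."
}
```

Remember goddez1's caveat: an absent value is a comfort, not proof the file infector is gone; the scanner logs still decide which files were cleaned.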
  8. 2004/10/09
    lbfatcat

    lbfatcat Inactive Thread Starter

    Joined:
    2004/10/07
    Messages:
    18
    Likes Received:
    0
    the ClnPinfi.exe is used

    Hi, Newt, I used the tool you suggested and found no pinfi in my computer.

    here is the result:

    Initializing virus scanning engine... ok
    --------------------------------------------------
    Scanning memory process space...
    Scanning all drives on the local system...

    --------------------------------------------------

    A total of 105966 files were scanned.
    Instances of Win32/Pinfi virus variants were not found.

    It's so weird that it is just gone. Hope it will not come back.

    Thank you all, Charles, Newt, and Ann. :)
     
  9. 2004/10/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    On a side note, in the future, try booting to safe mode to delete files in the temp folder. Most easily done by clicking Start > Run and typing msconfig, then hitting Enter. On the BOOT.INI tab, check the box next to /SAFEBOOT and click OK. Click Yes to restart. This will restart your computer in safe mode. Empty all temp folders, including the ones in C:\Documents and Settings\username\Local Settings\Temp. Do this for all usernames. **Note that the Local Settings folder is a hidden folder. Also open C:\Windows\Prefetch, select all and delete. Then open My Computer, right click Local Disk C: and choose Properties, then Disk Cleanup. Check all boxes except Compress Old Files and click OK.
    Uncheck the /SAFEBOOT box in msconfig and click OK to reboot.
     
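Before doing noahdfear's safe-mode cleanup, it helps to know which temp files are actually held open, since a locked file is the usual reason a .tmp like the one in the first post cannot be deleted from a normal session. The following PowerShell is an added example, not from the thread: it inventories the temp and Prefetch folders named in the post (plus the Vista-and-later profile layout, which is an addition of this example) and reports the files that cannot currently be opened exclusively. Nothing is deleted.

```powershell
# Added example: inventory the temp locations noahdfear says to empty and flag
# files that are locked or inaccessible, so you know whether safe mode is needed.
function Test-FileLocked {
    param([string]$Path)
    try {
        # Exclusive open (FileShare None) fails if any process holds the file.
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $fs.Close()
        return $false
    } catch [System.IO.IOException] {
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $true   # not strictly a lock, but equally undeletable from here
    }
}

function Get-TempInventory {
    # XP-era paths from the thread plus the modern profile layout (assumed).
    $patterns = @(
        'C:\Documents and Settings\*\Local Settings\Temp',
        'C:\Users\*\AppData\Local\Temp',
        "$env:SystemRoot\Temp",
        "$env:SystemRoot\Prefetch"
    )
    # -Force is needed because Local Settings / AppData are hidden folders.
    foreach ($dir in (Get-Item -Path $patterns -Force -ErrorAction SilentlyContinue)) {
        $files  = @(Get-ChildItem -Path $dir.FullName -File -Recurse -Force -ErrorAction SilentlyContinue)
        $locked = @($files | Where-Object { Test-FileLocked $_.FullName })
        [pscustomobject]@{
            Folder      = $dir.FullName
            Files       = $files.Count
            Locked      = $locked.Count
            LockedFiles = $locked.FullName
        }
    }
}

$inventory = Get-TempInventory
$inventory | Format-Table Folder, Files, Locked -AutoSize
# List the individual locked files; these are the ones to handle from safe mode.
$inventory | Where-Object { $_.Locked -gt 0 } | ForEach-Object { $_.LockedFiles }
```

Run it from an elevated prompt so every user's profile is readable; files listed under LockedFiles are the candidates for the safe-mode pass.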