Issue Dealing With A Detected Win32/Pinit

Discussion in 'ESET NOD32 Antivirus' started by peterdevlin, May 5, 2009.

Thread Status:
Not open for further replies.
  1. peterdevlin

    peterdevlin Registered Member

    Joined:
    May 5, 2009
    Posts:
    6
    I'm a new NOD32 Business user (60 seats) and I've just found an AV issue within a few hours of installing. The problem is summarised below:

    I have made multiple scan and remove attempts with NOD32 and even Malwarebytes' Anti-Malware. No luck removing (and the latter won't even detect it). It appears as though NOD32 cannot deal with this file.

    As this is a live production server I have limited options for taking the server down.

    Could this be a false positive? Any recommendations as to next steps?
     
  2. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Highly unlikely. I'm afraid you won't avoid booting to safe mode and replacing the file with a clean copy. You can also try using the system tool sfc.exe to check system files for consistency.
     
  4. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    I would still do my due diligence before deleting or making any changes.
     
  5. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    If it is launching with the winlogon process, then the trojan should only be active when a user is logged in, unless it also hooked into processes running with system credentials. Try logging out and replacing the user32.dll file with a non-trojaned one from another machine using the administrative share \\custard\c$\, as that may get the malicious code out of memory and clear out the file locks. If it is hooked into other processes, you could try using Process Explorer to view the active threads in those processes and killing off the ones that shouldn't be hooked there, but this can be risky and cause processes to crash.
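Before replacing user32.dll as suggested in the posts above, the due diligence Toby75 mentions would be to confirm that the on-disk file actually differs from a trusted copy and that its Authenticode signature no longer verifies. The PowerShell below is an added example, not code from the thread or from ESET; it assumes the clean copy is reachable over the administrative share named in the post (the hostname `custard` and both paths are placeholders) and that both machines run the same Windows build, which the version check guards against.

```powershell
# Added example: compare a suspect system DLL against a known-clean copy.
# Assumptions: both machines run the same Windows version/service pack
# (different builds legitimately have different user32.dll hashes), and the
# account running this can read the administrative share on the reference host.

function Test-SystemFileIntegrity {
    param(
        [string]$SuspectPath   = "$env:SystemRoot\System32\user32.dll",
        # Clean copy on another machine; 'custard' is the hostname from the thread.
        [string]$ReferencePath = "\\custard\c$\Windows\System32\user32.dll"
    )

    $result = [ordered]@{ Path = $SuspectPath }

    # 1. Authenticode: a genuine Microsoft system binary verifies (usually via
    #    a catalog); a patched file should no longer report 'Valid'.
    $sig = Get-AuthenticodeSignature -FilePath $SuspectPath
    $result.SignatureStatus = $sig.Status.ToString()
    $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # 2. Version info: if the two machines carry different file versions they
    #    are not comparable, so a differing hash would prove nothing.
    $suspectVer   = (Get-Item $SuspectPath).VersionInfo.FileVersion
    $referenceVer = (Get-Item $ReferencePath).VersionInfo.FileVersion
    $result.VersionsMatch = ($suspectVer -eq $referenceVer)

    # 3. Content comparison against the clean copy.
    $suspectHash   = (Get-FileHash -Algorithm SHA256 -Path $SuspectPath).Hash
    $referenceHash = (Get-FileHash -Algorithm SHA256 -Path $ReferencePath).Hash
    $result.HashesMatch = ($suspectHash -eq $referenceHash)

    # Verdict: only trust a "clean" result when the versions are comparable.
    $result.Verdict = if (-not $result.VersionsMatch) {
        'Inconclusive: reference machine runs a different build'
    } elseif ($result.HashesMatch -and $result.SignatureStatus -eq 'Valid') {
        'Clean on disk (in-memory hooks are not covered by this check)'
    } else {
        'Modified: hash or signature does not match the clean copy'
    }
    return [pscustomobject]$result
}

Test-SystemFileIntegrity | Format-List
```

A "clean on disk" verdict says nothing about code injected into running processes, which is why the log-out step above still matters.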
     