BleepingComputer.com: A Sheep In Wollfs Clothing?

A Sheep In Wollfs Clothing?

#1   David H.

  • New Member
  • Group: Members
  • Posts: 4
  • Joined: 26-March 08
Posted 26 March 2008 - 05:38 AM

Hi! Nice to be here. I am a bit of a newbie, and this is my first post here, so please bear with me!

In a nutshell: I did a process scan and came up with a suspect process, wininit.exe, supposedly added to the system as a result of the WOLLF.16 virus. Then I checked Symantec, and they're talking about all these nasties! It will allow unauthorized access to the computer, it is a keylogger, and the like! Then I came across someone saying that it's a normal part of Windows Vista, so now I'm all confused.
So I started my Process Explorer (I do know enough to have one!) and checked out wininit.exe. I asked it to verify the process and this was the result:

Windows Start-Up Application
(Verified) Microsoft Windows
C:\Windows\system32\wininit.exe

Now don't tell me that muckrosoft named a Vista app after a known virus!! Even if they didn't, I've nearly had it with Microsoft anyhow. I should not have ventured back out of my little Ubuntu Linux world (I run a dual-boot system); it was peaceful there. Maybe a full Linux install is in order...

#2   DaChew

  • Visiting Alien
  • Group: BC Advisor
  • Posts: 10,317
  • Joined: 20-May 07
  • Gender: Male
  • Location: millenium falcon and rockytop

Posted 26 March 2008 - 05:46 AM

Quote:

    The file winnit.exe is associated with RBot infections and is found in this location: C:\Windows\System32\winnit.exe (for XP and Vista).

    Note the two names are very similar: wininit.exe and winnit.exe. This is no coincidence; malware writers often choose file names which are very similar to the names of legitimate files in the hope that they will be overlooked.

(from a malware expert)

Chewy

No. Try not. Do... or do not. There is no try.

#3   Juha

  • Senior Member
  • Group: Members
  • Posts: 512
  • Joined: 09-November 07
  • Gender: Male
  • Location: England

Posted 26 March 2008 - 06:04 AM

Just for more information:

  • 'wininit.exe' (C:\Windows\System32\wininit.exe) - "This is an undesirable program" (BleepingComputer startup database)
  • Microsoft TechNet
  • Another link: http://forums.majorgeeks.com/showthread.php?p=1128093

This post has been edited by Juha: 26 March 2008 - 06:08 AM


#4   DaChew

  • Visiting Alien
  • Group: BC Advisor
  • Posts: 10,317
  • Joined: 20-May 07
  • Gender: Male
  • Location: millenium falcon and rockytop

Posted 26 March 2008 - 08:40 AM

From your link:

    For Vista wininet.exe is valid if in the system32 folder.

Chewy

No. Try not. Do... or do not. There is no try.

#5   David H.

  • New Member
  • Group: Members
  • Posts: 4
  • Joined: 26-March 08

Posted 26 March 2008 - 09:46 AM

Now I am getting a clue. From just following up on the two replies so far, I have deduced that wininit.exe in sys32 is not malware on Vista. There was a false positive due to apparent misinformation: http://www.bleepingcomputer.com/startups/w....exe-14276.html. This links to a vendor trying to sell/expose their software and of course is suspect in my book. Whether or not it used to be malware (like winnit.exe is), well, I'll let others decide. I hope to hear more about this, as it is proving to be a fascinating topic for me!
I'm glad I found this site!

Your geek-in-training
David

#6   usasma

  • Still visually handicapped, new avatar (a camel) :0)
  • Group: Members
  • Posts: 16,690
  • Joined: 02-October 05
  • Gender: Male
  • Location: Southeastern CT, USA

Posted 27 March 2008 - 06:54 AM

In general, the wininit.exe file (exact spelling is important) that's located in the C:\Windows\System32 folder is legitimate. To verify this you can either run SFC.EXE /SCANNOW, or you can submit a copy to http://virusscan.jotti.org for analysis.

Malware writers have several options to fool you, though:
1) they can slightly misspell the name (such as winnit.exe);
2) they can put it elsewhere (such as in the C:\Windows directory);
3) they can replace your legitimate copy of wininit.exe with their bad copy (not very easy to do, but it is possible);
4) they can "hook" into the legitimate wininit.exe process and cause it to launch other malware (such as replacing explorer.exe with their own version);
5) and I'm sure there are other ways that I'm not familiar with.
- John
**If you need a more detailed explanation, please ask for it. I have the Knack. **
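The "Verify" that the original poster ran in Process Explorer (post #1), the lookalike-name warning in post #2, and checks 1 to 3 of the list in post #6 can be folded into one local triage pass. The PowerShell below is an added example written for this page; it is not code from the thread, from BleepingComputer, or from Sysinternals. The list of core binaries that must live in System32, the "within one edit of a core name" threshold, and the Microsoft-signer test are assumptions of the example, not facts established by the thread.

```powershell
#Requires -Version 5.1
Set-StrictMode -Version Latest

# Added example (not from the thread): triage running processes for the three
# tricks discussed above: lookalike names, wrong location, and bad signatures.
# Assumption: these core binaries always run from %SystemRoot%\System32.
$System32     = Join-Path $env:SystemRoot 'System32'
$CoreBinaries = @('wininit.exe', 'winlogon.exe', 'csrss.exe', 'smss.exe',
                  'services.exe', 'lsass.exe', 'svchost.exe')

function Get-EditDistance {
    # Levenshtein distance between two strings; used to flag near-miss names
    # such as winnit.exe, which is one deletion away from wininit.exe.
    param([string]$A, [string]$B)
    $prev = [int[]](0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $curr = New-Object int[] ($B.Length + 1)
        $curr[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $curr[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $curr[$j - 1] + 1),
                                    $prev[$j - 1] + $cost)
        }
        $prev = $curr
    }
    return $prev[$B.Length]
}

function Test-ProcessImage {
    # Returns the findings for one process image; no output means nothing stood out.
    param([string]$Name, [string]$Path)
    $findings = @()
    $name   = $Name.ToLowerInvariant()
    $isCore = $CoreBinaries -contains $name

    # 1) Lookalike name: not a core binary itself, but within one edit of one.
    if (-not $isCore) {
        foreach ($legit in $CoreBinaries) {
            if ((Get-EditDistance $name $legit) -le 1) {
                $findings += "name is one edit away from $legit"
            }
        }
    }

    # 2) Wrong location: a core name running from anywhere but System32.
    #    The path is unavailable for protected processes unless you run elevated.
    if ($isCore) {
        if (-not $Path) {
            $findings += 'image path unavailable (run elevated to inspect this process)'
        } elseif ((Split-Path $Path -Parent) -ne $System32) {
            $findings += "core binary running from $Path instead of $System32"
        }
    }

    # 3) Signature: what Process Explorer's "Verify" does. Get-AuthenticodeSignature
    #    also honours catalog signatures, which is how most in-box binaries are signed.
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if ($sig.Status -ne 'Valid') {
            $findings += "signature status is $($sig.Status)"
        } elseif ($isCore -and $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $findings += "signed by $($sig.SignerCertificate.Subject), not Microsoft"
        }
    }
    return $findings
}

function Invoke-ProcessTriage {
    # Walk every process and emit one row per image that produced a finding.
    foreach ($p in Get-Process) {
        $path = try { $p.Path } catch { $null }
        $f = @(Test-ProcessImage -Name "$($p.ProcessName).exe" -Path $path)
        if ($f.Count -gt 0) {
            [pscustomobject]@{
                Pid      = $p.Id
                Name     = $p.ProcessName
                Path     = $path
                Findings = ($f -join '; ')
            }
        }
    }
}

Invoke-ProcessTriage | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt, otherwise wininit.exe and the other protected processes report only that their path could not be read, which is exactly the situation the original poster was in before Process Explorer showed the verified path. The edit-distance check generalises the winnit/wininit pair from post #2 to any one-character variation of a core name; the signature check covers a replaced binary (item 3 above) because a swapped file will not carry a valid Microsoft signature. It says nothing about item 4, a hooked but genuine wininit.exe, which needs in-memory inspection rather than a look at the file on disk.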
