
A Sheep In Wollfs Clothing?


5 replies to this topic

#1 David H.

David H.

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:30 AM

Posted 26 March 2008 - 05:38 AM

HI!! Nice to be here. I am a bit of a newbie, and this is my first post here - so please bear with me!

In a nutshell: I did a process scan and came up with a suspect process: wininit.exe, supposedly added to the system as a result of the WOLLF.16 virus. Then I checked Symantec, and they're talking about all these nasties! - Will allow unauthorized access to computer, is a keylogger, and the like! Then I came across someone saying that it's a normal part of Windows Vista, now I'm all confused :huh:.
So I started my process explorer (I do know enough to have one!) and checked out wininit.exe. I asked it to verify the process and this was the result:

Windows Start-Up Application
(Verified) Microsoft Windows
C:\Windows\system32\wininit.exe

Now don't tell me that muckrosoft named a Vista app after a known virus!! Even if they didn't, I've nearly had it with Microsoft anyhow. I should not have ventured back out of my little Ubuntu Linux world (I run a dual boot system); it was peaceful there. Maybe a full Linux install is in order...



#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:30 AM

Posted 26 March 2008 - 05:46 AM

The file winnit.exe is associated with RBot infections and is found in this location C:\Windows\System32\winnit.exe (for XP and Vista).

Note the two names are very similar: wininit.exe and winnit.exe. This is no coincidence; malware writers often choose file names which are very similar to the names of legitimate files in the hope that they will be overlooked.


from a malware expert
Chewy

No. Try not. Do... or do not. There is no try.

#3 Juha

Juha

  • Members
  • 512 posts
  • OFFLINE
  • Gender:Male
  • Location:England
  • Local time:10:30 AM

Posted 26 March 2008 - 06:04 AM

Just for more information:

>>> 'wininit.exe' (C:\Windows\System32\wininit.exe)- This is an undesirable program
BleepingComputer

>>> Microsoft TechNet

Another link: http://forums.majorgeeks.com/showthread.php?p=1128093

Edited by Juha, 26 March 2008 - 06:08 AM.


#4 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:30 AM

Posted 26 March 2008 - 08:40 AM

from your link

For Vista wininet.exe is valid if in the system32 folder.
Chewy

No. Try not. Do... or do not. There is no try.

#5 David H.

David H.
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:30 AM

Posted 26 March 2008 - 09:46 AM

Now I am getting a clue. From just following up on the two replies so far I have deduced that wininit.exe in sys32 is not malware on Vista. There was a false positive due to apparent misinformation: http://www.bleepingcomputer.com/startups/w....exe-14276.html. This links to a vendor trying to sell/expose their software and of course is suspect in my book. Whether or not it used to be malware (like winnit.exe is), well, I'll let others decide. I hope to hear more about this as it is proving to be a fascinating topic for me!
I'm glad I found this site!

Your geek-in-training
David

#6 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad)


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:05:30 AM

Posted 27 March 2008 - 06:54 AM

In general, the wininit.exe file (exact spelling is important) that's located in the C:\Windows\System32 folder is legitimate. To verify this you can either run SFC.EXE /SCANNOW, or you can submit a copy to http://virusscan.jotti.org for analysis.

Malware writers have several options to fool you tho':
1) they can slightly misspell the name (such as winnit.exe)
2) they can put it elsewhere (such as in the C:\Windows directory)
3) they can replace your legitimate copy of wininit.exe with their bad copy (not very easy to do, but it is possible).
4) they can "hook" into the legitimate wininit.exe process and cause it to launch other malware (such as replacing explorer.exe with their own version).
5) and I'm sure there are other ways that I'm not familiar with.
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ )
**If you need a more detailed explanation, please ask for it. I have the Knack.**
If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye.
If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.
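The three tricks John lists above that a file listing can reveal (a near-miss name like winnit.exe, a legitimate name in the wrong folder, and an unsigned copy in the right folder) can be checked with a short script. The Python below is an added example, not code from this thread or from BleepingComputer; the KNOWN_GOOD table and the sample process list are constructed, and the `verified` flag stands in for the Process Explorer signature check described in the first post.

```python
import ntpath

# Known-good system binaries and the directory the real copy lives in. This table
# is constructed for the example; build a real one from a trusted baseline.
KNOWN_GOOD = {
    "wininit.exe": r"C:\Windows\System32",
    "explorer.exe": r"C:\Windows",
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; catches lookalikes such as winnit.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name: str, path: str, verified: bool) -> list:
    """Return findings for one process (empty list = nothing looked wrong). 'verified'
    stands in for Process Explorer's valid-Microsoft-signature check."""
    name = name.lower()
    directory = ntpath.dirname(path).lower()
    findings = []
    if name in KNOWN_GOOD:
        # Point 2 in the post: right name, wrong directory.
        if directory != KNOWN_GOOD[name].lower():
            findings.append(f"{name} running from unexpected location {path}")
        # Point 3: right name and place, but not the signed original.
        if not verified:
            findings.append(f"{name} at {path} has no valid Microsoft signature")
        return findings
    # Point 1: a name within two edits of a known-good name is a likely lookalike.
    for good in KNOWN_GOOD:
        dist = levenshtein(name, good)
        if 0 < dist <= 2:
            findings.append(f"{name} at {path} looks like {good} (edit distance {dist})")
    return findings

def scan(processes) -> list:
    """Run classify over (name, path, verified) tuples and collect every finding."""
    return [f for n, p, v in processes for f in classify(n, p, v)]

# Constructed sample: one clean entry, one lookalike, one misplaced unsigned copy.
SAMPLE_PROCESSES = [
    ("wininit.exe", r"C:\Windows\System32\wininit.exe", True),
    ("winnit.exe", r"C:\Windows\System32\winnit.exe", False),
    ("wininit.exe", r"C:\Windows\wininit.exe", False),
    ("explorer.exe", r"C:\Windows\explorer.exe", True),
]
```

Running `scan(SAMPLE_PROCESSES)` yields three findings: the lookalike, and two for the misplaced copy (wrong folder and no signature); the two genuine entries produce none.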



