Is WININIT.EXE a Virus??? It looks like one!

MWink

Diamond Member
Oct 9, 1999
3,642
1
76
Today when I rebooted my system as soon as Windows ME loaded it tried to dial my Internet connection. After doing some investigating I found a file called C:\WINDOWS\SYSTEM\WININIT.EXE loading at startup. It is described as "BYMER.SCANNER". I also noticed that the Distributed.net client was no longer loading at startup. And, it would not start even if I tried to start it manually. I tried disabling the WININIT.EXE and after restarting it tried to load again. I looked in sys configuration utility again and it was in there twice now. I checked the properties of the file itself and it had nothing under the description (name, version, etc). The other worrying thing is that there is another WININIT.EXE in C:\WINDOWS. It looks like part of Windows. I managed to get rid of the bad one by booting to a DOS disk and renaming the file. I scanned it with my virus scanner and found nothing. What do you think? Where could it have come from? I don't think I installed anything new recently. Thanks.
 
Oct 9, 1999
15,216
3
81
Delete or rename it. If it's something that can get you into Windows without it, delete/rename it.
If it gives you errors on boot, you know it's a system file.
Then run a virus scan with updated drives, or search Symantec for it.
 

MWink

The_good_guy: I removed it and got no errors.

oro: Very interesting. But, I still think it is a virus/trojan meant to look like WININIT.EXE. As I said, my system has 2 very different WININIT.EXEs. One looks like what you are talking about, the other looks like a virus/trojan. The bad one also has a WININIT.LOG file which looks like this:
Started at 0:19 6.10.2000
Stopped (scanned 0, found 0) at 0:19 6.10.2000
Started at 0:19 6.10.2000
Stopped (scanned 272, found 0) at 0:20 6.10.2000
Started at 0:21 6.10.2000
Stopped (scanned 4584, found 0) at 0:33 6.10.2000
Started at 0:34 6.10.2000
Stopped (scanned 890, found 0) at 0:44 6.10.2000
Started at 0:45 6.10.2000
Stopped (scanned 609, found 0) at 0:47 6.10.2000
Started at 0:48 6.10.2000
Stopped (scanned 3537, found 0) at 0:55 6.10.2000
Stopped (scanned 1168, found 0) at 0:58 6.10.2000
Started at 0:59 6.10.2000
Stopped (scanned 912, found 0) at 1:00 6.10.2000
Started at 1:01 6.10.2000
Stopped (scanned 2496, found 0) at 1:07 6.10.2000

It looks a lot like something like Distributed.net. I find it interesting that my Distributed.net client (and only it) stopped working when this showed up. I still think it is a trojan/virus.
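A triage sketch for the WININIT.LOG lines quoted in the post above, added here as an example and not part of the original thread: it pairs Started/Stopped records, totals the scanned/found counters, and flags a Stopped record that has no preceding Started. The function names and the day.month.year reading of the dates are assumptions.

```python
import re
from datetime import datetime

# Log lines copied from the post above.
LOG = """\
Started at 0:19 6.10.2000
Stopped (scanned 0, found 0) at 0:19 6.10.2000
Started at 0:19 6.10.2000
Stopped (scanned 272, found 0) at 0:20 6.10.2000
Started at 0:21 6.10.2000
Stopped (scanned 4584, found 0) at 0:33 6.10.2000
Started at 0:34 6.10.2000
Stopped (scanned 890, found 0) at 0:44 6.10.2000
Started at 0:45 6.10.2000
Stopped (scanned 609, found 0) at 0:47 6.10.2000
Started at 0:48 6.10.2000
Stopped (scanned 3537, found 0) at 0:55 6.10.2000
Stopped (scanned 1168, found 0) at 0:58 6.10.2000
Started at 0:59 6.10.2000
Stopped (scanned 912, found 0) at 1:00 6.10.2000
Started at 1:01 6.10.2000
Stopped (scanned 2496, found 0) at 1:07 6.10.2000
"""
LINE = re.compile(r"^(Started|Stopped)(?: \(scanned (\d+), found (\d+)\))?"
                  r" at (\d{1,2}:\d{2} \d{1,2}\.\d{1,2}\.\d{4})$")

def parse_sessions(text):
    """Pair Started/Stopped lines; a Stopped with no Started gets start=None."""
    sessions, start = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a log record
        # Assumption: dates are written day.month.year.
        when = datetime.strptime(m.group(4), "%H:%M %d.%m.%Y")
        if m.group(1) == "Started":
            start = when
        else:
            sessions.append({"start": start, "stop": when,
                             "scanned": int(m.group(2) or 0), "found": int(m.group(3) or 0)})
            start = None  # the next Stopped needs its own Started
    return sessions

def summarize(sessions):
    timed = [s for s in sessions if s["start"] is not None]
    return {"sessions": len(sessions),
            "unpaired_stops": len(sessions) - len(timed),
            "total_scanned": sum(s["scanned"] for s in sessions),
            "total_found": sum(s["found"] for s in sessions),
            "busy_minutes": sum(int((s["stop"] - s["start"]).total_seconds() // 60) for s in timed)}
```

Calling `summarize(parse_sessions(LOG))` gives the per-log totals to note down before the file is renamed or removed.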
 

XL

Senior member
Jul 23, 2000
839
0
0
It's possible. I did a search in my system and only found one Wininit.exe 46 Kb application
 

BFG10K

Lifer
Aug 14, 2000
22,709
3,004
126
I don't see what the issue is here. Just run the latest updated Norton antivirus on your computer (or some other up to date virus scanner) and remove it if it is a virus.
 

MWink

I ran 2 up to date virus scanners and neither found it. (I would not touch Norton with a 50 foot pole. It causes MAJOR problems with my system). The guys in Distributed Computing Forum got it right away. It IS a trojan. It had me cracking for someone else. I was able to remove it. Now everything is back to normal.
 

slpaulson

Diamond Member
Jun 5, 2000
4,414
14
81
Somebody wrote a virus that forces you to crack for them. I find that kind of pathetic hehe.
 

BFG10K

"I would not touch Norton with a 50 foot pole. It causes MAJOR problems with my system"

What sort of problems are you getting with it? I find it works great.
 

MWink

Anyone who has a UPS with a serial interface knows not to run Norton. I have tried version 2 through 5. I have seen the same problem with an APC UPS and a Viewsonic UPS. It makes the system lock up on shutdown/restart (in any version of Windows). I have not been able to find any solution that works.