
Urgent-virus question

Discussion in 'Security and Privacy' started by Milt, 2002/03/31.

Thread Status:
Not open for further replies.
  1. 2002/03/31
    Milt

    Milt Inactive Thread Starter

    Joined:
    2002/03/10
    Messages:
    62
    Likes Received:
    0
    Hi,
    I recently upgraded my Norton from 2000 to 2002. I don't normally enable auto-protect, but when you first install, it is enabled. Evidently, during a routine background check of the system, Norton finds a virus in a Windows file: Winini.exe. It is the only file affected, and it says it cannot fix it with current definitions. I update the definitions, and still no luck. A scan of the whole system shows no other infection. I quarantined the file and sent it to Symantec (the pop-up says Norton already knows this virus and does not need it sent; I did anyway). Sooo, it is known, but apparently unfixable. My questions:
    1. What does this file do: Winini.exe? Is it somehow important to the Win.ini itself?
    2. Is it possible it is just somehow corrupted and does not have a virus, which is why Norton cannot fix it? It states the file either has a virus or some other malicious code.
    3. I checked another system I have with Win98SE; it has the same file, the same size. Could I not just delete the original and copy the one over from the other system, or is the file somehow related to the specific specs of my system, win.ini or something?
    Thank you - Milt
  2. 2002/03/31
    Zephyr

    Zephyr Inactive

    Joined:
    2002/01/21
    Messages:
    1,519
    Likes Received:
    0
    Milt

    I would advise against deleting it for the time being. Why not store it somewhere and try the replacement before deleting it?

    This all begs the question: what was the name of the virus? Since Norton is aware of it, they must have a name for it.
     
    Last edited: 2002/03/31


  4. 2002/03/31
    Daizy

    Daizy Inactive

    Joined:
    2002/02/19
    Messages:
    2,965
    Likes Received:
    0
  5. 2002/03/31
    Stoofer

    Stoofer Inactive

    Joined:
    2002/01/08
    Messages:
    31
    Likes Received:
    0
    Milt, after doing a search at Microsoft, I found nothing on winini.exe. However, a Google search provided this tidbit of info on remote access/keylogger trojans.

    Name: Hack Office
    Files: Keyboard.dll, Icqxdef.dll, Uninquecex.dll, Tyrant.exe, Kensho.exe, Shenglong.exe, Sysedits.exe, Regedits.exe, Winini.exe
    Created: 1999
    Actions: Remote Access / Keylogger
    Hack Office can be used to install other trojans or viruses.
     
    Last edited: 2002/03/31
  6. 2002/03/31
    Milt

    Milt Inactive Thread Starter

    Joined:
    2002/03/10
    Messages:
    62
    Likes Received:
    0
    Hey guys,
    The name of the affected file is Wininit.exe, not winini.exe.
    The name of the associated virus was (can't remember all) xxx32.bymer. Does this change anything for anyone? I run Win98SE, and it is on both other systems I have with the same OS. It is apparently a Windows file.

    Milt
     
  7. 2002/03/31
    Daizy

    Daizy Inactive

    Joined:
    2002/02/19
    Messages:
    2,965
    Likes Received:
    0
    Hi again Milt
    That makes a world of difference. :D
    You might want to do some reading here and here.

    Daizy
     
  8. 2002/03/31
    Stoofer

    Stoofer Inactive

    Joined:
    2002/01/08
    Messages:
    31
    Likes Received:
    0
  9. 2002/03/31
    Milt

    Milt Inactive Thread Starter

    Joined:
    2002/03/10
    Messages:
    62
    Likes Received:
    0
    Hi,
    I have been checking the links suggested here today for the Bymer virus, and the Microsoft site for the Wininit.exe file. It seems to be a fairly well documented worm, with ways to remove it.
    Microsoft states that the wininit.exe is an ini file that lists all the changes made to Windows when you restart after installing programs. I have been rebuilding my computer, and I work off disc images where I, in effect, save my work with an image at a certain level. It also gives a place to go back to if I want. I have put a lot of work into about 4 sets of images, and have formatted and gone back to the first of these to check, and found the virus resident.

    My question is: does this mean that perhaps the changes I have made through successive program uninstalls and installs may not have the proper win.ini settings because of the virus? If so, then even if I rid the system of it, there may be lingering problems if it affected the way programs were installed. Anyone have information on this? See the link to Microsoft above. BTW, a thorough scan of the whole system shows no other infection other than this one file.

    Milt
     
  10. 2002/04/01
    Milt

    Milt Inactive Thread Starter

    Joined:
    2002/03/10
    Messages:
    62
    Likes Received:
    0
    Update - Urgent Virus question

    Here's the deal:
    I have followed all the removal instructions from Norton for the Bymer virus I have. I have found no other entries or affected areas after checking:
    1. Thorough scan of all files
    2. Win.ini entries recommended by Norton to remove
    3. Registry entries recommended by Norton to remove in RunServices

    The only affected file seems to be the Wininit.exe, which is in the Windows System folder. There is a Wininit.exe in the Windows folder, which Microsoft and Norton indicate is the file that launches the changes made to win.ini after program installs.
    My questions are:
    1. (Asked previously) Am I to assume this virus may have caused problems in the proper Win.ini entries of programs that have been installed since it became resident? Again, I have installed quite a few before detecting the virus. There have been some error messages and erratic behavior after installing. I had some issues regarding the behavior of Windows Explorer after installing I.E.6 (reported in a BB on the internet).
    2. If #1 is correct, will the problems be healed with virus removal, or do I need to reinstall programs?
    3. How does this virus enter a system? I have not opened any attachments during the time it entered.
    4. I cannot seem to find what the exact effect the virus is supposed to have on a system. Not sure about the effect on Win.ini entries after program install, since it is a different file from the one in Windows.

    Would appreciate any insight on these questions;

    Milt
     
  11. 2002/04/02
    DoctorDoom

    DoctorDoom Inactive

    Joined:
    2001/12/29
    Messages:
    189
    Likes Received:
    0
    There should be no WININIT.EXE in C:\Windows\System. It's a DOS-type file located in C:\Windows.

    Suggested: rename it to WININIT.BAD or whatever (as long as it's no longer EXE), and see what happens.

    As for WIN.INI, it's a holdover from the Win3.1x days. Most (but not all) programs write to the registry, not to the WIN.INI and SYSTEM.INI files. If your programs are fairly recent, chances are they added nothing to the INI files.
     
  12. 2002/04/02
    Milt

    Milt Inactive Thread Starter

    Joined:
    2002/03/10
    Messages:
    62
    Likes Received:
    0
    Thanks Dr.
    You're right, there is no 'native' wininit.exe in windows\system; the wininit.exe in the main windows folder is the system file, but the BYMER file puts a wininit.exe file in windows\system, and that is how the virus is launched.
    Anyway, part of the instructions to repair includes removal of this file from the windows\system folder, not the one from the main windows folder; they are very specific about avoiding this confusion.
    That's good to know; most recent programs probably don't record much info to win.ini. What about these programs: upgrade to IE6.0, Roxio full vs 5.0, USB printer and scanner software?

    Milt
     
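As an added example (not part of the thread or Norton's instructions), here is a Python check for the two things the thread settles on: a wininit.exe sitting somewhere other than the Windows folder, and win.ini run=/load= lines pointing at it. It assumes the Windows folder is C:\WINDOWS and works on a constructed directory listing and win.ini rather than a live machine.

```python
from pathlib import PureWindowsPath

# Assumption: the Windows folder is C:\WINDOWS. The thread says the genuine
# WININIT.EXE lives there and the Bymer copy is dropped in C:\WINDOWS\SYSTEM.
WINDOWS_DIR = PureWindowsPath(r"C:\WINDOWS")

# Constructed sample data standing in for a directory listing and a win.ini.
SAMPLE_PATHS = [
    r"C:\WINDOWS\WININIT.EXE",          # the real Microsoft file
    r"C:\WINDOWS\SYSTEM\wininit.exe",   # the copy the thread attributes to Bymer
    r"C:\WINDOWS\SYSTEM\KERNEL32.DLL",
]
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\wininit.exe
[Desktop]
Wallpaper=(None)
"""


def find_misplaced_wininit(paths):
    """Return every wininit.exe whose parent folder is not the Windows folder.
    PureWindowsPath compares case-insensitively, like the Win9x filesystem."""
    return [str(p) for p in map(PureWindowsPath, paths)
            if p.name.lower() == "wininit.exe" and p.parent != WINDOWS_DIR]


def win_ini_autostart(ini_text):
    """Return the run= and load= values from the [windows] section, the two
    win.ini lines the removal steps in the thread told the poster to inspect."""
    section, found = None, {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("run", "load"):
                found[key.strip().lower()] = value.strip()
    return found


def suspicious_autostart(ini_text):
    """Autostart entries whose target is a wininit.exe outside the Windows folder."""
    return {k: v for k, v in win_ini_autostart(ini_text).items()
            if v and find_misplaced_wininit([v])}


if __name__ == "__main__":
    print("misplaced:", find_misplaced_wininit(SAMPLE_PATHS))
    print("win.ini autostart hits:", suspicious_autostart(SAMPLE_WIN_INI))
```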