I've been 'winjected'

AndrewPaulNet

Member
Jul 23, 2002
127
0
0
Hey all....

Discovered a particularly nasty little thing earlier on.
I went onto Kazaa to get myself a file. Upon downloading and executing the file, nothing happened? I figured, OK, dummy file, moving on. It was a very small .exe file.

Not really....the file spat another .exe file into my Windows directory, which I suspect then injected something into my wininit.exe file. Thank goodness I have firewalls up, 'cause now everyone and their mom is trying to get something from my PC. I'm not sure what they are looking up, but I'm getting hits from Australia, New York etc., incoming UDP and TCP connections. I'm blocking them of course, but it's beginning to annoy me because they all keep repeating every few minutes or so. The second I manage to block, say, a set of 5 different IP addresses, within the next hour 5 or even more try to hit.

I'm sure it's the wininit because an alien file which now starts up with my PC points to the wininit.exe file in my Windows directory.
I found this out by analysing my task menu....I generally only have 1 program running all the time. That's some keyboard software I use. This program now starts up whenever I reboot my PC, and when I click on 'Go to Process' it shows the wininit.exe file under the processes section. I close the file, but the inbound traffic still manages to flood in, slowly but surely.

I've so far blocked a total of over 123 IPs....PLEASE HELP....

I guess my question is how do I replace my wininit from a clean copy from my CD?

Win98 used to be able to extract files from the CD, but I don't see the option in XP Home...

I'm desperate....I can't use any file sharing programs until I clean the file.

Norton isn't picking it up as a virus, and none of my trojan scanners are picking it up either.



Help?

Thanks in Advance...

I'm using Windows XP Home - OEM

 

NyCxSpyder

Member
Jul 10, 2002
37
0
0
Another victim of KaZaA (don't take that in the wrong way)
KaZaA is filled with bogus files and virii. IF you want to use a good P2P program, WinMX is the way to go. Anyways, about your problem, I can't really help, but here are some things to go over. Trojan scanner and Norton: make sure you update them DAILY so they get the latest definitions and can actually find a virii when there is one, because virii come out every day, so etc... I would try going to Start - Run - msconfig and see if you can find that file in the Startup tab... hopefully if you can, unselect it so it doesn't start up, reboot and delete all the files. Just my 2 cents. BTW, NEVER, EVER download any *.exe from ANYWHERE unless you REALLY know what it is or who's giving it to you. Good Luck.
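
The msconfig walk described above is the manual form of a check that can be scripted. What follows is an added example, not code from this thread or from any of the posters: it parses the text XP's `reg query` prints for the HKLM Run key, pulls the executable out of each command line (quoted or not), and flags entries whose target is missing from disk, runs from the legacy %SystemRoot%\System directory, carries a temp-style name, or is named after a component XP does not ship (wininit.exe only appeared with Vista). The registry dump, value names, file paths and the "disk contents" set are all constructed for the example; on a real box you would feed it the output of `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"` and swap the set for os.path.exists. The same check applies to the HKCU Run key and the Startup folder, which msconfig's Startup tab also lists.

```python
r"""Triage of Windows XP autostart (Run-key) entries.

Added example, not code from the thread. It works on the text that
`reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` prints on XP
(value name, type and data separated by tabs). Everything in the sample
below is constructed: the value names, paths and the fake disk listing are
invented for this example, not taken from the poster's machine.
"""
import ntpath
import re

SAMPLE_REG_QUERY = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    SynTPEnh\tREG_SZ\tC:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe\n"
    "    KbdTool\tREG_SZ\t\"C:\\Program Files\\Keyboard Tools\\kbdtool.exe\" /tray\n"
    "    dosn3\tREG_SZ\tC:\\WINDOWS\\System\\wininit.exe\n"
    "    ccApp\tREG_SZ\t\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"\n"
    "    temp\tREG_SZ\tC:\\WINDOWS\\temp0007.exe -s\n"
)

# Constructed stand-in for os.path.exists() so the example runs offline.
SAMPLE_DISK = {
    r"c:\program files\synaptics\syntp\syntpenh.exe",
    r"c:\program files\keyboard tools\kbdtool.exe",
    r"c:\windows\system\wininit.exe",
    r"c:\program files\common files\symantec shared\ccapp.exe",
    # temp0007.exe is deliberately absent: a launcher whose target is gone.
}

# On XP, current system binaries live in %SystemRoot% and %SystemRoot%\System32;
# %SystemRoot%\System is the legacy 16-bit directory, an odd home for a new EXE.
LEGACY_SYSTEM_DIR = r"c:\windows\system"
# Windows component names that XP does NOT ship (wininit.exe arrived with Vista),
# so a file by that name on XP is not a system file whatever it claims to be.
NOT_SHIPPED_WITH_XP = {"wininit.exe"}
TEMP_STYLE_NAME = re.compile(r"^temp\d+\.exe$", re.I)


def parse_reg_query(text):
    """Return [(value_name, data), ...] for the REG_SZ / REG_EXPAND_SZ values."""
    pattern = re.compile(r"^\s+(\S.*?)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*)$")
    entries = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            entries.append((m.group(1), m.group(3).strip()))
    return entries


def split_command(cmd):
    """Split a Run-key command line into (exe_path, args).

    A quoted path is taken verbatim. For an unquoted path with spaces the
    shortest whitespace-delimited prefix ending in .exe is used, roughly
    mirroring how CreateProcess tries progressively longer prefixes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    tokens = cmd.split()
    for i in range(len(tokens)):
        candidate = " ".join(tokens[:i + 1])
        if candidate.lower().endswith(".exe"):
            return candidate, " ".join(tokens[i + 1:])
    return (tokens[0] if tokens else ""), " ".join(tokens[1:])


def triage(entries, disk):
    """Return {value_name: (exe_path, [reasons])}; an empty list means nothing odd."""
    report = {}
    for name, cmd in entries:
        exe, _args = split_command(cmd)
        exe_l = exe.lower()
        directory, base = ntpath.split(exe_l)
        reasons = []
        if exe_l not in disk:
            reasons.append("target missing on disk")
        if directory == LEGACY_SYSTEM_DIR:
            reasons.append("runs from legacy %SystemRoot%\\System")
        if base in NOT_SHIPPED_WITH_XP:
            reasons.append("named after a component XP does not ship")
        if TEMP_STYLE_NAME.match(base):
            reasons.append("temp-style file name")
        report[name] = (exe, reasons)
    return report


def suspicious(report):
    """Value names with at least one finding: the msconfig checklist to untick."""
    return sorted(name for name, (_exe, reasons) in report.items() if reasons)


if __name__ == "__main__":
    result = triage(parse_reg_query(SAMPLE_REG_QUERY), SAMPLE_DISK)
    for name, (exe, reasons) in result.items():
        print(f"{name:10} {exe:58} {'; '.join(reasons) or 'ok'}")
    print("untick in msconfig:", suspicious(result))
```

Untick the flagged entries, reboot, and only then delete the files, as the post above says; a file that is still mapped into a running process cannot be deleted on XP.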
 

AndrewPaulNet

Member
Jul 23, 2002
127
0
0
Trojan scanners don't detect it. My only hope I'm thinking is to delete the wininit file and restart my machine...maybe windows will fix it?
 

NyCxSpyder

Member
Jul 10, 2002
37
0
0
a) Adaware won't do anything because all it does is pick up spyware. That obviously is not spyware because it is multiplying itself. Spyware doesn't do that. It's most likely a virii/trojan. Not sure if it's harmful or not, but very annoying.

Andrew, did you try my advice about the msconfig and startup?
 

NyCxSpyder

Member
Jul 10, 2002
37
0
0
I'm not sure you can delete the file JUST LIKE THAT. That's why I suggested the msconfig so it doesn't load at startup and therefore you can delete it after reboot. You will also have to delete the other files it created.
 

MrMilney

Senior member
Aug 12, 2000
678
0
0
Have you tried rolling back to a system restore point from before you ran the suspect file?
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: NyCxSpyder
a) Adaware won't do anything because all it does is pick up spyware. That obviously is not spyware because it is multiplying itself. Spyware doesn't do that. It's most likely a virii/trojan. Not sure if it's harmful or not, but very annoying.

Andrew, did you try my advice about the msconfig and startup?

Guess you aren't familiar with trickler? Similar concept, but not quite exactly what you are describing.

Solution to the problem:
Do an online virus scan with something other than Norton, backup all important non-executable data, format, reinstall, patch/update, install virus scanner + updates, install firewall, connect to the net for the first time and never run untrusted executables again.
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
The best thing I can say to you is do the Ctrl-Alt-Del (not reset) thing and see what background programs you have running. If you do not know what a program is, try doing a search on the internet with the process name and see what you can find out about it.

Once you figure out which process/background program is causing you grief, go online and find out how to get rid of it. Or simply locate it on your computer and delete it. (Of course, make sure you know what you are deleting!)
 

ziplux

Senior member
Feb 7, 2001
676
0
0
Try going to Start->Run and typing "sfc /scannow" That will refresh your system files and get rid of any infected system files you might have. Also, try moving the wininit.exe file from your system folder to your desktop.
 

GonzoDaGr8

Platinum Member
Apr 29, 2001
2,183
1
0
Yikers!! Sounds like someone could be doing a format/reinstall here in the near future. Two things other than what has been suggested already could have prevented this:

1. Drive image. Make a backup of your HDD in case of just such an emergency. Could have had the whole thing restored in a matter of minutes.

2. This is just the reason I have a removable HDD rack and a separate HDD just for using those types of programs. If the Kazaa/Limewire/WinMX drive gets hosed, a quick restore with drive image CDs and I am back up again. Main drive sits in a drawer safely out of harm's way.

 

TheOmegaCode

Platinum Member
Aug 7, 2001
2,954
1
0
The plural of virus is viruses. As for Windows, it is easily infected; that's one of the perks of owning the largest % of the market and not sharing its source.
I recently installed NAV on my Win box after getting a little worried about some interesting numbers popping up after doing a netstat -a. Norton didn't find anything, and I'm fairly certain I'm not infected (I sit behind a firewall which runs NAT).
Personally, I think that virus scans are a crock. They waste a huge amount of system resources and a lot of the time they don't do any good. A friend of mine who has used Norton religiously recently got a nasty little worm in IE, and at work we keep getting infected by random viruses while running NAV and Exchange. The best way not to get a virus is to not put yourself in a situation where you might get one...
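
The netstat -a above and drag's process-list advice earlier in the thread are two halves of one check: on XP, netstat -ano adds a PID column, so every socket can be tied to the process that owns it (the PID is visible in Task Manager's Processes tab via View > Select Columns). What follows is an added example, not code from the thread or from any poster: it parses constructed netstat -ano output, lists which image owns each listening port, flags listeners belonging to processes not on an allow-list, and collects the remote hosts each process is talking to, which is the list you would hand to a firewall rule instead of blocking addresses one by one as they show up. The netstat text, the PID-to-name map, the port numbers and the allow-list are all invented for the example; the IP addresses are from the RFC 5737 documentation ranges.

```python
"""Attribute netstat -ano output to owning processes and remote hosts.

Added example, not code from the thread. XP's `netstat -ano` prints one
line per socket with a PID column, so firewall hits can be tied to the
local program that owns the socket. The sample below is constructed for
this example: addresses come from the 192.0.2.0/24, 198.51.100.0/24 and
203.0.113.0/24 documentation ranges, and the ports, PIDs and image names
are invented.
"""
from collections import Counter, defaultdict

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4099           0.0.0.0:0              LISTENING       1532
  TCP    192.0.2.5:1214         0.0.0.0:0              LISTENING       1176
  TCP    192.0.2.5:1214         198.51.100.23:3380     ESTABLISHED     1176
  TCP    192.0.2.5:4099         203.0.113.7:1037       ESTABLISHED     1532
  TCP    192.0.2.5:4099         203.0.113.7:1041       TIME_WAIT       0
  TCP    192.0.2.5:1050         198.51.100.9:4099      SYN_SENT        1532
  UDP    0.0.0.0:4099           *:*                                    1532
  UDP    192.0.2.5:1214         *:*                                    1176
"""

# Constructed PID -> image name map, as read off Task Manager's Processes tab
# (View > Select Columns > PID) on the same machine at the same moment.
SAMPLE_PROCESSES = {4: "System", 868: "svchost.exe", 1176: "kazaa.exe", 1532: "wininit.exe"}
# Processes whose listening sockets are expected on this box (constructed allow-list).
EXPECTED_LISTENERS = {"System", "svchost.exe", "kazaa.exe"}


def _split_endpoint(endpoint):
    """'192.0.2.5:1214' -> ('192.0.2.5', 1214); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` text into a list of socket records."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header, blank line
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP rows have no State column, so the PID is the 4th field, not the 5th.
        state = parts[3] if proto == "TCP" else ""
        pid = int(parts[-1])
        lhost, lport = _split_endpoint(local)
        fhost, fport = _split_endpoint(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "remote_host": fhost, "remote_port": fport,
                     "state": state, "pid": pid})
    return rows


def listeners_by_process(rows, processes):
    """{image_name: sorted ['proto/port', ...]} for every listening socket."""
    out = defaultdict(set)
    for r in rows:
        if r["proto"] == "UDP" or r["state"] == "LISTENING":
            name = processes.get(r["pid"], f"pid {r['pid']}")
            out[name].add(f"{r['proto']}/{r['local_port']}")
    return {k: sorted(v) for k, v in out.items()}


def unexpected_listeners(rows, processes, expected):
    """Listening ports owned by processes that are not on the allow-list."""
    return {k: v for k, v in listeners_by_process(rows, processes).items() if k not in expected}


def remote_hosts_by_process(rows, processes):
    """Counter of (image_name, remote_host): who each program talks to or is reached from."""
    counts = Counter()
    for r in rows:
        if r["remote_host"] in ("0.0.0.0", "*"):
            continue  # wildcard foreign address: a listener, not a peer
        counts[(processes.get(r["pid"], f"pid {r['pid']}"), r["remote_host"])] += 1
    return counts


def remote_hosts_for(rows, processes, image):
    """Sorted remote hosts on sockets owned by one image: the firewall block-list input."""
    return sorted({host for (name, host) in remote_hosts_by_process(rows, processes) if name == image})


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listeners:", listeners_by_process(rows, SAMPLE_PROCESSES))
    print("unexpected:", unexpected_listeners(rows, SAMPLE_PROCESSES, EXPECTED_LISTENERS))
    for image in unexpected_listeners(rows, SAMPLE_PROCESSES, EXPECTED_LISTENERS):
        print(image, "peers:", remote_hosts_for(rows, SAMPLE_PROCESSES, image))
```

Run netstat and read the PIDs from Task Manager within the same minute; PIDs are reused after a process exits, and TIME_WAIT sockets report PID 0 because no process owns them any more.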
 

AndrewPaulNet

Member
Jul 23, 2002
127
0
0
I fixed it...kindaish?

Hey fellas. I fixed the problem earlier today. Fact is, I don't think XP has a wininit.exe, at least not in the system directory (can't really find an instance of it anywhere, actually). Thank GOD. I remembered someone telling me that a long time ago; so today, faced with the thought of redoing everything I've done to make my Windows look, run and feel perfect, I swallowed lots and lots of spit and deleted the wininit.exe file, and before giving myself a chance to change my mind flushed it from the Recycle Bin and restarted my PC.

It booted back up. I still had the pesky TCP and UDP calls for a while, but they're down drastically. Now there's maybe 1 or 2 per 2 hours. Apparently, since there's no file to bounce a signal back, whatever program was sending signals from whosoever's PCs that have the other end to this little um' thing is obviously seeing that it's not there anymore, or something. My Norton is all calm now.

This was bad....whatever this program was is completely undetectable by Norton's stuff so far, as well as a host of trojan and other virus scanners.
It's not a virus because it didn't cause any harm (well, not that I can see right now anyway), and hopefully it didn't leave a payload on my PC, but it was obviously a trojan, and it must be fresh if Norton hasn't gotten it yet. I should have submitted it to SARC, but in all the mess all I could think of was deleting stuff. Blah!

Thanks anyway for your help.
 

Sunner

Elite Member
Oct 9, 1999
11,641
0
76
Originally posted by: NyCxSpyder
a) Adaware won't do anything because all it does is pick up spyware. That obviously is not spyware because it is multiplying itself. Spyware doesn't do that. It's most likely a virii/trojan. Not sure if it's harmful or not, but very annoying.

Andrew, did you try my advice about the msconfig and startup?

Well, indeed I've never seen a piece of spyware that does, but they get uglier by the day, so I figured it might be worth a shot.
Heck, when programs (Radlight) start uninstalling other programs (AdAware) just 'cause that other program can detect all the junk that the first program installs, it's gone quite far.
 

AndrewPaulNet

Member
Jul 23, 2002
127
0
0
Hey Sunner,

I had tried all that already. I had tried looking at all the processes and such. That's how I figured out that the file wininit was 'affected'; what I didn't remember/know for sure was that wininit.exe is no longer a part of Windows. So basically from there it solved itself; all I did was delete it.

Apparently the file I got spat the wininit out as well as a decoy file called temp0007.exe. I saw the temp0007.exe and killed it, but to my horror the file called dosn3.exe was still being run EVERY time I started up. Before, it had pointed to temp0007.exe, but now it was pointing to wininit.exe. That REALLY worried me because at this point I thought it had injected something into the file. That's how the name 'winjected' came about.

Of course, had I known wininit wasn't a part of XP, it wouldn't have become a problem at all. Actually, I'm thinking now that this problem could have been a lot worse. If I had opened the file in Win98, is there a possibility that it would have overwritten the wininit file?

I don't remember what directory wininit is in, in 95/98. The file set itself up in Windows\System, which is mostly a DLL directory.

Well .... Thanks again for your help and stuff.
 

Fisher999

Golden Member
Nov 12, 1999
1,670
0
0
You've already gotten a lot of good advice; including the advice to use a good virus scanner, keep definition files up-to-date, avoid downloading any .exe files from unknown sources, etc....

I don't know if this will be of any help or interest to you but you may want to check out these articles over at The Register concerning KaZaA and their recent worm and trojan situations.

Article 1

Article 2

Article 3

I hope you resolve your dilemma and I hope these articles, and their links, may be of some benefit to you.
 

AndrewPaulNet

Member
Jul 23, 2002
127
0
0
Heya.

Well I'm on a DSL and receive updates to my Norton programs as soon as they are released.

I also have scheduled scans for daily and weekly use. I consider myself very safe when it comes to stuff that's already known by norton...

It's the unknown stuff I would have problems with.

Sigh...

Well, Thanks again.

I know about all stuff Kazaa. I keep up on it since I'm a user...but thanks for the articles anyway.

 