Winini.exe

Discussion in 'NOD32 version 2 Forum' started by softtouch, Aug 2, 2007.

Thread Status:
Not open for further replies.
  1. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    I am running Vista Ultimate, with full updated Nod32.
    Yesterday, I got an error from Vista that winini.exe could not run properly, so I started to investigate.
    In Task Manager, I saw iexplore.exe running, without my having opened it.
    So I killed IE, and winini.exe tried again to run, but failed. Shortly after the error message, iexplore started again.
    I scanned the HD in safe mode, complete, but nod32 did not find anything wrong...

    So I restarted using another admin account, removed the registry entries, deleted winini.exe, temp folders and so on, and now all is clean.

    Why did NOD32 not detect this quite old trojan?

    It was NOT in the windows folder (because it would need admin rights to write there), it was in c:\users\<username>\appdata, it also created an addon.dat in the same location. Both re-appeared immediately after I deleted them.
     
  2. ASpace

    ASpace Guest

  3. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    winini.exe is not an unknown threat, and is detected by KIS without a problem. NOD32 just kept quiet, no warning, no nothing.
    I even right-clicked that winini.exe and scanned it with NOD32; nothing, it came out clean.

    Every time I deleted it, IE started invisibly and that winini.exe reappeared within seconds.

    It's the W32/Rbot-KV and for some reason, NOD32 did not detect it (under Vista).

    I cleaned it up by hand, manually, by rebooting in safe mode, cleaning the registry, removing the winini.exe and the addon.dat etc.
    Now the system is back to normal, but I no longer trust NOD32 100%.
     
  4. ASpace

    ASpace Guest

    Hi !

    I am writing about a threat unknown to NOD32 (= undetected by NOD32); you could have sent ESET the suggested log files (the ones described in the thread created by Blackspear) and they would have contacted you with suggestions on how to remove the malware.

    Just keep in mind that no vendor can reach 100% detection of all threats around the world, but ESET is among the ones that miss less. :thumb:
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    No AV is 100% perfect, each misses malware. From VT statistics, KAV misses hundreds if not thousands of threats coming from VT that are detected by NOD32, and they are not FPs. It's a matter of fact that no AV will 100% protect you from threats if you do not keep your OS up to date, or if you visit risky sites and open unknown files/links.
     
  6. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Marcos, I did not open any risky site; the OS (Vista Ultimate) has all updates possible (all I can get via automatic update daily).
    However, I have cleaned the PC manually.
    I did not say that NOD32 is bad (if I thought so, I would not have extended my subscription just a couple of days ago). I only meant that I was very surprised how easy it was for malware to enter Vista with all security software updated...
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Just to make sure, didn't you disable UAC by chance?
     
  8. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    No. Because I am developing on the Vista machine, and my software must run under the default limited and default admin accounts on any Vista machine, I have everything on default settings, as it is after a fresh install.
    Defender, firewall and UAC are on. Also all Vista updates are installed.
    There are no games on this computer, just the development software I need.
    I do not browse warez sites etc., I do not need this sh..t. I browse just sites about development, M$, Borland etc.
    On the day the Winini.exe appeared, I did not even use the internet, I was busy with my development work.

    Suddenly, I got a message from Vista that "winini.exe is unable to run", and that the program will be closed.
    I checked and saw Internet Explorer running (without gui, just iexplore.exe in task manager). So I killed the process, and a second later, winini.exe tried again to run and another 2 or 3 seconds later, IE appeared again. This was a cat and mouse game.
    I deleted winini.exe (and a file addon.dat, which was always recreated by winini.exe). But shortly after, winini.exe was created again and tried to run.
    So I restarted under the hidden admin account of Vista, cleaned the registry entries, deleted winini.exe, addon.dat, restarted with the normal account and the problem was solved.

    Winini.exe did NOT write itself into the Windows directory; it would not be able to, under the limited account. It was created in <boot drive>\users\<username>\appdata, which is usually hidden.

    All I do NOT understand is HOW it could write the registry entries into HKLM\software\microsoft\windows\currentversion\run. HKLM is totally protected under a limited account, and even under the normal admin account UAC kicks in. I NEVER used the hidden admin account until the moment I had to clean the system, so it is a mystery to me.

    I did not think about zipping the winini.exe and addon.dat at that time; I was happy to be able to clean it, because all my developed products are on that machine, so I did not waste any time by leaving it on that machine.
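    The triage step this thread implies, as an added example that is not from the thread, softtouch or ESET: parse a `reg export` of the HKLM and HKCU Run keys and flag autorun entries whose executable lives in a user-writable location such as the user's AppData folder, which is where winini.exe sat. The registry export text and the account name `alice` are constructed for the example.

    ```python
    import re
    # Constructed sample of `reg export` output for the two Run keys; the "Windows Init" entry is
    # modelled on the thread's winini.exe persisting from the user's AppData folder (not a real export).
    SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="%ProgramFiles%\\Windows Defender\\MSASCui.exe -hide"
    "Windows Init"="C:\\Users\\alice\\AppData\\winini.exe"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
    """

    # Locations a non-admin account can write to; an autorun pointing here deserves a closer look.
    USER_WRITABLE = re.compile(
        r"^(%(appdata|localappdata|temp|tmp|userprofile)%|[a-z]:\\users\\[^\\]+\\)", re.I)

    def parse_reg_export(text):
        """Return {key_path: {value_name: string_value}} for the string values in a .reg export."""
        keys, current = {}, None
        for line in text.splitlines():
            line = line.strip()
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
                keys[current] = {}
            elif current is not None:
                m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
                if m:  # .reg files escape backslash and quote with a backslash; undo that
                    name, value = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
                    keys[current][name] = value
        return keys

    def extract_exe_path(command):
        """Pull the executable path out of an autorun command line (quoted, or ending in .exe)."""
        command = command.strip()
        if command.startswith('"'):
            return command[1:command.find('"', 1)]
        m = re.match(r"^(.*?\.exe)\b", command, re.I)
        return m.group(1) if m else command.split(" ")[0]

    def find_suspicious_run_entries(text):
        """List Run-key entries whose executable sits in a user-writable location."""
        hits = []
        for key, values in parse_reg_export(text).items():
            if not key.lower().endswith(r"\microsoft\windows\currentversion\run"):
                continue
            for name, command in values.items():
                path = extract_exe_path(command)
                if USER_WRITABLE.search(path):
                    hits.append({"key": key, "name": name, "path": path})
        return hits
    ```

    On a live system, feed it the output of `reg export` for both Run keys; an entry under a user profile is not proof of malware, but it is exactly the kind of entry a scanner miss like this one leaves behind.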
     