Virus BKDR_SINIT.A Don't seem to be able to remove

  diode 19:41 02 Nov 2003

I have three computers (networked) running Win 98se with Trend PC-cillin 2000 installed (with updated virus pattern). One of the computers that
the boys use has detected the virus BKDR_SINIT.A in C:\Windows\System\svcinit.exe and is unable to delete or quarantine it. The Trend website gives instructions on dealing with the problem, but it is for Windows NT, 2000 and XP. I have tried to modify the procedure for 98se by starting in safe mode and using regedit to remove the svcinit.exe entry in the RunServices folder, and tried to find it in the Winlogon file, but I can find no entry to delete. I ran the virus checker again but it is still there. Can anyone help, please?
Thanks in anticipation.

  diode 19:42 02 Nov 2003

That the other two computers are virus free

  VoG II 19:47 02 Nov 2003

According to click here it runs on Win NT/2K/XP (so presumably it won't do anything on a 98 machine?)

  diode 19:55 02 Nov 2003

Thanks for the reply. I appreciate what it says. This is the website I got the instructions from to remove it, but I am not sure if they have just stopped supporting Win98se. Will it do any damage? It would be nice to remove it, so it doesn't keep generating a warning each time the virus scan operates.

  keith-236785 19:57 02 Nov 2003

Doing a search on Google I found this entry from another forum; sorry it's so big, but it does explain how to get rid of it.

As VoG says, there is no mention of Windows 98.

Good luck.

click here
Installation and Autostart Technique

Upon execution, this memory-resident backdoor program copies itself using the file name SVCINIT.EXE in the default system folder. It then attempts to add the following registry entry so that this copy runs at every Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
SVC Service="%System%\svcinit.exe"

(Note: %System% is the Windows system folder, which is usually C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)

This copy proceeds to delete the original malware file.

Registry Modifications

To achieve memory residency, this malware also creates the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
from Userinit="%system%\userinit.exe,%system%\svcinit.exe"
to
Userinit="%system%\userinit.exe"

This effectively executes the backdoor when a user logs into an infected system. The following registry entry is also added:

HKEY_LOCAL_MACHINE\Software\Microsoft\DirectPlugin
EngineName="C:\WINDOWS\System32\DirectPlugin.installed"

Backdoor Routine

Once it is already running in the system, it opens Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports and awaits commands from a remote user.


click here

Description:

This memory-resident backdoor malware opens random Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports and awaits commands from a remote user.

It runs on Windows NT, 2000 and XP.

Solution:

Identifying the Malware Program

To remove this malware, first identify the malware program.

1. Scan your system with your Trend Micro antivirus product.
2. NOTE all files detected as BKDR_SINIT.A.

Trend Micro customers need to download the latest pattern file before scanning their system. Other Internet users may use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

1. Open Windows Task Manager. Press CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs, locate the malware file or files detected earlier.
3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

To remove the malware autostart entries:

1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
3. In the right panel, locate and delete the entry:
SVC Service="%System%\svcinit.exe"
Note: %System% is the Windows system folder, which is usually C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
4. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
5. In the right panel, locate and delete the entry:
from Userinit="%system%\userinit.exe,%system%\svcinit.exe"
to
Userinit="%system%\userinit.exe"
6. In the left panel, locate and delete the following:
HKEY_LOCAL_MACHINE\Software\Microsoft\DirectPlugin
7. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Additional Windows XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as BKDR_SINIT.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.

  diode 20:03 02 Nov 2003

This is the site I got the instructions from. I tried, as I said, to follow the delete instructions. I did items 1, 2 and 3, but in item 4, in the Winlogon file, I couldn't find the svcinit.exe file. I managed to delete item 6. But as I said, it still detects the virus.

  VoG II 20:10 02 Nov 2003

Removal instructions for W98 click here

  diode 20:14 02 Nov 2003

I will give this a try and will report back. Hopefully it shouldn't take too long.
Thanks again, talk soon.

  diode 20:55 02 Nov 2003

This seems to have got rid of the problem, thanks. The only thing is that now on boot-up I get the message "Could not load or run svcinit.exe specified in the win.ini file make sure the file exists on your computer or remove the reference to it in the win.ini file". Will I continue to get this warning, as I know I have deleted it as per the instructions? The instructions don't mention removing the reference in the win.ini file. If that is what I should do, can you suggest the best way?

  VoG II 21:01 02 Nov 2003

Start, run and enter

win.ini

in the Open box.

Find and delete the line that refers to svcinit.exe
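As an added example (not from the thread, from Trend Micro or from VoG II), a Python script that checks the three autostart locations discussed above for a reference to svcinit.exe: the RunServices value, the Winlogon Userinit string that Trend describes as having svcinit.exe appended, and the win.ini run=/load= lines behind the boot-time message. The sample values are constructed to stand in for what regedit and win.ini would show on an affected machine.

```python
import configparser

SUSPECT = "svcinit.exe"  # file name named in the thread and the Trend write-up

# Constructed sample values standing in for what regedit / win.ini would show.
SAMPLE_USERINIT = r"%system%\userinit.exe,%system%\svcinit.exe"
SAMPLE_RUN_SERVICES = {"SVC Service": r"%System%\svcinit.exe",
                       "SystemTray": "SysTray.Exe"}
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\svcinit.exe
NullPort=None

[fonts]
"""

def userinit_extras(value):
    """Entries in a Winlogon Userinit value other than userinit.exe itself.
    Trend describes the infection as appending svcinit.exe after a comma."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower().split("\\")[-1] != "userinit.exe"]

def clean_userinit(value):
    """The Userinit value with everything but userinit.exe removed."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return ",".join(p for p in parts if p.lower().split("\\")[-1] == "userinit.exe")

def run_key_hits(values, name=SUSPECT):
    """Value names under a Run/RunServices key whose data names the suspect file."""
    return sorted(k for k, v in values.items() if name in v.lower())

def win_ini_hits(text, name=SUSPECT):
    """(section, key) pairs whose run= or load= line in win.ini names the file.
    This is the reference behind the 'Could not load or run svcinit.exe' message."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    return [(s, k) for s in cp.sections() for k in ("load", "run")
            if cp.has_option(s, k) and name in (cp.get(s, k) or "").lower()]

if __name__ == "__main__":
    print("Userinit extras:", userinit_extras(SAMPLE_USERINIT))
    print("Cleaned Userinit:", clean_userinit(SAMPLE_USERINIT))
    print("RunServices hits:", run_key_hits(SAMPLE_RUN_SERVICES))
    print("win.ini hits:", win_ini_hits(SAMPLE_WIN_INI))
```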

  diode 21:13 02 Nov 2003

I'll do that; hopefully it is not a required program. Cheers.
