Is it spyware a virus or???

  • Question

  • Good Morning all,

     I'm running RC-1 64 bit edition. I loaded Spyware Doctor and ran a scan. It found 2 files, #1 bitsprx4.dll and #2 wininit.exe, and flagged them both as threats. PC-cillin and Avast did not find them. And Adaware and Spybot didn't find them. In the MS KB site, it lists similar dll's and nothing on wininit.exe. The web shows that both are backdoors/trojans. Anyone know of these? If you do, any ideas how to get rid of them? Spyware Dr can't seem to remove or quarantine them. Any help is appreciated.

    John Smith

    Monday, September 25, 2006 12:08 PM

Answers

  • BITSPRX4.DLL:

    On my 32-bit Windows Vista, this file is located in the C:\WINDOWS\SYSTEM32 folder, and is part of the Background Intelligent Transfer Service proxy.

    To quote Microsoft:

    "BITS transfers files using leftover bandwidth. For example, if you are currently using 60 percent of your bandwidth, BITS will only use the remaining 40 percent. BITS also maintains file transfers when a network disconnection occurs, or a computer needs to be restarted: When the network connection is re-established, BITS will continue where it left off."

    WININIT.EXE:

    This, again on my 32-bit Windows Vista, is located within the C:\WINDOWS\SYSTEM32 folder, and is used to kick off Windows processes upon power-up. If you viewed your process list, you'd find this was the parent for SERVICES, which called SVCHOST/LSASS/etc.

    You can add the "commandline" column in Task Manager to identify where this is being executed from. If you are lucky it will have a fully qualified path, or if it doesn't it was run from the current folder or somewhere on your path. Again, I only found one reference in C:\WINDOWS\SYSTEM32.

    OVERALL COMMENT:

    I'd say that these were valid files, and running as processes from valid locations, then you would have little to worry about. If you were truly worried then I'd upload to WEBIMMUNE.NET, where they will analyse your files for malware and send you an email in response. Again, I'd say you have little to worry about - apart from Spyware Doctor's false detection. There's no mention of Vista support on the vendor's web page, so it may just throw a spanner in the works when you've got it running inside Vista.

    Joe.

    Monday, September 25, 2006 9:43 PM

All replies

  • Something more.

    Even IOLO System Mechanic 6 defines wininit.exe as a "dangerous threat" (high risk spyware, part of WOLLF.16 virus).

    They're not alone in this. Even Symantec describes here wininit.exe as a spyware son of wollf.16 activity.

    IOLO System Mechanic 7, however, doesn't alarm the user about wininit.exe presence, anymore.

    Sometimes, a slow boot or other normal OS backup activities (among the others, regback, for example that's able to make a machine boot last 4 or 5 minutes) put the IT pros in a paranoia state. These "helping" softwares and spy killers, do the rest....

    Stefania

    Sunday, March 25, 2007 11:07 PM
  • Not surprising.... not only can and does MS put out a totally inept OS like Vista but is now creating executables and DLLs with filenames similar if not the same as all the *** that can infect their wonderful OS...

     

    As with Windows ME - maybe it is time to run for the hills MS and rewrite a NEW OS - get rid of Hasta La Vista baby!

     

    I think it's probably legit - though I had to spend 30 minutes to feel OK about it after reading from the Web - thanks for all the thought put into your new OS MS!

     

    Friday, October 19, 2007 4:08 PM
  • A malware can be named anything!

     

    bitsprx4.dll IF situated in system32 folder is the legit MS file; else it's malware. You can also rt-click on the file to check up its Properties, so that you know what it actually is.

     

    If in doubt one can always get a single file checked with multiple AV engines at http://virusscan.jotti.org/

    Saturday, October 20, 2007 3:41 PM
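
The checks suggested in the replies above (image path and command line of wininit.exe, its child processes, file location and file Properties), gathered into one script as an added example that is not part of the original thread. It assumes PowerShell 4 or later in an elevated 64-bit console and a default install where the genuine files live in `%SystemRoot%\System32`; the function name `Test-InFolder` is hypothetical.

```powershell
# Added example, not from the thread. Assumes PowerShell 4+ in an elevated
# 64-bit console and a default install where the genuine files live in System32.
$sys32 = Join-Path $env:SystemRoot 'System32'
$names = 'wininit.exe', 'bitsprx4.dll'      # the two files named in the question

function Test-InFolder([string]$Path, [string]$Folder) {
    # $null means the path could not be read (usually: console not elevated)
    if ([string]::IsNullOrEmpty($Path)) { return $null }
    $dir = [System.IO.Path]::GetDirectoryName($Path)
    return $dir.TrimEnd('\') -ieq $Folder.TrimEnd('\')
}

# 1. Running wininit.exe instances: image path, command line, parent, children
$procs = @(Get-CimInstance Win32_Process)
foreach ($p in $procs | Where-Object { $_.Name -ieq 'wininit.exe' }) {
    $kids = $procs | Where-Object { $_.ParentProcessId -eq $p.ProcessId }
    [pscustomobject]@{
        PID         = $p.ProcessId
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine
        InSystem32  = Test-InFolder $p.ExecutablePath $sys32
        ParentPID   = $p.ParentProcessId
        Children    = ($kids.Name | Sort-Object -Unique) -join ', '
    }
}

# 2. Same-named files in System32 or in any folder on PATH
$folders = @($sys32) + ($env:Path -split ';') |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Sort-Object -Unique
foreach ($folder in $folders) {
    foreach ($n in $names) {
        $file = Join-Path $folder $n
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { continue }
        $ver = (Get-Item -LiteralPath $file).VersionInfo   # same data as the Properties dialog
        $sig = Get-AuthenticodeSignature -LiteralPath $file
        [pscustomobject]@{
            File       = $file
            InSystem32 = Test-InFolder $file $sys32
            Company    = $ver.CompanyName
            Signature  = $sig.Status   # catalog-signed OS files can show NotSigned on older PowerShell
            Signer     = $sig.SignerCertificate.Subject
            SHA256     = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        }
    }
}
```

A copy reported with `InSystem32` false, or a file whose signature status is not `Valid`, is the one to submit to a multi-engine scanner; the SHA256 column identifies exactly which file was checked.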