I've found a keylogger file (svcinit.exe), but can't delete it, and Ad-aware isn't doing anything.
Can anyone tell me the best way to get rid of this?
Thanks.

It may be the Star key logger. Check this site for removal steps: http://www.pestpatrol.com/PestInfo/other/007_starr.asp

Hi,
SB, did you manage to remove the key logger? I was alerted by ZoneAlarm that the file svcinit.exe was trying to access the internet. After a lot of research, the most info I found on it was here: http://ths.gardenweb.com/forums/load/comphelp/msg1010354822111.html However, I have not managed to find removal instructions.
I downloaded the free version of Pest Patrol and ran a scan, but it did not find svcinit.exe even though their website said it will.
If someone can help it would be much appreciated.
Thanks,
DanteG

I seem to have got rid of mine. Block traffic, terminate (does not respond), end now, then delete the program in Explorer. It is now in my recycle bin, where I prefer it (used Sygate Personal Firewall). Lotsaluck.

Hi dav1d,
I am able to delete the file as it has already been disabled in msconfig, and is blocked by Zone Alarm. However, how do I know if this has removed the key logger completely? Does it not leave registry entries or maybe even other files?
This is something I really need to be sure of, and I think everyone else who has had this file should be too. I mean, the only thing worse than not knowing how to remove it completely, is to think that you have when in fact you have not.
I have searched a lot for info on this but have yet to find removal instructions for this particular bug. If anyone could shed some light on the situation, it would be much appreciated.
Thanks,
DanteG

i had the same problem,, i start in safe mode (safe m. by-passes ur start up files) then click start, find files/folders,, then type in:svcinit.exe,, click search, then right click on svcinit.exe to delite it.. restart comp,,( it will tell u it cant find svcinit.exe,, click start again, find files/folders,, (same as above) then type in:win.ini file,, right click to delite that.. poof!! all gone!!,, had a similar prob. with a :MSSYS.EXE,,, well good luck,,, happy delite'ing.......none

Hi DanteG, that was all I managed to do (more good luck than knowledge). Thanks to noneurbissness for the info on the win.ini file; it came up when I switched on tonight to see if I had been any help. I have now deleted this file and also checked for mssys.exe just in case. Happy Surfing, Dav1d

Thanks for the replies guys. noneurbissness, I have deleted the file svcinit.exe, and have received the message you mentioned upon re-booting the machine. However, I would like to make sure of your instructions for the next step, as I am not sure I understand. Should I delete the win.ini file? Also, what about the svcinit.exe registry key found in HKEY_LOCAL_MACHINE\software\microsoft\windows\current version\RunServices- ?
Thanks for your help.
DG

Um, can anyone help me? From the instruction posted by noneurbissness, it seems that he says that I should delete the win.ini file, which does not sound right to me. I opened win.ini, which has the line "run=C:\WINDOWS\svcinit.exe", and am thinking this is the problem. Should I delete this whole line? I really don't know what to do and do not want to guess and mess up the pc, so if someone could help me out I would be most grateful.
Thanks,
DG

yes DanteG, in find files and folders, type in win.ini file, when the search brings it up, right click to delite it,, if u dont, everytime u start up it will tell u it cant find svcinit.exe........have a good day u all,, happy pointer trails!! :)

Hi again noneurbissness,
Thanks for the reply. Sorry to be a bother again, but I still am not sure of what your instructions are. So let me just make sure I am clear before I do anything. Should I:
A) Delete the actual FILE called win.ini? (doesn't the pc need this file?)
B) Should I open the file, and delete the LINE "run=C:\WINDOWS\svcinit.exe"? (If so, do I delete the whole line including the "run=" part?)
I really want to make sure I do this right - I can't afford to create new problems with my pc. I am eagerly awaiting your help.
Thanks again,
DG

He couldn't even spell delite right. I wouldn't trust him on deleting the whole win.ini file. Only delete that svcinit line of code.

Also notice that noneurbissness doesn't capitalize/spell right at all. This is a sign of someone who has thoughts of screwing over other computers. Whether noneurbissness has these kinds of intentions I don't know. Just be careful with advice from people who do not explain answers in detail.

Deleting svcinit.exe is quite simple.
Re-Start computer in safe mode (press F8).
Run msconfig and go to win.ini.
Delete the line C:\WINDOWS\svcinit.exe under run=. Do not delete run=.
Go to Windows Explorer, find svcinit.exe and delete it.
That's all folks!

In my case, I didn't restart at all. ZoneAlarm notified me of this file; I renamed it to svcinit._exe and started msconfig.exe to see where it had registered itself. But although I found the lines "Run=c:\ultranos\svcinit.exe", there was no such file in the windir. Maybe it had tried to install exactly in c:\windows, and I don't have that folder. Here's what I did, so that I don't restart:
1) First, I banned it from ZoneAlarm
2) Killed the process, using ProcessViewer (comes with VC6++). You can kill it with Ctrl+Alt+Del, too.
3) run Msconfig.exe, and in all tabs there - delete/disable anything that points to that file
4) from RegEdit.exe, go to the location, specified in one of the posts above, but notice that there are entries in
"\RunServices-" , as well as in
"\RunServices" (without ending dash). Delete those values
5) open the win.ini, search for the filename, and delete only the lines that contain it.
6) continue having fun with the PC :)

Do NOT delete the WIN.INI file. You can either delete just the line with "svcinit.exe" in it or, if you are not sure, you can NULL it by placing a semicolon at the front (this tells Windows to disregard it at boot up, and you can always restore it later by simply removing the semicolon).

One thing to note about this keylogger: check for the presence of both SVCINIT.exe and LOADER.exe in the WINDOWS folder. I received both of these simultaneously this week. LOADER.exe can be easily deleted from Windows in Normal mode, but SVCINIT.exe has to be done in Safe Mode. Make sure to delete the registry "Run" key for SVCINIT.exe and then delete or NULL the WIN.INI entry. If you don't, it comes right back at next boot. Also delete the SVCINIT.exe file while in Safe Mode.

Currently this keylogger opens port 53 and port 12326 for communication with the recipient. To check which of your ports are open, use the NETSTAT command from a DOS prompt in Windows. Remember to always check your Task List; anything running other than SYSTRAY and EXPLORER is suspect. I would appreciate anybody sharing their outgoing port info via my email.

As of this writing, I have contacted 11 ISPs regarding 118 infections amongst their customers (based on collective firewall intrusion reports from 3 separate nodes). McAfee and Norton and Trend (online) do not detect these keyloggers. Previous information can be found under the former name SINIT. Messages should probably be sent asking them to update their definitions to include this newly modified variant. Regards- Flip
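The two pieces of advice above (the step-by-step post's item 5, "delete only the lines that contain it", and Flip's "delete the line or NULL it with a semicolon") can both be done without touching the rest of win.ini. The script below is an added example written for this thread, not code from any poster: it parses the `[windows]` section, finds `run=` / `load=` entries that name the suspect executable, and either strips just that entry (keeping any other programs listed on the same line, since `run=` may list several) or comments the whole line out with a leading semicolon. The sample win.ini content, the path-separator handling and the backup filename are my assumptions; the suspect filename svcinit.exe and the `run=C:\WINDOWS\svcinit.exe` line come from the thread.

```python
"""Neutralize run=/load= autostart entries in a Windows 9x-style win.ini.

Added example for this thread (not any poster's code). Assumptions:
- win.ini is plain text with [section] headers; ';' starts a comment line.
- run=/load= values may list several programs separated by spaces or commas
  (paths containing spaces are not handled, as on the Windows 9x originals).
"""
import re
from pathlib import Path, PureWindowsPath

AUTOSTART_RE = re.compile(r"^\s*(run|load)\s*=(.*)$", re.IGNORECASE)

# Constructed sample file, modelled on the line DG quoted in the thread,
# with a second (harmless) program on the same run= line to show that only
# the suspect entry is removed.
SAMPLE_WIN_INI = (
    "[windows]\r\n"
    "load=\r\n"
    "run=C:\\WINDOWS\\svcinit.exe C:\\TOOLS\\tray.exe\r\n"
    "NullPort=None\r\n"
    "[Desktop]\r\n"
    "Wallpaper=(None)\r\n"
)


def _split_entries(value):
    """run=a.exe b.exe  or  run=a.exe,b.exe  -> ['a.exe', 'b.exe']"""
    return [e for e in re.split(r"[ ,]+", value.strip()) if e]


def _names_suspect(entry, suspect):
    # PureWindowsPath understands backslashes on any host OS.
    return PureWindowsPath(entry.strip('"')).name.lower() == suspect


def neutralize_win_ini(text, suspect_exe, mode="strip"):
    """Return (new_text, changes).

    mode="strip"   removes only the suspect entry from run=/load=.
    mode="comment" prefixes the whole line with ';' (Flip's NULL approach).
    changes is a list of (line_number, old_line, new_line).
    """
    suspect = suspect_exe.lower()
    out, changes, section = [], [], None
    for idx, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
            out.append(line)
            continue
        m = AUTOSTART_RE.match(line)
        if section == "windows" and m and not stripped.startswith(";"):
            key, value = m.group(1), m.group(2)
            entries = _split_entries(value)
            hits = [e for e in entries if _names_suspect(e, suspect)]
            if hits:
                if mode == "comment":
                    new = ";" + line
                else:
                    kept = [e for e in entries if e not in hits]
                    new = f"{key}={' '.join(kept)}"
                changes.append((idx, line, new))
                out.append(new)
                continue
        out.append(line)
    eol = "\r\n" if "\r\n" in text else "\n"
    tail = eol if text.endswith(("\n", "\r\n")) else ""
    return eol.join(out) + tail, changes


def clean_file(path, suspect_exe, mode="strip"):
    """Rewrite win.ini in place, keeping a .bak copy; bytes are used so the
    original CRLF line endings are preserved. Returns the change list."""
    p = Path(path)
    original = p.read_bytes().decode("latin-1")
    new, changes = neutralize_win_ini(original, suspect_exe, mode)
    if changes:
        p.with_suffix(p.suffix + ".bak").write_bytes(original.encode("latin-1"))
        p.write_bytes(new.encode("latin-1"))
    return changes


if __name__ == "__main__":
    cleaned, what = neutralize_win_ini(SAMPLE_WIN_INI, "svcinit.exe")
    for line_no, old, new in what:
        print(f"line {line_no}: {old!r} -> {new!r}")
```

Run it against a real file with `clean_file(r"C:\WINDOWS\WIN.INI", "svcinit.exe")`; with `mode="comment"` the change is reversible by deleting the semicolon, exactly as Flip describes. The registry `Run` / `RunServices` values the same posts mention are a separate store and are not touched by this script.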

Thanks for the replies guys - I thought this thread was dead so I went over to the spywareinfo.com forums for some help. I knew not to delete the win.ini file, I just couldn't understand why this guy was telling me to do it - I thought he must have explained it wrong. Guess not.
Flip, regarding SVCINIT.EXE, I had already removed the file via Housecall, and have now run Hijackthis which has removed the run=C:\WINDOWS\svcinit.exe command from win.ini, but the registry key is still there under HKEY_LOCAL_MACHINE\software\microsoft\windows\current version\RunServices-. Is this safe to delete, and can it cause any harm if it is left there?
Regarding Netstat, I have just run it a few times and nothing comes up (connected to the internet a few minutes ago, have nothing running except I.E.). But just now, I got this:
tcp pc01:3717 63.211.210.221.80 established
What does this mean?
Thanks,
DG

Hi everybody,
"Backdoor.Sinit is a Backdoor Trojan Horse that gives an attacker unauthorized access to a compromised computer, by opening a random UDP port.
When Backdoor.Sinit is executed, it does the following:
Copies itself as %System%\Svcinit.exe, which runs in the background and deletes the original file"
If you want more info about "Backdoor.Sinit" read this: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sinit.html

Well DanteG.. To delete the svcinit services will not hurt anything. As for that connection you just made. Looks like a web connection. Just installed Zone Alarm and using it for the first time? Port 80 is the port that is used for web servers for the most part. Just keep on alert!
Shouldn't cause any harm if it is still left there as long as svcinit.exe does not exist in that path, but you might as well delete it (SVC Service).
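DG's question about the `netstat` line and the reply that port 80 is simply a web connection can be turned into a small triage routine. The script below is an added example for this thread, not code from any poster: it parses `netstat -an` style output, then marks each socket as expected (a known local service, or an outbound connection to a web port), suspect (a listener on, or a connection to, the ports Flip reports for this keylogger, 53 and 12326) or review (anything else). The Windows netstat column layout, the small allowlist of local listeners and all sample lines except DG's quoted one are my assumptions; DG's own line (`tcp pc01:3717 63.211.210.221.80 established`) is included to show the host.port variant is parsed too.

```python
"""Triage netstat -an output for listeners and connections worth a look.

Added example for this thread (not any poster's code). Assumptions:
- Windows-style columns: Proto, Local Address, Foreign Address, [State].
- Suspect ports are the two Flip reports (53, 12326); a home PC should not
  be listening on 53 (the DNS server port) and 12326 is not a known service.
- EXPECTED_LOCAL_LISTENERS is a constructed allowlist for the demo.
"""
import re
from dataclasses import dataclass
from typing import Optional

KEYLOGGER_LISTEN_PORTS = {53, 12326}
KEYLOGGER_REMOTE_PORTS = {12326}        # outbound to 53 is ordinary DNS
EXPECTED_LOCAL_LISTENERS = {135, 139, 445}
WEB_PORTS = {80, 443}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)

# Constructed sample; the last line is the one DG quoted in the thread.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12326          0.0.0.0:0              LISTENING
  TCP    192.168.0.5:3717       63.211.210.221:80      ESTABLISHED
  TCP    192.168.0.5:3720       10.20.30.40:12326      ESTABLISHED
  UDP    0.0.0.0:53             *:*
tcp pc01:3717 63.211.210.221.80 established
"""


@dataclass
class Socket:
    proto: str
    local_host: str
    local_port: Optional[int]
    remote_host: str
    remote_port: Optional[int]
    state: str


def _split_addr(addr):
    # Usually host:port; some builds print host.port as in DG's line.
    sep = ":" if ":" in addr else "."
    host, _, port = addr.rpartition(sep)
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Skip headers and blank lines; return a Socket per data line."""
    socks = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        lh, lp = _split_addr(local)
        rh, rp = _split_addr(remote)
        socks.append(Socket(proto.upper(), lh, lp, rh, rp, (state or "").upper()))
    return socks


def classify(s):
    """Return (verdict, reason) for one socket."""
    is_listener = s.state == "LISTENING" or (s.proto == "UDP" and s.remote_host == "*")
    if is_listener:
        if s.local_port in KEYLOGGER_LISTEN_PORTS:
            return "suspect", f"local listener on {s.local_port}, a port reported for this keylogger"
        if s.local_port in EXPECTED_LOCAL_LISTENERS:
            return "expected", f"known local service on {s.local_port}"
        return "review", f"unexpected local listener on {s.local_port}"
    if s.state == "ESTABLISHED":
        if s.remote_port in KEYLOGGER_REMOTE_PORTS:
            return "suspect", f"connected to {s.remote_host}:{s.remote_port}, a port reported for this keylogger"
        if s.remote_port in WEB_PORTS:
            return "expected", f"outbound web connection to {s.remote_host}:{s.remote_port}"
        return "review", f"outbound connection to {s.remote_host}:{s.remote_port}"
    return "info", s.state or "no state"


def triage(text):
    """[(Socket, verdict, reason), ...] in the order netstat printed them."""
    return [(s, *classify(s)) for s in parse_netstat(text)]


def suspects(text):
    return [s for s, verdict, _ in triage(text) if verdict == "suspect"]


if __name__ == "__main__":
    for s, verdict, reason in triage(SAMPLE_NETSTAT):
        print(f"{verdict:8} {s.proto} {s.local_host}:{s.local_port} -> "
              f"{s.remote_host}:{s.remote_port} {s.state}  ({reason})")
```

On a real machine feed it the captured output (`netstat -an > ports.txt`, then `triage(open("ports.txt").read())`). The verdict for DG's line is "expected", matching the reply above: a browser talking to a remote web server on port 80. A "suspect" or "review" listener is only a lead; the process behind it still has to be identified from the Task List, as Flip suggests.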

Hi all
Fernando's method worked for me as well. THANKS!
BUT I am still confused about whether I need an uninfected version of svcinit.exe or not... is it a virus that replaces the original or is it just a virus?
I still find something called SVC service in my start up configuration, which shows a path to svcinit.exe. I have unchecked this item. Is this all I need to do?
Any response would be much appreciated.

SVCINIT.EXE is the trojan program that opens hidden connections on your computer so that hackers can access your computer remotely. The file should be deleted so that you don't accidentally click on it and run it in the future. If your STARTUP folder calls for this program to start and it can't find it, then it may give you an error at bootup. Delete the STARTUP entry and the .exe file both. The SVCINIT.exe is the dangerous program and is not always detectable by virus scanners. The installer or "dropper" program is usually the culprit caught by a scanner. A 'good' virus will delete the installer/dropper program so that you don't even know it is running in the background. :O)

I have the greatest way to get rid of the file...
Under Windows 98, 95, and I think ME...
1.Restart your computer in safe mode.
2.Go to where the file is located (usually C:\Windows\System)
3.Delete it!
4. Replace it with a dummy program (ellibar7.freeyellow.com\svcinit.exe)
All this dummy program does is, when Windows calls for it, show a dialogue box that says "svcinit.exe Dummy". All you do is press OK and the file will unload, leaving Windows thinking it's working properly. Hope this helped you
-7H3 R341 H31P3R

Why would anybody want to remove the file and replace it with another copy of the trojan? This is like taking your car to a mechanic and saying "Please fix my flat tire by taking it off the front rim and putting it on the back rim." Not very L337.

I had the same problem...among others. I installed Norton Internet Security and found I had a number of bad things on my system. In short, everything bad was removed.
Upon startup I received the message svcinit.exe was not found. The "error" message then asked that I remove references to this program in the WIN.INI file.
I assume the actual program is gone. I then went to the startup menu in msconfig and unchecked references to svcinit. The start up messages are gone.
If this has not taken care of the entire problem, then someone please let me know. If this HAS addressed the issue, as it appears, then getting Norton Internet Security may actually take care of the problem for you (getting rid of the program).
Take care,
G
