Topic: Win32:Nsag-B c:\windows\system32\wininet.dll

JanneT

  • Guest
Win32:Nsag-B c:\windows\system32\wininet.dll
« on: April 26, 2006, 10:02:19 PM »
Hello, and apologies for my poor English.

Avast can not erase this virus:
Win32:Nsag-B  virus  c:\windows\system32\wininet.dll

When I restart Windows and Avast checks for viruses before Windows starts, Avast can erase this virus, but is it safe, because wininet.dll is an important file, or is it?

Last time when I erased this file, Windows could not restart at all.

What can I do? How can I erase this virus safely?

Please help.

Regards Janne

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:Nsag-B c:\windows\system32\wininet.dll
« Reply #1 on: April 26, 2006, 10:31:13 PM »
Hi JanneT,

It's possible wininet.dll has been infected by malware. See this link:

http://www.computing.net/security/wwwboard/forum/16622.html

Apparently you can download a clean version here, but I haven't checked this out:

http://www.dll-files.com/dllindex/dll-files.shtml?wininet

This sort of infection can happen with Trojan-Spy.HTML.Smitfraud.c and variants:

Quote
The tool also detects if the system file wininet.dll is infected, and attempts to replace it with another copy on the system. In XP and 2000, if another copy of wininet.dll is found in one of the locations the tool looks, the tool will replace the infected file. Windows 95, 98 and Windows Millennium do not have copies, so it’s necessary to try to clean it or replace it otherwise.

Panda ActiveScan online had been properly cleaning the infected wininet, but I recently noticed it was instead deleting it. I hope they get this fixed, but in the meantime, if you have one of those operating systems with an infected wininet.dll, I suggest you download the appropriate patch for your system from Microsoft, which contains a copy of the file, before scanning with Panda, in case it does get deleted.

http://noahdfear.geekstogo.com/

It might be a good idea to run  the SmitRem removal tool available at the link above, followed by a scan with Ewido:

http://www.ewido.net/en/

     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

NonSuch

  • Guest
Re: Win32:Nsag-B c:\windows\system32\wininet.dll
« Reply #2 on: April 27, 2006, 10:21:36 AM »
That's excellent advice from FreewheelinFrank. Unfortunately, the smitRem tool has not been updated for a while and will not be able to remove the latest variants of smitfraud. Although there is another tool available that works just as well, SmitfraudFix, it should not be used except under the direct supervision of someone who is experienced in its use.

I suggest you go to one of the forums that specializes in removing this type of infection, and post a HijackThis log for them to analyze.  (Directions for doing that are available at the sites).  Aumha.net and MalwareRemoval.com are both excellent forums, and there are many others as well. 

Spiritsongs

  • Guest
Re: Win32:Nsag-B c:\windows\system32\wininet.dll
« Reply #3 on: April 27, 2006, 07:55:58 PM »
:) Hi NonSuch :

I do not recommend the HijackThis forum at aumha.net because most likely there will be a 10-day wait for someone to review a HJT log; will get much faster service at www.landzdown.com .

NonSuch

  • Guest
Re: Win32:Nsag-B c:\windows\system32\wininet.dll
« Reply #4 on: April 27, 2006, 09:35:05 PM »
Landzdown is excellent as is www.MalwareRemoval.com (and both have good turnaround times).  :)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: Win32:Nsag-B c:\windows\system32\wininet.dll
« Reply #5 on: April 27, 2006, 09:47:03 PM »
Hello ye all,

Here is the description of the virus and the registry alterations that should be checked. The only description I could find is in Polish, but accurate: http://wirusy.antivirenkit.pl/en/opis/Virus.Win32.Nsag.b.html


Look for 6 registry modification
             11 registry key modification
             14 added to the registry are
             15 added values to registry
             19 added values to registry

At the end it says to disinfect:

+ Open the registry editor by:

- clicking START -> Run, and entering REGEDIT in the box. (Click OK).
The Registry Editor window will appear.

+ Open under key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and scan for the trojan files

+ Scan under: HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}

+ Open under key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

and scan for:

"NoActiveDesktopChanges"

+ Open under key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

and scan for:

"NoDispBackgroundPage"
"NoDispAppearancePage"

That's it,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
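
A read-only way to inspect the registry locations listed in polonus's post, as an added example that is not part of the original thread. The helper name `Get-RegistryValue` and the output layout are assumptions; the keys and value names are the ones given in the post.

```powershell
# Added example: read-only audit of the registry locations listed in the post.
# It changes nothing; it only lists what exists so it can be reviewed.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$clsidKey = 'Registry::HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}'
$policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$policyValues = @{
    "$policies\Explorer" = @('NoActiveDesktopChanges')
    "$policies\System"   = @('NoDispBackgroundPage', 'NoDispAppearancePage')
}

# Hypothetical helper: return every value stored under a key as an object.
function Get-RegistryValue {
    param([string]$Path, [string]$Check)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Check = $Check
            Key   = $key.Name
            Name  = if ($name) { $name } else { '(Default)' }
            Data  = $key.GetValue($name)
        }
    }
}

$findings = @(
    # Autostart entries: every command line listed here needs a manual look.
    Get-RegistryValue -Path $runKey -Check 'Run entry'
    # The CLSID from the post: report the key itself, then its values and subkeys.
    if (Test-Path -LiteralPath $clsidKey) {
        [pscustomobject]@{ Check = 'CLSID'; Key = $clsidKey; Name = '(key exists)'; Data = $null }
        Get-RegistryValue -Path $clsidKey -Check 'CLSID'
        Get-ChildItem -LiteralPath $clsidKey -Recurse |
            ForEach-Object { Get-RegistryValue -Path $_.PSPath -Check 'CLSID' }
    }
    # Policy values named in the post (they restrict desktop and display settings).
    foreach ($path in $policyValues.Keys) {
        Get-RegistryValue -Path $path -Check 'Policy value' |
            Where-Object { $policyValues[$path] -contains $_.Name }
    }
)

if ($findings) { $findings | Format-List } else { 'None of the listed entries exist.' }
```

The Run key normally holds legitimate entries as well, so its output is a list to review rather than a list of detections.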

fastcars

  • Guest
Re: Win32:Nsag-B c:\windows\system32\wininet.dll
« Reply #6 on: October 09, 2006, 06:07:01 PM »
I am having the same problem as JanneT. :(

I have downloaded the software from http://www.dll-files.com/dllindex/dll-files.shtml?wininet

It has been delivered to me in a zipped file which I can't seem to open.

In my computer it has been automatically placed in file C/documents and settings/paul smith/local settings/tempory internet files/content IES/wininet.dll

When I browse for this file using my winzip browser I can't find it. I can only get as far as C/documents and settings/paul smith/local settings/

The temporary internet files doesn't come up so I can't go any further.

Any advice would be greatly appreciated... :)

Offline FreewheelinFrank

Re: Win32:Nsag-B c:\windows\system32\wininet.dll
« Reply #7 on: October 09, 2006, 07:04:03 PM »
Temporary internet files are not normally viewable. You should be able to change the download location in your browser, or if you right click the IE icon and select preferences,  then click settings under the general tab, you will have an option to view files.

fastcars

  • Guest
Re: Win32:Nsag-B c:\windows\system32\wininet.dll
« Reply #8 on: October 09, 2006, 07:50:21 PM »
Quote
Temporary internet files are not normally viewable. You should be able to change the download location in your browser, or if you right click the IE icon and select preferences,  then click settings under the general tab, you will have an option to view files.

Okay Frank...  run that by me again in a language a child can understand please lol.

Firstly...  how can I change the location in my browser? When I download the software it puts it automatically in that file with no option to change.

If I right click the icon like u suggest I get a choice of open/cut/copy/delete and properties. If I click on open it tells me that the file is programmed in a form that my computer doesn't understand and gives me various options which I can't make head nor tail of. If I click on properties then it just gives me a load of information about the file but no option to change anything?

I know....  im fik lol
« Last Edit: October 09, 2006, 07:52:07 PM by fastcars »

Offline FreewheelinFrank

Re: Win32:Nsag-B c:\windows\system32\wininet.dll
« Reply #9 on: October 09, 2006, 08:14:30 PM »
It's been so long since I used IE that I can't remember how to change the default download location, but you can also get to temp files by opening IE and clicking on the tools menu and selecting internet options.

EDIT: I get a save in option in the save as screen after clicking save on the IE download screen.

« Last Edit: October 09, 2006, 08:18:37 PM by FreewheelinFrank »

fastcars

  • Guest
Re: Win32:Nsag-B c:\windows\system32\wininet.dll
« Reply #10 on: October 09, 2006, 08:20:04 PM »
Would it make me look really stupid if I asked what IE was lol

Offline FreewheelinFrank

Re: Win32:Nsag-B c:\windows\system32\wininet.dll
« Reply #11 on: October 09, 2006, 08:24:20 PM »
Sorry, IE is Internet Explorer, the big blue e, and your internet browser.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: Win32:Nsag-B c:\windows\system32\wininet.dll
« Reply #12 on: October 09, 2006, 08:39:40 PM »
What would be really stupid would be Not to have asked, welcome to the forums.
« Last Edit: October 09, 2006, 08:41:16 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

fastcars

  • Guest
Re: Win32:Nsag-B c:\windows\system32\wininet.dll
« Reply #13 on: October 09, 2006, 08:53:05 PM »
thanks Dave but im in serious need of some valium here...  I aint got a fecking clue what im doing. All i wanna do is get rid of this bleddy virus grrrrrrrrrrrrrrrrrrrrr

Offline FreewheelinFrank

Re: Win32:Nsag-B c:\windows\system32\wininet.dll
« Reply #14 on: October 09, 2006, 09:10:12 PM »
Have you tried running this tool:

http://siri.geekstogo.com/SmitfraudFix.php

It has instructions in French and German, if those languages are better for you.

I'll post some screen shots to help you when I have time.