paranoidal ewido, or how ewido finds downloader.agent.arh in the ORIGINAL wininet.dll

Discussion in 'ewido anti-spyware forum' started by alexvi, Aug 9, 2006.

Thread Status:
Not open for further replies.
  1. alexvi

    alexvi Registered Member

    Joined:
    Aug 9, 2006
    Posts:
    3
All spyware and viruses had been removed from a PC, or so we thought.
    But today that computer's Ewido real-time protection started to display pop-up windows saying c:\windows\system32\WININET.DLL is infected with Downloader.Agent.arh.

    Alright, I have looked into the file with Windows Explorer and found Microsoft version information in it. Maybe there was some hidden file having the same or a very similar name? I have copied that system32\wininet.dll into a new file with some other name, and Ewido found the same Downloader.Agent.arh in this copy at the next scan run.

    So maybe the file is really infected... I have copied wininet.dll from a clean computer over it and over its restore copy in system32\dllcache. No luck here -- the original system was not updated, no SP2, and the wininet.dll replacement came from a PC with SP2 installed.

    Alright, I have taken wininet.dl_ from the original Windows XP installation CD (without SP2), expanded it and replaced both files in system32 and system32\dllcache with it. Checked the size. Compared byte-by-byte using FC.EXE with the original expanded file. They match.

    And still Ewido manages to find Downloader.Agent.arh in c:\windows\system32\wininet.dll, which is identical to the original Windows XP wininet.dll, as confirmed by byte-by-byte comparison, and has the same size.

    Is Ewido being paranoid? Or is this a very smart virus which is smarter than Ewido, which I thought was so far one of the best anti-spyware products? Or is it me who doesn't know how to replace wininet.dll with the original version from the Windows XP installation CD?
     
  2. jeeperscreepers

    jeeperscreepers Registered Member

    Joined:
    Jun 26, 2006
    Posts:
    11
    Possible False Positive?

    Ewido is detecting NtUninstallKB834707-IE6-20040929.115007\wininet.dll (windows update) as Downloader.Agent.arh. Has anyone else experienced this?

    Best regards to all-
    j/c
     
  3. jeeperscreepers

    jeeperscreepers Registered Member

    Joined:
    Jun 26, 2006
    Posts:
    11
    Re: paranoidal ewido, or how ewido finds downloader.agent.arh in the ORIGINAL wininet

    Hi Alexvi-
    Appreciate your reply. Don't know what to make of the wininet.dll puzzle--hopefully Vinzenz or another of the ewido experts will shed some light on this!

    Regards-
    j/c
     
  4. alexvi

    alexvi Registered Member

    Joined:
    Aug 9, 2006
    Posts:
    3
    Re: Possible False Positive?


%windir%\$NtUninstall... are the directories in which the service packs and Windows updates back up the libraries and other Windows components that they replace. In your case that directory is keeping the same old wininet.dll version that Ewido is reporting on my machine (size 593920).
     
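As an added example (not code from this thread or from the ewido team), the following Python script automates the triage that alexvi did by hand in the first post and that the $NtUninstall explanation above implies: it walks a Windows directory, lists every copy of a given DLL (system32, system32\dllcache, the $NtUninstall* backup folders), hashes each copy, and compares each byte-by-byte against a known-good reference file, reporting the first differing offset the way FC.EXE does. The directory tree, file names and file contents it builds are constructed stand-ins, not real DLLs; the point is that a copy whose hash matches a reference you trust is a false-positive candidate to report, while a copy that differs at some offset deserves a closer look.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_of(path):
    """Streaming SHA-256 of a file so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def first_difference(path_a, path_b):
    """Byte-by-byte comparison (what FC.EXE does).

    Returns None when the files are identical, otherwise the offset of the
    first differing byte; if one file is a prefix of the other, that offset
    is the length of the shorter file.
    """
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        offset = 0
        while True:
            ca, cb = fa.read(CHUNK), fb.read(CHUNK)
            if ca == cb:
                if not ca:            # both at EOF with no difference seen
                    return None
                offset += len(ca)
                continue
            n = min(len(ca), len(cb))
            for i in range(n):
                if ca[i] != cb[i]:
                    return offset + i
            return offset + n         # common prefix, one file ended early


def find_copies(windir, name):
    """Every file called `name` (case-insensitive) anywhere under `windir`:
    system32, dllcache, $NtUninstall* update backups, and so on."""
    hits = []
    for root, _dirs, files in os.walk(windir):
        for fn in files:
            if fn.lower() == name.lower():
                full = os.path.join(root, fn)
                hits.append({
                    "path": os.path.relpath(full, windir).replace(os.sep, "/"),
                    "full": full,
                    "size": os.path.getsize(full),
                    "sha256": sha256_of(full),
                })
    return sorted(hits, key=lambda h: h["path"])


def triage(windir, name, reference):
    """Compare each copy of `name` under `windir` with a trusted `reference` file."""
    ref_hash = sha256_of(reference)
    report = []
    for h in find_copies(windir, name):
        h["matches_reference"] = h["sha256"] == ref_hash
        h["first_diff"] = None if h["matches_reference"] else first_difference(reference, h["full"])
        report.append(h)
    return report


# Constructed stand-in for a "known good" library: NOT a real PE file.
DEMO_GOOD = b"MZ" + b"\x00" * 100 + b"WININET-OK" * 50


def build_demo_tree():
    """Build a throwaway directory tree mimicking %windir% (constructed sample data)."""
    base = Path(tempfile.mkdtemp(prefix="windir_demo_"))
    patched = DEMO_GOOD[:40] + b"X" + DEMO_GOOD[41:]   # one byte altered at offset 40
    older = DEMO_GOOD + b"OLDVER"                      # older build: same prefix, longer
    (base / "system32" / "dllcache").mkdir(parents=True)
    backup = base / "$NtUninstallKB834707-IE6-20040929.115007$"   # name modelled on the thread
    backup.mkdir()
    reference = base / "reference_wininet.dll"          # e.g. expanded from the install CD
    reference.write_bytes(DEMO_GOOD)
    (base / "system32" / "wininet.dll").write_bytes(patched)
    (base / "system32" / "dllcache" / "WININET.DLL").write_bytes(DEMO_GOOD)
    (backup / "wininet.dll").write_bytes(older)
    return str(base), str(reference)


if __name__ == "__main__":
    windir, ref = build_demo_tree()
    for entry in triage(windir, "wininet.dll", ref):
        status = "matches reference" if entry["matches_reference"] else f"differs at offset {entry['first_diff']}"
        print(f"{entry['path']:60} size={entry['size']:6} sha256={entry['sha256'][:12]}... {status}")
```

On a real machine you would point `triage` at `C:\Windows` and at a reference copy expanded from the installation media or a matching service pack, and treat a hash match against that reference as the evidence to attach to a false-positive report.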
  5. alexvi

    alexvi Registered Member

    Joined:
    Aug 9, 2006
    Posts:
    3
  6. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    Re: paranoidal ewido, or how ewido finds downloader.agent.arh in the ORIGINAL wininet

    Please update the ewido software.
     
  7. jeeperscreepers

    jeeperscreepers Registered Member

    Joined:
    Jun 26, 2006
    Posts:
    11
    Re: paranoidal ewido, or how ewido finds downloader.agent.arh in the ORIGINAL wininet

    Karl-
Latest update took care of the problem -- ewido is no longer detecting the file. :)
    Thanks!

    Alexvi-
    Thanks for all the info you provided--very helpful. Hope your wininet.dll problem is solved as well.

    Best regards-
    j/c
     