Help with Wininet.dll in quarantine

Discussion in 'ewido anti-spyware forum' started by zoran, Sep 2, 2006.

Thread Status:
Not open for further replies.
  1. zoran

    zoran Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    41
    Windows XP(NT)Pro Sp2
    Ewido 4 free version (on demand), updated regularly.

    I don't know if this is a real Trojan or not. It is in quarantine since 08.10.
    It was just when I installed Fasterfox and StumbleUpon in Firefox and went on the Web one or two times, and didn't download anything.
    I have seen some of the threads in this forum so I know even less. I know that this could be a false alarm and
    I don't know how to get to the properties of this file.

    This is from the report:


    C:\WINDOWS\$NtServicePackUninstall$\wininet.dll -> Downloader.Agent.arh : Cleaned with backup (quarantined).

    The same info is in the quarantine.
     
    Last edited: Sep 2, 2006
  2. zoran

    zoran Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    41
    Can you please help or give some advice, because it is 1.35 am here and I have to uninstall and install some programs.
     
  3. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
  4. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    If it has been in quarantine since 8/10 and your computer is running ok, I wouldn't worry about it. Don't delete it. If it is actually the wininet.dll, and you delete it, Windows will not run - it will not even open.
     
  5. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Presumably you have a copy of Wininet.dll in the C:\WINDOWS\System32 folder, which would be used for running your machine.

    The ServicePackUninstall folder may contain another version - though why it is found as infected I cannot say.

    You can look at the properties of the file in the usual way, by locating it in Windows Explorer and right clicking (you may need to click Tools/Folder Options/View tab and select 'Show hidden files and folders' to find it).

    If you can, upload it to Jotti's to see if any other scanner finds it:-

    http://virusscan.jotti.org/

    If you suspect a FP submit it to ewido via:-

    http://www.ewido.net/en/malware/
     
  6. zoran

    zoran Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    41
    Thanks, sorry for the slow reply.
    I will try to find it and send it to Jotti's and I will not delete it until I am sure what this is.
    Thanks!!!!
     
  7. zoran

    zoran Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    41
    I can't find it at all.
    Did you think to let it out of the quarantine and then try Jotti's or ....?
    Sorry, I'm not really sure what to do.
     
    Last edited: Sep 3, 2006
  8. zoran

    zoran Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    41
    Any suggestions?
     
  9. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    I still don't know why you are worried about it if it is in quarantine and your computer is running normally. However, if you really want to make sure the wininet.dll is in its proper place, open My Computer, click on Tools, Folder Options, View, put a check mark in Show Hidden folders, remove the check mark from Hide Extensions for known file types, and remove check from Hide protected operating system files. Click Ok. Click on your C drive, then Windows, then System 32. Scroll down (being careful not to delete anything). When you get to the w's, look for the wininet.dll file. If it is there, then it is your system file and it is ok (probably) to delete the one in your quarantine folder. Be sure you reverse the process and Do not show Hidden folders, and Hide protected operating system files.
     
  10. OldRebel

    OldRebel Registered Member

    Joined:
    Jan 25, 2006
    Posts:
    153
    Location:
    South Carolina USA
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    The reason you can't find it is probably because it is in ewido's quarantine section:-

    C:\Program Files\ewido anti-spyware 4.0\Quarantine

    However it would be safe to restore it, then you should be able to see it in its correct location, check its properties and submit it to jotti etc. As has been said, it is likely to be a fp. Indeed new sigs may have remedied the fp while your file was in quarantine - in which case it won't be picked up upon release!
     
  12. zoran

    zoran Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    41
    I have this file in system 32 and in service pack files,
    but I think that this one in my quarantine is also OK..

    I will try to restore it, but I need to know when submitting this to Jotti's and Virustotal, do I copy this file or do I submit it directly from Windows files.
    I haven't done this with System files.
     
  13. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Restore it back from quarantine. Then locate it in Explorer and do a right click scan with ewido; if it is a fp and the sigs have been corrected in the meantime, the file will be clean and you can simply leave it at that.

    If ewido is still finding it as infected, then you can upload it to Jotti's. To do that you simply browse for the file at the Jotti site and click to upload - that is all (no need to copy it). If none of the scanners at Jotti find it as infected you can submit it to ewido as a fp. However, the fp has most likely already been corrected, leaving you with nothing to do or worry about!
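
The property check discussed in this thread, as an added example that is not part of any post: a PowerShell sketch that collects version information, Authenticode status and a SHA-256 hash for the restored file and for the System32 copy. It assumes a Windows system with PowerShell 5.1 or later and uses the paths quoted in the thread; `Get-DllTriage` is a hypothetical helper name.

```powershell
# Added example: triage a restored system DLL before treating a detection as a false positive.
# Paths are the ones quoted in the thread; adjust them for the machine being examined.
# Single quotes matter: inside double quotes PowerShell would expand "$NtServicePackUninstall$".
$suspect   = 'C:\WINDOWS\$NtServicePackUninstall$\wininet.dll'
$reference = 'C:\WINDOWS\System32\wininet.dll'

function Get-DllTriage {
    # Hypothetical helper: returns one object with the facts worth comparing.
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -Force            # -Force: the uninstall folder is hidden
    $ver  = $item.VersionInfo                             # embedded version resource
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path  # signature validation result
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

    [pscustomobject]@{
        Path             = $item.FullName
        Size             = $item.Length
        CompanyName      = $ver.CompanyName
        OriginalFilename = $ver.OriginalFilename
        FileVersion      = $ver.FileVersion
        SignatureStatus  = $sig.Status
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256           = $hash.Hash
    }
}

$results = foreach ($p in $suspect, $reference) {
    if (Test-Path -LiteralPath $p) { Get-DllTriage -Path $p }
    else { Write-Warning "Not found: $p" }
}

# Side-by-side view of both copies.
$results | Format-List
```

The two copies may legitimately differ in version and hash, since the ServicePackUninstall folder can hold another version of the file; the fields to read are the signature status, the signer and whether `OriginalFilename` matches the file name.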
     
  14. zoran

    zoran Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    41
    Thanks!!!
     
  15. zoran

    zoran Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    41
    Scanned on both sites - nothing found
    Only on Virustotal - Fortinet: Suspicious file
    Scanned again with Ewido - nothing
    Avpe - nothing

    I'll try with Blacklight, but I think that everything is clean

    Thanks!
     