Win32:Nsag-B c:\windows\system32\wininet.dll

Hello and apologies for my poor English

Avast can not erase this virus:
Win32:Nsag-B virus c:\windows\system32\wininet.dll

When I restart Windows and Avast checks for viruses before Windows starts, Avast can erase this virus, but is it safe, because wininet.dll is an important file, or is it?

Last time, when I erased this file, Windows could not restart at all.

What can I do? How can I erase this virus safely?

Please help.

Regards Janne

Hi JanneT,

It’s possible wininet.dll has been infected by malware. See this link:

http://www.computing.net/security/wwwboard/forum/16622.html

Apparently you can download a clean version here, but I haven’t checked this out:

http://www.dll-files.com/dllindex/dll-files.shtml?wininet

This sort of infection can happen with Trojan-Spy.HTML.Smitfraud.c and variants:

The tool also detects if the system file wininet.dll is infected, and attempts to replace it with another copy on the system. In XP and 2000, if another copy of wininet.dll is found in one of the locations the tool looks, the tool will replace the infected file. Windows 95, 98 and Windows Millennium do not have copies, so it’s necessary to try to clean it or replace it otherwise.

Panda ActiveScan online had been properly cleaning the infected wininet, but I recently noticed it was instead deleting it. I hope they get this fixed, but in the meantime, if you have one of those operating systems with an infected wininet.dll, I suggest you download the appropriate patch for your system from Microsoft, which contains a copy of the file, before scanning with Panda, in case it does get deleted.

http://noahdfear.geekstogo.com/

It might be a good idea to run the SmitRem removal tool available at the link above, followed by a scan with Ewido:

http://www.ewido.net/en/

That’s excellent advice from FreewhellinFrank. Unfortunately, the smitRem tool has not been updated for a while and will not be able to remove the latest variants of smitfraud. Although there is another tool available that works just as well, SmitfraudFix, it should not be used except under the direct supervision of someone who is experienced in its use.

I suggest you go to one of the forums that specializes in removing this type of infection, and post a HijackThis log for them to analyze. (Directions for doing that are available at the sites). Aumha.net and MalwareRemoval.com are both excellent forums, and there are many others as well.

:slight_smile: Hi NonSuch :

I do not recommend the HijackThis forum at aumha.net because most likely there will be a 10-day wait for someone to review a HJT log; you will get much faster service at www.landzdown.com.

Landzdown is excellent as is www.MalwareRemoval.com (and both have good turnaround times). :slight_smile:

Hello ye all,

Here is the description of the virus and the register alterations that should be checked. The only description I could find is in Polish, but accurate: http://wirusy.antivirenkit.pl/en/opis/Virus.Win32.Nsag.b.html

Look for 6 register modification
11 register key modification
14 added to the register are
15 added values to register
19 added values to register

At the end it says, to disinfect:

  • Open the register editor by:
  • click START → Run, and entering REGEDIT in the box. (Click OK).
    The Registry Editor window will appear.
  • Open under key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and scan for the trojan files

  • Scan under: HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}

  • Open under key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

and scan for:

“NoActiveDesktopChanges”

  • Open under key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

and scan for:

“NoDispBackgroundPage”
“NoDispAppearancePage”

That’s it,

polonus
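
The registry locations listed in the post above can also be read from a script instead of browsing them in REGEDIT. The following is an added example, not part of the original post or of any tool named in this thread; it assumes PowerShell 3.0 or later, and the helper names `Get-RunEntries` and `Get-PolicyFindings` are hypothetical. It only reads the registry and changes nothing.

```powershell
# Added example: read-only audit of the registry locations named in the post above.
# Helper names are hypothetical; nothing here modifies or deletes registry data.

$runKey   = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$clsidKey = 'Registry::HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}'
$policyChecks = @(
    @{ Key    = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Values = @('NoActiveDesktopChanges') },
    @{ Key    = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Values = @('NoDispBackgroundPage', 'NoDispAppearancePage') }
)

# List every autostart entry under the Run key with the command it launches.
function Get-RunEntries {
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return }
    $item = Get-Item -LiteralPath $Key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Name = $name; Command = $item.GetValue($name) }
    }
}

# Report which of the named policy values exist, and what data they hold.
function Get-PolicyFindings {
    param([hashtable[]]$Checks)
    foreach ($check in $Checks) {
        if (-not (Test-Path -LiteralPath $check.Key)) { continue }
        $item = Get-Item -LiteralPath $check.Key
        foreach ($value in $check.Values) {
            if ($item.GetValueNames() -contains $value) {
                [pscustomobject]@{ Key = $check.Key; Value = $value; Data = $item.GetValue($value) }
            }
        }
    }
}

'Autostart entries under Run (compare each command with software you installed):'
Get-RunEntries -Key $runKey | Format-Table -AutoSize -Wrap

'CLSID key named in the post is present: {0}' -f (Test-Path -LiteralPath $clsidKey)

'Display-settings policy values named in the post that are currently set:'
Get-PolicyFindings -Checks $policyChecks | Format-List
```

Saving the output before and after a cleanup run gives a record of what was present and what the removal tool actually changed.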

I am having the same problem as JanneT. :frowning:

I have downloaded the software from http://www.dll-files.com/dllindex/dll-files.shtml?wininet

It has been delivered to me in a zipped file which I can't seem to open.

On my computer it has automatically been placed in the file C/documents and settings/paul smith/local settings/tempory internet files/content IES/wininet.dll

When I browse for this file using my WinZip browser I can't find it. I can only get as far as C/documents and settings/paul smith/local settings/

The temporary internet files doesn't come up so I can't go any further.

Any advice would be greatly appreciated… :slight_smile:

Temporary internet files are not normally viewable. You should be able to change the download location in your browser, or if you right click the IE icon and select preferences, then click settings under the general tab, you will have an option to view files.

Okay Frank… run that by me again in a language a child can understand please lol.

Firstly… how can I change the location in my browser? When I download the software it puts it automatically in that file with no option to change.

If I right click the icon like u suggest I get a choice of open/cut/copy/delete and properties. If I click on open it tells me that the file is programmed in a form that my computer doesn't understand and gives me various options which I can't make head nor tail of. If I click on properties then it just gives me a load of information about the file but no option to change anything?

I know… im fik lol

It’s been so long since I used IE that I can’t remember how to change the default download location, but you can also get to temp files by opening IE and clicking on the tools menu and selecting internet options.

EDIT: I get a save in option in the save as screen after clicking save on the IE download screen.

Would it make me look really stupid if I asked what IE was lol

Sorry, IE is Internet Explorer, the big blue e, and your internet browser.

What would be really stupid would be Not to have asked, welcome to the forums.

Thanks Dave but I'm in serious need of some valium here… I aint got a fecking clue what I'm doing. All I wanna do is get rid of this bleddy virus grrrrrrrrrrrrrrrrrrrrr

Have you tried running this tool:

http://siri.geekstogo.com/SmitfraudFix.php

It has instructions in French and German, if those languages are better for you.

I’ll post some screen shots to help you when I have time.

FRENCH AND GERMAN!!! Don't u think I got enough problems lol ;D

Oops! I must’ve been hopping through different topics! Somebody was telling me that English was a problem! sorry!