Tag Archives: Spyware

The application has failed to start because wininet.dll was not found

Earlier this afternoon I had to help a student with a typical spyware/virus issue. At least that’s what I initially thought the service call would entail. Boy was I wrong. The problems started with the error message “The application has failed to start because wininet.dll was not found” and led to the Task Manager not loading and various Windows XP services not loading.

To work around this problem I had to find a copy of WinInet.dll (the file contains components for Internet-related operations) and then re-register the file to ensure that Windows XP would recognize the new file.

Below is a summary of the steps I took to resolve the problem:

1) Download WinInet.dll from an online source or computer. Thanks to the wonderful service of Dll-files, I was able to find a compressed version of WinInet.dll. However, part of the problem is that the shell extensions for Compressed Folders were also disabled.

2) From another computer I extracted the WinInet.dll file and then saved the file to an external disk. The extracted WinInet.dll file was then copied to \Windows\System32\

3) Press Ctrl+Alt+Del and select Task Manager.

4) Click on File and then on New Task and then type regsvr32 C:\Windows\System32\WinInet.dll

After running the above steps I was able to restart the computer. Obviously, the above error was caused by some variant of spyware. After further research the problem appears to be fairly common and various removal tools such as SmitRem can help with the removal of the spyware and also replace the WinInet.dll file.

Microsoft Windows Defender

Windows Defender Beta 2 is now available for download directly from Microsoft Antispyware. At this point Microsoft now offers 5 levels of consumer and business protection against viruses and spyware:

- Windows Defender

- Windows Live Safety Center

- Malicious Software Removal Tool

- Windows OneCare Live

- Microsoft Client Protection

Windows Defender improves on the currently known and widely used Microsoft Antispyware by including an improved detection and removal engine, a simplified user interface, non-administrator privileges to scan your computer using the program and, most of all, Windows Defender definition updates delivered via Automatic Updates. The product also now works natively on Windows XP 64-bit versions and also offers greater accessibility support.

StopBadware

You know spyware has become a bane to society when someone founds an organization to watch the spread of it. From StopBadware, the organization is:

A Neighborhood Watch campaign aimed at fighting badware. We will seek to provide reliable, objective information about downloadable applications in order to help consumers to make better choices about what they download on to their computers. We aim to become a central clearinghouse for research on badware and the bad actors who spread it, and to become a focal point for developing collaborative, community-minded approaches to stopping badware. Harvard Law School’s Berkman Center for Internet & Society and Oxford University’s Oxford Internet Institute are leading this initiative with the support of several prominent tech companies, including Google, Lenovo, and Sun Microsystems. Consumer Reports WebWatch is serving as an unpaid special advisor.

As usual there’s a standard set of recommended tools and applications (e.g. Ad-aware, Microsoft AntiSpyware, Pest Patrol, Spy Sweeper, Spyware Doctor) for removing spyware and other malware. Looking over this list, it seems the recommended tools are slightly outdated or won’t do the best job for most of the malware that I encounter at work. Similar to Don’s Top 10 Free Computer Cleaners, I think members of StopBadware need to compile a list of free tools that people can use without worrying about subscription costs or fear that they’re running a tool with outdated definitions.

Windows Update Keeps Turning Off

This post is a simple reminder to Don to start blogging. Earlier this week a student had asked for advice on how to prevent Windows Update from turning off. I asked the student to run Microsoft Antispyware and call back, hoping that this would give me enough time to research the issue (a.k.a. Google the solution). Spyware detection programs like Spybot are now able to detect if services in the Windows Security Center are turned off and can effectively re-enable the service. It turns out that the student decided to stop by in person and was able to obtain the LSP-Fix tool from Don. After running the LSP-Fix the problem appears to be resolved.

What’s weird to me is that the LSP-Fix typically resolves problems with the Layered Service Provider. Enabling Windows Update is a simple registry switch controlled by the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU key. In fact, LSP integrates with the TCP/IP stack to manipulate data sent across it, so how can running the LSP-Fix tool resolve this problem?

Related Links:

How to configure automatic updates by using Group Policy or registry settings
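As an added example (not part of the original post), this Python sketch reads `reg query` output for the AU policy key named above and reports whether policy has switched Automatic Updates off. The value names NoAutoUpdate and AUOptions come from the Microsoft article linked above, not from the post, and the sample output is constructed.

```python
import re

# Value names and meanings are an assumption taken from Microsoft's article
# "How to configure automatic updates by using Group Policy or registry settings".
AU_OPTIONS = {
    2: "notify before download",
    3: "download automatically, notify before install",
    4: "download automatically, install on schedule",
    5: "local administrator chooses the setting",
}

# One value line of `reg query` output: indented name, type, hex data.
DWORD_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$")

def parse_dwords(reg_output):
    """Collect REG_DWORD values from `reg query` text into {name: int}."""
    values = {}
    for line in reg_output.splitlines():
        m = DWORD_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values

def assess_au_policy(reg_output):
    """Summarise what the AU policy key says about Automatic Updates."""
    values = parse_dwords(reg_output)
    if "NoAutoUpdate" not in values and "AUOptions" not in values:
        return "no Automatic Updates policy values present"
    if values.get("NoAutoUpdate") == 1:
        return "Automatic Updates disabled by policy (NoAutoUpdate=1)"
    option = values.get("AUOptions")
    if option is None:
        return "enabled by policy; AUOptions not set"
    return "enabled by policy: " + AU_OPTIONS.get(
        option, f"unrecognised AUOptions={option}")

# Constructed sample in the layout `reg query` prints for the key.
SAMPLE_DISABLED = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate    REG_DWORD    0x1
    AUOptions    REG_DWORD    0x4
"""

if __name__ == "__main__":
    print(assess_au_policy(SAMPLE_DISABLED))
```

A NoAutoUpdate value of 1 that nobody in the organisation set is worth recording before it is reset, since it shows something other than the user changed the policy.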

Ewido

Earlier this week Don told me about Ewido as ‘the’ product to use for spyware/virus removal. For some reason Symantec Antivirus could not remove a trojan called Vundo. The Ewido tool worked great but what annoys me is that you now have to use an umpteen number of products just to disinfect a computer. So now you have the standard Ad-Aware, Spybot and Microsoft Antispyware, and Zone Labs has also decided to spice up this mix by introducing a new spyware removal application called ZoneAlarm Anti-Spyware. Talk about choices.

How to remove Aurora

I’m trying to get a honey-pot machine set up to test infection and document steps to remove Aurora, but until then, based on past experience, below is a rough draft of the various typical steps:

1) Perform all removal attempts in Safe Mode

2) End or kill the System Startup Service that is listed as C:\Windows\svcproc.exe

3) End or kill the executable that I referred to as a sign that indicates that you may have Aurora (e.g. C:\Windows\nail.exe)

4) End or kill the explorer.exe process and then proceed to start the removal process using HijackThis or one of the other spyware programs.

5) If all else fails, try the Best Offers Uninstaller provided by Direct Revenue. Why they don’t let you remove this directly from Add/Remove Programs is totally beyond me.

How to detect Aurora Spyware

The easiest way to detect if your computer is infected with Aurora spyware is to look for occasional windows that pop up outside of the browser with an Aurora title bar. However, if you use HijackThis, MSConfig, Regedit, Sysinternals Process Explorer or Sysinternals Autoruns, the processes listed below are typical indicators of the Aurora spyware:

  1. Nail.exe
  2. WindowsNail.exe
  3. Aurora.exe
  4. Buddy.exe
  5. ceres.dll
  6. svcproc.exe
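As an added example (not part of the original post), this Python sketch scans a HijackThis-style text log for the file names listed above, which also covers the svcproc.exe and nail.exe entries named in the removal steps. The sample log is constructed for illustration and does not reproduce real Aurora entries.

```python
import re
from pathlib import PureWindowsPath

# File names the post lists as typical Aurora indicators.
AURORA_INDICATORS = {
    "nail.exe", "windowsnail.exe", "aurora.exe",
    "buddy.exe", "ceres.dll", "svcproc.exe",
}

# A Windows path ending in .exe or .dll; directory names may contain spaces.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|\r\n]*?\.(?:exe|dll)\b', re.IGNORECASE)

def find_indicators(log_text):
    """Return (line_number, path) pairs whose file name is a listed indicator."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in PATH_RE.finditer(line):
            path = match.group(0)
            # Compare the base name only, case-insensitively, so that
            # "thumbnail.exe" is not reported as a match for "nail.exe".
            if PureWindowsPath(path).name.lower() in AURORA_INDICATORS:
                hits.append((lineno, path))
    return hits

# Constructed sample: entry names and the ",Start" argument are made up.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\explorer.exe
C:\WINDOWS\svcproc.exe
C:\Program Files\Viewer\thumbnail.exe
O4 - HKLM\..\Run: [sample] C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [loader] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ceres.dll,Start
"""

if __name__ == "__main__":
    for lineno, path in find_indicators(SAMPLE_LOG):
        print(f"line {lineno}: {path}")
```

A name match is only a lead: legitimate software can ship a file called buddy.exe, so confirm the path and the startup entry before removing anything.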

What is Aurora Spyware?

Short of calling Aurora the worst nightmare when dealing with spyware, it helps to see the product in the eyes of the public relations contact at Direct Revenue – creators of the Aurora network.

Direct Revenue today announced the launch of its newest ad client, Aurora. The Aurora ad client is designed to improve product visibility and consumer services. The roll out of the upgrade to the DR behavioral network began on April 5th by replacing outdated ad clients in an effort to improve consumer awareness. Like other DR ad client brands such as “SolidPeer”, released in September ‘04 and “Ceres” released in November ‘05, the Aurora Ad Client is compliant with the branding and removal standards of all major proposed Federal legislation relating to online contextual ads such as HR 2929.

Direct Revenue CTO Dan Doman said, “From a technology standpoint, Aurora represents a leap forward in connecting consumers to advertisers.” The Aurora launch follows the January debut of Direct Revenue’s MyPCTuneUp, a technical support feature that helps Direct Revenue customers with technical issues including removing software from their PC.

Direct Revenue CEO Joshua Abram said, “Aurora and MyPCTuneUp demonstrate our commitment to providing advertising partners, clients and consumers the best possible experience in behavioral marketing and search.”

Source: Direct Revenue Launches Aurora

However, after spending a number of hours trying to remove Aurora from a client’s computer I struggle to see how this product can be perceived with the same view or vision. My hours of frustration with Aurora lead me to believe that the so-called customer ends up being a hapless victim and the hours of frustration I experienced are directly proportional to the financial gain for Direct Revenue.