C:\Program Files\ESET\sporder.dll was flagged as malware by the AA update just released.

I updated AdAware tonight (Reference Number 01R21223.08.2003, Internal build 85)

I found that malware called "Webhancer" uses this dll file.

Explanation please?

Recently Installed NOD32 v2 on Microsoft Windows XP Pro, sporder.dll isn’t located in the NOD32 directory but it is located in C:\WINDOWS\system32, and I had updated my Ad-aware referencefile(01R21223.08.2003) and Scanned my Entire HDD and it didn’t flag that file…

WebHancer modifies the Windows Sockets configuration, binding itself to Winsock so that all packets are passed through WebHancer. sporder.dll that comes bundled with WebHancer is an separate version of that file.

Thanks. I'm running Win98SE, so that may explain the different location.

I know I don't have any "malware" but posted this to another forum and was told that if you have that "dll" file then the application is using spyware.

Marti, i have win98se and that same file is located
in my Eset folder. but it did not get flagged with the new Ad-Aware update today after i ran a scan??
i wonder??

-{ Quote: " quoting: hayc59 link=board=39;threadid=12776;start=0#msg81958 date=1061611969]
Marti, i have win98se and that same file is located
in my Eset folder. but it did not get flagged with the new Ad-Aware update today after i ran a scan??
i wonder??
" }-

That is strange. Is your file version 5.00.2134.1?

yes same version as yours. i will do another scan just to make sure

I had the file placed in the "ignore" area. I removed it from "ignore," rebooted and ran the scan again. Same result. I have AdAware set for "deep scan."

scanned once again and no problem with that file

This is a mystery.

my scan settings

i will try it with your settings??
and let you know.... ;) ;)

nada,nothing all clear!!
sorry i could not help ya Marti?? ???

thanks for the try. I know that my sporder.dll file is valid and is not malware.

Marti i also posted your thread over at AA forum?
hope you dont mind. :)

That's fine. I posted a similar thread in the DSLR Security forum.

I'm using AdAware free version. Not the purchased version.

sorry i edited my post over at AA

Marti.....here are two threads that have discussions regarding the sporder.dll file. Maybe they might help too.

i do believe this is a false-positive by Ad-Aware and you should not delete it. Hopefully other's more knowledgable in this area will add to the mystery and help us understand that dll better. :)

http://www.wilderssecurity.com/showthread.php?t=1088;start=msg8184#msg8184

http://www.wilderssecurity.com/showthread.php?t=5554;start=msg36501#msg36501

regards,

snap

There is a 2nd update today for AdAware (01R21323.08.2003) and i scanned again, but the sporder.dll i have (version 5.0.1980.1 now) was not flagged.

i noticed from one of my previous posts in the links above, that i had had a newer version of that dll...and it seems now i have an older version. hummm...not sure why that is, or what program took it back to an older version, but all is working fine and i do not have any spyware on my system.

Wish i could be of more help marti.

snap
(just adding...XP-Home using NOD32 version 1, with POP3 scanner too) :)

Snap,

No way would I delete that file! I told Ad Aware to ignore it. Thanks for the links. Sounds like the file is used by many "good guy" programs.

Marti...did you say that the sporder.dll you have is in your ESET folder? You are using NOD32 version 2 yes? i am using NOD32 version 1 (with POP3 scanner)..and i do not have the sporder.dll in my ESET folder. i have it in my C-->Windows-->System32 folder.

i am thinking NOD32 version 2 must be using the newest version of the sporder.dll and Ad-Aware hasn't removed detection of the newer version for that dll.

And you are right, MANY "Good Guy" programs DO use that dll.

snap

-{ Quote: " quoting: snapdragin link=board=39;threadid=12776;start=15#msg81990 date=1061616384]
Marti...did you say that the sporder.dll you have is in your ESET folder? You are using NOD32 version 2 yes? i am using NOD32 version 1 (with POP3 scanner)..and i do not have the sporder.dll in my ESET folder. i have it in my C-->Windows-->System32 folder.

i am thinking NOD32 version 2 must be using the newest version of the sporder.dll and Ad-Aware hasn't removed detection of the newer version for that dll.

And you are right, MANY "Good Guy" programs DO use that dll.

snap
" }-Snap,

Yes the file is in the ESET folder (Win98SE). NOD32 version info:

NOD32 Antivirus System information
Virus signature database version:***1.491 (20030821)
Dated:***21 August, 2003
Virus signature database build:***3869

Information on other scanner support parts
Advanced heuristics module version:***1.003 (20030703)
Extended heuristic module build:***1031
Archive support module version:***1.001 (20030526)
Archive support module build version:***1032

Information on installed components
NOD32 For Windows 95/98- Base
Version:***2.000.5
NOD32 for Windows 95/98- Standard component
Version:***2.000.5
NOD32 For Windows 95/98- Internet support
Version:***2.000.5

Operating system information
Platform:***Windows 98
Version:***4.10.2222 A
Version of common control components:***5.81.4916
RAM:***384 MB
Processor:***x86 Family 6 Model 8 Stepping 6

To all...

This issue has been corrected with the second Reference File that I had announced earlier...
If you had removed this file, restore the Quarantine of the event.
...Or....
If you have placed this file in your Ignore List, restore it.
Then....
Please run the Webupdate feature and rescan.

We are sorry for any inconveniance this may have caused.

Thanks...

Marti posted by Paul at AA forum
-{ Quote: "C:\Program Files\ESET\sporder.dll being flagged is a confirmed false positive - and a dangerous one as well for NOD32 v2.0 users. It's recommended to put this one in the exclusion list until Lavasoft has fixed this issue.
Aaron?

regards.
Paul Wilders
" }-

-{ Quote: " quoting: IAMSKINZ link=board=39;threadid=12776;start=15#msg81995 date=1061616804]
To all...

This issue has been corrected with the second Reference File that I had announced earlier...
If you had removed this file, restore the Quarantine of the event.
...Or....
If you have placed this file in your Ignore List, restore it.
Then....
Please run the Webupdate feature and rescan.

We are sorry for any inconveniance this may have caused.

Thanks...
" }-

thank you Skinz ;D

Yeah!!!!!!!!!


Thanks to all of you for the help.

Marti sorry if i hijacked your thread ;)

You didn't highjack the thread.

Thank you IAMSKINZ for your quick response to this... :D

warm regards,

snap :)

Good to know the problem has been solved 8)

regards.

paul