Sporder.dll in NOD32 Directory

Discussion in 'NOD32 version 2 Forum' started by marti, Aug 22, 2003.

Thread Status:
Not open for further replies.
  1. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    C:\Program Files\ESET\sporder.dll was flagged as malware by the AA update just released.

    I updated AdAware tonight (Reference Number 01R21223.08.2003, Internal build 85)

    I found that malware called "Webhancer" uses this dll file.

    Explanation please?
     
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Recently Installed NOD32 v2 on Microsoft Windows XP Pro, sporder.dll isn’t located in the NOD32 directory but it is located in C:\WINDOWS\system32, and I had updated my Ad-aware referencefile(01R21223.08.2003) and Scanned my Entire HDD and it didn’t flag that file…

    WebHancer modifies the Windows Sockets configuration, binding itself to Winsock so that all packets are passed through WebHancer. sporder.dll that comes bundled with WebHancer is an separate version of that file.
     
  3. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    Thanks. I'm running Win98SE, so that may explain the different location.

    I know I don't have any "malware" but posted this to another forum and was told that if you have that "dll" file then the application is using spyware.
     
  4. hayc59

    hayc59 Guest

    Marti, i have win98se and that same file is located
    in my Eset folder. but it did not get flagged with the new Ad-Aware update today after i ran a scan??
    i wonder??
     
  5. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    That is strange. Is your file version 5.00.2134.1?
     
  6. hayc59

    hayc59 Guest

    yes same version as yours. i will do another scan just to make sure
     
  7. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    I had the file placed in the "ignore" area. I removed it from "ignore," rebooted and ran the scan again. Same result. I have AdAware set for "deep scan."
     
  8. hayc59

    hayc59 Guest

    scanned once again and no problem with that file
     

    Attached Files:

    • AA.jpg
      AA.jpg
      File size:
      64.9 KB
      Views:
      789
  9. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    This is a mystery.
     
  10. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    my scan settings
     

    Attached Files:

  11. hayc59

    hayc59 Guest

    i will try it with your settings??
    and let you know.... ;) ;)
     
  12. hayc59

    hayc59 Guest

    nada,nothing all clear!!
    sorry i could not help ya Marti?? o_O
     
  13. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    thanks for the try. I know that my sporder.dll file is valid and is not malware.
     
  14. hayc59

    hayc59 Guest

    Marti i also posted your thread over at AA forum?
    hope you dont mind. :)
     
  15. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    That's fine. I posted a similar thread in the DSLR Security forum.
     
  16. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    I'm using AdAware free version. Not the purchased version.
     
  17. hayc59

    hayc59 Guest

    sorry i edited my post over at AA
     
  18. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Marti.....here are two threads that have discussions regarding the sporder.dll file. Maybe they might help too.

    i do believe this is a false-positive by Ad-Aware and you should not delete it. Hopefully other's more knowledgable in this area will add to the mystery and help us understand that dll better. :)

    http://www.wilderssecurity.com/showthread.php?t=1088;start=msg8184#msg8184

    http://www.wilderssecurity.com/showthread.php?t=5554;start=msg36501#msg36501

    regards,

    snap
     
  19. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    There is a 2nd update today for AdAware (01R21323.08.2003) and i scanned again, but the sporder.dll i have (version 5.0.1980.1 now) was not flagged.

    i noticed from one of my previous posts in the links above, that i had had a newer version of that dll...and it seems now i have an older version. hummm...not sure why that is, or what program took it back to an older version, but all is working fine and i do not have any spyware on my system.

    Wish i could be of more help marti.

    snap
    (just adding...XP-Home using NOD32 version 1, with POP3 scanner too) :)
     
  20. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    Snap,

    No way would I delete that file! I told Ad Aware to ignore it. Thanks for the links. Sounds like the file is used by many "good guy" programs.
     
  21. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Marti...did you say that the sporder.dll you have is in your ESET folder? You are using NOD32 version 2 yes? i am using NOD32 version 1 (with POP3 scanner)..and i do not have the sporder.dll in my ESET folder. i have it in my C-->Windows-->System32 folder.

    i am thinking NOD32 version 2 must be using the newest version of the sporder.dll and Ad-Aware hasn't removed detection of the newer version for that dll.

    And you are right, MANY "Good Guy" programs DO use that dll.

    snap
     
  22. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    Snap,

    Yes the file is in the ESET folder (Win98SE). NOD32 version info:

    NOD32 Antivirus System information
    Virus signature database version:   1.491 (20030821)
    Dated:   21 August, 2003
    Virus signature database build:   3869

    Information on other scanner support parts
    Advanced heuristics module version:   1.003 (20030703)
    Extended heuristic module build:   1031
    Archive support module version:   1.001 (20030526)
    Archive support module build version:   1032

    Information on installed components
    NOD32 For Windows 95/98[me=marti]- Base[/me]
    Version:   2.000.5
    NOD32 for Windows 95/98[me=marti]- Standard component[/me]
    Version:   2.000.5
    NOD32 For Windows 95/98[me=marti]- Internet support[/me]
    Version:   2.000.5

    Operating system information
    Platform:   Windows 98
    Version:   4.10.2222 A
    Version of common control components:   5.81.4916
    RAM:   384 MB
    Processor:   x86 Family 6 Model 8 Stepping 6
     
  23. IAMSKINZ

    IAMSKINZ Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    9
    To all...

    This issue has been corrected with the second Reference File that I had announced earlier...
    If you had removed this file, restore the Quarantine of the event.
    ...Or....
    If you have placed this file in your Ignore List, restore it.
    Then....
    Please run the Webupdate feature and rescan.

    We are sorry for any inconveniance this may have caused.

    Thanks...
     
  24. hayc59

    hayc59 Guest

    Marti posted by Paul at AA forum
     
  25. hayc59

    hayc59 Guest

    thank you Skinz :D
     
Thread Status:
Not open for further replies.