Anti-Spyware crashed my network

Bill R

Installed and ran scan, it reported two problems. I
removed them, restarted and had no network connection. I
had to remove anti-spyware and restore to get back my
network. Be careful.
 
Doug Allen

I had a similar problem. One item was found and, when it
was removed, I lost all network connectivity.

The item was webHancer and it said the infected file was
C:\WINDOWS\system32\sporder.dll

I have not got webHancer so far as I know. It doesn't
appear in the Add/Remove list, and it is not detected by
AdAware or SpyBot.

Hope this is relevant and useful.
 
Guest

This typically means a trojan or malicious program has
control of your machine and needed the deleted file to
function and is now punishing you.
 
Bill Sanderson

That's helpful information--do you have a third-party VPN client installed
on your machine?

What vendor information/copyright is present in the sporder.dll?
(try right-clicking on that file and look at the various information
presented)
 
Bill Sanderson

This is definitely a possibility, but another may be a false positive on a
file involved in network connectivity--either way, we need details to
triage.
 
Guest

-----Original Message-----
what exactly were the two problems reported? please post complete details.
I don't remember the two files. I think it called it a
hacker something, said it was in the start up program and
to remove it there were three reg keys listed. I have a
spyware program running and when it finds things I just
delete it and never had a problem, so I did not pay
attention.
 
Chris Turner

Exactly the same thing happened to me. But in my case
Spyware Blaster, Spyware Guard and AdAware failed to
detect webHancer.

Chris Turner
 
Guest

Hi

I'm not the person you responded to but had exactly the
same problem as him. I followed your advice and came up
with "Copyright (C) Microsoft Corp. 1981-1996".
 
Bill Sanderson

Hmm....I'm not sure what you are seeing. I have no such file on my XP
machine, and all the references to it I find make it out to be spyware.
However, I do have a suggestion that may get you out of the bind.

I think that what is happening is that you have a piece of spyware that is
inserted into the networking stack.

Microsoft AntiSpyware has, in advanced tools, system explorers, a Winsock
LSP explorer tool. You might take a look at what you see there.

I'm unclear how that tool can be used to effect repairs, though.

http://www.spychecker.com/program/winsockxpfix.html

is a tool which can repair problems with the Winsock LSPs, and I'd
recommend trying it.
You may need to unload Microsoft Antispyware, because the agents may
interfere with the attempted repair.
 
Doug Allen

Bill,

Very interesting thread.

I do not have a third party VPN client.

I use McAfee Personal Firewall Plus and, after rebooting,
it wouldn't start and the system ran very slowly. Just
some additional information that may or may not be
relevant.

The vendor information on sporder.dll is:
WinSock2 reorder service providers
Microsoft Corporation 1981-1996
Version 4.00
Microsoft Windows NT Operating System

After downloading the spychecker.com software you
mentioned, but before running it, I reproduced the
network connectivity problem by quarantining sporder.dll
in Microsoft Antispyware. I could not connect to
anything.

Then I ran the winsockxpfix program and rebooted.
Sporder.dll is definitely not present now, and network
connectivity has been restored. Interesting. Don't know
what you make of it, and whether or not the sporder.dll
file really is a proper Microsoft file that should be
present?

By the way, I also looked in Winsock LSP tool before I
removed sporder.dll. It listed several items, but
nothing that seemed to have any relevance to the current
issue.

I'd welcome your views.
 
Bill Sanderson

Thanks!

I believe that the particular sporder.dll that you and most if not all
others here are referencing is a legitimate Microsoft file.

I know now of at least three third-party applications that install this DLL,
and they seem to be generally oriented to VPN, or security, in network
terms.

Reading between the lines in this thread:
http://forums.mcafeehelp.com/viewtopic.php?t=1031

leads me to believe this DLL is also used by some McAfee products--probably
including yours.

This is rather a nasty false positive, given the prevalence of this DLL in
third party network and security related software, and the effect of its
removal! However, it should be relatively easy to fix--and I'm hoping that
we'll get some confirmation that such a fix is in the works soon.

So--at the moment, the fix sequence seems to me to be:

If you have deleted everything Microsoft Antispyware said should be deleted,
and a reboot was required, and subsequent to that reboot, network
connectivity was lost then:
(runon!)
1) download and run winsockxpfix.exe which should restore network
connectivity.
2) reinstall whatever third-party product included this .DLL--could be a VPN
client, could be Proventia Desktop, could be a McAfee security product.

Alternatively, use System Restore to return to a Restore Point prior to
making the changes called for by the scan.
 
Doug Allen

Thanks for the response, Bill.

So, having run the winsock fix and apparently being OK
now, do I need to restore to a point before it all
happened, or reinstall McAfee Firewall? It all appears
OK at the moment, so my preference would be to leave it
alone!

This might shed some more light on it. On the Sophos
site, there is reference to Troj/Riler-D, with aliases
Trojan.Win32.Riler.c and BackDoor-BCB. It says that it
installs 4 files - winmedl.dll, sporder.dll, winssi.exe
and SynUSB.dll. The first contains encrypted info for
web address newsg.vicp.net, the second is a clean system
file, and the last 2 contain malicious code. It also
adds registry entries such as
HKLM\SYSTEM\CurrentControlSet\Services\WS2IFSL.

Having looked at my registry, I have the entry for
WS2IFSL, so I wonder if I have been infected at some
point in the past and the virus tool did not clear
everything up?

Just a thought. And another is that I found another
reference to suggest that sporder.dll might be installed
by McAfee Privacy Service (which I did have at one point
but no longer do).

Doug
 
Bill Sanderson

Doug Allen said:
> Just a thought. And another is that I found another
> reference to suggest that sporder.dll might be installed
> by McAfee Privacy Service (which I did have at one point
> but no longer do).

I think that thought is probably the likely source of your file.

I don't know the details about the file of this name which is part of
malicious code packages. I sure hope that it is in fact different, in terms
of an MD5 checksum from the legitimate file used by these various
third-party products, but I don't know the details on that.
 
Doug Allen

Bill,

I hope you're right about the file being different!! The
name is definitely the same, and Sophos does say it's
a clean system file. The URL if you want to read the
article is:
http://www.sophos.com/virusinfo/analyses/trojrilerd.html

Thanks again for the useful interchange. Shows how
powerful these newsgroups can be, even if we haven't
quite bottomed this one out!

Doug
 
Bill Sanderson

It's been suggested to me that there is a different possible cause to these
issues. The question is whether there is some other component of the LSP
stack which is the result of a past malware infection which is being removed
as part of this cleanup, thus breaking things.

I suspect a comparison of several cleaner.logs from machines involved in
these threads would give useful evidence, but I'm going to wait for further
guidance before asking for more data.

(the question is whether SPORDER.DLL is an LSP, or just a piece of code used
when adding and removing LSPs.)

The other bit of information I now understand is that the break in the stack
after removal of [whatever] should be repairable using the netsh command
line tool in XP:

netsh winsock reset

However, this tool gives this help text:

netsh winsock reset /?

Usage: reset

Remarks: Resets Winsock Catalog to a clean state.
All Winsock Layered Service Providers which were previously
installed must be reinstalled.
This command does not affect Winsock Name Space Provider
entries.
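A PowerShell triage check, added here as an example and not posted by anyone in this thread, that gathers what Bill asked for (the vendor information on sporder.dll) and answers his last question, whether the file is actually registered as an LSP or only referenced by the Winsock catalog. It assumes PowerShell 4 or later (for Get-FileHash) and the file path named earlier in the thread; it only reads, apart from saving a copy of the catalog before any reset.

```powershell
# Added example: collect evidence on a DLL flagged by an anti-spyware scan before quarantining it.
# Assumption: Windows with netsh and PowerShell 4+; the path is the one reported in the thread.
$dll = 'C:\WINDOWS\system32\sporder.dll'

# 1. File identity: the version resource (what right-click > Properties shows) and the Authenticode
#    signature. A Microsoft or known-vendor signer is strong evidence of a false positive.
if (Test-Path $dll) {
    $info = (Get-Item $dll).VersionInfo
    $info | Select-Object FileDescription, CompanyName, FileVersion, ProductName
    # The hash lets you compare your copy against the one shipped by the vendor product that installed it.
    Get-FileHash -Algorithm SHA256 $dll | Select-Object Hash
    Get-AuthenticodeSignature $dll |
        Select-Object Status, @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }
} else {
    Write-Output "$dll is not present on this machine."
}

# 2. Winsock catalog: list the registered providers and see whether the DLL is one of them.
#    If it never appears as a 'Provider Path', it is not an LSP itself but a helper used when
#    providers are added or reordered, which is what the thread suspects about sporder.dll.
$catalog = netsh winsock show catalog
$catalog | Select-String -Pattern 'Description|Provider Path'

$refs = @($catalog | Select-String -SimpleMatch 'sporder.dll')
if ($refs.Count -gt 0) {
    Write-Output "sporder.dll is registered as a provider in $($refs.Count) catalog entries."
} else {
    Write-Output 'sporder.dll is not a registered Winsock provider.'
}

# 3. Keep a copy of the catalog before cleanup. 'netsh winsock reset' removes every LSP, so this
#    record tells you which third-party product (VPN client, firewall) has to be reinstalled afterwards.
$catalog | Out-File -FilePath (Join-Path $env:TEMP 'winsock-catalog-before.txt')
```

Run it once before removing anything the scan flags, and again after a reset, so the two catalog listings can be diffed.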
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top