Anti-Spyware crashed my network

Bill Sanderson

Thanks. I'm trying to recall exactly why I am associating this issue with
the particular DLL involved in this thread--does the language you can see in
the logs explain what else was cleaned in relation to WebHancer in addition
to sporder.dll?
 
Guest

Hi all

Problem solved.

1. I changed the name of sporder.dll and lost all
connectivity.
2. I ran WinSock XP Fix and got my connectivity back but
McAfee Privacy Service wouldn't load, complaining that it
was missing components.
3. I reinstalled Privacy Service, which reinstalled
sporder.dll, and got my connectivity back. Reinstalling it
triggered three security alerts from AntiSpyware -- I
should have written these down, but if memory serves there
was one about adding new programs to the Start menu, one
about changes to WinSock and one about changes to LSPs,
all of which I OKed.
4. I ran a complete scan with AntiSpyware and sporder.dll
wasn't picked up as spyware -- but maybe only because I
OKed it in the previous step.

I'm wondering now if I couldn't have achieved the same
thing simply by telling AntiSpyware to ignore sporder.dll
in the first place...

Chris
 
Chris

Hi Bill

And thanks to you! Cleaner.log tells me the following
(none of which seems particularly revealing):

7/01/2005 9:53:39 AM::------------------------------------------------------------------
7/01/2005 9:53:39 AM::Initializing Clean - (ScanID: 90947F38-550C-4830-8DFB-2A0C89)
7/01/2005 9:53:39 AM::Remove Threat (ID:14127)
7/01/2005 9:53:39 AM::Clean Threat webHancer (ID:14127)
7/01/2005 9:53:41 AM::Removing file c:\winxp\system32\sporder.dll
7/01/2005 9:53:45 AM::Removing shared dll registry entry for c:\winxp\system32\sporder.dll
7/01/2005 9:53:45 AM::Disable file c:\winxp\system32\sporder.dll and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\C045517D-E4A7-4B7F-B831-EEF71F\997C445C-7F9A-454B-975A-CC7A4D
7/01/2005 9:53:45 AM::Removing file c:\winxp\system32\sporder(2).dll
7/01/2005 9:53:47 AM::Disable file c:\winxp\system32\sporder(2).dll and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\C045517D-E4A7-4B7F-B831-EEF71F\A9F0A091-2363-48A3-996A-9DAB4B
7/01/2005 9:53:48 AM::Clean Threat webHancer (ID:14127) Complete
7/01/2005 9:53:51 AM::Remove Threat (ID:14127) Complete
7/01/2005 9:53:51 AM::Remove Threat (ID:14804)


Ciao.

Chris
 
Bill Sanderson

Great news.

I'm tending in the direction of definition updates having removed the
detection, rather than your OKing the install, but I'll watch the groups and
see how things go.

I'm not seeing any flood of new reports of this issue.

I'm really thrilled about those alerts you got in the course of the install.
Those kinds of actions need alerts, from my perspective anyway. Now we need
to set the settings to "average guy" and see whether the alerts are going to
make sense to our friends and neighbors who think of the computer as a
means, rather than an end.
 
Bill Sanderson

I think I learned a couple of new things from looking at that:

1) it looks as though it had quarantined the DLL rather than straight
deleting it. That presumably means that you could, in fact, have put it
back from the quarantine. There is UI on the Spyware Scan page to view what
is in the quarantine, and, presumably, to put it back--I can't tell, 'cause
I haven't got anything in.

The other interesting item is that you appear to have had two of that file,
if I'm reading correctly--I don't know whether that's significant or not.

Additionally--WebHancer and sporder.dll were the only things cleaned, at
least in this particular run. So it seems to pin the network breakage
directly on this removal.
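
The reading of the log discussed above (which threat was cleaned, which files were touched, and whether each was quarantined or only removed), as an added Python example that is not part of any post in this thread. It rejoins the wrapped Cleaner.log lines and maps each threat to its files and quarantine paths; the record patterns are assumptions inferred from the excerpt Chris posted, not a documented log format.

```python
import re
from collections import defaultdict

# Sample input: part of the excerpt posted in the thread, line wrapping left in place.
SAMPLE = r"""7/01/2005 9:53:39 AM::Remove Threat (ID:14127)
7/01/2005 9:53:39 AM::Clean Threat webHancer (ID:14127)
7/01/2005 9:53:41 AM::Removing file c:\winxp\system32
\sporder.dll
7/01/2005 9:53:45 AM::Disable file c:\winxp\system32
\sporder.dll and quarantine to C:\Program Files\Microsoft
AntiSpyware\Quarantine\C045517D-E4A7-4B7F-B831-
EEF71F\997C445C-7F9A-454B-975A-CC7A4D
7/01/2005 9:53:45 AM::Removing file c:\winxp\system32
\sporder(2).dll
7/01/2005 9:53:47 AM::Disable file c:\winxp\system32
\sporder(2).dll and quarantine to C:\Program
Files\Microsoft AntiSpyware\Quarantine\C045517D-E4A7-4B7F-
B831-EEF71F\A9F0A091-2363-48A3-996A-9DAB4B
7/01/2005 9:53:48 AM::Clean Threat webHancer (ID:14127)
Complete
"""

STAMP = re.compile(r"^\d{1,2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M::")

def unwrap(text):
    """Rejoin wrapped records: a line without a timestamp continues the last one."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if STAMP.match(line) or not records:
            records.append(line)
        elif line:
            # Paths and GUIDs were split at '\' or '-': join those without a space.
            tight = line.startswith("\\") or records[-1].endswith(("\\", "-"))
            records[-1] += ("" if tight else " ") + line
    return records

def summarize(text):
    """Map threat name -> {file: quarantine path, or None if only removed}."""
    threats, current = defaultdict(dict), None
    for rec in unwrap(text):
        msg = STAMP.sub("", rec)
        if m := re.match(r"Clean Threat (.+?) \(ID:\d+\)$", msg):
            current = m.group(1)
        elif m := re.match(r"Removing file (.+)$", msg):
            threats[current].setdefault(m.group(1), None)
        elif m := re.match(r"Disable file (.+?) and quarantine to (.+)$", msg):
            threats[current][m.group(1)] = m.group(2)
    return dict(threats)
```

A file whose value is still `None` after parsing was removed with no quarantine record, which is the case where restoring from the quarantine would not be an option.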
 
Chris

Hi Bill

Maybe there were two sporder.dll files because I had a
trial version of McAfee Privacy Service (ages ago) and
recently installed the McAfee Security Suite, which
included the latest version of Privacy Service. Possibly
the older of the two sporder.dll files was left over from
the trial installation. This wouldn't surprise me since
McAfee programs do seem to leave bits and pieces of
themselves on your computer even after uninstalling them.

Hope this is useful.

Chris
 
Bill Sanderson

Thanks very much for responding and keeping us posted about how your system
is faring. If they've fixed the detection issue, I guess this will all
become academic--which would be terrific.
 