
Sporder.exe



#1 aido


Posted 26 August 2008 - 02:21 PM

Hello,

Today I scanned my computer for the first time with CounterSpy, and it found (Backdoor.Win32.Prorat.19) in the file sporder.exe (C:\Windows\sporder.exe). But I know that it is the original file from Microsoft. I uploaded the file to VirusTotal http://www.virustotal.com/de/analisis/b22b...c2f5bf364ddaa5f
and got this information from the site.

sporder.exe File Date: 18-Sep-1997 Version 5.00.1641.1


What should I do?

EDIT: Database information > http://www.bleepingcomputer.com/filedb/spo....exe-23026.html

Greetings,

aido

Edited by aido, 26 August 2008 - 02:39 PM.




#2 boopme


Posted 26 August 2008 - 07:50 PM

Your PC also had a backdoor Trojan (Backdoor.Win32.Prorat.19).
Technical Details
This Trojan allows for its author to control a computer by using Internet Relay Chat (IRC). The Trojan can update itself by checking for newer versions on the Internet.

Your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Even though the infection has been identified and quarantined, all financial, password and account numbers that were stored on this PC should be considered stolen.

When Should I Format, How Should I Reinstall?

We will help you clean this PC but that would be a decision you have to make and there is no promise of future security without the format. Let us know how you wish to proceed.

#3 aido


Posted 27 August 2008 - 01:18 AM

Hello,

Thank you for the reply. :thumbsup:

I have found none of the threats described at the link you gave me on my computer. My hosts file is clear, and the temp directory does not have the threats that are described there either. The registry entries also do not exist on my system. I used the Online Armor firewall; it has no connections to the points shown in the threat.
Are you sure that I am infected by this trojan?

greetings,

aido

#4 boopme


Posted 27 August 2008 - 09:28 AM

I was going with the Counterspy reference. It may not exist. Please run another tool for a second opinion.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#5 quietman7


Posted 27 August 2008 - 11:43 AM

In XP, sporder.exe (WinSock2 reorder - v5.00.1980.1, 8KB) is located in C:\Windows\system32

The BC database you linked to shows it also located in C:\Program Files\Microsoft SDK\Bin\winnt\
If using MS Visual Studio 8, it's also found in C:\Program Files\microsoft visual studio 8\common7\tools\bin\winnt\

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file.

Are you sure about the location you are finding it? What info do you get when right-clicking and choosing properties? Is it showing in Task Manager?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

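The checks asked about in the post above (where the file sits, what its properties say, whether it is running) can be gathered in one pass. This is an added PowerShell example, not part of any post in this thread; it assumes PowerShell 4.0 or later, the search roots are an assumption, and the expected directories are the ones named in the thread.

```powershell
# Added example: triage every copy of a file name by location, metadata and signature.
$Name = 'sporder.exe'

# Directories where this thread says a legitimate copy can live (XP-era paths).
$Expected = @(
    'C:\Windows\system32',
    'C:\Program Files\Microsoft SDK\Bin\winnt',
    'C:\Program Files\microsoft visual studio 8\common7\tools\bin\winnt'
)

# Search roots are an assumption; widen them to cover other drives if needed.
$Roots = @('C:\Windows', 'C:\Program Files')

Get-ChildItem -Path $Roots -Filter $Name -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dir = $_.DirectoryName.TrimEnd('\')
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $vi  = $_.VersionInfo
        [pscustomobject]@{
            Path             = $_.FullName
            # -contains compares strings case-insensitively by default
            InExpectedDir    = $Expected -contains $dir
            SizeBytes        = $_.Length
            FileVersion      = $vi.FileVersion
            Company          = $vi.CompanyName
            OriginalFilename = $vi.OriginalFilename
            # A status other than Valid is a reason to look closer, not a verdict.
            SignatureStatus  = $sig.Status
            Signer           = $sig.SignerCertificate.Subject
            # Hash to compare against a known-good copy or to look up on a scanning service.
            SHA256           = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-List

# Is any copy running, and from which path? (Path can be empty without admin rights.)
Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($Name)) -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, Path
```

The file name and version resource can be copied by anyone, so treat them as hints; the location, signature status and hash compared against a known-good copy carry more weight.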

#6 aido


Posted 27 August 2008 - 12:02 PM

Here is the Malwarebytes log. I have translated the entries into English because I use a German version. :thumbsup:

Malwarebytes' Anti-Malware 1.25
Datenbank Version: 1089
Windows 5.1.2600 Service Pack 3

18:37:37 27.08.2008
mbam-log-08-27-2008 (18-37-37).txt

Scan-Method: Quick-Scan
Scanning Objects: 59050
Runtime: 3 minute(s), 0 second(s)

Infected Memory processes: 0
Infected Memory moduls: 0
Infected Registry entries: 0
Infected Registry values: 0
Infected fileobjects in the Registry: 0
Infected directories: 0
Infected Files: 0

Infected Memory processes:
(None malicious objects found)

Infected Memory moduls:
(None malicious objects found)

Infected Registry entries:
(None malicious objects found)

Infected Registry values:
(None malicious objects found)

Infected fileobjects in the Registry:
(None malicious objects found)

Infected directories:
(None malicious objects found)

Infected Files:
(None malicious objects found)


I feel like I hunted a ghost. I think my PC is clear. I remember installing, a few weeks ago, the SDK from Microsoft TechNet with the debugger and all the symbols for debugging. I don't know, but I think that sporder.exe was installed at that time. I got the package directly from the MS development site.

Greetings,

aido

#7 aido


Posted 27 August 2008 - 12:10 PM

This is the original sporder.exe. The file doesn't have a startup entry, i.e. it never starts during boot time.

Sporder.exe (size 8 KB)

File Version: 5.00.1641.1
Firma: Microsoft Corporation
Internal Name: sporder.exe
Product: Microsoft® Windows NT® Operating System
Product Version: 5.00.1641.1
Language: Englisch (USA)

Before I ran CounterSpy I did not know about sporder.exe. Only CounterSpy reported this as an infected file. All the other programs that I started never found any malicious entry in this file.

sporder.dll is found in both C:\windows and C:\windows/system32; only sporder.exe is in C:\Windows. I can't remember whether I moved the file to C:\Windows or not.

They are not showing in Task Manager.

Edited by aido, 27 August 2008 - 12:17 PM.




