Do I restore a "non-virus?"

system · 2007-01-28T06:39:30.000Z

A couple of weeks ago I moved a virus to the chest. Then two days ago, I rescanned the virus in the chest and now the status is that it’s no longer a virus. Below is the information after the rescan.

Original file name: sporder.dll
Original folder: C:\WINDOWS\SYSTEM32
Category: Infected files
Virus description: No virus

Do I click the restore button or should I delete the file? Thanks, Megaman

oldman960 · 2007-01-28T09:00:26.000Z

It sounds like it is a legitimate file. Restore it. A copy will remain in the chest.

http://www.bleepingcomputer.com/files/sporder.php

Lisandro · 2007-01-28T12:33:11.000Z

sporder.dll could be a WinSock2 reorder service providers (a module associated with Windows 2000) or a Backdoor Trojan.Riler.B.
It is a system file that does NOT contain the malicious code but it’s used by the trojan in order to work.

Are you using Windows 2k? I have XP and don’t have this file in my computer…

Which other security applications do you use?
If you Google you’ll find some false positives related to sporder.dll.

It will be good if you download, install, update and run other trojan remover tools: a-squared, Free AVG Antispyware or SUPERantispyware (trojan removers). Some users recommend Spyware Terminator.

system · 2007-01-28T19:54:23.000Z

Tech post:3:

Are you using Windows 2k? I have XP and don’t have this file in my computer…

Which other security applications do you use?

I’m using XP and I installed Ad-Aware SE, Spybot-Search & Destroy, and CWShredder.

In a previous post, oldman said to restore it and supplied a website. I checked the website and it encouraged re-installation. Should I re-install sporder.dll? I was thinking of deleting it from the chest. Thanks, Megaman

Lisandro · 2007-01-28T19:58:56.000Z

megaman04 post:4:

Should I re-install sporder.dll? I was thinking of deleting it from the chest. Thanks, Megaman

Restore the file to a new folder created by you.
From there, test the file against on-line scanners. Submit the file to:
Virustotal
or Jotti

system · 2007-02-05T03:40:26.000Z

Tech post:5:

megaman04 post:4:

Should I re-install sporder.dll? I was thinking of deleting it from the chest. Thanks, Megaman

Restore the file to a new folder created by you.
From there, test the file against on-line scanners. Submit the file to:
Virustotal
or Jotti

What happens if I delete it instead from the chest? Will it affect my computer in a negative way? Thanks, Megaman

DavidR · 2007-02-05T14:23:26.000Z

With a file in the chest if it were essential your system could already be working in a negative way because the file isn’t where is should be and because the chest is a protected area, nothing can run inside there or access files stored there (other than avast).

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

system · 2007-02-06T06:53:57.000Z

DavidR post:7:

With a file in the chest if it were essential your system could already be working in a negative way because the file isn’t where is should be and because the chest is a protected area, nothing can run inside there or access files stored there (other than avast).

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

In my avast chest, I have three files that are no longer infected (no virus status) and they are:

A0000116.exe (C:\System Volume Information_restore…)
leaktest.exe (C:\Documents and Settings.…)
sporder.dll (C:\WINDOWS\SYSTEM32)

Eight days have passed, so should I restore them now or wait another six days? To be frank, I’m cautious about restoring the above files; I’d rather delete them instead. I’ve never restored a file from the chest. The ones that remained infected after two weeks I’ve always deleted - that’s understandable. But the ones that have changed to a “no virus” status I’ve deleted those too. Thanks, Megaman

DavidR · 2007-02-06T13:22:38.000Z

I suggested a few weeks in my reply, before rescanning them ‘in the chest’ the ones still infected should be fine to delete, but there is no requirement to do so, they can do no harm there and the longer you leave them, a month or more even, before rescanning and deletion if necessary.

There really is no rush, my suggestion of three weeks was basically to stop some people who would send something to the chest and virtually delete it from the chest right away. Had they left it there for a reasonable time it might turn out to be declared np-virus on rescan.

The ones with no virus were most likely a false positive detection that has either been checked at virustotal or jotti and found that only avast detected it, that sample then got submitted as a possible FP and the VPS corrected. So you decide what to do there shouldn’t be a problem in restoring those after further investigation.

I wouldn’t have worried about this one at all as part of the C:\System Volume Information, I would probably have disabled system restore and rebooted, clearing ALL restore points. So I wouldn’t put it back, I would delete it.
You know what the purpose of the leaktest.exe was so there is no problem in restoring it, assuming you want to keep it.
sporder.dll as google searches found there were multiple different hits some saying it was a legit program others that it may be malware, again this would have been submitted and after analysis the VPS was corrected.

Announcements