trojan horse downloader.agent.pzb


neathomas
31 Oct 2006, 10:00pm
AVG keeps popping up that I have this trojan. It has affected my internet filter. I keep getting a sporder.dll error. Was just my pc, but today it showed up on my laptop.

I'm computer illiterate, so be gentle with me...:-/

I downloaded hijackthis and here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 3:57:05 PM, on 10/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\RENEAT~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis_199-1.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server224.smartbotpro.net/7search/?002-nhp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.srh.noaa.gov/sjt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://server224.smartbotpro.net/7search/?003-nhp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,73/mcinsctl.cab
O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Help is greatly appreciated!
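
The log above is the kind of thing a helper on this thread reads by hand: the R0/R1 browser page entries, the O16 ActiveX downloads and any entry marked "(file missing)" are the first places to look. The following is an added example, not part of the original post or of HijackThis itself, showing how a reviewer could triage such a log automatically. The sample lines are copied from the log above; the `TRUSTED_HOSTS` allowlist and the three triage rules are assumptions made for this example, and a real review would build the allowlist from what the machine's owner says they chose themselves.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the HijackThis v1.99.1 log in the post
# above; the lines are copied from that log, not produced by HijackThis here.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.srh.noaa.gov/sjt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# Hosts the machine's owner recognises as their own choices. This is an
# assumed allowlist for the example, not something HijackThis provides.
TRUSTED_HOSTS = {"www.srh.noaa.gov", "www.dellnet.com", "go.microsoft.com"}

# Every HijackThis finding has the form "<section code> - <body>".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://[^\s\"]+")


def parse_log(text):
    """Return one dict per HijackThis entry: section code, body text and any URLs."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # log header, running-process list or blank line
        entries.append({
            "code": m.group("code"),
            "body": m.group("body"),
            "urls": URL_RE.findall(m.group("body")),
        })
    return entries


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def triage(entries, trusted_hosts=TRUSTED_HOSTS):
    """Flag entries a reviewer would ask about first; returns (code, reason, detail)."""
    findings = []
    trusted = {h.lower() for h in trusted_hosts}
    for e in entries:
        code, body, urls = e["code"], e["body"], e["urls"]
        if code in ("R0", "R1"):
            # Start/search pages: each URL should point at a host the user chose.
            for u in urls:
                if host_of(u) not in trusted:
                    findings.append((code, "browser page set to unrecognised host", u))
        elif code == "O16":
            # Downloaded Program Files: an ActiveX .cab fetched from the listed host.
            for u in urls:
                if host_of(u) not in trusted:
                    findings.append((code, "ActiveX download from unrecognised host", u))
        if "(file missing)" in body:
            # A registered handler whose DLL is gone: a dead entry, or something removed it.
            findings.append((code, "registered component file is missing", body))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{code}: {reason}\n    {detail}")
```

Run against the sample, the script reports the smartbotpro.net search bar, the SmileyCentral .cab download and the missing msgrapp.dll, and stays quiet about the NOAA start page and the empty HKLM start page. A flagged entry is a question for the owner, not a verdict: the point of the allowlist is to separate what the user set deliberately from what arrived on its own.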

joe b
1 Nov 2006, 11:28pm
I also found this Trojan horse downloader.agent.gpz on my avg scan last night. It did not delete it. I ran Spybot Search and Destroy, AdAware, Spyware Doctor, and Ewido and none of these picked it up. I also ran the avg virus cleaner program in safe mode and nothing came up. It is in a Temporary file that I do not recognize (unfortunately I am at work at the moment and do not have the file path on me but will possibly post it later). Looking at the files it appeared to be a zip moto.cab file or something and was with another file that was from the Panda software firm. There were 2 such infected files. I do not remember operating my Panda online scan recently and this file does not look familiar. However it could be that it is a safe file? Might try deleting the files and see what happens. I also did an internet search on the downloader.agent.gpz last night but came up empty.

neathomas
2 Nov 2006, 3:38am
Great News!

I contacted my internet filter company and they sent me this email:

AVG Virus protection developed a glitch, in their new version, in which it incorrectly identified and removed a Microsoft file called sporder.dll. They are freaking out and trying to develop a fix for their service. In the meantime we have developed a patch which is the following:


PROCEDURE ONE

1) Download the AVG Patch for FilterPak
http://www.aimconnect.com/downloads/avgpatch.exe or click on the attached file

2) Install the AVG Patch for FilterPak

3) REBOOT


PROCEDURE TWO

1) If you are unable to establish Internet access you must first uninstall AVG Anti-Virus

2) Go to Add/Remove Programs and Repair the FilterPak

3) Download the AVG Patch for FilterPak

4) Install the AVG Patch for FilterPak

5) REBOOT

6) Install AVG Anti-Virus


This worked like a charm...no more problems! Both computers were fixed in less than 10 minutes....

Hope this helps!

joe b
2 Nov 2006, 4:05am
back,

AVG Version 7.1.409 Virus base 268.13.22/512 did detect and delete C:\WINNT\SYSTEM32\ActiveScan\sporder.dlll

It didn't delete

C:\Documents and Settings\Administrator\Local Settings\Temp\_AS15.tmp\motor.cab:\sporder.DLL (infected, embedded object)

C:\Documents and Settings\Administrator\Local Settings\Temp\_AS15.tmp\motor.cab (infected, archive)

C:\Documents and Settings\Administrator\Local Settings\Temp\_AS1C.tmp\motor.cab:\sporder.Dll (infected, embedded object)

C:\Documents and Settings\Administrator\Local Settings\Temp\_AS1C.tmp\motor.cab (infected, archive)


The two infected archives are zip files with digital signatures from Panda Software. The few posts I've read around so far seem to say that these files are ok and that they are AVG false positives. I imagine it would be ok to delete them, then try and run Panda Active Scan again. Worst thing could happen is it won't work and you will have to download it again (I think - somewhat computer illiterate here too). I have noticed a few more posts on the net today about the downloader.agent.gpz. Maybe the latest AVG updates are only picking them up. Any ideas anyone? Do a Google search on downloader.agent.gpz and see what comes up or keep an eye on the AVG forums http://forum.grisoft.cz/freeforum/index.php?0

JohnnyChen
3 Nov 2006, 7:12am
Hi,

Please help.
My PC was infected by: trojan.QQRob.gi
Every time I turn on my PC, AVG will find the virus above.
Today is the 4th time. I quarantined it.
How can I remove it permanently?

Thank you
Johnny
