Windows Secrets


Windows Secrets Newsletter • Issue 154 • 2008-05-22 • Circulation: over 400,000


Table of contents 
  • Bonus: All readers are eligible for our bonus download
  • Top Story: XP SP3 triggers false positives in security apps
  • Known Issues: Readers offer more ways to keep XP fresh
  • Wacky Web Week: Mobile phones have come a long, long way
  • Best Software: Top free tools for rooting out rootkit spies
  • PC Tune-Up: Testing the effectiveness of rootkit removers
  • Patch Watch: HP recommends against installing Windows XP SP3

 
Bonus

All readers are eligible for our bonus download

You have only until June 4 to get our exclusive, FREE, 20-page excerpt from the hilarious new book Delete This At Your Peril. Maxim magazine says the author’s e-mail exchanges with Nigerian spammers are “brilliantly deranged.” All Windows Secrets subscribers, free and paid, are eligible to receive the bonus. Simply visit your preferences page before the deadline, update your settings, and click Save. —Brian Livingston, editorial director

To get your free download: visit your preferences page
For info on the printed book: United States / Canada / Elsewhere

 
Top Story

XP SP3 triggers false positives in security apps

By Scott Dunn

Installing Windows XP Service Pack 3 can cause your anti-malware programs to report the presence of Trojans and keyloggers that aren’t there.

The false positives have blocked important system files in some cases, and in others they have misled users into reinstalling XP.

SP3 causes some malware scanners to cry “wolf”

Comments on a PC Tools forum confirm customer reports that the company’s Spyware Doctor program generates a false positive on systems with Windows XP SP3.

Similarly, at least one site claims that Symantec’s Norton Internet Security software identifies a common system file as a keylogger.

ReviewSaurus reports that XP SP3 causes Norton Internet Security to identify ctfmon.exe as a keylogger (a kind of malware that records your keystrokes to capture passwords and other important data).

In reality, the ctfmon.exe file in your Windows\System32 folder is a Microsoft system file that enables alternative input methods such as speech, tablet, or on-screen keyboard.

A spokesperson for Symantec was not immediately available for comment.

In the case of Spyware Doctor, the popular antispyware tool from PC Tools detects Trojan-Spy.Pophot.WX in RunDLL32.exe even if the system is uninfected. RunDLL32.exe is a system file that Windows uses to run code in dynamic link library (DLL) files.

The scan may also implicate other related system files, according to a report on the blog A Healthy Fear of Botulism.

By default, Spyware Doctor prevents any files it identifies as infected from running. If an important system file such as RunDLL32.exe is flagged incorrectly, the result can be disastrous for your PC. For example, users may be blocked from opening Windows Control Panel or using System Restore, among other operations.

One user who contacted us noted that blocking RunDLL32.exe created “an endless loop of scanning to remove the file, rebooting, finding the file again.”

“I’ve lost more than two days trying to fix something that was never broken,” he adds. “As far as mistakes go, this is pretty major.”

Other Spyware Doctor customers just gave up: “I had the same problem today,” reported Dave (screen name doz3r). “I got tired of fighting with it and just reinstalled the OS.”

For its part, PC Tools claims that a patch is in the works. “We are implementing a fix immediately,” wrote Super Moderator Anthony Chen on the PC Tools forum.

As of Wednesday evening, PC Tools has yet to make a fix available through the company’s Smart Update feature.

Until there’s a fix, there’s a workaround

In the case of Norton Internet Security, ReviewSaurus advises users to ignore the false warning about ctfmon.exe.

Until a fix is available from PC Tools, Chen advises customers to add RunDLL32.exe to the global action list manually. The workaround consists of the following steps:

Step 1. In the Spyware Doctor window, click the Settings button on the left.

Step 2. Click Global Action List to the right of that.

Step 3. At the bottom of the window, click Add.

Step 4. In the New Rule dialog box, choose “File on disk” from the “Select data type” drop-down list.

Step 5. To the right of the text box below, click the … button to browse for a file. Locate and select RunDLL32.exe in the Windows\System32 folder.

Step 6. Make sure “Always allow” is selected in the drop-down list at the bottom and click the Add button.

Other XP SP3 compatibility problems may yet loom

This is not the first problem created by Microsoft’s latest (and last) service pack for Windows XP. Earlier this month, some HP PCs with an AMD processor experienced endless reboots after SP3 was installed.

These and other issues are documented by Windows Secrets columnist Susan Bradley’s Patch Watch column in the paid section of this week’s newsletter, as well as in her May 15 column. Bradley also provides advice on preparing for SP3 in the paid section of the May 1 issue.

If you are concerned about the effect the collection of patches that comprise XP SP3 will have on your PCs, wait a while before downloading and installing the service pack.

Check the support sites of the vendors of your most important products for news of compatibility issues with SP3. As the problems experienced by users of these anti-malware programs show, a collection of patches as large as SP3 may require some patches of its own.

Readers receive a gift certificate for a book, CD, or DVD of their choice for sending tips we print. Send us your tips via the Windows Secrets contact page.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the Here’s How section of that magazine.

 
Known Issues

Readers offer more ways to keep XP fresh

By Dennis O’Reilly

A better way to clear out temp folders, a great all-purpose Windows cleaner, and more free online storage top your suggestions for giving XP a new lease on life.

The question remains: Who benefits when Microsoft’s only real competition is with itself?

Reports of XP’s demise are greatly exaggerated

Last week’s Top Story by Scott Dunn on keeping XP fresh until Vista’s successor is released was one of the most popular articles the newsletter has ever published. Clearly, a great number of Windows users see no need to trade in XP for Vista.

Responding to Scott’s request, several readers offered their own techniques for teaching the old OS new tricks. David M. Deitz points out that you can empty XP’s temp folder for all users by replacing the login name. “On Rule 7, ‘Clear the clutter from XP’s many cubbyholes,’” he writes, “the batch file could be more generic by using the userprofile variable.” This would look as follows:

del /s /q "%userprofile%\Local Settings\Temp\*.*"

Windows expands the userprofile variable to the profile folder of whoever runs the command, so the same batch file works for every user of a machine without editing in a login name. The quotation marks around the path are required because it contains spaces.
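As an added example (not the reader’s tip or anything from the newsletter), here is a fuller batch file built on the same idea. Instead of assuming the XP-specific “Local Settings\Temp” path, it uses the standard TEMP environment variable, which Windows sets per user on both XP and Vista, removes the empty subfolders that del leaves behind, and refuses to run if TEMP points somewhere unexpected. The variable names and the safety checks are assumptions of this example, not something the column prescribes.

```batch
@echo off
rem Added example: clear the current user's temp folder on XP or Vista
rem without hard-coding a login name or an OS-specific path.
rem Assumption: %TEMP% points at the per-user temp folder
rem (XP: ...\Local Settings\Temp, Vista: ...\AppData\Local\Temp).
setlocal

if not defined TEMP (
    echo TEMP is not set; nothing to clean.
    exit /b 1
)

rem Sanity check: a recursive delete on the whole profile folder would be
rem far too broad, so bail out if TEMP and USERPROFILE are the same place.
if /i "%TEMP%"=="%USERPROFILE%" (
    echo Refusing to delete the whole profile folder.
    exit /b 1
)

echo Cleaning "%TEMP%" ...

rem Delete files in the temp folder and every subfolder; /q suppresses prompts.
rem Files held open by running programs are skipped, which is expected.
del /s /q "%TEMP%\*.*" >nul 2>&1

rem del does not remove directories, so sweep up the now-empty subfolders.
rem %%~d strips any quotes cmd keeps around the expanded path.
for /d %%d in ("%TEMP%\*") do rd /s /q "%%~d" >nul 2>&1

echo Done.
endlocal
```

Save it as, for example, cleantemp.cmd and run it from a logged-in account; because it reads TEMP at run time, each user who runs it cleans only their own temp folder, and nothing in the file needs editing when it is copied to another PC.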

The freeware cleanup alternative

Several readers echoed Ezra Riner’s recommendation for a free cleanup utility.
  • “I never use Microsoft’s Disk Cleanup tool. I find the free CCleaner [from Piriform] does an excellent job of clearing caches, temp files, and the like. [The program] integrates into your Recycle Bin for ease of use and total control.”
Even more free storage available online

Scott recommended several online-storage services that offer as much as 2MB of space for your files for free. Hitman Howler wrote in to tell us about two services that trump those offerings.
  • “The [services] you mention are about 1GB to 2GB free. Allow me to show you two sites that offer 5GB totally free: Microsoft’s Windows Live SkyDrive and 4Shared.”
I don’t often think of Microsoft as the kind of company that does its customers a favor, but the only two programs that really compete with Vista are the OS’s predecessor and eventual successor. Perhaps that’s some consolation for the company as it attempts to fabricate a silk purse out of the sow’s ear that is Vista.

Know of any other ways to get more use out of XP (or Vista, for that matter)? We’d love to hear about them via the Windows Secrets contact page.

Readers David, Ezra, and Hitman will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed.

The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.

 
Wacky Web Week

Mobile phones have come a long, long way

Who hasn’t rummaged through their pants pocket or purse looking for their ultra-sleek, super-tiny cell phone and longed for a return to the days when using a mobile phone meant lugging around a 2-pound battery pack and holding a brick to your face?

This three-minute video takes us on a nostalgic trip back to the early days of cell phones. Watch a 1985 Motorola DynaTAC morph into an Apple iPhone, with about three dozen cell models squeezed in between. The video even provides a glimpse of the cell phones of the future. Play the video


 
Best Software

Top free tools for rooting out rootkit spies

By Scott Spanbauer

An easy-to-use rootkit detector and cleaner makes trapping this sneaky spyware a snap.

Whether you’re comfortable sorting through your PC’s processes and Registry keys manually or you prefer to have someone else do the sleuthing, there’s a rootkit detector for you.

Find the malware hiding on your system

Even if you use a firewall and set your antivirus software to update its virus definitions automatically, your PC may not be safe from rootkits.

By manipulating the operating system at a low level, these malware programs can install PC keyloggers and backdoor programs surreptitiously on your PC. Then their authors are able to spy on your activities and control your system remotely.

Though many antivirus vendors have added rootkit detection and removal to their programs’ arsenal of anti-malware weaponry, not all antivirus programs are rootkit-savvy. Even if your security software claims to defend against rootkits, you may benefit from a second opinion.

I tested a number of free rootkit detectors for Windows XP and Windows Vista, and my clear favorite is F-Secure’s Blacklight, which combines thorough system scanning with a familiar interface reminiscent of a standard antivirus program’s.

On the other hand, do-it-yourself types will find plenty to like in GMER. The utility offers fine-grained control over which files it scans, and it produces detailed reports of your system’s processes, files, Registry entries, and other rootkit-related information.

Trend Micro’s Rootkit Buster beta is similar to Blacklight, but the program’s scans are suspiciously brief.

I ran the three rootkit scanners on two different PCs: one running Windows XP and the other Vista. Since none of the programs found anything dangerous on either system, I wasn’t able to test their rootkit-removal skills, which generally involve renaming or deleting the problem files and processes they discover.

Fortunately, German research group AV-Test recently completed an exhaustive test of more than 20 rootkit-removal tools of all types. Mark Joseph Edwards’ PC-Tune-Up column in this week’s issue describes those results.

If it weren’t for the fact that all three utilities reported the same result, I might have doubted their cheerful news. That’s why I recommend that you use more than one rootkit remover on your PC.

Doing so is easy, since all three of the programs I tested are only about 1MB in size. Also, they require no installation or registration, and — unlike running multiple antivirus programs — the rootkit scanners don’t conflict with one another.

The simple, secure way to check for rootkits

Antivirus maker F-Secure was one of the first vendors to offer a standalone rootkit detector and remover. In fact, the rootkit-rooting capabilities in F-Secure’s Blacklight utility are also found in the company’s U.S. $80 F-Secure Internet Security 2008 suite as well as in its free online virus scanner.

Blacklight is about as easy to use as a program can be: just download and run, no installation necessary. By default, Blacklight scans for hidden processes, files, and folders. Although not listed, the utility also checks the hard disk’s master boot record.

Figure 1. F-Secure’s free Blacklight rootkit-scanning utility is a snap to use.

The program’s scan took only three minutes to complete on my lightly used and relatively fast Vista test system. On the slower Windows XP laptop, however, the scan lasted a good half-hour.

When Blacklight identifies a hidden file or process, it prompts you to rename the interloper to prevent it from functioning in the future. You can also run Blacklight in a more aggressive mode, although the company says doing so could produce false-positive results.

A complete — albeit slow — rootkit scanner

GMER may be the most thorough rootkit detector and cleaner available. The program scans for hidden processes, files, NTFS alternate data streams, services, Registry keys, drivers, and suspicious hooks into drivers.

Like the other two free rootkit scanners I tested, GMER requires no registration or installation — just download the program, extract it from its zip archive, and run the scan.

GMER’s scans take nearly as long as Blacklight’s to complete, which may indicate that GMER is doing a very thorough search. Hidden processes that the program thinks are malware of some kind are highlighted in red. GMER then adds a delete command to its context menu.

When a fast scanner may be too fast

Like the Blacklight and GMER rootkit detectors, Trend Micro’s Rootkit Buster is a download-unzip-run affair. The program’s few scanning options are straightforward: files and master boot record, Registry, processes, and drivers. To rid your system of the rootkits it finds, simply select the detected items and click the Delete button.

My only concern regarding Rootkit Buster is that the program’s scans took almost no time to complete on the Vista test system, and only a few minutes to finish on the XP test machine, compared to Blacklight’s 30-minute-plus perusal. While the quick scans could simply be the result of better programming, I suggest that you use Rootkit Buster as an adjunct to another rootkit detector.

Scott Spanbauer frequently writes for PC World, Business 2.0, CIO, Forbes ASAP, and Fortune Small Business. He has contributed to several books and was technical reviewer of PC Hacks.

 
PC Tune-Up

Testing the effectiveness of rootkit removers

By Mark Joseph Edwards

Several new anti-rootkit tools have been released recently, and existing security tools have been enhanced to protect your PC from rootkit infection.

Now third-party tests reveal which rootkit removers do the best job of protecting your system.


Security suites vs. specialty rootkit defenders

Rootkits are malware programs that provide their authors with direct access to your computer without your knowledge or permission. The programs typically gain administrative-level access to your system and avoid detection by standard antivirus scans. (See Scott Spanbauer’s review of three free rootkit removers in this week’s Best Software column.)

Some security vendors have recently broadened their definition of a rootkit to include any program that allows unauthorized access or stealth activity to occur. For example, if a program hides any files on your computer, a vendor might call it a rootkit. So be aware that what constitutes a rootkit is no longer consistent among security vendors.

Blurry definitions aside, there are a number of malware packages that do, in fact, fit the historic definition of a rootkit. First, you need to find out whether your PC is already infected by a rootkit and, if it is, how to disinfect it. Then you need to make sure that these programs are prevented from making their way into your computer.

There are currently at least 14 standalone anti-rootkit tools, six Web-based tools, and seven security suites that claim to detect and/or remove rootkits. What’s needed is a way to determine which ones are best at preventing a rootkit infection and removing the buggers when they make their way onto your machine.

This article is part of our paid content.


 
Patch Watch

HP recommends against installing Windows XP SP3

By Susan Bradley

Both HP and Microsoft are working to fix problems causing AMD-based PCs to reboot repeatedly after XP Service Pack 3 is loaded.

In the meantime, security expert Dr. Jesper Johansson has beaten the companies to the punch by devising a tool that ensures AMD machines can be patched.


I repeat: don’t be in a hurry to install XP SP3

As I described in last week’s column, HP recommends that its customers put their XP Service Pack 3 installation plans on hold. According to the Microsoft Update Product Team blog, Microsoft plans to block the service pack from being offered to users of the systems affected by the reboot bug.

If you prefer not to wait, Dr. Jesper Johansson has created a fix that can be downloaded from his blog. In fact, Dr. Johansson’s site is probably the best resource for tracking issues associated with XP SP3.

In addition to the many readers who have e-mailed me to describe problems they’ve encountered after installing XP SP3, a second and larger group of people ask whether they even need the update if they’ve been applying security and other XP patches as they become available.

Given that every analyst — including me — is telling them the service pack’s most noteworthy enhancements involve networking and other IT-related matters, many ask whether they need XP SP3 at all.

This article is part of our paid content.


YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

Copyright © 2012 by WindowsSecrets.com. All rights reserved.
