XP SP3 triggers false positives in security apps

All readers are eligible for our bonus download

You have only until June 4 to get our exclusive, FREE, 20-page excerpt from the hilarious new book Delete This At Your Peril (left). Maxim magazine says the author’s e-mail exchanges with Nigerian spammers are “brilliantly deranged.” All Windows Secrets subscribers, free and paid, are eligible to receive the bonus. Simply visit your preferences page before the deadline, update your settings, and click Save. —Brian Livingston, editorial director

To get your free download: visit your preferences page
For info on the printed book: United States / Canada / Elsewhere

XP SP3 triggers false positives in security apps

By Scott Dunn Installing Windows XP Service Pack 3 can cause your anti-malware programs to report the presence of Trojans and keyloggers that aren’t there. The false positives have blocked important system files in some cases, and in others they have misled users into reinstalling XP.

SP3 causes some malware scanners to cry “wolf”

Comments on a PC Tools forum confirm customer reports that the company’s Spyware Doctor program generates a false positive on systems with Windows XP SP3.

Similarly, at least one site claims that Symantec’s Norton Internet Security software identifies a common system file as a keylogger.

ReviewSaurus reports that XP SP3 causes Norton Internet Security to identify ctfmon.exe as a keylogger (a kind of malware that records your keystrokes to capture passwords and other important data).

In reality, the ctfmon.exe file in your WindowsSystem32 folder is a Microsoft system file that enables alternative input methods such as speech, tablet, or on-screen keyboard.

A spokesperson for Symantec was not immediately available for comment.

In the case of Spyware Doctor, the popular antispyware tool from PC Tools detects Trojan-Spy.Pophot.WX in RunDLL32.exe even if the system is uninfected. RunDLL32.exe is a system file that Windows uses to run code in dynamic link library (DLL) files.

The scan may also implicate other related system files, according to a report on the blog A Healthy Fear of Botulism.

By default, Spyware Doctor prevents any files it identifies as infected from running. If an important system file such as RunDLL32.exe is flagged incorrectly, the result can be disastrous for your PC. For example, users may be blocked from opening Windows Control Panel or using System Restore, among other operations.

One user who contacted us noted that blocking RunDLL32.exe created “an endless loop of scanning to remove the file, rebooting, finding the file again.”

“I’ve lost more than two days trying to fix something that was never broken,” he adds. “As far as mistakes go, this is pretty major.”

Other Spyware Doctor customers just gave up: “I had the same problem today,” reported Dave (screen name doz3r). “I got tired of fighting with it and just reinstalled the OS.”

For its part, PC Tools claims that a patch is in the works. “We are implementing a fix immediately,” wrote Super Moderator Anthony Chen on the PC Tools forum.

As of Wednesday evening, PC Tools has yet to make a fix available through the company’s Smart Update feature.

Until there’s a fix, there’s a workaround

In the case of the Norton Internet Security, ReviewSaurus advises users to ignore the false warning about ctfmon.exe.

Until a fix is available from PC Tools, Chen advises customers to add RunDLL32.exe to the global action list manually. The workaround consists of the following steps:

Step 1. In the Spyware Doctor window, click the Settings button on the left.

Step 2. Click Global Action List to the right of that.

Step 3. At the bottom of the window, click Add.

Step 4. In the New Rule dialog box, choose “File on disk” from the “Select data type” drop-down list.

Step 5. To the right of the text box below, click the … button to browse for a file. Locate and select RunDLL32.exe in the WindowsSystem32 folder.

Step 6. Make sure “Always allow” is selected in the drop-down list at the bottom and click the Add button.

Other XP SP3 compatibility problems may yet loom

This is not the first problem created by Microsoft’s latest (and last) service pack for Windows XP. Earlier this month, some HP PCs with an AMD processor experienced endless reboots after SP3 was installed.

These and other issues are documented by Windows Secrets columnist Susan Bradley’s Patch Watch column in the paid section of this week’s newsletter, as well as in her May 15 column. Bradley also provides advice on preparing for SP3 in the paid section of the May 1 issue.

If you are concerned about the effect the collection of patches that comprise XP SP3 will have on your PCs, wait a while before downloading and installing the service pack.

Check the support sites of the vendors of your most important products for news of compatibility issues with SP3. As the problems experienced by users of these anti-malware programs show, a collection of patches as large as SP3 may require some patches of its own.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the Here’s How section of that magazine.

Readers offer more ways to keep XP fresh

By Dennis O’Reilly A better way to clear out temp folders, a great all-purpose Windows cleaner, and more free online storage top your suggestions for giving XP a new lease on life. The question remains: Who benefits when Microsoft’s only real competition is with itself?

Reports of XP’s demise are greatly exaggerated

Last week’s Top Story by Scott Dunn on keeping XP fresh until Vista’s successor is released was one of the most popular articles the newsletter has ever published. Clearly, a great number of Windows users see no need to trade in XP for Vista.

Responding to Scott’s request, several readers offered their own techniques for teaching the old OS new tricks. David M. Deitz points out that you can empty XP’s temp folder for all users by replacing the login name. “On Rule 7, ‘Clear the clutter from XP’s many cubbyholes,’ ” he writes, “the batch file could be more generic by using the userprofile variable.” This would look as follows:

del /s /q “%userprofile%Local SettingsTemp*.*”

Windows substitutes the userprofile variable with the actual location of information for all users of a machine. The quotation marks in the command are required because the command line includes a space.

The freeware cleanup alternative

Several readers echoed Ezra Riner’s recommendation for a free cleanup utility.

• “I never use Microsoft’s Disk Cleanup tool. I find the free CCleaner [from Piriform] does an excellent job of clearing caches, temp files, and the like. [The program] integrates into your Recycle Bin for ease of use and total control.”

Even more free storage available online

Scott recommended several online-storage services that offer as much as 2MB of space for your files for free. Hitman Howler wrote in to tell us about two services that trump those offerings.

• “The [services] you mention are about 1GB to 2GB free. Allow me to show you two sites that offer 5GB totally free: Microsoft’s Windows Live SkyDrive and 4Shared.”

I don’t often think of Microsoft as the kind of company that does its customers a favor, but the only two programs that really compete with Vista are the OS’s predecessor and eventual successor. Perhaps that’s some consolation for the company as it attempts to fabricate a silk purse out of the sow’s ear that is Vista.

Know of any other ways to get more use out of XP (or Vista, for that matter)? We’d love to hear about them via the Windows Secrets contact page.

The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.

Mobile phones have come a long, long way

Who hasn’t rummaged through their pants pocket or purse looking for their ultra-sleek, super-tiny cell phone and longed for a return to the days when using a mobile phone meant lugging around a 2-pound battery pack and holding a brick to your face? This three-minute video takes us on a nostalgic trip back to the early days of cell phones. Watch a 1985 Motorola DynaTAC morph into an Apple iPhone, with about three dozen cell models squeezed in between. The video even provides a glimpse of the cell phones of the future. Play the video

Top free tools for rooting out rootkit spies

By Scott Spanbauer An easy-to-use rootkit detector and cleaner makes trapping this sneaky spyware a snap. Whether you’re comfortable sorting through your PC’s processes and Registry keys manually or you prefer to have someone else do the sleuthing, there’s a rootkit detector for you.

Find the malware hiding on your system

Even if you use a firewall and set your antivirus software to update its virus definitions automatically, your PC may not be safe from rootkits.

By manipulating the operating system at a low level, these malware programs can install PC keyloggers and backdoor programs surreptitiously on your PC. Then their authors are able to spy on your activities and control your system remotely.

Though many antivirus vendors have added rootkit detection and removal to their programs’ arsenal of anti-malware weaponry, not all antivirus programs are rootkit-savvy. Even if your security software claims to defend against rootkits, you may benefit from a second opinion.

I tested a number of free rootkit detectors for Windows XP and Windows Vista, and my clear favorite is F-Secure’s Blacklight, which combines thorough system scanning with the familiar interface reminiscent of a standard antivirus program.

On the other hand, do-it-yourself types will find plenty to like in GMER. The utility offers fine-grained control over which files it scans, and it produces detailed reports of your system’s processes, files, Registry entries, and other rootkit-related information.

Trend Micro’s Rootkit Buster beta is similar to Blacklight, but the program’s scans are suspiciously brief.

I ran the three rootkit scanners on two different PCs: one running Windows XP and the other Vista. Since none of the programs found anything dangerous on either system, I wasn’t able to test their rootkit-removal skills, which generally involve renaming or deleting the problem files and processes they discover.

Fortunately, German research group AV-Test recently completed an exhaustive test of more than 20 rootkit-removal tools of all types. Mark Joseph Edwards’ PC-Tune-Up column in this week’s issue describes those results.

If it wasn’t for the fact that all three utilities reported the same result, I might have doubted their cheerful news. That’s why I recommend that you use more than one rootkit remover on your PC.

Doing so is easy, since all three of the programs I tested are only about 1MB in size. Also, they require no installation or registration, and — unlike running multiple antivirus programs — the rootkit scanners don’t conflict with one another.

The simple, secure way to check for rootkits

Antivirus maker F-Secure was one of the first vendors to offer a standalone rootkit detector and remover. In fact, the rootkit-rooting capabilities in F-Secure’s Blacklight utility are also found in the company’s U.S. $80 F-Secure Internet Security 2008 suite as well as in its free online virus scanner.

Blacklight is about as easy to use as a program can be: just download and run, no installation necessary. By default, Blacklight scans for hidden processes, files, and folders. Although not listed, the utility also checks the hard disk’s master boot record.

Figure 1. F-Secure’s free Blacklight rootkit-scanning utility is a snap to use.

The program’s scan took only three minutes to complete on my lightly used and relatively fast Vista test system. On the slower Windows XP laptop, however, the scan lasted a good half-hour.

When Blacklight identifies a hidden file or process, it prompts you to rename the interloper to prevent it from functioning in the future. You can also run Blacklight in a more aggressive mode, although the company says doing so could produce false-positive results.

A complete — albeit slow — rootkit scanner

GMER may be the most thorough rootkit detector and cleaner available. The program scans for hidden processes, files, NTFS alternate data streams, services, Registry keys, drivers, and suspicious hooks into drivers.

Like the other two free rootkit scanners I tested, GMER requires no registration or installation — just download the program, extract it from its zip archive, and run the scan.

GMER’s scans take nearly as long as Blacklight’s to complete, which may indicate that GMER is doing a very thorough search. Hidden processes that the program thinks are malware of some kind are highlighted in red. GMER then adds a delete command to its context menu.

When a fast scanner may be too fast

Like the Blacklight and GMER rootkit detectors, Trend Micro’s Rootkit Buster is a download-unzip-run affair. The program’s few scanning options are straightforward: files and master boot record, Registry, processes, and drivers. To rid your system of the rootkits it finds, simply select the detected items and click the Delete button.

My only concern regarding Rootkit Buster is that the program’s scans took almost no time to complete on the Vista test system, and only a few minutes to finish on the XP test machine, compared to Blacklight’s 30-minute-plus perusal. While the quick scans could simply be the result of better programming, I suggest that you use Rootkit Buster as an adjunct to another rootkit detector.

Scott Spanbauer frequently writes for PC World, Business 2.0, CIO, Forbes ASAP, and Fortune Small Business. He has contributed to several books and was technical reviewer of PC Hacks.

Testing the effectiveness of rootkit removers

By Mark Joseph Edwards Several new anti-rootkit tools have been released recently, and existing security tools have been enhanced to protect your PC from rootkit infection. Now third-party tests reveal which rootkit removers do the best job of protecting your system.

Security suites vs. specialty rootkit defenders

Rootkits are malware programs that provide their authors with direct access to your computer without your knowledge or permission. The programs typically gain administrative-level access to your system and avoid detection by standard antivirus scans. (See Scott Spanbauer’s review of three free rootkit removers in this week’s Best Software column.)

Some security vendors have recently broadened their definition of a rootkit to include any program that allows unauthorized access or stealth activity to occur. For example, if a program hides any files on your computer, a vendor might call it a rootkit. So be aware that what constitutes a rootkit is no longer consistent among security vendors.

Blurry definitions aside, there are a number of malware packages that do, in fact, fit the historic definition of a rootkit. First, you need to find out whether your PC is already infected by a rootkit and, if it is, how to disinfect it. Then you need to make sure that these programs are prevented from making their way into your computer.

There are currently at least 14 standalone anti-rootkit tools, six Web-based tools, and seven security suites that claim to detect and/or remove rootkits. What’s needed is a way to determine which ones are best at preventing a rootkit infection and removing the buggers when they make their way onto your machine.

German research group AV-Test recently conducted an analysis (PDF) to determine how well anti-rootkit tools detect and remove the pests. The company’s tests were conducted using Windows XP SP2 and were begun on Oct. 25, 2007. Granted, that was over half a year ago, but rootkit testing takes quite a long time. For example, AV-Test points out that testing just one product against 60 rootkit samples can take as much as 20 to 30 hours.

The organization’s tests determined how well the tools prevented initial rootkit infiltrations as well as their ability to detect and remove a rootkit already present on the test machine, along with any malware installed by the rootkit.

According to AV-Test’s results, the best-performing security suite is BitDefender Internet Security 2008, which recorded near-perfect scores across the board. The second-best rootkit-detecting suite is Kaspersky Internet Security 7.

The best Web-based rootkit-removal tools are F-Secure Online Virus Scanner and Panda Security ActiveScan.

Topping the list of specialized rootkit detectors is AVG Anti-Rootkit Free (which is now available only in commercial versions of AVG 8), followed closely by Rootkit Unhooker LE; this program has since been acquired by Microsoft.

Keep in mind that AV-Test did not call out specific winners in any category. Instead, the group lists the test results broken down by areas of functionality. The tools I named as the best were chosen by me based on their scores across all of the tests.

While most of the tests involve Windows XP SP2, the report includes a much smaller set of test results for systems running 32-bit Vista Ultimate Edition. These tests used only six rootkit samples. Their results indicate a three-way tie for first place: F-Secure Antivirus 2008, Norton AntiVirus 2008, and Panda Security Antivirus 2008. Each achieved perfect scores in detection and removal of active and inactive rootkits.

If you’re wondering what other rootkit-removal tools might be available beyond those included in the tests, head over to Antirootkit.com, where you’ll find a list of 32 such tools, the majority of which are free.

SQL injection attacks on the rise

During the past few months, SQL injection attacks have been used to break into hundreds of thousands of Web sites powered by Microsoft’s Internet Information Server (IIS) and SQL Server. The attacks pass unauthorized SQL queries to backend database servers, where they perform any of number of actions, such as deleting entire databases or tables and modifying various types stored data, including text and HTML.

Microsoft, SANS, Shadow Server, Trend Micro, F-Secure, and numerous other organizations have written about the ongoing problem, which has been occurring since at least last March.

In a nutshell, the bad guys are exploiting flaws in ASP.NET applications to inject unwanted HTML code into database records. That HTML eventually winds up in Web pages. When you browse to the page, the HTML code tries to exploit security vulnerabilities in browsers and related tools to install a variety of malware onto your PC.

These attacks are possible because of security bugs in various ASP.NET-based applications. Apparently, many developers have overlooked the need to properly sanitize input supplied by Web users.

For example, a Web form might ask people to enter their name and e-mail address to sign up for a newsletter. Along with that information, a hacker could add some special characters and a valid SQL query statement. If that input isn’t properly sanitized before it’s sent to the SQL server, the server might be tricked into executing the query supplied by the bad guy.

The solution is to audit your Web applications to make sure they sanitize user-supplied input. Microsoft’s article entitled “How To: Protect From SQL Injection in ASP.NET” explains the required steps.

OpenOffice.org 3 is ready for beta testing

The beta version of OpenOffice.org 3 is available for download. The increasingly popular productivity suite adds some important new features in this release.

For example, the new version supports Microsoft Office 2007 file formats, including the XML formats used by Word 2007, Excel 2007, and PowerPoint 2007. OpenOffice.org 3 is also guaranteed to run just fine on Vista PCs.

OpenOffice.org’s Calc spreadsheet adds the Solver component that helps calculate a cell value based on the factors related to other cells. Also, a new collaboration feature lets several people work on a single spreadsheet. The program now supports as many as 1024 spreadsheet columns; the previous release was limited to a maximum of 256 columns.

Another big change in the suite is its support for OS X, which will no longer require the X11 window environment. Version 3 comes with native support for the OS X’s Aqua graphical environment. OpenOffice.org’s developers say the new version runs on OS X the same as any other Aqua application.

Five vulnerabilities fixed in PHP 5.2.6

Many of you undoubtedly use PHP to drive some aspects of your Web sites. The developers of PHP recently released version 5.2.6, which contains five important security fixes. Be sure to upgrade your systems as soon as possible.

Note that official support for the PHP 4.x branch is about to end. In July 2007, the PHP development team said, “We will continue to make critical security fixes available on a case-by-case basis until 2008-08-08.” So there’s your cutoff deadline. Make plans to upgrade to PHP 5.x no later than August 8!

Looking ahead, PHP 6 is on the horizon, and that version might break some of your Web applications. For example, several long-standing features, including Register Globals, Magic Quotes, and Safe Mode, will be removed in PHP 6, as will support for Freetype 1.x and the GD 1.x graphics library.

While the release date for PHP 6 has not yet been set, I checked the program’s status on May 15 and learned that the development cycle was about 62% complete.

For a complete rundown on PHP 6’s major differences, head over to the COREPHP site. Checking into the upcoming changes for PHP 6 now will give you a head start on making sure your applications will work right later.

If you’re interested in trying PHP 6 while it’s still in development, head over to PHP’s snapshot page to download a copy.

Mark Joseph Edwards is a senior contributing editor of Windows IT Pro Magazine and regularly writes for its Security Matters blog. He’s a network engineer, freelance writer, and the author of Internet Security with Windows NT.

HP recommends against installing Windows XP SP3

By Susan Bradley Both HP and Microsoft are working to fix problems causing AMD-based PCs to reboot repeatedly after XP Service Pack 3 is loaded. In the meantime, security expert Dr. Jesper Johansson has beaten the companies to the punch by devising a tool that ensures AMD machines can be patched.

I repeat: don’t be in a hurry to install XP SP3

As I described in last week’s column, HP recommends that its customers put their XP Service Pack 3 installation plans on hold. According to the Microsoft Update Product Team blog, Microsoft plans to block the service pack from being offered to users of the systems affected by the reboot bug.

If you prefer not to wait, Dr. Jesper Johansson has created a fix that can be downloaded from his blog. In fact, Dr. Johansson’s site is probably the best resource for tracking issues associated with XP SP3.

In addition to the many readers who have e-mailed me to describe problems they’ve encountered after installing XP SP3, a second and larger group of people ask whether they even need the update if they’ve been applying security and other XP patches as they become available.

Given that every analyst — including me — is telling them the service pack’s most noteworthy enhancements involve networking and other IT-related matters, many ask whether they need XP SP3 at all.

You needn’t hurry to install XP SP3 right now, but there will be a time to do so. According to the Microsoft Support Lifecycle page, old Office service packs are supported for only one year after a new one is released, but Windows service packs receive a full 24 months of support following the delivery of their successors.

You’re safe as long as you plan to install XP SP3 prior to Apr. 14, 2009, which is the date Microsoft’s free, unlimited support will end for XP SP2 (although security patches will still be offered). Microsoft will provide free “installation and compatibility” support for SP3 until that same date, as stated on the company’s XP SP3 support site.

For me, the wait time before installing a Windows service pack is typically from two to six months after its initial release. By that time, the kinks have likely been worked out of the service pack, and you can bring all your XP systems up to date.

Foxit Reader flagged as vulnerable

We recently recommended Foxit Reader as a free alternative to Acrobat Reader for viewing PDF files. If you use Foxit Reader, keep an eye out for an important security update.

Secunia advises that Foxit Reader version 2.3 build 2825 is vulnerable to a buffer overflow that allows a remote attack on your system. The problem will be fixed in the upcoming build 2912.

If you are running Foxit and use the Secunia Software Inspector scanner (which we have also recommended), be aware that at this time the service will flag Foxit Reader as vulnerable.

Vista SP1 conflicts with IDT audio drivers

Some audio drivers continue to block Vista Service Pack 1 from installing, although this week the Vista systems affected by the glitch may receive new audio drivers automatically via Windows Update.

In a post on TechNet, Microsoft forum manager Anthony Mann indicates that new drivers for OEM machines that need updated IDT audio drivers will be offered on Windows Update beginning this week. My sister’s Dell PC runs Vista and has this audio driver, but she hasn’t yet been served up Vista Service Pack 1.

Knowledge Base article 948343 details the reasons that these systems are still not being offered Vista SP1 via Windows Update. In my sister’s case, the IDT/SigmaTel audio drivers on her PC continue to block Vista SP1 from being included in the automatic updates.

This week Intel updated the video drivers that were blocking Vista SP1, so if you’re still waiting for the service pack to be included in your updates, your wait may be over.

Office 2007 SP1 will auto-update in June

According to the Office Sustained Engineering blog, Microsoft will begin to install Office 2007 Service Pack 1 automatically around June 16, 2008. You’ll receive the patch at that time if you have enabled automatic updates on your PC.

In my office, the only problem has occurred when both Office 2003 SP3 and Office 2007 SP1 were deployed together. I had to ensure that Office 2007 SP1 was installed last, as I noticed some issues relating to SharePoint when I installed Office 2003 SP3 after Office 2007 SP1 was in place.

Mozilla unveils Firefox 3 release candidate

The Mozilla Foundation has released a candidate for version 3 of its Firefox browser. The new version reportedly prevents infection when you visit sites that are known to host malware (or suspected of doing so).

The Firefox 3 site indicates that the new version will inform you when a site you visit contains malware. I’m not sure whether the browser uses filtering software from a third party or some other technique to identify risky sites. I’ll report on this feature once Firefox 3 is officially released.

The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.