{"id":415,"date":"2008-05-25T16:45:02","date_gmt":"2008-05-25T21:45:02","guid":{"rendered":"http:\/\/alsplace.aldenbaker.com\/alsplace\/opsys\/os-xp\/415\/xp-sp3-triggers-false-positives-in-security-apps\/"},"modified":"2008-05-25T16:55:24","modified_gmt":"2008-05-25T21:55:24","slug":"xp-sp3-triggers-false-positives-in-security-apps","status":"publish","type":"post","link":"http:\/\/alsplace.info\/?p=415","title":{"rendered":"XP SP3 triggers false positives in security apps"},"content":{"rendered":"\n\n

<\/p>\n

\n\n\n
\"Scott<\/td>\nBy Scott Dunn<\/p>\n

Installing Windows XP Service Pack 3 can cause your anti-malware programs to report the presence of Trojans and keyloggers that aren't there.<\/strong><\/p>\n

The false positives have blocked important system files in some cases, and in others they have misled users into reinstalling XP. <\/td>\n<\/tr>\n<\/table><\/div>\n

SP3 causes some malware scanners to cry "wolf" <\/strong><\/p>\n

Comments<\/a> on a PC Tools forum confirm customer reports that the company's Spyware Doctor program generates a false positive on systems with Windows XP SP3.<\/p>\n

Similarly, at least one site claims that Symantec's Norton Internet Security software identifies a common system file as a keylogger.<\/p>\n

ReviewSaurus reports<\/a> that XP SP3 causes Norton Internet Security to identify ctfmon.exe<\/strong> as a keylogger (a kind of malware that records your keystrokes to capture passwords and other important data).<\/p>\n

In reality, the ctfmon.exe<\/strong> file in your Windows\\System32 folder is a Microsoft system file that enables alternative input methods such as speech, tablet, or on-screen keyboard.<\/p>\n

A spokesperson for Symantec was not immediately available for comment.<\/p>\n

In the case of Spyware Doctor, the popular antispyware tool from PC Tools detects Trojan-Spy.Pophot.WX<\/strong> in RunDLL32.exe<\/strong> even if the system is uninfected. RunDLL32.exe<\/strong> is a system file that Windows uses to run code in dynamic link library (DLL) files.<\/p>\n

The scan may also implicate other related system files, according to a report<\/a> on the blog A Healthy Fear of Botulism.<\/p>\n

By default, Spyware Doctor prevents any files it identifies as infected from running. If an important system file such as RunDLL32.exe<\/strong> is flagged incorrectly, the result can be disastrous for your PC. For example, users may be blocked from opening Windows Control Panel or using System Restore, among other operations.<\/p>\n

One user who contacted us noted that blocking RunDLL32.exe<\/strong> created "an endless loop of scanning to remove the file, rebooting, finding the file again."<\/p>\n

"I've lost more than two days trying to fix something that was never broken," he adds. "As far as mistakes go, this is pretty major."<\/p>\n

Other Spyware Doctor customers just gave up: "I had the same problem today," reported<\/a> Dave (screen name doz3r). "I got tired of fighting with it and just reinstalled the OS."<\/p>\n

For its part, PC Tools claims that a patch is in the works. "We are implementing a fix immediately," wrote<\/a> Super Moderator Anthony Chen on the PC Tools forum.<\/p>\n

As of Wednesday evening, PC Tools has yet to make a fix available through the company's Smart Update feature.<\/p>\n

Until there's a fix, there's a workaround <\/strong><\/p>\n

In the case of the Norton Internet Security, ReviewSaurus advises users to ignore the false warning about ctfmon.exe<\/strong>.<\/p>\n

Until a fix is available from PC Tools, Chen advises customers to add RunDLL32.exe<\/strong> to the global action list manually. The workaround consists of the following steps:<\/p>\n

Step 1.<\/strong> In the Spyware Doctor window, click the Settings button on the left.<\/p>\n

Step 2.<\/strong> Click Global Action List to the right of that.<\/p>\n

Step 3.<\/strong> At the bottom of the window, click Add.<\/p>\n

Step 4.<\/strong> In the New Rule dialog box, choose "File on disk" from the "Select data type" drop-down list.<\/p>\n

Step 5.<\/strong> To the right of the text box below, click the … button to browse for a file. Locate and select RunDLL32.exe<\/strong> in the Windows\\System32 folder.<\/p>\n

Step 6.<\/strong> Make sure "Always allow" is selected in the drop-down list at the bottom and click the Add button.<\/p>\n

Other XP SP3 compatibility problems may yet loom <\/strong><\/p>\n

This is not the first problem created by Microsoft's latest (and last) service pack for Windows XP. Earlier this month, some HP PCs with an AMD processor experienced endless reboots after SP3 was installed.<\/p>\n

These and other issues are documented by Windows Secrets columnist Susan Bradley's Patch Watch<\/a> column in the paid section of this week's newsletter, as well as in her May 15<\/a> column. Bradley also where to buy viagra without a prescription<\/a> provides advice on preparing for SP3 in the paid section of the May 1<\/a> issue.<\/p>\n

If you are concerned about the effect the collection of patches that comprise XP SP3 will have on your PCs, wait a while before downloading and installing the service pack.<\/p>\n

Check the support sites of the vendors of your most important products for news of compatibility issues with SP3. As the problems experienced by users of these anti-malware programs show, a collection of patches as large as SP3 may require some patches of its own. <\/p>\n

\n

After the release of Windows XP SP3<\/strong> there are thousands of people who are facing various problems. The problems are from installation of SP 3<\/strong>, to post installation problems. All these problems occur because people really don’t follow the correct way of installing the service pack :<\/p>\n

In order to ensure that you don’t face such a problem please follow these steps<\/strong> –<\/p>\n

1. Download the service pack 3 from here (official microsoft download)<\/a> (direct link).
2. Restart the computer and boot the computer in safe mode.
3. Install the SP 3 from there.<\/p>\n

Note<\/strong> : If you don’t know how to boot in safe mode, then simply exit all the third party software and especially antivirus, firewall, anti-spyware etc.<\/p>\n

Please note<\/strong> : Some people who are using Norton internet security are reporting that it’s giving false positives after they install SP3. It’s telling ctfmon.exe as a keylogger. It’s just a false positive and you should ignore that alert from Norton internet security.<\/p>\n\n

\nBookmark to:<\/em><\/strong><\/a>\n
\n
\n
\n
\nHide Sites<\/a>\n<\/div>\n<\/div>\n\n