False positive Adware.Cydoor on rundll32.exe
FanJ
July 23rd, 2004, 08:22 PM
Dee, Pollux and Tuntankamon found a false positive in this thread:
http://www.wilderssecurity.com/showthread.php?t=42414
I agree with you guys !
Kudos to the three of you for finding this one !!! :D
What is it all about:
TDS-3 with Radius-file from Friday 23-July-2004 gave a positive warning that rundll32.exe was infected with Adware.Cydoor.
This is a false positive from TDS-3.
I too started a full system scan by TDS-3.
As soon as I saw a warning from TDS-3 on my D-partition, I let it stop scanning D and my other partitions, and let TDS-3 only further scan C.
My scandump by TDS-3:
Scan Control Dumped @ 01:25:11 24-07-04
Positive identification (in archive): Adware.Cydoor
File: rundll32.exe (In d:\ers9x\zipped\vitalw1.zip)
Positive identification (in archive): Adware.Cydoor
File: rundll32.exe (In d:\ers9x\zipped\vitalw2.zip)
Positive identification: Adware.Cydoor
File: c:\windows\rundll32.exe
Positive identification: Adware.Cydoor
File: c:\program files\greatis\regrunsuite\files\rundll32.exe
- end scandump -
Just to tell you a bit more:
I run W 98 SE.
ERS9X is a software backup program (giving you the capability to backup the most important parts of your OS on a FAT32-system; Paul and Snap will know what I'm talking about; the program is mentioned on the Wilders-org site ;) ).
RegRun does not need any further introduction : a great program for your registry.
The mere fact that TDS-3 gave alerts on rundll32.exe in the "archives" of those programs already proves more or less that this is a false positive.
Later I'll run my other scanners to give more proof; but I'm already sure that this is a false positive by TDS-3.
FanJ
July 23rd, 2004, 10:23 PM
OK, I scanned with several of my other scanners (and I do have a lot of them ;)):
nothing has been found on that file ;)
Want another proof?
Here is what my NISFileCheck tells me about it:
Application: c:\windows\rundll32.exe
Status: Unchanged
Version old: 4.10.1998
Size old: 24576
Date old: 1999-05-05 22:22:00
RMD160 Hash old: C09ACD2F85740F06D1BA085D9DBB7263F80F1677
None of my scanners ever found anything on that file.
According to NISFileCheck that file hasn't been changed !
I never ever found anything that could fool my much beloved NISFileCheck !!!
And it is run with my usual AV and AT resident.
Later I will do another scan with ADinf32 Pro, using its so-called BIOS-call (completely by-passing Windows !!!), to check again whether that file has been changed. But in fact I'm already sure that it will not find a change on that file.
Oh, if you want to let the CRC32 test in TDS-3 check whether that file has been changed: add it (with its full path) to the file crcfiles.txt in the subdir config of your TDS-3 directory.
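The check FanJ describes here (size, date and hash of the file compared against a stored baseline, or the CRC32 list in crcfiles.txt) is the right way to adjudicate a scanner alert on a system file: a changed hash means the file is not what it was, an unchanged one points at the signature. As an added example, not part of this thread nor of NISFileCheck or TDS-3, here is a minimal baseline-and-compare script in Python. It substitutes SHA-256 for the RMD160 that NISFileCheck prints (an assumption for portability; the logic is identical), and the file names and contents in demo() are constructed.

```python
"""Added example (not from the thread): a minimal file-integrity baseline
in the spirit of NISFileCheck / TDS-3's crcfiles.txt. It records size and a
cryptographic hash per watched file, then reports each file as Unchanged,
Changed, Missing or Zero-byte on a later check. SHA-256 replaces the RMD160
NISFileCheck reports (assumption, chosen for portability)."""
import hashlib
import os
import tempfile


def file_record(path):
    """Return (size, sha256 hex digest) for a file, hashing in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def build_baseline(paths):
    """Record size and hash for every path that exists as a regular file."""
    baseline = {}
    for p in paths:
        if os.path.isfile(p):
            baseline[p] = file_record(p)
    return baseline


def check_against(baseline):
    """Compare the current state of each baselined file with its record.
    Statuses mirror NISFileCheck's 'Status: Unchanged' line, plus Missing
    and Zero-byte (the stray empty rundll32.exe copies seen in the thread)."""
    report = {}
    for p, (size_old, hash_old) in baseline.items():
        if not os.path.isfile(p):
            report[p] = "Missing"
            continue
        size_new, hash_new = file_record(p)
        if size_new == 0:
            report[p] = "Zero-byte"
        elif size_new == size_old and hash_new == hash_old:
            report[p] = "Unchanged"
        else:
            report[p] = "Changed"
    return report


def demo():
    """Constructed scenario (hypothetical files, not real binaries): baseline
    four files, then modify one, truncate one to 0 bytes, remove one."""
    d = tempfile.mkdtemp()
    names = ["rundll32.exe", "notepad.exe", "wordpad.exe", "scanregw.exe"]
    paths = [os.path.join(d, n) for n in names]
    for p in paths:
        with open(p, "wb") as fh:
            fh.write(b"MZ" + os.path.basename(p).encode() * 100)
    base = build_baseline(paths)

    with open(paths[1], "ab") as fh:    # notepad.exe: one byte appended
        fh.write(b"\x90")
    open(paths[2], "wb").close()        # wordpad.exe: truncated to 0 bytes
    os.remove(paths[3])                 # scanregw.exe: removed

    report = check_against(base)
    return {os.path.basename(p): s for p, s in report.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"Application: {name}\nStatus: {status}\n")
```

In practice the baseline would be written to disk (as crcfiles.txt is) right after a clean install, and a file should only be reported "Unchanged" when both size and hash match; a size match alone is what a patched binary can still satisfy.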
dee
July 23rd, 2004, 10:36 PM
Diamondcs appears to be checking this out. I'd renamed rundll32.exe to rundll32.bak - & today TDS3 said at once that file rundll32.exe didn't exist, but brought up a warning dialogue about File trace trojan filename Worm, please submit, so I did that.
Now I've renamed the file to what it was originally. And as soon as I started a TDS3 scan, its interface informed me that a background upload of rundll32.exe to DiamondCS Labs had started.
FanJ
July 23rd, 2004, 10:55 PM
-{ Quote: "Diamondcs appears to be checking this out. I'd renamed rundll32.exe to rundll32.bak - & today TDS3 said at once that file rundll32.exe didn't exist, but brought up a warning dialogue about File trace trojan filename Worm, please submit, so I did that.
Now I've renamed the file to what it was originally. And as soon as I started a TDS3 scan, its interface informed me that a background upload of rundll32.exe to DiamondCS Labs had started." }-
Hi Dee,
Please leave that file rundll32.exe as it was.
In my humble opinion (but I'm only human and can make mistakes like everyone else) it is a false positive from TDS-3.
We have to wait for the DiamondCS-guys to jump in.
You yourself did already a great job !!!
So please be a little patient and wait for the DiamondCS-guys to give you further advice.
Regards, Jan.
dee
July 23rd, 2004, 11:35 PM
OK, I'll keep it as rundll32.exe like it was originally. At least it has already been submitted to DiamondCS as rundll32.exe in that "background upload".
Pilli
July 24th, 2004, 01:44 AM
Just run a full scan here. No alarms - XP Pro SP1 fully patched.
So is this a W9* problem?
*\winnt\system32\rundll32.exe 31KB, Version 5.1.2600.0
06:08:55 [Init] • Systems Initialised [36097 references - 14238 primaries/10056 traces/11803 variants/other]
06:08:55 [Init] Radius Systems loaded. <Databases updated 23-07-2004>
Jooske
July 24th, 2004, 02:05 AM
Maybe when it is located in windows\system instead of system32 :) or in windows.
I got the alarm as well on win98se, so let's await other comments of not-98 users.
pollux
July 24th, 2004, 03:48 AM
Well, I must say that it's interesting to have encountered this potential false positive during my very first use of TDS-3.
rundll32.exe is located in different directories in different versions of Windows. See Merijn's collection of backup Windows system files (http://www.spywareinfoforum.com/%7Emerijn/winfiles.html#rundll32), for example:
-{ Quote: "
rundll32.exe
Located in:
Windows 95/98/98SE/ME: C:\WINDOWS
Windows NT4/2000: C:\WINNT\System32
Windows XP: C:\WINDOWS\System32
" }- I compared file size of the XP version of rundll32.exe (downloaded from Merijn.org) with that of my own Windows 98 version. The XP version is 31,744 bytes; the Windows 98 version is 24,576 bytes.
Since rundll32.exe file is both in a different location and of a different size in different versions of Windows, it would not be surprising to me if the possible false positive were detected only in a particular version, in this case Windows 9x.
pollux
pollux
July 24th, 2004, 04:07 AM
Addendum:
As I said in my post in the other thread, when TDS-3 flagged rundll32.exe as adware.Cydoor, I replaced the file from my Windows 98 installation disks (after renaming the original version). I then immediately scanned the brand new rundll32.exe file, and it was once again detected as adware.Cydoor.
That's what makes me think it is a false positive, along with the fact that TDS-3 and the rest of my security layers show nothing amiss. I don't think dee needs to worry about having replaced that particular file (although rundll32.exe could be involved somehow in the other truly nasty thing dee's encountered - here's another article about the Hackarmy trojan (http://zdnet.com.com/2100-1105_2-5281604.html?tag=zdfd.newsfeed)).
pollux
dee
July 24th, 2004, 04:53 AM
OH dear, someone tell me what to think!
My machine booted normally after I'd renamed that file. Now that the file has been uploaded to DiamondCS, I feel I should again rename the file just in case. I'm only a garden-variety computer user after all.
pollux
July 24th, 2004, 05:17 AM
dee, anyone who's as involved in keeping their computer secure as you obviously are is more than "garden-variety user"! :)
I didn't say what I intended very clearly, even after editing my post. Here's my opinion on your situation (and it's just an opinion!) :
I think it would be useful for you to separate the Hackarmy detection from the rundll32.exe detection at this point. (In fact, I think FanJ was implying the same idea when he made this new thread, and I'm sorry if I muddied the waters). It is clear that the Hackarmy detection is not good; it seems like the rundll32.exe detection is a false positive.
Concerning the Hackarmy detection, there are some things you can do, as Jooske has already indicated in your other thread (I'm going to go post over there in a minute myself). Concerning rundll32.exe, I don't think there's anything more to be done. As I understand it, you've already replaced rundll32.exe with a fresh copy of the file. It seems that now we'll just need to wait and see if we receive confirmation that the adware.Cydoor is a false positive.
Sorry if I added to the confusion. (See you over in your other thread!)
pollux
FanJ
July 25th, 2004, 11:17 PM
I've seen both Wayne and Jason in the meanwhile logged on here on the board.
May I ask an explanation?
Thanks, Jan.
dee
July 26th, 2004, 01:53 AM
Just thought I'd mention - TDS3 updated this arvo, still shows "File trace:default Trojan file name - Worm, please submit - C:\Rundll32.exe"
So that part hasn't changed. But I just received an email from DiamondCS saying -
"Re TDS3 File submission from Scan console
Hi,
This was probably created by Execution Protection, a 0 byte file can't be anything
Just delete it or ignore the alarm"
Tassie_Devils
July 26th, 2004, 02:01 AM
This is an interesting thread from the point of view that not many others have reported this???
I completed a scan last night [Sunday night here] and still had Fri 23/07 data base.
I got no alerts at all apart from my usual 3 "dual extensions" and the GRC's LeakTest app.
@ dee... have you looked in your TDS folder and deleted the 0 bytes files? then rescan.
Cheers, TAS
dee
July 26th, 2004, 02:09 AM
The only 0KB file in any of the TDS folders is scanregw, 0KB, last modified 25/07/04.
Can I safely delete this?
Jooske
July 26th, 2004, 02:10 AM
Jan, the Radius databases are Gavin's field.
In a Windows search/find I found several rundll32.exe files of 0 bytes in various locations and of different dates; those indeed one can ignore, but TDS alarmed on the real original files only, of course.
On a Win9x system 0-byte files are always 0 bytes; only on XP/NT/2000/2003 systems might there be a doubt whether they are really 0 bytes or contain possibly invisible NTFS ADS streams.
So you can delete them occasionally. The only annoyance such 90 bytes files create is that the system might not do all you want it to do:
for instance, many users see a notepad.exe and/or wordpad.exe of 0 bytes in the TDS directory. When you try to use notepad or wordpad, Windows looks in the path back from where you are. Say you try to run a notepad function in TDS; Windows (which created those 0-byte files itself in the first place, for reasons unknown) tries to start that 0-byte version in the TDS directory, which doesn't run of course. It seems to forget that notepad and wordpad are global files which should work everywhere. But ok, one can delete the 0-byte version each time again, or copy the original notepad.exe and wordpad.exe files --which are only small anyway-- into the TDS directory; now Windows can create as many 0-byte copies as it wants, and your notepad and wordpad keep functioning.
So with that you don't need to hunt for 0-byte files all the time, just occasionally when you feel like it.
How does a 0-byte scanreg come into the TDS directory? It can only be that you had TDS running and tried to run scanreg, I guess?
Gavin - DiamondCS
July 26th, 2004, 03:24 AM
Sorry I didn't get a chance to report here sooner, yes as posted by Jan (thanks!) this is a false alarm. The detection has been completely removed and a new database will be available by the time most read this
dee
July 26th, 2004, 04:24 AM
-{ Quote: "Jan, the Radius databases are Gavin's field.
In a windows search/find i found several rundll32.exe files of 0 bytes in various locations.....
How a scanreg 0 bytes comes in the TDS directory? Can only that you had TDS running and tried to run scanreg i guess?" }-
I have an extra rundll32.exe file, 0KB, modified 24/07/04, in C:\windows, maybe to do with TDS3's false positive?
I never do a manual scanregw before everything else is shut down, so dunno how the 0KB one came to be in TDS folder. I think I'll leave those 0KB files alone!
Jooske
July 26th, 2004, 04:53 AM
Remember you changed the name and back to the original name on that day?
Gavin removed detection from the radius, so it won't bother us win9x users anymore, even though it's most probably one of the worst windows secrets of all times. ;D
Look in your autostart: didn't you have there an entry for scanning your registry for integrity on a daily basis or at each reboot, so that in case of failure the last working registry is put back? Didn't you ever look in the system properties and check for registry integrity or errors, or ask it for an extra saved copy?
dee
July 26th, 2004, 05:30 AM
I kinda guessed that might have had a bit to do with me renaming the file after that false positive.
You're blinding a lamer with science, Jooske! A little free DOS utility, WRP, runs a batchfile so that I always have 10 registry backups. As long as Win98 boots, I do nothing, but if it doesn't, I can choose which of the 10 to restore. WRP doesn't check for integrity, & as long as Win boots, I'm happy; also WRP backs up certain files [natch I'm not sure which, though it does display them]. I look in WRP's folder each day to check whether system.dat & user.dat are the same size as before.
Occasionally I restart in MS-DOS, & fix/opt the registry, that's about my limit, sorry, but I prefer not to confuse my ambitions with my capabilities.
Now that I'm sure my computer's clean [if that's confirmed in my other thread re where these trojans were], I'll tidy up a few unnecessaries on this machine, & image Windows again, cos I can handle imaging/restoring, whereas the registry scares me!
Pilli
July 26th, 2004, 05:48 AM
Dee & Jooske, Amazing, you must keep your PC's very tidy, most ppl I know running W98 have to reformat every 6 - 12 months just to get rid of all the rubbish! ;D
dee
July 26th, 2004, 06:51 AM
Jooske's smart & experienced & knows far far more than me, I just follow instructions.
Nearly 2 yrs ago I decided that I never ever wanted to do another clean install again, so I wrestled with fdisk [several times to get it right!] then I progressed to imaging/restoring.
I do custom installs of everything, & these are monitored with the free Total uninstall, & I do a tiny bit with the free Regclnr.exe - Plus regular imaging! My win98 registry's just above 5MB. No BSOD's since that last clean install.
FanJ
July 26th, 2004, 07:50 AM
-{ Quote: "Sorry I didn't get a chance to report here sooner, yes as posted by Jan (thanks!) this is a false alarm. The detection has been completely removed and a new database will be available by the time most read this" }-
Thanks a lot Gavin ! :)
Keep up the good work !
Warmest regards, Jan.
pollux
July 26th, 2004, 11:06 AM
-{ Quote: " Sorry I didn't get a chance to report here sooner, yes as posted by Jan (thanks!) this is a false alarm. The detection has been completely removed and a new database will be available by the time most read this. " }-
Hello, all.
I've finally had the opportunity to download the new database and completely scan my Windows 98 system. I'm happy to confirm that the adware.Cydoor rundll32.exe false positive has been fixed.
Thanks for your quick response!
pollux
dee
August 4th, 2004, 09:58 AM
-{ Quote: "Hello, all.
I've finally had the opportunity to download the new database and completely scan my Windows 98 system. I'm happy to confirm that the adware.Cydoor rundll32.exe false positive has been fixed.
" }-
I'm still waiting for this to happen! Though it's not worrying me now, I thought someone might be interested to know that, despite daily radius updates, TDS3 still gives the same message -
"File Trace: Default Trojan filename Worm please submit C:\Rundll32.exe"
Jooske
August 4th, 2004, 10:09 AM
So do submit the file as it was deleted from detection many days ago.
I suppose you did update the radius file each day? With that it can't even be detected anymore, so either you didn't update properly each day or something else is the matter.
dee
August 4th, 2004, 11:07 AM
Yes, the radius updates have been done faithfully every day yet TDS3 displays the same alarm. NOD 32 has found nothing & I haven't d/loaded anything.
But when I get TDS3 to scan C drive, it finds nothing, & the alarm then disappears from the interface. I'm sure my radius update is bound to catch up with this false positive and I just wonder why I'm so "blessed".
FanJ
August 4th, 2004, 01:22 PM
Hi Dee,
Are you sure that your TDS-3 is showing you this:
19:17:52 [Init] • Systems Initialised [36478 references - 14495 primaries/10141 traces/11842 variants/other]
19:17:52 [Init] Radius Systems loaded. <Databases updated 04-08-2004>
What is exactly the alert from TDS-3?
Please post a scandump.
dee
August 4th, 2004, 06:45 PM
Yes, those are exactly the same figures shown in TDS3 here.
Scandump txt:-
Scan Control Dumped @ 08:20:24 05-08-04
File Trace: Default trojan filename: Worm please submit.
File: C:\Rundll32.exe
But the "problem" is solved, hopefully permanently. I'd deleted the extra [0 KB] rundll32.exe - but it's back ! Closed TDS3, deleted that pesky file & emptied Recycle Bin AGAIN, sacrificed a virtual white chicken, then fired up TDS3 & no alarm now.
FanJ
August 4th, 2004, 07:42 PM
-{ Quote: "Yes, those are exactly the same figures shown in TDS3 here.
Scandump txt:-
Scan Control Dumped @ 08:20:24 05-08-04
File Trace: Default trojan filename: Worm please submit.
File: C:\Rundll32.exe
But the "problem" is solved, hopefully permanently. I'd deleted the extra [0 KB] rundll32.exe - but it's back ! Closed TDS3, deleted that pesky file & emptied Recycle Bin AGAIN, sacrificed a virtual white chicken, then fired up TDS3 & no alarm now." }-
Hi Dee,
I'm really happy that you managed to solve it ! :)
It must be that "sacrificed a virtual white chicken" that did the trick ;) ;)
Please keep us informed in case that alert might return...
Regards, Jan.
Copyright ©2002 - 2012, Wilders Security Forums