Cydoor cd_clint.dll False Positive

While checking a system for adware/spyware, SpyCop Spyware Remover reported that cd_clint.dll, which was in c:\windows\system32 was part of "ADWARE: Cydoor". Bazooka Spyware Scanner also reported the file as being part of Cydoor.

Though cd_clint.dll is part of Cydoor, this particular file with an MD5 checksum of 65fd7ea79f626f7b57f4d6ced6339f32 is not. Instead it is a dummy file from CEXX Labs, which is intended to allow you to execute a spyware-dependent program without fear that the program is impeding the system's performance with adware/spyware. The dummy file can be downloaded from "Dummy files for neutering spyware".

The CEXX.Org webpage providing the download states that Pest Patrol 4 also gives a false positive result for this file.

For more information on Cydoor and CD_Clint.dll see Advertising Spyware: CyDoor CD_Load.exe and CD_Clint.dll"

In addition to differences in size and MD5 checksums, you can also easily distinguish the CEXX dummy version of cd_clint.dll from the Cydoor adware version by right-clicking on the file and choosing Properties and then Version. The differences between the files are listed below. It is possible Cydoor has released multiple versions of cd_clint.dll, so the size, checksum, and version information may differ for other versions of the Cydoor cd_clint.dll Dynamic Link Library (DLL) file.

	CEXX Dummy Version	Cydoor Adware Version
Filename	cd_clint.dll	cd_clint.dll
Size	48.0 KB (48,640)	151 KB (154,624 bytes)
MD5 Checksum:	65fd7ea79f626f7b57f4d6ced6339f32	8ca847eba88f8f6505956b0069983811
Download Site #1	CEXX.Org	Moonpoint Support
Download Site #2	Moonpoint Support
Properties
File Version	1.0.0.0	3.2.1.0
Description	DLL (GUI)	Cydoor Technologies ad-system
Copyright	CEXX Labs + Mike Dombrowski	Copyright (C) Cydoor Technologies, Inc. 1999
Comments	"For that EXTRA comfort and protection"	This is a module of Cydoor's ad system. Additional information is available at http://www.cydoor.com
Company	CEXX Labs - www.cexx.org	Cydoor Technologies, Inc.
File Version	1.0.0	3,2,1,0
Internal Name	ProjectOne	CD_clint.dll
Language	English (United States)	English (United States)
Legal Trademarks	CYDOOR is a trademark of CYDOOR Technologies. CEXX.ORG is not affiliated with CYDOOR Technologies	Cydoor Technologies(tm)
Original File Name	project1.dll	CD_Clint.dll
Product Name	CEXX.ORG Spyware Condom (CYDOOR-Compatible)	Cydoor Technologies ad-system
Product Version	1.0.0.0	3,2,1,0
Special Build Description		14

Some antispyware software will report a false positive for the CEXX cd_clint.dll, identifying it as being part of Cydoor adware, apparently from the name alone. Programs I've found report a false positive and those I've found not to report it as malware are listed below.

Program	Program Version	Database/Definitions Version
False Positive Detection as Cydoor
Bazooka Scanner	1.13.03	8/8/2005
SpyCop	6.21	08-11-2005
Spy Sweeper	4.0.4 (Build 430)	492 (Updated on August 12, 2005)
No False Positive Detection
Ad-Aware SE Personal	Build 1.06r1	SE1R61 10.08.2005
ClamWin	0.86.2	19:39 08 Aug 2005 (main: 33; daily 1010)
Microsoft AntiSpyware Beta1	1.0.615	5743 (8/8/2005 8:01:19 PM)
Spybot Search & Destroy	1.4	2005-08-04
Symantec AntiVirus	9.0.0.338	8/10/2005 rev. 4

I also submitted the file to Jotti's Online Malware Scan, which scanned the file with 14 different antivirus programs all of which reported "found nothing" for the file.

References:

1. Advertising Spyware CyDoor CD_Load.exe and CD_Clint.dll
2. Dummy files for neutering spyware
3. Cydoor - Adware removal instructions

[/security/spyware/cydoor] permanent link

Norton Internet Security Network Access Problem

I've spent a few days trying to resolve a problem on a system where there was no web access, but I could ping IP addresses, except for the IP address of the system itself. I finally traced the problem to the Norton Internet Security 2002 firewall software running on the system.

[ More Info ]

[/os/windows/software/security/firewall] permanent link

Registry P3P History Key

While troubleshooting an Internet access problem on a system, I noticed a lot of entries for dubious sites in the registry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\. There were a lot of keys for domain names I know are associated with adware/spyware, such as 180solutions.com, brilliantdigital.com, and exactsearchbar.com. There were a lot of other dubious sounding domain names, such as casinoking.com, casinolasvegas.com, and casinodelrio.com. When I checked the values of the keys, I noticed they were all set as follows:

Name	Type	Data
(Default)	REG_DWORD	0x00000005 (5)

At Microsoft's WinInet Registry settings webpage, I found the following:

Per Site Cookie Handling

To handle site-by-site cookies, per-domain cookie decisions are stored under the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\<domain> key. The domains are added to the registry by WinInet when the user adds sites by using the Per Site Privacy Actions dialog box.

The default value of the <domain> key stores the decision value. The following table shows the possible values.

Value	Description
REG_DWORD: 1 (COOKIE_STATE_ACCEPT)	Accept all cookies from this site.
REG_DWORD: 5 (COOKIE_STATE_REJECT)	Reject all cookies from this site.

So a value of five in the key will block cookies from a site listed with that value. The values were probably placed there by one of the antispyware programs I previously installed on the system.

Internet Explorer 6 apparently checks the P3P keys to determine whether to allow a site to place a cookie on the system as described in IE6 and cookies. P3P stands for Platform for Privacy Preferences.

References:

1. WinInet Registry Settings
2. IE6 and cookies
3. P3P Public Overview

[/os/windows/registry] permanent link