Sat, Aug 13, 2005 11:03 pm

Cydoor cd_clint.dll False Positive

While checking a system for adware/spyware, SpyCop Spyware Remover reported that cd_clint.dll, which was in c:\windows\system32, was part of "ADWARE: Cydoor". Bazooka Spyware Scanner also reported the file as being part of Cydoor.

Though cd_clint.dll is part of Cydoor, this particular file with an MD5 checksum of 65fd7ea79f626f7b57f4d6ced6339f32 is not. Instead it is a dummy file from CEXX Labs, which is intended to allow you to execute a spyware-dependent program without fear that the program is impeding the system's performance with adware/spyware. The dummy file can be downloaded from "Dummy files for neutering spyware".

The CEXX.Org webpage providing the download states that Pest Patrol 4 also gives a false positive result for this file.

For more information on Cydoor and CD_Clint.dll, see "Advertising Spyware: CyDoor CD_Load.exe and CD_Clint.dll".

In addition to differences in size and MD5 checksums, you can also easily distinguish the CEXX dummy version of cd_clint.dll from the Cydoor adware version by right-clicking on the file and choosing Properties and then Version. The differences between the files are listed below. It is possible Cydoor has released multiple versions of cd_clint.dll, so the size, checksum, and version information may differ for other versions of the Cydoor cd_clint.dll Dynamic Link Library (DLL) file.

|  | CEXX Dummy Version | Cydoor Adware Version |
|---|---|---|
| Filename | cd_clint.dll | cd_clint.dll |
| Size | 48.0 KB (48,640) | 151 KB (154,624 bytes) |
| MD5 Checksum | 65fd7ea79f626f7b57f4d6ced6339f32 | 8ca847eba88f8f6505956b0069983811 |
| Download Site #1 | CEXX.Org | Moonpoint Support |
| Download Site #2 | Moonpoint Support |  |
| Properties |  |  |
| File Version | 1.0.0.0 | 3.2.1.0 |
| Description | DLL (GUI) | Cydoor Technologies ad-system |
| Copyright | CEXX Labs + Mike Dombrowski | Copyright (C) Cydoor Technologies, Inc. 1999 |
| Comments | "For that EXTRA comfort and protection" | This is a module of Cydoor's ad system. Additional information is available at http://www.cydoor.com |
| Company | CEXX Labs - www.cexx.org | Cydoor Technologies, Inc. |
| File Version | 1.0.0 | 3,2,1,0 |
| Internal Name | ProjectOne | CD_clint.dll |
| Language | English (United States) | English (United States) |
| Legal Trademarks | CYDOOR is a trademark of CYDOOR Technologies. CEXX.ORG is not affiliated with CYDOOR Technologies | Cydoor Technologies(tm) |
| Original File Name | project1.dll | CD_Clint.dll |
| Product Name | CEXX.ORG Spyware Condom (CYDOOR-Compatible) | Cydoor Technologies ad-system |
| Product Version | 1.0.0.0 | 3,2,1,0 |
| Special Build Description |  | 14 |
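
The comparison above, as an added PowerShell example (not from the original post or from CEXX): it classifies a file by the size and MD5 values the post lists and falls back to the version resource for builds the post does not list. The function name `Get-CdClintVerdict` is hypothetical, and `Get-FileHash` requires PowerShell 4.0 or later.

```powershell
# Added example. Reference values are the ones published in the post above.
function Get-CdClintVerdict {
    param([Parameter(Mandatory)][string]$Path)

    $known = @(
        [pscustomobject]@{ Label = 'CEXX dummy';    Size = 48640;  MD5 = '65fd7ea79f626f7b57f4d6ced6339f32' }
        [pscustomobject]@{ Label = 'Cydoor adware'; Size = 154624; MD5 = '8ca847eba88f8f6505956b0069983811' }
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $md5  = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash.ToLowerInvariant()
    $info = $file.VersionInfo   # same strings as Properties > Version

    # Only an exact size + checksum match identifies a listed build.
    $match = $known | Where-Object { $_.MD5 -eq $md5 -and $_.Size -eq $file.Length }

    $verdict = if ($match) {
        $match.Label
    } elseif ($info.CompanyName -like 'Cydoor*') {
        'Unlisted build; version resource names Cydoor'
    } elseif ($info.CompanyName -like 'CEXX*') {
        # Version strings are self-declared, so this is a hint, not proof.
        'Unlisted build; version resource names CEXX (unverified)'
    } else {
        'Unknown file using the cd_clint.dll name'
    }

    [pscustomobject]@{
        Path        = $file.FullName
        Size        = $file.Length
        MD5         = $md5
        Company     = $info.CompanyName
        Description = $info.FileDescription
        FileVersion = $info.FileVersion
        Verdict     = $verdict
    }
}

# Usage (path taken from the post); skipped when the file is not present.
$target = 'C:\Windows\System32\cd_clint.dll'
if (Test-Path -LiteralPath $target) {
    Get-CdClintVerdict -Path $target | Format-List
}
```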

Some antispyware software will report a false positive for the CEXX cd_clint.dll, identifying it as being part of Cydoor adware, apparently from the name alone. Programs I've found to report a false positive and those I've found not to report it as malware are listed below.

| Program | Program Version | Database/Definitions Version |
|---|---|---|
| False Positive Detection as Cydoor |  |  |
| Bazooka Scanner | 1.13.03 | 8/8/2005 |
| SpyCop | 6.21 | 08-11-2005 |
| Spy Sweeper | 4.0.4 (Build 430) | 492 (Updated on August 12, 2005) |
| No False Positive Detection |  |  |
| Ad-Aware SE Personal | Build 1.06r1 | SE1R61 10.08.2005 |
| ClamWin | 0.86.2 | 19:39 08 Aug 2005 (main: 33; daily 1010) |
| Microsoft AntiSpyware Beta1 | 1.0.615 | 5743 (8/8/2005 8:01:19 PM) |
| Spybot Search & Destroy | 1.4 | 2005-08-04 |
| Symantec AntiVirus | 9.0.0.338 | 8/10/2005 rev. 4 |

I also submitted the file to Jotti's Online Malware Scan, which scanned the file with 14 different antivirus programs, all of which reported "found nothing" for the file.

References:

  1. Advertising Spyware CyDoor CD_Load.exe and CD_Clint.dll
  2. Dummy files for neutering spyware
  3. Cydoor - Adware removal instructions

[/security/spyware/cydoor] permanent link

Sat, Aug 13, 2005 9:39 pm

Norton Internet Security Network Access Problem

I've spent a few days trying to resolve a problem on a system where there was no web access, but I could ping IP addresses, except for the IP address of the system itself. I finally traced the problem to the Norton Internet Security 2002 firewall software running on the system.

[/os/windows/software/security/firewall] permanent link

Sat, Aug 13, 2005 1:06 pm

Registry P3P History Key

While troubleshooting an Internet access problem on a system, I noticed a lot of entries for dubious sites in the registry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\. There were a lot of keys for domain names I know are associated with adware/spyware, such as 180solutions.com, brilliantdigital.com, and exactsearchbar.com. There were a lot of other dubious-sounding domain names, such as casinoking.com, casinolasvegas.com, and casinodelrio.com. When I checked the values of the keys, I noticed they were all set as follows:

| Name | Type | Data |
|---|---|---|
| (Default) | REG_DWORD | 0x00000005 (5) |

At Microsoft's WinInet Registry settings webpage, I found the following:

Per Site Cookie Handling

To handle site-by-site cookies, per-domain cookie decisions are stored under the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\<domain> key. The domains are added to the registry by WinInet when the user adds sites by using the Per Site Privacy Actions dialog box.

The default value of the <domain> key stores the decision value. The following table shows the possible values.

| Value | Description |
|---|---|
| REG_DWORD: 1 (COOKIE_STATE_ACCEPT) | Accept all cookies from this site. |
| REG_DWORD: 5 (COOKIE_STATE_REJECT) | Reject all cookies from this site. |

So a value of five in the key will block cookies from a site listed with that value. The values were probably placed there by one of the antispyware programs I previously installed on the system.

Internet Explorer 6 apparently checks the P3P keys to determine whether to allow a site to place a cookie on the system, as described in "IE6 and cookies". P3P stands for Platform for Privacy Preferences.
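
An added PowerShell example (not part of the original post or of Microsoft's documentation) that lists every domain under the P3P History key with its decoded decision, which makes bulk entries such as the REG_DWORD 5 values described above easy to review. The function name `Get-P3PSiteDecision` is hypothetical, and only the two decision values quoted above are decoded.

```powershell
# Added example. Reads the per-site cookie decisions described above.
function Get-P3PSiteDecision {
    param(
        [string]$HistoryKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History'
    )

    # The key only exists once at least one per-site decision has been stored.
    if (-not (Test-Path -LiteralPath $HistoryKey)) { return }

    # The two decision values documented on the WinInet page quoted above.
    $labels = @{ 1 = 'COOKIE_STATE_ACCEPT'; 5 = 'COOKIE_STATE_REJECT' }

    Get-ChildItem -LiteralPath $HistoryKey | ForEach-Object {
        $raw  = $_.GetValue('')        # '' selects the key's (Default) value
        $kind = if ($null -ne $raw) { $_.GetValueKind('') } else { 'None' }

        $decision = if ($kind -eq 'DWord' -and $labels.ContainsKey([int]$raw)) {
            $labels[[int]$raw]
        } elseif ($null -eq $raw) {
            'No (Default) value set'
        } else {
            "Not a documented decision: $raw ($kind)"
        }

        [pscustomobject]@{
            Domain   = $_.PSChildName   # subkey name is the domain
            Value    = $raw
            Decision = $decision
        }
    }
}

# Summary per decision, then the blocked domains in alphabetical order.
$sites = @(Get-P3PSiteDecision)
$sites | Group-Object Decision | Select-Object Count, Name
$sites | Where-Object Decision -eq 'COOKIE_STATE_REJECT' |
    Sort-Object Domain | Select-Object -ExpandProperty Domain
```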

References:

  1. WinInet Registry Settings
  2. IE6 and cookies
  3. P3P Public Overview

[/os/windows/registry] permanent link
