Trojan-Spy.Pophot.WX and Control Panel



bigbadger
05-20-2008, 05:30 PM
20/05/2008 12:51:11:796
OnGuard: System Event Blocked
Threat Name - Trojan-Spy.Pophot.WX
Details - Spyware Doctor has blocked an application attempting to access a file.
Risk Level - High
Infection - C:\WINDOWS\SYSTEM32\RUNDLL32.EXE

This is a copy of the logfile. I am unable to open control panel items as it's blocked by Spyware Doctor. When I scan my system SD doesn't find anything. I have looked at the file rundll32.exe and it doesn't look like the other .exe files (different icon). Can I just replace rundll32.exe? But before that I need to get rid of Threat Name - Trojan-Spy.Pophot.WX. Any advice helpful. Thanks

redwolfe_98
05-20-2008, 06:39 PM
i did a scan today, with the latest malware-definitions, and SD flagged some files on my computer that were legitimate "windows" files, "rundll32.exe" and "wmp.dll" (windows media player)..

here is part of the scan-log:

Trojan-Spy.Pophot.WX C:\WINDOWS\ServicePackFiles\i386\rundll32.exe Medium

Trojan-Dropper.Agent.BPF C:\WINDOWS\system32\dllcache\wmp.dll Medium

Trojan-Spy.Pophot.WX C:\WINDOWS\system32\rundll32.exe Medium

Trojan-Dropper.Agent.BPF C:\WINDOWS\system32\wmp.dll Medium
- end scan log

there were several hundred regkeys that were flagged, too, associated with "wmp.dll" (windows media player)..

i have attached a zipped file with the scan-log..

i am using win xpsp3, SD 4.1 and "windows media player 10"..

gringopig
05-20-2008, 06:39 PM
20/05/2008 12:51:11:796
OnGuard: System Event Blocked
Threat Name - Trojan-Spy.Pophot.WX
Details - Spyware Doctor has blocked an application attempting to access a file.
Risk Level - High
Infection - C:\WINDOWS\SYSTEM32\RUNDLL32.EXE

This is a copy of the logfile. I am unable to open control panel items as it's blocked by Spyware Doctor. When I scan my system SD doesn't find anything. I have looked at the file rundll32.exe and it doesn't look like the other .exe files (different icon). Can I just replace rundll32.exe? But before that I need to get rid of Threat Name - Trojan-Spy.Pophot.WX. Any advice helpful. Thanks

Could AChen please fix this in autoupdates. This is an error!
The same thing is happening for me and I have restored an image via Norton Ghost which, at the time and before the latest set of updates, did not show this error in Spyware Doctor...

The image I restored was 100% OK. Now I have had to add an important Windows system file to the Global Exclusion list!
:mad:

p.s. I have XP SP3 - this may be pertinent...

PJWilkin
05-20-2008, 07:21 PM
Just run a full scan, and despite not only having all the on-guards enabled, the beta behavior guard and site-guard .. as well as fully updated signatures a full scan has found lots of items including

Trojan-Spy.PopHot.WX

My laptop's been rebuilt from scratch (last weekend), and Spyware Doctor was the 3rd thing installed. And at no point have I disabled it

Obviously either these are false positives, yesterday's signatures didn't have this Trojan in, or On-Guards are not much use at detecting incoming spyware

A quick google reveals:

http://www.threatexpert.com/report.a...9-100db369e1c5

Showing it was

Submission received: 21 May 2008, 01:43:44

Pity today is the 20th May 2008 at 19:00 ;-)

redwolfe_98
05-20-2008, 07:27 PM
i did a "manual on-demand scan" and SD flagged "rundll32.exe" on my computer, too.. it also flagged "wmp.dll" (windows media player) on my computer.. i am using "windows media player 10"..

i am running win xpsp3 and SD 4.1..

ninnpwint
05-20-2008, 07:38 PM
i got that this morning (may 20, 2008 pst)
pop up warning came up
i click yes to block it since i do not have any tech knowledge
i did not do any scan yet
is it going to affect my computer system
thanks in advance

gringopig
05-20-2008, 07:48 PM
I've personally restored again to a good image and turned SD OFF!

I will wait 'till this issue has been sorted out.
Dearie me. Do they not TEST this stuff?
:(

PJWilkin
05-20-2008, 07:51 PM
I've personally restored again to a good image and turned SD OFF!

I will wait 'till this issue has been sorted out.
Dearie me. Do they not TEST this stuff?
:(

I am seriously questioning the usefulness of Spyware Doctor at the moment, these false positives don't help. It certainly makes it look like they don't test.

I have one PC with Site Guard installed, that if I go to "dodgy" sites pops up the "we've blocked this", and another PC configured identically which doesn't.

I am getting to the opinion that On-Guard isn't worth the CPU it takes

gringopig
05-20-2008, 07:51 PM
i got that this morning (may 20, 2008 pst)
pop up warning came up
i click yes to block it since i do not have any tech knowledge
i did not do any scan yet
is it going to affect my computer system
thanks in advance

No, don't block it! This round of updates is a fiasco. You will be blocking Windows system files here. Not good. Go into the Global exclusions folder and delete the recent addition, or change to 'allow' at least. Then turn the guards off or switch off Spyware Doctor...
:eek:

gringopig
05-20-2008, 07:53 PM
I am seriously questioning the usefulness of Spyware Doctor at the moment, these false positives don't help. It certainly makes it look like they don't test.

I have one PC with Site Guard installed, that if I go to "dodgy" sites pops up the "we've blocked this", and another PC configured identically which doesn't.

I am getting to the opinion that On-Guard isn't worth the CPU it takes

Are you running XP SP3 PJWilkin?
I'll bet you are. The rundll32.exe file has a date code which tells me it was part of the service pack updates...

PJWilkin
05-20-2008, 08:09 PM
Are you running XP SP3 PJWilkin?
I'll bet you are. The rundll32.exe file has a date code which tells me it was part of the service pack updates...

Been on SP3 since it was released

As stated in an earlier post, I rebuilt this laptop a week ago, and SD was the 3rd bit of software installed. Full scanned, no errors

This is one serious bit of failure to test the Updates by PCTools
One would honestly expect them to test against each ServicePack file set

howarde
05-20-2008, 08:28 PM
Are you running XP SP3 PJWilkin?
I'll bet you are. The rundll32.exe file has a date code which tells me it was part of the service pack updates...
Hi, I JUST did the SP3 update, and immediately thereafter I got the Spyware Doctor block of rundll32 when doing a PROPERTIES on my computer/from Explorer. I don't know if this was because of the SP3 update, or new definition files Spy Doc installed this morning (or something).
"Shutting Down" Spy Doc resolved the block.
Does anyone know how to tell if we are actually infected with a thing called Trojan-Spy.Pophot.WX ?- or is that a joke.
Thanks for any info...

ninnpwint
05-20-2008, 08:36 PM
No, don't block it! This round of updates is a fiasco. You will be blocking Windows system files here. Not good. Go into the Global exclusions folder and delete the recent addition, or change to 'allow' at least. Then turn the guards off or switch off Spyware Doctor...
:eek:

thank you so much gringopig
i deleted as suggested
do i really have to turn the guards off or switch off SD

gringopig
05-20-2008, 08:37 PM
Hi, I JUST did the SP3 update, and immediately thereafter I got the Spyware Doctor block of rundll32 when doing a PROPERTIES on my computer/from Explorer. I don't know if this was because of the SP3 update, or new definition files Spy Doc installed this morning (or something).
"Shutting Down" Spy Doc resolved the block.
Does anyone know how to tell if we are actually infected with a thing called Trojan-Spy.Pophot.WX ?- or is that a joke.
Thanks for any info...

I think it's safe to say that the 'infection' is a false positive and can be ignored.
To prove whether it was JUST the updates or some unfortunate combination, someone would have to report the problem who still had SP2...

Hopefully, this issue will be resolved soon!

gringopig
05-20-2008, 08:45 PM
thank you so much gringopig
i deleted as suggested
do i really have to turn the guards off or switch off SD

The dialogue box alerting to the 'problem' gives 2 choices: 'allow' or 'block'. If you want to keep the guards on, then for the moment 'allow' any of these alerts which refer to basic Windows system components. These will be added into the Global exclusions list.
It will be necessary to delete these rules after the issue is fixed...
This is far from acceptable tho', as the casual user may mistakenly 'block' one of these files and then not be able to navigate Windows properly if the alert is 'blocked' and then forgotten about. The functionality will be broken by Spyware Doctor. I personally shudder at every system fault and like checking Event Viewer daily, so for me, I have switched Spyware Doctor off after a Norton Ghost restore without updating the latest flawed updates...

Yr one of the clued up ones, who knows about these things and knows where to go for answers! Imagine poor old Agnes with her laptop not knowing why Windows broke after that nasty box popped up!:eek:

ninnpwint
05-20-2008, 09:19 PM
...These will be added into the Global exclusions list.
It will be necessary to delete these rules after the issue is fixed...

thanks again gringopig i could not find the "Global exclusions list"
could you direct me where to please
thanks

gringopig
05-20-2008, 09:27 PM
thanks again gringopig i could not find the "Global exclusions list"
could you direct me where to please
thanks

Open the program and click on 'Settings' and then from the sub-menu click on 'Global Actions List'. Sorry, got the name a bit wrong! :rolleyes:
This is where you will find the results of the 'allow' or 'block' actions you make...

PJWilkin
05-20-2008, 09:27 PM
thanks again gringopig i could not find the "Global exclusions list"
could you direct me where to please
thanks

Settings -> Global Action list

ninnpwint
05-20-2008, 11:25 PM
thank you so much to both gringopig and PJWILKIN
for the direction

Jewels
05-20-2008, 11:41 PM
I guess I'll just allow it until it's fixed.
It's annoying that I'm getting more trouble from false positives than legitimate threats. In fact I can't remember the last time SD actually detected something legitimate; I've only had false positives for a very long time.

bigbadger
05-21-2008, 12:01 AM
Well my original post seems to have caused a stir. I started the post originally on the basis that I completely rebuilt my system as I somehow contracted the VIRUT virus. Having recovered my data from the backup on the slave drive I had no applications left and only data files on which to rebuild the system from scratch. This took some four or five days to accomplish and two days ago I was fine until I came across the rundll32 problem. I went a little overboard with the protection - I used to run Comodo Firewall and Anti Virus - but not happy at contracting VIRUT so changed. I then moved to Sunbelt Firewall and AVG anti Virus with Comodo BOClean. Sunbelt caused me some issues and so I moved to PC Tools Firewall - all seemed fine - until yesterday morning. That's when the Trojan Pophot appeared. In desperation I now have AVG Anti Virus just sitting there monitoring. I have SD scanning my system at the same time as Avira Anti Virus.

The ongoing results - still scanning - is that SD has found 3 occurrences of Trojan Pophot - the first on rundll32 in System folder and the 2nd Infection - C:\WINDOWS\ServicePackFiles\i386\rundll32.exe and 3rd
Infection - C:\WINDOWS\SoftwareDistribution\Download\65cb51275f131ad95a646f305f973e3a\rundll32.exe

I have now added rundll32.exe to the global exception list - as suggested in an earlier post. I hope this is correct!!

My AVIRA has now finished and found 3 infections
the report says two were on random files - one in a zip
[DETECTION] Contains detection pattern of the Windows virus W32/Virut.W - I guess that might have been two recovered files that were treated. Anyway they have now been quarantined.

The third infection was [DETECTION] Is the Trojan horse TR/Muldrop.ZQ which I have deleted.
AVIRA found no Trojan Pophot issues.

So far SD has found no VIRUT issues - so I am now very confused and retiring for the evening.

FYI - I am also running XP Pro with SP3

I have a specific question which I hope will save me another rebuild - Can I just copy a replacement rundll32 to my system or are they system specific?

I hope the above is clear as this has been a nightmare for the last seven or eight days.

Any recommendations gratefully received. Good night and thanks

gibi
05-21-2008, 12:52 AM
Same to me. I scanned my computer with SD and the result is:

trojan-spy.Pophot.WX.

The files "infect":

C:\Windows\system32\rundll32.exe

C:\Windows\ServicePackFiles\i386\rundll32.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Acessories\Communications\New Connection Wizard.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Acessories\Communications\Network Setup Wizard.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Acessories\Communications\Wireless Network Setup Wizard.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\k_Lite Codec Pack\Configuration\DirectVobSub.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\k_Lite Codec Pack\Configuration\ffdshow audio decoder.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\k_Lite Codec Pack\Configuration\ffdshow video decoder.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\k_Lite Codec Pack\Configuration\ffdshow VFW interface.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\k_Lite Codec Pack\Configuration\Haali Media Splitter.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\k_Lite Codec Pack\Configuration\x264.lnk

C:\System Volume Information\_restore{3DFCC0E7-91C2-47C2-B1E3-9BE8CC06DFE1}\RP13\A0004849.lnk

Sincerely...it's a joke!!!

I used Avira, ThreatFire and Comodo scanning in real time 24x7. Adaware and Advanced Windows Care running two times a day, 7 days week and only program that "discovery" this infection was SD!

False Positive...only explanation!

ninnpwint
05-21-2008, 12:53 AM
hi all
i am assuming that the SD team (PC Tools team) would have seen and read all these posts regarding this topic
wondering what and why are they waiting to release a fix or new database to fix as soon as possible

AChen
05-21-2008, 01:25 AM
Hi All,

We are currently investigating this and will resolve this asap.
I'll provide an update shortly.

ARK-R09
05-21-2008, 01:47 AM
I`m glad I came onto this forum, as I was experiencing the same thing with:
Trojan-Spy.pophot.wx
It was driving me nuts :mad: I had just got rid of the AVG suite as it slowed my PC down too much and the start-up/shut-down took ages. I came back to SD with antivirus and all was working a treat...then I got the same as you people.
Now all is well again, and I'm a happy chappy :)
I read through all of your posts and did as you said.

Thanks gentlemen, have a drink on me

ninnpwint
05-21-2008, 01:54 AM
Hi All,

We are currently investigating this and will resolve this asap.
I'll provide an update shortly.


thank you so much AChen
the faster the better and good luck

AChen
05-21-2008, 02:06 AM
We are implementing a fix immediately.

This is a False Positive generated by Spyware Doctor, it will affect people running on Windows XP Service pack 3.
Please do not remove this file!

Workaround:

In the meantime please manually add the file into the global action list.

1. Open Spyware Doctor and select the 'Settings' button >> 'Global Action List'
2. Click the 'Add' button and the 'Add New Rule' box will appear
3. At the 'Select data type:' dropdown box make sure you select 'File on disk'
4. Browse for rundll32.exe in C:\WINDOWS\system32\
5. Once the rundll32.exe is selected, at the bottom dropdown box make sure 'Always allow' is selected, then click the 'Add' button

The file is now added and will be ignored by all OnGuard Tools and Spyware Doctor scans.

I'll let you guys know when a fix is available via the Smart Update.

Monman
05-21-2008, 02:20 AM
What do you do if somehow the file rundll32.exe has disappeared from your PC? Do I download Service pack 3 again to resolve the stuff PC Tools has caused on my PC. I stupidly blocked the Trojan Pophot warning when it came up!!1

tip-top
05-21-2008, 02:41 AM
What do you do if somehow the file rundll32.exe has disappeared from your PC? Do I download Service pack 3 again to resolve the stuff PC Tools has caused on my PC. I stupidly blocked the Trojan Pophot warning when it came up!!1

Welcome all!! new to this forum :)

You shouldn't be able to remove the file rundll32.exe because other applications will be using this as well and will prevent you from removing it. But if however, you accidentally remove this, you can boot into your last known good configuration before Windows starts.

Great to hear that this will be resolved soon :) Thanks

ninnpwint
05-21-2008, 02:57 AM
What do you do if somehow the file rundll32.exe has disappeared from your PC? Do I download Service pack 3 again to resolve the stuff PC Tools has caused on my PC. I stupidly blocked the Trojan Pophot warning when it came up!!1

i had this come up twice on me
i blocked it and deleted and allowed again
i have XP Pro SP3 as well
just did a search and i found
the file rundll32 is still there as you can see attached jpg

Monman
05-21-2008, 03:36 AM
For some reason the file rundll32.exe does not appear in my Windows/system 32 folder but it does appear in the service pack folder. Can I just copy it from the service pack folder to my system 32 folder. I tried to boot into my last known good configuration and it did nothing - just booted me into the same problem.

ninnpwint
05-21-2008, 03:45 AM
For some reason the file rundll32.exe does not appear in my Windows/system 32 folder but it does appear in the service pack folder. Can I just copy it from the service pack folder to my system 32 folder. I tried to boot into my last known good configuration and it did nothing - just booted me into the same problem.

i do not have the knowledge to answer you sorry
i just showed what i found and got

Monman
05-21-2008, 03:46 AM
I copied the rundll32.exe file from my service pack folder to my system 32 folder and it looks like everything is going OK. Did this Trojan Pophot warning affect any other windows files???:confused:

redwolfe_98
05-21-2008, 08:56 AM
when i run the updater, this morning, 05/21/08, all that i am getting is "update failed"..

monman, yes, "rundll32.exe" is the only file that has been associated with "Trojan Pophot"..

however, SD is also flagging "wmp.dll", on my computer, which is a "windows media player" file, but it is associated with something other than "Trojan Pophot"..

incidentally, if someone gets some error-message about "wmp.dll", saying to reinstall "windows media player", before doing that, i would go to the "windows updates" website and check for updates, there.. "windows updates" might replace the "wmp.dll" file so that you can avoid having to reinstall "windows media player"..

update: i am no longer getting "update failed" when i run the updater, however i have not yet gotten any update, either.. :)

rlstar8
05-21-2008, 09:23 AM
ok i got the virus
and i removed it using spyware doctor
and now i can't right click and go on properties

plus i don't have rundll32.exe in my system 32 folder.

what do i do?

redwolfe_98
05-21-2008, 09:55 AM
the update, this morning, addresses the two false-positives that i was getting.. SD is no longer flagging the "rundll32.exe" file or the "wmp.dll" file, on my computer..

redwolfe_98
05-21-2008, 10:06 AM
ok i got the virus
and i removed it using spyware doctor
and now i can't right click and go on properties

plus i don't have rundll32.exe in my system 32 folder.

what do i do?

see if the "rundll32.exe" file was moved to SD's "quarantine", and try restoring the file from "quarantine" (that is what "quarantine" is for, so that files can be restored from there)..

if that doesn't work, you could try rebooting and see if the rundll32.exe file is automatically restored..

if that doesn't work, you could:

run "system file checker", to see if that will restore the file.. to run "system file checker" (SFC), go to "start"/"run" and type:

"sfc /scannow" (minus quotations)

if that doesn't work, try copying the "rundll32.exe" file in the "service pack folder" and then pasting it in the "c/windows/system32" folder..

to find the "rundll32.exe" file in the "service pack folder", you could use "search", on your computer, searching for files named:

"rundll32.exe" (minus quotations)

those are just some ideas..
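
An added example, not part of the thread or of any poster's advice: before copying the service-pack copy of rundll32.exe back into system32 as suggested in the post above, the local copies can be compared by hash. The sketch is Python; the dllcache path for rundll32.exe and all function names are assumptions, and agreement between local copies shows only that they are the same file, not that they match the vendor's original.

```python
import hashlib
import shutil
from collections import defaultdict
from pathlib import Path

# Paths from the thread, plus dllcache (named in the thread only for wmp.dll;
# assumed here to hold a rundll32.exe copy as well). Pass your own otherwise.
TARGET = Path(r"C:\WINDOWS\system32\rundll32.exe")
BACKUPS = [
    Path(r"C:\WINDOWS\ServicePackFiles\i386\rundll32.exe"),
    Path(r"C:\WINDOWS\system32\dllcache\rundll32.exe"),
]


def sha256_of(path):
    """Hash a file in chunks so it is never read into memory in one piece."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def consensus_backup(backups, minimum=2):
    """Return (path, digest) of a backup that at least `minimum` copies agree on."""
    groups = defaultdict(list)
    for path in backups:
        path = Path(path)
        if not path.is_file():
            continue
        with open(path, "rb") as handle:
            if handle.read(2) != b"MZ":  # not a Windows executable at all
                continue
        groups[sha256_of(path)].append(path)
    best = max(groups.items(), key=lambda item: len(item[1]), default=None)
    if best is None or len(best[1]) < minimum:
        return None, None
    return best[1][0], best[0]


def check_or_restore(target, backups, restore=False):
    """Classify the target against the backups; copy a backup in only if asked."""
    target = Path(target)
    source, digest = consensus_backup(backups)
    if source is None:
        return "no-trusted-backup"
    if target.is_file():
        same = sha256_of(target) == digest
        return "matches-backup" if same else "differs-from-backup"
    if not restore:
        return "missing"
    shutil.copy2(source, target)
    if sha256_of(target) != digest:  # confirm the copy landed intact
        target.unlink()
        return "restore-failed"
    return "restored"


if __name__ == "__main__":
    # Read-only by default: reports the state without changing anything.
    print(check_or_restore(TARGET, BACKUPS))
```

A "differs-from-backup" or "no-trusted-backup" result is the case where submitting the file to a multi-engine scanning service, as a later post suggests, is worth doing before restoring anything.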

AChen
05-21-2008, 10:07 AM
Hi Guys,

We have released a fix for this FP. Please run a smart update :)

gibi
05-21-2008, 10:35 AM
Thanks a lot!!!
Everything`s ok now!!!

antontonkovic
05-21-2008, 12:56 PM
Hi, I sent the Trojan file to the Global action list as recommended, and used smart update to download the new signatures. But what do we do with the Trojan file now? Leave it in the Global Action List? Send in to be quarantined? Delete it altogether?
What do you recommend we do now with this Trojan-Spy.Pophot.WX file?

Thanks
Tony

redwolfe_98
05-21-2008, 01:22 PM
anton, you don't actually remove the "file" from the "global action list", you remove the "RULE" for the file from the "global action list".. that is all that you need to do..

the rule, there, was for SD to ignore the file and to allow it to run normally.. since SD is no longer flagging the file, you no longer need the rule for the file in the "global action list", so you can simply remove it (the "rule")..

Fred Tate
05-21-2008, 07:01 PM
Found possible conflict with Windows Service pack 3 after below problem surfaced:

Full scan with Zone Alarm Security Suite fails to detect this, or list it as a problem. Full scan with Threatfire fails to detect this, or list it as a problem and Threatfire is also a PC Tools product.

Notice from the Spyware Doctor program; “Trojan-Spy.Pophot.WX is a threat that registers itself as a system service and collects certain essential information from the system.”

“Trojan-Spy.Pophot.WX”

Risk Level: High

Found in following eight (8) places in computer:

C:/WINDOWS/system32/rundll32.exe

C:/Documents and Settings/All Users/Start Menu/Programs/Accessories/Communications/Network Setup Wizard.Ink

C:/Documents and Settings/All Users/Start Menu/Programs/Accessories/Communications/New Connection Wizard.Ink

C:/Documents and Settings/All Users/Start Menu/Programs/Accessories/Communications/Wireless Network Setup Wizard.Ink

C:/Documents and Settings/All Users/Start Menu/Programs/DivX/Check for DivX Updates.Ink

C:/Documents and Settings/All Users/Start Menu/DivX/DivX Codec/Register Products.Ink

C:/WINDOWS/ServicepackFiles/i386/rundll32.exe

C:/WINDOWS/SoftwareDistribution/Download/dd9ab5193501484cf5e6884fa1d22f9e/rundll32.exe

Looks like an ordinary DivX Registration program, an interesting thing is that as soon as Spyware Doctor put it in Quarantine an official looking Windows notice popped up stating that necessary programs had been deleted, then prompted me to install Windows Service pack 3 CD to restore.

Believe this may be a conflict with Windows new Service pack 3 and a Spyware Doctor recent update.

Which brings us to, did any of you recently install Windows Service Pack 3 before this happened?

Cordially, Fred Tate

P.S. DO NOT ALWAYS DELETE BASED UPON RECOMMENDATIONS, YOU COULD REMOVE NEEDED PROGRAMS. ONLY QUARANTINE AT FIRST. IF WHAT HAPPENED IS A FALSE POSITIVE, YOU CAN ALWAYS RESTORE THEN. (Spyware Doctor is not the only security program that sometimes gives false positives.)

swannie
05-21-2008, 07:46 PM
Yes, I think we all installed SP3 and that's where the problem started. I have to admit I fell into the trap, as I was half asleep this morning and clicked on block without thinking, but luckily everything is running fine here.

kittynhawaii
05-23-2008, 05:20 AM
Yep that's when my troubles started. Using SpyDoctor i just blocked the popup like everyone else did. I didn't pay much attention to it until i wanted to open my control panel. I got frantic and began to search something to fix it.. i went to Microsoft's home page typed in the trojans name and it told me how to fix it... since then all is well.

ckm
05-23-2008, 04:10 PM
I recently had SpyDoctor + AV catch, quarantine and remove over 390 infections of the malware: Trojan-Spy.Pophot.WX and Trojan-Dropper.Agent.BPF. I was surprised and dismayed that I was not protected by SD=AV. After SD cleaned the infections I could not access anything in the Control Panel of my Windows XP SP3. The missing file in question was C:\WINDOWS\system 32\rundll32.exe. I remember during the clean up process, SD asked for my XP install disk. I had my original XP2, but not XP3 which I recently updated to, so of course the original disk was not recognized. I proceeded anyway with the clean up, which I guess removed this important windows file. I had to pay a computer expert to fix my computer. He had to re-install windows XP2 and the new XP3 service pack. After reading posts on this forum, I see where a few others have had this problem. I am a novice, but something about false positives were said. What does this mean? Do I have to not trust my SD? I really thought I had picked up a Trojan, but maybe not. A suggestion was to add to the Global Exclusions, but I am not sure how or why or what that means. If anyone could offer some feedback, I would really appreciate it. I am not sure I should continue using SD+ AV if it is for the more advanced computer user.

Expletive_Expounded
05-24-2008, 08:38 AM
Hi
You should maybe check the exchanges on the other thread abt pophot. The gist is that the infection was a false positive by SD and that rundll32.exe is actually quite OK and a number of people including me got this problem after installing XP SP3. The other trojan I don't know about, sorry. Cheers.

Ditto
05-26-2008, 03:23 AM
I am a novice, but something about false positives were said. What does this mean? Do I have to not trust my SD? I really thought I had picked up a Trojan, but maybe not. A suggestion was to add to the Global Exclusions, but I am not sure how or why or what that means. If anyone could offer some feedback, I would really appreciate it. I am not sure I should continue using SD+ AV if it is for the more advanced computer user.


Well, you can NEVER fully trust ANY security programs. So that is why people are trying many combinations of the security programs.

I would say that you should ALWAYS quarantine infections and keep them until you know that they are definitely harmful or unneeded files. So if you see any unexpected behavior of your PC after quarantine, then restore the quarantined items.

You may check maliciousness (if there is a word) of the file from www.virustotal.com or www.threatexpert.com. They allow you to submit a malicious file and give you a quick analysis of the file.

Hope this helps;)