Take Command Build 74 - TakeCmd.DLL

Aug 19, 2009
17
0
#1
Hello

The 'Check for Updates' feature in Take Command downloaded and installed build 74 of TC10 this morning, and after that I was unable to start the program. On trying to start the app, Windows complained that TakeCmd.DLL was missing.

I tried manually downloading the Setup program from the web site and using that, but got the same result. On checking the folder where I had installed TC10, there was no TakeCmd.DLL

I eventually re-installed build 67, which is the next-latest build for which I still have the Setup program, and normal service was resumed.

EDIT: I've just read the previous post in this forum, about NOD32 reporting that TakeCmd.DLL contains the Win32/Induc.A virus. Like the previous poster, I too have NOD32 installed, and that turns out to be the reason for the missing DLL - NOD32 has quarantined it.

Is this a known issue with the Setup program for TC10 build 74, or is NOD32 reporting a false positive?

Chris
 
Feb 12, 2009
41
0
#2
> Hello
>
> The 'Check for Updates' feature in Take Command downloaded and installed build 74 of TC10 this morning, and after that I was unable to start the program. On trying to start the app, Windows complained that TakeCmd.DLL was missing.
>
> I tried manually downloading the Setup program from the web site and using that, but got the same result. On checking the folder where I had installed TC10, there was no TakeCmd.DLL
>
> I eventually re-installed build 67, which is the next-latest build for which I still have the Setup program, and normal service was resumed.
>
> Is this a known issue with the Setup program for TC10 build 74?
>
> Chris
Maybe the same problem I have .. a virus
 
#3
leeuw013 wrote:
|Chris Wilcock:
|| TakeCmd.DLL was missing.
| Maybe the same problem i have .. a virus

Since Build 74 works fine here, without virus alarms, I suspect that each of
you has an antivirus program which caused a false alarm, and possibly
deleted or moved TakeCmd.dll. Both of you could try to reinstall TCMD 11
from scratch (i.e., first remove the previous build using Windows tools),
after you disabled your antivirus program. This may require you to
reregister TCMD. When you enable your AV, use whatever options it has to
prevent it from removing TakeCmd.dll. You should also report the false alarm
to the AV program vendor.

BTW, my AV vendor has false alarms on some older JPsoft program versions. It
is a physical impossibility for any AV software vendor to prevent false
alarms on new software from all other vendors, and it is also impossible for
JPsoft to contact all AV software vendors with each new build. It comes down
to the issue of trust - do you trust the AV software more than the JPsoft
product? Without any doubt I trust JPsoft more!

Note that foolproof virus detection (no false alarms, no false acceptance)
is theoretically impossible without millions of years of testing.
--
HTH, Steve
 
Feb 12, 2009
41
0
#4
> leeuw013 wrote:
> |Chris Wilcock:
> || TakeCmd.DLL was missing.
> | Maybe the same problem i have .. a virus
>
> Note that foolproof virus detection (no false alarms, no false acceptance)
> is theoretically impossible without millions of years of testing.
> --
> HTH, Steve
Build 74 did work until today; NOD32 and Microsoft Stirling both give a virus warning today! I will test it later with McAfee.

McAfee and Avast don't give a virus warning.
 

rconn

Administrator
Staff member
May 14, 2008
10,101
85
#5
Chris Wilcock wrote:

> Hello
>
> The 'Check for Updates' feature in Take Command downloaded and installed build 74 of TC10 this morning, and after that I was unable to start the program. On trying to start the app, Windows complained that TakeCmd.DLL was missing.
>
> I tried manually downloading the Setup program from the web site and using that, but got the same result. On checking the folder where I had installed TC10, there was no TakeCmd.DLL
>
> I eventually re-installed build 67, which is the next-latest build for which I still have the Setup program, and normal service was resumed.
>
> Is this a known issue with the Setup program for TC10 build 74?
No; we've had several thousand downloads of build 74 and you're the only
one who's reported a problem with a missing dll.

I just downloaded & installed it again, and everything is there &
working (and virus-free, contrary to some erroneous antivirus apps).

Rex Conn
JP Software
 

dim

Dimitry Andric
May 31, 2008
203
0
Netherlands
#6
On 2009-08-20 03:18, rconn wrote:

> I just downloaded & installed it again, and everything is there &
> working (and virus-free, contrary to some erroneous antivirus apps).
Okay, I'll upload the file to ESET's false positive queue.
 
Feb 12, 2009
41
0
#7
> On 2009-08-20 03:18, rconn wrote:
>
> Okay, I'll upload the file to ESET's false positive queue.
ESET writes this in a blog :-(

Nowadays we see lots of malicious software that is designed to steal money and information. A new virus was recently discovered that seems to be all about proving a concept rather than blatant maliciousness.

The Win32/Induc.A virus does not infect like most viruses do. Delphi is a programming language. Induc infected the Delphi IDE so that when the programmers compile their programs the programs are already infected.

As far as we are able to determine at this time, this virus went undetected since April 2009. Most of the samples of infected files we have seen are other trojans, mainly those that steal bank information. So, we detected the Trojan, but didn’t know that it was also infected.

For the average user the virus is essentially harmless. The problem is that some software development companies use Delphi, got infected, and when we added detection for Win32/Induc.A their programs were detected. Some of these companies accused ESET of having false positives when their programs were actually infected!

In reviewing our internal malware collections our researchers have found over 4,000 infected samples. Our Threatsense.Net network has identified over 30,000 unique infected samples in the first 24 hours after we added detection.

For a write up about this virus you can visit http://www.eset.eu/encyclopaedia/win32-induc-a-virus?lng=en

Ironically, some other malicious software that was previously undetected by antivirus vendors will now be detected because it is infected with Induc.A!

It’s pretty rare now to be able to talk about a widespread virus that probably won’t cause you any harm.

Randy Abrams
Director of Technical Education

===
and Mcafee writes

The W32/Induc virus has been in the wild for at least a year. During this period it has succeeded in infecting a lot of Delphi installations, including manufacturers of some pretty popular software packages.

On a victim’s machine this virus searches for the presence of a specific version (4.0, 5.0, 6.0 and 7.0) of the Delphi compiler. The virus gathers this information using the registry entry below.



If it finds one of these versions, the virus inserts its code into the file SysConst.pas, which is present in x.0\Source\rtl\sys. The virus renames the current Sysconst.dcu, which is present under the Delphi library folders, to SysConst.bak. The SysConst.pas file containing the viral code–like the one shown below–is compiled using the Delphi command line compiler dcc32.exe to create an infected SysConst.dcu. The original SysConst.pas file is then deleted.



McAfee detects all files that have been compiled with the infected Delphi program as W32/Induc. Some customers have contacted us suspecting that this result is a false positive, but this is known correct detection from McAfee.

This virus does not have a malicious payload. It just spreads through the compiled executables.
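
The compiler-side change McAfee describes in the post above (SysConst.dcu renamed to SysConst.bak, with a rebuilt SysConst.dcu left in its place) can be checked for on a build machine. This is an added example, not part of the thread and not from any vendor: it walks a directory tree you point it at; the folder names in the demo are constructed, and the timestamp comparison is a heuristic assumption.

```python
import os
import tempfile
from pathlib import Path


def find_sysconst_swaps(root):
    """Find directories under root that hold both SysConst.dcu and SysConst.bak."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower(): f for f in files}  # Windows names are case-insensitive
        if "sysconst.dcu" not in names or "sysconst.bak" not in names:
            continue
        dcu = Path(dirpath, names["sysconst.dcu"]).stat()
        bak = Path(dirpath, names["sysconst.bak"]).stat()
        hits.append({
            "dir": dirpath,
            "dcu_size": dcu.st_size,
            "bak_size": bak.st_size,
            # Heuristic (assumption): a rename keeps the old timestamp, so a
            # rebuilt .dcu should be newer than the .bak it displaced.
            "dcu_newer_than_bak": dcu.st_mtime > bak.st_mtime,
        })
    return hits


def demo():
    """Scan a constructed tree: one untouched Lib folder, one with the swap."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp, "DelphiA", "Lib")      # constructed folder names
        swapped = Path(tmp, "DelphiB", "Lib")
        clean.mkdir(parents=True)
        swapped.mkdir(parents=True)
        (clean / "SysConst.dcu").write_bytes(b"\x00" * 100)
        (swapped / "SysConst.bak").write_bytes(b"\x00" * 100)
        (swapped / "sysconst.dcu").write_bytes(b"\x00" * 140)
        os.utime(swapped / "SysConst.bak", (1_000_000, 1_000_000))
        os.utime(swapped / "sysconst.dcu", (2_000_000, 2_000_000))
        hits = find_sysconst_swaps(tmp)
        return [(Path(h["dir"]).parent.name, h["dcu_newer_than_bak"],
                 h["dcu_size"] - h["bak_size"]) for h in hits]


if __name__ == "__main__":
    for name, newer, delta in demo():
        print(f"{name}: SysConst.bak beside SysConst.dcu, "
              f"dcu newer={newer}, size delta={delta} bytes")
```

A hit is a reason to rebuild the library unit from known-good media and rescan shipped binaries, not proof of infection on its own; a developer may have left a .bak file behind for other reasons.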
 

dim

Dimitry Andric
May 31, 2008
203
0
Netherlands
#8
> I just downloaded & installed it again, and everything is there & working (and virus-free, contrary to some erroneous antivirus apps).
Rex, this may be more serious than I thought at first; a check at VirusTotal shows that 6 scanners (BitDefender, Microsoft, NOD32, Panda and VirusBuster) detect TakeCmd.dll as Win32.Induc.A:

https://www.virustotal.com/analisis...c5e6d3b857095fbe8e068d2645cb975efd-1250772168

Since this is a rather hyped-up virus, all these engines might be a bit too trigger-happy. :)
 
#9
leeuw013 wrote:
| leeuw013 wrote:
|| Okay, I'll upload the file to ESET's false positive queue.

| ESET writes this in a blog :-(

| It’s pretty rare now to be able to talk about a widespread virus
| that probably won’t cause you any harm.

OK, I read the same conclusion about the specific virus elsewhere. Did ESET
respond to your upload?

The cumulative impression from your posts is that TakeCmd.dll 10.00.74 is
indeed infected by a virus, which is nearly harmless. Its only action is to
propagate itself to other programs written in Delphi or containing portions
written in Delphi, causing very minor increase in diskspace usage and very
slight program load time increase for each affected program. Is this
correct?
--
Steve
 
Feb 12, 2009
41
0
#10
> leeuw013 wrote:
> | leeuw013 wrote:
> || Okay, I'll upload the file to ESET's false positive queue.
>
> | ESET writes this in a blog :-(
>
> | It’s pretty rare now to be able to talk about a widespread virus
> | that probably won’t cause you any harm.
>
> OK, I read the same conclusion about the specific virus elsewhere. Did ESET
> respond to your upload?
>
> The cumulative impression from your posts is that TakeCmd.dll 10.00.74 is
> indeed infected by a virus, which is nearly harmless. Its only action is to
> propagate itself to other programs written in Delphi or containing portions
> written in Delphi, causing very minor increase in diskspace usage and very
> slight program load time increase for each affected program. Is this
> correct?
> --
> Steve
Your conclusion is correct, but still I don't want this kind of warning on my system. I am working now with build 67.
 

rconn

Administrator
Staff member
May 14, 2008
10,101
85
#11
dim wrote:

> ---Quote (Originally by rconn)---
> I just downloaded & installed it again, and everything is there & working (and virus-free, contrary to some erroneous antivirus apps).
> ---End Quote---
> Rex, this may be more serious than I thought at first; a check at VirusTotal shows that 6 scanners (BitDefender, Microsoft, NOD32, Panda and VirusBuster) detect TakeCmd.dll as Win32.Induc.A:
>
> https://www.virustotal.com/analisis/81a62fb8c8b622e6647f1d1a12fc84c5e6d3b857095fbe8e068d2645cb975efd-1250772168
>
> Since this is a rather hyped-up virus, all these engines might be a bit too trigger-happy. :)
I still believe this is a false positive.

I ran build 75 (which is exactly the same development environment &
trial/registration code) through VirusTotal, and only Panda complained
(a "suspicious file", whatever that means). The only difference between
build 74 & 75 is a minor fix for error reporting with RD /S. But each
build has a slightly different signature as a result of the trial /
registration code.

So either ESET et al were a bit overzealous in their initial report, or
they were initially correct and they're all failing now. I think the
former is somewhat more likely.

I've uploaded build 75 to the web & ftp sites for those concerned (or
annoyed) with the (probable) false positives on build 74.

Rex Conn
JP Software
 
Feb 12, 2009
41
0
#12
> dim wrote:
>
> I still believe this is a false positive.
>
> I ran build 75 (which is exactly the same development environment &
> trial/registration code) through VirusTotal, and only Panda complained
> (a "suspicious file", whatever that means). The only difference between
> build 74 & 75 is a minor fix for error reporting with RD /S. But each
> build has a slightly different signature as a result of the trial /
> registration code.
>
> So either ESET et al were a bit overzealous in their initial report, or
> they were initially correct and they're all failing now. I think the
> former is somewhat more likely.
>
> I've uploaded build 75 to the web & ftp sites for those concerned (or
> annoyed) with the (probable) false positives on build 74.
>
> Rex Conn
> JP Software
Thanks ! NOD32 didn't find a virus :-))
 
Jun 2, 2008
31
0
#13
> Thanks ! NOD32 didn't find a virus :-))
But AVG using the latest AV signatures does :(

Edited:
And this is the response from AVG when I submitted TakeCmd.dll for further analysis:

========================================
AVG Research Lab has analyzed the file(s) you have sent from your AVG Virus Vault. Below you can find the results for each file. The final verdict on the file is either a correct detection or a false positive detection.

Further information about the verdicts are available at our website:
http://www.avg.com/faq-1184

"C:\TCMD10\TakeCmd.dll" - detection is correct



Best regards,

AVG Customer Services
AVG Technologies
website: http://www.avg.com
========================================

I have now logged a support incident with AVG regarding this.
 

dim

Dimitry Andric
May 31, 2008
203
0
Netherlands
#14
On 2009-08-21 11:17, ebbe wrote:

> ---Quote (Originally by leeuw013)---
> Thanks ! NOD32 didn't find a virus :-))
> ---End Quote---
> But AVG using the latest AV signatures does :(
Please guys, we all know these DLLs are *not* infected at all. Antivirus products give many (way too many IMHO) false positives these days.

Just put the file in your antivirus exclusion list. I have dozens of completely innocent files in mine...

Also, if your AV vendor can be bothered, mail them a copy of the DLL and tell them it's a false positive.
 
Jun 3, 2008
27
0
#15
On Fri, 21 Aug 2009 05:06:44 -0500, dim <> wrote
Re RE: [Support-t-1313] Re: Take Command Build 74 - TakeCmd.DLL:


>Please guys, we all know these DLLs are *not* infected at all. Antivirus products give many (way too many IMHO) false positives these days.
>
>Just put the file in your antivirus exclusion list. I have dozens of completely innocent files in mine...
>
>Also, if your AV vendor can be bothered, mail them a copy of the DLL and tell them it's a false positive.
Good advice.
--
At first they laugh at you, then they ignore you, then they fight you, then you win.
 
#16
F.Y.I. Sophos reports build 74 as infected, but build 75 is ignored...

Mr. Jiggs
TecDocDigital
s o l u t i o n s
p: (978) 567.6046
f: (978) 562.4304

-----Original Message-----
From: rconn [mailto:]
Sent: Thursday, August 20, 2009 9:27 AM
To: Mr Jiggs
Subject: RE: [Support-t-1313] Re: Take Command Build 74 - TakeCmd.DLL

dim wrote:


---Quote---

> ---Quote (Originally by rconn)---
> I just downloaded & installed it again, and everything is there &
working (and virus-free, contrary to some erroneous antivirus apps).

> ---End Quote---
> Rex, this may be more serious than I thought at first; a check at
VirusTotal shows that 6 scanners (BitDefender, Microsoft, NOD32, Panda
and VirusBuster) detect TakeCmd.dll as Win32.Induc.A:

>
> https://www.virustotal.com/analisis/81a62fb8c8b622e6647f1d1a12fc84c5e6
> d3b857095fbe8e068d2645cb975efd-1250772168
>
> Since this is a rather hyped-up virus, all these engines might be a bit
> too trigger-happy. :)
---End Quote---
I still believe this is a false positive.

I ran build 75 (which is exactly the same development environment &
trial/registration code) through VirusTotal, and only Panda complained
(a "suspicious file", whatever that means). The only difference between
build 74 & 75 is a minor fix for error reporting with RD /S. But each
build has a slightly different signature as a result of the trial /
registration code.

So either ESET et al were a bit overzealous in their initial report, or
they were initially correct and they're all failing now. I think the
former is somewhat more likely.

I've uploaded build 75 to the web & ftp sites for those concerned (or
annoyed) with the (probable) false positives on build 74.

Rex Conn
JP Software
 
Jun 2, 2008
31
0
#17
> Please guys, we all know these DLLs are *not* infected at all. Antivirus products give many (way too many IMHO) false positives these days.
This is not my experience. In fact, TakeCmd.dll was the first false positive I've seen in years.

> Just put the file in your antivirus exclusion list. I have dozens of completely innocent files in mine...
IMHO this is treating the symptom instead of the disease.

> Also, if your AV vendor can be bothered, mail them a copy of the DLL and tell them it's a false positive.
...which is what I did. I'm happy to say that AVG reacted promptly. The latest version of AVG's virus database now knows that TakeCmd.dll is OK.
 
#18
ebbe wrote:
| ---Quote (Originally by dim)---
|| Also, if your AV vendor can be bothered, mail them a copy of the DLL
|| and tell them it's a false positive.
|
| ...which is what I did. I'm happy to say that AVG reacted promptly.
| The latest version of AVG's virus database now knows that
| TakeCmd.dll is OK.

Do you have a paid subscription to AVG? I have the free version, and in the
past when I reported that an earlier version of TakeCmd.dll returned a false
positive, they had informed me that it was a real virus. Of course, the very
same file, still on my system, does not now trigger a virus alert.
--
Steve