
Take Command Build 74 - TakeCmd.DLL

Discussion in 'Support' started by Chris Wilcock, Aug 19, 2009.

  1. Chris Wilcock

    Joined:
    Aug 19, 2009
    Messages:
    17
    Likes Received:
    0
    Hello

    The 'Check for Updates' feature in Take Command downloaded and installed build 74 of TC10 this morning, and after that I was unable to start the program. On trying to start the app, Windows complained that TakeCmd.DLL was missing.

    I tried manually downloading the Setup program from the web site and using that, but got the same result. On checking the folder where I had installed TC10, there was no TakeCmd.DLL.

    I eventually re-installed build 67, which is the next-latest build for which I still have the Setup program, and normal service was resumed.

    EDIT: I've just read the previous post in this forum, about NOD32 reporting that TakeCmd.DLL contains the Win32/Induc.A virus. Like the previous poster, I too have NOD32 installed, and that turns out to be the reason for the missing DLL - NOD32 has quarantined it.

    Is this a known issue with the Setup program for TC10 build 74, or is NOD32 reporting a false positive?

    Chris
     
  2. leeuw013

    Joined:
    Feb 12, 2009
    Messages:
    41
    Likes Received:
    0
    Maybe the same problem I have .. a virus
     
  3. Steve Fabian

    Joined:
    May 20, 2008
    Messages:
    3,523
    Likes Received:
    4
    leeuw013 wrote:
    |Chris Wilcock:
    || TakeCmd.DLL was missing.
    | Maybe the same problem I have .. a virus

    Since Build 74 works fine here, without virus alarms, I suspect that each of
    you has an antivirus program which caused a false alarm, and possibly
    deleted or moved TakeCmd.dll. Both of you could try to reinstall TCMD 11
    from scratch (i.e., first remove the previous build using Windows tools),
    after you disabled your antivirus program. This may require you to
    reregister TCMD. When you enable your AV, use whatever options it has to
    prevent it from removing TakeCmd.dll. You should also report the false alarm
    to the AV program vendor.

    BTW, my AV vendor has false alarms on some older JPsoft program versions. It
    is a physical impossibility for any AV software vendor to prevent false
    alarms on new software from all other vendors, and it is also impossible for
    JPsoft to contact all AV software vendors with each new build. It comes down
    to the issue of trust - do you trust the AV software more than the JPsoft
    product? Without any doubt I trust JPsoft more!

    Note that foolproof virus detection (no false alarms, no false acceptance)
    is theoretically impossible without millions of years of testing.
    --
    HTH, Steve
     
  4. leeuw013

    Joined:
    Feb 12, 2009
    Messages:
    41
    Likes Received:
    0
    Build 74 did work until today. NOD32 and Microsoft Stirling both give a virus warning today! I will test it later with McAfee.

    McAfee and Avast don't give a virus warning.
     
  5. rconn

    rconn Administrator
    Staff Member

    Joined:
    May 14, 2008
    Messages:
    9,730
    Likes Received:
    80
    Chris Wilcock wrote:

    No; we've had several thousand downloads of build 74 and you're the only
    one who's reported a problem with a missing dll.

    I just downloaded & installed it again, and everything is there &
    working (and virus-free, contrary to some erroneous antivirus apps).

    Rex Conn
    JP Software
     
  6. dim

    dim Dimitry Andric

    Joined:
    May 31, 2008
    Messages:
    202
    Likes Received:
    0
    On 2009-08-20 03:18, rconn wrote:

    Okay, I'll upload the file to ESET's false positive queue.
     
  7. leeuw013

    Joined:
    Feb 12, 2009
    Messages:
    41
    Likes Received:
    0
    ESET writes this in a blog :-(

    Nowadays we see lots of malicious software that is designed to steal money and information. A new virus was recently discovered that seems to be all about proving a concept rather than blatant maliciousness.

    The Win32/Induc.A virus does not infect like most viruses do. Delphi is a programming language. Induc infected the Delphi IDE so that when the programmers compile their programs the programs are already infected.

    As far as we are able to determine at this time, this virus went undetected since April 2009. Most of the samples of infected files we have seen are other trojans, mainly those that steal bank information. So, we detected the Trojan, but didn’t know that it was also infected.

    For the average user the virus is essentially harmless. The problem is that some software development companies use Delphi, got infected, and when we added detection for Win32/Induc.A their programs were detected. Some of these companies accused ESET of having false positives when their programs were actually infected!

    In reviewing our internal malware collections our researchers have found over 4,000 infected samples. Our Threatsense.Net network has identified over 30,000 unique infected samples in the first 24 hours after we added detection.

    For a write up about this virus you can visit http://www.eset.eu/encyclopaedia/win32-induc-a-virus?lng=en

    Ironically, some other malicious software that was previously undetected by antivirus vendors will now be detected because it is infected with Induc.A!

    It’s pretty rare now to be able to talk about a widespread virus that probably won’t cause you any harm.

    Randy Abrams
    Director of Technical Education

    ===
    and McAfee writes

    The W32/Induc virus has been in the wild for at least a year. During this period it has succeeded in infecting a lot of Delphi installations, including manufacturers of some pretty popular software packages.

    On a victim’s machine this virus searches for the presence of a specific version (4.0, 5.0, 6.0 and 7.0) of the Delphi compiler. The virus gathers this information using the registry entry below.



    If it finds one of these versions, the virus inserts its code into the file SysConst.pas, which is present in x.0\Source\rtl\sys. The virus renames the current Sysconst.dcu, which is present under the Delphi library folders, to SysConst.bak. The SysConst.pas file containing the viral code–like the one shown below–is compiled using the Delphi command line compiler dcc32.exe to create an infected SysConst.dcu. The original SysConst.pas file is then deleted.



    McAfee detects all files that have been compiled with the infected Delphi program as W32/Induc. Some customers have contacted us suspecting that this result is a false positive, but this is known correct detection from McAfee.

    This virus does not have a malicious payload. It just spreads through the compiled executables.
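
The build-machine traces named in the McAfee description quoted in the post above can be checked for directly. This is an added example, not part of the thread or of any vendor's tooling: it walks a Delphi installation tree and reports every folder where SysConst.bak sits beside SysConst.dcu, with a hash of the .dcu for comparison against clean install media. The `Lib` folder name and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file so it can be compared with a copy from clean install media."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_sysconst_backups(delphi_root):
    """Return one finding per folder holding SysConst.bak next to SysConst.dcu."""
    # Match case-insensitively: the write-up spells it 'SysConst' and 'Sysconst'.
    findings = []
    for folder, _dirs, files in os.walk(delphi_root):
        by_lower = {name.lower(): name for name in files}
        bak = by_lower.get("sysconst.bak")
        dcu = by_lower.get("sysconst.dcu")
        if bak and dcu:
            dcu_path = os.path.join(folder, dcu)
            findings.append({"folder": folder, "backup": os.path.join(folder, bak),
                             "dcu": dcu_path, "dcu_sha256": sha256_of(dcu_path)})
    return findings


def build_sample_tree(root):
    """Constructed sample: two fake Delphi trees, only one with the .bak file."""
    for version, with_bak in (("6.0", True), ("7.0", False)):
        lib = os.path.join(root, version, "Lib")  # 'Lib' is an assumed folder name
        os.makedirs(lib)
        with open(os.path.join(lib, "SysConst.dcu"), "wb") as fh:
            fh.write(b"constructed placeholder, not a real DCU")
        if with_bak:
            with open(os.path.join(lib, "Sysconst.bak"), "wb") as fh:
                fh.write(b"constructed placeholder backup")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_sysconst_backups(tmp):
            print(hit["folder"], hit["dcu_sha256"])
```

A finding is a reason to compare the reported .dcu hash with the one from the original installation media, not proof of infection on its own.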
     
  8. dim

    dim Dimitry Andric

    Joined:
    May 31, 2008
    Messages:
    202
    Likes Received:
    0
    Rex, this may be more serious than I thought at first; a check at VirusTotal shows that 6 scanners (BitDefender, Microsoft, NOD32, Panda and VirusBuster) detect TakeCmd.dll as Win32.Induc.A:

    https://www.virustotal.com/analisis...c5e6d3b857095fbe8e068d2645cb975efd-1250772168

    Since this is a rather hyped-up virus, all these engines might be a bit too trigger-happy. :)
     
  9. Steve Fabian

    Joined:
    May 20, 2008
    Messages:
    3,523
    Likes Received:
    4
    leeuw013 wrote:
    | leeuw013 wrote:
    || Okay, I'll upload the file to ESET's false positive queue.

    | ESET writes this in a blog :-(

    | It’s pretty rare now to be able to talk about a widespread virus
    | that probably won’t cause you any harm.

    OK, I read the same conclusion about the specific virus elsewhere. Did ESET
    respond to your upload?

    The cumulative impression from your posts is that TakeCmd.dll 10.00.74 is
    indeed infected by a virus, which is nearly harmless. Its only action is to
    propagate itself to other programs written in Delphi or containing portions
    written in Delphi, causing very minor increase in diskspace usage and very
    slight program load time increase for each affected program. Is this
    correct?
    --
    Steve
     
  10. leeuw013

    Joined:
    Feb 12, 2009
    Messages:
    41
    Likes Received:
    0
    Your conclusion is correct, but still I don't want this kind of warning on my system. I'm working now with build 67.
     
  11. rconn

    rconn Administrator
    Staff Member

    Joined:
    May 14, 2008
    Messages:
    9,730
    Likes Received:
    80
    dim wrote:

    I still believe this is a false positive.

    I ran build 75 (which is exactly the same development environment &
    trial/registration code) through VirusTotal, and only Panda complained
    (a "suspicious file", whatever that means). The only difference between
    build 74 & 75 is a minor fix for error reporting with RD /S. But each
    build has a slightly different signature as a result of the trial /
    registration code.

    So either ESET et al were a bit overzealous in their initial report, or
    they were initially correct and they're all failing now. I think the
    former is somewhat more likely.

    I've uploaded build 75 to the web & ftp sites for those concerned (or
    annoyed) with the (probable) false positives on build 74.

    Rex Conn
    JP Software
     
  12. leeuw013

    Joined:
    Feb 12, 2009
    Messages:
    41
    Likes Received:
    0
    Thanks ! NOD32 didn't find a virus :-))
     
  13. ebbe

    Joined:
    Jun 2, 2008
    Messages:
    31
    Likes Received:
    0
    But AVG using the latest AV signatures does :(

    Edited:
    And this is the response from AVG when I submitted TakeCmd.dll for further analysis:

    ========================================
    AVG Research Lab has analyzed the file(s) you have sent from your AVG Virus Vault. Below you can find the results for each file. The final verdict on the file is either a correct detection or a false positive detection.

    Further information about the verdicts are available at our website:
    http://www.avg.com/faq-1184

    "C:\TCMD10\TakeCmd.dll" - detection is correct



    Best regards,

    AVG Customer Services
    AVG Technologies
    website: http://www.avg.com
    ========================================

    I have now logged a support incident with AVG regarding this.
     
  14. dim

    dim Dimitry Andric

    Joined:
    May 31, 2008
    Messages:
    202
    Likes Received:
    0
    On 2009-08-21 11:17, ebbe wrote:

    Please guys, we all know these DLLs are *not* infected at all. Antivirus products give many (way too many IMHO) false positives these days.

    Just put the file in your antivirus exclusion list. I have dozens of completely innocent files in mine...

    Also, if your AV vendor can be bothered, mail them a copy of the DLL and tell them it's a false positive.
     
  15. vpdura

    Joined:
    Jun 3, 2008
    Messages:
    27
    Likes Received:
    0
    On Fri, 21 Aug 2009 05:06:44 -0500, dim <> wrote
    Re RE: [Support-t-1313] Re: Take Command Build 74 - TakeCmd.DLL:


    Good advice.
    --
    At first they laugh at you, then they ignore you, then they fight you, then you win.
     
  16. Mr. Jiggs

    Joined:
    May 29, 2008
    Messages:
    37
    Likes Received:
    0
    F.Y.I. Sophos reports build 74 as infected, but build 75 is ignored...

    Mr. Jiggs
    TecDocDigital
    s o l u t i o n s
    p: (978) 567.6046
    f: (978) 562.4304

     
  17. ebbe

    Joined:
    Jun 2, 2008
    Messages:
    31
    Likes Received:
    0
    This is not my experience. In fact, TakeCmd.dll was the first false positive I've seen in years.

    IMHO this is treating the symptom instead of the disease.

    ...which is what I did. I'm happy to say that AVG reacted promptly. The latest version of AVG's virus database now knows that TakeCmd.dll is OK.
     
  18. Steve Fabian

    Joined:
    May 20, 2008
    Messages:
    3,523
    Likes Received:
    4
    ebbe wrote:
    | ---Quote (Originally by dim)---
    || Also, if your AV vendor can be bothered, mail them a copy of the DLL
    || and tell them it's a false positive.
    |
    | ...which is what I did. I'm happy to say that AVG reacted promptly.
    | The latest version of AVG's virus database now knows that
    | TakeCmd.dll is OK.

    Do you have a paid subscription to AVG? I have the free version, and in the
    past when I reported that an earlier version of TakeCmd.dll returned a false
    positive, they had informed me that it was a real virus. Of course, the very
    same file, still on my system, does not now trigger a virus alert.
    --
    Steve
     
