
Ad-Aware reports Win32.Trojan.Keylogger


24 replies to this topic

#1 alm


Posted 09 June 2006 - 03:57 PM

Hi,

running Ad-Aware on my PC today led to a report of 24 critical objects. The majority were files; the rest were all registry entries related to these files. All 24 objects were reported with a name of Win32.Trojan.Keylogger and a category of Keylogger. All of the files were part of various installations of the Python programming language. I have included a link to a screen grab of one of the scanning results screen tabs here:

Link to screenshot of Ad-Aware scan results

Searching the web on this issue has yielded no results. Indeed, using Google to query www.lavasoftsupport.com with query terms such as Win32.Trojan.Keylogger has yielded nothing.

I have scanned the same PC and files using the latest versions of Spyware Doctor, AVG antivirus and Stinger and they have not reported any of the same files as having any problems.

It could well be that Ad-Aware is picking up something that the other scanners have missed. Given the serious threat level that a keylogger represents I do not want to ignore the warning produced by Ad-Aware. So I have 2 questions.

1) Can you please tell me if there is any way I can validate the results of the Ad-Aware scan?

2) Is it possible that Ad-Aware has picked up something that is legitimate but that matches a profile of a Trojan/Keylogger and is reporting it so to be safe?

Many thanks in advance,

Al Moran

#2 GRAFX


Posted 10 June 2006 - 11:13 PM

alm,
please can you clear out your cache folder, i.e. the temporary internet folder. There are some free programs that you can use that will do that for you if needed, like :)
CCleaner
(Note in CCleaner: go to Options > Advanced > uncheck "Only delete files in Windows Temp folders older than 48 hours"), but see CCleaner Set up.
Also, in the setup of CCleaner, the LS Staff would prefer if you un-tick (un-check) "Utilities" (i.e., Ad-Aware, ewido and other security program logs) at least till your PC is clean of spyware/malware.
Now use the WebUpdate
(to make sure you are up to date). If you want to clean your PC then scan by doing a "Full Scan", and once the scan has finished
mark and remove the items, then Reboot (i.e. re-start your PC).
Then re-scan doing a "Full Scan" and then post your logfile here by using the Add-Reply feature.

GRAFX
press Enter then have a Brandy then if the problem is still there have another Brandy
Q: does it work
A: It does seem to for a few hours at least
LandzDown

#3 brianski


Posted 14 June 2006 - 11:10 AM

I'm having the same issue as alm, albeit on a lesser scale. Adaware doesn't like pywintypes24.dll or pythoncom24.dll, which were sitting in c:\program files\ABC (http://swik.net/yabc) from my ABC-win32-v3.1.1-RC1.exe install. I killed the program, cleaned them, uninstalled the program, and reinstalled, and the problem is still there. So, either A - YABC 3.1.1rc1 is infected (which I somewhat doubt; I've been running it for months with no adverse effects or detections with adaware SE personal, spybot SD, and AVG Free, and I'm pretty rigorous about scanning regularly) or B - the new adaware update is mis-identifying some python files as being viruses. I'm pretty sure at this point it's B...

Just to be on the safe side I'm rolling back my install of ABC to a version which happens not to include these files, but I'll be interested to see if lavasoft can confirm this is an overzealous definition file, and not a virus. I have put the two files in question available for download if it would be useful for anyone to see:
http://wuhjuhbuh.afr...pythoncom24.dll
http://wuhjuhbuh.afr...ywintypes24.dll

#4 GRAFX


Posted 14 June 2006 - 04:06 PM

brianski,
I am sure that one of the LS Staff will let you know what is going on, but could you submit your files using the
File Submission System so that the research department can have a look at them.

GRAFX
press Enter then have a Brandy then if the problem is still there have another Brandy
Q: does it work
A: It does seem to for a few hours at least
LandzDown

#5 leyupab


Posted 15 June 2006 - 11:56 AM

I've got a similar problem. I've just installed Musicbrainz Picard software, and scanned with Ad-aware SE. It reports the same Win32.Trojan.Keylogger. The file in question is the same one mentioned by brianski, called pywintypes24.dll, and the software was partly written using Python.

If people could post any feedback they get from this, it would be much appreciated.

#6 alm


Posted 16 June 2006 - 10:36 AM

Hi,

thanks for all the replies.

Since my original post I have followed the advice offered by GRAFX.

However I need to use the Python installation for my work. As soon as I re-install a version of Python again Ad-Aware flags the same files as being Win32.Trojan.Keyloggers.

I have done new scans with XoftSpy, Pestpatrol and Highjack This among others. Nothing shows up in these scans.

I have used six different system scanning tools from Sysinternals and none of them show up any problems.

I have scanned network traffic using ethereal. Nothing at all shows up.

I have installed Anti-keylogger and it says that nothing unusual is happening.

I have compared the versions of the python files in question with versions on different machines and they seem to be identical.

In the end I have followed the advice in GRAFX's second response and submitted one of the files in question through the Lavasoft file submission process. So I hope that they will be able to give a definitive response.

It appears that, as brianski said, the Ad-Aware software is being a bit overzealous. I hope this is the case. This has already cost a fair bit of time and money. But if it turns out that the Ad-Aware scan results are accurate it could cost a lot more!

Thanks again,

Al Moran.
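One way to do the cross-machine comparison alm describes above (an added example, not code from this thread): hash every file under an install tree on a known-clean machine, then classify the flagged machine's copies as identical, different, or absent from the reference. The two "machines" and the DLL contents below are constructed stand-ins so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """SHA-256 of a file, read in chunks so large DLLs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Relative path -> SHA-256 for every file under root (run on the reference machine)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_flagged(flagged_root, reference_manifest):
    """Sort files under flagged_root into identical / differs / not_in_reference."""
    result = {"identical": [], "differs": [], "not_in_reference": []}
    for rel, digest in build_manifest(flagged_root).items():
        if rel not in reference_manifest:
            result["not_in_reference"].append(rel)
        elif reference_manifest[rel] == digest:
            result["identical"].append(rel)
        else:
            result["differs"].append(rel)
    return result

def demo():
    """Constructed sample: two fake install trees standing in for the two machines."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, flagged = Path(tmp, "clean_machine"), Path(tmp, "flagged_machine")
        for d in (ref, flagged):
            d.mkdir()
            (d / "pywintypes24.dll").write_bytes(b"MZ fake pywintypes24 bytes")  # same on both
        (ref / "pythoncom24.dll").write_bytes(b"MZ fake pythoncom24 build 1")
        (flagged / "pythoncom24.dll").write_bytes(b"MZ fake pythoncom24 build 2")  # differs
        (flagged / "extra.pyd").write_bytes(b"MZ only on the flagged machine")
        return compare_flagged(flagged, build_manifest(ref))

if __name__ == "__main__":
    for verdict, files in demo().items():
        print(f"{verdict}: {files}")
```

A matching hash only shows the two copies are the same build, not that either is clean; comparing against the copy in the vendor's own installer is the stronger reference.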

#7 other


Posted 16 June 2006 - 03:06 PM

I've been having the same problems (ad-aware reports pythoncom24.dll and python registry entries as win32.trojan.keylogger). Spybot, Defender and Norton don't detect any probs though.

Maybe Lavasoft is just a fan of the Camel...

other

#8 Piyono


Posted 16 June 2006 - 04:08 PM

Hi, I'm having the same problem.
AdAware is marking pywintypes24.dll as a keylogger. The file is being used by PFrank, a file renaming program which, as far as I know is clean.

Can I assume this is a false positive?

Piyono

#9 LS SteveJ (former LS employee)


Posted 17 June 2006 - 03:00 PM

Hello. This was a false positive detection on the Win32 python libraries. However, this should be corrected with the latest release.

Please perform a webupdate, and a system scan again. If you are still having problems, let us know...

Thanks

//Steve

#10 leyupab


Posted 17 June 2006 - 09:38 PM

Hello. This was a false positive detection on the Win32 python libraries. However, this should be corrected with the latest release.

Please perform a webupdate, and a system scan again. If you are still having problems, let us know...

Thanks

//Steve


I've downloaded the latest update today but it labels the same file, pywintypes24.dll, as a keylogger.

#11 LS SteveJ (former LS employee)


Posted 18 June 2006 - 12:28 AM

I've downloaded the latest update today but it labels the same file, pywintypes24.dll, as a keylogger.


Hello leyupab

Please submit this file to us at http://www.lavasoftr....com/submit.php

Label your submission as "False Positive - Python File"

Thanks

//Steve

#12 brianski


Posted 18 June 2006 - 01:15 AM

Hello leyupab

Please submit this file to us at http://www.lavasoftr....com/submit.php

Label your submission as "False Positive - Python File"

Thanks

//Steve


I'm still getting false positives too. I've uploaded the two files I am getting hits on.

Cheers,
Brian

#13 bryian


Posted 18 June 2006 - 02:51 AM

I have the Picard tagger installed as well, and I haven't even executed the program in weeks. I was using my PC as normal two days ago when AVG-Free antivirus popped up and said tagger.exe was infected with some kind of generic trojan horse or something. I'm a very security-conscious user and I've never had a real virus to speak of before, so I was shocked. I ran Ad-Aware and Spybot with the latest definitions; Spybot came up clean and Ad-Aware reported it as a keylogger (just like in the above post). I panicked and removed the program, but I still don't think it actually was infected. I hope somebody can shed some light on this. Was it just a vulnerability or what?

#14 alm


Posted 18 June 2006 - 11:19 AM

Hi,

I downloaded the update but I am still getting the exact same result as in my first post. As recommended I have submitted 2 of the 'offending' files.

Cheers,

ALM.

#15 LS SteveJ (former LS employee)


Posted 18 June 2006 - 11:21 AM

Hello. Please also post an Ad-Aware scan log of these detections

Thanks

//Steve

#16 alm


Posted 18 June 2006 - 11:36 AM

Hi,

as requested I have submitted a scan log file.

Cheers,

Alm

#17 brianski


Posted 18 June 2006 - 03:44 PM

Hi,

as requested I have submitted a scan log file.

Cheers,

Alm


I've also re-submitted my files with a scan log.

Thanks,
Brian

#18 leyupab


Posted 18 June 2006 - 08:33 PM

Hello leyupab

Please submit this file to us at http://www.lavasoftr....com/submit.php

Label your submission as "False Positive - Python File"

Thanks

//Steve


done

#19 fbg00


Posted 26 June 2006 - 01:26 AM

Does anyone have an update on this topic? I'm having the same problem. Moreover, I tried to quarantine the files just in case, and they are still detected (i.e. the quarantine seems to silently fail).

Thanks

#20 alm


Posted 26 June 2006 - 02:59 PM

Hi,

as far as I am aware there has been no update on this topic for over a week (since). Lavasoft have said that this is a false positive. But the first attempt at a fix to remove this false positive from the scan failed. So I presume they are still working on it.

Cheers,

ALM.
