Sign in to follow this  
Followers 0
ALM

Ad-Aware reports Win32.Trojan.Keylogger

By ALM, in Ad-Aware SE Resolved/Inactive Issues

Recommended Posts

ALM    0

ALM
Posted

Hi,

 

running Ad-Aware on my PC today led to a report of 24 critical objects. The majority were files the rest were all registry entries related to these files. All 24 objects were reported with a name of Win32.Trojan.Keylogger and a category of Keylogger. All of the files were part of various installations of the Python programming language. I have included a link to a screen grab of one of the scanning results screen tabs here:

 

Link to screenshot of Ad-Aware scan results

 

Searching the web on this issue has yielded no results. Indeed using google to query www.lavasoftsupport.com with query terms such Win32.Trojan.Keylogger has yielded nothing.

 

I have scanned the same PC and files using the latest versions of Spyware Doctor, AVG antivirus and Stinger and they have not reported any of the same files as having any problems.

 

It could well be that Ad-Aware is picking up something that the other scanners have missed. Given the serious threat level that a keylogger rpresents I do not want to ignore the warning produced by Ad-Aware. So I have 2 questions.

 

1) Can you please tell me if there is any way I can validate the results of the Ad-Aware scan?

 

2) Is it possible that Ad-Aware has picked up something that is legitimate but that matches a profile of a Trojan/Keylogger and is reporting it so to be safe?

 

Many thanks in advance,

 

Al Moran

Share this post

Link to post
Share on other sites

GRAFX    0

GRAFX
Posted

alm,

please can you clear out your cache folder ie: temporary internet folder There are some free programs that you can use that will do that for you if needed like :)

CCleaner

(Note in CCleaner: go to >options > advanced > Uncheck "Only delete files in Windows Temp folders older than 48 hours"). but see CCleaner Set up

also also in the setup of CCleaner The LS Staff would prefer if you un-tick (un-check) "Utilities" (i.e., Ad-Aware, ewido and other security program logs.)at leat till your pc is clean of spyware/malware.

now use the WebUpDate

(to make sure you are upto date) if you want to clean your PC then scan by doing a "Full Scan" then and once the scan has finished

mark and remove the items then Reboot (ie: Re-start your PC)

Then re-scan doing a "Full Scan" and then post your logfile here by using the Add-Reply Feature .

 

GRAFX 206729.gif

Share this post

Link to post
Share on other sites

brianski    0

brianski
Posted

I'm having the same issue as alm, albeit on a lesser scale. Adaware doesn't like pywintypes24.dll or pythoncom24.dll, which were sitting in c:\program files\ABC (http://swik.net/yabc) from my ABC-win32-v3.1.1-RC1.exe install. I killed the program, cleaned them, uninstalled the program, and reinstalled, and the problem is still there. So, either A - YABC 3.1.1rc1 is infected (which I somewhat doubt, I've been running it for months with no adverse affects or detections with adaware SE personal, spybot SD, and AVG Free, and I'm pretty rigorous about scanning regularly) or B - the new adaware update is mis-identifying some python files as being viruses. I'm pretty sure at this point it's B...

 

Just to be on the safe side I'm rolling back my install of ABC to a version which happens not to include these files, but I'll be interested to see if lavasoft can confirm this is an overzealous definition file, and not a virus. I have put the two files in question available for download if it would be useful for anyone to see:

http://wuhjuhbuh.afraid.org/pythoncom24.dll

http://wuhjuhbuh.afraid.org/pywintypes24.dll

Share this post

Link to post
Share on other sites

GRAFX    0

GRAFX
Posted

brianski,

Iam sure that one of the LS Staff will let you know what is going on but could you submit your files using the

File Submission System so that the reseach department can have a look at them.

 

GRAFX 206729.gif

Share this post

Link to post
Share on other sites

leyupab    0

leyupab
Posted

I've got a similar problem. I've just installed Musicbrainz Picard software, and scanned with Ad-aware SE. It reports the same Win32.Trojan.Keylogger. The file in question is the same one mentioned by brianski, called pywintypes24.dll, and the software was partly written using Python.

 

If people could post any feedback they get from this, it would be much appreciated.

Share this post

Link to post
Share on other sites

ALM    0

ALM
Posted

Hi,

 

thanks for all the replies.

 

Since my original post I have followed the advice offered by GRAFX.

 

However I need to use the Python installation for my work. As soon as I re-install a version of Python again Ad-Aware flags the same files as being Win32.Trojan.Keyloggers.

 

I have done new scans with XoftSpy, Pestpatrol and Highjack This among others. Nothing shows up in these scans.

 

I have used six different system scanning tools from Sysinternals and none of them show up any problems.

 

I have scanned network traffic using ethereal. Nothing at all shows up.

 

I have installed Anti-keylogger and it says that nothing unusual is happening.

 

I have compared the versions of the python files in question with versions on different machines and they seem to be identical.

 

In the end I have followed the advice in GRAFX's second respone and submitted one of the files in question through the Lavasoft file submission process. So I hope that they will be able to give a definitive response.

 

It appears that, as brianski said, the Ad-Aware software is being a bit overzealous. I hope this is the case. This has already cost a fair bit of time and money. But if it turns out that the Ad-Aware scan results are accurate it could cost a lot more!

 

Thanks again,

 

Al Moran.

Share this post

Link to post
Share on other sites

other    0

other
Posted

I've been having the same problems (ad-aware reports pythoncom24.dll and python registry entries as win32.trojan.keylogger). Spybot, Defender and Norton don't detect any probs though.

 

Maybe Lavasoft is just a fan of the Camel...

 

other

Share this post

Link to post
Share on other sites

Piyono    0

Piyono
Posted

Hi, I'm having the same problem.

AdAware is marking pywintypes24.dll as a keylogger. The file is being used by PFrank, a file renaming program which, as far as I know is clean.

 

Can I assume this is a false positive?

 

Piyono

Share this post

Link to post
Share on other sites

LS SteveJ    0

LS SteveJ
Posted

Hello. This was a false positive detection on the Win32 python libraries. However, this should be corrected with the latest release.

 

Please perform a webupdate, and a system scan again. If you are still having problems, let us know...

 

Thanks

 

//Steve

Share this post

Link to post
Share on other sites

leyupab    0

leyupab
Posted
Hello. This was a false positive detection on the Win32 python libraries. However, this should be corrected with the latest release.

 

Please perform a webupdate, and a system scan again. If you are still having problems, let us know...

 

Thanks

 

//Steve

 

I've downloaded the latest update today but it labels the same file, pywintypes24.dll, as a keylogger.

Share this post

Link to post
Share on other sites

bryian    0

bryian
Posted

I have the Picard tagger installed as well, and I haven't even executed the program in weeks. I was using my pc as normal two days ago when AVG-Free antivirus popped up and said tagger.exe was infected with some kind of generic trojan horse or something. I'm a very security-conscious user and I've never had a real virus to speak of before so I was shocked. I ran ad-aware and spybot with the latest definitions; spyhbot came up clean and ad-aware reported it as a keylogger (just like in the above post). I panicked and removed the program, but I still don't think it actually was infected. I hope somebody can shed some light on this. Was it just a vulnerability or what?

Share this post

Link to post
Share on other sites

ALM    0

ALM
Posted

Hi,

 

I downloaded the update but I am still getting the exact same result as in my first post. As recommended I have submitted 2 of the 'offending' files.

 

Cheers,

 

ALM.

Share this post

Link to post
Share on other sites

brianski    0

brianski
Posted
Hi,

 

as requested I have submitted a scan log file.

 

Cheers,

 

Alm

 

I've also re-submitted my files with a scan log.

 

Thanks,

Brian

Share this post

Link to post
Share on other sites

fbg00    0

fbg00
Posted

Does anyone have an update on this topic? I'm having the same problem. Moreover, I tried to quarantine the files just in case, and they are still detected (i.e. the quarantine seems to silently fail).

 

Thanks

Share this post

Link to post
Share on other sites

ALM    0

ALM
Posted

Hi,

 

as far as I am aware there has been no update on this topic for over a week (since). Lavasoft have said that this is a false positive. But the first attempt at a fix to remove this false positive from the scan failed. So I presume they are still working on it.

 

Cheers,

 

ALM.

Share this post

Link to post
Share on other sites

brianski    0

brianski
Posted
Hi,

 

as far as I am aware there has been no update on this topic for over a week (since). Lavasoft have said that this is a false positive. But the first attempt at a fix to remove this false positive from the scan failed. So I presume they are still working on it.

 

Cheers,

 

ALM.

 

I just updated my definitions and scanned again at 1200 GMT June 29, and the false positives are gone (for me anyway)...

 

Thanks to the lavasoft folks, even if it took awhile, and good luck to others on this thread.

 

Cheers,

Brian

Share this post

Link to post
Share on other sites

ALM    0

ALM
Posted

Hi,

 

I have been away for a while. Returned today, and ran the latest update and all the Python keylogger stuff has disappeared. Thanks to the lavasoft folks who sorted this one out.

 

Al Moran.

Share this post

Link to post
Share on other sites

jinnyj    0

jinnyj
Posted

Help! I have discovered Win32.Trojan .Keyloger on my PC and despite trying to follow your instructions, cannot even manage to download CCleaner. Am I being a bit blonde or has it hit my PC harder than it can cope with? I have earlier tried to download other anti-virus programmes and it won't let me download them either. I am at my wits end - my PC is so slow and the b/f keeps complaining he is missing backing too many winners on Betfair!

Share this post

Link to post
Share on other sites

LS SteveJ    0

LS SteveJ
Posted
Help! I have discovered Win32.Trojan .Keyloger on my PC and despite trying to follow your instructions, cannot even manage to download CCleaner. Am I being a bit blonde or has it hit my PC harder than it can cope with? I have earlier tried to download other anti-virus programmes and it won't let me download them either. I am at my wits end - my PC is so slow and the b/f keeps complaining he is missing backing too many winners on Betfair!

 

Hello jinnyj. Your problem is actually unrelated to the topic you have posted in, as this was a specific problem from a few weeks ago which is now resolved... please start a new topic. We will be closing this topic... thanks

 

//Steve

Share this post

Link to post
Share on other sites
Sign in to follow this  
Followers 0
Go To Topic Listing