ALM, posted June 9, 2006
Hi, running Ad-Aware on my PC today led to a report of 24 critical objects. The majority were files; the rest were all registry entries related to these files. All 24 objects were reported with a name of Win32.Trojan.Keylogger and a category of Keylogger. All of the files were part of various installations of the Python programming language. I have included a link to a screen grab of one of the scanning results screen tabs here: (link to screenshot of Ad-Aware scan results). Searching the web on this issue has yielded no results. Indeed, using Google to query www.lavasoftsupport.com with query terms such as Win32.Trojan.Keylogger has yielded nothing. I have scanned the same PC and files using the latest versions of Spyware Doctor, AVG Antivirus and Stinger and they have not reported any of the same files as having any problems. It could well be that Ad-Aware is picking up something that the other scanners have missed. Given the serious threat level that a keylogger represents, I do not want to ignore the warning produced by Ad-Aware. So I have 2 questions. 1) Can you please tell me if there is any way I can validate the results of the Ad-Aware scan? 2) Is it possible that Ad-Aware has picked up something that is legitimate but that matches a profile of a Trojan/Keylogger and is reporting it so to be safe? Many thanks in advance, Al Moran
GRAFX, posted June 10, 2006
alm, please can you clear out your cache folder, i.e. the Temporary Internet Files folder. There are some free programs that you can use that will do that for you if needed, like CCleaner (note, in CCleaner go to Options > Advanced and uncheck "Only delete files in Windows Temp folders older than 48 hours"). But see the CCleaner setup: also in the setup of CCleaner, the LS Staff would prefer if you un-tick (un-check) "Utilities" (i.e. Ad-Aware, ewido and other security program logs), at least till your PC is clean of spyware/malware. Now use the WebUpdate (to make sure you are up to date). If you want to clean your PC, then scan by doing a "Full Scan", and once the scan has finished mark and remove the items, then reboot (i.e. restart your PC). Then re-scan doing a "Full Scan" and post your logfile here by using the Add Reply feature. GRAFX
brianski, posted June 14, 2006
I'm having the same issue as alm, albeit on a lesser scale. Adaware doesn't like pywintypes24.dll or pythoncom24.dll, which were sitting in c:\program files\ABC (http://swik.net/yabc) from my ABC-win32-v3.1.1-RC1.exe install. I killed the program, cleaned them, uninstalled the program, and reinstalled, and the problem is still there. So, either A - YABC 3.1.1rc1 is infected (which I somewhat doubt; I've been running it for months with no adverse effects or detections with adaware SE personal, spybot SD, and AVG Free, and I'm pretty rigorous about scanning regularly) or B - the new adaware update is mis-identifying some python files as being viruses. I'm pretty sure at this point it's B... Just to be on the safe side I'm rolling back my install of ABC to a version which happens not to include these files, but I'll be interested to see if lavasoft can confirm this is an overzealous definition file, and not a virus. I have put the two files in question available for download if it would be useful for anyone to see: http://wuhjuhbuh.afraid.org/pythoncom24.dll http://wuhjuhbuh.afraid.org/pywintypes24.dll
GRAFX, posted June 14, 2006
brianski, I am sure that one of the LS Staff will let you know what is going on, but could you submit your files using the File Submission System so that the research department can have a look at them. GRAFX
leyupab, posted June 15, 2006
I've got a similar problem. I've just installed Musicbrainz Picard software, and scanned with Ad-aware SE. It reports the same Win32.Trojan.Keylogger. The file in question is the same one mentioned by brianski, called pywintypes24.dll, and the software was partly written using Python. If people could post any feedback they get from this, it would be much appreciated.
ALM, posted June 16, 2006
Hi, thanks for all the replies. Since my original post I have followed the advice offered by GRAFX. However I need to use the Python installation for my work. As soon as I re-install a version of Python again, Ad-Aware flags the same files as being Win32.Trojan.Keyloggers. I have done new scans with XoftSpy, PestPatrol and HijackThis among others. Nothing shows up in these scans. I have used six different system scanning tools from Sysinternals and none of them show up any problems. I have scanned network traffic using Ethereal. Nothing at all shows up. I have installed Anti-keylogger and it says that nothing unusual is happening. I have compared the versions of the python files in question with versions on different machines and they seem to be identical. In the end I have followed the advice in GRAFX's second response and submitted one of the files in question through the Lavasoft file submission process. So I hope that they will be able to give a definitive response. It appears that, as brianski said, the Ad-Aware software is being a bit overzealous. I hope this is the case. This has already cost a fair bit of time and money. But if it turns out that the Ad-Aware scan results are accurate it could cost a lot more! Thanks again, Al Moran.
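One way to carry out the cross-machine file comparison ALM describes (hash the flagged DLLs and compare them with copies from a machine that was never flagged), as an added example that is not part of this thread or of any Lavasoft tool; the filenames come from the posts above, while the sample byte contents and the directory helper are constructed for illustration:

```python
import hashlib
from pathlib import Path

# Filenames the thread reports as Win32.Trojan.Keylogger (pywin32 DLLs).
FLAGGED_NAMES = ["pywintypes24.dll", "pythoncom24.dll"]


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory file image."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """SHA-256 of a file on disk, read in chunks so large DLLs are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_directory(directory: Path, names=FLAGGED_NAMES) -> dict:
    """Hash whichever flagged filenames exist under directory (e.g. a Python install)."""
    return {n: sha256_file(directory / n) for n in names if (directory / n).is_file()}


def compare_flagged(flagged: dict, reference: dict) -> dict:
    """Classify each flagged file's digest against the same file from a clean reference
    machine: 'identical' (same bytes, so the detection concerns the file family rather
    than a tampered copy), 'differs' (investigate that copy) or 'no reference'."""
    verdicts = {}
    for name, digest in flagged.items():
        ref = reference.get(name)
        if ref is None:
            verdicts[name] = "no reference"
        else:
            verdicts[name] = "identical" if ref == digest else "differs"
    return verdicts


# Constructed sample digests standing in for the DLL bytes on two machines
# (the flagged PC and a reference PC with the same Python/pywin32 build).
FLAGGED_PC = {n: sha256_bytes(b"MZ..." + n.encode() + b" build 2.4 (constructed)")
              for n in FLAGGED_NAMES}
REFERENCE_PC = dict(FLAGGED_PC)  # identical copies, as ALM observed

if __name__ == "__main__":
    for name, verdict in compare_flagged(FLAGGED_PC, REFERENCE_PC).items():
        print(f"{name}: {verdict}")
```

An identical hash only shows the flagged copy matches the reference; it does not by itself prove either copy clean, which is why the thread's advice to submit the file to the vendor still applies.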
other, posted June 16, 2006
I've been having the same problems (ad-aware reports pythoncom24.dll and python registry entries as win32.trojan.keylogger). Spybot, Defender and Norton don't detect any probs though. Maybe Lavasoft is just a fan of the Camel... other
Piyono, posted June 16, 2006
Hi, I'm having the same problem. AdAware is marking pywintypes24.dll as a keylogger. The file is being used by PFrank, a file renaming program which, as far as I know, is clean. Can I assume this is a false positive? Piyono
LS SteveJ, posted June 17, 2006
Hello. This was a false positive detection on the Win32 python libraries. However, this should be corrected with the latest release. Please perform a webupdate, and a system scan again. If you are still having problems, let us know... Thanks //Steve
leyupab, posted June 17, 2006
> Hello. This was a false positive detection on the Win32 python libraries. However, this should be corrected with the latest release. Please perform a webupdate, and a system scan again. If you are still having problems, let us know... Thanks //Steve
I've downloaded the latest update today but it labels the same file, pywintypes24.dll, as a keylogger.
LS SteveJ, posted June 17, 2006
> I've downloaded the latest update today but it labels the same file, pywintypes24.dll, as a keylogger.
Hello leyupab. Please submit this file to us at http://www.lavasoftresearch.com/submit.php Label your submission as "False Positive - Python File" Thanks //Steve
brianski, posted June 18, 2006
> Hello leyupab. Please submit this file to us at http://www.lavasoftresearch.com/submit.php Label your submission as "False Positive - Python File" Thanks //Steve
I'm still getting false positives too. I've uploaded the two files I am getting hits on. Cheers, Brian
bryian, posted June 18, 2006
I have the Picard tagger installed as well, and I haven't even executed the program in weeks. I was using my pc as normal two days ago when AVG-Free antivirus popped up and said tagger.exe was infected with some kind of generic trojan horse or something. I'm a very security-conscious user and I've never had a real virus to speak of before, so I was shocked. I ran ad-aware and spybot with the latest definitions; spybot came up clean and ad-aware reported it as a keylogger (just like in the above post). I panicked and removed the program, but I still don't think it actually was infected. I hope somebody can shed some light on this. Was it just a vulnerability or what?
ALM, posted June 18, 2006
Hi, I downloaded the update but I am still getting the exact same result as in my first post. As recommended I have submitted 2 of the 'offending' files. Cheers, ALM.
LS SteveJ, posted June 18, 2006
Hello. Please also post an Ad-Aware scan log of these detections. Thanks //Steve
ALM, posted June 18, 2006
Hi, as requested I have submitted a scan log file. Cheers, Alm
brianski, posted June 18, 2006
> Hi, as requested I have submitted a scan log file. Cheers, Alm
I've also re-submitted my files with a scan log. Thanks, Brian
leyupab, posted June 18, 2006
> Hello leyupab. Please submit this file to us at http://www.lavasoftresearch.com/submit.php Label your submission as "False Positive - Python File" Thanks //Steve
done
fbg00, posted June 26, 2006
Does anyone have an update on this topic? I'm having the same problem. Moreover, I tried to quarantine the files just in case, and they are still detected (i.e. the quarantine seems to silently fail). Thanks
ALM, posted June 26, 2006
Hi, as far as I am aware there has been no update on this topic for over a week (since). Lavasoft have said that this is a false positive. But the first attempt at a fix to remove this false positive from the scan failed. So I presume they are still working on it. Cheers, ALM.
brianski, posted June 29, 2006
> Hi, as far as I am aware there has been no update on this topic for over a week (since). Lavasoft have said that this is a false positive. But the first attempt at a fix to remove this false positive from the scan failed. So I presume they are still working on it. Cheers, ALM.
I just updated my definitions and scanned again at 1200 GMT June 29, and the false positives are gone (for me anyway)... Thanks to the lavasoft folks, even if it took awhile, and good luck to others on this thread. Cheers, Brian
ALM, posted July 3, 2006
Hi, I have been away for a while. Returned today, and ran the latest update and all the Python keylogger stuff has disappeared. Thanks to the lavasoft folks who sorted this one out. Al Moran.
GRAFX, posted July 3, 2006
alm, glad you have got it sorted. GRAFX
jinnyj, posted July 13, 2006
Help! I have discovered Win32.Trojan.Keylogger on my PC and despite trying to follow your instructions, cannot even manage to download CCleaner. Am I being a bit blonde or has it hit my PC harder than it can cope with? I have earlier tried to download other anti-virus programmes and it won't let me download them either. I am at my wits' end - my PC is so slow and the b/f keeps complaining he is missing backing too many winners on Betfair!
LS SteveJ, posted July 13, 2006
> Help! I have discovered Win32.Trojan.Keylogger on my PC and despite trying to follow your instructions, cannot even manage to download CCleaner. Am I being a bit blonde or has it hit my PC harder than it can cope with? I have earlier tried to download other anti-virus programmes and it won't let me download them either. I am at my wits' end - my PC is so slow and the b/f keeps complaining he is missing backing too many winners on Betfair!
Hello jinnyj. Your problem is actually unrelated to the topic you have posted in, as this was a specific problem from a few weeks ago which is now resolved... please start a new topic. We will be closing this topic... thanks //Steve