NS Keylogger in Spywareblaster?

Discussion in 'SpywareBlaster & Other Forum' started by TOADFROG, Apr 22, 2005.

Thread Status:
Not open for further replies.
  1. TOADFROG

    TOADFROG Registered Member

    Joined:
    Dec 8, 2003
    Posts:
    16
    Top rated Anti-spyware program Giant [the one Microsoft bought] just found Unins000.exe in Spywareblaster to be/contain "NS Keylogger personal Monitor"
    I've been using Spywareblaster for over a year and have found it to be a great program. When I googled ["NS Keylogger" Spywareblaster], I found no confirming comments. OTOH Giant is highly rated http://spywarewarrior.com/asw-test-guide.htm so I'm tossing this observation out for comment.
    Meanwhile I've temporarily renamed the Unins000.exe file until I need to uninstall, which is what I presume its primary function is.
    Thanks for comments.

    Update-Summary: There's no NS Keylogger in Spywareblaster. It's a false positive.
    Javacool has clearly stated this and many thread participants have run over a dozen spy detectors with no detections other than Giant/MS-AS. If anyone quarantined the Unins000.exe, they can either un-quarantine or reinstall SWB to correct that. This false positive has been reported to Microsoft.

    Update2: Looks like update 5711 has fixed the false positive in 5709.
    Thanks to all participants for responses.
    Toadfrog
     
    Last edited: Apr 23, 2005
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    I believe this is a false positive that has been reported by other users who have downloaded the latest MS AS (and Giant) updates.

    Rich
     
  3. TOADFROG

    TOADFROG Registered Member

    Joined:
    Dec 8, 2003
    Posts:
    16
    I agree it's a likely FP [to be an effective keylogger, it would need to be running - taskmanager doesn't show it on the system where I haven't renamed Unins000.exe], but given the widespread use of MS anti-spyware, it may result in a lot of damage to spywareblaster [the uninstall is necessary for a program update]. Giant/MS anti-spyware have depended on user reports to locate malware. Perhaps someone in that user group wished to defame spywareblaster with a false report. In any event, javacool needs to make a case to Microsoft to correct this.
     
  4. stealth063kb

    stealth063kb Guest

    I had the same problem using Microsoft AntiSpyware Version:1.0.501. The antispyware scan ran the day before with no threats. I updated to SpywareBlaster V3.3 on April 21, 2005. The threat was discovered during the scheduled scan on April 22, 2995.

    Detected Threats
    NS Keylogger Personal Monitor Key Logger
    Details: NS Keylogger Personal Monitor records everything that is entered from the keyboard, to a log file.

    Status: Removed

    Infected files detected
    c:\program files\spywareblaster\unins000.exe
     
  5. vettecoupe

    vettecoupe Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    2
    Location:
    Ontario, Canada
    We picked up the same thing on a number of computers this morning with Microsoft Antispyware and we immediately deleted the Spyware Blaster Uninstaller.

    We had no indication of a problem with Spyware Blaster 3.3 two days ago so it had to be defined with the very latest updates to Microsoft Antispyware (Today and yesterday). This Microsoft program we trust very much and presumably they went through the uninstaller code carefully.

    While this may indeed be a false positive, it is not worth playing around with so JavaCool had better do something very fast.
     
  6. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Javacool isn't able to fix Microsoft's Antispyware. I am rather sure they won't let him play with or fix their definitions, so MS will have to fix their own false positive just like every other company does.
     
  7. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
  8. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    OK I'm closing all the other threads on this same subject - let's keep the discussion in this one.

    So you can take a look at those other threads, here are the closed threads on same subject
    That's not to say there's nothing of value in those threads, but should I merge them things would be out of order and very confusing. I'll redirect any new threads on the subject to here.
     
    Last edited: Apr 22, 2005
  9. vettecoupe

    vettecoupe Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    2
    Location:
    Ontario, Canada
    Please don't assume that this is a false positive until it is proven otherwise. What I thought I said was Javacool had better go through their uninstaller fast and get hold of MS AS PDQ.
     
  10. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Actually this is what you said.
     
  11. kayjay1

    kayjay1 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    10
    so is it better to send this file to quarantine or not or should we all just rename the file??
     
  12. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Well, you won't hurt anything doing either of those so long as you know where it is when the time comes should you choose to uninstall SWB at some point. Even then, I imagine you could reinstall SWB over itself to get the uninstall file back.

    But on the topic of FP or not, admittedly I cannot be 100% sure but let's look at things so far.

    File has been scanned by other posters using NAV, KAV, Trojan Hunter, SpyCop, and I have scanned with Nod32, TDS-3, probably everyone's scanned with Ad-Aware and Spybot (including me) and none of these applications have found any problems. In my opinion, this is enough to make me lean pretty hard toward the "FP" side.
     
  13. kayjay1

    kayjay1 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    10
    I have also run the following:

    Microsoft Antispyware V1.0.509
    Adaware SE Personal V1.05
    Spybot S&D V1.3
    Spyware Blaster V3.3
    HJT V1.99.1
    Norton Internet Security 2004 V7.0.6.17
    Norton Antivirus V10.0.1.13
    CCleaner V1.18.101
    CW Shredder V2.13
    McAfee AVERT Stinger V2.5.3


    And none except for Microsoft Antispyware, as far as I can see, actually have this file showing as a problem.
     
  14. TOADFROG

    TOADFROG Registered Member

    Joined:
    Dec 8, 2003
    Posts:
    16
    Furthering the FP case, I ran Spysweeper, Bitdefender, Anti-vir, Avast and Trojan hunter with no detections registered. If the uninst000.exe file were a keylogger, I would think it would have to be running which it isn't on the computer where I didn't rename the file.
    Still, I would like to see a firm unequivocal denial here by javacool that there's no keylogger or other spyware in spywareblaster. That way several of us can forward that to microsoft so they can take a closer look. This denial could also be quoted on other threads where the issue is discussed.
     
  15. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    The file isn't running here either, nor is anything in SWB trying to access the internet.

    I am sure we will get such a response from Javacool, but he isn't on line right now and we must keep in mind he is only one man ;) As soon as he comes to the forum and sees this the investigation will surely begin in earnest. In the meantime, I personally feel pretty safe with the FP theory, but it won't hurt anyone to rename or quarantine the file until we hear from him should they feel the need.
     
  16. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Toadfrog, I can assure you Javacool does not put keyloggers or any other spyware in any of his programs.
    No need to wait for a response here, you can go ahead and submit the file to: http://www.spynet.com/falsepositive.aspx
    I am sure Javacool will address everyone's concerns here, as he has in this thread over on another board. Please do take time-frames into consideration for all replies. ;)

    In the meantime, it would help to know what operating systems people are using as detection can/might be different on various operating systems (MSAS is still in beta, so false/positives do happen with beta programs)

    Regards,

    snap
     
  17. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Ran Ewido. No problems. Security Task Manager reports no keyloggers on my system. Of course, I also have ProcessGuard which never alerted.

    FPs are quite common. I've had more than my fair share with Giant AS in the past - so this is not at all a surprise. Of course, PestPatrol is famous for them. I guess this FP may be getting a little more visibility, because more users, who are new to Anti-Spyware are encountering a FP for the first time.

    Rich
     
  18. Jack Bauer

    Jack Bauer Guest

    I have also got the same alert from MSAS about SpywareBlaster's uninstaller.

    Worryingly though, I also have the same alert for extreme thumbnail generator, a shareware program I've been trialling!

    Has anyone else had an alert about the NS keylogger for another app's uninstaller, other than SpywareBlaster's?

    Infected files:
    C:\program files\extreme thumbnail generator\unins000.exe
    C:\program files\spyware blaster\unins000.exe

    For now I'm assuming that this is a false positive for both and is not just limited to spyware blaster but all uninstallers that are similarly coded!

    Jack
     
  19. Hard Rocker

    Hard Rocker Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    258
    Location:
    Quebec, CANADA
    :D I have had SWB 3.3 installed for some time now and have run Ewido, Trojan Hunter, SpyCop, SpySweeper, and CounterSpy with no keylogger detections. Sounds like a F/P to me and I fully trust Javacool as well.
     
  20. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Well this is good that it looks to be a false positive. (Thanks for the linky snapdragin. ;)

    I found this on my system today as well with MS Antispyware. Ad-Aware, Spybot S&D, and NOD32 found no such animal.

    I am running Windows XP Pro w/SP2 and all latest critical patches.

    Regards,

    Jag
     
  21. JRosenfeld

    JRosenfeld Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    117
    This has been reported to MSAS Spynet and on the MSAS newsgroups several times already.
     
  22. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    This is a false-positive from Microsoft Anti-Spyware - that's just the SpywareBlaster uninstall file.
    If you used Microsoft/Giant Anti-Spyware to remove the uninstaller, you should probably reinstall SpywareBlaster over-the-top to replace the file.

    This is also another good example of why you should examine every detection anti-spyware products make, and if something doesn't look right - take it with a grain of salt. This certainly isn't the first time an anti-spyware product has made a false-detection, and I doubt it'll be the last.

    I'm just rather disappointed that this didn't get caught in whatever "quality-control" the MS AS definitions go through.

    Best regards,

    -Javacool
     
  23. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Javacool,

    Thanks for your prompt attention to this matter. It just goes to show that you have a great product and that you are a stand up guy. :)

    Kind Regards,

    Jag
     
  24. JohnBurns

    JohnBurns Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    454
    Location:
    Oklahoma City
    Would like some advice - I have the same problem - Microsoft AntiSpyware most recent update, when run, shows: "Infected files detected: c\program files\spywareblaster\unins000.exe". I quarantined this on both my home computers. Should I now un-quarantine them? Or should I go ahead and run a new installation of SpywareBlaster? If I do, and this keeps coming up on MS AntiSpyware, shall I choose "ignore", or "always ignore"? Appreciate any help you can provide in this area. I want to keep SpywareBlaster AND MS AntiSpyware - and need to know the best way to handle this. Thanks.
     
  25. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA