NS Keylogger in Spywareblaster?

Top rated Anti-spyware program Giant [the one Microsoft bought] just found Unins000.exe in Spywareblaster to be/contain "NS Keylogger personal Monitor"
I've been using Spywareblaster for over a year and have found it to be a great program. When I googled ["NS Keylogger" Spywareblaster], I found no confirming comments. OTOH Giant is highly rated http://spywarewarrior.com/asw-test-guide.htm so I'm tossing this observation out for comment.
Meanwhile I've temporarily renamed the Unins000.exe file until I need to uninstall which is what I presume it's primarly function is.
Thanks for comments.

Update-Summary: There's no NS Keylogger in Spywareblaster. It's a false positive
Javacool Has clearly stated this and many thread participants have run over a dozen spy detectors with no detections other than Giant/MS-AS. If anyone quarantined the Unins000.exe, they can either un-quarantine or reinstall SWB to correct that. This false positive has been reported to Microsoft.

Update2 Looks like update 5711 has fixed the false positive in 5709
Thanks to all participants for responses.
Toadfrog

 

I believe this is a false positive that has been reported by other users who have downloaded the latest MS AS (and Giant) updates.

Rich

 

I agree it's a likely FP[to be an effective keylogger, it would need to be running - taskmanager doesn't show it on the system where I haven't renamed Unins000.exe], but given the widespread use of MS anti-spyware, it may result in a lot of damage to spywareblaster [the uninstall is necessary for a program update]. Giant/MS anti-spyware have depended on user reports to locate malware. Perhaps someone in that user group wished to defame spywareblaster with a false report. In any event, javacool needs to make a case to Microsoft the correct this.

 

I had the same problem using Microsoft AntiSpyware Version:1.0.501. The antispyware scan ran the day before with no threats. I updated to SpywareBlaster V3.3 on April 21, 2005. The threat was discovered during the scheduled scan on April 22, 2995.

Detected Threats
NS Keylogger Personal Monitor Key Logger
Details: NS Keylogger Personal Monitor records everything that is entered from the keyboard, to a log file.

Status: Removed

Infected files detected
c:\program files\spywareblaster\unins000.exe

 

We picked up the same thing on a number of computers this morning with Microsoft Antispyware and we immediately deleted the Spyware Blaster Uninstaller.

We had no indication of a problem with with Spyware Blaster 3.3 two days ago so it had to be defined with the very latest updates to Microsoft Antispyware (Today and yesterday). This Microsoft program we trust very much and presumably they went through the uninstaller code carefully.

While this may indeed be a false positive, it is not worth playing around with so JavaCool had better do something very fast.

 

Javacool isn't able to fix Micosoft's Antispyware. I am rather sure they won't let him play with or fix their definitions, so MS will have to fix their own false positive just like every other company does.

 

More info. Definitely looks like an FP which is not altogether unusal for AS programs. Their algorithms need to be tweaked a bit:

http://www.dslreports.com/forum/remark,13231635

Rich

 

OK I'm closing all the other threads on this same subject - let's keep the discussion in this one.

So you can take a look at those other threads, here are the closed threads on same subject

That's not to say there's nothing of value in those threads, but should I merge them things would be out of order and very confusing. I'll redirect any new threads on the subject to here.

 

Please don't assume that this is a false positive until it is proven otherwise. What I thought I said was Javacool had better go through their uninstaller fast and get hold of MS AS PDQ.

 

Actually this is what you said.

 

so is it better to send this file to quarantine or not or should we all just rename the file??

 

Well, you won't hurt anything doing either of those so long as you know where it is when the time comes should you choose to uninstall SWB at some point. Even then, I imagine you could reinstall SWb over itself to get the uninstall file back.

But on the topic of FP or not, admittedly I cannot be 100% sure but let's look at things so far.

File has been scanned by other posters using NAV, KAV, Trojan Hunter, SpyCop, and I have scanned with Nod32, TDS-3, probably everyone's scanned with Ad-Aware and Spybot (including me) and none of these applications have found any problems. In my opinion, this is enough to make me lean pretty hard toward the "FP" side.

 

I have also run the following:

Microsoft Antispyware V1.0.509
Adaware SE Personal V1.05
Spybot S&D V1.3
Spyware Blaster V3.3
HJT V1.99.1
Norton Internet Security 2004 V7.0.6.17
Norton Antivirus V10.0.1.13
CCleaner V1.18.101
CW Shredder V2.13
McAfee AVERT Stinger V2.5.3


And none except for Microsoft Antispyware, as far as I can see, actually have this file showing as a problem.

 

Furthering the FP case, I ran Spysweeper, Bitdefender, Anti-vir, Avast and Trojan hunter with no detections registered. If the uninst000.exe file were a keylogger, I would think it would have to be running which it isn't on the computer where I didn't rename the file.
Still, I would like to see a firm unequivocal denial here by javacool that there's no keylogger or other spyware in spywareblaster. That way several of us can forward that to microsoft so they can take a closer look. This denial could also be quoted on other threads where the issue is discussed.

 

The file isn't running here either, nor is anything in SWB trying to access the internet.

I am sure we will get such a response from Javacool, but he isn't on line right now and we must keep in mind he is only one man As soon as he comes to the forum and sees this the investigation will surely begin in earnest. In the meantime, I personally feel pretty safe with the FP theory, but it won't hurt anyone to rename or quarantine the file until we hear from him should they feel the need.

 

Toadfrog, I can assure you Javacool does not put keyloggers or any other spyware in any of his programs.

No need to wait for a response here, you can go ahead and submit the file to: http://www.spynet.com/falsepositive.aspx

I am sure Javacool will address everyone's concerns here, as he has in this thread over on another board. Please do take time-frames into consideration for all replies.

In the meantime, it would help to know what operating systems people are using as detection can/might be different on various operating systems (MSAS is still in beta, so false/positives do happen with beta programs)

Regards,

snap

 

Ran Ewido. No problems. Security Task Manager reports no keyloggers on my system. Of course, I also have ProcessGuard which never alerted.

FPs are quite common. I've had more than my fair share with Giant AS in the past - so this is not at all a surprise. Of course, PestPatrol is famous for them. I guess this FP may be getting a little more visibility, because more users, who are new to Anti-Spyware are encountering a FP for the first time.

Rich

 

I have also got the same alert from MSAS about spyware blasters uninstaller.

Worryingly though, i also have the same alert for extreme thumbnail generator, a shareware program i've been trialling!

Has anyone else had an alert about the NS keylogger, for another apps uninstaller, other than spywareblasters?

Infected files:
C:\program files\extreme thumbnail generator\unins000.exe
C:\program files\spyware blaster\unins000.exe

For now i'm assuming that this is a false positive for both and is not just limited to spyware blaster but all uninstallers that are similarly coded!

Jack

 

I have had SWB 3.3 installed for some time now and have run Ewido, Trojan Hunter, SpyCop, SpySweeper, and CounterSpy with no keylogger detections. Sounds like a F/P to me and I fully trust Javacool as well.

 

Well this is good that it looks to be a false positive. (Thanks for the linky snapdragin.

I found this on my system today as well with MS Antispyware. Ad-Aware, Spybot S&D, and NOD32 found no such animal.

I am running Windows XP Pro w/SP2 and all latest critical patches.

Regards,

Jag

 

This has been reported to MSAS Spynet and on the MSAS newsgroups several times already.

 

This is a false-positive from Microsoft Anti-Spyware - that's just the SpywareBlaster uninstall file.
If you used Microsoft/Giant Anti-Spyware to remove the uninstaller, you should probably reinstall SpywareBlaster over-the-top to replace the file.

This is also another good example of why you should examine every detection anti-spyware products make, and if something doesn't look right - take it with a grain of salt. This certainly isn't the first time an anti-spyware product has made a false-detection, and I doubt it'll be the last.

I'm just rather disappointed that this didn't get caught in whatever "quality-control" the MS AS definitions go through.

Best regards,

-Javacool

 

Javacool,

Thanks for your prompt attention to this matter. It just goes to show that you have a great product and that you are a stand up guy.

Kind Regards,

Jag

 

Would like some advice - I have the same problem - Microsoft AntiSpyware most recent update when run, shows: "Infected files detected: c\program files\spywareblaster\unins000.exe". I quarantined this on both my home computers. Should I now un-quarintine them? Or should I go ahead and run a new installation of SpywareBlaster? If I do, and this keeps coming up on Ms AntiSpyware, shall I choose "ignore", or "always ignore"? Appreciate any help you can provide in this area. I want to keep SpywareBlaster AND MS AntiSpyware - and need to know the best way to handle this. Thanks.

 

Hi - please read post #22 (Yours is #24) or the announcement at the top of this forum section.