http://www.dslreports.com/forum/r13437872 en Thu, 10 Dec 2009 05:15:39 EDT Thu, 10 Dec 2009 05:15:39 EDT http://www.dslreports.com/forum/remark,13442730 bcool : The hooklib.dll library in the Softes Windows Cleaner 2005 installation is a legitimate component of a global keyboard hook procedure which implements the usage of hotkey shortcuts in the application. However, there is something in the makeup of the .dll file that triggers two(2) antiVirus scanners to tag it a PWSteal variant.

I suppose the Windows Cleaner 2005 author can contact Symantec, for instance, about the false positive?

Oh well, I've disabled the Global hotkey feature so that I can keep the hooklib.dll off of my computer just for good measure.

FWIW
--
"in flagrante delicto"]]> http://www.dslreports.com/forum/remark,13442730 Thu, 19 May 2005 00:22:36 EDT http://www.dslreports.com/forum/remark,13438112 bcool : Thanks. I can tell you now that the file in question, hooklib.dll was installed by Windows Cleaner 2005. What its actual function is - I don't know. For now I'm keeping the .dll off of my machine until more is revealed.
I'm headed over to Softes Windows Cleaner 2005 forum to see what's up.
--
"in flagrante delicto"]]> http://www.dslreports.com/forum/remark,13438112 Wed, 18 May 2005 14:34:55 EDT http://www.dslreports.com/forum/remark,13437910 John2g : It can be a legitimate dll. I think NAV is flagging it because:

»securityresponse.symantec.com/av···@mm.html
--
Better to remain silent and be thought a fool, than to speak and remove all doubt. ]]> http://www.dslreports.com/forum/remark,13437910 Wed, 18 May 2005 14:10:22 EDT http://www.dslreports.com/forum/remark,13437872 bcool : 1.)When NAV alerts of virus found and indicates that the file was automatically deleted does NAV also place the file in Quarantine without saying so?

2.) NAV2003 cites a .dll file @ x:\program files\softes\windows cleaner 2005\hooklib.dll as infected with a catch-all PWSteal variant. Kaspersky labels it Trojan-Spy.win32.keySend.b of which there is no specific description.

3.)After a battery of scans and technical diagnoses: I'm confident my system exhibits not one single attribute of any kind of infection at all! My HJT log is pristine! So my question is this? Does anyone know if hooklib.dll is a legitimate file in the Softes "Windows Cleaner 2005" installation for Windows XP?

4.)I had just run LiveUpdate yesterday and this morning Giant AntiSpyware was running a system-wide scan when I believe while scanning the hooklib.dll, NAV2003 was triggered and gave the virus alert. It's the only explanation in my mind for the sudden alert in auto-protect when there is no (I repeat) no trace of any nefarious code anywhere (registry or not) to execute or support this hooklib.dll. And besides, there's no documentation that any variant of this password stealing trojan would pick the "Windows Cleaner 2005" folder to drop a nasty .dll into.

5.)I've read reports that Symantec NAV has been issuing some false positives on this variant. I regret that I don't have the hooklib.dll file anymore. First, NAV2003 indicated that it had deleted the file. Not even thinking to check Quarantine, I proceeded to run a standalone virus scanner that uses Kaspersky definitions. It detected a trojan in the NAV2003 Quarantine folder(Trojan-Spy.win32.keySend.b) and immediately deleted it. So there you have it.

What a nuisance these false positives can be sometimes.
--
"in flagrante delicto"]]> http://www.dslreports.com/forum/remark,13437872 Wed, 18 May 2005 14:05:24 EDT