  bcool Premium join:2000-08-25 The Ozarks
NAV2003 & PWSteal.Banpaes
1.) When NAV alerts of a virus found and indicates that the file was automatically deleted, does NAV also place the file in Quarantine without saying so?
2.) NAV2003 cites a .dll file @ x:\program files\softes\windows cleaner 2005\hooklib.dll as infected with a catch-all PWSteal variant. Kaspersky labels it Trojan-Spy.win32.keySend.b, of which there is no specific description.
3.) After a battery of scans and technical diagnoses: I'm confident my system exhibits not one single attribute of any kind of infection at all! My HJT log is pristine! So my question is this: does anyone know if hooklib.dll is a legitimate file in the Softes "Windows Cleaner 2005" installation for Windows XP?
4.) I had just run LiveUpdate yesterday, and this morning Giant AntiSpyware was running a system-wide scan when, I believe, while scanning the hooklib.dll, NAV2003 was triggered and gave the virus alert. It's the only explanation in my mind for the sudden alert in auto-protect when there is no (I repeat) no trace of any nefarious code anywhere (registry or not) to execute or support this hooklib.dll. And besides, there's no documentation that any variant of this password-stealing trojan would pick the "Windows Cleaner 2005" folder to drop a nasty .dll into.
5.) I've read reports that Symantec NAV has been issuing some false positives on this variant. I regret that I don't have the hooklib.dll file anymore. First, NAV2003 indicated that it had deleted the file. Not even thinking to check Quarantine, I proceeded to run a standalone virus scanner that uses Kaspersky definitions. It detected a trojan in the NAV2003 Quarantine folder (Trojan-Spy.win32.keySend.b) and immediately deleted it. So there you have it.
What a nuisance these false positives can be sometimes. -- "in flagrante delicto"
  John2g Qui Tacet Consentit Premium join:2001-08-10 England
It can be a legitimate dll. I think NAV is flagging it because:
»securityresponse.symantec.com/av···@mm.html -- Better to remain silent and be thought a fool, than to speak and remove all doubt.
  bcool Premium join:2000-08-25 The Ozarks
Thanks. I can tell you now that the file in question, hooklib.dll, was installed by Windows Cleaner 2005. What its actual function is, I don't know. For now I'm keeping the .dll off of my machine until more is revealed. I'm headed over to the Softes Windows Cleaner 2005 forum to see what's up. -- "in flagrante delicto"
  bcool Premium join:2000-08-25 The Ozarks
reply to bcool: The hooklib.dll library in the Softes Windows Cleaner 2005 installation is a legitimate component of a global keyboard hook procedure which implements the usage of hotkey shortcuts in the application. However, there is something in the makeup of the .dll file that triggers two (2) antivirus scanners to tag it as a PWSteal variant.
I suppose the Windows Cleaner 2005 author can contact Symantec, for instance, about the false positive?
Oh well, I've disabled the global hotkey feature so that I can keep the hooklib.dll off of my computer, just for good measure.
FWIW -- "in flagrante delicto"
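The global keyboard hook described in the post above is exactly the pattern that trips keylogger heuristics: a hotkey helper and a password stealer both import SetWindowsHookEx, so an import-based signature cannot tell them apart on that alone. One static check a practitioner can run on a flagged DLL before trusting (or discarding) the AV verdict is to parse its PE import table and see whether the hook API is paired with any way to get captured keystrokes off the machine, and to record the file's SHA-256 so it can be compared with a hash obtained from the vendor. The script below is an added example written for this thread; it is not code from the original posts, from Symantec, or from the Windows Cleaner 2005 product, and hooklib.dll itself was never examined. The API groupings, the verdict wording and the two in-memory sample DLLs (assembled by the helper build_pe32, which exists only to give the parser constructed input) are illustrative assumptions.

```python
"""Static triage of an AV-flagged DLL: parse the PE import table, report which
keyboard-hook and exfiltration-capable APIs it imports, and hash the file.
Added example; the sample DLLs are constructed in memory, not real files."""
import hashlib
import struct

# Illustrative grouping for this example, not any vendor's signature logic.
HOOK_APIS = {"SetWindowsHookExA", "SetWindowsHookExW", "GetAsyncKeyState",
             "GetKeyState", "GetKeyboardState", "RegisterRawInputDevices"}
# APIs a stealer would additionally need to move captured data off the host.
EXFIL_APIS = {"InternetOpenA", "InternetOpenW", "HttpSendRequestA",
              "HttpSendRequestW", "send", "WSASend", "connect", "WriteFile"}


def _cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(pe):
    """Return {dll_name: [imported symbol, ...]} from a PE32 or PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                         # start of optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                          # PE32
        dir_base, thunk_fmt, ord_flag = 96, "<I", 1 << 31
    elif magic == 0x20B:                        # PE32+
        dir_base, thunk_fmt, ord_flag = 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Data directory index 1 is IMAGE_DIRECTORY_ENTRY_IMPORT.
    imp_rva = struct.unpack_from("<I", pe, opt + dir_base + 8)[0]
    if imp_rva == 0:
        return {}
    sections = []
    for i in range(nsec):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva_to_off(rva):                        # map RVA to file offset
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rva - vaddr + rawptr
        raise ValueError("RVA 0x%x not backed by any section" % rva)

    imports, desc = {}, rva_to_off(imp_rva)
    while True:                                 # IMAGE_IMPORT_DESCRIPTOR loop
        ilt, _ts, _fwd, name_rva, iat = struct.unpack_from("<IIIII", pe, desc)
        if not any((ilt, name_rva, iat)):
            break                               # null terminator descriptor
        names, thunk = [], rva_to_off(ilt or iat)
        while True:
            entry = struct.unpack_from(thunk_fmt, pe, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:
                names.append("#%d" % (entry & 0xFFFF))      # import by ordinal
            else:
                names.append(_cstr(pe, rva_to_off(entry) + 2))  # skip 2-byte hint
            thunk += struct.calcsize(thunk_fmt)
        imports[_cstr(pe, rva_to_off(name_rva))] = names
        desc += 20
    return imports


def triage(pe):
    imports = parse_imports(pe)
    flat = {n for names in imports.values() for n in names}
    hook, exfil = sorted(flat & HOOK_APIS), sorted(flat & EXFIL_APIS)
    if hook and exfil:
        verdict = "hook + exfiltration capability: investigate"
    elif hook:
        verdict = "hook API only: consistent with a hotkey library, verify hash with vendor"
    else:
        verdict = "no hook API imported"
    return {"sha256": hashlib.sha256(pe).hexdigest(), "imports": imports,
            "hook_apis": hook, "exfil_apis": exfil, "verdict": verdict}


def build_pe32(imports):
    """Assemble a minimal PE32 image whose single section is an import table.
    Hypothetical helper producing constructed parser input; not loadable."""
    sec_rva, sec_raw = 0x1000, 0x200
    desc_size = 20 * (len(imports) + 1)
    data, descs, base = bytearray(), [], sec_rva + 20 * (len(imports) + 1)
    for dll, names in imports.items():
        hn_rvas = []
        for fn in names:                        # hint/name entries
            hn_rvas.append(base + len(data))
            data += struct.pack("<H", 0) + fn.encode() + b"\0"
            data += b"\0" * (len(data) % 2)
        dll_rva = base + len(data)
        data += dll.encode() + b"\0" + b"\0" * (-(len(data) + len(dll) + 1) % 4)
        ilt_rva = base + len(data)              # import lookup table
        data += b"".join(struct.pack("<I", r) for r in hn_rvas) + b"\0" * 4
        iat_rva = base + len(data)              # import address table
        data += b"".join(struct.pack("<I", r) for r in hn_rvas) + b"\0" * 4
        descs.append(struct.pack("<IIIII", ilt_rva, 0, 0, dll_rva, iat_rva))
    section = b"".join(descs) + b"\0" * 20 + bytes(data)
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386 DLL
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, sec_rva, desc_size)   # import directory
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(section), sec_rva,
                          len(section), sec_raw, 0, 0, 0, 0, 0xC0000040)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdr
    return hdr.ljust(sec_raw, b"\0") + section


# Constructed stand-ins: a hotkey helper DLL and a stealer-shaped DLL.
HOTKEY_DLL = build_pe32({
    "USER32.dll": ["SetWindowsHookExA", "UnhookWindowsHookEx", "CallNextHookEx"],
    "KERNEL32.dll": ["GetModuleHandleA"]})
STEALER_DLL = build_pe32({
    "USER32.dll": ["SetWindowsHookExA", "GetAsyncKeyState"],
    "WININET.dll": ["InternetOpenA", "HttpSendRequestA"]})

if __name__ == "__main__":
    for label, blob in (("hotkey", HOTKEY_DLL), ("stealer", STEALER_DLL)):
        r = triage(blob)
        print(label, r["sha256"][:16], r["verdict"], r["hook_apis"], r["exfil_apis"])
```

The verdict is only a prior, not proof: a real stealer can hide its network or file APIs behind GetProcAddress so that nothing in the static import table gives it away, and a hotkey library may legitimately import WriteFile for its own settings. The decisive check in a case like the one in this thread is the hash comparison, which is why the file should be pulled from Quarantine and hashed before a second scanner is allowed to delete it.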