Keylogger found by MS Anti-Spyware?

Jeff Brunn

I recently downloaded MS AS and ran my first scan. It
found what it recognizes as a keylogger in the folder with
my Magix MP3 Maker Deluxe software. Another scanner has
recognized this same file as a keylogger. I scanned the
installation CD for spyware and came up with nothing.
When I uninstall the software and run a scan it picks up
nothing. When I reinstall the software and scan, it picks
it up again. Here are the locations of the suspected
keylogger on my system:
c:\magix\media_manager\unzdll.dll
c:\magix\mp3_maker_2005_deluxe\unzdll.dll
c:\magix\mp3_maker_2005_deluxe\cdr_mediamanager\unzdll.dll

Does anyone have any info on this .dll file that seems to
be causing the problem? Is this a legitimate key logger
or not?
 
Bill Sanderson

Jeff- I believe you have done a good job of demonstrating that this is a
case of a false positive.

I don't believe this file is a keylogger--others have posted similar
information, and the testing you've done clearly indicates the source of the
file and that the file is uncorrupted.

As you can see--this is more of an art than a science

As another test, you could submit one of the files to an antivirus testing
mechanism such as:

http://www.virustotal.com/flash/index_en.html

(in the upper right)
 
Guest

Thanks very much for the response. I was really leaning
toward this being a false positive just based on what I
have seen after doing a Google search. It makes me uneasy
when two spyware scan engines are telling me I have a
keylogger installed on my system. I guess they both need
to do a better job of keeping their signature files
updated. Thanks again for the reply.
 
DanR

I am one of the others who posted about this dll. I don't see how removing the
program in question and doing a scan and NOT being alerted... and then
reinstalling the program and then the alert is back... demonstrates that this is
a false positive. Seems the opposite to me. Note that this same dll file lives
in the Spybot folders and is not detected as a positive. The keylogger in
question, ACTMON PC INTERNET MONITORING, prides itself on being nearly
impossible to detect. (kernel based etc.) On the other hand if the key logger
was so easily removed by un-installing the program in question then maybe that
does indicate it being a false positive.
I personally hope it is a false positive... otherwise I've been keylogged for a
couple of years.
 
Bill Sanderson

Well--I'm counting on this:

1) the install is being done from original media from a reputable
vendor--ideally read-only media such as a CD.

2) that the reputable vendor cares enough about their reputation not to
include a keylogger in their application.

I guess to be really certain, you could contact tech support for the vendor
and verify through MD5 hashes or other means that the file in question is
one that they distribute, and that they stand behind the safety of using
(i.e. guarantee it isn't a keylogger.)

You've got a reasonable point--if such a thing is in place it is a BIG
problem. The question is what lengths do you need to go to in deciding
whether what you are seeing is a false positive, or real. It's really up to
Jeff or yourself what level of verification you feel is needed--I thought
that his testing gave a reasonable assurance that the file on his system
came off install media for a reputable commercial app that he had knowingly
installed--and I didn't think that app would include a keylogger.
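Bill's suggestion of checking the file against hashes the vendor supplies is the one step in this thread that settles the question rather than arguing it. The script below is an added example (not from anyone in the thread, and not Magix's tool) of how that check would be done: it hashes each installed copy of the flagged file, compares it with a vendor-supplied digest, and also checks that the three copies on Jeff's system are byte-identical to each other. The `VENDOR_DIGESTS` values are placeholders for whatever tech support sends back; SHA-256 is computed alongside MD5 because MD5 collisions are practical and a vendor may only publish the stronger hash. The `run_demo` helper builds constructed sample files in a temp directory, one of them deliberately altered, so the code can be run without the real DLL.

```python
import hashlib
import os
import tempfile

# Locations reported in the thread where the scanner flagged unzdll.dll.
SUSPECT_PATHS = [
    r"c:\magix\media_manager\unzdll.dll",
    r"c:\magix\mp3_maker_2005_deluxe\unzdll.dll",
    r"c:\magix\mp3_maker_2005_deluxe\cdr_mediamanager\unzdll.dll",
]

# PLACEHOLDER: replace with the digests the vendor's tech support provides.
VENDOR_DIGESTS = {
    "md5": "<md5 hex digest from vendor>",
    "sha256": "<sha256 hex digest from vendor>",
}


def file_digests(path, chunk_size=1 << 16):
    """Return (md5_hex, sha256_hex) for a file, streamed in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def verify_against_vendor(paths, vendor_digests):
    """Compare each installed copy with the vendor-supplied digest(s).

    vendor_digests may hold 'md5' and/or 'sha256' hex strings; every digest
    that is present must match. Returns {path: 'match' | 'MISMATCH' | 'missing'}.
    """
    results = {}
    for path in paths:
        if not os.path.isfile(path):
            results[path] = "missing"
            continue
        md5, sha256 = file_digests(path)
        ok = True
        if "sha256" in vendor_digests:
            ok = ok and sha256 == vendor_digests["sha256"].lower()
        if "md5" in vendor_digests:
            ok = ok and md5 == vendor_digests["md5"].lower()
        results[path] = "match" if ok else "MISMATCH"
    return results


def copies_identical(paths):
    """True when every existing copy has the same SHA-256.

    Several copies of one vendor DLL should be identical; a single copy that
    differs is worth a closer look even before the vendor hash arrives.
    """
    digests = {file_digests(p)[1] for p in paths if os.path.isfile(p)}
    return len(digests) <= 1


def run_demo():
    """Constructed demonstration with three sample files, one tampered.

    Returns (statuses in path order, all_identical, first_two_identical).
    """
    with tempfile.TemporaryDirectory() as tmp:
        good = b"MZ constructed stand-in for the vendor's unzdll.dll\n" * 100
        tampered = good + b"appended bytes that the vendor never shipped\n"
        paths = []
        for name, data in (("a.dll", good), ("b.dll", good), ("c.dll", tampered)):
            p = os.path.join(tmp, name)
            with open(p, "wb") as fh:
                fh.write(data)
            paths.append(p)
        # The "vendor" digest here is simply the hash of the untampered sample.
        vendor = {"sha256": hashlib.sha256(good).hexdigest()}
        results = verify_against_vendor(paths, vendor)
        statuses = [results[p] for p in paths]
        return statuses, copies_identical(paths), copies_identical(paths[:2])


if __name__ == "__main__":
    # Against the real system: swap SUSPECT_PATHS/VENDOR_DIGESTS for real values.
    for path, status in verify_against_vendor(SUSPECT_PATHS, VENDOR_DIGESTS).items():
        print(f"{status:9} {path}")
    print("all copies identical:", copies_identical(SUSPECT_PATHS))
    print("demo:", run_demo())
```

A "match" against a digest the vendor published out of band is strong evidence the file is what they shipped; a "MISMATCH" on one of several copies points to that copy specifically, which is more useful than a scanner's one-word verdict.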
 
DanR

I see your logic.

Bill Sanderson said:
Well--I'm counting on this:

1) the install is being done from original media from a reputable
vendor--ideally read-only media such as a CD.

2) that the reputable vendor cares enough about their reputation not to
include a keylogger in their application.

I guess to be really certain, you could contact tech support for the vendor
and verify through MD5 hashes or other means that the file in question is
one that they distribute, and that they stand behind the safety of using
(i.e. guarantee it isn't a keylogger.)

You've got a reasonable point--if such a thing is in place it is a BIG
problem. The question is what lengths do you need to go to in deciding
whether what you are seeing is a false positive, or real. It's really up to
Jeff or yourself what level of verification you feel is needed--I thought
that his testing gave a reasonable assurance that the file on his system
came off install media for a reputable commercial app that he had knowingly
installed--and I didn't think that app would include a keylogger.
 
