New False Positive

Lee Higdon

This morning I d/l the latest def file (5709) and after a
scan, MSAS flagged C:\Program
Files\SpywareBlaster\unins000.exe as a keylogger. I will
check this out more thoroughly when I get home this evening.

Anyone else see this?
 
Guest

Yes, I have the same thing. It only started yesterday
after the latest MS Spyware update. Certainly don't want
to quarantine or remove the uninstall.exe for SpyBlaster.
I choose to always ignore this file. Glad to see others
have the same problem and not just me.
 
Bill Sanderson

I've been trying to replicate this one, and have now done so after checking
that the relevant partition was in my scan--it wasn't!

So--I think everyone with spywareblaster installed will see this.
 
Steve Wechsler [MVP]

Got this result from running MSAS at a Command Prompt, Bill.
(Thanks, Steve D. ;)

NS Keylogger Personsal Monitor Key Logger more information...
Details: NS Keylogger Personal Monitor records everything that is
entered from the keyboard, to a log file.
Status: Ignored
Moderate threat - Moderate-risk items have some potential for harm, but
may be part of a wanted service. Users may decide to ignore such
programs after review.

Infected files detected
d:\program files\spywareblaster\unins000.exe
C:\Program Files\SpywareBlaster\unins000.exe


Steve Wechsler (akaMowGreen)
MS-MVP

===============
*-343-* FDNY
Never Forgotten
===============
 
Bill Sanderson

I'm now seeing reports of two other "unins000.exe" files also flagged in
this way--that is, a total of three separate files. I don't know whether
these files are really identical, but they are associated with different
apps and live in different folders.

At this point, I'd ignore NS Keylogger ID's with a filename of unins000.exe.
 
Bill Sanderson

If you post elsewhere, it is worth noting that I've now seen reports of at
least three separately located "unins000.exe" files that are ID'd in this
way.

I don't have MD5 hashes for the other files, so I don't know if they are
identical--I suspect that they aren't, but will try to get those details.

So--this isn't an issue with just JavaCool's file.
 
plun

Bill said:
If you post elsewhere, it is worth noting that I've now seen reports of at
least three separately located "unins000.exe" files that are ID'd in this
way.

I don't have MD5 hashes for the other files, so I don't know if they are
identical--I suspect that they aren't, but will try to get those details.

So--this isn't an issue with just JavaCool's file.

?

Javacool = Spywareblaster

Haven't seen this reported for other programs.

This is a really dumb mistake which can make MSAS and MS
look really suspicious about ruling the market for antispyware
also.
 
Jack Bauer

Me too.

\SpywareBlaster\unins000.exe as a keylogger

I'm also getting it for Extreme Thumbnail Generator,
shareware that I'm trialing.
\extreme thumbnail generator\unins000.exe

I doubt this false positive is limited to simply
spyblaster but other uninstall executables that are
similarly coded.

If anyone else has this alert for other uninstallers
other than SpyBlaster's, please post it on here. That way I
know the Extreme Thumbnail Generator uninstaller really
is not a keylogger.

Thanks

Jack
 
Bill Sanderson

Jack - can you compare, using Tools, Advanced File Analyzer--the two files
you have?

I'm trying to see if these really are identical files, or what's going on!
 
Guest

After downloading definition 5709, MSAS detected a key logger
in SpywareBlaster.

UNINS000.exe is the name of the file

I looked in the folder of SpywareBlaster but never found the
file (unins000.exe).

MSAS recommended quarantining the key logger and I accepted.

After the scan, I ran the search program and found the
following programs infected with unins000.exe:

A-squared
Ace Money (this program was deleted months back)
ATNotes
MotherboardMonitor 5 (this was deleted 6 months back)
Spybot Search & Destroy
2BrightSparks\SyncBack
PepiMKSoftware/File Alyzer
From MSAS the Cleaner.log and
Errors.log from MSAS

I deleted those files, I have rebooted 2 times and no more
red alerts.

I sent the report to SpyNet.

I hope this info helps.
 
OldBoy

I have on my main system 26 occurrences of unins000.exe
On my other two systems I found 8 and 2.
None of those 36 are ID'd by MSAS as suspect and are related to:
DScaler
Taskinfo
IZarc
Everest
PC Wizard 2005
FileAlyzer
RegscrubXP
Spybot S&D
GTK
Gimp 2.0
Lexun Backup
MBM
TimeWriter Pro
FeedReader
Kyodai Mahjongg
PDFCreator
Sandra Pro

Can it be the elsewhere detected ones are known to connect to the internet
during uninstall?

Gr. Jan

Bill Sanderson said:
If you post elsewhere, it is worth noting that I've now seen reports of at
least three separately located "unins000.exe" files that are ID'd in this
way.

I don't have MD5 hashes for the other files, so I don't know if they are
identical--I suspect that they aren't, but will try to get those details.

So--this isn't an issue with just JavaCool's file.
 
plun

OldBoy said:
DScaler
Taskinfo
IZarc
Everest
PC Wizard 2005
FileAlyzer
RegscrubXP
Spybot S&D
GTK
Gimp 2.0
Lexun Backup
MBM
TimeWriter Pro
FeedReader
Kyodai Mahjongg
PDFCreator
Sandra Pro

What a mess with millions of users with all these apps in
quarantine ;)

Waiting for new defs, MS!
 
OldBoy

No, my original msg stated clearly: NOT ID'd by MSAS!
Those apps are CLEAN!
Please, <plun> read again!
And also my question....
Gr. Jan
 
plun

OldBoy said:
No, my original msg stated clearly: NOT ID'd by MSAS!
Those apps are CLEAN!
Please, <plun> read again!
And also my question....
Gr. Jan

I'm sorry......

"None" !

I think it is a mess anyway......... ;
 
Bill Sanderson

Can you do a quick compare by whatever method seems easiest to you-- and see
how many of those files are identical?
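The comparison Bill asks for, as an added example that is not part of this thread: a Python script that finds every unins000.exe under the given root folders, hashes each one (SHA-256 here, where the thread talks about MD5), and groups the paths by digest so byte-identical copies stand out from distinct builds. The folder layout and file contents are constructed samples written to a temporary directory; point find_uninstallers at your real Program Files folders to run it for real.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

TARGET_NAME = "unins000.exe"

def sha256_of(path, chunk=65536):
    """Stream the file through SHA-256 so large binaries don't land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_uninstallers(roots, name=TARGET_NAME):
    """Walk each root and collect files whose name matches (case-insensitive)."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            hits.extend(os.path.join(dirpath, f) for f in files if f.lower() == name)
    return sorted(hits)

def group_by_hash(paths):
    """Map digest -> paths; a digest with several paths means byte-identical copies."""
    groups = defaultdict(list)
    for p in paths:
        groups[sha256_of(p)].append(p)
    return dict(groups)

def build_sample_tree(base):
    """Constructed sample: two apps ship a byte-identical uninstaller, one differs."""
    build_a = b"MZ" + b"constructed uninstaller build A" * 8
    build_b = b"MZ" + b"constructed uninstaller build B" * 8
    layout = {"SpywareBlaster": build_a,
              "Extreme Thumbnail Generator": build_a,
              "Spybot - Search & Destroy": build_b}
    for app, body in layout.items():
        app_dir = os.path.join(base, "Program Files", app)
        os.makedirs(app_dir)
        with open(os.path.join(app_dir, TARGET_NAME), "wb") as f:
            f.write(body)
    return os.path.join(base, "Program Files")

def demo():
    """Return {digest: sorted app folder names} for the constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        groups = group_by_hash(find_uninstallers([build_sample_tree(tmp)]))
    return {d: sorted(os.path.basename(os.path.dirname(p)) for p in ps) for d, ps in groups.items()}
```

If the flagged files all land in one digest group the signature matches a single uninstaller build; several groups means it is matching something shared across versions.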
 
Jordan Russell

Lee said:
This morning I d/l the latest def file (5709) and after a
scan, MSAS flagged C:\Program
Files\SpywareBlaster\unins000.exe as a keylogger. I will
check this out more thoroughly when I get home this evening.

Anyone else see this?

As creator of unins000.exe (the Inno Setup uninstaller), I can tell you
for a certainty that this *IS* a false positive. There is absolutely no
spyware of any kind in this executable.

As for why only some unins000.exe files are detected, the program
appears to only be checking for a certain version or versions.

I'll be filing a vendor report (assuming MS isn't reading this thread
already).
 