Ewido finds malware in KeyHook.dll ??

[PlatinumCS]

I ran Ewido the other day, and it found the malware; "logger.mulin.a", in the KeyHook.dll file.

What is this, and is it a known issue? Is it safe?


Thanks in advance.

[mouser]

ugh.. im really getting tired of these overagressive scanners that are flagging more and more software and malware, etc.
keyhook.dll is a simple dll that is used by screenshot captor in the new redbox capture mode, so that it can detect when you hit escape or hold down the control key while in any app.  it's absolutely 100% not malware or "logger.mulin.a" or whatever it reports.  its probably triggering on the fact that the dll is doing low level keyboard access in the same way that a keylogger would.  if other scanners other than "ewido" get upset over this i may go through the painful effort of trying to recompile and change the code enough so that the scanner stops it's whining.  it is a false positive.  note all the dll is loaded into memory by screenshot captor ONLY while redbox capture is actually in use and that screenshot captor has no abilities whatsover to connect to the internet, and installs and modifies no system files.

[mouser]

these scanning programs really have to be much more up front about when they are guessing.  i've already comlained to eset about nod32 which is an anotherwise great antivirus.  but it has this very iffy heuristic mode and when it detects something it just blithely reports it as a virus, when chances are it isnt.  it's good to report stuff that the program thinks is suspicious so the user can investigate but these programs absolutely need to make clear when it is a guess, and help the user figure out what is real and what isnt.

another hint on how to distinguish between real malware and false alarm:
naming a dll "keyhook.dll" is not a very good disguise for a keylogger

[PhilKC]

Well...

I expect that a script kiddy has used the same DLL as you, but in a more malicious program, hence the anti-virus' picking up on it.

Public keylogging DLL's are often used this way, and are blacklisted for it.

PhilKC

[tinyvillager]

 I used to have Ewido,and it would give me false positives every now and again,once it gave a false positive
for SDP, a stream recorder i used,http://sdp.ppona.com/securityissue.html,another time it gave me a false
positive for RealProducer,Ewido is good stuff but every security app flips out now again,my f-prot anti-virus
went nuts on Google Talk,during a scan and the real-time protection flipped out when i even opened the folder
it was in,i emailed f-prot and they confirmed it was a false positive.It short,don't be shy letting Ewido know
about it,email them and post it in their forum so it's documented.

[tinyvillager]

 

Just got another false positive with f-prot and the files created by BB FlashBack Express.I email f-prot.

[mouser]

"archive bomb!"
 oh lord these companies are really getting carried away.

[PlatinumCS]

Mouser, thanks for the info. Appreciate it. I didn't think it was a problem.

TinyVillager, I have sent the info on to Ewido. I hope to hear back from them.

Again, great job with this screen capture program guys, really impressive!