hook.dll - false positive?

Avast 4.8 flags a file called hook.dll in the windows/system32 directory as a virus. I have tracked it as a file installed with my Trust GM-4200 Gamer mouse driver. How can I prove if it is false positive or an infected file?

Thanks for your help.

Can you inform the file as being a false positive? (click on the bottom right of the virus warning message).

To know if a file is a false positive, please submit it to VirusTotal and let us know the result. VirusTotal has a file size limit of 10 MB. You can use VirScan also.
If it is indeed a false positive, send it in a password protected zip to virus@avast.com. Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.

Maybe you need to disable Hide protected operating system files and enable View hidden files and folders to manage the file(s).

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button…
You can use wildcards like * and ?. But be careful: you shouldn't ‘exclude’ so many files that it leaves your system in danger.

Here is the result of the VirusTotal

http://www.virustotal.com/analisis/e82d013585f0972c8f67bb3dbe669983

And VirScan results:
http://www.virscan.org/report/c03c4232be5c2fb240e5f617d5c2b336.html

Interesting but does it confirm it is or isn’t a virus?

In the meantime I’ve sent an email to Trust to verify that hook.dll is part of the mouse driver.

The mouse driver allows the extra buttons on the mouse to do things like Ctrl-C copy and Ctrl-P paste etc. Not sure if that could trigger the alert. It’s been on my computer for well over a year and yesterday was the first time AVG flagged it. Checking with my other computer running AVAST also flagged it as a virus.

It appears to be a keylogger. Not FP.

Avast says it’s Win32:Spyware-gen [trj], so it’s a pretty good detection.

I would also send them the URLs of the two virus scans to show them the strength of the detections. However, your first link shows a different file, 467D7D_1.WRK and not hook.dll ???

Personally I believe that this could be, or is, part of your mouse driver, though why the mouse driver should need to hook in this way is beyond me, as it makes it look like a keylogger, which is what most are detecting, since it behaves like a keylogger.

Hooks are normally hooking keystrokes, etc. to intercept commands, though why a mouse needs to do this, even one with additional functionality, is beyond me. I use Trust Wireless Laser Mouse (Carbon Edition), and it runs wh_exec.exe on start-up for its additional functionality, but doesn’t get detected in this way.

I don’t think so… seems indeed a keylogger.

I’m not so sure, as virtually all of the detections are generic/heuristic or don’t have a specific signature-based malware name. It isn’t uncommon for a mouse driver to have this kind of hook, though why they need it is beyond me, and it doesn’t happen in my Trust mouse.

Strange, it told me it had been scanned before and gave me that page the first time. Here are the proper results:

http://www.virscan.org/report/c03c4232be5c2fb240e5f617d5c2b336.html

Thanks for your help so far. I’ve written to Trust and asked if hook.dll is supposed to be part of the mouse driver and to confirm it isn’t a virus. I did open the file in notepad, and it did appear to have text that relates to the mouse. I’ll report back when I get a reply.

No point opening the file in notepad; it is a dll, not a plain language file. All you will see for the most part is code, and extreme care has to be taken not to inadvertently damage the file.

Personally I still think there is a likelihood this is a false positive detection, as virtually all of the detections are generic or a non-specific malware name. They look like they are detecting on its actions, and by its name alone it is a hook tool.

When avast next detects it select submit as a false positive so they can analyse it and give a link to this topic and the virus scan links.
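The posts above recommend two things before reporting a false positive: get the file's hash onto VirusTotal/VirScan, and look at what the file actually contains (hook APIs that make it "look like a keylogger" versus vendor text that ties it to the mouse driver). The following script is an added example, not from the thread or from Avast; it does that first-pass triage offline on raw bytes. The sample blob, the marker list and the vendor hint are constructed assumptions.

```python
import hashlib
import re

# Windows user-mode hook APIs: a keyboard/mouse hook explains both the
# "extra mouse buttons send Ctrl-C" feature and a generic Spyware-gen verdict.
# This list is an assumption for illustration, not Avast's detection logic.
HOOK_MARKERS = (
    b"SetWindowsHookExA",
    b"SetWindowsHookExW",
    b"CallNextHookEx",
    b"GetAsyncKeyState",
    b"GetKeyboardState",
)


def file_hashes(data: bytes) -> dict:
    """MD5 (the key the old VirusTotal/VirScan report URLs use) plus SHA-256."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Minimal 'strings': runs of printable ASCII at least min_len bytes long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes, vendor_hint: str) -> dict:
    """Hashes, hook-API names found in the bytes, and strings naming the vendor.

    A file with hook APIs but no vendor/product strings deserves more scrutiny
    than one where both appear; neither result alone settles the FP question.
    """
    hook_apis = sorted(m.decode() for m in HOOK_MARKERS if m in data)
    vendor_strings = [s for s in extract_strings(data) if vendor_hint.lower() in s.lower()]
    result = file_hashes(data)
    result["is_pe"] = data[:2] == b"MZ"
    result["hook_apis"] = hook_apis
    result["vendor_strings"] = vendor_strings
    result["needs_review"] = bool(hook_apis) and not vendor_strings
    return result


# Constructed stand-in for hook.dll: an MZ stub, an imported hook API name and a
# product string like the one the original poster saw in notepad.
SAMPLE = (b"MZ" + b"\x00" * 62 + b"user32.dll\x00SetWindowsHookExA\x00"
          b"\x01\x02\x03" + b"Trust GM-4200 Gamer Mouse\x00")

if __name__ == "__main__":
    for key, value in triage(SAMPLE, "Trust").items():
        print(f"{key}: {value}")
```

On a real file, read it in binary mode (`open(path, "rb").read()`) and pass the vendor name from the driver package; the MD5 can then be compared against the hash in the scan report URL to confirm the same file was scanned.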

I hope the Alwil team take a look at it… and the virus analysts could give us a final conclusion.
It’s a strange file for sure, if not infected.

I’ve sent it off to virus@avast.com to look at.

I sent it to AVG yesterday and had a reply to say it was a false positive, so hopefully avast will update their database too.

Normally they are quick to correct a false positive when confirmed.