(Resolved) Keyhook.dll on new Lenovo system

I’ve just run my first full-system scan, including PUPs, on this new system which I bought 2 or 3 days ago after my old one died. The following file was flagged on this scan, but had not “tripped” any of the resident shields up to this point (all of which are set to highest sensitivity and to include PUPs):

C:\Program Files (x86)\Lenovo\Driver-App Auto Installation\Keyhook.dll. It’s identified as PUP:Win32:KeyHooker-E [PUP]. Severity: Low

I haven’t yet gone through the standard routine of testing this, but did google it. There seems to be a consensus that if the file is in a Win subfolder it’s probably a threat, but located elsewhere it’s more likely a proprietary driver from one of several mfrs, including Lenovo (formerly IBM), and most commonly used for enabling hot-keys.

Should I give this the full treatment to be sure, or is it likely relatively harmless? Thanks.

If you are suspicious… then there is VirusTotal. :)

Thanks, Pondus … according to VirusTotal, avast is the only scanner picking this up as suspicious. I also scanned it with MBAM, with no negative reaction.

I wonder if submitting it as a FP candidate would confuse things … apparently there’s another file with the same name that really is a trojan, probably a key-logger. I guess I could submit it with that note included and let avast decide.

> Thanks, Pondus ... according to VirusTotal, avast is the only scanner picking this up as suspicious. I also scanned it with MBAM, with no negative reaction.

Malwarebytes is now also on the VirusTotal scan. ;)

Did you click the additional info button?
Did you check "first seen by VirusTotal"?

Send it to avast as a false positive.
Upload from the chest… or use this: http://www.avast.com/contact-form.php?

Hi MikeBCda,

Also check here: http://www.systemlookup.com/search.php?list=&type=filename&search=Keyhook.dll&s=
and http://www.threatexpert.com/files/keyhook.dll.html
and read this: http://forum.avast.com/index.php?topic=72701.0

polonus

Polonus and Pondus:

Thanks for your specific suggestions. On the first pass at VirusTotal, I was advised that it had already been scanned fairly recently, and accepted simply reviewing the report from that. I’ve just gone back and forced a re-assessment of my copy, which again resulted in only one “hit,” from avast, again as a PUP.

As suggested, I’ve now clicked on Additional Information, and that’s showing First Seen as 2009-04-27. The full report is at https://www.virustotal.com/file/4a47495ff6eaf36ddbdb4e0a713ad1c5a6e98573c407096f396a011538fe8a13/analysis/, if that helps any.

I’ve checked out those three links from Polonus, and the third one seems to fit my situation exactly, right down to location.

Under the circumstances, I’ve now set this up for submission to the lab as a suspected false positive. Well, not exactly, it may actually be harmless but still falling into the definition of PUP.

Many thanks for your help – if I don’t hear back from you, we can probably treat this as resolved.

Pondus – got your IM, thanks, pretty much the situation I’d/we’d guessed. Tried to reply by IM but it got messed up, insisted on treating it as a new message rather than a reply, so I’m posting here instead.

I think we can flag this as resolved now, with the understanding that it’s probably harmless only if it’s in the manufacturer’s folders and not in a Windows folder, which is more likely to be the trojan with the same name.

Thanks again and best,
Mike