I use what I believe is a popular and reputable media player called Zoom Player, from Inmatrix.  They offer several versions, and while the version I use ("Premium") has not been sold for awhile, Inmatrix still offers updates for it.  The executable is zplayer.exe.  I had been using update 811 of Zoom Player Premium for months, and NIS never had any problem with it, either in virus scans or when I used it.  But tonight, shortly after I started playing a video file Sonar detected zplayer.exe as a high risk file,  supposedly due to suspicious behavior -- keylogging attempts --  and deleted it.

So I downloaded and installed the latest update of Zoom Player Premium from Inmatrix (v 816), and again as soon as I started playing a file Sonar flagged and deleted the latest update of zplayer.exe for the same reason.  It said "very few users" (less than five), but that's probably because it is a just-released update of a legacy version of the product.

This smells like a "false positive" to me.  Or is it possible that version 811 suddenly became infected with a keylogger after months with no problems, and version 816 was keylogging immediately upon installation?

Any thoughts or advice?  I have used Zoom Player for years and definitely trust it.  It seems odd that a media player would suddenly be the target of infection by a keylogger.  Windows XP SP3, NIS 2011.  Thanks