Please PLEASE help me!! Is this a real keylogger or a "false positive"?



soconfused
2007-09-03, 02:58
I've had this show up in SpyBot every time I run it. A couple years ago, I actually did delete it...only to find out when I did, it wiped out our registration key for our billing/payable program!!! So we assumed it has something to do with that program, and left it alone when it reappeared.

But now I'm wondering again.......is it a "false positive" like it says? The only thing it does is wipe out that registration key when we delete it..and then we have to call and get a new one! So I was wondering if it recognizes this program as a "keylogger"....when it's really not???
Basically, when I do delete this out of Spybot, our program doesn't run...PERIOD!! Which really leads me to think it's the false pos......
We aren't some big company with an "IT" dept. or anything...it's just me and my boss. So I can't really see him spying on me........!!! We get along great and BOTH use our computers for work AND personal stuff...so it's not like a big secret or anything!

any ideas????
*************


Codename Alwin: Global Settings
HKEY_LOCAL_MACHINE\Software\Nelco

"More Information"
Company: Coding Workshop
Product: Codename Alwin
Threat: KEYLOGGER

**Also says "Registry Key" to the right of the description.


Company URL: http://www.codingworkshop.com/
Company product URL:
http://www.codingworkshop.com/alvin/

Description
A product of the same company, Coding Workshop, is now using the same folder, possibly causing a false positive....

Yodama
2007-09-03, 12:57
hello,

this is very likely a false positive but to verify this, we will need some more information.
First make another scan with Spybot S&D, if it finds this
Codename Alwin: Global Settings
HKEY_LOCAL_MACHINE\Software\Nelco
again, do the following:
Double-click on the blue icon to the right of the scan result. This will open the registry editor and browse to the location of this registry key. Then, within regedit, right-click on the Nelco key (keys are displayed as folders), and choose Export. Save the file and send it to detections-at-spybot.info (replace -at- with @).

It would also be helpful if you could tell us which of your programs does not work anymore if Spybot fixes this.

soconfused
2007-09-03, 15:38
well, I'm not at that particular computer at the moment, but I will update on what I did last night...which fixed things......I *think*...

I hadn't "updated" spybot since...I don't know?....2004!? It was still on a 1.2 version and I'd never "downloaded" any updates. I know...DUH!

So I did that, and after it installed the new version, did the updates, that "codename alwin" was ALREADY in the Recovery bin....like it had already been scanned and "fixed".....

The program and registration key it was wiping out was kind of a "homemade" program that we run all our business stuff on. That was the ONLY thing it did before when I'd delete it, was wipe out that program's registration key, making the entire program unusable, till we called for a new key. It's like it was recognizing this program's "key" as a match for a keylogger???

Anyway, after it found it last night, and I deleted it, I held my breath and tried to get into the program it usually messes up. And it LET ME!!!!!!! It didn't wipe out the registration key this time like it had before!!

So I'm assuming...just guessing....that maybe this was a glitch in Spybot YEARS ago, and with me not updating for a long LONG time, it just kept finding it every time I'd scan?? Now after the update, I was able to delete it, without a problem.

Hopefully that makes sense?

Yodama
2007-09-04, 09:45
hello,

yes, it does make sense, since Spybot S&D has been constantly upgraded since version 1.2 and the detection rules were also changed to be more specific. Old rules for the 1.2 version may have been too general, thus causing this false positive.