"Phoenix" False Positive

Elandril
2005-11-27, 20:01
Since the 2005-11-25 update, Spybot identifies a file "C:\Windows\setup1.exe" on my computer as "Phoenix", but I'm reasonably sure that I don't have any keylogger on my system (as I scan daily with Spybot, Ad-Aware and two antivirus apps). The file itself has version information that says something like "Microsoft Visual Basic 6.0 Setup Toolkit" (Version 6.0.0.8171, Size 286.720 Bytes).

After some searching around, I'm fairly sure now that this is a false positive! :cool:
Have a look here (http://www.dslreports.com/forum/remark,14879377), where they describe exactly the same file that was found on my computer.
I also scanned it via virusscan.jotti.org and every scanner reported a clean file!

What criteria is the Phoenix detection based upon?
Are there any documents describing this keylogger?

the.basement
2005-11-27, 20:22
I deleted the file, but want to know the outcome of this topic.

Sorry for my English; it is not my mother tongue.
:p

Buster
2005-11-28, 12:58
@ Elandril:
Thanks for reporting this false positive. It will be fixed in the next update.

@ the.basement:
If you want to restore the file, you can do this by using Spybot's recovery feature. Just run Spybot and select "Recovery" on the left. Now open "Phoenix", select "setup1.exe" and click on "Recover selected items".

the.basement
2005-11-28, 13:43
I know the way, but thank you for the support. :bigthumb:
The file is also clean and I will restore it.

I hope that the update restores the file by itself.
Many people use this program and don't know about this "problem".

GladToBeGrey
2005-12-01, 11:12
I've hit this problem with the Shareware Earthwatch software (http://www.elanware.com/) installation. Again, I'm reasonably sure this software is clean.

If this false positive is going to be fixed in the new release, when's that due out? (Currently running S&D 1.4). Been very happy with Spybot to date, and recommended it to others.

Buster
2005-12-01, 11:46
The next update will be available tomorrow!:D

GladToBeGrey
2005-12-02, 18:15
Hi, I've updated SSD with today's update and run a (clean) scan, but I'm still getting the positive when I try to run the Earthwatch setup.exe. Error message below:

http://www.jamesfamily.vispa.com/other images/sdd.png

:(

Yodama
2005-12-05, 09:49
Found and removed the remaining entry in the database that made TeaTimer identify the Visual Basic setup as Phoenix;
expect TeaTimer not to detect this false positive with the next update, scheduled for the end of the week.

Mike_F
2005-12-05, 18:58
We have a program called Phoenix - http://www.completesoft.com/vs-phoenix-pos.htm - and the update will remove the whole folder. This folder contains a database file that houses all of the financial data for the store running the program. Phoenix is actually Point Of Sale software. I'm not sure if there is other software called Phoenix that is a keylogger, but this Point Of Sale software is not. It is Video Point Of Sale software. It tracks rentals and returns along with sales.

Is there any way to remove Phoenix from the list or make it only remove it if it is actually a keylogger?

Just wondering.

Thanks for the help.

Mike

Buster
2005-12-06, 11:44
@ Mike_F
Does Spybot still flag the Phoenix directory with the latest detection updates dated on 2005-12-02 installed?

Mike_F
2005-12-06, 19:42
It does still flag the folder and a registry entry for the Start Menu. I do know that on the 2005-11-25 release it flagged one more directory (which was the Start Menu folder) than with the 2005-12-02 release.

But it is still flagging the Phoenix folder in Program Files and the registry entry HKEY_USERS\S-1-5-21-183062753-716789552-782984527-1054\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Phoenix.

mustbethedecaf
2005-12-08, 21:46
(12/8/05) I just want to be clear on this before I continue ignoring the popup (because I'm reinstalling a computer and its programs, and I can't reinstall a program if I keep deleting its 'setup' SS&D-flagged-Phoenix file).

Again, the public should still believe this is definitely a false positive if a Setup.exe or a Setup1.exe is being flagged post 11/25 as Phoenix by an up-to-date install of SS&D (where the *same exact file* was not flagged prior on the same system, and at the same time all other current security software does not flag the same file). Am I correct?

Thanks for the clarification.


(Update 12/10/05) Just a quick note: as of just now, both a full scan and Resident no longer flag this. Appreciate all the hard work you do, and wishing you all a wonderful weekend!

Mike_F
2005-12-09, 21:24
With the new release from 2005-12-09 it is still flagging the Phoenix folder in Program Files and a registry entry.

Just letting you know.

md usa spybot fan
2005-12-09, 22:19
Mike_F:

Please post the actual detection(s) that you are receiving and perhaps Buster (http://forums.spybot.info/member.php?u=3) can figure out what’s wrong with the detections and get the problem fixed with the next update.

Run another scan. After you are done, right click on the results list and select "Copy results to clipboard" then paste the clipboard into a new post.

Buster
2005-12-12, 11:19
@Mike_F
I just sent you a PM!

Mike_F
2005-12-12, 23:26
I sent you out a PM Buster.

GladToBeGrey
2005-12-14, 11:12
Yesterday I tried again to install Earthwatch 4.01 (see earlier entries in this thread), and again SSD Resident flagged the Setup as Phoenix and killed it. :(

Got the same popup message as given in the earlier thread entry - #7.

The properties of the 'offending' program are given as

Description: Setup Bootstrap for Visual Basic Setup Toolkit
Version: 6.0.81.69
Copyright: Copyright © 1987-1998 Microsoft Corp.

The program name is : setup.exe.

Disabling SSDR allowed the setup to run. Subsequent SSD (2005-12-9 update), Ad-Aware and AVG scans report no problems :confused:

Buster
2005-12-15, 09:45
I finally found the entry which is responsible for the false positive with Earthwatch. It will be fixed in the next update, going to be released tomorrow.

GladToBeGrey
2005-12-19, 01:01
Buster, just to confirm that I have reinstalled Earthwatch successfully - the false positive has gone :bigthumb:

Thanks