
Thread: "Phoenix" False Positive

  1. #1
    Junior Member
    Join Date
    Nov 2005
    Posts
    7

    "Phoenix" False Positive

    Since the 2005-11-25 update, Spybot identifies a file "C:\Windows\setup1.exe" on my computer as "Phoenix", but I'm reasonably sure that I don't have any keylogger on my system (as I scan daily with Spybot, Ad-Aware and two antivirus apps). The file itself has version information that says something like "Microsoft Visual Basic 6.0 Setup Toolkit" (Version 6.0.0.8171, Size 286.720 Bytes).

    After some searching around, I'm fairly sure now that this is a false positive!
    Have a look here, where they describe exactly the same file that was found on my computer.
    I also scanned it via virusscan.jotti.org and every scanner reported a clean file!

    What criteria is the Phoenix detection based upon?
    Are there any documents describing this keylogger?

  2. #2
    Junior Member the.basement
    Join Date
    Nov 2005
    Posts
    2

    I want to know too....

    I deleted the file, but want to know the outcome of this topic.



    Sorry for my English.
    It is not my mother language.
    :p

  3. #3
    Member of Team Spybot Buster
    Join Date
    Oct 2005
    Location
    Bochum/Germany
    Posts
    389


    @ Elandril:
    Thanks for reporting this false positive. It will be fixed in the next update.

    @ the.basement:
    If you want to restore the file, you can do this by using Spybot's recovery feature. Just run Spybot and select "recovery" on the left. Now open "Phoenix", select "setup1.exe" and click on "recover selected items".
    "The advantage of wisdom is that you can always act the fool. The opposite is quite tough."

    K. Tucholsky

    _______________________________________________________________

    Please help us improve Spybot and download our distributed testing client.

  4. #4
    Junior Member the.basement
    Join Date
    Nov 2005
    Posts
    2

    thank you

    I know the way, but thank you for the support.
    The file is also clean and I will restore the file.

    I hope that the update restores the file by itself.
    Many people use this program and don't know this "problem".


  5. #5
    Junior Member GladToBeGrey
    Join Date
    Dec 2005
    Location
    Dorset, England
    Posts
    4

    Me too ...

    I've hit this problem with the Shareware Earthwatch software (http://www.elanware.com/) installation. Again, I'm reasonably sure this software is clean.

    If this false positive is going to be fixed in the new release, when's that due out? (Currently running S&D 1.4). Been very happy with Spybot to date, and recommended it to others.

  6. #6
    Member of Team Spybot Buster
    Join Date
    Oct 2005
    Location
    Bochum/Germany
    Posts
    389


    The next update will be available tomorrow! :D

  7. #7
    Junior Member GladToBeGrey
    Join Date
    Dec 2005
    Location
    Dorset, England
    Posts
    4


    Hi, I've updated SSD with today's update, run a (clean) scan, but I'm still getting the positive when I try to run the Earthwatch setup.exe. Error message below:



    :(

  8. #8
    Senior Member Yodama
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110


    Found and removed the remaining entry in the database that made TeaTimer identify the Visual Basic setup as Phoenix.
    Expect TeaTimer to not detect this false positive with the next update, scheduled for the end of the week.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  9. #9
    Junior Member
    Join Date
    Dec 2005
    Location
    Salem, OR
    Posts
    4

    Phoenix False Positive

    We have a program called Phoenix - http://www.completesoft.com/vs-phoenix-pos.htm - and the update will remove the whole folder. This folder contains a database file that houses all of the financial data for the store running the program. Phoenix is actually a Point Of Sale software. I'm not sure if there is another software called Phoenix that is a keylogger but this Point Of Sale software is not. It is a Video Point Of Sale Software. It tracks rentals and returns along with sales.

    Is there any way to remove Phoenix from the list or make it only remove it if it is actually a keylogger?

    Just wondering.

    Thanks for the help.

    Mike

  10. #10
    Member of Team Spybot Buster
    Join Date
    Oct 2005
    Location
    Bochum/Germany
    Posts
    389


    @ Mike_F
    Does Spybot still flag the Phoenix directory with the latest detection updates dated on 2005-12-02 installed?