Spyware detects stealth.keylogger is it a false positive?
Muttley
05-14-2010, 12:56 PM
Hi All,
I am new to posting on PCtools, so you may have to bear with me.
I recently bought a brand new Samsung laptop and managed to get a trojan.fakealert infection. I used Malwarebytes to remove this but was concerned there may be other malicious software on my laptop due to this trojan.
A friend suggested Spyware Doctor, so I scanned with that and it picked up 15 infections as a stealth keylogger, all in the following location: HKEY_LOCAL_MACHINE/SOFTWARE/ASK. I was concerned that this was sending sensitive information such as log-on details to someone. So I did a system restore to out-of-box settings using Samsung System Recovery 4. I spoke to Samsung and apparently this recovery image is on a hidden partition which even Windows cannot detect, designed to restore the system in just such a case as a virus infection.
Once the system had restored I checked the registry before installing anything and sure enough this HKEY_LOCAL_MACHINE/SOFTWARE/ASK entry is present. After speaking to Samsung we agreed that this must have come on the original build of the laptop; they suggested it may be something to do with the ASK toolbar?
Can you help me with this and see whether it really is a malicious key logger or a false positive?
Many thanks in advance
tigertheboo
05-14-2010, 02:06 PM
What some do to check out false positives is to use a site like VirusTotal (do a search on this site to get the exact URL) that scans the file using a zillion different anti-malware programs.
Muttley
05-14-2010, 06:45 PM
Thanks tigertheboo,
I'll do that. This virus is in my registry, how do I make it a file to upload to virustotal?
Thanks
tigertheboo
05-15-2010, 01:41 AM
sorry if this is a duplicate but can't find my response
I don't know how to find the file, hopefully more expert people will jump in.
Also this forum is absolutely first rate, with the one downside that some of the experts are not on during the weekend, so be patient.
(I only post when I think the more expert folk won't for a while. I have only modest computer knowledge on my own, but do remember what folk on this bulletin board say.)
AChen
05-17-2010, 01:18 AM
If you want us to check the file in question, you'll need to export the reg key being detected and also a history file from SD (see below for instructions).
Go to Start-> Run-> type regedit-> locate the key that is detected-> right click on the key-> Export-> save the file to your desktop-> zip up this file and attach it to your next reply.
Also provide a history file from SD (Settings-> History-> highlight the latest history file-> Save to file).
Once we receive the above, we'll be able to check it out further.
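The export AChen asks for is a text file describing registry values, so VirusTotal (as tigertheboo suggested) cannot meaningfully scan it on its own; what VirusTotal can check are the program files those values point at. As an added example that is not part of this thread or of Spyware Doctor, the Python below parses a regedit .reg export, pulls the executable and DLL paths out of its string values, and hashes whichever of those files exist on disk so each one can be looked up on VirusTotal by SHA-256. The sample .reg content is constructed for illustration and does not reproduce the real contents of HKEY_LOCAL_MACHINE\SOFTWARE\ASK.

```python
"""Added example (not from the thread): turn an exported .reg key into the
list of binaries it references, plus their SHA-256 hashes, so each file can
be checked on VirusTotal by hash rather than uploading the registry text.
The SAMPLE_REG below is constructed; the real ASK key may differ."""
import hashlib
import re
import sys
from pathlib import Path

# Constructed sample of what regedit -> Export writes. Real exports are
# UTF-16 text; read them with encoding="utf-16" (see __main__ below).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ASK]
"InstallDir"="C:\\Program Files\\ASK\\"
"Updater"="C:\\Program Files\\ASK\\askupd.exe"
"Version"="1.0.0"
"Flags"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\ASK\Toolbar]
@="Ask Toolbar"
"Path"="C:\\Program Files\\ASK\\Toolbar\\toolbar.dll"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^(?:@|"([^"]*)")=(.*)$')
# Drive-letter path ending in a loadable/executable extension.
_PATH_RE = re.compile(r'^[A-Za-z]:\\.*\.(exe|dll|sys|ocx|scr|cpl)$', re.I)


def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} from .reg text.

    REG_SZ values are unescaped; dword:/hex: values are kept verbatim.
    Continuation lines of multi-line hex values match neither pattern
    and are ignored, which is fine for path extraction.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            raw = m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                # regedit escapes backslash as \\ and quote as \"
                raw = raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
            keys[current][name] = raw
    return keys


def referenced_binaries(keys):
    """Sorted, de-duplicated list of binary paths found in string values."""
    found = {raw for values in keys.values() for raw in values.values()
             if _PATH_RE.match(raw)}
    return sorted(found)


def sha256_of(path):
    """SHA-256 hex digest of a file on disk, or None if it is absent."""
    p = Path(path)
    if not p.is_file():
        return None
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(text):
    """Map each referenced binary to its hash (None = not found on disk)."""
    return {path: sha256_of(path) for path in referenced_binaries(parse_reg(text))}


if __name__ == "__main__":
    # Usage: python triage_reg.py exported_key.reg  (defaults to the sample)
    text = (Path(sys.argv[1]).read_text(encoding="utf-16")
            if len(sys.argv) > 1 else SAMPLE_REG)
    for path, digest in triage(text).items():
        print(f"{digest or 'NOT FOUND'}  {path}")
```

Paste each printed hash into VirusTotal's search box to see whether the file is already known; a file that is absent from disk (NOT FOUND) is a clue that the key is an orphaned remnant rather than a running program.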
Muttley
05-20-2010, 05:00 PM
Dear AChen,
Thanks very much for your reply. I've attached a zip file for the exported registry entry that was flagged as a keylogger, along with a zip of the Spyware Doctor Log.
Thanks in advance for the help
AChen
05-21-2010, 05:59 AM
Thanks for the files. We are currently investigating this and will get back to you shortly.
Muttley
06-09-2010, 11:11 PM
Hi AChen,
I was just wondering if you'd been able to get to the bottom of the file attachments I sent you? Just checking you hadn't forgotten about me.
Cheers
AChen
06-11-2010, 12:28 AM
Sorry for not providing an update sooner. This should now be resolved.
Muttley
06-11-2010, 05:12 PM
Hi AChen,
Thanks for the prompt reply, but you haven't really answered my original question which was is this registry entry that I sent you a false positive?
I realise that in the spywaredoctor log I sent you it shows that I have removed this entry.
The reason that I want to know whether or not it is a false positive is because it appears that the brand new laptop I bought from Samsung had this reg entry pre-loaded onto it out of the box!!
I want to know if it is malicious software as I had to go through a lot of trouble after finding what spywaredoctor detected as a stealth keylogger.
Would you be able to let me know if this is a false positive or not?
Thanks again.
Bianca150
06-14-2010, 07:38 PM
I think Stealth KeyLogger 5.0 is a false positive because it is offered on a reputable site such as CNET downloads.
http://download.cnet.com/Stealth-KeyLogger/3000-2162_4-10355248.html
Samsung must have installed that trial software on your laptop and SD has detected it as a threat based on the name.
All the best!
A friend of mine purchased a new Samsung laptop and Spybot identified a keylogger.
Emails to Samsung came up with the response listed below.
Now as he won't join, I thought I may assist with the answer he received. I hope this helps.
I think if the said files relating to the driver were put in the "ignore file folder" of Spybot this would do it, or indeed communicate with Spybot, whatever. OK
Reply from SAMSUNG
Dear Mr F.........
With regards to your recent email, Spybot S&D is giving a false positive when it reports the one registry entry as Stealth Keylogger. It is detecting part of the Atheros driver install.
This is why no other registry entries or files are located by Spybot S&D. Also, when Spybot S&D fixes the registry and then the Atheros driver is updated or reinstalled, the registry entry will reappear and Spybot S&D will flag it up again on the next scan. It's not a threat to your notebook, it's just capturing wrong information.
As I said, hope this helps, guys. Trig
haapy
07-05-2010, 03:33 PM
Trig,
You will have to post the false positive on the Spybot forum.
This forum is for Spyware Doctor.
Muttley
07-13-2010, 12:34 PM
Hi Trig,
Thank you very much for posting this information regarding your friend's communication with Samsung, it is really helpful.
Actually I just re-scanned my laptop with spywaredoctor and it no longer picks up this registry entry when it scans, even though the reg entry is still there.
Could someone from pctools confirm that this has been added to the list of exceptions in one of the recent updates?
Thanks
AChen
07-14-2010, 12:29 AM
Yes, this was a FP and has been fixed.