Kaspersky online scan - false positive?


CelestialTeardrop
May 19th, 2008, 10:59 AM
Yesterday Kaspersky online scan found four "infections" on my computer (one of them being a system restore point, the other three in a Norton folder). Since the Norton files had always been classified as locked to the Kaspersky scanner before, I thought they must be false positives. But today they are showing up again so I wanted to get a more knowledgeable opinion.

Here is the log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 19, 2008 10:55:42 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/05/2008
Kaspersky Anti-Virus database records: 784486
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\

Scan Statistics:
Total number of scanned objects: 8
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 00:00:02

Infected Object Name / Virus Name / Last Action
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst(2)(2).dll Infected: IM-Worm.Win32.Pykse.o skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst(2)(3).dll Infected: IM-Worm.Win32.Pykse.o skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlctnk.dll Infected: IM-Worm.Win32.Pykse.o skipped

Scan process completed.


Thanks in advance.
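Added example (not from the original post or from Kaspersky): a small parser for the "Infected Object Name / Virus Name / Last Action" block of the report above. It separates real detections from "Object is locked" entries and groups hits by detection name and by parent folder, which is what makes a large result list (most of it under System Volume Information, say) easy to triage. The sample text is the four lines from the post plus one constructed restore-point line with a placeholder GUID.

```python
import re
from collections import Counter

# One result line: <path> then either "Infected: <name>" or "Object is locked",
# then the last action (e.g. "skipped"). Paths may contain spaces, so the path
# group is non-greedy and anchored by the detection keyword that follows it.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?:Infected: (?P<name>\S+)|(?P<locked>Object is locked))\s+"
    r"(?P<action>\S+)$"
)

# Constructed sample: the report lines quoted in the post, plus one made-up
# restore-point entry (placeholder GUID) to show grouping by folder.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst(2)(2).dll Infected: IM-Worm.Win32.Pykse.o skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst(2)(3).dll Infected: IM-Worm.Win32.Pykse.o skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlctnk.dll Infected: IM-Worm.Win32.Pykse.o skipped
C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP12\A0000123.dll Infected: IM-Worm.Win32.Pykse.o skipped

Scan process completed.
"""


def parse_report(text):
    """Return one record per result line; header and footer lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "path": m.group("path"),
            "detection": m.group("name"),        # None for locked objects
            "locked": m.group("locked") is not None,
            "action": m.group("action"),
        })
    return records


def parent_dir(path):
    """Windows parent directory of a backslash-separated path."""
    return path.rsplit("\\", 1)[0]


def summarize(records):
    """Counts that answer the triage questions: what was flagged, where, and
    whether the scanner actually did anything about it."""
    detected = [r for r in records if r["detection"]]
    return {
        "total": len(records),
        "locked": sum(1 for r in records if r["locked"]),
        "by_detection": Counter(r["detection"] for r in detected),
        "by_folder": Counter(parent_dir(r["path"]) for r in detected),
        # "skipped" means the file is still on disk: it needs a second opinion
        # (another scanner or a vendor submission) before anything is deleted.
        "still_on_disk": [r["path"] for r in detected if r["action"] == "skipped"],
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

A single detection name hitting only files that belong to one installed product, all with the same vendor signature, is the usual shape of a false positive; the same name spread across unrelated folders looks more like a real infection.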

steve1955
May 19th, 2008, 11:36 AM
Are they in the backups for Norton? If they are, they are copies of stuff Norton has removed off your system and "backed up" in case they are files you need and so can be restored.

The Hammer
May 19th, 2008, 11:37 AM
Why not try a couple of other online scanners such as BitDefender or Eset. Just watch the Bitdefender one as it will delete a file unless the setting is changed prior to start. http://www.bitdefender.com/site/
http://www.eset.com/onlinescan/

CelestialTeardrop
May 19th, 2008, 12:04 PM
Hi, thanks for your replies.

Steve: Those files are not backups, I think they are the registration information for Symantec, but I haven't been able to find out exactly what they are for.

The Hammer: I used the site Jotti (http://virusscan.jotti.org/) to scan the files with multiple scanners. I don't know if the results are reliable but here is what they said:

~Jotti scan results removed per Policy. (http://www.wilderssecurity.com/showthread.php?t=180057) - Ron~

I'm going to run bitdefender and eset right now.

Thanks for the tips!

dawgg
May 19th, 2008, 01:23 PM
Add the questionable files into a password protected archive and e-mail it to newvirus@kaspersky.com
Remember to insert the password of the archive into the main body and also remember to make the subject "false positive"

CelestialTeardrop
May 19th, 2008, 03:07 PM
Just finished running eset, bitdefender, and trend micro housecall; all three came back clean.

Dawgg - thanks for the email, I sent the archive. Do you know if any replies are sent from Kaspersky to messages sent to that address?

Ron - my mistake about the Jotti results; apologies. I only found the site yesterday through another computer security/support board and used it just that one time. As I said in my original post I was not convinced the results were completely reliable. In any case, it was not my intention to praise or bash any of the scanners. With so many threats out there, it would be pretty amazing for just one scanner to catch everything. It's best to get a second (and third...) opinion.

Baz_kasp
May 19th, 2008, 03:14 PM
-{ Quote: "
Dawgg - thanks for the email, I sent the archive. Do you know if any replies are sent from Kaspersky to messages sent to that address?" }-

I'm not Dawgg, but I think I can answer that question for you :)

Basically, yes. Viruslab should reply to your email and let you know the outcome of the analysis.

Response time varies, sometimes a few minutes, at others could be a day or two.

CelestialTeardrop
May 19th, 2008, 03:22 PM
Thanks Baz, I'm glad they let users know of the outcome. :)

jconinc
May 19th, 2008, 09:57 PM
-{ Quote: "Yesterday Kaspersky online scan found four "infections" on my computer (one of them being a system restore point, the other three in a Norton folder). Since the Norton files had always been classified as locked to the Kaspersky scanner before, I thought they must be false positives. But today they are showing up again so I wanted to get a more knowledgeable opinion.

Here is the log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 19, 2008 10:55:42 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/05/2008
Kaspersky Anti-Virus database records: 784486
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\

Scan Statistics:
Total number of scanned objects: 8
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 00:00:02

Infected Object Name / Virus Name / Last Action
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst(2)(2).dll Infected: IM-Worm.Win32.Pykse.o skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst(2)(3).dll Infected: IM-Worm.Win32.Pykse.o skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlctnk.dll Infected: IM-Worm.Win32.Pykse.o skipped

Scan process completed.


Thanks in advance." }-


I'm getting virtually the same indication of this virus with my Zone Alarm Pro. It shows up in the same location (the Symantec Shared folder) unless I have the Windows XP Restore function turned on - then the virus shows up as a *.dll file in the Windows System Volume Information folder.

I certainly will be interested to see the results of your request for an analysis.

CelestialTeardrop
May 19th, 2008, 10:17 PM
I sent the files to both Kaspersky and F-Secure for analysis earlier today. I now have their replies and both say it is a false positive and that they will update their databases soon.

Jconinc, I was also alerted that my system restore points were all infected (the 99 infections I got on the first scan yesterday nearly sent me into convulsions until I realized 96 of them were in the system volume folder). I didn't mention them because the restore points can be deleted easily.

I found this on the Zone Alarm site (http://www.zonealarm.com/store/content/support/zass/techFAQs_vista.jsp#3):
-{ Quote: "If you would like to send feedback about spyware detections or if you have detected false positive spyware (a legitimate program that ZoneAlarm classifies as spyware) please report it to ZoneAlarm at spyware-feedback@zonelabs.com" }-

What version of Norton are you using?

jconinc
May 20th, 2008, 07:29 AM
-{ Quote: "I sent the files to both Kaspersky and F-Secure for analysis earlier today. I now have their replies and both say it is a false positive and that they will update their databases soon.

Jconinc, I was also alerted that my system restore points were all infected (the 99 infections I got on the first scan yesterday nearly sent me into convulsions until I realized 96 of them were in the system volume folder). I didn't mention them because the restore points can be deleted easily.

I found this on the Zone Alarm site (http://www.zonealarm.com/store/content/support/zass/techFAQs_vista.jsp#3):


What version of Norton are you using?" }-

Thanks for the feedback.

I ran the Kaspersky Online sweep last night and it did not find any of the IM-Worm infections. I had just cleaned the supposedly infected files from my system though, so I will run the check again after a restart (which seems to always bring back the "infected" files).

I'm not using Norton for anti-virus/internet security but I do have Symantec PC Anywhere on my system.

I'll check in with the Zone Alarm people to see what they say about this "infection".

fax
May 20th, 2008, 03:19 PM
-{ Quote: "I sent the files to both Kaspersky and F-Secure for analysis earlier today. I now have their replies and both say it is a false positive and that they will update their databases soon.

Jconinc, I was also alerted that my system restore points were all infected (the 99 infections I got on the first scan yesterday nearly sent me into convulsions until I realized 96 of them were in the system volume folder). I didn't mention them because the restore points can be deleted easily.

I found this on the Zone Alarm site (http://www.zonealarm.com/store/content/support/zass/techFAQs_vista.jsp#3):


What version of Norton are you using?" }-

The right link to report false positives to ZA is this:
http://www.zonealarm.com/store/content/forms/spyware_report.jsp

But the ZA AS engine is different from KAV. So I am actually surprised you get the same 'naming convention' from ZA AS. Unless you are talking about the AV portion of ZA...

Cheers,
Fax

jconinc
May 21st, 2008, 01:05 PM
My problem has gone away. Never heard back from ZA Pro after reporting the problem. Just completed a final scan with no detection of the "IM-Worm" virus. I am assuming it was a false positive corrected by the most recent database update.

CelestialTeardrop
May 21st, 2008, 01:51 PM
Kaspersky and F-Secure have also updated their databases, and the Pykse worm is no longer being detected in the Symantec folder (or elsewhere) on my computer.

I have a general question about infections if anyone knows the answer: How does (for example) an .exe file get infected with a virus/worm/etc.? Do the contents of the file change, or does something get added to it? I'm sorry if this is something basic...

dawgg
May 22nd, 2008, 05:03 AM
-{ Quote: "How does (for example) an .exe file get infected with a virus/worm/etc? Do the contents of the file change? or something gets added to it? I'm sorry if this is something basic..." }-
1) Yes, contents of the file are changed
2) Something might get added to it and/or might get removed from the .exe
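Added example (not posted by anyone in the thread): since an infected executable has its contents changed, and often grows because code is appended, the defender's check is a hash-and-size baseline of the files you care about, compared again later. The snapshot functions below work on an in-memory mapping of path to bytes so the example runs offline; `snapshot_dir` shows the same thing against real files. The "before" and "after" file contents are constructed, not real binaries.

```python
import hashlib
from pathlib import Path


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(files):
    """files: mapping of path -> bytes. Returns path -> (size, sha256)."""
    return {path: (len(data), sha256_of(data)) for path, data in files.items()}


def snapshot_dir(root):
    """Same snapshot built from real files under `root` (not exercised here)."""
    root = Path(root)
    return snapshot({
        str(p.relative_to(root)): p.read_bytes()
        for p in root.rglob("*") if p.is_file()
    })


def diff_snapshots(baseline, current):
    """Classify every file: unchanged, modified in place, grown (bytes added),
    shrunk (bytes removed), added, or missing since the baseline."""
    report = {"modified": [], "grown": [], "shrunk": [], "added": [], "missing": []}
    for path, (size, digest) in current.items():
        if path not in baseline:
            report["added"].append(path)
            continue
        old_size, old_digest = baseline[path]
        if digest != old_digest:
            report["modified"].append(path)
            if size > old_size:
                report["grown"].append(path)      # something was appended
            elif size < old_size:
                report["shrunk"].append(path)     # something was removed
    for path in baseline:
        if path not in current:
            report["missing"].append(path)
    return report


# Constructed sample. "MZ" is only the DOS header magic of a PE file; the rest
# is filler, not executable code.
BEFORE = {
    "app.exe":    b"MZ" + b"\x00" * 14 + b"original program bytes",
    "helper.dll": b"MZ" + b"\x00" * 14 + b"original helper bytes",
    "old.dll":    b"MZ" + b"\x00" * 14 + b"to be deleted",
}
AFTER = dict(BEFORE)
AFTER["app.exe"] = BEFORE["app.exe"] + b"EXTRA BYTES APPENDED"       # grew
AFTER["helper.dll"] = BEFORE["helper.dll"].replace(b"original", b"modified")  # same size, different content
del AFTER["old.dll"]
AFTER["dropped.tmp"] = b"new file not in the baseline"

if __name__ == "__main__":
    for kind, paths in diff_snapshots(snapshot(BEFORE), snapshot(AFTER)).items():
        print(f"{kind}: {paths}")
```

Keep the baseline somewhere the machine being checked cannot rewrite it, otherwise whatever modified the files can modify the baseline too; for vendor-signed files, the vendor's own digital signature on the binary is the stronger reference point.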

Zombini
May 22nd, 2008, 10:53 AM
Nice way to get rid of the competition. Kaspersky sure doesn't like Symantec :-)

Baz_kasp
May 22nd, 2008, 11:09 AM
-{ Quote: "Nice way to get rid of the competition. Kaspersky sure doesn't like Symantec :-)" }-

Another quality pot shot sponsored by the Norton Fan Club ;)