Kaspersky online scan - false positive?

Discussion in 'other anti-virus software' started by CelestialTeardrop, May 19, 2008.

Thread Status:
Not open for further replies.
  1. CelestialTeardrop

    CelestialTeardrop Registered Member

    Joined:
    Sep 18, 2006
    Posts:
    30
    Yesterday Kaspersky online scan found four "infections" on my computer (one of them being a system restore point, the other three in a Norton folder). Since the Norton files had always been classified as locked to the Kaspersky scanner before, I thought they must be false positives. But today they are showing up again so I wanted to get a more knowledgeable opinion.

    Here is the log:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, May 19, 2008 10:55:42 AM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 19/05/2008
    Kaspersky Anti-Virus database records: 784486
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - Folders:
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\

    Scan Statistics:
    Total number of scanned objects: 8
    Number of viruses found: 1
    Number of infected objects: 3
    Number of suspicious objects: 0
    Duration of the scan process: 00:00:02

    Infected Object Name / Virus Name / Last Action
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst(2)(2).dll Infected: IM-Worm.Win32.Pykse.o skipped
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst(2)(3).dll Infected: IM-Worm.Win32.Pykse.o skipped
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlctnk.dll Infected: IM-Worm.Win32.Pykse.o skipped

    Scan process completed.


    Thanks in advance.
     
    Last edited: May 19, 2008
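An added example, not part of the original thread: a small parser for the result rows of the report posted above, which cross-checks them against the report's own statistics and groups detections by signature and folder. The function names and the "one signature, one folder" grouping are assumptions of this example; such a cluster is only a cue to get a second opinion and submit the files to the vendor, not proof of a false positive.

```python
import re
from collections import defaultdict
from ntpath import dirname  # applies Windows path rules on any OS

# Sample input: two statistics lines and the result rows copied from the report above.
REPORT = r"""
Number of viruses found: 1
Number of infected objects: 3
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst(2)(2).dll Infected: IM-Worm.Win32.Pykse.o skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst(2)(3).dll Infected: IM-Worm.Win32.Pykse.o skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlctnk.dll Infected: IM-Worm.Win32.Pykse.o skipped
"""

STAT = re.compile(r"^Number of (viruses found|infected objects): (\d+)$")
# Paths contain spaces, so match the path lazily up to the verdict text.
ROW = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?:Infected: (?P<name>\S+)|Object is locked) (?P<action>\w+)$"
)

def parse_report(text):
    """Return (stats, rows); a row is (path, detection name or None, last action)."""
    stats, rows = {}, []
    for line in map(str.strip, text.splitlines()):
        if m := STAT.match(line):
            stats[m.group(1)] = int(m.group(2))
        elif m := ROW.match(line):
            rows.append((m["path"], m["name"], m["action"]))
    return stats, rows

def triage(text):
    stats, rows = parse_report(text)
    by_name = defaultdict(list)
    for path, name, _ in rows:
        if name:  # None means the scanner could not open the file
            by_name[name].append(path)
    infected = sum(len(paths) for paths in by_name.values())
    return {
        # Do the parsed rows agree with the totals the scanner printed?
        "consistent": stats.get("viruses found") == len(by_name)
        and stats.get("infected objects") == infected,
        # Locked files were never scanned, so they are unknown, not clean.
        "locked": [p for p, n, _ in rows if n is None],
        # One signature hitting several files in a single folder.
        "clusters": {n: dirname(ps[0]) for n, ps in by_name.items()
                     if len(ps) > 1 and len({dirname(p) for p in ps}) == 1},
    }
```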
  2. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Are they in the backups for Norton? If they are, they are copies of stuff Norton has removed off your system and "backed up" in case they are files you need and so can be restored.
     
  3. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
  4. CelestialTeardrop

    CelestialTeardrop Registered Member

    Joined:
    Sep 18, 2006
    Posts:
    30
    Hi, thanks for your replies.

    Steve: Those files are not backups, I think they are the registration information for Symantec, but I haven't been able to find out exactly what they are for.

    The Hammer: I used the site Jotti (http://virusscan.jotti.org/) to scan the files with multiple scanners. I don't know if the results are reliable but here is what they said:

    ~Jotti scan results removed per Policy. - Ron~

    I'm going to run bitdefender and eset right now.

    Thanks for the tips!
     
    Last edited by a moderator: May 19, 2008
  5. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Add the questionable files into a password protected archive and e-mail it to newvirus@kaspersky.com
    Remember to insert the password of the archive into the main body and also remember to make the subject "false positive"
     
  6. CelestialTeardrop

    CelestialTeardrop Registered Member

    Joined:
    Sep 18, 2006
    Posts:
    30
    Just finished running eset, bitdefender, and trend micro housecall; all three came back clean.

    Dawgg - thanks for the email, I sent the archive. Do you know if any replies are sent from Kaspersky to messages sent to that address?

    Ron - my mistake about the Jotti results; apologies. I only found the site yesterday through another computer security/support board and used it just that one time. As I said in my original post I was not convinced the results were completely reliable. In any case, it was not my intention to praise or bash any of the scanners. With so many threats out there, it would be pretty amazing for just one scanner to catch everything. It's best to get a second (and third...) opinion.
     
  7. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    I'm not Dawgg, but I think I can answer that question for you :)

    Basically, yes. Viruslab should reply to your email and let you know the outcome of the analysis.

    Response time varies: sometimes a few minutes, at other times it could be a day or two.
     
  8. CelestialTeardrop

    CelestialTeardrop Registered Member

    Joined:
    Sep 18, 2006
    Posts:
    30
    Thanks Baz, I'm glad they let users know of the outcome. :)
     
  9. jconinc

    jconinc Registered Member

    Joined:
    May 19, 2008
    Posts:
    3

    I'm getting virtually the same indication of this virus with my Zone Alarm Pro. It shows up in the same location (the Symantec Shared folder) unless I have the Windows XP Restore function turned on - then the virus shows up as a *.dll file in the Windows System Volume Information folder.

    I certainly will be interested to see the results of your request for an analysis.
     
  10. CelestialTeardrop

    CelestialTeardrop Registered Member

    Joined:
    Sep 18, 2006
    Posts:
    30
    I sent the files to both Kaspersky and F-Secure for analysis earlier today. I now have their replies and both say it is a false positive and that they will update their databases soon.

    Jconinc, I was also alerted that my system restore points were all infected (the 99 infections I got on the first scan yesterday nearly sent me into convulsions until I realized 96 of them were in the system volume folder). I didn't mention them because the restore points can be deleted easily.

    I found this on the Zone Alarm site:
    What version of Norton are you using?
     
  11. jconinc

    jconinc Registered Member

    Joined:
    May 19, 2008
    Posts:
    3
    Thanks for the feedback.

    I ran the Kaspersky Online sweep last night and it did not find any of the IM-Worm infections. I had just cleaned the supposedly infected files from my system though, so I will run the check again after a restart (which seems to always bring back the "infected" files).

    I'm not using Norton for anti-virus/internet security but I do have Symantec PC Anywhere on my system.

    I'll check in with the Zone Alarm people to see what they say about this "infection".
     
  12. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    The right link to report false positives to ZA is this:
    http://www.zonealarm.com/store/content/forms/spyware_report.jsp

    But ZA AS engine is different from KAV. So I am actually surprised you get the same 'naming convention' from ZA AS. Unless you are talking about the AV portion of ZA...

    Cheers,
    Fax
     
  13. jconinc

    jconinc Registered Member

    Joined:
    May 19, 2008
    Posts:
    3
    My problem has gone away. Never heard back from ZA Pro after reporting the problem. Just completed a final scan with no detection of the "IM-Worm" virus. I am assuming it was a false positive corrected by the most recent database update.
     
  14. CelestialTeardrop

    CelestialTeardrop Registered Member

    Joined:
    Sep 18, 2006
    Posts:
    30
    Kaspersky and F-Secure have also updated their databases, and the Pykse worm is no longer being detected in the Symantec folder (or elsewhere) on my computer.

    I have a general question about infections if anyone knows the answer: How does (for example) an .exe file get infected with a virus/worm/etc? Do the contents of the file change, or does something get added to it? I'm sorry if this is something basic...
     
  15. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    1) Yes, contents of the file are changed
    2) Something might get added to it and/or might get removed from the .exe
     
  16. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Nice way to get rid of the competition. Kaspersky sure doesn't like Symantec :)
     
  17. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    Another quality pot shot sponsored by the Norton Fan Club ;)
     