
Kaspersky On-line Scan...does It Remove Its Findings?



#1 1Bart


Posted 08 November 2006 - 08:05 PM

As I am pretty diligent with my security, I heard that Kaspersky is well respected. I found the scan in one of BPs threads. I decided to run it and it said that I am infected with:

C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped

Does it remove this item (I do not see where) or does it just report it?

Where do I get instructs on how to remove?

Thanks a big bunch.... I like to keep my computer clean.....



KASPERSKY ONLINE SCANNER REPORT
06-11-08 7:42:28 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/11/2006
Kaspersky Anti-Virus database records: 239528


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics
Total number of scanned objects 106603
Number of viruses found 1
Number of infected objects 1 / 0
Number of suspicious objects 0
Duration of the scan process 01:20:52

Infected Object Name Virus Name Last Action
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
Scan process completed.


#2 rlprlp


Posted 08 November 2006 - 10:24 PM

While I'll be the first to admit that I don't know exactly what it is for, KillWind is not a virus. It came pre-installed on your PC by HP when you first purchased it. This is what is known as a "false positive".

#3 buddy215


Posted 08 November 2006 - 10:44 PM

What Kaspersky is telling you is that the program in question is a "risk tool". Meaning that malware can use it to install malware on your computer. But as it is an essential part of your computer you should not remove it.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”
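As an added example (not part of the thread and not Kaspersky's own tooling), the report rows posted above can be triaged in Python: the parser separates "Object is locked" rows, which are files the scanner could not open, from actual detections, and splits the verdict name into its parts. The sample rows are constructed in the report's layout, and reading a last action of "skipped" as "nothing was changed" is an assumption.

```python
import re

# Constructed sample rows in the layout of the report above:
# "<path> <verdict> <last action>". Paths may contain spaces.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Compaq_Owner\ntuser.dat Object is locked skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

LOCKED = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Object is locked (?P<action>\S+)$")
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<verdict>\S+) (?P<action>\S+)$")
# Kaspersky verdict layout: [prefix:]Behaviour.Platform.Name[.Variant]
VERDICT = re.compile(
    r"^(?:(?P<prefix>[\w-]+):)?(?P<behaviour>[^.]+)\.(?P<platform>[^.]+)"
    r"\.(?P<name>[^.]+)(?:\.(?P<variant>.+))?$")


def parse_report(text):
    """Return (detections, locked_paths, unparsed_lines) for report rows."""
    detections, locked, unparsed = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        hit = DETECTION.match(line)
        if hit:
            row = hit.groupdict()
            parts = VERDICT.match(row["verdict"])
            row.update(parts.groupdict() if parts else {})
            # "not-a-virus:" marks legitimate software that malware could misuse.
            row["riskware"] = row.get("prefix") == "not-a-virus"
            # Assumption: a last action of "skipped" means nothing was changed.
            row["action_taken"] = row["action"] != "skipped"
            detections.append(row)
        elif LOCKED.match(line):
            # File was in use, so the scanner could not read it: not a finding.
            locked.append(LOCKED.match(line).group("path"))
        else:
            unparsed.append(line)
    return detections, locked, unparsed


if __name__ == "__main__":
    found, locked, other = parse_report(SAMPLE_REPORT)
    for row in found:
        print(row["path"], row["behaviour"], row["name"], row["riskware"])
    print(len(locked), "locked files,", len(other), "unparsed lines")
```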


#4 1Bart


Posted 09 November 2006 - 01:22 AM

Hello Out There,

Many many thanks to both!!! There was a time when I was going to ask what a false positive was (but figured it was self-explanatory), so NOW I really know first hand. AND, I will NOT remove it since it is an essential part of the computer. I suppose I should thank MS too, for putting such a lovely item into the intricate workings of the computer!!!!....lol

Beaucoup thanks folks!!!!!!

#5 tg1911


Posted 09 November 2006 - 07:45 AM

What is "killwind"?

Killwind - terminate TSR's (Terminate and Stay Resident) in windows.
TSR's - processes that are running in the background that don't have any visual representation.

Who_i_am
Geek
Registered: 7-2003
Post Number: 22

Posted on Saturday, July 19, 2003 - 5:41 pm:

I did a little search of my own... and came up with this...

I was assisting someone with a problem with her computer and came across these files. I contacted HP and was told that the killwind, terminator, cloaker, spawn and fondlewindow executables are part of the Backweb program that HP installs on all Pavilion PC's. Backweb enables HP to connect directly to a PC while it is online (simply connected to an ISP - doesn't matter if the browser is open or not) so that it can "push" content and program updates.

While the tech support person who wrote back to me when I emailed them said that the files were "essential" for proper system operation, further investigation using HP's own support documentation shows that you can uninstall the Backweb program through the Add/Remove Programs utility in Windows Control Panel. HP, of course, does not recommend doing this.

My take is that if your system is out of warranty, is operating properly, and Mr. Gerrans' sense of humor in naming and describing the files offends you, just uninstall Backweb. Of course, this is just my personal opinion, does not reflect HP's recommendations, etc...


MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA


#6 rlprlp


Posted 09 November 2006 - 08:26 AM

Very interesting, tg1911. Thank you for sharing your findings. Also, I wanted to let 1Bart know that he can navigate to any folders/files in question when he runs scans, and right-click them, and choose properties. He would see that KillWind, for example, was installed before he ever even purchased the PC, and that his PC came with that program installed by the factory. I have HP updates disabled on my Pavilion. I wonder what would happen if I deleted the files that tg1911's quote makes reference to? That's another story; not trying to hijack your thread, 1Bart!

#7 1Bart


Posted 09 November 2006 - 09:52 AM

Thanks to all....Learning learning as we go along......That's the name of the game here.

rlprlp....Please...No worries mon.... :thumbsup: As a matter of fact, you touched on a VERY interesting point...
When I navigate to the file in "My Computer", I can right click on the file and choose "Properties". Under what tab would I find the "comfort" to know that it was pre-installed or other "virus determining" info? I went there and my "untrained" eye did not see anything that I could hang my hat on. Of course, I believe all of what is being said here...But, just for future reference, it would be a tremendous help!!!!

Nice link tg1911-!!!!!!

This site is great...And it's the people who make it that way!!!!!

Edited by 1Bart, 09 November 2006 - 10:09 AM.


#8 rlprlp


Posted 09 November 2006 - 09:14 PM

Actually, I should have edited that last post. It doesn't work with folders. However, with individual files, you can find info such as "Date Created" (how long it has been on your PC), and sometimes even info like the company that wrote the program. To my knowledge, the date created cannot be faked by crackers. It's not necessarily concrete proof of anything, but it may prompt you to think to yourself: "This has been on my PC for X number of weeks/months, and now all of a sudden it's 'malware'?"

#9 jgweed


Posted 09 November 2006 - 09:52 PM

If you use Windows Explorer, and use the Details View, it will show you a last modified date (this is usually the date created unless it has been renamed, for example). Right clicking on a folder will show you under Properties/General Tab, the date the folder was created.
The point is well taken that these dates can give some helpful information that can help you make decisions.
Regards,
John
Whereof one cannot speak, thereof one should be silent.

#10 1Bart


Posted 09 November 2006 - 10:13 PM

Ooooo-KaaaaY!!!!

Very good to both.....Thanks a GIG....THAT info will be quite helpful.....Point well taken.



