Info Only: Kaspersky Ate My Editor

PeteShep

Member
Don't Panic! Just in case it happens to anyone else....

I've had "program editor" installed for years on various PCs.
Last updated the install some time after Christmas. Had Kaspersky installed for over a year as well. OS is Vista Home Premium SP2. Kaspersky is Internet Security 2010

Yesterday (Sun 8 Oct) Kaspersky decided that FTchipID.dll (which is apparently part of c:\windows\system32\isDigitalLibrary.ocx) is infected with "Trojan.Win32.Agent.etxw" and did something nasty to it.
Program Editor now throws up alternate error messages with Kaspersky as it starts, and eventually gets to the "Pick your PICAXE" screen. After that it locks up and after being shut down from Task Manager throws up some sort of "error in Line 5" and vanishes.

I've tried reinstalling from the original download which has been resident on my PC all this time, but that gets blacklisted and deleted. I've downloaded the latest version, and that gets the same treatment.

I'm now waiting for an eMail reply from Kaspersky but not holding my breath.
As I said at the top Info Only. There are so many variables involved it may only be my PC. I may even have caught something nasty.

But just in case anybody else is in the same boat .... you are not alone!


Peter.
 

hippy

Ex-Staff (retired)
There should be some option in Kaspersky which allows you to specify what to do when it thinks it has discovered a threat and there should also be some way to tell it to ignore threats it thinks it has found. I'm not familiar with Kaspersky so you will have to read the manual.

It may be worth disconnecting from the internet, disabling Kaspersky and trying a Programming Editor re-install.
 

papaof2

Senior Member
I haven't used Kaspersky in a long time, but maybe it has an "Ignore" option.
Avira has the option to "Ignore" suspect files - but never honors that "Ignore" setting.

John
 

PeteShep

Member
Thanks for the above.
Comms with Kaspersky ongoing. We are at the "more info" stage. As for what's happening, as Programming Editor opens it tries to "register" or something the DLL. At this point Kaspersky finds it, says it's a Trojan, deletes it, replaces it from somewhere. Then prog editor tries to "register" it again and the loop repeats..... Actually now when I run Prog Editor it seems to be in "Install" mode rather than run.
The install package itself has been blacklisted (I can undo that) so it can't be run easily, and if you virus check the install package, the "Trojan" is found and the package vanishes!

At the time the "Trojan" is found there is no apparent option to skip it. I've had a quick look, but not found a "disregard this one" option - that's not to say there isn't one...

Doesn't look like anyone else has the problem so that's good news.
Maybe I've got a corrupt database or something.

I'll post any news as it comes..

Looks like my M28X1 Do-It-All-I-meter will have to wait.... :)
 

hippy

Ex-Staff (retired)
There is another report of the same issue with FTchipID.DLL and BAS805 ...

http://www.picaxeforum.co.uk/showthread.php?t=15934

However, there's a distinct lack of reports about the alleged virus found by a Google search when I'd have expected more.

FTchipID.DLL should normally be found in C:\Windows\System32 but may not be shown using the Start -> Search -> For Files or Folders.

We will investigate further and keep an eye on the matter.
 

hippy

Ex-Staff (retired)
A virus scan today reveals that Kaspersky is no longer flagging FTchipID.DLL as a threat so it appears their database has been updated. Forcing Kaspersky and Zone Alarm to update to the latest databases should hopefully resolve any issues with FTchipID.DLL and BAS805.

Thanks to http://www.virustotal.com for their file analysis service.
 


PeteShep

Member
Fixed!

All is back to OK.
Have been directed through the "vanilla" cure - Download & use special Virus Checker
(only took 11 hours to do the whole machine!) - Delete Existing Kaspersky - Install latest Kaspersky etc....
Must add thanks to Kaspersky Tech Support. Daily return of eMails and clear instructions.

Can't tell for sure what was wrong, but another "version" / "copy" / "instance" of something with the same virus signature was found in the darkest depths of the Java area........

If I feel brave I'll pull an old copy of bas805.exe from archive and check that!

Have downloaded, virus checked, installed and used latest Programming Editor.
No Red Boxes!!
The withdrawal symptoms are starting to subside. ;-)
 

hippy

Ex-Staff (retired)
Pleased to hear everything is back to normal and despite the problem being Kaspersky's they must be thanked for fixing things promptly once they became aware of the problem.
 

Tasp

Member
Just updated the program editor to latest version downloaded yesterday, once I installed it and ran it Kaspersky showed a new threat detected, but different virus to previously mentioned.

This one is Trojan Exploit.Win32.MS05-018.bj found in C:\Users\xx\Desktop\Downloads\vsm001.exe\PICAXE VSM.msi\Data1.cab

I assume this file was unpacked from bas805.exe?

Little info from Google etc other than a pretty new one.

Kaspersky is currently doing full scan at 3h 22min, still 2hrs to go :(
 

hippy

Ex-Staff (retired)
> This one is Trojan Exploit.Win32.MS05-018.bj found in C:\Users\xx\Desktop\Downloads\vsm001.exe\PICAXE VSM.msi\Data1.cab
>
> I assume this file was unpacked from bas805.exe?

I would guess it's from a PICAXE VSM download rather than from a BAS805 Programming Editor Install given the path stated.

It could be a file which was downloaded a while ago which Kaspersky has now decided is no longer benign if their heuristics or pattern matching has altered.
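
The reasoning in the reply above (reading the origin of a detection from the reported path) as an added example, not part of the original posts: the scanner reports a chain of nested containers, and the first container in the path is the file actually sitting on disk. The list of container extensions and the function names are assumptions made for this illustration; the file names and the path are the ones quoted in the thread.

```python
from pathlib import PureWindowsPath

# Extensions the example treats as unpackable containers (assumption for this sketch).
CONTAINER_EXTS = {".exe", ".msi", ".cab", ".zip"}

# Installer file names mentioned in the thread, mapped to the product they install.
KNOWN_DOWNLOADS = {
    "bas805.exe": "Programming Editor",
    "vsm001.exe": "PICAXE VSM",
}


def split_detection_path(reported):
    """Split a scanner-reported path into (file_on_disk, [nested members]).

    The first path component with a container extension is taken as the
    real file on disk; everything after it is content the scanner unpacked.
    A plain directory named like "foo.exe" would fool this heuristic.
    """
    parts = PureWindowsPath(reported).parts
    for i, part in enumerate(parts):
        if PureWindowsPath(part).suffix.lower() in CONTAINER_EXTS:
            on_disk = str(PureWindowsPath(*parts[: i + 1]))
            return on_disk, list(parts[i + 1:])
    # No container in the path: the reported object is itself the file on disk.
    return str(PureWindowsPath(reported)), []


def origin_download(reported, known=KNOWN_DOWNLOADS):
    """Name the known download a detection belongs to, or None if unknown."""
    on_disk, _ = split_detection_path(reported)
    return known.get(PureWindowsPath(on_disk).name.lower())


if __name__ == "__main__":
    # Path exactly as quoted in the thread.
    reported = r"C:\Users\xx\Desktop\Downloads\vsm001.exe\PICAXE VSM.msi\Data1.cab"
    on_disk, members = split_detection_path(reported)
    print("file on disk :", on_disk)
    print("nested inside:", " -> ".join(members))
    print("belongs to   :", origin_download(reported))
```

The file to submit to the vendor or to a multi-engine scanning service for a second opinion is the one on disk, not the innermost member named in the alert.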
 

papaof2

Senior Member
Any anti-virus software with heuristic matching should have the option to disable the heuristics or a way to flag "the anti-virus is paranoid" matches to be able to use valid software. A-V vendors have a nanny mentality: "We know what's best for you." Unfortunately, they don't know enough to always be right...

A long time ago, McAfee identified network drivers as a virus - the primary reason the company I worked for went with another product. The A-V writers still don't know all the valid software that they should recognize.

John
 

defi

New Member
I found that Kaspersky was a real pain for this sort of thing; even files marked to be ignored continued to be affected.
Despite conversations with the very helpful tech support, in the end I gave up and purchased ESET, which so far has behaved itself once the files have been marked to be ignored.
 

inglewoodpete

Senior Member
I had a similar problem a few months ago documented in this thread.

While it was a pain to have to go through this, I found Kaspersky's response and rectification second to none. Going on my experience with Kaspersky compared with other Virus Protection vendors in past years, I will renew with Kaspersky again.
 