|
|||
EDIT3
It is now confirmed by Kaspersky, Avira and Avast that alerts about the following are FALSE POSITIVES:

- CK_Host_BPM.sep
- CK_Warp.sep
- CK_polyphony_control.sep

This means there is no trojan/virus and Kaspersky/Avira/Avast is alerting in error. All 3 companies inform me that they will be removed from the list in future updates.

Now that these 3 companies have all confirmed it is false positive reporting, it is probably safe to assume that any other AV program which alerts is also finding a false positive.

For clarification, these .sep files are modules that are used in Synthedit VST plugins. When you install and scan the .dll file in your host, it automatically extracts the needed modules into a folder with the same name as the .dll. If you delete them, the plugin will automatically re-extract them again into the folder on next scan/run.

Until Kaspersky/Avira/Avast update their software, you can safely ignore the trojan alerts on these modules.

-------------------------------original post----------------------------

Looking for some help to get to the bottom of an issue that is being reported recently.

A number of users of Kaspersky and Avira anti-virus programs are informing me that some CK modules are coming up as containing trojans. I have Eset NOD on one computer and Sophos on another, neither of which give any alert for trojans on CK modules.

So I'm thinking it is a false positive, but I'd like some second opinions.

If you have CK_Warp.sep on your hard drive, could you run the Kaspersky online scan on it and report results here? http://www.kaspersky.co.uk/scanforvirus

I get the following:

CK_Warp.sep - infected by Trojan-PSW.Win32.QQPass.ssg

Also if you have another anti-virus program installed, or know another online scanner, please report the results too.

cheers

Last edited by de la Mancha on Mon May 17, 2010 4:38 am; edited 5 times in total
|||
| ^ | Joined: 04 Oct 2005 Member: #83219 Location: London, UK | ||
|
|||
http://virusscan.jotti.org/en-GB/scanresult/2997c9233f106ba47e891f24b1f5328cf3f44f45
here's jotti's results...just 3 reports. |
|||
| ^ | Joined: 25 Apr 2002 Member: #2606 Location: the bottom of the barrel | ||
|
|||
Anti-virus software causes more problems with computers than viruses ever have. CK's modules are very unlikely virus free, it's likely that there's some sort of pattern in them that some anti-virus software recognizes.
Here's an online scanner that will run a file through 41 anti-virus software packages. If only a couple of them tell you the file is a virus you can be pretty certain it's just another false positive. http://www.virustotal.com/ |
|||
| ^ | Joined: 07 Apr 2003 Member: #6648 Location: Stockholm | ||
|
|||
| ^ | Joined: 25 Apr 2002 Member: #2606 Location: the bottom of the barrel | ||
|
|||
Thanks guys, here's the results from virustotal, only 3 out of 41 show the trojan, I'm calling false positive on those results

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.07 -
AhnLab-V3 2010.05.07.00 2010.05.06 -
AntiVir 8.2.1.236 2010.05.07 TR/PSW.QQpass.ssg
Antiy-AVL 2.0.3.7 2010.05.07 Trojan/Win32.QQPass.gen
Authentium 5.2.0.5 2010.05.07 -
Avast 4.8.1351.0 2010.05.07 -
Avast5 5.0.332.0 2010.05.07 -
AVG 9.0.0.787 2010.05.07 -
BitDefender 7.2 2010.05.07 -
CAT-QuickHeal 10.00 2010.05.07 -
ClamAV 0.96.0.3-git 2010.05.07 -
Comodo 4786 2010.05.07 -
DrWeb 5.0.2.03300 2010.05.07 -
eSafe 7.0.17.0 2010.05.06 -
eTrust-Vet 35.2.7473 2010.05.07 -
F-Prot 4.5.1.85 2010.05.07 -
F-Secure 9.0.15370.0 2010.05.07 -
Fortinet 4.1.133.0 2010.05.07 -
GData 21 2010.05.07 -
Ikarus T3.1.1.84.0 2010.05.07 -
Jiangmin 13.0.900 2010.05.07 -
Kaspersky 7.0.0.125 2010.05.07 Trojan-PSW.Win32.QQPass.ssg
McAfee 5.400.0.1158 2010.05.07 -
McAfee-GW-Edition 2010.1 2010.05.07 -
Microsoft 1.5703 2010.05.07 -
NOD32 5094 2010.05.07 -
Norman 6.04.12 2010.05.07 -
nProtect 2010-05-07.01 2010.05.07 -
Panda 10.0.2.7 2010.05.06 -
PCTools 7.0.3.5 2010.05.07 -
Prevx 3.0 2010.05.07 -
Rising 22.46.04.04 2010.05.07 -
Sophos 4.53.0 2010.05.07 -
Sunbelt 6274 2010.05.07 -
Symantec 20091.2.0.41 2010.05.07 -
TheHacker 6.5.2.0.277 2010.05.07 -
TrendMicro 9.120.0.1004 2010.05.07 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.07 -
VBA32 3.12.12.4 2010.05.06 -
ViRobot 2010.5.7.2306 2010.05.07 -
VirusBuster 5.0.27.0 2010.05.06 -
|||
| ^ | Joined: 04 Oct 2005 Member: #83219 Location: London, UK | ||
|
|||
| ^ | Joined: 04 Oct 2005 Member: #83219 Location: London, UK | ||
|
|||
I think you're probably right about the false positive, but in case it means anything, virustotal.com now shows five out of 41 (the WARP.SEP file I uploaded this time was from my FMMF folder; results below).

The WARP.SEP from my Majken Chimera folder gets 0/41 and didn't/doesn't trigger Avira. Similar story with CK_POLYPHONY_CONTROL.SEP -- 5/51 from the one in the Dirty Harry folder, 0/41 from the one in the Adonis Pro folder (and no alert from Avira on the latter). An older/newer module thing? I don't know anything about it, but figure more information can't hurt. Malwarebytes doesn't find anything in any of them.

File CK_WARP.SEP received on 2010.05.07 10:56:56 (UTC)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.07 -
AhnLab-V3 2010.05.07.00 2010.05.06 -
AntiVir 8.2.1.236 2010.05.07 TR/PSW.QQpass.ssg
Antiy-AVL 2.0.3.7 2010.05.07 Trojan/Win32.QQPass
Authentium 5.2.0.5 2010.05.07 -
Avast 4.8.1351.0 2010.05.07 -
Avast5 5.0.332.0 2010.05.07 -
AVG 9.0.0.787 2010.05.07 -
BitDefender 7.2 2010.05.07 -
CAT-QuickHeal 10.00 2010.05.07 -
ClamAV 0.96.0.3-git 2010.05.07 -
Comodo 4786 2010.05.07 -
DrWeb 5.0.2.03300 2010.05.07 -
eSafe 7.0.17.0 2010.05.06 -
eTrust-Vet 35.2.7473 2010.05.07 -
F-Prot 4.5.1.85 2010.05.07 -
F-Secure 9.0.15370.0 2010.05.07 -
Fortinet 4.1.133.0 2010.05.07 -
GData 21 2010.05.07 -
Ikarus T3.1.1.84.0 2010.05.07 -
Jiangmin 13.0.900 2010.05.07 -
Kaspersky 7.0.0.125 2010.05.07 Trojan-PSW.Win32.QQPass.ssg
McAfee 5.400.0.1158 2010.05.07 -
McAfee-GW-Edition 2010.1 2010.05.07 Artemis!04C7D6EDA57E
Microsoft 1.5703 2010.05.07 -
NOD32 5094 2010.05.07 -
Norman 6.04.12 2010.05.07 -
nProtect 2010-05-07.01 2010.05.07 -
Panda 10.0.2.7 2010.05.06 Suspicious file
PCTools 7.0.3.5 2010.05.07 -
Prevx 3.0 2010.05.07 -
Rising 22.46.04.04 2010.05.07 -
Sophos 4.53.0 2010.05.07 -
Sunbelt 6274 2010.05.07 -
Symantec 20091.2.0.41 2010.05.07 -
TheHacker 6.5.2.0.277 2010.05.07 -
TrendMicro 9.120.0.1004 2010.05.07 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.07 -
VBA32 3.12.12.4 2010.05.06 -
ViRobot 2010.5.7.2306 2010.05.07 -
VirusBuster 5.0.27.0 2010.05.06 -
|||
| ^ | Joined: 20 Jun 2008 Member: #183273 | ||
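
An added example, not part of the thread or any poster's code: Python that parses two pasted multi-engine scan reports (whitespace-separated "engine version date result" rows) and lists which engines changed verdict between them. The rows are a subset copied from the two reports in this thread; the function names are illustrative.

```python
# Added example: compare two multi-engine scan reports pasted as text.
# Rows below are a subset copied from the two reports in this thread.
REPORT_A = """\
AntiVir 8.2.1.236 2010.05.07 TR/PSW.QQpass.ssg
Antiy-AVL 2.0.3.7 2010.05.07 Trojan/Win32.QQPass.gen
Kaspersky 7.0.0.125 2010.05.07 Trojan-PSW.Win32.QQPass.ssg
McAfee-GW-Edition 2010.1 2010.05.07 -
Panda 10.0.2.7 2010.05.06 -
Sophos 4.53.0 2010.05.07 -
"""
REPORT_B = """\
AntiVir 8.2.1.236 2010.05.07 TR/PSW.QQpass.ssg
Antiy-AVL 2.0.3.7 2010.05.07 Trojan/Win32.QQPass
Kaspersky 7.0.0.125 2010.05.07 Trojan-PSW.Win32.QQPass.ssg
McAfee-GW-Edition 2010.1 2010.05.07 Artemis!04C7D6EDA57E
Panda 10.0.2.7 2010.05.06 Suspicious file
Sophos 4.53.0 2010.05.07 -
"""

def parse_report(text):
    """Return {engine: detection or None}; a result of '-' means clean."""
    results = {}
    for line in text.splitlines():
        parts = line.split(None, 3)  # the result column may contain spaces
        if len(parts) != 4:
            continue                 # skip blank or malformed rows
        engine, _version, _updated, result = parts
        result = result.strip()
        results[engine] = None if result == "-" else result
    return results

def detections(report):
    """Only the engines that flagged the file."""
    return {e: r for e, r in report.items() if r}

def diff_reports(a, b):
    """Engines whose verdict differs between report a and report b."""
    return {e: (a.get(e), b.get(e))
            for e in sorted(set(a) | set(b)) if a.get(e) != b.get(e)}

def shared_family(report, token):
    """Engines whose detection label contains token (case-insensitive)."""
    return sorted(e for e, r in detections(report).items()
                  if token.lower() in r.lower())
```

On these rows the QQPass label is shared by three engines in both reports, and the two extra hits in the second report are an `Artemis!` label and a generic "Suspicious file".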
|
|||
| ^ | Joined: 04 Oct 2005 Member: #83219 Location: London, UK | ||
|
|||
| ^ | Joined: 04 Oct 2005 Member: #83219 Location: London, UK | ||
|
|||
My Avira did the same thing with the old Exciter plugin. Said a .sep file had a trojan. |
|||
| ^ | Joined: 20 Nov 2003 Member: #10484 | ||
|
|||
W/Avast, the only virus hit I've had is Xoxos volts to scale. |
|||
| ^ | Joined: 02 Aug 2005 Member: #76855 Location: Katie Couric blasters | ||
|
|||
More confirmation that it is a false positive from Avira:

File ID Filename Size (Byte) Result
25696542 CK_Warp.sep 65.5 KB FALSE POSITIVE

Please find a detailed report concerning each individual sample below:

Filename Result
CK_Warp.sep FALSE POSITIVE

So good news. Thanks to everyone for your input.
|||
| ^ | Joined: 04 Oct 2005 Member: #83219 Location: London, UK | ||
|
|||
| ^ | Joined: 21 Nov 2003 Member: #10518 Location: Mars, Solar System | ||
|
|||
Yesterday I was still getting alerts from Avira for three CK files from my FMMF folder. Submitted FP report, got back confirmation.

Quote:

Filename Result
CK_HOST_BPM.SEP FALSE POSITIVE

The file 'CK_HOST_BPM.SEP' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.

Filename Result
CK_POLYPHONY_CONTROL.SEP FALSE POSITIVE

The file 'CK_POLYPHONY_CONTROL.SEP' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection is removed from our virus definition file (VDF) with the version: 7.10.7.84.

Filename Result
CK_WARP.SEP FALSE POSITIVE

The file 'CK_WARP.SEP' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection is removed from our virus definition file (VDF) with the version: 7.10.7.84.
|||
| ^ | Joined: 20 Jun 2008 Member: #183273 | ||
|
|||
| ^ | Joined: 04 Oct 2005 Member: #83219 Location: London, UK |
| KVR Forum Index » Modular Synthesis | All times are GMT - 8 Hours |
|