Possible false positives and unsure of how to read log

I have received alerts when updating SuperAntiSpyware and downloading Panda scan. Other warnings are shown on the log but I’m not certain of what they mean. Please help.

Here is the log:

3/15/2008 5:50:42 AM Deb 1524 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\BroadJump\Client Foundation\CFD.exe (C:\Program Files\BroadJump\Client Foundation\CFD.exe) returning error, 00000005.
3/15/2008 5:52:10 AM Deb 1524 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\Support.com\bin\tgcmd.exe (C:\Program Files\Support.com\bin\tgcmd.exe) returning error, 00000005.
3/15/2008 6:44:45 AM Deb 1568 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\BroadJump\Client Foundation\CFD.exe (C:\Program Files\BroadJump\Client Foundation\CFD.exe) returning error, 00000005.
3/15/2008 6:47:57 AM Deb 1568 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\Support.com\bin\tgcmd.exe (C:\Program Files\Support.com\bin\tgcmd.exe) returning error, 00000005.
3/15/2008 8:03:17 AM Deb 1512 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\BroadJump\Client Foundation\CFD.exe (C:\Program Files\BroadJump\Client Foundation\CFD.exe) returning error, 00000005.
3/15/2008 8:06:44 AM Deb 1512 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\Support.com\bin\tgcmd.exe (C:\Program Files\Support.com\bin\tgcmd.exe) returning error, 00000005.
3/15/2008 9:13:28 AM Deb 1564 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\Support.com\bin\tgcmd.exe (C:\Program Files\Support.com\bin\tgcmd.exe) returning error, 00000005.
3/15/2008 9:43:58 AM Deb 1608 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\BroadJump\Client Foundation\CFD.exe (C:\Program Files\BroadJump\Client Foundation\CFD.exe) returning error, 00000005.
3/15/2008 9:48:19 AM Deb 1608 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\Support.com\bin\tgcmd.exe (C:\Program Files\Support.com\bin\tgcmd.exe) returning error, 00000005.
3/16/2008 1:52:24 PM Deb 1628 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\Support.com\bin\tgcmd.exe (C:\Program Files\Support.com\bin\tgcmd.exe) returning error, 00000005.
3/16/2008 1:57:06 PM Deb 1628 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE (C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE) returning error, 00000005.
3/16/2008 3:18:35 PM Deb 1632 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\BroadJump\Client Foundation\CFD.exe (C:\Program Files\BroadJump\Client Foundation\CFD.exe) returning error, 00000005.
3/16/2008 3:22:49 PM Deb 1632 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\Support.com\bin\tgcmd.exe (C:\Program Files\Support.com\bin\tgcmd.exe) returning error, 00000005.
3/16/2008 3:31:24 PM Deb 1628 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\BroadJump\Client Foundation\CFD.exe (C:\Program Files\BroadJump\Client Foundation\CFD.exe) returning error, 00000005.
3/16/2008 3:35:24 PM Deb 1628 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\Support.com\bin\tgcmd.exe (C:\Program Files\Support.com\bin\tgcmd.exe) returning error, 00000005.
3/16/2008 8:34:08 PM SYSTEM 1628 Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011.
3/16/2008 8:34:10 PM SYSTEM 1628 An error has occured while attempting to update. Please check the logs.
3/26/2008 9:32:29 PM SYSTEM 1480 Sign of “Win32:TrojanSim [Tool]” has been found in “http://us2.download.comodo.com/securitytests/TrojanSimulator.zip\TrojanSimulator.exe” file.
4/11/2008 5:48:13 AM Deb 1640 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\Program Files\BroadJump\Client Foundation\CFD.exe” file.
4/12/2008 4:34:22 AM Deb 1640 Sign of “Win32:Trat-D [Drp]” has been found in “C:\Documents and Settings\Deb\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.BIN” file.
4/12/2008 4:36:19 AM Deb 1640 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE” file.
4/12/2008 10:30:30 AM SYSTEM 1660 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak (C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak) returning error, 00000005.
4/12/2008 10:30:30 AM SYSTEM 1660 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst (C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst) returning error, 00000005.
4/14/2008 12:44:20 PM SYSTEM 1536 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\SYSTEM VOLUME INFORMATION_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP46\A0012148.EXE” file.
4/14/2008 1:12:04 PM SYSTEM 1536 Sign of “Win32:CTX” has been found in “http://acs.pandasoftware.com/activescan/cabs/as2guiie.cab\pskavs.dll” file.
4/14/2008 1:17:07 PM SYSTEM 1536 Sign of “Win32:CTX” has been found in “C:\Program Files\Panda Security\ActiveScan 2.0\SET95C.tmp” file.
4/15/2008 12:18:41 AM SYSTEM 1536 Sign of “Win32:Trat-D [Drp]” has been found in “C:\Documents and Settings\Deb\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\PROCESSLIST.BIN” file.
4/15/2008 10:32:41 AM SYSTEM 1536 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak (C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak) returning error, 00000005.
4/15/2008 10:33:01 AM SYSTEM 1536 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst (C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst) returning error, 00000005.
4/16/2008 10:34:17 AM SYSTEM 1580 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak (C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak) returning error, 00000005.
4/16/2008 10:34:31 AM SYSTEM 1580 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst (C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst) returning error, 00000005.
4/17/2008 10:35:51 AM SYSTEM 1628 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak (C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak) returning error, 00000005.
4/17/2008 10:36:08 AM SYSTEM 1628 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst (C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst) returning error, 00000005.

Can you send the samples to virus@avast.com ?
You can zip and password the files… Include a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.

These are false detections due to Panda active scan: http://forum.avast.com/index.php?topic=12432.msg104932#msg104932
Read: http://www.avast.com/eng/virus_detection_and.html#idt_1554

IMSCAN.DLL
PAVDLL.DLL
PAV.SIG
APVXD.VX2
APVXD.VXD

C:\windows\system32\active scan\pskavs.dll
C:\system volume information _restore{ … }*.dll

I think this is related to false detections due to Panda active scan: http://forum.avast.com/index.php?topic=12432.msg104932#msg104932
Unfortunately, a well-known problem of Panda not encrypting its signatures :stuck_out_tongue:

Every virus can be identified, because it contains some unique signatures. Antiviral programs have their own database of those signatures. We call this database the "virus definition file". When an antiviral program scans a file for viruses, it compares all the signatures (of all viruses) in the database with the signatures in that file. If the signatures match (they are the same), the file is marked as infected. For an antivirus program, it is important to hide this database of signatures somehow - e.g. by encrypting it. Panda Antivirus does not encrypt its virus database - the signatures inside are clearly "visible" to other antiviral programs, so they detect this file as infected (but there is actually no virus inside - only the signatures are the same).

Panda removal tool: http://www.pandasoftware.com/resources/sop/UNINST_v1012.exe
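The mechanism described in the post above, as an added example that is not part of the original thread or any vendor's code: a toy signature scanner flags a definitions file stored in the clear, but not the same file encoded at rest. The signature names, byte patterns, file layout and XOR key are constructed for illustration, and repeating-key XOR only stands in for real encryption.

```python
# Constructed demo: a plaintext signature database "looks infected" to any
# other signature-based scanner; the same database encoded at rest does not.

# Harmless, constructed byte patterns standing in for virus signatures.
SIGNATURES = {
    "Demo.Alpha": b"\x13\x37DEMO-ALPHA-PATTERN\x00\x01",
    "Demo.Beta": b"\xca\xfeDEMO-BETA-PATTERN\xff\x02",
}
KEY = b"\x5a\xa5\x3c"  # constructed obfuscation key (assumption, demo only)


def scan(data: bytes, signatures=SIGNATURES) -> list[str]:
    """Return the names of all signatures whose bytes occur in data."""
    return sorted(n for n, pattern in signatures.items() if pattern in data)


def build_definition_file(signatures=SIGNATURES) -> bytes:
    """Serialize the database as length-prefixed records, unencrypted."""
    out = bytearray(b"DEFS")
    for name, pattern in signatures.items():
        encoded_name = name.encode()
        out += len(encoded_name).to_bytes(2, "big") + encoded_name
        out += len(pattern).to_bytes(2, "big") + pattern
    return bytes(out)


def xor_encode(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR; applying it twice restores the original bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def compare_storage_formats() -> dict:
    """Scan the plaintext and the encoded definitions file with the same engine."""
    plain = build_definition_file()
    stored = xor_encode(plain)
    return {
        "plaintext_defs": scan(plain),      # every signature matches
        "encoded_defs": scan(stored),       # nothing matches on disk
        "decoded_in_memory": scan(xor_encode(stored)),  # owner can still load it
        "ordinary_file": scan(b"ordinary document text"),
    }


if __name__ == "__main__":
    for label, hits in compare_storage_formats().items():
        print(f"{label}: {hits or 'clean'}")
```

The plaintext file is reported for every signature it carries even though it contains no executable code, which is the situation the thread describes for pskavs.dll and its System Restore copies.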

Tech, for me the pskavs.dll of Panda Active Scan Online Scanner is the ONLY Panda file that ever gives me a Positive from AVAST!. Even when I place pskavs.dll in the AVAST! Exclusion Lists AVAST! STILL sounds the Alarm about this file. Why, after all these years is this one miserable file still causing problems? I just don’t get it. ???

I really like to use Panda’s Online Scan as a backup check of my files, along with ESET NOD32, TrendMicro Housecall and several other Online Scanners. It is just a little frustrating that this same problem over this same file continues to exist for years. Is the pskavs.dll REALLY a Trojan? I have been told for years that it is a False Positive. I believe that it is a false positive. But if it isn’t a Real Trojan, why is it the ONLY file of PandaScan that triggers AVAST!

Please pardon my confusion on this subject. :-[

Because this one miserable file contains unencrypted virus signatures, which is downright lazy on the part of Panda and that is where the true villain is.

As you have found with the other on-line scanners, they don’t dump unencrypted signature files in your system folders, just another thing I think is crazy as when you remove them system restore saves them as a restore point and avast will detect them in the system volume information folders. Any downloaded files should be in temporary folders or folders specific to panda in the program files folder (so this system restore doesn’t do this), but most certainly not in the system folders.

avast is a signature based AV, you can choose to exclude it and I don’t think you have excluded it in the standard shield so it isn’t truly a false positive detection as it has found a signature that matches a virus. You can’t expect avast to cater for the failings of others and exclude a file name as a) that file name can be faked, b) the location could be in more than one location depending on the OS.

Sorry but my choice is not to use Panda as there are many good on-line scanners out there that don’t dump unencrypted signature files in your system folders.

What did you write down there?
Did you use wildcards?

I’ll ask the same for why doesn’t Panda encrypt its signatures?
Besides, there are quite better on-line scanners than Panda :wink:

I guess part of my confusion is that most other Anti-Virus Scanners do not seem to flag the pskavs.dll as a virus. I agree though, it is confusing as well why Panda does not fix this problem either. Do I detect a clash of the Wills between these two giants? :slight_smile:

Here is my exclusion “C:\Program Files\Panda Security\ActiveScan 2.0\pskavs.dll”

I use other online scanners as well. I do prefer those that will clean as well as detect like Panda, ESET NOD32, BitDefender. If there are others you think are very good please advise. I am a little paranoid about virus on my main computer that I use for online purchases etc.

I use Kaspersky and F-Secure, but F-Secure always finds the same 9 instances of Dialer.gen14 in my temp folder, and no other antivirus flags these as dangerous. So I lost some faith in F-Secure…

And as always, please know that I am very grateful for AVAST! Free Home no matter what else occurs. (Here is where I would use the “Clapping Hands” icon if it were available)

Your exclusion seems fine, however as I said where did you put it, if it isn’t in the standard shield exclusions then it will be picked up/detected when it is used.

The Program Settings, Exclusions is only for the on-demand scanners, e.g. ashQuick.exe and the Simple User Interface scans.

Thanks David. I re-applied the Main Interface (settings) exclusion using the “Browse” and then “Check Box” options and the file seems to be ignored now. Thanks again for all of the help from all of the people here at AVAST! Forums…

Aaaarrrrgghhhh. I spoke too soon! The darn thing just Triggered yet another Standard Shield Alert!!!

To heck with it. I will just delete the darn thing and kiss Panda goodbye!

Do as I said before, twice, exclude it in the standard shield, the on-access scan.

Standard Shield, Customize, Advanced, Add and paste the above path into it.

Maybe you have to add the short path, something like C:\Program~1\Panda~1\Active~1\pskavs.dll

The problem is not having the exclusion in the standard shield, which is what is detecting it.

David, I have included the file in the Standard Shield Exclusion for the last 3 days. So - pskavs.dll is Excluded in Main Program + Excluded in Standard Shield and makes zero difference. AVAST! still picks it up for some reason. I just went ahead and deleted Panda. What are some other favored online Scanners? Thanks. ;D

Full computer on-line scanning:
Kaspersky (very good detection rates)
ESET NOD32
Trendmicro housecall
F-Secure
BitDefender (free removal of the malware)

Thank you Tech. These are all in my rotation already. I was hoping I had missed a few somehow.