Yesterday whilst carrying out an Avast virus scan I received a report of an infection as follows :-
C:\_RESTORE\ARCHIVE\FS406.CAB\A0220867.CPY
The recommended action was “move to chest” but this has not happened according to the unable to scan list.
I have since run a Panda Activescan which has not located any type of virus. My OS is Windows ME.
I have tried to check the file with JOTTI but the upload is not accepted when entered as detailed above. A search of my system also fails to find the file.
Does anyone have any suggestions as to what I should do next?
Another good thing is to disable System Restore, boot, and enable it again. If you find a virus keeps coming back after you delete it, it has most probably infected the System Restore folder. The best way to solve this is to disable System Restore, reboot your machine and then enable it again. Enable/Disable System Restore on Windows ME: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q264887
The C:\_Restore folder is a part of the System Restore function and as such is protected by Windows; that is why you can’t do anything with it. The only way to clean infected _restore points is to disable System Restore and reboot. This will clear ALL _restore points.
As Tech mentioned, once you have disabled system restore, reboot, scan your PC again and if clear enable system restore.
Thanks very much for your advice DavidR and Tech. I have followed this and there is now no trace of the reported infection on the latest Avast scan. However, a different virus was reported which is a bit of a puzzle given that it contains “ActiveScan” which was the online virus scanner I used to check out the first one!
C:\WINDOWS\SYSTEM\ActiveScan\pskavs.dll
The above was reported as Win32:CTX and I have successfully moved it to the chest so I presume all is well again. Just seems odd that a virus scanner has introduced a virus to my system.
I have now found references to the problem with Panda ActiveScan elsewhere on this forum. It is a known problem resulting in a False Positive due to Panda’s encryption procedures.
I also don’t like the way Panda’s on-line scan dumps this junk in the system folders, so if you eventually remove it Windows will create a restore point so it can be restored. I would advise removing the ActiveScan folder and its contents; as I said, you will probably have to disable System Restore to ensure it doesn’t get saved.
There are plenty of other on-line scanners that you can use as a back-up scan.
On-line Virus Scanners and other useful Links Security-Ops.eu.tt
You could also use an on-line scanner to confirm: establish a connection to the on-line scanner of your choice and, just before you do the scan, pause Standard Shield (to avoid possible conflict or detection of signatures); enable it after completion.