Can anyone read the following HJT report and tell me if I need to do anything?
the two were found here:
05/11/2006 18:53:19 Chris 3260 Sign of “Win32:CTX” has been found in “C:\WINDOWS\system32\ActiveScan\pskavs.dll” file.
05/11/2006 19:18:34 Chris 3260 Sign of “Win32:CTX” has been found in “C:\System Volume Information_restore{71382ED1-8AF5-4E0D-9A67-D8BFBFAA55F9}\RP161\A0029385.dll” file.
(edit: ps - should I install MS Defender?)
Logfile of HijackThis v1.99.1
Scan saved at 19:44:02, on 05/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
This is a well-known problem of Panda Active Scan not encrypting its definitions file, and thus making avast! detect viruses in the ActiveScan folder - for more info see HERE, so don’t worry
05/11/2006 18:53:19 Chris 3260 Sign of "Win32:CTX" has been found in "C:\WINDOWS\system32\ActiveScan\pskavs.dll" file.
05/11/2006 19:18:34 Chris 3260 Sign of “Win32:CTX” has been found in “C:\System Volume Information_restore{71382ED1-8AF5-4E0D-9A67-D8BFBFAA55F9}\RP161\A0029385.dll” file.
This is caused because Panda doesn’t encrypt its virus signatures and avast will detect them. I suggest you delete the active scan directory; I hate it when Panda puts this junk in the system folders where it is harder to get rid of. A forums search for pskavs.dll would have returned many hits on this detection.
The c:\System Volume Information folder is a part of the system restore function and as such is protected by Windows; the only way to clean infected _restore points is to disable system restore and reboot. This will clear ALL _restore points. Once you have disabled system restore, reboot, scan your PC again and, if clear, enable system restore.
Win XP-ME - How to disable System Restore
I suggest that you disable system restore before deleting the active scan folder otherwise it will be saved by system restore.
Every virus can be identified, because it contains some unique signatures. Antiviral programs have their own database of those signatures. We call this database the "virus definition file". When an antiviral program scans a file for viruses, it compares all the signatures (of all viruses) in the database with the signatures in that file. If the signatures match (they are the same), the file is marked as infected. For an antivirus program, it is important to hide this database of signatures somehow - e.g. by encrypting it. Panda Antivirus does not encrypt its virus database - the signatures inside are clearly "visible" to other antiviral programs, so they detect this file as infected (but there is actually no virus inside - only the signatures are the same).
You may need to go to Windows Explorer, Tools, Folder Options and show Hidden Files and Folders (see image), then navigate to the ActiveScan folder and delete it (you may need to delete the contents of the folder first). Allow the deletion to send the deleted folder to the Recycle Bin just in case you make a slip and delete a different folder; if there are no problems with the deletion you can then delete it from the Recycle Bin.
There are other on-line scanners that encrypt their signatures, don’t dump this c**p in the system folders. On-line Virus Scanners and other useful Links Security-Ops.eu.tt
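The false positive explained in the post above, as an added example that is not part of the original thread: a naive substring scanner flags another product's definitions file when the signatures are stored in the clear, and stops flagging it once the file is obfuscated. The signature names, byte patterns, file layout and XOR key are constructed for illustration and do not come from avast or Panda.

```python
from itertools import cycle

# Constructed signatures: names and byte patterns are made up for this demo.
SHARED_SIGNATURES = {
    "Demo:Alpha": bytes.fromhex("de7ec7ab1e5161a7"),
    "Demo:Beta": bytes.fromhex("0ddba11c0ffee123"),
}


def scan(data: bytes, signatures: dict) -> list:
    """Naive scanner: report every signature found as a raw byte substring."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def build_definitions(signatures: dict) -> bytes:
    """Serialize a definitions file as name, NUL, pattern, newline records."""
    return b"".join(
        name.encode() + b"\x00" + pattern + b"\n"
        for name, pattern in signatures.items()
    )


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, a stand-in for real encryption of the database."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def demo() -> dict:
    key = b"constructed-demo-key"
    plain_defs = build_definitions(SHARED_SIGNATURES)  # stored in the clear
    hidden_defs = xor_obfuscate(plain_defs, key)       # stored obfuscated
    return {
        "plain definitions file": scan(plain_defs, SHARED_SIGNATURES),
        "obfuscated definitions file": scan(hidden_defs, SHARED_SIGNATURES),
        "unrelated file": scan(b"ordinary document contents", SHARED_SIGNATURES),
        "round trip ok": xor_obfuscate(hidden_defs, key) == plain_defs,
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The plain definitions file is reported with both detections even though it contains no executable malicious code, which is why a hit inside a scanner's own data folder should be checked against the file's role before it is treated as an infection.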
I am also having this problem. I do not recall ever using Panda.
I did a Virustotal scan. I will attach what it found…
Antivirus Version Update Result
AntiVir 7.3.1.41 03.07.2007 Frisk #2
Authentium 4.93.8 03.07.2007 no virus found
Avast 4.7.936.0 03.07.2007 Win32:CTX
AVG 7.5.0.447 03.07.2007 no virus found
BitDefender 7.2 03.08.2007 no virus found
CAT-QuickHeal 9.00 03.07.2007 no virus found
ClamAV devel-20060426 03.08.2007 Sirius.Annihilator.272
DrWeb 4.33 03.07.2007 no virus found
eSafe 7.0.14.0 03.07.2007 no virus found
eTrust-Vet 30.6.3463 03.07.2007 no virus found
Ewido 4.0 03.07.2007 no virus found
FileAdvisor 1 03.08.2007 no virus found
Fortinet 2.85.0.0 03.08.2007 suspicious
F-Prot 4.3.1.45 03.07.2007 no virus found
F-Secure 6.70.13030.0 03.07.2007 no virus found
Ikarus T3.1.1.3 03.07.2007 no virus found
Kaspersky 4.0.2.24 03.08.2007 no virus found
McAfee 4979 03.07.2007 no virus found
Microsoft 1.2204 03.08.2007 no virus found
NOD32v2 2101 03.07.2007 no virus found
Norman 5.80.02 03.07.2007 no virus found
Panda 9.0.0.4 03.07.2007 no virus found
Prevx1 V2 03.08.2007 no virus found
Sophos 4.15.0 03.07.2007 W95/Sledge-A
Sunbelt 2.2.907.0 03.07.2007 no virus found
Symantec 10 03.08.2007 no virus found
TheHacker 6.1.6.072 03.07.2007 no virus found
UNA 1.83 03.07.2007 no virus found
I currently have the file sitting on my desktop. Should I delete it? Is it required for anything else?
Once deleted, what should I do? I have been having problems with my computer telling me I have an error, and do I want to send an error report? Can this “virus” cause these issues?
Hi,
I don’t know the original path. Avast caught it during a scan earlier today. I put it in the chest until I researched it further. Then I found this thread which suggested transmitting to virustotal, so I took it out of the chest and onto my desktop to send to virustotal. I have since put it back into the chest, and ran a boot scan. It seems okay now. Do you think I can get my restore points turned back on now? Or is there something else I need to do?
Thanks!
I believe you mean C:\WINDOWS\system32\ActiveScan\pskavs.dll which is where Panda stores their ‘unencrypted’ signature files, this is a detection of these signatures and not a true infection.
At some point you probably used the Panda on-line scanner, that isn’t important, the folder is there, whilst it might be effective I recommend you don’t use it again because of the unencrypted signatures that any other AV can examine.
I hate the way they put this trash in your windows ‘system’ folder.
There are plenty of other scanners that don’t do this. On-line Virus Scanners and other useful Links Security-Ops.eu.tt
Just looked up Panda on the internet. I really don’t recall using it. I don’t know why I would.
I did scan clear last week with Avast. I was having problems with programs not starting (ie OE and IE), and getting the message asking whether I wanted to send an error report, so I ran a spyware scan followed by my avast. Neither detected anything too significant, but I was still having trouble, so I brought the computer into the computer doctor. Fifty dollars later, it’s still doing the same thing from time to time. Bottom line, perhaps they used Panda when it was there, if Avast didn’t find this file last week?
Thank you!
The activescan folder isn’t in the chest, only the pskavs.dll that you sent there.
Delete the complete C:\WINDOWS\system32\ActiveScan\ folder in Windows Explorer, but before doing so you need to disable system restore and reboot or Windows will save a copy as a restore point and avast will detect it there instead.
Once you have deleted the folder you can enable system restore and reboot.