Win32:CTX found and put in chest

Can anyone read the following HJT report and tell me if I need to do anything?

the two were found here:

05/11/2006 18:53:19 Chris 3260 Sign of “Win32:CTX” has been found in “C:\WINDOWS\system32\ActiveScan\pskavs.dll” file.

05/11/2006 19:18:34 Chris 3260 Sign of “Win32:CTX” has been found in “C:\System Volume Information_restore{71382ED1-8AF5-4E0D-9A67-D8BFBFAA55F9}\RP161\A0029385.dll” file.

(edit: ps - should I install MS Defender?)

Logfile of HijackThis v1.99.1
Scan saved at 19:44:02, on 05/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\CTFMON.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM..\Run: [TFNF5] TFNF5.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM..\Run: [NDSTray.exe] “C:\Program Files\Toshiba\ConfigFree\NDSTray.exe”
O4 - HKLM..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM..\Run: [Dit] Dit.exe
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM..\Run: [000StTHK] 000StTHK.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

any advice appreciated - doesn’t seem to affect the running of my system
chris

Submit the file to JOTTI http://virusscan.jotti.org/ or
VirusTotal http://www.virustotal.com/en/indexx.html

you have to remove it from the chest to submit

If it shows clean, then it’s a false positive and you don’t have anything to worry about.

If it shows infected by a number of other scanners, then do the following.

move the file to the chest
disable system restore (the second instance you posted is in the system restore)
schedule a boot time scan
reboot

edited to add: you have to remove it from the chest to submit
As for the HJT log, I’ll leave that to others more in the know.

HTH

Hello and Welcome :)

This is a well-known problem of Panda Active Scan not encrypting its definitions file, and thus making avast! detect viruses in the ActiveScan folder - for more info see HERE, so don’t worry ;)

But I don’t think I’ve got Panda Active Scan???

This is the online scanner of Panda - Panda Active Scan. Did you use it in the past?

Why have you posted the HJT log ?

05/11/2006 18:53:19 Chris 3260 Sign of "Win32:CTX" has been found in "C:\WINDOWS\system32\ActiveScan\pskavs.dll" file.

05/11/2006 19:18:34 Chris 3260 Sign of “Win32:CTX” has been found in “C:\System Volume Information_restore{71382ED1-8AF5-4E0D-9A67-D8BFBFAA55F9}\RP161\A0029385.dll” file.

  1. This is caused because Panda doesn’t encrypt its virus signatures and avast will detect them. I suggest you delete the ActiveScan directory; I hate it when Panda puts this junk in the system folders where it is harder to get rid of. A forum search for pskavs.dll would have returned many hits on this detection.

  2. The c:\System Volume Information folder is a part of the system restore function and as such is protected by windows, the only way to clean infected _restore points is to disable system restore and reboot. This will clear ALL _restore points. Once you have disabled system restore, reboot, scan your PC again and if clear enable system restore.
    Win XP-ME - How to disable System Restore

I suggest that you disable system restore before deleting the active scan folder otherwise it will be saved by system restore.

I just had a look at the Panda Active Scan website, and yes, I think I did use that once in the past :-[

Does that mean I don’t have to do anything :) If so, do I leave them in the chest where they are?

(ps should I download MS Defender? - How can I double-check I don’t have it already?)

thanks for help BTW

These are false detections due to Panda active scan: http://forum.avast.com/index.php?topic=12432.msg104932#msg104932

IMSCAN.DLL
PAVDLL.DLL
PAV.SIG
APVXD.VX2
APVXD.VXD

C:\windows\system32\active scan\pskavs.dll
C:\system volume information _restore{ … }*.dll

This is related to false detections due to Panda active scan: http://forum.avast.com/index.php?topic=12432.msg104932#msg104932
Unfortunately, a well-known problem of Panda not encrypting its signatures :P

Every virus can be identified because it contains some unique signatures. Antiviral programs have their own database of those signatures. We call this database the "virus definition file". When an antiviral program scans a file for viruses, it compares all the signatures (of all viruses) in the database with the contents of that file. If a signature matches (the bytes are the same), the file is marked as infected. For an antivirus program, it is important to hide this database of signatures somehow - e.g. by encrypting it. Panda Antivirus does not encrypt its virus database - the signatures inside are clearly "visible" to other antiviral programs, so they detect this file as infected (but there is actually no virus inside - only the signatures are the same).
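To make the mechanism in the post above concrete, here is a toy pattern scanner. This is an added example written for this thread, not code from the thread or from any antivirus vendor: the "signatures", the "definitions file" formats and the sample files are all constructed stand-ins, and the one-byte XOR is only a placeholder for "not stored in the clear". It shows the same scanner hitting a plaintext definitions file (the pskavs.dll situation) and staying quiet on an obfuscated copy of identical content.

```python
"""Toy scanner showing why a plaintext signature database trips another
vendor's scanner. Added example for this thread; the scanner, the
'signatures' and the 'definitions files' are constructed stand-ins,
not real malware patterns or any vendor's format."""

# Constructed signatures: the byte patterns our toy scanner searches for.
SIGNATURES = {
    "Toy.Sample.A": b"\xde\xad\xbe\xef\x13\x37",
    "Toy.Sample.B": b"EVIL_MARKER_0042",
}


def scan_bytes(data: bytes) -> list:
    """Plain pattern matching: report every signature found anywhere in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def build_plain_db() -> bytes:
    """A definitions file that stores the raw patterns on disk,
    which is what the thread says Panda's ActiveScan files did."""
    return b"".join(name.encode() + b"=" + pattern + b"\n"
                    for name, pattern in SIGNATURES.items())


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_obfuscated_db(key: int = 0x5A) -> bytes:
    """The same definitions, XOR-ed before writing. A one-byte XOR is only
    a stand-in for 'not stored in the clear'; it is not encryption."""
    return xor_bytes(build_plain_db(), key)


def load_obfuscated_db(blob: bytes, key: int = 0x5A) -> dict:
    """The owning scanner undoes the XOR in memory, so only it sees the patterns."""
    out = {}
    for line in xor_bytes(blob, key).split(b"\n"):
        if line:
            name, pattern = line.split(b"=", 1)
            out[name.decode()] = pattern
    return out


def demo() -> dict:
    innocent = b"MZ\x90\x00 just an ordinary library "          # constructed clean file
    infected = innocent + SIGNATURES["Toy.Sample.A"] + b" tail"  # constructed real hit
    return {
        "clean_file": scan_bytes(innocent),
        "infected_file": scan_bytes(infected),
        # The plaintext definitions file is flagged although it is not malware.
        "plain_definitions": scan_bytes(build_plain_db()),
        # Identical content, stored obfuscated: no match for another scanner.
        "obfuscated_definitions": scan_bytes(build_obfuscated_db()),
        # The owner can still read its own database.
        "roundtrip_ok": load_obfuscated_db(build_obfuscated_db()) == SIGNATURES,
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The point of the example is the `plain_definitions` line: a byte-pattern scanner has no way to tell a signature that appears inside a definitions file from the same bytes inside a real sample, so the only fix is on the vendor's side (keep the patterns out of the clear), or for the user to remove the offending folder as suggested above.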

DavidR - how will I delete the active scan dir once I’ve disabled the sys restore?

You may need to go to Windows Explorer, Tools, Folder Options and show Hidden Files and Folders (see image), then navigate to the ActiveScan folder and delete it (you may need to delete the contents of the folder first). Allow the deletion to send the deleted folder to the Recycle Bin just in case you make a slip and delete a different folder; if there are no problems with the deletion you can then delete it from the Recycle Bin.

There are other on-line scanners that encrypt their signatures and don’t dump this c**p in the system folders. On-line Virus Scanners and other useful Links Security-Ops.eu.tt

I am also having this problem. I do not recall ever using Panda.
I did a Virustotal scan. I will attach what it found…

Antivirus Version Update Result
AntiVir 7.3.1.41 03.07.2007 Frisk #2
Authentium 4.93.8 03.07.2007 no virus found
Avast 4.7.936.0 03.07.2007 Win32:CTX
AVG 7.5.0.447 03.07.2007 no virus found
BitDefender 7.2 03.08.2007 no virus found
CAT-QuickHeal 9.00 03.07.2007 no virus found
ClamAV devel-20060426 03.08.2007 Sirius.Annihilator.272
DrWeb 4.33 03.07.2007 no virus found
eSafe 7.0.14.0 03.07.2007 no virus found
eTrust-Vet 30.6.3463 03.07.2007 no virus found
Ewido 4.0 03.07.2007 no virus found
FileAdvisor 1 03.08.2007 no virus found
Fortinet 2.85.0.0 03.08.2007 suspicious
F-Prot 4.3.1.45 03.07.2007 no virus found
F-Secure 6.70.13030.0 03.07.2007 no virus found
Ikarus T3.1.1.3 03.07.2007 no virus found
Kaspersky 4.0.2.24 03.08.2007 no virus found
McAfee 4979 03.07.2007 no virus found
Microsoft 1.2204 03.08.2007 no virus found
NOD32v2 2101 03.07.2007 no virus found
Norman 5.80.02 03.07.2007 no virus found
Panda 9.0.0.4 03.07.2007 no virus found
Prevx1 V2 03.08.2007 no virus found
Sophos 4.15.0 03.07.2007 W95/Sledge-A
Sunbelt 2.2.907.0 03.07.2007 no virus found
Symantec 10 03.08.2007 no virus found
TheHacker 6.1.6.072 03.07.2007 no virus found
UNA 1.83 03.07.2007 no virus found

I currently have the file sitting on my desktop. Should I delete it? Is it required for anything else?
Once deleted, what should I do? I have been having problems with my computer telling me I have an error, and do I want to send an error report? Can this “virus” cause these issues?

Many thanks!
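Reading a multi-engine result like the one above (and the earlier advice to see whether "a number of other scanners" flag the file) is easier with a little tooling. The script below is an added example for this thread, not code from the thread or from VirusTotal. Its input is the table posted above, copied verbatim; the family-name normalisation and the "verdict" wording are the example's own rules of thumb, not anything VirusTotal provides, and they say nothing about what the file really is. What it shows for this table: 5 of 28 engines flag the file, one of them only as "suspicious", and the four that name something all name a different family.

```python
"""Read a pasted VirusTotal result table and summarise how far the engines
agree. Added example for this thread, not code from the thread or from
VirusTotal; the input is the table posted above, and the 'verdict' rules
are the example's own rules of thumb, not a VirusTotal feature."""
import re
from collections import Counter

# Copied from the VirusTotal table in the post above.
VT_REPORT = """\
Antivirus Version Update Result
AntiVir 7.3.1.41 03.07.2007 Frisk #2
Authentium 4.93.8 03.07.2007 no virus found
Avast 4.7.936.0 03.07.2007 Win32:CTX
AVG 7.5.0.447 03.07.2007 no virus found
BitDefender 7.2 03.08.2007 no virus found
CAT-QuickHeal 9.00 03.07.2007 no virus found
ClamAV devel-20060426 03.08.2007 Sirius.Annihilator.272
DrWeb 4.33 03.07.2007 no virus found
eSafe 7.0.14.0 03.07.2007 no virus found
eTrust-Vet 30.6.3463 03.07.2007 no virus found
Ewido 4.0 03.07.2007 no virus found
FileAdvisor 1 03.08.2007 no virus found
Fortinet 2.85.0.0 03.08.2007 suspicious
F-Prot 4.3.1.45 03.07.2007 no virus found
F-Secure 6.70.13030.0 03.07.2007 no virus found
Ikarus T3.1.1.3 03.07.2007 no virus found
Kaspersky 4.0.2.24 03.08.2007 no virus found
McAfee 4979 03.07.2007 no virus found
Microsoft 1.2204 03.08.2007 no virus found
NOD32v2 2101 03.07.2007 no virus found
Norman 5.80.02 03.07.2007 no virus found
Panda 9.0.0.4 03.07.2007 no virus found
Prevx1 V2 03.08.2007 no virus found
Sophos 4.15.0 03.07.2007 W95/Sledge-A
Sunbelt 2.2.907.0 03.07.2007 no virus found
Symantec 10 03.08.2007 no virus found
TheHacker 6.1.6.072 03.07.2007 no virus found
UNA 1.83 03.07.2007 no virus found
"""

CLEAN = {"no virus found", "clean", "-"}
# Verdicts that flag a file without naming a family carry less weight.
GENERIC = {"suspicious", "suspicious file", "heuristic"}
# Tokens that describe a platform or class rather than a family.
PLATFORM = {"win32", "w32", "w95", "win95", "trojan", "virus", "generic", "heur"}


def parse_vt_table(text):
    """One dict per engine row; the result is everything after the update date."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Antivirus":
            continue
        engine, version, update, *result = parts
        rows.append({"engine": engine, "version": version,
                     "update": update, "result": " ".join(result)})
    return rows


def family_token(result):
    """Rough family name: first token that is not a platform tag or a number.
    'Win32:CTX' -> 'ctx', 'W95/Sledge-A' -> 'sledge', 'Frisk #2' -> 'frisk'."""
    for tok in re.split(r"[^a-z0-9]+", result.lower()):
        if tok and tok not in PLATFORM and not tok.isdigit():
            return tok
    return result.lower()


def summarize(rows):
    detections = {r["engine"]: r["result"] for r in rows
                  if r["result"].lower() not in CLEAN}
    named = {e: v for e, v in detections.items() if v.lower() not in GENERIC}
    families = Counter(family_token(v) for v in named.values())
    max_agreement = max(families.values(), default=0)
    if not detections:
        verdict = "clean: no engine flagged the file"
    elif max_agreement >= 2:
        verdict = "probable detection: several engines agree on a family"
    else:
        verdict = ("low confidence: few engines flag it and none agree on a "
                   "family; check known false-positive lists before acting")
    return {"engines": len(rows), "detections": len(detections),
            "named": named, "families": dict(families),
            "max_agreement": max_agreement, "verdict": verdict}


if __name__ == "__main__":
    s = summarize(parse_vt_table(VT_REPORT))
    print(f"{s['detections']}/{s['engines']} engines flagged the file")
    for engine, name in s["named"].items():
        print(f"  {engine}: {name}")
    print(s["verdict"])
```

The "low confidence" outcome is exactly the pattern the replies in this thread attribute to unencrypted Panda signatures: each engine is matching a different stored pattern inside the same definitions file, so they each report a different name. The script only highlights that disagreement; the known-false-positive list posted earlier is what actually settles it.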

Is the file name the same (pskavs.dll) or different?

Did you put it on your desktop or did it just show up there? If it was in a different directory what was the original path?

Hi,
I don’t know the original path. Avast caught it during a scan earlier today. I put it in the chest until I researched it further. Then I found this thread which suggested transmitting to VirusTotal, so I took it out of the chest and onto my desktop to send to VirusTotal. I have since put it back into the chest, and ran a boot scan. It seems okay now. Do you think I can get my restore points turned back on now? Or is there something else I need to do?
Thanks!

I forgot to mention that the file was the same.
Thanks again!

The chest should show the original file location, or right click the a-icon and open the Log Viewer. It should be shown in Warnings.

It says it was found in
C:\WINDOWS\system32\ActiceScan\pskavs.dll.
Does that help?
Thanks!

I believe you mean C:\WINDOWS\system32\ActiveScan\pskavs.dll which is where Panda stores their ‘unencrypted’ signature files, this is a detection of these signatures and not a true infection.

At some point you probably used the Panda on-line scanner; that isn’t important, the folder is there. Whilst it might be effective, I recommend you don’t use it again because:

  1. the unencrypted signatures that any other AV can examine.
  2. I hate the way they put this trash in your windows ‘system’ folder.
  3. there are plenty of other scanners that don’t do this. On-line Virus Scanners and other useful Links Security-Ops.eu.tt

I suggest you remove the activescan folder to get rid of this, see my previous post, http://forum.avast.com/index.php?topic=24706.msg202438#msg202438.

By removing the active scan folder, do you just mean to delete it from the chest? If not, how do I do this?
Thanks again!

Just looked up Panda on the internet. I really don’t recall using it. I don’t know why I would.
I did scan clear last week with Avast. I was having problems with programs not starting (i.e. OE and IE), and getting the message asking whether I wanted to send an error report, so I ran a spyware scan followed by my avast. Neither detected anything too significant, but I was still having trouble, so I brought the computer into the computer doctor. Fifty dollars later, it’s still doing the same thing from time to time. Bottom line, perhaps they used Panda when it was there, if Avast didn’t find this file last week?
Thank you!

The ActiveScan folder isn’t in the chest, only the pskavs.dll that you sent there.

Delete the complete C:\WINDOWS\system32\ActiveScan\ folder in windows explorer, but before doing so you need to disable system restore and reboot or windows will save a copy as a restore point and avast will detect it there instead.

Once you have deleted the folder you can enable system restore and reboot.