Author Topic: Eliminate *PROCESS Threats?  (Read 6752 times)


reddleman

  • Guest
Eliminate *PROCESS Threats?
« on: August 06, 2010, 06:54:26 AM »
Yesterday I ran an Avast scan of my Memory and found three *PROCESS threats. Unlike most threats found by Avast, there is no option as far as I can see to deal with them (Repair, Delete, Move to Chest). Is it possible within Avast to repair these processes? If not, where can I go from here? Thanks.

If it helps, I'm running Windows XP, SP3 and the latest version of Avast. There are two infected processes. The first, mcshield.exe, had two threats identified. I can delete McAfee if necessary, but I wondered if this might not be a false positive, since McAfee is also a virus scanner? The two threats detected are HTML:Iframe-inf and Win32:Agent-IZJ(Trj).

The second process is firefox.exe. The detected threat is Win32:DNSChanger-VJ(Trj). Does anyone know how I can clean this infection from firefox.exe?

Thank you very much!

Jtaylor83

  • Guest
Re: Eliminate *PROCESS Threats?
« Reply #1 on: August 06, 2010, 07:58:09 AM »
Please follow essexboy's instructions. Attach MBAM and OTL logs in your next post.

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
Re: Eliminate *PROCESS Threats?
« Reply #2 on: August 06, 2010, 08:29:41 AM »
You should not run two resident antivirus programs at the same time because they will conflict and create false threats. I suggest you uninstall one of them, like McAfee, and keep Avast. Have you tried Malwarebytes Anti-Malware?

http://filehippo.com/download_malwarebytes_anti_malware/

Another suggestion is that you try a boot scan, since Avast did detect files as malware, but it could also be false since you have been running Avast with McAfee.

Good luck, and I hope this will do for you; otherwise write back so we can see what we can do further.

I'm thinking that file is a false positive, to answer your first question, and that is because of my first sentence.
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Eliminate *PROCESS Threats?
« Reply #3 on: August 06, 2010, 09:21:12 AM »
Running two AV on the same computer can create all kinds of mysterious Windows errors and false detections. So you cannot trust the detection before you have uninstalled one AV. You should also run a removal tool for that AV so all leftovers are gone; you can find one here: http://uninstallers.blogspot.com/
A recommended program to use with avast would be Malwarebytes www.malwarebytes.org

Clash Of The Antivirus Apps:
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp

Why you should never run more than one AV ( see reply from quietman7):
http://www.bleepingcomputer.com/forums/index.php?s=49db784baecf17e7b189c833aafb624d&showtopic=260844&view=findpost&p=1441638

reddleman

  • Guest
Re: Eliminate *PROCESS Threats?
« Reply #4 on: August 07, 2010, 12:26:10 AM »
Thanks for the replies. I used McAfee a long time ago, before getting Avast, which I find is better in pretty much every way. I only kept McAfee because I figured it couldn't hurt. Now that I know better, I'll get rid of it right away. Thanks.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Eliminate *PROCESS Threats?
« Reply #5 on: August 07, 2010, 01:18:36 AM »
You might also want to run its removal tool to ensure all remnants are gone.

- You didn't say which McAfee version, so here are the various tools:
- McAfee has an uninstall tool that you could run to ensure any possible remnants are removed.
http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe

Or http://majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html
 
2007 version - http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
 
Also see - How do I uninstall SecurityCenter? http://ts.mcafeehelp.com/faq3.asp?docid=71525
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Mountaingal

  • Guest
Re: Eliminate *PROCESS Threats?
« Reply #6 on: September 16, 2010, 07:53:13 AM »
Please follow essexboy's instructions. Attach MBAM and OTL logs in your next post.

Sorry for butting into this string instead of starting a new topic, but I seem to have a similar problem as described in the original post, meaning Avast is detecting threats in PROCESSES, and there seems to be no option to delete, repair, send to chest, or otherwise remove the infection.

I am running Avast 5.0.677, virus definitions version 100915-1 on Windows XP, Service Pack 3.
Lavasoft Ad-Aware is usually running in the background, and I manually scan with MBAM and SuperAntiSpyware once or twice a week.

The first sign of a problem occurred on Sept. 14th, when clicking links on Google search results would re-direct the browser to other websites (ad sites, gaming sites, etc).

Scanning with MBAM and SuperAntiSpyware didn't show any results then (all clean), but Avast reported a Win32:DNSChanger-VJ[Trj] in Process "svchost.exe" with no options other than the "move to chest" on the "apply to all" window, but the "Apply" button seemed disabled.

I rebooted, hoping to re-scan and perhaps fix the issue, but received a BSOD (0x0000007B) on both normal, last known good configuration, and safe mode boot attempts. Booting from an Ultimate Boot CD for Windows, showed that the C: drive letter had been changed to D:, and my secondary (storage only) hard drive was now marked as drive C:
Removing the secondary hard drive restored the correct drive letter C: to the system disc, and fixed the BSOD issue at least long enough to update all virus definition databases.

I started to re-scan, but then got hit with the "Anti-Virus 2010" pop-up, so I immediately terminated my Internet connection and set to remove all traces of the "Anti-Virus 2010".
A full MBAM scan (log available if necessary) found, quarantined and removed "C:\WINDOWS\system32\us?rinit.exe (Rogue.Antivirus2010)", and there was no problem with rebooting.

Then I ran a full scan with Avast, and this time I received two (2) reports of the
"Win32:DNSChanger-VJ[Trj]"
The first one in Process 1088 [svchost.exe], and a second one in Process 1576 [explorer.exe]
BOTH reported in memory block 0x00000000001A0000, block size 81920, Severity: High
and again no way to delete, repair, move, etc.

I followed the instructions of essexboy (link in quote at the top), and I've attached the MBAM Quick Scan log (which is showing the SAME "C:\WINDOWS\system32\us?rinit.exe (Rogue.Antivirus2010)" infection that was previously supposed to have been deleted under the full scan).
I also ran OTL, 3 times as a matter of fact, but it only produced an OTL.txt file (attached), and never an Extras.txt file.

To make a long story short, I really could use some help please on how to remove this "Win32:DNSChanger-VJ[Trj]" from those processes. (don't think they're false positives, because of the original browser-redirect problem).

Any kind of help or advice would be deeply appreciated.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Eliminate *PROCESS Threats?
« Reply #7 on: September 16, 2010, 02:22:40 PM »
Sorry, you should start your own new topic in cases like this where it is complex (always best to have your own topic): a) I believe it is slightly different, b) you don't want to hijack a topic (even though this is old) and c) it would just confuse this one.


Mountaingal

  • Guest
Re: Eliminate *PROCESS Threats?
« Reply #8 on: September 16, 2010, 10:25:45 PM »
Okay, I've started a new topic here http://forum.avast.com/index.php?topic=63997.new#new with new MBAM and OTL logs (from today) attached to it
(still can't get OTL to produce an "Extras.Txt" file however).