Won't scan K-Lite or Real Alternative

[txsfrbl]

That about says it all. I ran a scan last night as Avast has let a root kit through. A Trojan was found in system volume information and I noticed after all was done along with spybot and ad-aware, Avast would not scan K-Lite or Real Alternative. Why is this?
I suspect there's something hiding in there I want to get rid of.
Thanks

[Tarq57]

1) How do you know that "Avast has let a rootkit through"?
2) System volume information is basically the data for system restore. Anything found in there can be quarantined/deleted, but will probably have the effect of rendering the associated restore point unusable.
3) What actually happens if you select the executable of either of the programs mentioned, right click, and click on "scan with Avast"?
By default, Avast will scan executable files, not all files unless you have altered the settings/commanded a thorough scan.

[txsfrbl]

What happened is that I downloaded an .avi movie in torrent form. After it was completed I scanned it with Avast and it found nothing so I opened it up and it wouldn't open. All of a sudden instead of being a 700mg .avi the file was only 5.3mgs. I then ran Avast boottime scan and it came up negative. I then ran spybot and found a rootkit lurking. So Avast let it through.
The other issue that I brought up is that after a full system scan Avast brings up files and folders that could not be scanned. It always was a crapload of files from spybot and ad-aware that it will never scan but this time it also showed that files in K-Lite and Real Alternative could not be scanned.

[txsfrbl]

Oh yah, I always run a thorough scan and scan archive files on my entire hard drive.

[txsfrbl]

Ok, I just went to program files and rightclick scanned K-Lite and Real Alternative and it seemed to work just fine and found nothing.

[DavidR]

avast doesn't just say the folder/files can't be scanned but it also gives you the reason, password protected archive, etc. However you would need to expand the column width to se all the information in some of the columns.

See http://forum.avast.com/index.php?topic=35347.msg297170#msg297170 this topic for more information on why files can't be scanned.
Files that can't be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.

Thorough is also by its design very thorough (it scans all files) and perhaps a little overkill for routine use, were a Standard scan without archives should be adequate. Archive (zip, rar, etc.) files are by their nature are inert, you need to extract the files and then you have to run them to be a threat. Long before that happens avast's Standard Shield should have scanned them and before an executable is run that is scanned.

I have only ever done a Through Scan with Archives once shortly after installation just to ensure a clean start state, but with XP for example avast will do a boot-time scan after installation if you select it, this I believe will be quicker and reasonably effective. Like everything in life things are a compromise.

[txsfrbl]

Thanks for the input. I should have know Downloader Beware when I picked up the torrent file from someplace other than my beloved Demonoid. I am a little disappointed that Avast didn't catch it. I've been using Avast for 3 or 4 years now and always install it in computers I set up for friends.

[Tarq57]

What happened is that I downloaded an .avi movie in torrent form. After it was completed I scanned it with Avast and it found nothing so I opened it up and it wouldn't open. All of a sudden instead of being a 700mg .avi the file was only 5.3mgs. I then ran Avast boottime scan and it came up negative. I then ran spybot and found a rootkit lurking. So Avast let it through.
The other issue that I brought up is that after a full system scan Avast brings up files and folders that could not be scanned. It always was a crapload of files from spybot and ad-aware that it will never scan but this time it also showed that files in K-Lite and Real Alternative could not be scanned.

Sorry, although I've used p2p I've not used torrents, so I can't comment on what was happening for the file size to mysteriously decrease.
Fairly interested in the name of the rootkit, the detection path etc in Spybot.
Not saying it is, and not saying it isn't, but it may be a false positive.

[txsfrbl]

let me see if I can get in and tell you what it was. When I opened the .avi it froze into a pixelated picture and said I needed to download some special player to view... which I knew what crap. I then just tried to open it in my divx converter and that's when I noticed it was not it's former size. Also after that a popup starting coming around say something like "...\system32\digest.dll is not a valid image"
I really don't believe it was digest.dll but it was a similar name. That popped up when I opened a .pdf file.
Here's what I found in last nights scan.
In Avast: Found and sent to chest
crypts.dll that was found in system32
A0096200.dll that was found in system restore.

In Ad aware: Found and quarantined
WIN32.TROJAN.SPY
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[10]=Regkey : CLSID\{53707962-6F74-2D53-2644-206D7942484F}
obj[11]=Regkey : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
obj[12]=File : c:\progra~1\spybot~1\sdhelper.dll
obj[13]=File : C:\Program Files\Spybot - Search & Destroy\FPYMCNYW.scr
obj[14]=File : C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
obj[15]=File : C:\Program Files\Spybot - Search & Destroy\ZJZPSKJ.scr

[Tarq57]

Appears your AdAware has quarantined  a Spybot file, reported on the Spybot forums to be Spybots' SD helper (the TeaTimer?)
I'd say that one is a FP.
The movie was probably infected, trying to lead you to a fake codec site, as you surmised.
Just a thought: Consider replacing AdAware with Superantispyware, and/or MBAM.
Both scanners are streets ahead.

[txsfrbl]

Thanks for the advice. I don't have tea timer running and I have really grown to like Ad Aware SE Pro. It has a registry watcher similer to the tea timer and I've gotten used to it. I may have to give the others a try. Will they work in Vista 32?  I have a dual boot set up on my desktop (I'm on the laptop now) to get familiar with the operations of Vista and I have the Spybot tea timer running on that to detect registry changes. I'd like to give your suggestions a shot.

[Tarq57]

Yep, they will work in Vista32.
http://www.superantispyware.com/superantispyware.html
http://www.malwarebytes.org/mbam.php
Free versions are demand scanners. Pro (resident) available for a one payment lifetime license.