Avast 4.8 Pro - Infections detected but no way of repairing/deleting?

[gameboyz]

I have never had a problem running a Full Scan on C:\. But when I tried 4.8 Pro Enhanced User Interface and created a task to scan Rootkits (Full scan), Operating memory of the system, QuickStartup, and Selection in run-time (C:\) I got a whole list of infections and errors.



As you can see the 4th one says Unable to scan because I right clicked and Scan for Malware.

P/S: Oh and I think I found a bug. Under the task "Resident protection" I went through all the individual providers and click "High". However when I clicked the Avast icon and clicked "Details... >>", every provider is set to High (that's good) except Script Blocking which says "Custom". But I didn't do any customization. I think this is a bug, right?

[gameboyz]

Here's another screenshot. This should be clearer.

[Lisandro]

Which are the other antivirus or antispyware that you have in your computer?
MSE? ClamAv? Webroot?
Sometimes they let unencrypted signatures into memory.

Although, I'm not sure this is your case.

[gameboyz]

Only SUPERAntiSpyware.

Update: I tried to install Avast Pro on Windows Vista but it got stuck at downloading the setup files. I got the "Connection terminated, retrying..." message. Then I tried running this scan in safe mode; I guessed perhaps the processes were in use. Same errors though. Could it be faulty memory?

[gameboyz]

Ran a full scan on C:\ in Malwarebytes' Anti-Malware.

Code: [Select]

Malwarebytes' Anti-Malware 1.41
Database version: 2794
Windows 6.1.7600

14/9/2009 6:17:25 PM
mbam-log-2009-09-14 (18-17-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 191133
Time elapsed: 11 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Note that it says no infections in memory processes. Yet Avast Pro reports 4 infections. So somebody please help and advise. Thanks!

[Lisandro]

Download the full setup (setupeng.exe) and not only the online-setup from CNET.

[gameboyz]

Download the full setup (setupeng.exe) and not only the online-setup from CNET.

That worked perfectly, however the 4 infections in the memory still exist. Now this is kinda strange: 4 identical infections both in Windows Vista and Windows 7? I take security very seriously, I have a firewall and an anti-virus. 4 infections is shocking enough, but 4 identical ones in both OSes? Now that is weird.

[Lisandro]

You can try also RootRepeal.

[gameboyz]

You can try also RootRepeal.

But it is the memory not the rootkit? So should I still give RootRepeal a go?

Update: This should help. I googled and found this: http://forum.avast.com/index.php?topic=45228.0 So I re-ran the scan, and opened up Task Manager. However instead of process, I went into Services and looked for the PID (960 in this case). It's "WinDefend", description "Windows Defender", group "secsvcs". Below is a detailed report on every process/service listed in Avast's scan result and the details from Task Manager.

Process 496, Result "Unable to scan: File is offline - it is currently not available.", Not found in Task Manager.
Same for Process 532, 552
Process 960, Result "Unable to scan: File is offline - it is currently not available.", Name "WinDefend", Description "Windows Defender", group "secsvcs"
Four more lines of Process 960, with results "Infection: JS:Agent-AU [Expl]", "Infection: Win32:Small-HUF [Trj]", "Infection: Win32:Small-gen2 [Trj]", "Infection: Win32:Zbot-AVH[Trj]"
3 lines of Process 1124, Result "Unable to scan: File is offline - it is currently not available.", Not found in Task Manager.
2 lines of Process 1452, Result "Unable to scan: File is offline - it is currently not available.", Name "avast! Antivirus", Description "avast! Antivirus", Group "N/A"
10 lines of Process 1476, Result "Unable to scan: File is offline - it is currently not available.", Not found in Task Manager.
2 lines of Process 2384, Result "Unable to scan: File is offline - it is currently not available.", Not found in Task Manager.
4 lines of Process 2444, Result "Unable to scan: File is offline - it is currently not available.", Not found in Task Manager.
4 lines of Process 2472, Result "Unable to scan: File is offline - it is currently not available.", Not found in Task Manager.
3 lines of Process 2596, Result "Unable to scan: File is offline - it is currently not available.", Not found in Task Manager.
2 lines of Process 2704, Result "Unable to scan: File is offline - it is currently not available.", Not found in Task Manager.
5 lines of Process 2712, Result "Unable to scan: File is offline - it is currently not available.", Not found in Task Manager.
Process 3188, Result "Unable to scan: File is offline - it is currently not available.", Not found in Task Manager.
Process 3840, Result "Unable to scan: File is offline - it is currently not available.", Name "PNRPsvc", "p2psvc", "p2pimsvc", Description "Peer Name Resolution Protocol", "Peer Networking Grouping", "Peer Networking Identity Manager", Group "LocalServicePeerNet"

[YoKenny]

Vista SP1 has been available since April 15, 2008 and SP2 is now available.

That Registry Data Items Infected is due to a setup of Vista that you changed and can either be ignored or corrected by MBAM.

Try RootRepeal if you want a second opinion.

[gameboyz]

Vista SP1 has been available since April 15, 2008 and SP2 is now available.

That Registry Data Items Infected is due to a setup of Vista that you changed and can either be ignored or corrected by MBAM.

Try RootRepeal if you want a second opinion.

When you say "corrected by MBAM", are you referring to the one MBAM detected or the one Avast detected?

Oh and I updated the post with a LOT of details.

[YoKenny]

The one MBAM detected.

[gameboyz]

So is the offline thing something I should be worried about?

[gameboyz]

So is the offline thing something I should be worried about?

bump

[YoKenny]

Did you try Rootrepeal?

Did you let MBAM fix the detected item?

Did youinstall Vista SP2?