Today I discovered the following virus alert on a Windows 7 workstation under windows\system32\config\regback\system: Win32:Agent-XIE[trj]. Avast suggested a boot-time scan, which I ran; it flagged the same file, but it was unable to do anything to the file, simply telling me the file is locked. I googled win32:agent-xie, finding very little information, but the info I did find suggested it’s a rootkit. I have had some success finding and removing rootkits using a Malwarebytes full scan in safe mode; I did this, and it found nothing. Beginning to get concerned, I tried a brute-force method: boot into safe mode, back up the file, and delete it. Not surprisingly, the file was locked in safe mode as well. I know I could probably get at the file if I boot into safe mode with command prompt and use the attrib command, but I’m still somewhat hesitant to attempt this; I guess one workstation not being able to back up its registry isn’t the end of the world, but it certainly isn’t ideal. I considered running the F-Secure boot disk, but I was somewhat concerned that, if it worked, it might damage Windows. I also ran RKill, but it found nothing. The computer is not behaving strangely in any way.
The file in question is used in a Windows scheduled task which runs every 10 days at midnight. I also schedule virus scans at midnight, and I have seen active Windows tasks get flagged by Avast before (Windows Update, in particular, can throw up some false positives if it runs during a scheduled scan); however, these past false positives did not recur. This alert occurs every time Avast scans; also, this workstation has been running daily midnight scans for far longer than ten days without any past alerts.
Has anyone encountered this in the past? Any suggestions on how to remove it, or to confirm a false positive, would be hugely appreciated. I am hesitant to jump to the “reinstall Windows” conclusion, as we don’t exactly have any spare computers around which could serve as a temporary replacement for this system, which is needed daily. In the meantime, my plan is to disable the scheduled task associated with this file, which is scheduled to run tonight at midnight, just in case the task activates any malicious aspects of this potential infection.
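Added example, not part of the original post: an evidence-gathering script a responder could run from an elevated PowerShell prompt on the workstation before deciding whether the flagged RegBack hive is a false positive. It records the file's metadata and ACL, checks that the file starts with the `regf` signature every registry hive file carries, computes a SHA-256 that can be compared against a second-opinion scanner or reputation lookup, and lists the scheduled tasks that start at midnight so the task the post mentions can be identified and reviewed. It assumes the path named in the post, a Windows 7 box running the stock PowerShell 2.0 (hence .NET calls instead of `Get-FileHash`), and an English locale for the `schtasks` column names; the task name is not given in the post, so nothing here depends on it.

```powershell
# Added example (editor's code, not from the post). Assumes: Windows 7 / PowerShell 2.0,
# elevated prompt, English locale (schtasks CSV column names are localized).
$hive = Join-Path $env:SystemRoot 'System32\config\RegBack\SYSTEM'

# 1. Metadata and ACL of the flagged file. A backup hive should be owned by
#    SYSTEM/TrustedInstaller-style principals and carry the same timestamps
#    as the other files in RegBack; anything odd here is worth noting.
Get-Item $hive | Select-Object FullName, Length, CreationTime, LastWriteTime
$acl = Get-Acl $hive
"Owner: $($acl.Owner)"
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Open read-only with FileShare ReadWrite so a lock held by another process
# does not block us; if it still cannot be opened, report that instead of crashing.
function Open-SharedRead {
    param([string]$Path)
    return [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
}

# 2. Every registry hive file begins with the 4-byte ASCII signature "regf".
#    A file in RegBack that does not start with it is not a hive at all.
function Get-HiveSignature {
    param([string]$Path)
    $fs = Open-SharedRead $Path
    try {
        $buf = New-Object byte[] 4
        [void]$fs.Read($buf, 0, 4)
        return [System.Text.Encoding]::ASCII.GetString($buf)
    } finally { $fs.Close() }
}

# 3. SHA-256 via .NET (Get-FileHash does not exist on PowerShell 2.0).
function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs = Open-SharedRead $Path
    try {
        $hash = $sha.ComputeHash($fs)
        return ([System.BitConverter]::ToString($hash)).Replace('-', '').ToLower()
    } finally { $fs.Close() }
}

try {
    $sig = Get-HiveSignature $hive
    if ($sig -eq 'regf') { "Signature: regf (valid hive header)" }
    else { "Signature: '$sig' (NOT a registry hive header)" }
    "SHA-256: $(Get-Sha256Hex $hive)"
} catch {
    "Could not read $hive : $($_.Exception.Message)"
}

# 4. Scheduled tasks that start at midnight, so the task in the post can be found.
#    schtasks /v emits a header row per task on Windows 7; drop those repeats.
schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Start Time' -match '^(00|12):00:00' } |
    Select-Object TaskName, 'Schedule Type', 'Start Time', 'Next Run Time', 'Task To Run', 'Run As User' |
    Format-Table -AutoSize
```

The signature check only tells you the file is a real hive, not that it is clean; the hash is what to compare against another engine before touching the file, and the task listing shows what actually runs at midnight so the right task can be disabled while the alert is investigated.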