Author Topic: RootKits, Registry Entries & XP SP3  (Read 15696 times)


Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: RootKits, Registry Entries & XP SP3
« Reply #15 on: May 26, 2008, 04:22:13 PM »
I guess so.
Alternatively, you could try deleting the top level avast service keys (altogether) and then using the Repair feature of avast (Control Panel -> Add/Remove Programs -> avast! antivirus -> Change/Remove -> Repair). Of course, at your own risk ;D

If at first you don't succeed, then skydiving's not for you.

Offline Abraxas

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 730
  • Perseverance Furthers...
    • PCLinuxOS-Forums
Re: RootKits, Registry Entries & XP SP3
« Reply #16 on: May 26, 2008, 04:31:27 PM »
I suppose, seeing that these "... keys are completely useless and can be deleted without any side-effects.", they can be quite happily left alone with no ill effects also. I understand the principles of having a garbage-free and defragged Registry, but maybe it's not a big deal to just leave things be ???

Offline Giraffe

  • Sr. Member
  • ****
  • Posts: 241
  • I'm not a Lama!
Re: RootKits, Registry Entries & XP SP3
« Reply #17 on: May 26, 2008, 04:48:33 PM »
Just checked my SP3, but then realised that, since doing the update, I'd re-installed with a slipstreamed version (via nLite) of XP Pro SP2 + SP3.
There are no $%& entries at all, but I installed Avast afterwards, of course.

For clearing multiple entries from the Reg. I use Registrar Registry Manager (Lite - free) as it allows this and will also remove Legacy keys (eventually - have to select some a couple of times).
W7 Pro SP1 32 bit
Intel Core i5 5675C; 4GB DDR3 1600 RAM
Avast!: 2328; Comodo Firewall

sevendy

  • Guest
Re: RootKits, Registry Entries & XP SP3
« Reply #18 on: May 26, 2008, 06:04:37 PM »
I guess so.
Alternatively, you could try deleting the top level avast service keys (altogether) and then using the Repair feature of avast (Control Panel -> Add/Remove Programs -> avast! antivirus -> Change/Remove -> Repair). Of course, at your own risk ;D



OK, I tried the following:
 -Disable self-protection and Standard Shield
 -Export "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\aswTdi"
 -delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\aswTdi"
 -Repair Avast
Key was NOT recreated; I imported saved version to put things back as they were.

I then tried the same thing with key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswTdi": the key WAS recreated, but without the spurious entries.

Now what??

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: RootKits, Registry Entries & XP SP3
« Reply #19 on: May 26, 2008, 06:38:26 PM »
I suppose, seeing that these "... keys are completely useless and can be deleted without any side-effects.", they can be quite happily left alone with no ill effects also. I understand the principles of having a garbage-free and defragged Registry, but maybe it's not a big deal to just leave things be ???

That's right. The keys are completely useless but they don't hurt either. That's why I think it's not such an issue - even though thousands of avast users probably have them there, they'll never really find out (and care about them) anyway.


I guess so.
Alternatively, you could try deleting the top level avast service keys (altogether) and then using the Repair feature of avast (Control Panel -> Add/Remove Programs -> avast! antivirus -> Change/Remove -> Repair). Of course, at your own risk ;D

OK, I tried the following:
 -Disable self-protection and Standard Shield
 -Export "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\aswTdi"
 -delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\aswTdi"
 -Repair Avast
Key was NOT recreated; I imported saved version to put things back as they were.

I then tried the same thing with key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswTdi": the key WAS recreated, but without the spurious entries.

Now what??

Yep, that's normal. CurrentControlSet is what matters. The other control sets are not in use (they are the "Last Known Good" configuration(s)).
Please note that one of the ControlSet00x's is actually the CurrentControlSet (CurrentControlSet is just a link).

Cheers
Vlk
If at first you don't succeed, then skydiving's not for you.
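An added example (not from anyone in this thread) that does the two things discussed above from an admin PowerShell prompt: it resolves which ControlSet00x is the one CurrentControlSet links to, as Vlk describes, by reading HKLM\SYSTEM\Select, then compares the aswTdi service key across every control set and exports each copy with reg.exe before any manual cleanup, mirroring sevendy's export step. The service name is taken from the thread; the backup folder and PowerShell 3 or later are assumptions.

```powershell
# Added example, not code from the thread. Assumes: run as Administrator,
# PowerShell 3+, service name aswTdi (from the thread), constructed backup path.
param(
    [string]$Service   = 'aswTdi',
    [string]$BackupDir = "$env:USERPROFILE\RegBackup"
)

# HKLM\SYSTEM\Select records which numbered set is live (Current), which
# loads at next boot (Default) and which is "Last Known Good".
$sel     = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
$current = 'ControlSet{0:D3}' -f $sel.Current
$lkg     = 'ControlSet{0:D3}' -f $sel.LastKnownGood
Write-Host "CurrentControlSet -> $current  (LastKnownGood -> $lkg)"

# Enumerate every ControlSet00x present and list the service key's values.
$sets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }

$report = foreach ($set in $sets) {
    $key = "HKLM:\SYSTEM\$($set.PSChildName)\Services\$Service"
    if (-not (Test-Path $key)) { continue }
    $names = (Get-ItemProperty -Path $key).PSObject.Properties.Name |
             Where-Object { $_ -notlike 'PS*' }   # drop provider metadata
    [pscustomobject]@{
        ControlSet = $set.PSChildName
        Live       = ($set.PSChildName -eq $current)
        ValueNames = @($names)
    }
}
$report | Select-Object ControlSet, Live,
    @{ n = 'Values'; e = { $_.ValueNames -join ', ' } } | Format-Table -AutoSize

# Values present in a stale set but missing from the live set are the
# leftovers the thread calls "spurious"; report them, delete nothing.
$live = @(($report | Where-Object { $_.Live }).ValueNames)
foreach ($r in ($report | Where-Object { -not $_.Live })) {
    $extra = $r.ValueNames | Where-Object { $live -notcontains $_ }
    if ($extra) {
        Write-Host "$($r.ControlSet): values not in ${current}: $($extra -join ', ')"
    }
}

# Export each copy of the key first, so a manual deletion can be undone
# by importing the .reg file, exactly as sevendy did.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($r in $report) {
    $out = Join-Path $BackupDir "$($r.ControlSet)-$Service.reg"
    reg.exe export "HKLM\SYSTEM\$($r.ControlSet)\Services\$Service" $out /y | Out-Null
    Write-Host "exported $($r.ControlSet) -> $out"
}
```

Only the copy under the live set matters to the running system; an extra value in a non-live ControlSet00x is inert until that set is booted as Last Known Good, which is why editing the live key and running Repair is what changed anything in the thread.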

sevendy

  • Guest
Re: RootKits, Registry Entries & XP SP3
« Reply #20 on: May 26, 2008, 07:50:28 PM »
OK, I went through the procedure of removing the keys from /CurrentControlSet/ and repairing the installation.  Somehow in the process, I damaged the Web scanner (I know I turned it off by mistake sometime while trying to make this work).  I ended up with spurious entries only in /ControlSet003/, but the web scanner icon was colored but "grayed out" on the control panel, and the tray icon, when hovered, did not indicate it as working.  Repairing did not help. I rebooted, and got the red-circle-of-death and an RPC error; I repaired again, rebooted, and now everything seems to be working and "$%&"-free.

Oh--and no more "rootkits"!

Thanks...I think.
« Last Edit: May 26, 2008, 09:14:41 PM by sevendy »

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: RootKits, Registry Entries & XP SP3
« Reply #21 on: May 26, 2008, 09:43:32 PM »
Yeah, I forgot to say that a reboot or two may be required to complete the "disinfection".

Cheers
Vlk
If at first you don't succeed, then skydiving's not for you.

Sesame

  • Guest
Re: RootKits, Registry Entries & XP SP3
« Reply #22 on: May 27, 2008, 04:11:39 PM »
The keys are completely useless but they don't hurt either. That's why I think it's not such an issue - even though thousands of avast users probably have them there, they'll never really find out (and care about them) anyway.
Thinking of it, I think the person who uses the computer will never notice it.  ;)  On top of that,  I have my hands full with other things to do at the moment.  :P  So, I only checked the event viewer of the computer in question to find it happy enough...no nags, I mean, no warning logs.  Since nobody including the computer is unhappy, I'll leave the registry entries alone.  In any case, again, thank you for the info.