Rootkit TDSSixgp.dll

Just a question really, since I read that avast! 4.8 “now incorporates anti-rootkit capability” [whatever that might mean]:

Why doesn’t avast! detect TDSSixgp.dll?

Thanks to some help I got from browsing this forum, on the subject of Win32:Trojan-gen {other}, I used MBAM which found C:\WINDOWS\system32\TDSSixgp.dll (Rootkit.Agent).
Then SUPERAntispyware which found 10 registry entries -
Rootkit.TDSServ
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#start
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#type
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#imagepath
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#group
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#INITSTARTFAILED

Actually, that’s another question. I had assumed that the registry entries were associated with TDSSixgp.dll but now I’m not so sure…
Are they?

Oh, and another thing, if I may ask…
I’m very glad that avast! warns of a virus found when visiting a website, but to what degree can I expect to be protected from infection in such a case?

In the most recent case, for example, it appears that avast! did quarantine one instance of Win32:Trojan-gen {other}, at the time, but a boot scan immediately after found two more instances of the same thing as well as a couple more trojans - Win32:Fasec [3 locations] and Win32:Tidserv.
Then, mysteriously, 3-4 weeks later Win32:Trojan-gen {other} was found in one of my installed programs’ .exe files [as well as its associated setup.exe (installation) file].
Maybe a fp, but I’d sooner err on the side of caution and, besides, I haven’t used the program for a long while and probably won’t want to in the future.
Maybe not a fp too… I have another machine connected by LAN, and found Win32:Trojan-gen {other} in similar [same publisher, different program] .exe and setup.exe files.

That machine doesn’t have a good internet connection [don’t ask me why], not good enough to run the updater for MBAM or SUPERAntispyware, so I ran SDfix (How to, and download link)

Oh, and… I ran three other anti-rootkit utilities mentioned somewhere on this forum. I’m fairly confident that both machines are clear of malware for the present, but I would be interested also in hearing any comments regarding safety and efficacy of SDfix, from qualified person[s].

Very happy avast! Home user. ;D 8)

TDSSixgp.dll is associated with Antispyware XP 2009/XP Antivirus 2009.

Download HiJackThis and post a log here.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:32 PM, on 14/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\BOINC\boinctray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGP.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Telstra\BigPond Assist\assist.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Alwil Software\Avast4\ashLogV.exe
C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe
C:\Documents and Settings\All Users\Application Data\BOINC\projects\www.worldcommunitygrid.org\wcg_hcc1_img_6.06_windows_intelx86
C:\Program Files\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM..\Run: [boinctray] “C:\Program Files\BOINC\boinctray.exe”
O4 - HKLM..\Run: [EPSON Stylus Photo RX530 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGP.EXE /P31 “EPSON Stylus Photo RX530 Series” /O6 “USB001” /M “Stylus Photo RX530”
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [ecc] C:\Program Files\Telstra\BigPond Assist\assist.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{69D6AF96-E886-4E9D-AAD7-3131C65F3264}: Domain = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip..{AE378024-5B47-4080-B6B5-F1A30DCB49B6}: NameServer = 10.0.0.138
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe


End of file - 8644 bytes
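The HijackThis log above is the kind of output a helper is asked to read through by hand. As an added example (not part of the thread, not a HijackThis or avast! feature), here is a small Python triage script that parses that log format, pulls the file paths out of the process list and the O-numbered items, and flags any entry referencing a file whose name starts with the TDSS prefix seen in this thread. The sample log is constructed: the benign lines are modelled on the posted log, while the two TDSS lines are hypothetical and only exist so the rule has something to flag.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in HijackThis v2 log format. The benign lines are modelled on
# the log posted in the thread; the two TDSS lines are HYPOTHETICAL, assembled from
# file names that appear elsewhere in the thread (TDSSserv.sys, TDSSmxoe.sys,
# TDSSixgp.dll) purely so the triage rule has something to flag.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:32 PM, on 14/01/2009

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [Windows Defender] "C:\\Program Files\\Windows Defender\\MSASCui.exe" -hide
O4 - HKLM\\..\\Run: [tdss] rundll32.exe C:\\WINDOWS\\system32\\TDSSixgp.dll,Start
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
O23 - Service: TDSSserv.sys (TDSSserv.sys) - Unknown owner - C:\\WINDOWS\\system32\\TDSSmxoe.sys

End of file - 1234 bytes
"""

# A Windows path up to the first executable-type extension; non-greedy so that
# command-line switches following the path are not swallowed into it.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|cab)\b", re.IGNORECASE)
# HijackThis item lines: "R0 - ...", "O4 - ...", "O23 - ...", etc.
ITEM_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")


@dataclass
class Entry:
    section: str                 # "process" or the HJT item code (O2, O4, O23, ...)
    raw: str                     # the log line as written
    paths: List[str] = field(default_factory=list)


def parse_hjt_log(text: str) -> List[Entry]:
    """Split a HijackThis log into entries and extract the file paths each references."""
    entries: List[Entry] = []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_processes = False          # the process block ends at the first blank line
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if in_processes:
            entries.append(Entry("process", line, [line]))
            continue
        m = ITEM_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), line, PATH_RE.findall(m.group(2))))
    return entries


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def flag_tdss(entries: List[Entry]) -> List[Entry]:
    """Entries referencing a file whose name starts with the TDSS prefix seen in the thread."""
    return [e for e in entries
            if any(basename(p).lower().startswith("tdss") for p in e.paths)]


def summarize(entries: List[Entry]) -> Dict[str, int]:
    """Count entries per section, a quick sanity check that the log parsed as expected."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_LOG)
    print("entries per section:", summarize(parsed))
    for e in flag_tdss(parsed):
        print("REVIEW:", e.raw)
```

The name-prefix rule is deliberately narrow: it only catches the naming pattern that every tool in this thread (MBAM, SUPERAntispyware, avast!) reported, and a rootkit that hides its files and keys will not appear in a HijackThis log at all, which is exactly why the thread moves on to dedicated anti-rootkit scanners.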

I need to see the SDFix log.

SDFix: Version 1.240
Run by Colin on Wed 14/01/2009 at 10:41 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 10:47:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden services & system hive …

scanning hidden registry entries …

scanning hidden files …

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
“%windir%\system32\sessmgr.exe”=“%windir%\system32\sessmgr.exe::enabled:@xpsp2res.dll,-22019"
“C:\WINDOWS\network diagnostic\xpnetdiag.exe”="C:\WINDOWS\network diagnostic\xpnetdiag.exe:
:Enabled:Network Diagnostic for Windows XP”
“C:\Program Files\Telstra\BigPond Assist\assist.exe”=“C:\Program Files\Telstra\BigPond Assist\assist.exe::Enabled:BigPond Assist"
“C:\Program Files\Telstra\BigPond Assist\assist_setup.exe”="C:\Program Files\Telstra\BigPond Assist\assist_setup.exe:
:Enabled:assist_setup.exe”

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
“%windir%\system32\sessmgr.exe”=“%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019”

Remaining Files :

Files with Hidden Attributes :

Mon 14 Apr 2008 1,695,232 …SH. — “C:\Program Files\Messenger\msmsgs.exe”
Wed 22 Oct 2008 949,072 …SHR — “C:\Program Files\Spybot - Search & Destroy\advcheck.dll”
Mon 15 Sep 2008 1,562,960 …SHR — “C:\Program Files\Spybot - Search & Destroy\SDHelper.dll”
Tue 16 Sep 2008 1,833,296 …SHR — “C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe”
Wed 22 Oct 2008 962,896 …SHR — “C:\Program Files\Spybot - Search & Destroy\Tools.dll”
Sat 9 Aug 2008 4,348 …SH. — “C:\Documents and Settings\All Users\DRM\DRMv1.bak”
Sat 9 Aug 2008 401 …SH. — “C:\Documents and Settings\All Users\DRM\DRMv12.bak”
Sat 9 Aug 2008 4,348 …H. — “C:\Documents and Settings\Colin\My Documents\My Music\License Backup\drmv1key.bak”
Sat 9 Aug 2008 401 …H. — “C:\Documents and Settings\Colin\My Documents\My Music\License Backup\drmv1lic.bak”
Sat 9 Aug 2008 312 …H. — “C:\Documents and Settings\Colin\My Documents\My Music\License Backup\drmv2key.bak”
Sat 9 Aug 2008 1,536 …H. — “C:\Documents and Settings\Colin\My Documents\My Music\License Backup\drmv2lic.bak”

Finished!

Looks okay.

For further protection, I suggest using a different browser like Firefox, Opera, or Flock and a firewall like PC Tools Firewall or Online Armor.

Thank you, Jtaylor83, for your speedy response. 8)
I shall certainly take your advice seriously.
Dunno why… I’ve never really enjoyed using Firefox tho.

Hmmm… now I notice that…

I’ve hardly even heard of those programs, let alone d’load or install them.
It’s near impossible now to find the site which infected my machine in the first place. It may have offered either one or both of those for d’load - I know it had some, what I would consider as, suspect file sharing software.

I was actually looking for something called RapidShare which is a merely a site where one can upload files for others, given the link, to view and not a problem at all.
I thought I had found it and would’ve been in my history list…
There was something in my browsing history with something like “rapid-share…” tag. Gone now, of course. That was the one which infected my machine - not, apparently, when I first visited but upon re-visiting it.

btw
Did what I should’ve in the first place and googled up some info on SDfix ;D

RapidShare is the latest vehicle used by the antivirus2009 gang:
http://www.malwarebytes.org/forums/index.php?showtopic=9790

I do not like Firefox either, but Opera 10 works great with Web of Trust.

I like McAfee SiteAdvisor with IE7 plus IE7Pro.

@ CCV
If you still have a copy of TDSSixgp.dll tucked away in some quarantine area, etc.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

DavidR

TDSSixgp.dll is in MBAM quarantine. Do you have any suggestion as to what I may be able to do with it from there?
Apart from restore it first, then follow your instructions, and mbam it again, that is.

And, YoKenny

Thanks for the info. I got Opera 9.63.
I’ll look into the other stuff…
I’ve been using IE7 since it came out, so it has quite a number of passwords stored plus a few cookies affecting personal settings which I like to keep. I can easily manage those and trash the rest using CCleaner [still can with Opera, it seems]. Maybe McAfee SiteAdvisor would be the way for me to go…

Just to clarify:
It was http://rapidshare.com I was talking about.

I simply uploaded a few video files to there, then posted the links to a few friends so they could download them - not actually view them through the site.
Would that kind of activity be a likely cause of infection on my machine?
If so, I should warn my friends to check for some such similar, or the same, malware!

I notice now, rapidshare.com has some ‘tools’ and whatnot on offer - I didn’t touch any of those.

No such thing as a free lunch, they say…
Probably, little likelihood of a ‘free’ webhosting service either.

The only problem as I see it with MBAM is that it isn’t quite as flexible as the avast chest, where you can extract (copy) it to a temporary location. Even though it is an infected file, not being in the original location means it is inert as there is no run command, etc. to start it.

However, restore in MBAM, if it is the same as the avast chest, would place it back in the original location and that could be dangerous as I don’t know if MBAM would also restore any associated registry entry, effectively activating it again, and you don’t want to do that.

So I think we will have to wait for another opportunity rather than possibly put you at any risk.

Note: MBAM 1.33 has just been released.

Which raises, again, the question as to whether the Rootkit.TDSServ registry entries found by SUPERAntispyware are, or might be, associated with Rootkit TDSSixgp.dll.

Either way, it’s a risk I would, personally, be willing to take for the sake of any help it may be. It’s only a matter of seconds to zip the file up, then however long it takes scan again with mbam and superantispyware [thereby, answering my own question ;D].

And, how could I be worse off by doing that than I am now?

Thanks for the update on mbam too, btw.

OK, went ahead and restored the file, zipped and emailed as per instructions.

Rescanned with MBAM.
It looked as if it wasn’t going to find it this time :o, till it got right to the end of the scan - doing ‘extra and heuristics scans’.
Bam!.. back in quarantine now. ;D 8)

Scanned registry with SUPERAntispyware and it came up clean this time (I’ll do a full system scan later) so I guess the TDSServ.sys entries in there aren’t related. Just another sneaky little infection.

TDSServ doesn’t appear to be related to malware detected by avast! either:
Infected files in avast! Chest include TDSScrxx.dll, TDSSe938.tmp, TDSSmxoe.sys, TDSSnpur.dll, TDSSoitu.dll and TDSSyaqu.dll. There’s also one called fhexj6825097.exe, originally located \Application Data\Google, which I think is the one detected during download. The others detected during scan afterward.

update:
I found the culprit webpage too [http://rapid-share-file.downloadsoftware4free.com/]

And avast! detected a virus nearly a minute or so after I closed the tab on it.
I am using Opera 10, btw.

Now I gotta go do another scan or three. Would’n’ya know! just when I thought I had things cleaned up. >:( :cry:

OK, three aforementioned scans turned up clean this time.

The malware intercepted by avast! in this most recent case is named, in chest, upd.exe C:\Documents and Settings\Colin\Application Data

Somewhere, I thought, that sort of info was saved in a .txt file but can’t find it now…

Also, when avast! virus found screen displays, there is a more full description of the virus found - e.g., Worm-suchandsuch or Smitfraud-soandso - but, apart from taking a screenshot, there’s no way to save that sort of info.

Maybe it ain’t important anyway…

avast! boot time scan revealed something like:
C:\Docs + Settings\me\Local Settings\App Data\Opera\Opera 10 preview\profile\Cache4\opr007I$temp$[30]\sachook.cab\saplvgin.dll ERROR 42127 {CAB archive is corrupted}

I dunno… maybe it would be handy if that sort of thing was recorded in aswBoot.text

This is nothing to worry that much about… just a packed file that couldn’t be correctly unpacked and scanned. If anything was really wrong, when unpacked avast will detect it.

Thanks for going the extra mile to help improve avast detections.

It is handy that SAS detected the registry entries when MBAM didn’t, as I do believe they are related. So with the registry entries not present, restoring the file with MBAM wasn’t as high a risk as I guessed.

I do think the TDSServ registry entry is related to the TDSS files that avast detected. During a normal on-demand scan avast doesn’t actually scan the registry; if it finds malware then I believe it then looks for entries related to the detected file and would handle those.

The problem being the registry entry wasn’t directly related to a file avast detected, but more likely the file it didn’t find. So this shows the benefits of a multi-application approach to security (no single application providing 100% protection) and these three tools work well together and increase overall protection.

As Tech mentions the inability to scan isn’t a problem (not an indication of infection, why it isn’t in the aswBoot.txt file), just that it can’t be scanned.

Hopefully, we are getting to the end of the journey, dotting the i’s and crossing the t’s we will wait for the results of the other anti-rootkit scans.

My pleasure, really, to go the extra few yards if it will help out.
The least I can do in appreciation for the use of such a great product as avast! for free all this time - years now.

And, I would like to say thank you to all who responded in this thread for your kind assistance.
I do believe that using Opera instead of IE7 saved me from the multiple infections I got last time from that rogue webpage [btw, can anything be done about that page?]

OK, now…
Scans with F-Secure Blacklight, Trend Micro Rootkitbuster and Panda Anti-Rootkit all showed clean.
I don’t know, would it be worth looking for updated versions of those from time to time?
Oh well, the Panda one can check for updates anyway…

There’s also this thing:
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
I don’t know how good it is. It found two registry keys with ‘embedded nulls’, but the time stamp on those predates the last format and reinstall I did, so I’m guessing it’s nothing to worry about.

;D You might’ve noticed from hjt log that I’m a bit of a fan of a multi-application approach.
I don’t believe any single application will be able to give 100% assurance in any case. Of course, I can’t run more than one anti-virus program on my machine, but I do various online scans, occasionally, just to double check.

Still, when it comes to first line of defense, it is my honest opinion that it doesn’t get any better than avast!.

Mmmm, I love the smell of burning malware… any time of day. ;D

You’re welcome.

  1. Since avast is actually alerting on content from that site, on detections, avast will gather some stats (there is a check box in the alert window, see image). These anonymous stats will be uploaded to avast during the next update (auto or manual) so they should get to know about the site I believe.

If this site is one you normally visit try contacting webmaster(at)sitename(dot)com, obviously don’t do this if it isn’t one that you use nor trusted as they would have your email ;D.

  2. Good that the rootkit tools don’t come back with anything as this pretty much means there isn’t anything hiding malware from the other scanners, avast, sas and mbam, etc.

RootkitRevealer was designed by Mark Russinovich, a very smart guy, and his company SysInternals was bought out by MS, to get their hands on some really good analysis/troubleshooting tools. The only real problem with RootkitRevealer, if you could call it a problem, is it is an analysis tool only which needs someone with system knowledge to say what should be done.

A bit like hijackthis on steroids so it isn’t particularly user friendly and that is the only reason I suggest the three I do, as they are more user friendly and would normally only say something is a rootkit if absolutely certain.

  3. The first line of defence is between the chair and the keyboard ;D

That’s me for the night, 1:33am here.

Now you’re just trying to keep me awake at night… :o :wink:

The “…TunneUp…” wassname displayed there looks like probably a hacked version of TuneUp Utilities 2009 which I do actually use - it’s not free btw, but is the only commercial registry cleaner I know of which gives a genuine trial period, where the others tend to look like scams to me.

Well, it’s more than a registry cleaner, but that’s mainly what I use it for - plus, its StartUp Manager is the only thing I know of which gives me enough information about my startup programs, what they individually do, so I can decide if I need them or not.

Part of my multi-application approach to registry cleaning - along with 3 not bad freeware cleaners… ;D

Also, the avast alert I get looks different to that.
It doesn’t seem to stop malware from downloading to my machine but, rather, gives me option to move to chest or whatever…
Maybe there’s some settings in avast I could/should change?

In an effort to conjure up the alert, I revisited that site but nothing happened today… not even a little jerkiness or freezing up of browser which would normally tell me something was wrong.
And, btw, no, I do not trust it at all, nor use it - only happened across it by accident once too often.

Thanks again.
Sweet dreamzzzzzzzzzzz

The image is only there as an example of the allow sending of anonymous stats, the other info is nothing more than a coincidence (notice the VPS version date on the image 28/11/2008), so nothing to worry about on your part.

This was just me testing a site to help someone on the forums, this way a) I could get a copy of the offending file and b) avast would get the stats about the alert including site, etc.

The stopping of malware will differ from browser to browser (on firefox it is dropped immediately) and if you happen to be using a download manager, but avast does attempt to abort the connection, some browsers might ignore that and complete the in progress download, the same could apply to download managers. The important thing is that you are at least made aware.

Re RootkitRevealer:
Out of interest I downloaded the latest version, updated the one I have and ran it, and it too reported the same embedded null values. Now this system is 6 months old and XP Pro SP3 was pre-installed; I have kept it up to date and made no modifications to security policy, the area it is referring to.

So I opened the registry editor and looked at the path of the reported embedded nulls and the keys don’t exist (see image), so I have no idea if this is what RR is considering an embedded null, so here we have what I mean by it isn’t very user friendly as a) it doesn’t offer any advice, b) there are no options like correct, delete, etc. nada, nothing.

So the user is in a quandary and such information is worthless if they don’t know what to do with it. I know what I’m doing about it, nothing.

The alert looking different could be because the abort connection didn’t happen (some possibilities there, or the browser continued regardless) and you get the Standard Shield alerting as the file is saved to the HDD (browser cache); this would give multiple options as it is on your system, image2.