I’ve recently tried two free rootkit detection programs–Avira RootKit Detection and Spybot S&D’s RootAlyzer–and both find “hidden” (what I assume are) Avast-related entries under various keys: “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet(,ControlSet001,ControlSet002,ControlSet003)\Services\Aavmker4(,avast! Antivirus,aswTdi,aswMon2,etc.)”. In total, there are hundreds of similar registry entries, and all the values start with the characters “$%&”.
This didn’t bother me too much, but then I saw this http://www.bruceb.com/news/2008_05_01_archive.html#6541581289747589698 warning of registry damage caused by installation of Windows XP Service Pack 3 in machines with Norton AV and possibly other software. One of the characteristics of the corrupted entries, which are in “HKEY_LOCAL_MACHINE/SYSTEM/CURRENTCONTROLSET/ENUM” (close by!), is that they are very numerous and they all start with “$%&” (same!).
So, these are my questions: Are what I am seeing legitimate registry entries? Am I correct in assuming that they are not rootkits? If they are not legitimate Avast entries or rootkits, are they spurious entries added by the SP3 upgrade? I haven’t seen any problems following the installation of SP3, so I’m probably just being paranoid. Does anyone else see this in the registry?
Your source about XP SP3 problems is similar to what Scott Dunn wrote in “XP SP3 triggers false positives in security apps”, available at http://WindowsSecrets.com/comp/080522 . In the last paragraph it mentions Susan Bradley’s advice and what should have been done to “prepare” for installation of SP3.
I just scanned my registry and I find 7,407 of the darned things - every one of them associated with avast.
I do have one Norton product on my system but it is not a security product (like AV or Firewall) and I have no entries of this type associated with Norton registry entries.
Now I suppose we need the answers to:
Are they legitimate? Most probably not.
Are they a one-time occurrence with the SP3 install
-or-
are they still being created?
The question of who is at fault may be a bit academic but if the SP3 update created all these keys I have to wonder if it might be provoked by (for want of a better term) the self protection features of both Norton and avast. More than 4,200 of these keys are logged as denied access by the avast self protection feature during my SP3 install.
For what it’s worth, when I installed SP3, I’m pretty sure that I had Avast disabled, per M$'s somewhat cryptic recommendations. We need a guinea pig–does this part of the registry change when SP3 is installed?
It is possible I have been hasty in my comments. I now see that another XP system that I updated to SP3 back in February also has > 6,600 of the same avast entries in the registry. While I am kicking myself for not keeping an update log for that machine I do believe that I was running the early beta of avast 4.8 at that time on that machine (to troubleshoot dial up versus permanently connected issues in the beta).
I think I can take that machine back to a January 2008 image with avast 4.7.
There are a number of options from there:
SP3 with avast 4.7 active or de-activated
SP3 with avast 4.8 active or de-activated
May take a bit of time. Unless the avast team have some guidance to short-circuit my amateur testing.
For anyone reading this thread before you proceed any further I beg you to have a backup solution that you know and trust.
I have just run a scan using a freeware program (that I do not recommend to anyone unless you comply with my entreaty above) called RegSeeker. I asked it to look for all registry keys containing the string
$%&
All the keys found referred (as I reported above) to avast.
RegSeeker found again the same number of entries (7,407) that I referred to earlier. I asked RegSeeker to delete all these registry entries and, when complete, I restarted the system.
I just asked RegSeeker to perform a scan for any registry entries containing the string:
$%&
it found none.
As you see from the fact that I am reporting this - my system is working. Should I find any ill effects or re-creation of these keys I will report back in this thread.
I have only just installed SP3 on a XP-Home (previously SP2) computer. As far as Avast! was concerned, just prior to the install I turned off Avast’s self defense module & stopped the On access protection. I also turned off Spybot’s browser helper and teatimer, and un-immunised. The SP3 update was done offline from a CD that I had previously burnt with the 300+MB full download of SP3 on it.
I have used RegSeeker from memory virtually since it first came out, and having read your post thought a check from another PC might be of interest. I did a RegSeeker v1.55 Find in Registry search for $%&. It found only 5 entries, all relating to NVIDIA (my video card), and all in HKEY_CURRENT_USER.
My Spybot is 1.5.2.20 with all current updates, and at the time of this test my Avast! was 4.8.1201 with 080525 VPS.
I understand that the full download installs from a higher level of permission than the 60MB on line update.
Edit: I should perhaps have added that I did not disable my ZA firewall during the update, though of course I had to update a few of its program settings after. I also turned off Spybot’s Host file and Home page locks prior to the install.
Edit: And I agree with you, RegSeeker is not a tool for the inexperienced or those who don’t have a solid backup system. I make weekly Acronis partition images, and made one immediately before the SP3 update.
My avast is very similar to yours (version and VPS update)
you may well have saved me the effort I mentioned earlier.
When I last installed SP3 on this system it was after (let’s just say a full and frank discussion) another attempt during the last beta release of the present avast production version. I did not (and do not now) believe that avast in that presentation would have been acceptable to the user community.
When I installed SP3 I left the full avast 4.8 installation active. I have difficulty believing that Spybot, which I have used for years along with avast, has anything to do with this.
Right now I have to suspect that either turning off avast’s self defense or on access protection (or both, though I suspect the former) during the SP3 update was key to preventing this mass of worthless registry entries that should be removed.
I hope that the avast team will step up to their clear duty in this issue and advise us of their findings. Otherwise it will be left to the users to determine the basic problem - though not for the first time.
By the way, let me add that following the mass deletion of junk entries I have used a freeware offering (Regcompact.net) to compact the registry hives. With this (and I must again refer to my entreaty above) my system is still able to report this change.
Today is a holiday here in the US (as it is also in other places) and I have guests coming over.
After they leave I will try to find some time to try some further testing with avast and the SP3 update (unfortunately it is a rather large update and the system rollbacks are rather lengthy).
Watching this with interest as I still have XP Pro SP2, having not yet asked a friend with broadband to download and burn it to CD. So I haven’t got round to installing it, so my system is clean of $%& entries, with the exception of 2 relating to Nvidia also.
The keys are created during the XP SP3 install with all avast v4.8 builds before the latest one (1201). The latest version does not have this problem, and neither does v4.7.
The keys are completely useless and can be deleted without any side-effects.
However, deleting them is not a trivial task - mainly because regedit doesn’t allow you to delete multiple keys at once (AFAIK). Plus, in order to delete them, you need to disable the avast self-defense module - otherwise, avast will consider the keys as its own and will not allow you to delete them.
(I’m talking about the strange named subkeys under the avast services keys only [i.e. those which names start with $%]. DON’T delete the whole avast service keys, of course).
I guess so.
Alternatively, you could try deleting the top level avast service keys (altogether) and then using the Repair feature of avast (Control Panel → Add/Remove Programs → avast! antivirus → Change/Remove → Repair). Of course, at your own risk ;D
I suppose, seeing that these “… keys are completely useless and can be deleted without any side-effects”, they can be quite happily left alone with no ill effects also. I understand the principles of having a garbage-free and defragged registry, but maybe not a big deal to just leave things be???
Just checked my SP3, but then realised that, since doing the update, I’d re-installed with a slipstreamed version (via nLite) of XP Pro SP2 + SP3.
There are no $%& entries at all, but I installed Avast afterwards of course.
For clearing multiple entries from the Reg. I use Registrar Registry Manager (Lite - free) as it allows this and will also remove Legacy keys (eventually - have to select some a couple of times).
OK, I tried the following:
-Disable self-protection and Standard Shield
-Export “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\aswTdi”
-delete “HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\aswTdi”
-Repair Avast
Key was NOT recreated; I imported saved version to put things back as they were.
I then tried the same thing with key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswTdi”: the key WAS recreated, but without the spurious entries.
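The two points raised above, that regedit cannot delete thousands of subkeys at once and that the service keys themselves must be left alone, and the manual export-then-delete-then-check test in the last post, can be turned into one script. The following PowerShell is an added example and is not code posted in this thread or shipped by avast. The service names (Aavmker4, “avast! Antivirus”, aswTdi, aswMon2) and the “$%&” prefix are taken from the earlier posts and are assumptions about your registry; edit the parameters to match what your own scan shows. It walks every ControlSet00x under HKLM\SYSTEM (CurrentControlSet is only a link to one of them, so the numbered sets cover everything without double counting), lists the oddly named subkeys under the avast service keys, and, only with -Delete, exports each affected service key to a .reg file before removing just those subkeys. It does not touch anything outside the named service keys, so the NVIDIA entries under HKEY_CURRENT_USER mentioned above are ignored.

```powershell
<#
Added example, not code from this thread or from avast.
Lists, backs up and (with -Delete) removes the "$%&"-prefixed subkeys
under the avast service keys in every control set. Service names and the
prefix are assumptions taken from the thread; adjust to your registry.
Needs an elevated prompt, the avast self-defense module turned off, and a
backup you trust; none of that can be done from inside this script.
#>
param(
    [switch]$Delete,
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'Desktop\avast-regbackup'),
    [string[]]$Services = @('Aavmker4', 'avast! Antivirus', 'aswTdi', 'aswMon2'),
    [string]$Prefix = '$%&'   # single quotes: "$" is literal here
)

function Get-JunkSubkeys {
    param([string[]]$Services, [string]$Prefix)
    $result = @()
    # CurrentControlSet is a link to one of ControlSet00x, so walking the
    # numbered sets covers it without visiting the same key twice.
    $sets = Get-ChildItem -LiteralPath 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -like 'ControlSet*' }
    foreach ($cs in $sets) {
        foreach ($svc in $Services) {
            $svcPath = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\$svc"
            if (-not (Test-Path -LiteralPath $svcPath)) { continue }
            # Only the strangely named subkeys; the service key itself stays.
            Get-ChildItem -LiteralPath $svcPath |
                Where-Object { $_.PSChildName.StartsWith($Prefix) } |
                ForEach-Object { $result += $_ }
        }
    }
    return $result
}

$junk = Get-JunkSubkeys -Services $Services -Prefix $Prefix
Write-Host ("Found {0} subkeys starting with '{1}'" -f $junk.Count, $Prefix)
$junk | Group-Object { Split-Path $_.Name -Parent } |
    ForEach-Object { Write-Host ("  {0,6}  {1}" -f $_.Count, $_.Name) }

if (-not $Delete) {
    Write-Host 'Dry run only. Re-run with -Delete to remove them.'
    return
}

# Export each affected service key once (its subkeys come along) before
# deleting anything, so the state can be restored with a .reg import.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$parents = $junk | ForEach-Object { Split-Path $_.Name -Parent } | Sort-Object -Unique
foreach ($parent in $parents) {
    # $parent looks like HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aswTdi
    $file = Join-Path $BackupDir (($parent -replace '[\\:*?"<>| !]', '_') + '.reg')
    if (Test-Path -LiteralPath $file) { Remove-Item -LiteralPath $file }
    & reg.exe export $parent $file | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed for $parent; nothing deleted" }
}

foreach ($key in $junk) {
    # Access denied here means avast self-defense is still enabled.
    Remove-Item -LiteralPath $key.PSPath -Recurse -Force
}

$left = (Get-JunkSubkeys -Services $Services -Prefix $Prefix).Count
Write-Host ("Done. {0} matching subkeys remain." -f $left)
```

Run it once without -Delete to see the counts per service key and control set, compare them with what RegSeeker or RootAlyzer reported, and only then run it again with -Delete. If anything misbehaves afterwards, double-clicking the exported .reg files puts the service keys back exactly as they were, junk included.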
That’s right. The keys are completely useless but they don’t hurt either. That’s why I think it’s not such an issue - even though thousands of avast users probably have them there, they’ll never really find out (and care about them) anyway.
Yep, that’s normal. CurrentControlSet is what matters. The other control sets are not in use (they are the “Last Known Good” configuration(s)).
Please note that one of the ControlSet00x’s is actually the CurrentControlSet (CurrentControlSet is just a link).