ROOTKIT? : aswfsblk \ aswmon2 \ aswsp \ aswtdi

For some reason after upgrade I get 63 rootkits on a system:

HKey_local_machine\system\controleset001\services\aswfsblk \ $%&‘()+,-, … (long string)
HKey_local_machine\system\controleset001\services\aswmon2 \ $%&'()+,-, … (long string)
HKey_local_machine\system\controleset001\services\swsp \ $%&’()+,-, … (long string)
HKey_local_machine\system\controleset001\services\aswtdi \ $%&'()+,-, … (long string)

and so on

Is this correct?

These all look like Avast component names. What was the upgrade & what reported the 63 rootkits?

There is no Avast on the system, but Comodo IS 2011.
The upgrade was standard Comodo, I think that the 20mb went to 40mb file check.
All the rootkits are the same long string mentioned above with 50 or 60 strange characters.

Do you mean the upgrade was a CIS virus definition update?

If you’ve never had Avast on your system previously, then this does look a bit suspicious to me. I’ll need to get one of the AV guys to have a look at this & see what he thinks.

PS Can you post an example of one of the CIS alerts for these (I think they usually have a reference number associated with the detection name).

No, the AV before CIS was Avast, can I assume this is not a problem then? It came with a big CIS update, not a def update.

Ah… a version upgrade to 5.3 then. Then yes, that’s possible. CIS 5.3 added better rootkit scanning.

However, I’m not sure if (a) Avast leaves registry keys behind or (b) if they are meant to have long strings (the $%&'()*+ bits you’ve described) on them. But, I know a man who does. I’ll try to get him here.

edit: Message sent. It might take a little while due to time-zones, etc.

Try running the Avast removal tool and see if these registry keys go away. You can find a list of removal tools here: ESET Knowledgebase.

Controleset001 keys aren’t the current keys (registry). They’re there for “Last known good configuration” boot. avast does not remove them for these reasons.
Anyway, swsp does not seem to belong to avast.
Once uninstalled, imho, Comodo shouldn’t be detecting that keys are rootkits.

  1. Download the latest version of avast! Uninstall Utility and save it.
  2. Uninstall avast from Control Panel (if possible, or if you did not run before). If, for any reason, you can’t run it, try booting in Safe Mode and doing it from there. Anyway, boot after that.
  3. Run the avast! Uninstall Utility saved in step 1. If, for any reason, you can’t run it, try booting in Safe Mode and doing it from there. Anyway, boot after you’ve run it.

Hope it helps.
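A defender-side check for the situation described in this thread, added here as an example (it is not from the thread, nor from avast or Comodo): it reads HKLM\SYSTEM\Select to find which control set is actually in use, then reports for each flagged service name whether the key exists in ControlSet001 and in the current set, and whether the driver file its ImagePath points to is still on disk. The function names are my own; the service names are the four from the thread.

```powershell
# Added example, not part of the original thread. Run in an elevated PowerShell.
function Resolve-ImagePath([string]$raw) {
    # Driver ImagePath values come in several shapes; normalise them to a file path.
    if (-not $raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
    $p = $p -replace '^\\\?\?\\', ''                      # \??\C:\...        -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot     # \SystemRoot\...   -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

function Get-FlaggedServiceStatus {
    param([string[]]$Names)
    # HKLM\SYSTEM\Select says which ControlSet00N the machine booted from;
    # ControlSet001 is only "current" if Select\Current happens to be 1.
    $select  = Get-ItemProperty 'HKLM:\SYSTEM\Select'
    $current = 'ControlSet{0:D3}' -f $select.Current
    foreach ($svc in $Names) {
        foreach ($set in @('ControlSet001', $current) | Select-Object -Unique) {
            $key   = "HKLM:\SYSTEM\$set\Services\$svc"
            $props = if (Test-Path $key) { Get-ItemProperty $key } else { $null }
            $file  = if ($props) { Resolve-ImagePath $props.ImagePath } else { $null }
            # A key that exists only in a non-current set and points at a missing
            # file is an uninstall leftover, not a loaded driver.
            [pscustomobject]@{
                Service    = $svc
                ControlSet = $set
                IsCurrent  = ($set -eq $current)
                KeyExists  = [bool]$props
                Start      = $props.Start
                ImagePath  = $props.ImagePath
                FileExists = if ($file) { Test-Path -LiteralPath $file } else { $false }
            }
        }
    }
}

# The four service names reported in the thread (constructed input for this example).
Get-FlaggedServiceStatus -Names 'aswfsblk', 'aswmon2', 'aswsp', 'aswtdi' | Format-Table -AutoSize
```

If a row shows KeyExists true only for a non-current control set with FileExists false, the scanner is flagging a stale entry; a key in the current set whose file does exist deserves a closer look before anything is deleted.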