Another rootkit?

Comodo reports:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE Rootkit.HiddenValue@0
There are no hidden keys at all according to Sophos Anti-Rootkit and NtRegEdit.
What to do, if anything?

Hello,

I have the same problem with this rootkit and others:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\websearch.com*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\websearch.com\www*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\websearch.com\www
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE

I can't see these entries in the Windows registry or in the Restricted Sites zone of Internet Explorer, so these would definitely be false positive alerts, wouldn't they?

Can you give me your opinion?

Regards.

Hi,

Thank you for your submission.
We’ll check these.

Best regards
Mengze.lin

Hi nicocom,

Have you tried cleaning the above flagged items with CIS, and what were the results? Does another scan performed after cleaning reveal them again as malicious?

Thanks,
Ionel

I have the same problem with the following detections:

Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\agava.ru\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\andromedical.com\www\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\andromedical.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bit-world.eu\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bit-world.eu\www
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bit-world.eu\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\casalemedia.com\b\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\casalemedia.com\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\casalemedia.com\www
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\casalemedia.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\econocorp.com\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\econocorp.com\www
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\econocorp.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\enigmasoftware.com\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\enigmasoftware.com\www
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\enigmasoftware.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\iframe.biz\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mp3musicdirect.com\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mp3musicdirect.com\www
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mp3musicdirect.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\myfasterpc.com\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\myfasterpc.com\www
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\myfasterpc.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\okulta.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchalot.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\uzupa.com\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\uzupa.com\www
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\uzupa.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\websearch.com\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\websearch.com\www
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\websearch.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xp-vista.com\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xp-vista.com\www
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xp-vista.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxx.com\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxx.com\www
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxx.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\agava.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\agava.ru\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\andromedical.com\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\andromedical.com\www
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\andromedical.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bit-world.eu\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bit-world.eu\www
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bit-world.eu\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\casalemedia.com\b\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\casalemedia.com\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\casalemedia.com\www
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\casalemedia.com\b
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\casalemedia.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\econocorp.com\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\econocorp.com\www
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\econocorp.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\enigmasoftware.com\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\enigmasoftware.com\www
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\enigmasoftware.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\iframe.biz\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mp3musicdirect.com\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mp3musicdirect.com\www
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mp3musicdirect.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\myfasterpc.com\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\myfasterpc.com\www
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\myfasterpc.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\okulta.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchalot.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\uzupa.com\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\uzupa.com\www
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\uzupa.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\websearch.com\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\websearch.com\www
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\websearch.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xp-vista.com\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xp-vista.com\www
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xp-vista.com\*
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxx.com\www\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxx.com\www
Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxx.com\*
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\casalemedia.com
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\enigmasoftware.com
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\econocorp.com
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\agava.ru
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\iframe.biz
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\websearch.com
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mp3musicdirect.com
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\uzupa.com
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchalot.com
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\agava.com
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxx.com
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xp-vista.com
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\andromedical.com
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\okulta.com
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\myfasterpc.com
Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bit-world.eu
I can't do anything with these. Disinfect/ignore/quarantine... nothing works. ???
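Two of the posts above rest on the same check: opening the registry and the Internet Explorer Restricted Sites list and not finding the entries CIS reported. The PowerShell script below is an added example for this thread, not Comodo's code and not code from any of the posters; it re-reads each CIS-reported path through the ordinary registry API and reports whether it is visible as a key, as a value of its parent key, or not at all, and for ZoneMap entries it decodes the zone number. It assumes PowerShell 3 or later, and it assumes that CIS prints a hidden value as the parent key path followed by the value name, so a trailing `*` (the "all protocols" entry of a ZoneMap domain) or `CTFMON.EXE` is looked up as a value name when no subkey of that name exists. The sample path list is taken from the thread.

```powershell
# Added example for this thread: re-read the registry paths that CIS reported as
# Rootkit.HiddenKey / Rootkit.HiddenValue through the ordinary registry API and
# say whether each is visible as a key, as a value of its parent key, or not at all.
# Not Comodo's code and not code from the posters. Assumptions: PowerShell 3+, and
# that CIS prints a hidden value as "<key path>\<value name>", so a trailing segment
# such as "*" or "CTFMON.EXE" is looked up as a value name when no such subkey exists.

# Internet Explorer security zone ids, stored as DWORD data under ZoneMap\Domains.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Test-FlaggedEntry {
    param([Parameter(Mandatory)][string]$Path)

    # CIS prints Win32 hive names; the PowerShell registry provider wants drive names.
    $psPath = $Path -replace '^HKEY_CURRENT_USER\\', 'HKCU:\' -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM:\'

    # -LiteralPath keeps "*" from being treated as a wildcard.
    if (Test-Path -LiteralPath $psPath) {
        return [pscustomobject]@{ Path = $Path; Result = 'key exists' }
    }

    $parent = Split-Path -LiteralPath $psPath -Parent
    $leaf   = Split-Path -LiteralPath $psPath -Leaf
    if (-not (Test-Path -LiteralPath $parent)) {
        return [pscustomobject]@{ Path = $Path; Result = 'not visible: parent key missing' }
    }

    $key = Get-Item -LiteralPath $parent
    if ($key.GetValueNames() -contains $leaf) {
        $data = $key.GetValue($leaf)
        $zone = ''
        if ($parent -like '*\ZoneMap\Domains\*' -and $data -is [int] -and $zoneNames.ContainsKey($data)) {
            $zone = " (zone $data = $($zoneNames[$data]))"
        }
        return [pscustomobject]@{ Path = $Path; Result = "value exists, data = $data$zone" }
    }
    return [pscustomobject]@{ Path = $Path; Result = 'not visible: parent key exists but value is absent' }
}

# Paths as reported in the thread; replace with the ones from your own CIS log.
$flagged = @(
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\websearch.com\*',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\websearch.com\www\*',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\websearch.com\www'
)
$flagged | ForEach-Object { Test-FlaggedEntry -Path $_ } | Format-Table -AutoSize -Wrap
```

A ZoneMap entry whose data is 4 is a Restricted Sites listing, which is the same thing the Restricted Sites dialog in Internet Explorer displays, so "value exists, data = 4" and an entry in that dialog should agree. The limit of this check is the one that matters for the thread: it reads through the same registry API that a rootkit would hook, so "not visible" confirms what the posters saw but does not by itself prove the entry is absent; rootkit scanners derive a HiddenKey/HiddenValue verdict by comparing that API view against a lower-level read of the hive data, and it is that comparison, or a scan of the hive files from outside the running system, that settles whether the report is a false positive.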