CIS 5.3 and "Rootkit.HiddenValue[at]0"

Hello . . .

This is my first message, so let me take the opportunity to greet all the members of the forum. Also forgive the bad English, translated by Google . . .

I searched the topic before posting!

I do not understand the definition that CIS attaches to some registry keys when it lists them as “Rootkit.HiddenValue[at]0”. That is, whether CIS considers these values to be real threats.

  1. I am using: CIS Premium 5.3.176757.1236, virus DB 7607

  2. I have a fast ADSL-2 connection (8GB)

  3. The OS on which Comodo is used: Win XP SP3

  4. My user is “Admin”

  5. No other real-time security software is installed or currently active, nor was before, apart from the old version of Comodo. I do a weekly scan with Malwarebytes, downloaded from here: http://www.malwarebytes.org/ and make sporadic use of scanners such as GMER, downloaded from: GMER - Rootkit Detector and Remover, or ComboFix, downloaded from here: http://www.combofix.org/

  6. The native XP firewall has been disabled since the first installation of CIS, and likewise Windows Defender.

  7. My system seems to work properly … I notice no particular signs of malfunction, resets, freezes or slowness; outgoing data traffic is modest, and it is plausible that it depends on the normal activity of svchost, system processes and little else.

According to a CIS virus scan of critical areas, the system is “polluted” by a series of “Rootkit.HiddenValue[at]0” entries, as in the picture posted below. However, the dedicated anti-rootkit scanner GMER does not identify these keys (in red) as rootkits.

The only characteristic of these values that could suggest a threat is that they are impossible to remove (not delete) with CIS, and also with direct manual intervention using standard administrative procedures (I have not tried in safe mode). More precisely, although my user can be given full control of these values, they still cannot be eliminated.

I attach an example:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}]

I kindly ask whether the values shown below can be considered threats, or “false positives”. If they were real threats, what actions could be undertaken? Also, in case of elimination, is there a risk of compromising the normal functioning of the system?

Forgive the length (and the bad English …), but I wanted to explain the terms of the problem in detail, as also required by the forum policy.

Thanks . . . .

http://www.iouppo.com/life/1102/8ef0191440e9d8c16082fbad2f3eea4e.JPG

This is not the section where you would expect to get the quickest response, a moderator will likely be along shortly and sort this out, but for now, you’re stuck with me.
These registry keys have hidden themselves from a normal view in regedit, which is behaviour that legitimate software does not usually need, since it has nothing to hide. Rootkits commonly hide registry values to stop users from finding out about the rootkit on their system.

In Windows 7 they make some of the registry keys a pain in the a :o :o.

http://www.mydigitallife.info/2009/08/05/how-to-disable-and-remove-libraries-from-windows-7-explorer/

For XP or Vista:
http://www.theeldergeek.com/forum/index.php?showtopic=27156

Hi kRel ,

First, the name(s) of the alleged infection mean absolutely nothing and pretty much never provide any valuable information.
So, “Rootkit.HiddenValue[at]0” could be an item in the developers' internal “Da Vinci Code” list, but actually it is even less real than the theoretical notion of an “ideal gas”.

You have to submit the CIS report, and whatever flagged entries were found, to the developers.

Then, the specific CLSID you mentioned can be, and most likely IS, absolutely legit.

For example, this is what I have, belonging to Visual Basic:

HKCU\Software\VB and VBA Program Settings\SNC\0	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}	REG_SZ	39217	6/08/2010 1:38:10 PM	6	
HKU\S-1-5-21-507921405-113007714-839522115-1003\Software\VB and VBA Program Settings\SNC\0	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}	REG_SZ	39217	6/08/2010 1:38:10 PM	6

Why would I ever, in my sober mind, make any attempt to remove that???

Please search the Registry, and you will probably find the associated legit software as well.

==============

Those strange values which Jay showed have, as far as I know, nothing to do with those rootkit-like detections, either by AVs or by dedicated rootkit scanners. Please correct me if I am wrong.
I was a bit surprised by such a misleading post (softly speaking).

============

  • “hidden from API” / “Data mismatch between Windows API and raw hive data”
    like:
HKU\S-1-5-21-507921405-113007714-839522115-1003\Software\Adobe\MediaBrowser\MRU\illustrator\ApplicationPath	13/05/2010 4:25 PM	91 bytes	Data mismatch between Windows API and raw hive data
  • “Key name contains embedded nulls”
    like these Microsoft keys:
HKLM\SECURITY\Policy\Secrets\SAC* 0 bytes...	Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 0 bytes...	Key name contains embedded nulls (*)

and those are needed keys, but sure, “null value” keys can be used by malware.

  • or here is another example:
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg	13/05/2007 1:06 AM	0 bytes	Access is denied
  • that belongs to the legit Daemon Tools application and its driver, and indeed is implemented as “rootkit-like hidden”, but we are using it.

… and so on & so forth…

The point is, in this case there is no question of attempting to “remove” anything yet at all. The matter has to be investigated.

Finally, in regard to the above examples:

...sporadic use of scanners such as GMER...
Please don't do that sporadically. There is no need for that. Especially, do not act upon any "detections" unless you are very experienced or asked by a specialist to run the tool and show the report. In addition, GMER and similar rootkit revealers have to be run when nothing is running in the background. Otherwise, you will have tons of "incorrect" entries.
... or ComboFix...
Again, as above. Do not run that utility without the supervision of a specialist, who will advise you "when and how" after obtaining preliminary information about your system. By running ComboFix you can damage your system beyond repair well before getting any help.

Once again - please submit what was found by CIS

My regards

Well said SiberLynx (:CLP)

Hello elliotcroft (sorry for my English…),
so you are saying that these values are suspect and are generated by “abnormal and dangerous” activities?

Hello jay2007tech,

Sorry … the purpose of “Regassassin” is precisely to remove locked keys. That's fine!
But the risk of doing damage to legitimate software and/or the operating system is great.

So, I need to know exactly what I am doing … and I do not, because I do not know exactly what the value is (what that value points to) in that locked (not hidden!) key.

Thanks Jay, Sometimes we do agree :wink:
Cheers!

Hello SiberLynx
You have been very precise, and I think the same as you. (You said so . . . and I have thought about it . . .) Many removal tools often do more damage than the “alleged virus”.

How can I send the CIS scan results? I know how to submit a suspicious file, but I do not know how to send these values.

Then, what is indicated to me means very little . . .

So, I want to know not only how to send it, but also how to send it in a form that is readable and more analyzable by the Comodo team …

About this . . . here is the result of the scan of critical areas, as text for better readability: http://dl.dropbox.com/u/6872685/Risultati%20scansione%20Aree%20Critiche.txt
I also tried searching the registry for one or two values associated with the hidden keys: in both cases they are present only in the “indicted” keys … They do not link to specific software . . .

Thanks . . .
(And sorry my english . . .)

PS
Finally, and more generally, what should I do when I receive further notices of this type from CIS?
Do I always have to carry out a careful analysis, and if I cannot do it, post it here?
And when do I work?? :smiley: :smiley:

Thanks kRel … I’m trying to be precise. That’s not always possible though :smiley:

Sure.

The submission methods are described here.

But that is when and if you can find associated files.
Otherwise, just export the main registry node where you found the value and send that by e-mail (see above).

Similar advice was given in the following threads regarding this famous “Rootkit.HiddenValue[at]0” detection.

The links are:
https://forums.Comodo.com/av-false-positivenegative-detection-reporting/rootkithiddenvalueat0-t68549.0.html
https://forums.Comodo.com/av-false-positivenegative-detection-reporting/reporting-registry-possible-false-rootkit-positives-t68759.0.html
https://forums.Comodo.com/av-false-positivenegative-detection-reporting/rootkithiddenvalueat0-beb3c0c7b648425796d9b5d024816e27-t67177.0.html;msg473910#msg473910

Unfortunately I couldn’t find anything which ended with a solution yet, but you may try.

My regards
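As an added example (not code from the thread, from Comodo, or from any of the posters), here is the investigation SiberLynx describes done as a PowerShell script: open the flagged CLSID key through the normal registry API, resolve which module the CLSID points to and who signed it, search HKLM and HKCU for the software that references the CLSID, and export the node for a false-positive submission. The CLSID is the one quoted in the thread; the export path on the desktop and the regex used to pull a module path out of a COM server registration are my assumptions. The script deliberately deletes nothing.

```powershell
# Added example, not from the thread: investigate a scanner-flagged CLSID and
# export the node for submission rather than deleting it.
# Assumptions: the CLSID from the thread, an export path on the desktop.
param(
    [string]$Clsid      = '{74554CCD-F60F-4708-AD98-D0152D08C8B9}',
    [string]$ExportPath = "$env:USERPROFILE\Desktop\clsid-export.reg"
)

$keyPath = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$Clsid"

# 1. Can the key be opened through the ordinary Win32 registry API at all?
#    A key whose name has an embedded null, or whose ACL denies access, fails
#    here; that failure is what "hidden from API" / "Access is denied" describe.
if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Warning "Cannot open $keyPath through the registry API."
    return
}

$key = Get-Item -LiteralPath $keyPath
"Key     : $($key.Name)"
"Default : $($key.GetValue(''))"
"Subkeys : $($key.GetSubKeyNames() -join ', ')"

# 2. What does the CLSID point to? COM servers register their module here.
foreach ($sub in 'InprocServer32', 'LocalServer32', 'ProgID') {
    $subPath = "$keyPath\$sub"
    if (-not (Test-Path -LiteralPath $subPath)) { continue }
    $target = (Get-Item -LiteralPath $subPath).GetValue('')
    "$sub -> $target"
    if ($sub -eq 'ProgID' -or -not $target) { continue }

    # Heuristic (assumption): take the quoted or unquoted path up to the
    # module extension, dropping any trailing command-line arguments.
    if ($target -match '^"?([^"]+?\.(?:dll|exe|ocx))') {
        $module = [Environment]::ExpandEnvironmentVariables($matches[1])
        if (Test-Path -LiteralPath $module) {
            $ver = (Get-Item -LiteralPath $module).VersionInfo
            $sig = Get-AuthenticodeSignature -FilePath $module
            "  module  : $module"
            "  company : $($ver.CompanyName)  product: $($ver.ProductName)"
            "  signed  : $($sig.Status)  $($sig.SignerCertificate.Subject)"
        } else {
            # A registered server that no longer exists on disk is worth noting
            # (orphaned registration, or a module hidden from the file API).
            Write-Warning "  module $module does not exist on disk"
        }
    }
}

# 3. Which other software refers to this CLSID? In the thread the reference
#    lived under HKCU\Software\VB and VBA Program Settings, which names the
#    owner. Walking whole hives takes minutes but answers the question.
$refs = foreach ($root in 'HKLM:\SOFTWARE', 'HKCU:\Software') {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $k = $_
        # a second key named after the CLSID (e.g. under Wow6432Node or HKCU\Software\Classes)
        if ($k.PSChildName -eq $Clsid -and $k.Name -notlike "*\Classes\CLSID\$Clsid") { $k.Name }
        # any value whose name or data contains the CLSID
        foreach ($v in $k.GetValueNames()) {
            $data = [string]$k.GetValue($v)
            if ($data -like "*$Clsid*" -or $v -like "*$Clsid*") { "$($k.Name) : $v = $data" }
        }
    }
}
"References found: $(@($refs).Count)"
$refs

# 4. Export the node for a false-positive submission. reg.exe wants the short
#    hive name, not the PowerShell provider path.
& reg.exe export "HKLM\SOFTWARE\Classes\CLSID\$Clsid" $ExportPath
"Exported to $ExportPath"
```

Run it from an elevated PowerShell prompt; the hive walk in step 3 is the slow part and can be restricted to the hive you suspect. If step 1 fails while `reg query` or a raw-hive tool still shows the key, that is a cross-view discrepancy of the kind the scanner is reporting, and the right next step is still to export what you can and submit it, not to run a key remover.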

Hi . . .

Thanks, for all . . .

PS
I added to my request immediately above the link to the scan of critical areas in .txt format for better readability. And I have sent the Comodo team the same text file . . .

… and I’m learning to write in English. . . :smiley: :smiley: :smiley:

PS

What do you think of Comodo System-Cleaner? Do you know it? In your opinion, should it be considered the same as other cleaners? (Although this is not the place to talk about it…)

First, your English is understandable enough. This is an international community.
We non-English-speaking users are always learning; nothing wrong with that.

Again, I hope that you will get the answer from the developers regarding the matter.

Cheers!

P.S.

That’s indeed !ot! here
Personally, I shall not approach it any closer than a gunshot's distance.
No way for me; dangerous stuff!
But please read the dedicated threads, test this one and other perfectly working cleaners, and draw your own conclusion. Sure, if you have questions, do not hesitate to ask in those threads.