Rootkit.HiddenKey@0

Hello,

Just installed Comodo AV on a system, scanned, and detected a rootkit. I’m having trouble locating information about what rootkit it is and what removal options I may have. Comodo AV was unable to remove the rootkit.

In Antivirus Events there are many entries referring to this rootkit, but here is just one example it finds in the registry:

Location:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MPFP\$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+,-./0123$%&'()*+
Malware Name: Rootkit.HiddenKey@0
Action: Detect
Status: Succes
Date: 01/07/2011 5:13:55PM

Can someone please suggest how to proceed at this point?

Thanks,
Kyle

Did you ever have McAfee installed?

Yes. Removed it today and installed Comodo Internet Security.

Thanks,
Kyle

Looks like a leftover driver/service that McAfee was using, and Comodo found it because for some reason McAfee hid it.

I would use the McAfee removal tool: http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

Disable Comodo (D+, sandbox, and AV) so the removal tool can do its job. Run the tool, then restart. Re-enable Comodo and rescan. Let me know if it finds it again.

Nice catch, languy :wink:

languy,

I uninstalled Comodo IS, downloaded the file you said, ran the program, reinstalled Comodo IS, rescanned, and it still detects the Rootkit.HiddenKey@0.

The rootkit now shows up in the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSKSSRV and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MSKSSRV areas.

Do you have any further suggestions?

Thanks,
Kyle

Google "how to remove services in Windows (insert your version)". When doing that, look for the service marked as mskssrv.

That answer was not helpful, as those are required Windows services that Comodo was reporting as a rootkit. Without any more useful suggestions, I ended up formatting and reinstalling for the last few days… :cry:
-Kyle

If mskssrv was at fault, it was not this service itself, as it is Windows genuine (and thus, although not essential, undeletable unless you use a specific utility), but its hijack by a third-party malware.
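The question running through this thread is whether the flagged Services keys (the punctuation-named subkey under MPFP, and MSKSSRV in two ControlSets) point at a genuine Windows binary or at something that replaced it. The script below is an added example, not code from the thread or from Comodo/McAfee: it walks every ControlSet, lists service subkeys whose names fall outside the usual alphabet or match the names from the thread, resolves each ImagePath, and reports whether the file exists and who signed it. It assumes an elevated PowerShell prompt on the affected machine; the service names are the ones quoted in the posts.

```powershell
# Added example for this thread (not from the original posts, Comodo or McAfee).
# Run from an elevated PowerShell prompt. Service names below are the ones quoted in the thread.
$flaggedServices = @('MPFP', 'MSKSSRV')

function Resolve-ImagePath([string]$imagePath) {
    # Turn the forms found in Services\*\ImagePath into a path Test-Path understands.
    if ([string]::IsNullOrWhiteSpace($imagePath)) { return $null }
    $p = $imagePath.Trim()
    if ($p.StartsWith('"')) { $p = $p.Split('"')[1] }                        # "C:\dir\x.exe" -args
    elseif ($p -match '^(.*?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }     # C:\dir\x.exe -args
    $p = $p -replace '^\\\?\?\\', ''                                          # \??\C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot                         # \SystemRoot\System32\...
    $p = [Environment]::ExpandEnvironmentVariables($p)                        # %SystemRoot%\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }    # system32\drivers\x.sys
    return $p
}

function Get-ServiceKeyReport {
    # Check every ControlSet, not only CurrentControlSet: the thread saw hits in 001 and 003.
    # Caveat: a key whose name embeds a NUL character is not returned by the normal registry API,
    # so it will not appear here even though a scanner with lower-level access may report it.
    Get-ChildItem 'HKLM:\SYSTEM' | Where-Object PSChildName -like 'ControlSet*' | ForEach-Object {
        $controlSet = $_.PSChildName
        Get-ChildItem (Join-Path $_.PSPath 'Services') -ErrorAction SilentlyContinue | ForEach-Object {
            $name = $_.PSChildName
            # Names made of punctuation runs (like $%&'()*+,-./0123 in the thread) are not how
            # Windows or legitimate vendors name services, so they are always worth a look.
            $oddName = $name -match '[^A-Za-z0-9_.{} -]'
            if (-not $oddName -and $flaggedServices -notcontains $name) { return }
            $props  = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
            $file   = Resolve-ImagePath $props.ImagePath
            $exists = [bool]($file -and (Test-Path -LiteralPath $file))
            $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $file } else { $null }
            $status = if ($sig) { $sig.Status } else { 'n/a' }
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
            [pscustomobject]@{
                ControlSet = $controlSet; Service = $name; OddName = $oddName
                ImagePath  = $props.ImagePath; FileExists = $exists
                Signature  = $status; Signer = $signer
            }
        }
    }
}

Get-ServiceKeyReport | Format-Table -AutoSize
```

For MSKSSRV a genuine install shows an existing driver under System32\drivers with a Valid signature from Microsoft; a missing file, an ImagePath pointing elsewhere, or an unsigned binary is the case the last post describes and deserves a closer look before anything is deleted.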