Just looking at the scan results for my old man's XP Pro box and I keep getting (after a full scan) the entries
Rootkit.HiddenValue@0 for
HKEY_USER\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
HKEY_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\nltide_3
HKEY_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
I try and use Clean or Disinfect and it states "Not all threats have been removed". In fact it doesn't remove any of them; subsequent scans still show them. The keys aren't present in regedit.
Scanned with GMER/Sophos anti-rootkit and all seems fine. Scanned from Avira disc, no problem.
Any thoughts on this anyone?
Cheers,
Matty
Hi Matty_R,
Can you please export the detected keys from registry, find the corresponding files to whom registry data refer to, and submit them to us?
Thanks and regards,
Ionel
riggers
January 26, 2011, 12:35pm
3
Hi Ionel,
The keys are not present in the registry. At least regedit doesn't show them to be there (will try with RegAlyzer in a bit). Show hidden is ticked, Hide protected is unticked. Any other things I could try? Can't understand why these are being flagged when they're not present ???
Cheers,
Matty
I too have had a rootkit discovered with a scan of critical areas. When I tried to have Comodo remove the 58 registry entries it failed. I have done this several times and they are stuck and fail to remove.
Here are the registry keys found by CIS:
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32\cd042efbbd7f7af1647644e76e06692b
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32\bca643cdc5c2726b20d2ecedcc62c59b
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32\2c81e34222e8052573023a60d06dd016
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32\2582ae41fb52324423be06337561aa48
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32\caaeda5fd7a9ed7697d9686d4b818472
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32\a4a1bcf2cc2b8bc3716b74b2b4522f5d
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32\4d370831d2c43cd13623e232fed27b7b
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32\1d68fe701cdea33e477eb204b76f993d
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32\1fac81b91d8e3c5aa4b0a51804d844a3
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32\f5f62a6129303efb32fbe080bb27835b
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32\ThreadingModel
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32\fd4e2e1a3940b94dceb5a6a021f2e3c6
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32\8a8aec57dd6508a385616fbc86791ec2
Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32\ThreadingModel
These registry keys were driving me nuts too, RootkitRevealer turned up the same ones because they have embedded nulls.
Do you currently have or ever had Pinnacle Studio 9 installed? They are apparently using rootkit methods to hide registration information… and they are using the following keys:
Details: HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}
Details: HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}
Details: HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}
Details: HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}
Details: HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}
Details: HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}
Details: HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}
Details: HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}
Details: HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}
Details: HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}
Details: HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}
Details: HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}
Why companies have to do stuff like this is beyond me… I lost like half a day tracking this down. I’m telling you right now I will not buy or install another Pinnacle product… >:(
Information here: Safer-Networking Forums
…have a better one…
norain
February 4, 2011, 10:30am
6
I also have the rootkit detection, yet cannot remove it like the first poster in this thread.
Should I worry?
The keys don’t show up at all in regedit, as others have said.
hey so these were confirmed FPs in your case, right?
i posted already a couple of times in another thread about this, it just drives me crazy to see that rootkit alert on my regular scan each time :-\
I have the same problem:
Rootkit.HiddenValue@0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
Rootkit.HiddenValue@0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\tscuninstall
CIS reports them but is unable to do anything about them.
Regedit shows the CTFMON key (Data C:\WINDOWS\system32\ctfmone.exe) but not the tscuninstall key.
XP Pro
Are these actual problems or false reports?
Trusty65
I’ve got these after full system scan:
Rootkit.HiddenValue[at]0 HKEY_LOCAL_MACHINE\System\ControlSet001\services\sptd\Cfg\h0
Rootkit.HiddenKey[at]0 HKEY_LOCAL_MACHINE\System\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Rootkit.HiddenValue[at]0 HKEY_LOCAL_MACHINE\System\ControlSet001\services\sptd\Cfg\s1
Rootkit.HiddenValue[at]0 HKEY_LOCAL_MACHINE\System\ControlSet001\services\sptd\Cfg\s2
Rootkit.HiddenValue[at]0 HKEY_LOCAL_MACHINE\System\ControlSet001\services\sptd\Cfg\h0
Rootkit.HiddenValue[at]0 HKEY_LOCAL_MACHINE\System\ControlSet001\services\sptd\Cfg\g0
I believe these are FPs and the entries are related to the SCSI Pass Through Direct (SPTD) layer (64 bit) (Daemon Tools Lite driver). Could you verify that?
CIS version: 5.4.189822.1355
AV database version: 8794
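The two things this thread keeps circling are (a) why regedit cannot show a key or value that the rootkit scan flags, and (b) how to tell the detections that dontbetonit traced to Pinnacle Studio, and the sptd\Cfg ones attributed above to the SPTD driver, apart from autorun entries that still need the launched file checked. The script below is an added example written for this thread; it is not Comodo/CIS, RootkitRevealer or Pinnacle code. It reproduces the embedded-NUL hiding effect by comparing a counted-string (native API) listing with what a C-string (Win32 API) consumer such as regedit ends up seeing, and it triages scanner lines in the format quoted in this thread. The Pinnacle CLSID list and the SPTD prefix are taken from the posts above and are treated as "explained by a poster", not as a verified allowlist; the nil CLSID in the sample input is made up to exercise the unexplained bucket.

```python
"""Triage of Rootkit.HiddenValue / Rootkit.HiddenKey scanner lines.

Constructed for this thread; not Comodo/CIS, RootkitRevealer or Pinnacle code.
1. Reproduce the "hidden by embedded NUL" effect that RootkitRevealer-style
   tools find by diffing a counted-string listing against a C-string view.
2. Sort detection lines into causes this thread attributes to legitimate
   software versus autorun entries whose launched file still needs checking.
"""
import re

# Assumptions taken from the thread's posts, not a vendor allowlist: these CLSIDs
# were attributed to Pinnacle Studio licence protection and sptd\Cfg to the
# Daemon Tools SPTD driver. A match means "explained", not "verified".
PINNACLE_CLSIDS = {
    "{47629D4B-2AD3-4E50-B716-A66C15C63153}", "{604BB98A-A94F-4A5C-A67C-D8D3582C741C}",
    "{684373FB-9CD8-4E47-B990-5A4466C16034}", "{74554CCD-F60F-4708-AD98-D0152D08C8B9}",
    "{7EB537F9-A916-4339-B91B-DED8E83632C0}", "{948395E8-7A56-4FB1-843B-3E52D94DB145}",
    "{AC3ED30B-6F1A-4BFC-A4F6-2EBDCCD34C19}", "{DE5654CA-EB84-4DF9-915B-37E957082D6D}",
    "{E39C35E8-7488-4926-92B2-2F94619AC1A5}", "{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}",
    "{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}", "{FEE45DE2-A467-4BF9-BF2D-1411304BCD84}",
}
SPTD_CFG_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\SPTD\CFG"
# Run, RunOnce and the legacy "load" value are all autostart locations.
AUTORUN_MARKERS = (r"\CURRENTVERSION\RUN", r"\CURRENTVERSION\WINDOWS\LOAD")

# "Rootkit.HiddenValue@0 <path> [Risk: High]"; the forum also renders "@" as "[at]".
DETECTION_RE = re.compile(
    r"^(Rootkit\.Hidden(?:Value|Key))(?:@|\[at\])0\s+(.+?)(?:\s+Risk:\s*\w+)?$")
CLSID_RE = re.compile(r"\\CLSID\\?(\{[0-9A-Fa-f-]{36}\})")

CATEGORIES = {
    "pinnacle": "explained: Pinnacle Studio CLSID named in this thread",
    "sptd": "explained: SPTD (Daemon Tools) driver config named in this thread",
    "autorun": "autorun entry: export with a native-API tool, check the launched file",
    "unknown": "unexplained: investigate",
}

def parse_detection(line):
    """Return (detection name, registry path) or None for a non-detection line."""
    m = DETECTION_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def classify(path):
    """Map a flagged registry path to one of the CATEGORIES keys."""
    upper = path.upper()
    m = CLSID_RE.search(path)
    if m and m.group(1).upper() in PINNACLE_CLSIDS:
        return "pinnacle"
    if upper.startswith(SPTD_CFG_PREFIX):
        return "sptd"
    if any(marker in upper for marker in AUTORUN_MARKERS):
        return "autorun"
    return "unknown"

def triage(lines):
    """Parse scanner output and return [(detection, path, category), ...]."""
    parsed = (parse_detection(line) for line in lines)
    return [(name, path, classify(path)) for name, path in (p for p in parsed if p)]

def summarize(lines):
    """Count detections per category; non-detection lines are ignored."""
    counts = {key: 0 for key in CATEGORIES}
    for _, _, category in triage(lines):
        counts[category] += 1
    return counts

def win32_view(name):
    """A Win32 consumer (regedit included) treats the name as a NUL-terminated
    C string, so it sees only the text before the first embedded NUL and cannot
    open the real key or value under that truncated name."""
    return name.split("\0", 1)[0]

def hidden_names(raw_names):
    """RootkitRevealer-style discrepancy: names in the raw, counted-string listing
    that do not survive the trip through a C-string API unchanged."""
    api_view = {win32_view(n) for n in raw_names}
    return [n for n in raw_names if n not in api_view]

# Constructed sample input: lines quoted in the thread plus one made-up nil
# CLSID so the "unknown" bucket is exercised.
SAMPLE_SCAN = [
    r"Rootkit.HiddenValue@0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE Risk: High",
    r"Rootkit.HiddenValue@0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\tscuninstall",
    r"Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32\ThreadingModel",
    r"Rootkit.HiddenKey[at]0 HKEY_LOCAL_MACHINE\System\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC",
    r"Rootkit.HiddenValue@0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID{00000000-0000-0000-0000-000000000000}\InprocServer32",
    "Scanned with GMER/Sophos anti-rootkit and all seems fine.",
]
# Constructed raw listing of a Run key: a normal value next to one whose name
# carries a trailing NUL, which collides with the normal one once truncated.
SAMPLE_RUN_VALUES = ["CTFMON.EXE", "CTFMON.EXE\0", "tscuninstall\0x"]

if __name__ == "__main__":
    for detection, path, category in triage(SAMPLE_SCAN):
        print(f"{detection:20} {CATEGORIES[category]}\n    {path}")
    print(summarize(SAMPLE_SCAN))
    for name in hidden_names(SAMPLE_RUN_VALUES):
        print(f"hidden: {name!r} -> a C-string caller sees {win32_view(name)!r}")
```

The collision case in SAMPLE_RUN_VALUES is the one reported later in this thread where regedit shows a CTFMON.EXE value but not the tscuninstall one: a name with a trailing NUL truncates to the same text as the legitimate value, so the hidden one is invisible by name, while a name with characters after the NUL cannot be opened at all. On a real host the raw listing would come from a native-API tool rather than a hard-coded list; the "autorun" bucket is the one worth acting on, along the lines Ionel asked for above (export the key, find the file it refers to, submit it).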
I have a similar problem:
Rootkit.HiddenValue@0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE Risk: High
CIS reports but is unable to do anything about it.
XP Pro
I have the same problem as dontbetonit:
58 Rootkit.HiddenValue@0 due to Pinnacle Studio…
Is there no way to avoid these FPs, since they are harmless?
Thanks
I too was recently concerned by the untimely find of no less than 58 instances of Rootkit.HiddenValue@0 on a Comodo AV scan; however, now you mention that Pinnacle have something to do with it, it's understandable. I too have a Pinnacle USB 70e dongle installed.
I agree that while this method of installation is not appropriate behaviour, it also leads to other vulnerabilities. I noticed that after setting Comodo to scan for rootkits, the option was unticked after the first scan, therefore any further scans would not include rootkit scanning by Comodo AV.
Like you, I wasted a day trying to either remove these very stubborn entries or find out information about them. I was generally getting nowhere until I read about Pinnacle being a possible culprit.
siketa
September 28, 2012, 8:53am
14
Rootkit.HiddenValue detections should be fixed in CIS 6.
These detections only appear with advanced rootkit scanning enabled, right?
cmc
September 28, 2012, 5:39pm
17
Yes, for the first time in the past several years I turned advanced rootkit scan on, and the following, for the first time ever, was listed. It cannot be removed and could not be reported as a false positive either. Smart scan reveals:
“Rootkit.HiddenKey[at]0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”
Attempt to quarantine:
“Not all threats have been successfully quarantined”
Rescan detects the same nonsense. Turned off rootkit scan and no problem detected.
Malwarebytes, SAS, TDSSKiller,… do not show any problem.
Advanced Rootkit Scan is for expert users and can give false positives.
I have observed that, mostly, when it fails to remove a detection, the detection is either an FP or not present, so in a way that is good, but I hope it doesn't fail to remove real malware. On my system, advanced rootkit scan, when enabled, has never detected anything.