Rootkit.HiddenValue@0

Comodo found:
Rootkit.HiddenValue@0 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Rootkit.HiddenKey@0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

There are no keys visibly related to the above at the locations in the Registry and Comodo cannot remove them. Previous scans by Comodo, Malwarebytes and SuperAntiSpyware have found nothing. I previously had Avast installed instead of Comodo AV but recent scans with Comodo AV found nothing related to the above.

Please upload your file to Comodo (Valkyrie) or to camas.comodo.com.

I’ll try to send. It’s a bit silly that when the detection occurs you cannot send the report to Comodo as “suspicious” and it will not allow the report to be sent as a false positive either.

Thanks.

Tried Valkyrie and the other. It’s a rootkit report, not a file that I can upload and the registry entries do not seem to exist either. Nothing to send. I sent the text report of the scan results and it said unexecutable. Clearly no human being at the other end!

Found Valkyrie email address so sent report by that route.

I did not hear back from Valkyrie nor do I know whether they got the email. If the virus scan shows:

Rootkit.HiddenValue@0 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping{c95fe080-8f5d-11d2-a20b-00aa003c157a}

does that mean I should find the key {c95fe…} at that location in Regedit, or does it mean there is a key of that name that is not visible in Regedit but does actually exist?

I never got answers to my questions back in 2011. I would still like to know where Comodo is pulling this non-existent key from. It’s not in my registry so how does Comodo come up with it?
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping{c95fe080-8f5d-11d2-a20b-00aa003c157a}
There are other keys under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\ but not the one specified.
The key cannot be quarantined which may be due to the fact it does not exist?

I searched the registry for the key {c95… in question and found the following:

[HKEY_CURRENT_USER\Software\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0.map]
"92cb6f10673beaf6"=",1,HKCU,Software\Microsoft\Internet Explorer\Extensions\CmdMapping,{c95fe080-8f5d-11d2-a20b-00aa003c157a},"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility{C95FE080-8F5D-11D2-A20B-00AA003C157A}]
"Compatibility Flags"=dword:00000400

Needless to say I have no idea what these keys do.