Rootkit.HiddenValue[at]0 BEB3C0C7-B648-4257-96D9-B5D024816E27

CIS 5.3.174622.1216 finds this after a full scan:

Rootkit.HiddenValue[at]0 HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version\Version

High level, but impossible to delete or quarantine, or to send as a false positive.
Only CIS sees this, not other software: Malwarebytes, GMER, Comodo Cleaning Essentials, Sophos Anti-Rootkit.

I think it's probably a false positive.

It has been reported elsewhere.

Please check the permissions of that key, as suggested by Ronny.

Dennis

System, Users and Admins: Read only.

Subkey "Version" not accessible: error, file not found.

Hi Raph4,

Do you have any Adobe applications installed?

Yes, I have:
Adobe Reader X
Adobe Acrobat X (incl. Distiller X)
Photoshop CS5 (incl. Bridge CS5)
Audition 3.0

Since CIS found that key on my system, I scanned with RootkitRevealer, which found these two keys with identical timestamps:

HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version	2010-03-05 09:52	0 bytes	Key name contains embedded nulls (*)
HKLM\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version	2010-03-05 09:52	0 bytes	Key name contains embedded nulls (*)

SurCode Dolby Digital Premiere is part of Adobe Media Encoder, so probably BEB3C0C7-B648-4257-96D9-B5D024816E27 is also an Adobe key.

OK OK, yes, probably.
I previously installed CS5 Master Collection on my system (Premiere, Adobe Media… etc. included).
Probably a trace of the uninstall.

Hi Raph4,

We will check this and provide a fix as soon as possible.

Regards,
Ionel

I have been having the same problem, and I have Adobe CS5 Master Collection installed. Is it a false positive or not?

COMODO Internet Security Premium - Log Viewer Logs
Records count: 5

Date Location Malware Name Action Status
2011-03-27 00:01:41 HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version\Version Rootkit.HiddenValue@0 Quarantine Success
2011-03-27 00:01:41 HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version\Version Rootkit.HiddenValue@0 Detect Success
2011-04-01 15:39:50 HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version\Version Rootkit.HiddenValue@0 Detect Success
2011-04-01 18:11:30 HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version\Version Rootkit.HiddenValue@0 Remove Failure
2011-04-01 18:11:35 HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version\Version Rootkit.HiddenValue@0 Remove Failure
End of The Report

Getting the same one: Rootkit.HiddenValue[at]0 BEB3C0C7-B648-4257-96D9-B5D024816E27

Any news?

Is the Comodo Team still looking into this?

HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version	0 bytes	Key name contains embedded nulls (*)
hex:e4,87,57,8d,44,0b,a9,b9,ce,31,74,b2,7a,11,ad,18,ed,4d,53,5f,05, 26,bd,ae,9b,f2,89,aa,01,10,99,34,84,2e,0f,c6,5c,a4,80,92,a4,c6,9f,77,aa,88,\

HKLM\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version	0 bytes	Key name contains embedded nulls (*)
hex:e4,87,57,8d,44,0b,a9,b9,ce,31,74,b2,7a,11,ad,18,ed,4d,53,5f,05, 26,bd,ae,9b,f2,89,aa,01,10,99,34,84,2e,0f,c6,5c,a4,80,92,a4,c6,9f,77,aa,88,\

Indeed, they are one and the same. Strangely, darn near the only results returned by a Google search are all related to malware, adware, spyware, viruses, trojans, worms, just being infected in general. Probably just due to this being common and/or widely used software.

Took me about an hour to get that 'hex:' information. Then again, I was also doing other research, but still. (Don't have a timestamp for the above, sadly.) Still haven't found anything like a before-and-after of the registry of someone with a basic clean install of Windows and then with Adobe products on it.

Reference for the Dolby Digital Premiere / Adobe : Axia Discussion Board - Index page

Can anyone provide any additional, updated, and/or more accurate information?

Hi RGentle,
If you can find the file, you can submit it through this
link: http://internetsecurity.comodo.com/submit.php. Then we can have a look at it.
Thanks and Regards,
Lin mengze

Download this program, it helps; I had this problem.

[attachment deleted by admin]

Registry Trash Keys Finder is so-called Donationware. It will not work to its full potential in the Free version. For full functionality you need to donate something. This is what the website says:

The Full version is not available for free download and at the moment requires making a personal contribution to the further development of the TrashReg project. In some respects the Full version of Registry Trash Keys Finder can be likened to DonationWare software.

“What is DonationWare?”

DonationWare is software where you give to the author what you think his software is worth. The author gives you a few suggestions of what, he humbly thinks, deserves for further development of his program but you have the final word, absolutely.

“OK. So why should I donate?”

Here I give a few reasons, you may find others:
Encourage me if you will. I must admit that I sometimes wonder why I'm spending hours adding more features to RTKF, or why I'm translating every version into English. There are several reasons, and money is one of them. (Well, if it were the only one, I would have stopped developing a long time ago…)

You think it’s fair that I get some reward for my continuous work.

I have expenses for developing and distributing RTKF: backup CD-ROM’s, domain name, expensive internet access, ink, paper, bread and butter, coffee and a lot of Russian Vodka (of course it’s a joke:-))…

If you use Registry Trash Keys Finder successfully, then I have helped you to save money. So I deserve a reward, don't you think?

Finally, you want to be a user of the Full version of RTKF, because it gives you enhanced capabilities and more power.

I finally found a proper, free solution for those "key names with embedded nulls":
RegKeyFixer. It's a tool that uses ideas from the old RegDelNull from Sysinternals,
but this is even better, and most, most importantly, it DOES support x64!

For this specific key, the syntax is

RegKeyFixer64.exe \Registry\Machine\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27} -r -n

This will rename the key from "Version[null]Version" to "Version*Version".
Then you will have access to it, and you may delete it if you want to!

Just to elaborate a bit on this:

Some Adobe programs have the option to create Dolby Digital® certified AC-3 (stereo or 5.1 surround) audio streams;

Adobe Audition
Adobe Media Encoder
Adobe Premiere Pro
Adobe Soundbooth

There are many other, often 100% free, ways to create Dolby Digital AC-3 streams,
but if you wanted to sell a product, i.e. a DVD, and wanted to be able to legally put the DD logo on the box,
it would need to be created as a Dolby Digital certified AC-3 stream.

Since there are licensing fees to Dolby involved when you want to create and sell a program that can produce these
Dolby Digital certified AC-3 streams, Adobe chose to provide this as an option instead of a mandatory part of the main program…

  • this way, only the customers who really need the Dolby Digital certified AC-3 streams have to pay for this option.

Therefore, the Dolby Digital certified AC-3 stream encoder is not made by Adobe itself,
but instead provided as an (integrated) plugin:
the Minnetonka Audio SurCode for Dolby Digital 5.1 surround encoder,
fully certified and licensed by Dolby Laboratories, Inc.

This plugin comes as a 14-day free trial.
And therein lies the reason for these two inaccessible keys.
Minnetonka obviously does not want a situation where people try the plugin for 14 days
and then just reset the timer, giving themselves a new, free 14-day trial period.
So they "lock" the information about when the trial was started inside these two inaccessible keys.

One could think it would be nice of Minnetonka if they made the plugin wait until a user started a trial period
and only then created these keys, so that people who did not want to use the plugin were not bothered with them either.
Unfortunately, Adobe / Minnetonka / PACE Anti-Piracy made it so that these two keys are created by the Adobe host program
the first time it is started, the very moment the SurCode.vca plugin is loaded into the memory of the host process.
To be fair, this is "standard procedure" for almost all plugins I have seen…

  • be it Adobe Premiere PRM, Adobe After Effects AEX, The Foundry OFX, Avid AVX, Avid AAX, Digidesign RTAS, Steinberg VST…
  • it does not matter whether the plugin is actually used or not; when it is loaded into memory by the host process, the registry keys are made immediately.
    If I had to guess, maybe doing it this way gives better protection against software theft?
    Also, for the programmer, it is probably easier when he/she can be certain that all the necessary registry keys have already been made.
    Plus, for the average user, it will not matter much whether it is done one way or the other, since he/she will, most likely,
    not give a **** about whether some, possibly unnecessary, registry keys were made or not! :wink:

Almost all Windows programs "do stuff" by using the so-called "Windows API" functions.
E.g. RegCreateKeyEx is the function used when creating a registry key with RegEdit.exe.
When you want to specify the name of the key you want to create,
you just enter a Unicode or ANSI string, then put a [null] ("0") at its end,
so that the function knows it should not use anything after this [null] ("0") for the name.
Well, in practice, we usually end the name with…
…maybe a closing single or double quotation mark (' or "), or maybe the Enter/Return key…

  • but if we later use a hex editor to take a look at the code that was generated inside the program we created,
    we will see that this name, that is, all names, or rather all strings, to be precise, are ended, or terminated as we say, with a [null] ("0").
    The term we often use for this is "a null-terminated string".

However, there is also another set of functions that may be used for "doing stuff" in Windows.
These functions belong to a set called the "NT Native API".
These are more low-level and cumbersome to use, but usually depend only on the kernel file ntoskrnl.exe, or also on its companion, ntdll.dll.
This makes them necessary for doing things when Windows has just been started, when all the other *.exe and *.dll files have yet to be loaded.
As an example, take the device drivers, the *.sys files: these are loaded at the very beginning of the Windows start-up period,
so these always use the NT Native API functions.
Since there are more serious consequences when there is a programming error/bug in these files, compared to the "normal" files,
higher restrictions are set up for the use of NT Native API functions than for the use of Windows API functions.

Those null-terminated strings I mentioned earlier are a thing that may cause problems.
If you write the program but forget to put a closing single or double quotation mark on a string…
…the resulting code will suddenly have a string that is waaay too long.
And if you have also set up a naming scheme where all strings are, say, 8 bytes long,
and you have a buffer that has been set up to hold exactly these 8 bytes…
…when that waaay too long string suddenly comes along, you will get a buffer overflow.

To reduce the possibility of these buffer overflow situations appearing in the device drivers,
the NT Native API is set up with this restriction:

  • you have to explicitly state the length of each and every string you are using.
    Therefore, there are no null-terminated strings here.

(Additionally, the strings can only be expressed in Unicode format,
instead of giving you a choice of either ANSI or Unicode, as you have in the Windows API.)

While RegCreateKeyEx is the Windows API function for creating a registry key,
NtCreateKey / ZwCreateKey is the corresponding NT Native API function for creating it.

However, the difference is, as I just wrote:
while in the Windows API you have to use null-terminated strings,
in the NT Native API you cannot use null-terminated strings…

  • i.e. you do not end the name string of the registry key you want to create with a [null] (“0”).
    Instead, you have to explicitly specify the length of the (Unicode) registry key name string.

So, it is fully possible to use the NtCreateKey / ZwCreateKey function from the NT Native API
to create a registry key which has the name "Version[null]Version".
The length of that name is 7 characters + 1 [null] ("0") + 7 characters, that is, 15 characters,
and since these are 16-bit (2-byte) Unicode characters, the length of that name string would be 30 bytes.

Now, when you start RegEdit.exe, which uses the Windows API, and it comes to that registry key name, this is what is actually there:

(HEXadecimal) : 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00
(Unicode view) : V e r s i o n [nul] V e r s i o n

However, since the character after the “n” in the first “Version” is a [null] (“0”),
RegEdit.exe will assume that it should only use…

(HEXadecimal) : 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00
(Unicode view) : V e r s i o n [nul]

…i.e. that the registry key name string is “Version”, and that it is a null-terminated string, encoded in Unicode.

So when you try to either enter that registry key to see its subkeys etc.,
or try to rename it into something else, or delete it,
it will not work, because the real name is not "Version", but instead "Version[null]Version".

The only way to get access to that "Version[null]Version" registry key
is to use a program that uses the more cumbersome NT Native API functions instead of the default Windows API functions.

The program RegKeyFixer has a name that gives most people bad associations…
…it sounds exactly like one of the countless CCleaner wannabes, i.e. a general-purpose registry "fixer"

  • that usually promises to make your system SOOO much faster, and is often bundled with lots of adware.
    But this is not the case. RegKeyFixer is not general-purpose at all; most "normal" people would NEVER have any use for it whatsoever!
    Instead, it is made for this one specific situation,
    where a program has used the NtCreateKey / ZwCreateKey function from the NT Native API to create a registry key name
    which contains a [null] ("0") inside the name itself, so that all the usual programs that rely on the default Windows API
    are not able to do anything with that registry key.

Obviously, this "locking" of information is something that malware writers are also very interested in.
And that is probably the reason why Comodo reacted to this.
Now, if it had been possible to add this key to the exclusion list,
that would have been the end of it…
…but this was not possible, because of that same "These aren't the keys you're looking for…" issue:
Comodo wanted to add the "Version" registry key to the exclusion list,
but in reality there existed no "Version" registry key.
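As an added example (not code from the post above, nor from Comodo, Adobe or Minnetonka), the following C program models the two views of the key name that the post describes. It declares its own UNICODE_STRING so it compiles anywhere without <windows.h>; the real type in <winternl.h> has the same three fields, and the actual NtCreateKey / NtDeleteKey calls against ntdll.dll are deliberately not included. It shows that a null-terminated scan of "Version[null]Version" yields 7 code units while the counted Length is 30 bytes (15 units), flags the embedded null the way RootkitRevealer does, renders the name as "Version*Version", and shows why a Win32-style lookup of "Version" can never match the counted name, which is the problem Comodo's exclusion list ran into.

```c
/*
 * Added example, not code from the forum thread or from any vendor:
 * a platform-neutral model of a registry key name with an embedded null.
 * UNICODE_STRING is declared locally so this compiles without <windows.h>.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR16;            /* one UTF-16 code unit, like WCHAR */

typedef struct {
    uint16_t  Length;         /* bytes in use; no terminator is implied */
    uint16_t  MaximumLength;  /* bytes available in Buffer */
    WCHAR16  *Buffer;
} UNICODE_STRING;

/* The name as created with NtCreateKey: 7 + 1 + 7 = 15 code units. */
static WCHAR16 g_name_buf[] = { 'V','e','r','s','i','o','n', 0,
                                'V','e','r','s','i','o','n' };

/* Native-API view: Length counts every code unit, including the embedded 0. */
static const UNICODE_STRING g_native_name = {
    (uint16_t)sizeof g_name_buf, (uint16_t)sizeof g_name_buf, g_name_buf };

/* Win32 view: a wcslen-style scan stops at the first 0 code unit. */
size_t win32_name_units(const WCHAR16 *s)
{
    size_t n = 0;
    while (s[n] != 0)
        n++;
    return n;
}

/* Native view: the count comes from Length, never from scanning for a 0. */
size_t native_name_units(const UNICODE_STRING *u)
{
    return u->Length / sizeof(WCHAR16);
}

/* RootkitRevealer-style check: does any counted code unit equal 0? */
int has_embedded_null(const UNICODE_STRING *u)
{
    size_t i, n = native_name_units(u);
    for (i = 0; i < n; i++)
        if (u->Buffer[i] == 0)
            return 1;
    return 0;
}

/* Render the counted name for display, showing each embedded 0 as '*'
 * (the convention RootkitRevealer and RegKeyFixer use). Returns a static
 * buffer; code units outside ASCII are shown as '?'. */
const char *display_name(const UNICODE_STRING *u)
{
    static char out[64];
    size_t i, n = native_name_units(u);
    if (n >= sizeof out)
        n = sizeof out - 1;
    for (i = 0; i < n; i++) {
        WCHAR16 c = u->Buffer[i];
        out[i] = (c == 0) ? '*' : (c < 0x80) ? (char)c : '?';
    }
    out[n] = '\0';
    return out;
}

/* The Object Manager compares counted names: lengths and every unit match. */
int counted_names_equal(const UNICODE_STRING *a, const UNICODE_STRING *b)
{
    return a->Length == b->Length &&
           memcmp(a->Buffer, b->Buffer, a->Length) == 0;
}

/* What RegEdit or an AV exclusion list effectively asks for: the query is
 * built from a null-terminated string (as RtlInitUnicodeString would do),
 * so "Version\0Version" is cut down to "Version" before the compare. */
int win32_query_matches(const UNICODE_STRING *key, WCHAR16 *query)
{
    UNICODE_STRING q;
    q.Length = (uint16_t)(win32_name_units(query) * sizeof(WCHAR16));
    q.MaximumLength = q.Length;
    q.Buffer = query;
    return counted_names_equal(key, &q);
}

int main(void)
{
    UNICODE_STRING w32 = {
        (uint16_t)(win32_name_units(g_name_buf) * sizeof(WCHAR16)), 0, g_name_buf };
    printf("Win32 view : %zu code units, %u bytes, name \"%s\"\n",
           native_name_units(&w32), (unsigned)w32.Length, display_name(&w32));
    printf("Native view: %zu code units, %u bytes, name \"%s\"\n",
           native_name_units(&g_native_name), (unsigned)g_native_name.Length,
           display_name(&g_native_name));
    printf("Embedded null present: %s\n",
           has_embedded_null(&g_native_name) ? "yes" : "no");
    printf("Win32 lookup of \"Version\" finds the key: %s\n",
           win32_query_matches(&g_native_name, g_name_buf) ? "yes" : "no");
    return 0;
}
```

The last line of output is the whole story of the thread: the key exists, but no Win32 caller can name it, so neither RegEdit's delete nor an exclusion entry for "Version" can ever refer to it; only a counted-name lookup (NtOpenKey with the full 30-byte UNICODE_STRING, which is what RegDelNull and RegKeyFixer do) reaches it.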