Rootkit.HiddenValue(at)0 Revisited

This deserves to be looked at again. Elsewhere in this forum it was flagged as “resolved” in 2011, yet all I see is that it’s a false positive. Well, the cause is still there, producing false positives. I think I found it. It is a null character, which is not supposed to be in the registry. It could be there due to sloppy/corrupted/bad/malicious code, who knows, but it has no legitimate function in the registry, so it needs to be removed. Here’s how.

Download the free tool “RegDelNull” from Microsoft or CNET
RegDelNull - Free download and software reviews - CNET Download
Start it from a command line. Here’s a capture from my command window on my PC:

C:\regdelnull HKLM -s

RegDelNull v1.10 - Delete Registry keys with embedded Nulls
Copyright (C) 2005-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

Null-embedded key (Nulls are replaced by ‘*’):

HKLM\SOFTWARE\Classes\CLSID{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version

Delete? (y/n) y
Key successfully deleted.

I went back to the folder and replaced the Key. No more false positives.

Note 1: The description of this tool at Microsoft gives more detail about this problem.
Note 2: It won’t scan the full registry; you need to scan each hive individually.
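For anyone who wants to find such keys before reaching for RegDelNull, here is an added PowerShell scan (my own example, not code from the post or from Sysinternals). It relies on the symptom the post describes: the ordinary Win32/.NET registry API treats names as null-terminated, so a null-embedded key either comes back with a null still inside the string or is listed but cannot be opened by the name shown. The function name, the depth limit and the starting path are my assumptions; run it elevated.

```powershell
# Heuristic scan for registry keys that ordinary tools cannot open correctly,
# the usual sign of a name with an embedded null. Added example, not from the post.
function Find-SuspectNullKeys {
    param(
        [Parameter(Mandatory)][Microsoft.Win32.RegistryKey]$Key,
        [int]$MaxDepth = 6,   # assumption: keep the walk bounded
        [int]$Depth = 0
    )
    $names = @()
    try { $names = $Key.GetSubKeyNames() } catch { return }   # e.g. access denied: skip subtree
    foreach ($name in $names) {
        # Case 1: the API hands back a name that still contains a null character.
        if ($name.IndexOf([char]0) -ge 0) {
            [pscustomobject]@{
                Path   = $Key.Name + '\' + $name.Replace([char]0, '*')  # show nulls as '*', like RegDelNull
                Reason = 'embedded null in key name'
            }
            continue
        }
        $child = $null
        try { $child = $Key.OpenSubKey($name) } catch [System.Security.SecurityException] { continue }
        # Case 2: the key was enumerated but cannot be opened under the name shown,
        # which is what happens when the real name continues past a null.
        if ($null -eq $child) {
            [pscustomobject]@{ Path = $Key.Name + '\' + $name; Reason = 'listed but not openable' }
            continue
        }
        if ($Depth -lt $MaxDepth) {
            Find-SuspectNullKeys -Key $child -MaxDepth $MaxDepth -Depth ($Depth + 1)
        }
        $child.Close()
    }
}

# Scan the subtree where the post found its key (HKLM\SOFTWARE\Classes\CLSID).
$clsid = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\Classes\CLSID')
Find-SuspectNullKeys -Key $clsid | Format-Table -AutoSize
$clsid.Close()
```

A "listed but not openable" hit can also be a key deleted between the enumerate and the open call, so confirm each hit with RegDelNull on that hive before deleting anything.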