Rootkit infected... Comodo can't remove it... HitmanPro/MBAM don't detect

Here is what Smart Scan by CIS shows.
Comodo says some files couldn't be removed and shows all 15 again on the next scan.

Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\andromedical.com*

Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mp3musicdirect.com\www*

Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mp3musicdirect.com\www

Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mp3musicdirect.com*

Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\okulta.com*

Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\andromedical.com\www*

Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\andromedical.com\www

Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\andromedical.com*

Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mp3musicdirect.com\www*

Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mp3musicdirect.com\www

Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mp3musicdirect.com*

Rootkit.HiddenValue[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\okulta.com*

Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mp3musicdirect.com

Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\andromedical.com

Rootkit.HiddenKey[at]0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\okulta.com

https://forums.comodo.com/antivirus-help-cis/best-av-config-on-low-resource-pos-1gb-ram-t69933.0.html;prev_next=next

This user apparently had the same problem.

What other security tools do you use? It looks like these domains have exceptions for IE security settings.

I can't make out which zone they are in ('trusted/intranet/blocked') because the zone number is missing.
Can you go to IE security settings and verify if they show up in a security zone, probably trusted or blocked?

Hey, thanks for replying.

Other than CIS (all faculties active) I have MBAM Pro. I use Advanced SystemCare for registry and hard disk cleanup, CCleaner as a backup registry cleaner, and HitmanPro as an on-demand second-opinion scanner.

Yup, those things are there in the blocked zone, but it's not just those 15; there are hundreds more in the blocked zone. Only 15 entries pop up on the scan, though.

What should I do?
Do I remove those from the blocked zone?
Isn't that a bad thing?

I would remove one, note the details, then scan to see if it's gone from the results.

Do you have any idea which tool put them there?

I think Advanced SystemCare, either that or CCleaner.

Even after removing them from the list and rescanning with CIS, it still can't be removed.

Going to try CCE and see if that can remove them.

I don't think they are a 'rootkit'. What it is is that CIS can't access them with normal means, as these registry keys seem protected/hidden.

If you run CCE you need to test the rescue disk in the beta board, as the current versions can't remove this on a 'live' system.
But as said, I'm almost certain that it's just 'hidden' and not 'rootkit'.

So I should put those in the ignore/exclusions list?

Nothing to worry about, right?

That doesn't seem to work in the current version 5.10.

> Nothing to worry about, right?

If the latest HitmanPro and MBAM show up empty, I'm almost certain this is a false positive.

You can try to remove the entries by using regedit, but only if you trust yourself with regedit, as it might also cause more damage than good when used badly.
You probably have to take ownership first and then edit the security permissions before you'll be able to delete them.
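Two questions in this thread can be answered from the registry itself without touching it: which zone each ZoneMap domain sits in (the zone number the scan output above leaves out), and whether the keys are really 'hidden' or just carry an owner and permissions that a scanner opening them with ordinary rights cannot get past. The PowerShell script below is an added example, not code from this thread or from Comodo. It assumes the standard IE zone numbering (0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites) and the per-user `ZoneMap\Domains` path shown in the scan output; the function and variable names are my own. It is read-only and changes nothing.

```powershell
# Added example (not from the thread or from Comodo). Read-only inventory of the current
# user's IE ZoneMap: every domain key, the zone number behind each value, and the owner
# and Deny rules on the key, which is what makes an entry look 'hidden' to a scanner.

$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'   # the zone the thread calls "blocked"
}

# Path from the scan output; HKCU: is the PowerShell drive for HKEY_CURRENT_USER.
$Base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ZoneMapEntry {
    # Reports each value under one ZoneMap key. The value name is the scheme
    # ('*', 'http', 'https'); the value data is the zone number.
    param([string]$Path, [string]$Domain)
    try {
        $key  = Get-Item -LiteralPath $Path -ErrorAction Stop
        $acl  = Get-Acl  -LiteralPath $Path -ErrorAction Stop
        $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        foreach ($name in $key.GetValueNames()) {
            $raw  = $key.GetValue($name)
            $zone = if ($raw -is [int]) { $raw } else { -1 }   # non-DWORD data is unexpected
            [pscustomobject]@{
                Domain    = $Domain
                Scheme    = if ($name -eq '') { '(default)' } else { $name }
                Zone      = $zone
                ZoneName  = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "unknown ($raw)" }
                Owner     = $acl.Owner
                DenyRules = $deny.Count
            }
        }
    } catch {
        # A key the user cannot open at all is exactly the 'protected/hidden' case.
        [pscustomobject]@{
            Domain = $Domain; Scheme = '?'; Zone = -1
            ZoneName = "ACCESS DENIED: $($_.Exception.Message)"
            Owner = '?'; DenyRules = -1
        }
    }
}

$Results = foreach ($domainKey in Get-ChildItem -LiteralPath $Base -ErrorAction Stop) {
    $domain = $domainKey.PSChildName
    Get-ZoneMapEntry -Path $domainKey.PSPath -Domain $domain
    # Sub-keys such as 'www' hold host-specific entries (www.example.com).
    foreach ($hostKey in Get-ChildItem -LiteralPath $domainKey.PSPath -ErrorAction SilentlyContinue) {
        Get-ZoneMapEntry -Path $hostKey.PSPath -Domain "$($hostKey.PSChildName).$domain"
    }
}

# Full listing, then a count per zone, then only the keys with Deny rules or that could not be opened.
$Results | Sort-Object Domain, Scheme | Format-Table Domain, Scheme, ZoneName, Owner, DenyRules -AutoSize
$Results | Group-Object ZoneName | Select-Object Name, Count | Format-Table -AutoSize
$Results | Where-Object { $_.DenyRules -ne 0 } | Format-Table Domain, ZoneName, Owner, DenyRules -AutoSize
```

Run it in a normal (non-elevated) PowerShell session, since that is the context a user-mode scanner opens the keys in. Entries that show `Restricted sites` with a high count are the work of a cleaner or hosts-style blocklist, as the thread suspects; a key that lands in the last table with `ACCESS DENIED` or with Deny rules is one that a scanner reports as hidden simply because the ACL stops it from reading, which is also why the thread's advice to take ownership and fix the permissions before deleting applies.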

Well, so long as it doesn't harm my machine, I'll let sleeping dogs lie.

I would +1 you but this forum doesn't seem to have that option.

Thanks for your help :slight_smile:

Thanks :-TU