Rootkit?

Comodo reports these entries as a rootkit.

Rootkit.HiddenValue@0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_Run
Rootkit.HiddenValue@0 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

It will not allow me to quarantine nor disinfect. What can I do?
Other tools have also reported my machine is infected, but they cannot delete the entries either.
Tricky stuff! :cry:

Del

Hi norain,

Please export the respective registry key and submit it to us.

Regards,
Haja

Hey there (:WAV)

Please follow Haja’s advice. If I am not wrong, that is a key belonging to AVG. Have you uninstalled AVG?

Regards,
Valentin N

Yes, I had AVG on the machine for a while, then Avast for 1 year, and now only Comodo.
I can’t export the key as it’s invisible. When I look in the registry with regedit, those two keys do not show at all.
I have tried various registry cleaners, but most of them do not see these hidden keys, and the ones that can see them cannot delete them.

Here is a link that has the needed removal tools: ESET Knowledgebase

(I forgot to add the link, sorry)

Regards,
Valentin N

Use a bootable CD like UBCD4Win to access the registry; there you should be able to do what you want.

Valentin, there was no link displayed.

languy99, UBCD4Win seems to require the original CD. I don’t know where I put it. Thanks for the tip. I’ll search for my XP CD. My office is too messy! 88)

Perhaps you meant to link to something like this:
http://malwaretips.com/Thread-List-of-Uninstallers-and-Removal-Tools-for-Antivirus-Software

Hi all !

Windows XP Home SP3.
Comodo Firewall user for 3 years, together with the AVG free version.

Due to AVG slowing down my (very old) computer and to compatibility issues (AVG didn’t let me install the newest 2011 version because it claimed I had CIS and there would be a conflict, while in reality I only had the Comodo Firewall), I uninstalled AVG around 2 weeks ago, and then uninstalled the Comodo Firewall and installed the whole CIS from scratch.

Initial scans showed no detections, but recently I played with the “Scanner settings” and checked the “enable rootkit scan” box (while leaving the heuristics at the default ‘low’).

So in today’s bi-weekly scan Comodo suddenly finds:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

Rootkit.HiddenValue@0 Detect Success

I am not sure if it would come up in the default scan (without scanning for rootkits), probably not.

A quick look on Google brought me to these forums and THIS very recent thread, so I tend to believe this might be a false positive, but having a rootkit is the last thing I’d want :slight_smile:

Hey, and a warm welcome to the Comodo forums, slightly_concerned :slight_smile:

That might be a FP. An employee will contact you soon :slight_smile:

Hi slightly_concerned,
If you can find the file, you can submit it through this
link: Comodo Firewall | Get Best Personal Firewall Software for $29.99 A Year and we can have a look at it.
Thanks and Regards,
Lin mengze

If you’re not sure how to do this, follow my steps here (don’t worry, it’s a simple step-by-step) :wink:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
  1. Click “Start”
  2. Click “Run”
  3. Type in “regedit”
  4. Find the registry entry in question, in this case it’s
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
  5. Right click on “load”
  6. Click on “Export”
  7. Save it to “Desktop”
  8. Name the file “registry in question”
  9. Go to
    Comodo Antivirus Database | Submit Files for Malware Analysis
  10. Fill out the form and tell it where it’s located (Desktop)

Thanks for the replies.
Similarly to the user who started this thread, I cannot find this entry with regedit (I followed the advice from the post above me).

Here’s a screenshot; keep in mind it’s in my local language (Polish).

http://wstaw.org/m/2011/02/26/screenshot_.JPG

As you can see, in the indicated location there’s just no “load” showing.

Any more input appreciated.

To the thread starter: did you find a solution/explanation?

I guess the main problem now is finding that hidden registry key for Windows XP. You need to change the setting to show hidden folders and files.

Here’s the simplest way.

Download this file that I put on here (you have to be logged in to click on it, otherwise it won’t show).
IT’S AT THE BOTTOM OF MY POST :-La

  1. Download the file
  2. open the .rar file
  3. Double click on “showhiddenfiles.reg”
  4. click on “yes”
  5. If you already have regedit open, close it then reopen it
  6. find the file in question, in this case it is
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

Can you find the hidden registry key now??

For those that don’t want to download it, you can create what I uploaded by following the steps here
http://www.softwaretipsandtricks.com/forum/windows-xp/37769-unable-unhide-see-hidden-folders.html

If you get this screen here:

"Registry editing has been disabled by your administrator"
try it in Windows "safe mode".

=====================================================
Another possible idea, recommended by “Languy99” :slight_smile:,
is to use this program here

[attachment deleted by admin]

I downloaded and ran the script, but the keys are still invisible.
I still get the following results for each comodo scan:

Rootkit.HiddenValue@0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_Run
Rootkit.HiddenValue@0 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

but those keys do not show at all anywhere.
Malwarebytes does not see them either.
I am thinking these are a false positive maybe.

OK, I downloaded this file put here by jay2007tech (thanks!), but similarly to norain it didn’t change a thing.
Despite running it, and despite having changed the folder options to show hidden files, I cannot locate

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

I cannot locate it in safe mode either.

HOWEVER, I have tried to log in with the administrator account and I could see it.

On my PC I have one account, “Administrator” (accessible only in safe mode), and another one for myself, with full administrative privileges. I think that’s the common setup in Windows, but I’m not sure. Some people use an account with limited privileges for web surfing for increased security; I do not. I always use my account named after my first name, and the “Administrator” account exists because it needs to exist.

So basically, the entry in question can be seen when I log in with the “Administrator” account.

I am not sure why it can be seen there and not normally and how to proceed now.
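The registry export that Haja and jay2007tech ask for earlier in the thread, and the observation just above that the `load` value shows up only when logged on as Administrator, can both be checked from a single `reg export` of HKEY_USERS. The Python below is an added example written for this page, not code from the thread or from any Comodo tool: it parses a regedit-style `.reg` (version 5.00) dump and lists the `load`/`run` values and Run-key entries of every user profile the dump contains. HKEY_CURRENT_USER is only the logged-on account’s view of its own HKEY_USERS\<SID> hive, so a value stored in one profile is simply absent when regedit runs as a different account; putting the profiles side by side makes that visible. The SIDs, paths and value data in the sample are constructed placeholders (RID 500 is the built-in Administrator, 1000 a normal account), not data from the thread.

```python
# Added example, not from the thread or from Comodo: parse a regedit /
# `reg export` .reg dump and list each user profile's autostart values.
import re

# Constructed sample of what `reg export HKU hku.reg` might contain.  SIDs and
# value data are placeholders (RID 500 = built-in Administrator, 1000 = a normal
# account); none of it is data from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-500\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"load"="C:\\Documents and Settings\\Administrator\\update.exe"
"run"=""

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-500\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"=hex(2):43,00,3a,00,5c,00,78,00,2e,00,\
  65,00,78,00,65,00,00,00

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
'''

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                      # [-...] deletes a key
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # @ is the (Default) value
_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY"}

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)        # \\ -> \  and  \" -> "

def _decode_data(raw):
    """Right-hand side of a .reg value line -> (type name, decoded data)."""
    if raw == "-":
        return ("DELETE", None)              # "name"=- removes the value
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return ("REG_SZ", _unescape(raw[1:-1]))
    if raw.startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    m = re.match(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", raw)
    if m is None:
        return ("UNKNOWN", raw)
    kind = int(m.group(1), 16) if m.group(1) else 3   # bare "hex:" is REG_BINARY
    blob = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    name = _TYPES.get(kind, "REG_TYPE_%x" % kind)
    if kind in (1, 2):                                # NUL-terminated UTF-16LE text
        return (name, blob.decode("utf-16-le").rstrip("\x00"))
    return (name, blob)

def parse_reg(text):
    """Return {key path: {value name: (type, data)}}.  A real export is
    UTF-16LE with a BOM, so read it with open(path, encoding="utf-16")."""
    keys, current, pending = {}, None, ""
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if line.endswith("\\"):              # hex data continues on the next line
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = None if m.group(1) else m.group(2)
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "" if m.group(2) else _unescape(m.group(1))
            keys[current][name] = _decode_data(m.group(3).strip())
    return keys

# Per-user autostart points named in the thread.  HKEY_CURRENT_USER is only the
# logged-on account's view of its own HKEY_USERS\<SID> hive, so every profile
# carries its own copy of these keys.
AUTOSTART = (
    (r"software\microsoft\windows nt\currentversion\windows", ("load", "run")),
    (r"software\microsoft\windows\currentversion\run", None),     # None: all values
)

def autostart_entries(keys):
    """List (hive root, key suffix, value name, data) for every non-empty
    autostart value, one row per profile, so the profiles can be compared."""
    found = []
    for path, values in keys.items():
        for suffix, wanted in AUTOSTART:
            if not path.lower().endswith("\\" + suffix):
                continue
            root = path[:-(len(suffix) + 1)]
            for name, (typ, data) in values.items():
                if typ == "DELETE" or data in ("", b""):
                    continue
                if wanted is None or name.lower() in wanted:
                    found.append((root, suffix, name, data))
    return found

if __name__ == "__main__":
    for root, suffix, name, data in autostart_entries(parse_reg(SAMPLE_REG)):
        print("%s\n    %s  %s = %r" % (root, suffix, name, data))
```

On XP, `reg export HKU hku.reg` from a cmd prompt writes the dump (UTF-16LE, hence the `encoding="utf-16"` note in the code). Only profiles that are currently loaded appear under HKEY_USERS, so to look at the Administrator profile without logging on as it, load its hive first with `reg load HKU\tmp "C:\Documents and Settings\Administrator\NTUSER.DAT"` and `reg unload HKU\tmp` afterwards (the hive must not be in use). One caveat: the export is produced through the same registry API regedit uses, so it shows exactly what regedit shows. It cannot by itself confirm or rule out a value that a scanner reports as hidden from that API; what it gives the analyst is each profile’s visible autostart entries, and the visible contents of the key, for comparison.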

I give the possibility to do so :slight_smile:

If I am not wrong, run cmd as admin by right-clicking and then type net user administrator /active:yes (write “administrator” in your language).

Regards,
Valentin N

Valentin, thanks for the reply, but I’m not sure of the exact steps… and EVEN more of what it should accomplish, so I’m hesitant about doing what you said (at least for now).

I’m using XP SP3 as said previously; the default Administrator account exists and the entry

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

which CIS says is a rootkit, can be seen there. In my normal Windows account it cannot be seen, despite this account having full administrative privileges.

Overall, I must say I noticed quite a few threads on the Comodo board about suspected rootkit false positives. My limited knowledge tells me it’s also an FP in my case, but I’d want to prove it once and for all.
And ideally, Comodo would stop showing this rootkit (or ‘rootkit’?) during the rootkit scan.

Perhaps anyone from Comodo can comment again?

Oops. Can you activate your admin account?

Did some scans: Malwarebytes finds nothing, neither does SUPERAntiSpyware.
Comodo System Cleaner ‘repaired’ many registry entries (in aggressive mode) but didn’t do a thing about this “rootkit”.

I also used the Registry Trash Keys Finder, posted by jay2007tech and originally by languy99, it corrected some entries, but not this one.

I also scanned with Sophos Anti-Rootkit and RootkitRevealer and neither of them alerts me about this hidden entry.

I did upload the whole entry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows,
where “load” is not visible, to Comodo for analysis.

I hope someone will be able to look at it there and say what’s the problem or reason it is invisible.
I hope Comodo will also stop showing this as a rootkit sooner or later. :slight_smile: