Comodo reports these entries as a rootkit.

Rootkit.HiddenValue@0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_Run
Rootkit.HiddenValue@0 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

It will not allow me to quarantine nor disinfect. What can I do?
Other tools have also reported my machine is infected, but they cannot delete the entries either.
Tricky stuff! :cry:


Hi norain,

Please export respective registry key and submit it to us.


Hey there (:WAV)

Please follow haja’s advice. if I am not wrong that a key to AVG. have you uninstalled AVG?

Valentin N

Yes, I had AVG on the machine for awhile, then Avast for 1 year, and now only Comodo.
I can’t export the key as its invisible. When I look in the registry with regedit those two keys do not show at all.
I have tried various registry cleaners, but most of them do not see these hidden keys, and the ones that can see them cannot delete them.

here is a like that has the needed removal tools. ESET Knowledgebase

(I forgot to add the link, sorry)

Valentin N

use a bootable cd like UBCD4Win to access the registry, there you should be able to do what you want.

Valentin there was no link displayed.

languy99 UBCD4Win seems to require the original CD. I don’t know where I put it. Thanks for the tip. I’ll search for my XP cd. My office is too messy! 88)

Perhaps you meant to link to something like this:

Hi all !

Windows XP Home SP3.
Comodo firewall user since 3 years, together with AVG free version.

Due to AVG slowing down my (very old) computer and to compatibility issues (AVG dfidnt let me install the newest 2011 version because it claims I have CIS and there would be a conflict, while in reality I only had the Comodo Firewall) I uninstalled AVG around 2 weeks ago, and then uninstalled Comodo firewall and installed from scratch the whole CIS.

Initial scans showed no detections, but recently I played in the “Scanner settings” and checked the “enable rootkit scan” box (while leaving the heuristics at the default ‘low’).

So in my todays bi-weekly scan Comodo suddenly finds :

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

Rootkit.HiddenValue@0 Detect Success

I am not sure if it would come on the default scan (without scanning for rootkits), probably not .

A quick look into google brought me to these forums here and THIS very recent thread, so I tend to believe this might be a false positive, but having a rootkit is the last thing I’d want :slight_smile:

Hey and warm welcome tom comodo forums slightly_concerned :slight_smile:

That might be a FP. an employee with contact you soon :slight_smile:

Hi slightly_concerned,
If you can find the file,you can submit through this
link:Comodo Firewall | Get Best Personal Firewall Software for $29.99 A Year we can go to have a look at it.
Thanks and Regards,
Lin mengze

If your not sure on how to do this, follow my steps here (don’t worry, it simple step-by-step) :wink:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
  1. Click “start”
  2. Click “run”
  3. type in “regedit”
  4. Find the registry in question, in this case it’s
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
  5. Right click on “load”
  6. Click on “export”
  7. Save it to “desktop”
    Cool name the file “resistry in question”
  8. go to
    Comodo Antivirus Database | Submit Files for Malware Analysis
    10)fill out the form and tell it where it’s located (desktop)

Thanks for the replies.
Similarly to the user who started this thread, I cannot find this entry with regedit (I followed the advice from the post above me)

Here’s a screenshot, keep in mind its local language (polish).

as you can see, in the indicated location, there’s just no “load” showing

any more input appreciated

to the thread starter, did you find a solution/explanation ?

I guess the main problem now is finding that hidden registry key for windows xp. You need to change the setting to show hidden folders and files

Here’s the simplest way.

download this file that I put on here (you have to be logged in to click on it other wise it won’t show it)

  1. Download the file
  2. open the .rar file
  3. Double click on “showhiddenfiles.reg”
  4. click on “yes”
  5. If you already have regedit open, close it then reopen it
  6. find the file in question, in this case it is
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

Can you find the hidden registry key now??

For those that don’t want to download it, you can create what I uploaded by following the steps here

If you get this screen here

"Registry editing has been disable by your administrator"
try it in windows "safe mode"

another possible idea recommended by “Languy99” :slight_smile:
is to use this program here

[attachment deleted by admin]

I downloaded and ran the script, but the keys are still invisible.
I still get the following results for each comodo scan:

Rootkit.HiddenValue@0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AVG7_Run
Rootkit.HiddenValue@0 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

but those keys do not show at all anywhere.
Malwarebytes does not see them either.
I am thinking these are a false positive maybe.

Ok, I downloaded this file put here by jay2007tech (thanks!) but similarly to norain it didn’t change a thing.
Despite running it, despite having changed the folder options to show hidden files, I can not locate

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

I can not locate it in safe mode either.

HOWEVER, I have tried to log in with the administrator account and I could see it.

On my PC, I got one account “administrator” (accessible only in safe mode) and another one for myself, with full administrtive privileges. I think that’s the common set up in Windows but Im not sure. Some people use an account with limited privileges for web surfing for increased security, I do not. I always use my account named after my first name, and the “administrator” account exists because it needs to exist.

So basically, the entry in question can be seen when I log in with the “Administrator” account.

I am not sure why it can be seen there and not normally and how to proceed now.

I give to the possibity to do so :slight_smile:

If I am not wrong run cmd as admin by right click and then write net user administrator /active:yes (write admin in your language)

Valentin N

Valentin, thanks for the reply, but I’m not sure on the exact steps… and EVEN more on what it should accomplish, so I’m hesistant on doing what you said (at least for now).

Im using XP sp3 as said previously, the default administrator account exists and the entry

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

which is told by CIS to be a rootkit, can be seen there. In my normal windows account, it can not be seen, despite this account having full administrative privileges.

Overall, I must say I noticed quite a few threads on the comodo board about suspected rootkit false positives. My limited knowledge tells me its also a f/p in my case, but I’d want to prove it once and for all.
And ideally, Comodo would stop showing this rootkit (or ‘rootkit’?) during the rootkin scan.

Perhaps anyone from Comodo can comment again?

ops. Can you activate your admin account?

Did some scans, Malwarebytes finds nothing, neither does Super Anti Spyware.
Comodo System Cleaner ‘repaired’ many registry entries (in agressive mode) but didn’t do a thing about this “rootkit”.

I also used the Registry Trash Keys Finder, posted by jay2007tech and originally by languy99, it corrected some entries, but not this one.

I also scanned with Sophos Anti Rootkit and RootkitRevelear and neither of them alerts me of this hidden entry.

I did upload the whole entry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
where “load” is not visible for analysis to Comodo.

I hope someone will be able to look at it there and say what’s the problem or reason it is invisible.
I hope Comodo will also stop showing this as a rootkit sooner or later. :slight_smile: