• Dodgy Registry Keys keep re-appearing.

    • This topic has 11 replies, 7 voices, and was last updated 9 years ago.
    • #505246

    I was running my AVG utilities program around a week ago and it kept finding 2 empty keys marked for removal, one of which sparked my interest.
    The two keys are:
    HKEY_CURRENT_USER\Software\Locky
    HKEY_CURRENT_USER\Software\6925KrIr4fw

    The Locky entry scared the pants off me. I have done a full check with ESET, Malwarebytes and FixMeStick, and I cannot find any dodgy stuff on the computer; all seems to be operating normally.
    I have tried removing both these keys within regedit, and they disappear until I reboot the computer and then they re-appear.
    About a month ago I received an email with a word attachment which I promptly deleted as I have read that this is one of the common ways for ransomware to attack. I never open any attachments unless I am 100% certain of their content and certainly not word/doc attachments.
    I was wondering if this attachment, although deleted immediately, did something. ESET have said to me that I should probably reformat and start again; I know this is a possibility, but was wondering if anyone here has struck this scenario.

    • #1559705

      Try scanning with several different scanning tools. For example, Trend Micro has some free tools at their website, one of which is called Trend Micro Anti-Ransomware Tool. Check other vendors’ web sites also for their free manual scanning tools.

      If, after you have tried several different tools, the ransomware seems to still be there, you might try doing a restore point to back before the suspicious behavior appeared.

      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server
    • #1559706

      At the end of this lengthy article there are some steps that will allow you to go deeper to get rid of Locky.

      http://www.virusresearch.org/remove-locky-files-recover-instructions/#recover

      The fact that your machine is otherwise working okay may mean that something on your computer has disrupted its spread through your system – it seems like you may have had a lucky escape.

      However, restoring with a system image would have nipped this in the bud, so once your machine is clean, get into the habit of creating regular system images.

    • #1559711

      Exfso2,

      That registry entry would scare me too!

      Locky can also spread by other spam email attachments like Microsoft Excel macros, JavaScript and possibly even PowerPoint macros (and of course any executable file!). Are you the only one using that machine? Can you guarantee that no one else opened one?

      I’d also give a scan with the free Emsisoft Emergency Kit:
      https://www.emsisoft.com/en/software/eek/

      Have you done some research about Locky? There is a great write-up here:
      http://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/

      Have you double-checked that you recognize everything in the Windows start-up list? If the registry entries keep re-appearing then they are coming from somewhere.
      I would also check that there are absolutely no signs of encrypted files.

      In fact I would probably go overboard and not boot from that OS/drive again until I was sure. I would instead attach it to another PC and scan it from there.

      Do you have recent backups?

      Good Luck!
      -brino

      • #1559715


        Yes, I am the only person who uses this computer. Everything I use regularly appears totally normal. I do have a full image backup, but surely that would be compromised as well, as it backs up weekly to an external USB expansion drive.

    • #1559721

      I create a system image onto an external HDD after the various updates each month and then it is unplugged.

      However, I always give the machine a scan before creating the new image.

    • #1560906

      I have had a guy from Bleeping Computer trying to help; we have done a heap of tests, and he has finally concluded that my computer is clean except for the registry entries continuing to appear. He believes they are pointing nowhere and, unless the computer acts up, to basically ignore them. He has closed the thread over there, so I just need to monitor things.

    • #1560909

      Registry entries do not appear randomly, they are inserted by software.
      Have you booted from a virus checking CD and then scanned your computer?
      http://windowssecrets.com/forums/showthread//175475-Update-Tools-to-remove-almost-any-malware

      cheers, Paul

    • #1560914

      I favour the Kaspersky Rescue Disk as mentioned in Paul’s link, but Process Explorer may show up what may be activating them.

      https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx

      Click on Options and ensure Verify Signature is checked then hover over VirusTotal.com and check its box.

      In the VirusTotal column, any suspect entries will be shown in red with a highish value/50ish, but check the signatures of each item.

      I assume the bleepingcomputer guy checked your msconfig for start-up items as well as Task Scheduler?

      Also download FreeFixer http://www.freefixer.com/

      That will have a removal box next to every file that hasn’t been white listed.

      Look through those and click on the more info button for any you aren’t sure about which will give its origin.
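
      The post above walks through the same audit by hand (start-up items, Task Scheduler, signature checks). The following PowerShell script is an added example, not part of this thread and not code from any of the tools named in it: it reports whether the two keys from the opening post currently exist and what they contain, then lists the common autostart locations (Run/RunOnce keys, Startup folders, enabled scheduled tasks) with the Authenticode status of each launched executable, unsigned or missing files first. It assumes Windows 8/10 or later (for Get-ScheduledTask) and an elevated PowerShell 5.1 session run as the affected user; the key names are the two reported in the opening post.

```powershell
# Added example (not from the thread). Assumes Windows 8/10+, PowerShell 5.1, elevated,
# run as the user whose HKCU hive contains the keys. Key names are those the OP reported.
$SuspectKeys = @(
    'HKCU:\Software\Locky',
    'HKCU:\Software\6925KrIr4fw'
)

# Report existence, value count, subkey count and every value of the reported keys.
function Get-SuspectKeyReport {
    foreach ($key in $SuspectKeys) {
        if (Test-Path -LiteralPath $key) {
            $item = Get-Item -LiteralPath $key
            $values = ($item.GetValueNames() | ForEach-Object { "$_=$($item.GetValue($_))" }) -join '; '
            [pscustomobject]@{ Key = $key; Exists = $true; ValueCount = $item.ValueCount
                               SubKeys = $item.SubKeyCount; Values = $values }
        } else {
            [pscustomobject]@{ Key = $key; Exists = $false; ValueCount = 0; SubKeys = 0; Values = '' }
        }
    }
}

# Autostart locations that can re-create registry keys on every logon/boot.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunKeyEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata PowerShell adds to every registry object.
            if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Get-StartupFolderEntries {
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -File | ForEach-Object {
            [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-ScheduledTaskEntries {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # non-exec actions (COM handler, e-mail) carry no path
            [pscustomobject]@{ Source  = "Task $($task.TaskPath)$($task.TaskName)"; Name = $task.TaskName
                               Command = ("$($action.Execute) $($action.Arguments)").Trim() }
        }
    }
}

# Pull the executable path out of a command line: quoted path, or first token if unquoted.
function Get-ExecutablePath([string]$Command) {
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
    }
    return ($expanded -split '\s+')[0]   # unquoted path with spaces will not resolve and is flagged NoFile
}

# Same idea as Process Explorer's "Verify Signature": Authenticode status and signer per entry.
function Add-SignatureInfo {
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        $exe = Get-ExecutablePath $Entry.Command
        $status = 'NoFile'; $signer = ''
        if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        $Entry | Add-Member -NotePropertyName Executable -NotePropertyValue $exe    -PassThru |
                 Add-Member -NotePropertyName Signature  -NotePropertyValue $status -PassThru |
                 Add-Member -NotePropertyName Signer     -NotePropertyValue $signer -PassThru
    }
}

Write-Host '== Reported keys =='
Get-SuspectKeyReport | Format-Table -AutoSize

Write-Host '== Autostart entries (unsigned / missing files listed first) =='
$entries = @(Get-RunKeyEntries) + @(Get-StartupFolderEntries) + @(Get-ScheduledTaskEntries) | Add-SignatureInfo
$entries | Sort-Object { $_.Signature -eq 'Valid' }, Source |
    Format-Table Source, Name, Signature, Signer, Command -AutoSize -Wrap
```

      Anything that shows Signature other than Valid, or NoFile, is what to look up (the FreeFixer "more info" step above does the same job per file). An entry that writes to HKCU\Software on each logon would normally appear in one of these lists; if nothing here explains the keys, the re-creation is coming from a service, a driver, or a security product rather than a user autostart.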

    • #1560915

      Can we have a link to your Malwarebytes topic please, there could be useful info in the logs supplied?

      EDIT: Sorry, that should have been Bleeping topic…

    • #1560923

      I happened to see the thread in question at Bleeping Computer. Interesting.
      http://www.bleepingcomputer.com/forums/t/611050/suspect-registry-entries-keep-returning/

    • #1560925

      Those keys appear to have been created as a preventative measure by BitDefender’s AntiRansomware.

      HKEY_CURRENT_USER\Software\dAPI5c95x1Tqa (‘random’ name).
      HKEY_CURRENT_USER\Software\Locky

      https://labs.bitdefender.com/2016/03/combination-crypto-ransomware-vaccine-released/
