  1. #1
    Lounger

    Dodgy Registry Keys keep re-appearing.

    I was running my AVG utilities program around a week ago and it kept finding 2 empty keys marked for removal, one of which sparked my interest.
    The two keys are:
    HKEY_CURRENT_USER\Software\Locky
    HKEY_CURRENT_USER\Software\6925KrIr4fw

    The Locky entry scared the pants off me. I have done a full check with ESET, Malwarebytes and FixMeStick, and I cannot find any dodgy stuff on the computer; all seems to be operating normally.
    I have tried removing both these keys within regedit, and they disappear until I reboot the computer and then they re-appear.
    About a month ago I received an email with a Word attachment, which I promptly deleted as I have read that this is one of the common ways for ransomware to attack. I never open any attachments unless I am 100% certain of their content, and certainly not Word/.doc attachments.
    I was wondering if this attachment, although deleted immediately, did something. ESET have said to me that I should probably reformat and start again. I know this is a possibility, but was wondering if anyone here has struck this scenario.

  2. #2
    WS Lounge VIP mrjimphelps
    Try scanning with several different scanning tools. For example, Trend Micro has some free tools at their website, one of which is called Trend Micro Anti-Ransomware Tool. Check other vendors' web sites also for their free manual scanning tools.

    If, after you have tried several different tools, the ransomware seems to still be there, you might try restoring to a restore point from before the suspicious behavior appeared.

  3. #3
    Super Moderator
    At the end of this lengthy article there are some steps that will allow you to go deeper to get rid of Locky.

    http://www.virusresearch.org/remove-...tions/#recover

    The fact that your machine is otherwise working okay may mean that something on your computer disrupted its spread through your system - it seems like you may have had a lucky escape.

    However, restoring with a system image would have nipped this in the bud, so once your machine is clean, get into the habit of creating regular system images.
    Last edited by Sudo15; 2016-04-12 at 08:41.

  4. #4
    Star Lounger
    Exfso2,

    That registry entry would scare me too!

    Locky can also spread by other spam email attachments like Microsoft Excel macros, JavaScript and possibly even PowerPoint macros (and of course any executable file!). Are you the only one using that machine? Can you guarantee that no one else opened one?

    I'd also give a scan with the free Emsisoft Emergency Kit:
    https://www.emsisoft.com/en/software/eek/

    Have you done some research about Locky? There is a great write-up here:
    http://www.bleepingcomputer.com/news...etwork-shares/

    Have you double-checked that you recognize everything in the Windows start-up list? If the registry entries keep re-appearing then they are coming from somewhere.
    I would also check that there are absolutely no signs of encrypted files.

    In fact I would probably go overboard and not boot from that OS/drive again until I was sure. I would instead attach it to another PC and scan it from there.

    Do you have recent backups?

    Good Luck!
    -brino

  5. #5
    Lounger
    Quote Originally Posted by brino:
    Exfso2,

    That registry entry would scare me too!

    Locky can also spread by other spam email attachments like Microsoft Excel macros, JavaScript and possibly even PowerPoint macros (and of course any executable file!). Are you the only one using that machine? Can you guarantee that no one else opened one?

    I'd also give a scan with the free Emsisoft Emergency Kit:
    https://www.emsisoft.com/en/software/eek/

    Have you done some research about Locky? There is a great write-up here:
    http://www.bleepingcomputer.com/news...etwork-shares/

    Have you double-checked that you recognize everything in the Windows start-up list? If the registry entries keep re-appearing then they are coming from somewhere.
    I would also check that there are absolutely no signs of encrypted files.

    In fact I would probably go overboard and not boot from that OS/drive again until I was sure. I would instead attach it to another PC and scan it from there.

    Do you have recent backups?

    Good Luck!
    -brino
    Yes, I am the only person who uses this computer. Everything I use regularly appears totally normal. I do have a full image backup, but surely that would be compromised as well, as it backs up weekly to an external USB expansion drive.

  6. #6
    Super Moderator
    I create a system image onto an external HDD after the various updates each month and then it is unplugged.

    However, I always give the machine a scan before creating the new image.

  7. #7
    Lounger
    I have had a guy from Bleeping Computer trying to help. We have done a heap of tests, and he has finally concluded that my computer is clean except for the registry entries continuing to appear. He believes they are pointing nowhere and, unless the computer acts up, to basically ignore them. He has closed the thread over there, so I just need to monitor things.

  8. #8
    WS Lounge VIP
    Registry entries do not appear randomly; they are inserted by software.
    Have you booted from a virus checking CD and then scanned your computer?
    http://windowssecrets.com/forums/sho...st-any-malware

    cheers, Paul

  9. #9
    Super Moderator
    I favour the Kaspersky Rescue Disk as mentioned in Paul's link, but Process Explorer may show up what may be activating them.

    https://technet.microsoft.com/en-us/...sexplorer.aspx

    Click on Options and ensure Verify Signature is checked, then hover over VirusTotal.com and check its box.

    In the VirusTotal column, any suspect entries will be shown in red with a highish value/50ish, but check the signatures of each item.

    I assume the Bleeping Computer guy checked your msconfig for start-up items as well as Task Scheduler?

    Also download FreeFixer: http://www.freefixer.com/

    That will have a removal box next to every file that hasn't been whitelisted.

    Look through those and click on the More Info button for any you aren't sure about, which will give its origin.

  10. #10
    Super Moderator satrow
    Can we have a link to your Malwarebytes topic, please? There could be useful info in the logs supplied.

    EDIT: Sorry, that should have been Bleeping topic...
    Last edited by satrow; 2016-04-20 at 08:51.

  11. #11
    Star Lounger cpwilson
    I happened to see the thread in question at Bleeping Computer. Interesting.
    http://www.bleepingcomputer.com/foru...eep-returning/


  13. #12
    Super Moderator satrow
    Those keys appear to have been created as a preventative measure by BitDefender's AntiRansomware.

    HKEY_CURRENT_USER\Software\dAPI5c95x1Tqa ('random' name).
    HKEY_CURRENT_USER\Software\Locky

    https://labs.bitdefender.com/2016/03...cine-released/

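A read-only PowerShell check, added here as an example (it is not code from anyone in this thread, nor from BitDefender), covering the two things the posts above debate: empty marker keys directly under HKCU\Software, such as the two keys satrow traces to the BitDefender vaccine, and the per-user Run/RunOnce autostart entries brino and Sudo15 suggest auditing, with the Authenticode status of each launched binary. The "random-looking name" test is my own heuristic, not anything BitDefender documents, and nothing here deletes a key.

```powershell
# Added example: inventory empty HKCU\Software keys and per-user autostart
# entries. Read-only; run in a normal (non-elevated) PowerShell session.

function Get-EmptySoftwareKey {
    # Keys with no values and no subkeys directly under HKCU\Software.
    # The vaccine keys named in the thread (…\Software\Locky and a
    # mixed-case 'random' name) look exactly like this.
    Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue |
        Where-Object { $_.ValueCount -eq 0 -and $_.SubKeyCount -eq 0 } |
        ForEach-Object {
            $n = $_.PSChildName
            [pscustomobject]@{
                Key           = $_.Name
                KnownMarker   = ($n -eq 'Locky')
                # heuristic (mine): 8-16 alphanumerics mixing upper, lower and digits
                RandomLooking = ($n -match '^[A-Za-z0-9]{8,16}$' -and
                                 $n -cmatch '[a-z]' -and $n -cmatch '[A-Z]' -and
                                 $n -match '\d')
            }
        }
}

function Get-UserAutostart {
    # Per-user Run/RunOnce values, plus the Authenticode signature status of
    # the executable each one launches (the "check the signatures" step).
    $paths = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($p in $paths) {
        $item = Get-Item -Path $p -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # Crude extraction of the executable: quoted path, else first token.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $sig = if (Test-Path -LiteralPath $exe) {
                       (Get-AuthenticodeSignature -FilePath $exe).Status
                   } else { 'FileMissing' }
            [pscustomobject]@{ Location = $p; Name = $name; Command = $cmd; Signature = $sig }
        }
    }
}

Get-EmptySoftwareKey | Format-Table -AutoSize
Get-UserAutostart    | Format-Table -AutoSize
```

Many legitimate programs leave empty vendor keys under HKCU\Software, so the first table needs judgement; the useful signal from this thread is a match on a known vaccine name such as Locky, and any autostart entry whose binary is missing or unsigned deserves the Process Explorer/VirusTotal look Sudo15 describes.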
