
Strange Registry Keys located in HKCU & HKU


6 replies to this topic

#1 windowsxp550

windowsxp550

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Location:Maplewood, Minnesota
  • Local time:09:02 PM

Posted 13 August 2009 - 03:55 PM

I am not certain how or why these keys are there but under my HKEY_CURRENT_USER are a bunch of weird looking subkeys composed of random characters followed by an Equals sign. I have posted a screenshot to show. These keys also show up under HKEY_USERS. I have no idea how they got there and virus/spyware scans all come back clean. I am running Vista Ultimate and I am not really experiencing any problems.

Posted Image



I am concerned because I am fairly knowledgeable about computers and the registry but I have never seen anything like this before. Typically things like this set off my virus/worm/keylogger, etc. alarms.

Any ideas?



#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:02 PM

Posted 13 August 2009 - 04:00 PM

Hello and welcome to Bleeping Computer.

What virus/spyware scans have you used so far?
Computer Pro

#3 windowsxp550


Posted 13 August 2009 - 04:05 PM

I have scanned with my NOD32, ran a Spybot full scan, ran HijackThis and cleaned it up. Everything runs fine, but I am sure that these keys should not be there.

I am going to post a screenshot of the HKEY_USERS. The weird keys that appear under HKEY_CURRENT_USER also appear under one of the HKEY_USERS subkeys. It's hard to explain, so I will post the screenshot(s) in a second (after I get them loaded into ImageShack).

#4 windowsxp550


Posted 13 August 2009 - 04:11 PM

Ok here they are:

Posted Image
Posted Image
Posted Image

#5 Computer Pro


Posted 13 August 2009 - 04:11 PM

Ok, then please scan with Malwarebytes.

Let's take a look with Malwarebytes

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double-click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire MBAM report (even if it does not find anything) in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Computer Pro

#6 windowsxp550


Posted 13 August 2009 - 04:13 PM

See the key still has the normal keys you would expect, like:

AppEvents, Console, Control Panel, etc.

But then it also has all these extra keys with gibberish in them.

I am not sure what these are or what caused them or if they are a sign of some kind of virus/worm/hacking attempt.

#7 Computer Pro


Posted 13 August 2009 - 04:14 PM

They may be. I looked in my registry and do not have them (the gibberish ones), so please scan with Malwarebytes and see what it finds. The instructions are above.
Computer Pro
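
A read-only way to list the keys discussed in this thread, added here as an example and not posted by any participant: it reports top-level HKEY_CURRENT_USER subkeys that are not in a baseline of common names and marks the ones ending in "=". HKEY_CURRENT_USER is a view of HKEY_USERS\<SID of the logged-on user>, which is why the same keys show up in both places; the baseline list, the function name and the output path are assumptions made for this example.

```powershell
# Added triage example, not from the thread. Read-only: it lists keys and
# never modifies or deletes anything. Assumes PowerShell 3.0 or later.

# Assumption: hand-picked baseline of common HKCU top-level key names
# (AppEvents, Console and Control Panel are the ones named in the thread).
# It is not an authoritative list; extend it for your Windows build.
$Expected = @(
    'AppEvents', 'Console', 'Control Panel', 'Environment', 'EUDC',
    'Identities', 'Keyboard Layout', 'Network', 'Printers',
    'Software', 'System', 'Volatile Environment'
)

# Hypothetical helper: returns one object per subkey that is not in $Expected.
function Get-UnexpectedUserKey {
    param([Parameter(Mandatory)][string]$HivePath)

    Get-ChildItem -LiteralPath $HivePath -ErrorAction SilentlyContinue |
        Where-Object { $Expected -notcontains $_.PSChildName } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.PSChildName
                EndsWithEq  = $_.PSChildName.EndsWith('=')  # pattern from post #1
                SubKeyCount = $_.SubKeyCount
                ValueCount  = $_.ValueCount
            }
        }
}

# SID of the account running the script; its hive is HKEY_USERS\<SID>.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

$fromHkcu = @(Get-UnexpectedUserKey 'Registry::HKEY_CURRENT_USER')
$fromHku  = @(Get-UnexpectedUserKey "Registry::HKEY_USERS\$sid")

$fromHkcu | Sort-Object Name | Format-Table -AutoSize

# Both paths open the same hive, so the two name lists should be identical.
$a = ($fromHkcu | ForEach-Object { $_.Name } | Sort-Object) -join "`n"
$b = ($fromHku  | ForEach-Object { $_.Name } | Sort-Object) -join "`n"
'HKCU and HKU\{0} list the same unexpected keys: {1}' -f $sid, ($a -eq $b)

# Keep a copy of the findings to attach to a support thread or ticket.
$fromHkcu | Export-Csv -NoTypeInformation -Path "$env:TEMP\hkcu-unexpected-keys.csv"
```

A key flagged here is only "not in the baseline"; installed software can legitimately add top-level keys, so treat the output as a list to investigate rather than a verdict.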



