Working with Quarantined HKCU Registry Values, Data and Files



#1 Babziellia

  • Members
  • 6 posts
  • Gender: Female
  • Location: Texas

Posted 09 May 2012 - 10:45 AM

Greetings.
A Rogue.FakeAV and PUM.Hijack.StartMenu took over my laptop yesterday. I've isolated it in quarantine with Malwarebytes. There are 7 entries total: 4 files, 1 registry value and 2 registry data entries.

I was searching for graphics when I got hit with this drive-by download. It shut down and locked me out of my apps, hid my program data files, app data files and all my shortcut links in the desktop/start menus. It used my own anti-virus software screen to try to get me to buy a "component" I "didn't have."

Laptop is in safe mode currently. I'm on another computer as I type.

I have kids; they constantly download junk and sometimes they get infected. I've dealt with this before; however, this particular one is on my primary laptop and I need to proceed carefully. Unlike my children, I have data I cannot lose without serious consequences. So here I am, seeking help.

The virus executables do not produce google results like they normally do. So, has anyone heard of items:

c:\programData\ZuTBB1WK8qdEiQ.exe
c:\programData\HVQyGgmxOVolAC.exe
c:\users\...\AppData\..\cqimjtkzynyzbmgl[1].exe
c:\users\...\AppData\...\NNyikPGrHVD4xG.exe.tmp

?

I know to probably delete them.

My main purpose here is to understand the registry entries these little buggers made on my laptop.

I'm confident editing my registry. However, I'm not confident that these registry items are fake and can be deleted or if I need to fix the values.

In Windows 7, is there an authentic registry line/value/data for (going to list them) and do they have default values I can use or are these fake or duplicate entries?

(These are quarantined in Malwarebytes)
First one is

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|HVQyGgmxOVolAC.exe
MalB Category: Registry Value
Vendor: Rogue.FakeAV

Second one is

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer
MalB Category: Registry Data
Vendor: PUM.Hijack.StartMenu

Third one is

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch
MalB Category: Registry Data
Vendor: PUM.Hijack.StartMenu

I would appreciate if you could confidently tell me if these three registry items can be deleted without a problem or if I need to fix the values/data in the registry.

Thanks.

Edit: Moved topic from AntiVirus, Firewall and Privacy Products and Protection Methods to the more appropriate forum. ~ Animal

#2 herg62123

  • Members
  • 553 posts
  • Gender: Male
  • Location: Montgomery, AL

Posted 09 May 2012 - 11:03 AM

It looks like you had this virus - Smart HDD


The virus executables do not produce google results like they normally do. So, has anyone heard of items:

c:\programData\ZuTBB1WK8qdEiQ.exe
c:\programData\HVQyGgmxOVolAC.exe
c:\users\...\AppData\..\cqimjtkzynyzbmgl[1].exe
c:\users\...\AppData\...\NNyikPGrHVD4xG.exe.tmp



Those files look like the main virus files that installed the virus. So they need to be removed carefully.

#3 Babziellia (Topic Starter)

  • Members
  • 6 posts
  • Gender: Female
  • Location: Texas

Posted 09 May 2012 - 12:28 PM

Yes @HERG... It was SMART HDD! That's what the screen said. But I recall the window label was S.M.A.R.T. something.

I got trigger-happy and deleted the 4 quarantined files before I read your post. But I just ran UNHIDE anyway. It successfully restored my hidden menu and desktop items; however, it didn't restore ALL my toolbar shortcuts. My custom pinned apps do not display. I'll just re-pin them.

Interesting that some of the folders on the StartMenu/Programs display as highlighted. They are not greyed out, and I can access them. Do you know why they are shaded?

Concerning the registry value and data items, I didn't find the one value under the |Run; I assume it was removed to quarantine as a bogus entry. I DID find the 2 data lines associated with the PUM.Hijack.StartMenu mentioned above in the registry file. The values looked normal and I couldn't tell if these were authentic or not. Plus, I didn't have a restore point for the registry. So, I backed up the registry, and then removed these two keys altogether. Not sure this was smart or stupid. Rebooted. No ill effects YET. These items are still in quarantine.

Most everything looks back to normal.
Thanks for responding.
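The first post asks whether the HKCU Run value and the two Explorer\Advanced values are fake or just tampered with, and the third post describes checking and removing them by hand after a registry backup. As an added example (not code from the thread, from Malwarebytes, or from either poster), the PowerShell script below audits exactly those locations on a Windows 7 or later machine for the current user: it lists every Run value and flags targets that live in a user-writable directory, have a random-looking name, or no longer exist, and it compares Start_ShowMyComputer and Start_ShowSearch against an expected value. Assumptions not stated in the thread: the expected default for both DWORD values is 1 (item shown as a link), and the entropy threshold of 3.5 bits per character is a rough heuristic, not a verdict. Malwarebytes writes `key|value` in its log; the script uses the same key and value names.

```powershell
<#
  Added example, not from the thread. Audits the three HKCU locations named
  in the first post. Read-only unless -Fix is given.
  Assumptions (not from the thread): Windows 7 default for both
  Explorer\Advanced values is DWORD 1; the 3.5 entropy cut-off is a heuristic.
#>
[CmdletBinding()]
param([switch]$Fix)

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Assumed defaults for the two PUM.Hijack.StartMenu values (1 = show as a link).
$expected = @{ Start_ShowMyComputer = 1; Start_ShowSearch = 1 }

# Shannon entropy in bits per character. A dropper name like HVQyGgmxOVolAC
# scores about 3.7; "explorer" scores 2.5. Long legitimate names can also
# score high, so treat this as a hint to look closer, not as proof.
function Get-NameEntropy([string]$s) {
    if ([string]::IsNullOrEmpty($s)) { return 0.0 }
    $chars = $s.ToCharArray()
    $h = 0.0
    foreach ($g in ($chars | Group-Object -CaseSensitive)) {
        $p = $g.Count / $chars.Length
        $h -= $p * [Math]::Log($p, 2)
    }
    return [Math]::Round($h, 2)
}

# Extract the executable from a Run command line, quoted or not, and expand
# %SystemRoot%-style variables so Test-Path sees a real path.
function Get-RunTarget([string]$cmd) {
    $exe = $cmd
    if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($cmd -match '^\s*(\S+)') { $exe = $Matches[1] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

Write-Host "== $runKey =="
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($p in $run.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $exe   = Get-RunTarget ([string]$p.Value)
        $base  = [IO.Path]::GetFileNameWithoutExtension($exe)
        $flags = @()
        if ($exe -match '\\ProgramData\\|\\AppData\\|\\Temp\\') { $flags += 'user-writable path' }
        if ((Get-NameEntropy $base) -ge 3.5)                      { $flags += 'random-looking name' }
        if (-not (Test-Path -LiteralPath $exe))                  { $flags += 'target missing' }
        '{0,-24} {1}' -f $p.Name, $p.Value
        if ($flags.Count -gt 0) { '    -> ' + ($flags -join ', ') }
    }
} else {
    'no Run key for this user'
}

Write-Host "`n== $advKey =="
$adv = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue
foreach ($name in $expected.Keys) {
    $prop = $null
    if ($adv) { $prop = $adv.PSObject.Properties[$name] }
    $cur = '<absent>'
    if ($prop) { $cur = $prop.Value }
    $ok = ("$cur" -eq "$($expected[$name])")
    $status = 'ok'
    if (-not $ok) { $status = 'DIFFERS' }
    '{0,-22} current={1,-9} expected={2}  {3}' -f $name, $cur, $expected[$name], $status
    if ($Fix -and -not $ok) {
        # Creates the value if it was deleted (as in post #3); Explorer reads it
        # again after a log off and log on.
        Set-ItemProperty -Path $advKey -Name $name -Value $expected[$name] -Type DWord
        "    -> set $name to $($expected[$name])"
    }
}
```

Run it as the affected user (the keys are under HKCU, so another account sees different data), first without `-Fix` to see what is there, then with `-Fix` if the two Explorer\Advanced values are missing or differ. The Run value from the first post would show up with both the `user-writable path` and `random-looking name` flags, and, once the file is deleted or quarantined, `target missing` as well; a Run value whose target is gone does nothing but is still worth removing so the name does not linger.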
