Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Suspect registry entries keep returning


  • This topic is locked This topic is locked
31 replies to this topic

#1 Exfso

Exfso

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Local time:04:27 AM

Posted 13 April 2016 - 07:42 AM

I was running my AVG utilities program around a week ago and it kept finding 2 empty keys marked for removal. One of which sparked my interest.
The two keys are:
HKEY_CURRENT_USER\Software\Locky
HKEY_CURRENT_USER\Software\6925KrIr4fw

The locky entry scared the pants off me. I have done a full check with, eset, malwarebytes, fixmestick, plus at least another dozen programs to check for malware,  and I cannot find any dodgy stuff on the computer, all seems to be operating normally.
I have tried removing both these keys within regedit, and they disappear until I reboot the computer and then they re-appear. Some process is making these keys re-appear, but it is beyond me.

Just for information about a month ago I received an email with a word attachment which I promptly deleted as I have read that this is one of the common ways for ransomware to attack. I never open any attachments unless I am 100% certain of their content and certainly not word/doc attachments.
I was wondering if this attachment although deleted immediately did something. Eset have said to me that I should probably reformat and start again, I know this is a possibility, but was wondering if anyone here has struck this scenario.

I am the only person who touches this computer so I know that no one else could have opened anything suspect.

As far as I can tell everything is operating as it should be with the possible exception of system restore that seems to have stopped.  This has happened in the past and I eventually just re-formatted and did a complete re-build, with no issues.

Any help much appreciated.

 

 



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:57 PM

Posted 13 April 2016 - 08:15 AM

Hello, Welcome to SpywareInfoForum.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

The Registry entries may be some remnant of the failed Ransomware, read about it.

The Locky Ransomware Encrypts Local Files and Unmapped Network Shares
http://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/
===

Let find out what else it has left over.

===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish,so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===


Please post the logs.

Wait for further instructions.

#3 Exfso

Exfso
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Local time:04:27 AM

Posted 13 April 2016 - 08:50 AM

Attached are the requested scans for your perusal.

Thanks for being so prompt.

 

I have malwarebytes premium installed for over 12 months now, it is currently doing the scan for you as requested .

Attached Files


Edited by Exfso, 13 April 2016 - 09:04 AM.


#4 Exfso

Exfso
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Local time:04:27 AM

Posted 13 April 2016 - 09:15 AM

enclosed logs for adwcleaner and mwbytes. The scan on adwcleaner was done yesterday.

Attached Files



#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:57 PM

Posted 13 April 2016 - 01:10 PM



Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.
Please copy the entire contents of the code box below to the a new file.
 
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\igfxcui: igfxdev.dll [X]
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION
Winsock: Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224 2014-12-06] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224 2009-07-14] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\napinsp.dll"
Winsock: Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024 2009-07-14] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\pnrpnsp.dll"
Winsock: Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024 2009-07-14] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\pnrpnsp.dll"
Winsock: Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424 2013-09-08] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992 2009-07-14] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\System32\winrnr.dll"
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @EDVR/WebClient -> C:\windows\system32\WebClient\npwebclient.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF user.js: detected! => C:\Users\Peter Miller\AppData\Roaming\Mozilla\Firefox\Profiles\tebpp3nq.default\user.js [2016-04-11]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Peter Miller\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
S3 efavdrv; \??\C:\Windows\system32\drivers\efavdrv.sys [X]
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
C:\Users\Peter Miller\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51 [178]
cmd: netsh winsock reset catalog
End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please post the log and let me know of any issues with this computer.

#6 Exfso

Exfso
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Local time:04:27 AM

Posted 13 April 2016 - 07:49 PM

I have done as requested and note that the registry entries mentioned previously still come up.  Attached is the fix  log.

Attached Files



#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:57 PM

Posted 14 April 2016 - 06:43 AM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe
  • to run it.
  • Copy and paste the content
  • of the following bold text into the main textfield:
    :regfind
    Locky
    6925KrIr4fw
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===

Let see what this scan will report.

#8 Exfso

Exfso
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Local time:04:27 AM

Posted 14 April 2016 - 07:30 AM

I hope this is what you are looking for.

BTW, this key is another that keeps popping up and is empty:  HKEY_CURRENT_USER\Software\MozillaPlugins, I suspect this is dodgy as well as it keeps returning.

Attached Files


Edited by Exfso, 14 April 2016 - 08:01 AM.


#9 Exfso

Exfso
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Local time:04:27 AM

Posted 14 April 2016 - 08:03 AM

I decided to repeat the above regarding Mozilla Plugins

 

 

 

 

Attached Files



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:57 PM

Posted 15 April 2016 - 07:03 AM

This fix should take care of these registry entries.


Copy the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files" Once you have saved Right click the .reg file and allow it to merge with the registry.
 

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Locky]
[-HKEY_CURRENT_USER\Software\Classes\Software\Locky]
[-HKEY_USERS\.DEFAULT\Software\Locky]
[-[HKEY_USERS\S-1-5-19\Software\Locky]
[-HKEY_USERS\S-1-5-20\Software\Locky]
[-HKEY_USERS\S-1-5-21-561714436-3558436729-3695926089-1000\Software\Locky]
[-HKEY_USERS\S-1-5-21-561714436-3558436729-3695926089-1000\Software\Classes\Software\Locky]
[-HKEY_USERS\S-1-5-21-561714436-3558436729-3695926089-1000_Classes\Software\Locky]
[-HKEY_USERS\S-1-5-18\Software\Locky]
[-HKEY_CURRENT_USER\Software\6925KrIr4fw]
[-HKEY_CURRENT_USER\Software\Classes\Software\6925KrIr4fw]
[-[HKEY_USERS\.DEFAULT\Software\6925KrIr4fw]
[-HKEY_USERS\S-1-5-19\Software\6925KrIr4fw]
[-HKEY_USERS\S-1-5-20\Software\6925KrIr4fw]
[-HKEY_USERS\S-1-5-21-561714436-3558436729-3695926089-1000\Software\6925KrIr4fw]
[-HKEY_USERS\S-1-5-21-561714436-3558436729-3695926089-1000\Software\Classes\Software\6925KrIr4fw]
[-HKEY_USERS\S-1-5-21-561714436-3558436729-3695926089-1000_Classes\Software\6925KrIr4fw]
[-HKEY_USERS\S-1-5-18\Software\6925KrIr4fw]


Restart the computer when completed.

You can delete the fixme.reg file when done.

==

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#11 Exfso

Exfso
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Local time:04:27 AM

Posted 15 April 2016 - 07:51 AM

Just for information, did as requested, no change at all except on boot up it took ages to find my eset internet security. The AVG checkup still found the empty registry keys as shown in the attached image.

Attached Files



#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:57 PM

Posted 15 April 2016 - 12:36 PM

Please run the SystemLook search again.

Let see what will be reported.

#13 Exfso

Exfso
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Local time:04:27 AM

Posted 15 April 2016 - 08:06 PM

Ok I have done that. I really appreciate your efforts nasdaq.

Attached Files



#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:57 PM

Posted 16 April 2016 - 06:51 AM



These keys are protected.
Lets check further.

Run the SystemLook tool with the following in the Textfield.

:filefind
Locky.*
6925KrIr4fw.*

:folderfind
*Locky.*
*6925KrIr4fw*


Post the logs.

===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a Windows opens to explain what [PUM's] are, read about it.
  • Click the RoguKiller icon on your taksbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next.
=======

#15 Exfso

Exfso
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Local time:04:27 AM

Posted 16 April 2016 - 08:15 AM

Here are the results of the latest system look. more to come re the other request.

Attached Files






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users