Windows 7 Forums


Windows 7: Registry Keys keep re-appearing after removal

16 Apr 2016   #11
DBone

Windows 7 Home Premium x64 SP1

It looks like those keys have something to do with Bitdefender Anti-Ransomware:

BitDefender Anti-Ransomware | Wilders Security Forums


17 Apr 2016   #12
Exfso

Windows 7 Professional

Quote: Originally Posted by UsernameIssues
Quote: Originally Posted by Exfso
I was running my AVG utilities program around a week ago and it kept finding 2 empty keys marked for removal. One of which sparked my interest.
The two keys are:
HKEY_CURRENT_USER\Software\Locky
HKEY_CURRENT_USER\Software\6925KrIr4fw

The Locky entry scared the pants off me. I have done a full check with ESET, Malwarebytes, FixMeStick, and I cannot find any dodgy stuff on the computer; all seems to be operating normally.
I have tried removing both these keys within regedit, and they disappear until I reboot the computer and then they re-appear.
~~~
Manually remove those two keys again.
Reboot into the Windows Safe Mode:
Safe Mode
(Not safe mode with networking.)

If booting to the safe mode prevents the keys from being created again, then the troubleshooting steps in this tutorial might help you find the offending app: Troubleshoot Application Conflicts by Performing a Clean Startup

If the keys are created again - even in the safe mode - then we can try Process Monitor's boot logging.

Just for information, I have done the boot with safe mode without networking, and the keys were still there.
17 Apr 2016   #13
Exfso

Windows 7 Professional

Quote: Originally Posted by DBone
It looks like those keys have something to do with Bitdefender Anti-Ransomware:

BitDefender Anti-Ransomware | Wilders Security Forums
I had those keys before I installed the BitDefender anti-ransomware. The keys were the reason I installed it in the first place, to see if it would help.

17 Apr 2016   #14
torchwood

W7 home premium 32bit/W7HP 64bit/w10 tp insider ring

Please only follow the advice from BleepingComputers. It makes it very difficult to keep track of what's going on.
Note that it also states this when you started the thread over there.

Roy
19 Apr 2016   #15
Exfso

Windows 7 Professional

Roy, the guy from Bleeping Computers has said obviously there is no sign of this on my computer apart from the continual registry entries. All is working OK, so he said he was closing the thread. So really it is not solved, but there do not appear to be any issues. Basically leave as is and monitor.
31 May 2016   #16
DonnaB

Win7 64-bit, Vista 32-bit, XP 32-bit, W2K 32-bit (VM)

@ Exfso,

I realize this topic is outdated, but since this is an ongoing issue with others who are infected with Locky...

Out of curiosity, did you get this resolved? If so, what was the final resolution/cause for those keys' regeneration?

Donna
18 Jun 2016   #17
BillH651

Windows 7 Home Premium 64 bit
Locky/BitDefender

Quote: Originally Posted by Exfso
Quote: Originally Posted by DBone
Exfso are you using Bitdefender Anti-Ransomware?
Yes I am. The guy from Bleeping computers has had me try at least a dozen ideas, none working as yet, but still trying to isolate the cause.
Realise this is a late reply. Just uninstalled BDAR and restarted the PC; so far all the empty registry keys are gone.
18 Jun 2016   #18
DonnaB

Win7 64-bit, Vista 32-bit, XP 32-bit, W2K 32-bit (VM)

Hello BillH651,

After extensive research, I came to the conclusion that these registry keys are associated with BitDefender Anti-Ransomware (BDAR). To prevent having to type out what I posted at another forum, I will just copy and paste my findings below:

You confirmed my thoughts when you pointed out that you uninstalled BDAR, deleted the reg keys, rebooted and they never came back. That alone proves that the technician you spoke with at BD was in the dark about the newest updates to BDAR. I am not only surprised but very disappointed that the technician had no knowledge of BDAR creating these registry keys.

Please read the articles in SecurityWeek and SpiceWorks. Both articles discuss the following:

Quote:
As disclosed in SecurityWeek;

However, what users could do is to create the HKCU\Software\Locky registry key, which is the first thing that the ransomware tries to create on the compromised machine. The malware terminates if the creation process fails, and having the registry key already present on the computer ensures that the malicious application is not executed.
Quote:
As disclosed in SpiceWorks;

At present, however, it works by taking advantage of a slew of built-in tests shared by Locky, TeslaCrypt, and CTB-Locker, which scan their host computer to see if it is already infected. "The new Bitdefender tool takes advantage of these ransomware checks by making it appear as if computers are already infected with current variants of Locky, TeslaCrypt or CTB-Locker," Computerworld writes.
You said that you read the BitDefender article I shared with my associates. If you read it thoroughly then I am sure you came across the following comment by David:

Quote:
62. David says:
April 4, 2016 at 12:35 pm

I’ve read article
Free Bitdefender tool protects against ransomware infections | PCWorld
but still want to know how does it actually do?
“The new Bitdefender tool takes advantage of these ransomware checks by making it appear as if computers are already infected with current variants of Locky, TeslaCrypt or CTB-Locker. This prevents those programs from infecting them again.”

What does it “vaccines”? What part of Windows tells ransomware it is already infected by it?
I am almost certain that he also started the topic found at Simoch on the same day just hours later. Davidenko just shortened his name to David. If you have a look at his second post, he went out on a limb and installed BDAR to find out for himself since he wasn't getting the answers he needed to confirm his suspicions, just as you did by uninstalling BDAR.

The security gurus that be won't necessarily put this information out there on the internet for just anyone to find. As pointed out in the first paragraph of the SpiceWorks article:

Quote:
The new Bitdefender Anti-Ransomware vaccine is built on the same principle as a previous tool that the company designed to prevent CryptoWall infections. That tool was later made obsolete and ineffective after CryptoWall's creators updated their ransomware. Something similar is expected to happen to Bitdefender's tool.
The sooner that the bad guys find out that the good guys created a vaccine they will alter the code and the good guys will have to start all over again trying to find out how the bad guys altered the code so the good guys can update their tools and release an update. Honestly, it is a never ending battle between the good and the bad.

Think about the BDAR vaccine from a medical point of view. Researchers create vaccines using the virus itself, then inoculate the human population with that vaccine. Since a potential victim already has the antibodies of any particular virus, such as the flu, diphtheria, measles, mumps, etc., the virus can detect this and the potential victim will not get the full-blown virus, if at all.

Truly, I would not be worried that you are infected, BDAR creates those registry keys to prevent you from becoming infected. As pointed out in the SecurityWeek article, if the registry keys already exist on the computer the malware will terminate itself and the creation process fails.

If you really are that worried about becoming infected, protect yourself by creating backups of personal data that you just couldn't bear to live without. You could even go as far as cloning your drive. It is never a bad idea to have more than one backup.
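As an added example (not code from any poster in this thread, nor Bitdefender's own): a PowerShell check that inspects the two HKCU keys named in the thread and reports whether each is an empty marker with no values and no subkeys, which is what the posts describe for the BDAR vaccine keys, or whether it carries data that deserves a closer look. The "empty marker" classification rule is this script's own assumption, not Bitdefender's documented behaviour.

```powershell
# Added example: inspect the two HKCU keys discussed in the thread.
# Key names come from the thread; the classification rule is an assumption.

$markerKeys = @(
    'HKCU:\Software\Locky',
    'HKCU:\Software\6925KrIr4fw'
)

function Get-MarkerKeyReport {
    param([string[]]$Paths)

    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{
                Key = $path; Present = $false; Values = 0; SubKeys = 0
                Assessment = 'absent'
            }
            continue
        }

        # Get-Item on a registry path returns a Microsoft.Win32.RegistryKey,
        # which exposes ValueCount and SubKeyCount directly.
        $key = Get-Item -LiteralPath $path

        $assessment = if ($key.ValueCount -eq 0 -and $key.SubKeyCount -eq 0) {
            'empty marker: consistent with an anti-ransomware vaccine key'
        } else {
            # Anything populated is not what the thread describes; list the
            # value names so they can be reviewed before deciding what wrote them.
            'contains data (' + ($key.GetValueNames() -join ', ') + '): review'
        }

        [pscustomobject]@{
            Key        = $path
            Present    = $true
            Values     = $key.ValueCount
            SubKeys    = $key.SubKeyCount
            Assessment = $assessment
        }
    }
}

Get-MarkerKeyReport -Paths $markerKeys | Format-Table -AutoSize
```

Run it once before and once after uninstalling BDAR, as BillH651 did, to confirm which product is recreating the keys.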
01 Jul 2016   #19
alucardx

Windows 7 Home x64

These entries may be from Bitdefender Anti-Ransomware. It tries to defeat ransomware by trying to convince it that your system is already infected. So it seems that Bitdefender Anti-Ransomware creates these keys on purpose. I have both Bitdefender Anti-Ransomware and similar reg keys. All scans of my system show no infection.
07 Jul 2016   #20
blueaxe

Windows 7 Ultimate 64 bit
Whew!

I have been wrestling with this same registry issue for several weeks now, and I have had a feeling that BDAR may have been the cause. I didn't try the uninstall trick (because I simply didn't think of it ), but now, in hindsight, it just makes sense that those keys would reappear. It works as a vaccine does in the human body.
My 'workaround' for this problem was to run CCleaner after bootup to delete these keys. Now I see that was a bad move, leaving me vulnerable...
I run MWB, ASC, and CCleaner every night before I shut down, thinking that when I boot up in the morning, everything starts fresh, kinda like how I like to sweep my cabinet shop every night so my employees come into a clean & tidy shop every day.
I've been a member here for a bit, and have solved more than a few issues with the help of the fine people here, and would just like to take this opportunity to say Thank You All!!