Registry Keys keeps re-appearing after removal

Exfso:
I was running my AVG utilities program around a week ago and it kept finding 2 empty keys marked for removal. One of which sparked my interest.
The two keys are:
HKEY_CURRENT_USER\Software\Locky
HKEY_CURRENT_USER\Software\6925KrIr4fw

The Locky entry scared the pants off me. I have done a full check with ESET, Malwarebytes and FixMeStick, and I cannot find any dodgy stuff on the computer; all seems to be operating normally.
I have tried removing both these keys within regedit, and they disappear until I reboot the computer and then they re-appear.
About a month ago I received an email with a word attachment which I promptly deleted as I have read that this is one of the common ways for ransomware to attack. I never open any attachments unless I am 100% certain of their content and certainly not word/doc attachments.
I was wondering if this attachment, although deleted immediately, did something. ESET have said to me that I should probably reformat and start again. I know this is a possibility, but was wondering if anyone here has struck this scenario.
 

OS: Windows 7 Professional
Get rid of AVG, clean up your registry with CCleaner and nothing else.

https://www.piriform.com/ccleaner/download


HKEY_CURRENT_USER\Software\Locky is not in my registry and won't even come up on a Google search.
 

Just used CCleaner and those two empty keys are still in the registry. As I said, I have removed them before with Regedit and they disappear until I do a reboot and then they re-appear.
 

I found this at MBAM (using DuckDuckGo search). Apparently there's ransomware called Locky that's delivered via Office docs and email attachments.

https://blog.malwarebytes.org/threat-analysis/2016/03/look-into-locky/

also
'Locky' crypto-ransomware rides in on malicious Word document macro | Ars Technica

at Microsoft
Ransom:Win32/Locky.A

This does not necessarily mean the OP is infected.
 

I was running my AVG utilities program around a week ago and it kept finding 2 empty keys marked for removal. One of which sparked my interest.
The two keys are:
HKEY_CURRENT_USER\Software\Locky
HKEY_CURRENT_USER\Software\6925KrIr4fw

The Locky entry scared the pants off me. I have done a full check with ESET, Malwarebytes and FixMeStick, and I cannot find any dodgy stuff on the computer; all seems to be operating normally.
I have tried removing both these keys within regedit, and they disappear until I reboot the computer and then they re-appear.
~~~
Manually remove those two keys again.
Reboot into the Windows Safe Mode:
http://www.sevenforums.com/tutorials/69585-safe-mode.html
(Not safe mode with networking.)

If booting to the safe mode prevents the keys from being created again, then the troubleshooting steps in this tutorial might help you find the offending app: http://www.sevenforums.com/tutorial...ation-conflicts-performing-clean-startup.html

If the keys are created again - even in the safe mode - then we can try Process Monitor's boot logging.
 

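A way to act on the Process Monitor boot-logging suggestion above, as an added example that is not part of the original thread: once a boot log has been saved as CSV, the script below reports which process actually created the two watched keys, as opposed to merely opening them. It assumes Process Monitor's default CSV column set; the log rows are constructed for the example, and the process names antiransom.exe and scanner.exe are hypothetical stand-ins, not any real product's binaries.

```python
"""Find which process (re)creates a watched registry key in a Process Monitor
boot log.

Added example, not from the thread. Assumes the log was saved from Process
Monitor via File > Save as CSV with the default column set
("Time of Day","Process Name","PID","Operation","Path","Result","Detail").
The rows below are constructed; "antiransom.exe" and "scanner.exe" are
hypothetical process names used only for illustration.
"""
import csv
import io

# Constructed sample of a boot log after filtering on the Registry event
# class. A real log has thousands of rows around these.
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"7:01:02.1234567 AM","svchost.exe","812","RegOpenKey","HKCU\Software\Microsoft\Windows","SUCCESS","Desired Access: Read"
"7:01:03.0001111 AM","antiransom.exe","2044","RegCreateKey","HKCU\Software\Locky","SUCCESS","Desired Access: Read/Write, Disposition: REG_CREATED_NEW_KEY"
"7:01:03.0001200 AM","antiransom.exe","2044","RegCreateKey","HKCU\Software\6925KrIr4fw","SUCCESS","Desired Access: Read/Write, Disposition: REG_CREATED_NEW_KEY"
"7:01:09.5550000 AM","scanner.exe","3100","RegCreateKey","HKCU\Software\Locky","SUCCESS","Desired Access: Read, Disposition: REG_OPENED_EXISTING_KEY"
"7:01:09.5560000 AM","scanner.exe","3100","RegQueryKey","HKCU\Software\Locky","SUCCESS","Query: HandleTags"
'''

# The two keys from the first post, as Process Monitor abbreviates them.
WATCHED_KEYS = {r"HKCU\Software\Locky", r"HKCU\Software\6925KrIr4fw"}


def key_events(log_text, watched=WATCHED_KEYS):
    """Yield every row whose Path is one of the watched keys (case-insensitive,
    because the registry is)."""
    wanted = {k.lower() for k in watched}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Path"].lower() in wanted:
            yield row


def find_creators(log_text, watched=WATCHED_KEYS):
    """Return [(process, pid, path)] for each RegCreateKey that really created
    the key. RegCreateKey is also how many programs *open* an existing key, so
    Result=SUCCESS alone proves nothing; the Disposition in Detail does."""
    creators = []
    for row in key_events(log_text, watched):
        if row["Operation"] != "RegCreateKey" or row["Result"] != "SUCCESS":
            continue
        if "REG_CREATED_NEW_KEY" not in row["Detail"]:
            continue  # REG_OPENED_EXISTING_KEY: a reader, not the creator
        creators.append((row["Process Name"], int(row["PID"]), row["Path"]))
    return creators


def touchers(log_text, watched=WATCHED_KEYS):
    """Every (process, pid) that touched a watched key at all; useful for the
    timeline even when none of them is the creator."""
    return sorted({(r["Process Name"], int(r["PID"])) for r in key_events(log_text, watched)})


def load_log(path):
    """Read a saved CSV boot log from disk."""
    with open(path, newline="", encoding="utf-8-sig") as f:
        return f.read()


if __name__ == "__main__":
    for proc, pid, path in find_creators(SAMPLE_LOG):
        print(f"{proc} (PID {pid}) created {path}")
    print("processes that touched the keys:", touchers(SAMPLE_LOG))
```

Enable Options > Enable Boot Logging in Process Monitor, reboot, and save the log when it prompts on the next start; a Path filter on the two key names keeps the CSV small before saving. The Disposition check is the point of the script: every scanner that looks at the key also appears as a SUCCESS RegCreateKey, and only the row carrying REG_CREATED_NEW_KEY names the component that put it back. Safe Mode still starts the services and drivers registered under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal, so a key that returns even there points at something loaded that early, which is exactly what a boot log captures.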
I use Office 2010. Getting late here; I will have a go at those suggestions tomorrow. Thanks, people, very much appreciated.
 

I have a guru from Bleeping Computers working on this; he has me jumping through hoops. Will keep this up to date. :)
 

Exfso are you using Bitdefender Anti-Ransomware?
 
Exfso are you using Bitdefender Anti-Ransomware?

Yes I am. The guy from Bleeping Computers has had me try at least a dozen ideas, none working as yet, but still trying to isolate the cause.
 

Just for information, I have done the boot with safe mode without networking, and the keys were still there.
 

Please only follow the advice from BleepingComputers; it makes it very difficult to keep track of what's going on.
Note it also states this when you started the thread over there.

Roy
 

Roy, the guy from Bleeping Computers has said obviously there is no sign of this on my computer apart from the continual registry entries. All is working OK, so he said he was closing the thread. So really it is not solved, but there do not appear to be any issues. Basically, leave as is and monitor.
 

@ Exfso,

I realize this topic is outdated but, since this is an ongoing issue with others who are infected with Locky....

Out of curiosity, did you get this resolved? If so, what was the final resolution/cause for those keys regenerating?

Donna :)
 

Locky/BitDefender

Exfso are you using Bitdefender Anti-Ransomware?

Yes I am. The guy from Bleeping Computers has had me try at least a dozen ideas, none working as yet, but still trying to isolate the cause.

Realise this is a late reply. Just uninstalled BDAR and restarted the PC; so far all empty registry keys are gone.
 

Hello BillH651,

After extensive research, I came to the conclusion that these registry keys are associated with Bitdefender Anti-Ransomware (BDAR). To avoid having to type out what I posted at another forum, I will just copy and paste my findings below:

You confirmed my thoughts when you pointed out that you uninstalled BDAR, deleted the reg keys, rebooted and they never came back. That alone proves that the technician you spoke with at BD was in the dark about the newest updates to BDAR. I am not only surprised but very disappointed that the technician had no knowledge of BDAR creating these registry keys.

Please read the articles in SecurityWeek and SpiceWorks. Both articles discuss the following:

As disclosed in SecurityWeek;

However, what users could do is to create the HKCU\Software\Locky registry key, which is the first thing that the ransomware tries to create on the compromised machine. The malware terminates if the creation process fails, and having the registry key already present on the computer ensures that the malicious application is not executed.
As disclosed in SpiceWorks;

At present, however, it works by taking advantage of a slew of built-in tests shared by Locky, TeslaCrypt, and CTB-Locker, which scan their host computer to see if it is already infected. "The new Bitdefender tool takes advantage of these ransomware checks by making it appear as if computers are already infected with current variants of Locky, TeslaCrypt or CTB-Locker," Computerworld writes.
You said that you read the Bitdefender article I shared with my associates. If you read it thoroughly then I am sure you came across the following comment by David:

62. David says:
April 4, 2016 at 12:35 pm

I’ve read article
Free Bitdefender tool protects against ransomware infections | PCWorld
but still want to know how does it actually do?
“The new Bitdefender tool takes advantage of these ransomware checks by making it appear as if computers are already infected with current variants of Locky, TeslaCrypt or CTB-Locker. This prevents those programs from infecting them again.”

What does it “vaccines”? What part of Windows tells ransomware it is already infected by it?
I am almost certain that he also started the topic found at Simoch on the same day just hours later. Davidenko just shortened his name to David. If you have a look at his second post, he went out on a limb and installed BDAR to find out for himself since he wasn't getting the answers he needed to confirm his suspicions, just as you did by uninstalling BDAR.

The security gurus that be won't necessarily put this information out there on the internet for just anyone to find. As pointed out in the first paragraph of the SpiceWorks article:

"The new Bitdefender Anti-Ransomware vaccine is built on the same principle as a previous tool that the company designed to prevent CryptoWall infections." That tool was later made obsolete and ineffective after CryptoWall's creators updated their ransomware. Something similar is expected to happen to Bitdefender's tool.
The sooner that the bad guys find out that the good guys created a vaccine they will alter the code and the good guys will have to start all over again trying to find out how the bad guys altered the code so the good guys can update their tools and release an update. Honestly, it is a never ending battle between the good and the bad.

Think about the BDAR vaccine from a medical point of view. Researchers create vaccines using the virus itself, then inoculate the human population with that vaccine. Since a potential victim already has the antibodies of any particular virus, such as the flu, diphtheria, measles, mumps, etc., the virus can detect this and the potential victim will not get the full-blown virus, if at all.

Truly, I would not be worried that you are infected, BDAR creates those registry keys to prevent you from becoming infected. As pointed out in the SecurityWeek article, if the registry keys already exist on the computer the malware will terminate itself and the creation process fails.

If you really are that worried about becoming infected, protect yourself by creating backups of personal data that you just couldn't bear to live without. You could even go as far as cloning your drive. Never a bad idea to have more than one backup.
 

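The vaccine mechanism quoted above (the ransomware tries to create HKCU\Software\Locky first and quits if it cannot, so the tool pre-creates the key) is why the marker is an empty leaf with no values. The script below, an added example that is not from the thread or from Bitdefender, parses a regedit export of HKCU\Software and labels each subkey, so the two keys from the first post can be told apart from ordinary value-less parent keys such as HKCU\Software\Microsoft. The sample export is constructed; the known-marker list and the random-name heuristic are this example's assumptions, not a published list from any vendor.

```python
"""Triage an exported HKCU\\Software hive for empty, odd-looking subkeys.

Added example, not from the thread or from any vendor. Assumes an export made
with   reg export HKCU\\Software hkcu_software.reg   (regedit's .reg format,
UTF-16LE on disk). SAMPLE_REG below is constructed for this example.
"""
import math
import re
from collections import Counter

# Marker keys that anti-ransomware "vaccine" tools plant deliberately: the
# ransomware aborts if it cannot create them. The thread names only the Locky
# key; anything you add here for your own vendor is your assumption.
KNOWN_VACCINE_KEYS = {r"HKEY_CURRENT_USER\Software\Locky"}

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Locky]

[HKEY_CURRENT_USER\Software\6925KrIr4fw]

[HKEY_CURRENT_USER\Software\Microsoft]

[HKEY_CURRENT_USER\Software\Microsoft\Windows]
"Ident"=dword:00000001

[HKEY_CURRENT_USER\Software\7-Zip]
"Path"="C:\\Program Files\\7-Zip"
'''


def parse_reg(text):
    """Return {key_path: [value lines]} from .reg text. A key with no value
    lines is empty at its own level but may still have subkeys."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
        elif current is not None:
            keys[current].append(line)
    return keys


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name):
    """Heuristic (an assumption of this example) for machine-generated names
    like 6925KrIr4fw: long enough, mixes letters and digits, high entropy."""
    return (len(name) >= 8
            and re.search(r"[0-9]", name) is not None
            and re.search(r"[A-Za-z]", name) is not None
            and shannon_entropy(name) > 3.0)


def triage(text):
    """Label every key in the export:
    vaccine-marker         known anti-ransomware marker key
    suspicious-empty-leaf  no values, no subkeys, random-looking name
    empty-leaf             no values, no subkeys, ordinary name
    normal                 has values or subkeys"""
    keys = parse_reg(text)
    labels = {}
    for path, values in keys.items():
        has_children = any(other.startswith(path + "\\") for other in keys)
        leaf_empty = not values and not has_children
        name = path.rsplit("\\", 1)[-1]
        if path in KNOWN_VACCINE_KEYS:
            labels[path] = "vaccine-marker"
        elif leaf_empty and looks_random(name):
            labels[path] = "suspicious-empty-leaf"
        elif leaf_empty:
            labels[path] = "empty-leaf"
        else:
            labels[path] = "normal"
    return labels


def load_reg(path):
    """Read a real export; regedit and reg.exe write UTF-16LE with a BOM."""
    with open(path, encoding="utf-16") as f:
        return f.read()


if __name__ == "__main__":
    for path, label in triage(SAMPLE_REG).items():
        print(f"{label:22} {path}")
```

Export with `reg export HKCU\Software hkcu_software.reg` and pass the file through load_reg() before triage(). An empty marker key proves nothing about infection on its own: by the SecurityWeek description quoted above, the same key appears on a machine where Locky itself ran and created it. What separates the two cases is who creates the key at boot (a Process Monitor boot log) and whether it stops coming back once the anti-ransomware tool is uninstalled, which is the check that settled this thread.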
These entries may be from Bitdefender Anti-Ransomware. It tries to defeat ransomware by trying to convince it that your system is already infected. So it seems that Bitdefender Anti-Ransomware creates these keys on purpose. I have both Bitdefender Anti-Ransomware and similar reg keys. All scans of my system show no infection.
 

Whew!

I have been wrestling with this same registry issue for several weeks now, and I have had a feeling that BDAR may have been the cause. I didn't try the uninstall trick (because I simply didn't think of it), but now, in hindsight, it just makes sense that those keys would reappear. It works as a vaccine does in the human body.
My 'workaround' for this problem was to run CCleaner after bootup to delete these keys. Now I see that was a bad move, leaving me vulnerable.
I run MWB, ASC, and CCleaner every night before I shut down, thinking that when I boot up in the morning, everything starts fresh, kinda like how I like to sweep my cabinet shop every night so my employees come into a clean and tidy shop every day.
I've been a member here for a bit, and have solved more than a few issues with the help of the fine people here, and would just like to take this opportunity to say Thank You All!!
 
