Jump to content

Strange registry value


Recommended Posts

I'll start here in the general question section.

A little over 3 weeks ago I had an encounter with Windows System Suite, and I thought I got rid of it with Malwarebytes. One of the experts in the HJK forum went over my HJK log, the computer has shown no sign whatsoever of being infected and it still doesn't. I continue to update and scan with Malwarebytes and SuperAntispyware every day, I've run full scans with online Kaspersky and my resident AVG free 8.5. However, a few days ago I was helping someone else with one of those rogues (Malwarebytes took care of that for him very quickly, too, and he thinks this program is just wonderful...and rightly so! :D), and during that time I was looking around in my own registry, which I don't routinely do, of course. I happened to see a value in the HKey_Current_User key, and it looked rather odd. There is there the usual one named "Default" with its Reg_SZ type, and underneath that is a second value. The name is

Link to post
Share on other sites

  • Root Admin

You can export the key then open it with notepad and copy/paste the contents here, but many keys can have odd or non English entries that are very valid and some that are encrypted on purpose.

If you have no signs of infection and multiple AV and AM scanners show nothing then it's probably nothing or at most a vague left over trail of an old infection.

Link to post
Share on other sites

Hello,

Firstly, be super careful while in registry editor (as I'm sure you know).

You may be looking at something harmless. The value doesn't matter as much as the registry key itself.

That is to say, one needs to see what key is involved first.

The value you see may simply be a harmless leftover from the rogue infection, or it could be some other leftover.

Do not make any changes in your registry. Not by yourself in any event.

{soapbox} Get your registry backed up.

1. Go Here and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Keep & use ERUNT on a regular basis. (does not apply to WinME or Win9x systems)

{/end soapbox}

While in the reg editor, and looking a specific key (the one or 2 you refer to)

Look on right pane of the window. Put your mouse on the specific key.

Do a RIGHT Click

and very carefully, select Copy key name

(I apologize if you know how to do that already; given you know of exporting).

Paste that info in a reply here.

As to monitors for registry, you may look into Process Monitor

and better yet Autoruns

Link to post
Share on other sites

Thank you, Advanced Setup and Maurice.

I just further reassured myself by purchasing 2 MWB licenses just now, and I just put one on the laptop (not the computer I'm writing about in this post, though) and I'll put it on the desktop (the subject of this thread) later. I've been perusing this forum and majorgeeks, and there are so many computers getting hit with these rogues that we're really nervous here about going on any websites we haven't previously visited.

I'm really careful about doing anything with the registry. I would simply rather not to look at it at all, actually. :)

I had wondered and worried that this value was maybe set to trigger something at a certain time or something like that. Or maybe it is just a leftover from something else, like you've said. Having MWB in real time should hopefully prevent anything from happening. I'll copy the name here later on. (I don't have access to that computer at the moment.)

Link to post
Share on other sites

When I hover the mouse cursor over the value in the right pane and right click, there is no option to copy the name, just to modify and (I think) delete and that made me nervous. So I think I'll just leave it for now, since two of you have suggested it's probably nothing to worry about anyway. The value is right in the HKey_Current_User key itself, in the right pane of that, under the Default value.

Thanks for the links to ERUNT, Process Monitor, and Autoruns. Those are handy to have.

I also feel better now that I have Malwarebytes running in real time, I'm more reassured that anything nasty which might have been related to that rogue and some other possible evil things would get stopped in its tracks if it tried to get going.

Thank you so much for your responses to my post. :)

Link to post
Share on other sites

Just to let you know, I goofed a bit in my note from before. I wrote "right" side, when I intended "left". :)

The keys are on the left hand side.

Revise to say:

Look on LEFT pane of the window. Put your mouse on the specific key.

Do a RIGHT Click

and very carefully, select Copy key name

You're most welcome, Amethyst.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.