Solved Suspicious registry key

Status
Not open for further replies.

menthos

New Member
Thread author
Jul 28, 2014
7
Hello,

I was surfing the internet today and encountered a fake antivirus webpage on my screen.

Although it appeared after I clicked on a website that I usually go to, I felt that I may have contracted a virus from other websites I visited previously.

No further unusual activity occurred, but I panicked nonetheless.

I cleared cookies and temporary internet files. Then I ran both Avast and Malwarebytes. There was nothing.

Then I was looking through registry keys and found this:

HKEY_CURRENT_USER/Software/81A6A3E5A7A34F83FEACB79F1A291ADF

Default REG_SZ (value not set)
FRun REG_SZ 0
O'ld REG_SZ Rqxv'sd!Qsnudbuhno
Q'ui REG_SZ B;]Trdsr]Nvods]@qqE'u']Sn'lhof]edgdoeds/dyd

I could not find the exact registry name on websites, but many suggested that fake AV virus registry keys are located in HKEY_CURRENT_USER/Software and have random characters.

Can you guys confirm if this is indeed a virus registry key?

Best regards,
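
The value names and data quoted above are obfuscated with a single-byte XOR, which the thread itself never spells out. The block below is an added example written for this page, not code from the thread or from any of the tools it uses. It parses a constructed sample in the layout `reg query` prints (the names and data are those posted above, with the apostrophe restored to a backtick on the assumption that the forum rendered byte 0x60 that way, since 'a' XOR 1 is a backtick), flags key names that are bare 32-character hex strings, and brute-forces single-byte XOR keys, keeping the key that yields the most name- or path-like plaintext. On this input it recovers the value names Name and Path, the product string "Spyware Protection" and a path to defender.exe under AppData\Roaming. The readability heuristic and the HEX_BLOB_NAME pattern are assumptions of the example, not criteria stated in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, laid out the way `reg query <key>` prints a key and its values.
# It is NOT output captured from the thread's machine; the value names and data are
# copied from the first post. Assumption: the forum renders byte 0x60 (backtick) as
# an apostrophe, because 'a' ^ 1 == 0x60, so the backtick is restored here.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\81A6A3E5A7A34F83FEACB79F1A291ADF
    FRun    REG_SZ    0
    O`ld    REG_SZ    Rqxv`sd!Qsnudbuhno
    Q`ui    REG_SZ    B;]Trdsr]Nvods]@qqE`u`]Sn`lhof]edgdoeds/dyd
"""

# A bare 32-hex-character key name directly under HKCU\Software (no GUID braces,
# no vendor name) is the naming pattern the poster was told to look for (assumption).
HEX_BLOB_NAME = re.compile(r"^[0-9A-Fa-f]{32}$")

# Punctuation that still looks like a product name or a Windows path (assumption).
PLAIN_CHARS = set(" .:\\_-()")


def parse_reg_query(text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Parse `reg query` style output into {key_path: [(value_name, type, data), ...]}.

    Key lines are unindented; value lines are indented and separate name, type
    and data with runs of spaces.
    """
    keys: Dict[str, List[Tuple[str, str, str]]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = line.strip()
            keys[current] = []
        elif current is not None:
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                keys[current].append((parts[0], parts[1], parts[2]))
    return keys


def xor_bytes(s: str, key: int) -> str:
    """XOR every character of s with a single-byte key."""
    return "".join(chr(ord(c) ^ key) for c in s)


def readability(s: str) -> float:
    """Fraction of characters that are ASCII letters/digits or path-like punctuation."""
    if not s:
        return 0.0
    ok = sum(1 for c in s if c.isascii() and (c.isalnum() or c in PLAIN_CHARS))
    return ok / len(s)


def best_single_byte_xor(s: str) -> Tuple[int, str]:
    """Brute-force keys 1..255; return (key, plaintext) for the key that reads
    better than the input itself. Key 0 means the string was already plain."""
    best_key, best_text, best_score = 0, s, readability(s)
    for key in range(1, 256):
        candidate = xor_bytes(s, key)
        score = readability(candidate)
        if score > best_score:
            best_key, best_text, best_score = key, candidate, score
    return best_key, best_text


def triage(text: str) -> List[dict]:
    """Flag hex-blob keys and return their values with names and data decoded."""
    findings = []
    for key_path, values in parse_reg_query(text).items():
        leaf = key_path.rsplit("\\", 1)[-1]
        if not HEX_BLOB_NAME.match(leaf):
            continue
        decoded = {}
        for name, _vtype, data in values:
            _name_key, plain_name = best_single_byte_xor(name)
            decoded[plain_name] = best_single_byte_xor(data)
        findings.append({"key": key_path, "values": decoded})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_QUERY):
        print(finding["key"])
        for name, (key, plain) in finding["values"].items():
            print(f"  {name:<6} xor-key={key:<3} {plain}")
```

On a live machine, feed the function the output of `reg query HKCU\Software\<key>`. The decoded Path is the artifact to check against the FRST logs and on disk: a search for the plain file name would never match the obfuscated form stored in the registry, which is the point of the encoding.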
 

menthos

New Member
Thread author
Jul 28, 2014
7
Thank you. Here are the logs from Farbar.
 

Attachments

  • FRST.txt
    50.1 KB · Views: 106
  • Addition.txt
    54.8 KB · Views: 106

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.



Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Follow the prompts and click Scan.
  • When finished, please click Clean.
  • Upon completion, click Report. A log (AdwCleaner[S*].txt) will open.

Please include the contents of that file in your reply.



Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Install the program and select Update.
  • Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.
Save the file to your desktop and include its content in your next reply.
 

Attachments

  • fixlist.txt
    4.4 KB · Views: 105

menthos

New Member
Thread author
Jul 28, 2014
7
Here are the logs. Running the Farbar fix changed my Explorer homepage for some reason.

None of these programs picked up the registry key in question at all. Does that mean it's legit?

I appreciate your help.
 

Attachments

  • Fixlog.txt
    11.4 KB · Views: 61
  • AdwCleaner[S0].txt
    10 KB · Views: 128
  • Malwarebytes Anti-Malware. log.txt
    1.1 KB · Views: 67

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
I do not see any sign of serious infection in your reports, so this could be some leftover or empty value. Anyway, it is not connected with anything malicious.

I would like to see new set of logs:
- Run FRST again, check Addition.txt, press Scan and attach fresh reports.



Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:
  • Type 81A6A3E5A7A34F83FEACB79F1A291ADF into the Search: field in FRST then click the Search Registry button.
  • FRST will search your computer for files and, when finished, it will produce a log, Search.txt, in the same directory the tool is run from.
  • Please attach it to your reply.
 

menthos

New Member
Thread author
Jul 28, 2014
7
That's good to hear :).

Here are the logs.
 

Attachments

  • FRST.txt
    39.8 KB · Views: 142
  • Addition.txt
    54.5 KB · Views: 76
  • Search.txt
    580 bytes · Views: 64

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
I forgot to answer about Internet Explorer. You were infected with several adware infections; we cleaned them and we still have one to clean, and this will be our last step:



Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt
    1.1 KB · Views: 63

menthos

New Member
Thread author
Jul 28, 2014
7
Here it is.

What's your take on this registry key? I was suspicious, because parts like O'ld REG_SZ Rqxv'sd!Qsnudbuhno had some resemblance to Trojan REG keys posted on websites like McAfee.
 

Attachments

  • Fixlog.txt
    3.8 KB · Views: 57

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
There is no such key in Google search, so it is probably malicious.


I forgot one simple thing. I need you to run one more FRST fix.


Tell me how is your PC now?
 

Attachments

  • fixlist.txt
    29 bytes · Views: 73

menthos

New Member
Thread author
Jul 28, 2014
7
My computer had been behaving normally before the first fix. That fake AV popup only happened once. I guess all these adware files were leftovers of previous infections.

Is it safe to leave that key? Or should I delete it?
 

Attachments

  • Fixlog.txt
    428 bytes · Views: 44

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
We deleted that key in previous step :)

Since everything is okay, we can finish.



Below you will find my thoughts about securing your machine. Go through it; you will benefit from some useful advice about safe computing.


Recommended reading:
  • MUST READ - security tips: Computer Security - a short guide to staying safer online. Simple and easy ways to keep your computer safe and secure on the Internet
  • MUST READ - general maintenance: What to do if your Computer is running slowly?



Recommended additional software:
  • TFC - to clean unneeded temporary files.
  • Malwarebytes' Anti-Malware - to scan your system from time to time in search of malware.
  • Malwarebytes' Anti-Exploit - to prevent exploitation of many commonly exploited vulnerabilities.
  • McShield - to prevent infections spread by removable media.
  • CryptoPrevent - to secure yourself from the very severe CryptoLocker infection.
  • Unchecky - to prevent installing additional foistware bundled with legitimate installers.


The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.



My help is free for everybody.
If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation:
Thank you!



Stay safe,
TwinHeadedEagle :)
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Since this issue appears to be resolved, I am closing the topic. If that is not the case and you need or wish to continue with this topic, please contact me or any staff member with the address of the thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
 