
Help! May have a hidden registry key - how to fix?

Zepper

Elite Member
I've been working on this PC for several days and I have used several rootkit detectors (Sophos and Rootkit Shark). Sophos finds a hidden registry key:

HKEY_USERS\S-1-5-21-436374069-1897051121-839522115-500\ (broken to ease reading) Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll

The long alphanumeric after the first slash isn't the same on that machine, but it's the same key. When you use regedit to look at their registry, you don't see the .dll entry listed, while Sophos shows that this big long string is in there. And as I said, RKShark says the registry is clean.

Questions:
1- Which one should I believe?
2- How does one fix such a thing (when RK Shark which promises to detect and fix such things can't see it)?

I know the .dll entry is pretty empty on my machine and is quite visible in regedit.

Thanks for giving it a shot!

bh
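The two questions above come down to comparing what the live registry API shows against an independent view of the same data. The PowerShell below is an added check, not something posted in the thread: it enumerates the FileExts subkeys on the live path, then saves a copy of that user hive, mounts the copy under a different root and enumerates the same subkeys there, reporting any name that only one view can see. It assumes an elevated PowerShell on the affected machine, that the profile for the SID is loaded (user logged on), and the SID value is a placeholder to be replaced.

```powershell
# Added example (not from the thread): cross-view check of the FileExts key.
# View A: live key via the normal registry API. View B: a saved copy of the same
# hive, loaded under a different name. A hook that filters the live path will
# not normally filter the copy, so "in copy but not live" is the "hidden key"
# symptom. Something hiding from all API access would still defeat this; that is
# why scanners parse the hive file directly.
$Sid      = 'S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-500'   # placeholder: affected profile's SID
$SubPath  = 'Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts'
$CopyFile = Join-Path $env:TEMP 'hku_copy.hiv'
$Mount    = 'HKLM\HiveCopy'

function Get-SubKeyNames([string]$RegPath) {
    # Immediate subkey names through the registry provider (RegEnumKeyEx underneath)
    @(Get-ChildItem -LiteralPath "Registry::$RegPath" -ErrorAction Stop | ForEach-Object PSChildName)
}

$liveView = Get-SubKeyNames "HKEY_USERS\$Sid\$SubPath"

# Save a copy of the user hive and mount it under a different root
if (Test-Path -LiteralPath $CopyFile) { Remove-Item -LiteralPath $CopyFile -Force }
reg save "HKU\$Sid" $CopyFile /y | Out-Null
reg load $Mount $CopyFile | Out-Null
try {
    $copyView = Get-SubKeyNames "HKEY_LOCAL_MACHINE\HiveCopy\$SubPath"
} finally {
    # Release provider handles so the mounted copy can be unloaded cleanly
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    reg unload $Mount | Out-Null
    Remove-Item -LiteralPath $CopyFile -Force -ErrorAction SilentlyContinue
}

# Report names visible in only one of the two views (avoids Compare-Object's empty-array quirk)
$all  = @($liveView + $copyView) | Sort-Object -Unique
$diff = foreach ($name in $all) {
    $inLive = $liveView -contains $name
    $inCopy = $copyView -contains $name
    if ($inLive -xor $inCopy) {
        [pscustomobject]@{ SubKey = $name; LiveView = $inLive; HiveCopy = $inCopy }
    }
}
if ($diff) { $diff | Format-Table -AutoSize }
else       { "Both views list the same $($liveView.Count) subkeys of FileExts." }

# The thread's specific question: is the .dll entry there?
"'.dll' in live view: $($liveView -contains '.dll'); in hive copy: $($copyView -contains '.dll')"
```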
 
Knee-jerk reaction: maybe it's infected with a Gromozon variant. Here are a couple of anti-Gromozon tools to try:

Symantec LinkOptimizer removal tool
Prevx Gromozon removal tool

If the system were infected with Gromozon, then one side effect appears to be that F-Secure BlackLight won't run, so if you happen to have run into that symptom... yeah. Gromozon makes its own Admin account, encrypts stuff using that account's key, hides stuff in NTFS streams and more, so it's pretty advanced.

Also, I'd apply the food-service worker's rule: when in doubt, throw it out! If I had any reason to think it was infected, I'd burn that Windows installation to the ground :evil:
 
Huh 😕 But it was infected with stuff? What sorts of stuff? It's always interesting to learn what's going on out there 🙂
 
It has some traces of CWS, but none of the CWS or About cleaners complained of the hidden key. I got a wild idea that it might be part of the Sony/BMG rootkit. The owner does play audio CDs on the PC. So I gave him links to the list of titles and some cleaning tools.

.bh.
 