Locky Folder in Regedit

Mike McCall

So, I'm working on a client's system this morning and I notice a "Locky" folder in Regedit under Software.

[Attached screenshot: upload_2018-3-13_11-53-13.png]

The system appears to be clean except for these folders. A search for Locky folder in regedit produced a bunch of returns regarding the virus itself, but nothing related to these folders. It's entirely possible these may be left over from a previous infection as the client was referred to me by the local Police Department after he fell for one of the Microsoft scams. Of course, that would also mean I managed to miss these when I cleaned the machine at the time. Nevertheless, before I delete them I want to make sure there isn't another reason for their existence, though I can't imagine what that would be.
 
I use stuff like CCleaner to see if it picks up the broken folder/link/info for that stuff in the registry, and it will purge it for you. However, just in case, I might recommend running another full system scan with Emsisoft Emergency Kit and some others, just in case.

Or, hell, even a Fab's, nuke and pave if you're really wanting to be thorough.
 
While I haven't checked every client, the ones I have checked (including internal machines) all have the folder. That suggests to me that it serves a purpose other than malware. However, I've been unable to find any information about the folder.
 
> While I haven't checked every client, the ones I have checked (including internal machines) all have the folder. That suggests to me that it serves a purpose other than malware. However, I've been unable to find any information about the folder.
... or all of the machines were attacked at some point. Have you searched for .ykcol files on the system? Also check the registry run keys.

What was the customer's reason for giving you this machine in the first place? Is it possible it's still suffering from damage even though the virus has allegedly been removed?
 
Nothing on my relatively recently clean installed Win10. Older upgrade is stuffed in a bag, will check later.

Is there something on there that might have been trying to "vaccinate" the system?
 
It doesn't appear to be malware related, as every one of my Win10 machines I've checked (which is most of them) has the folder. I'm less concerned now and more curious. I run BD GravityZone on all clients, and have for some time. It may have something to do with that, but I don't know yet. Interesting.
 
> I run BD GravityZone on all clients, and have for some time.
I believe that's what creates it. I seem to remember reading something a while ago about it.

I use BD GravityZone too and the systems that it's installed on also have the same registry key. If you examine the key's properties you should see that it has a special Deny permission set for 'everyone'. I think the idea is that by creating the key in advance of any infection and locking down the permissions, it prevents the malware from creating it.


[Attached screenshot: Capture.PNG]
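An added example (not from the thread, and not Bitdefender's own code) for checking the pattern described above on your own machines: it assumes the key lives at HKLM\SOFTWARE\Locky or HKCU\Software\Locky, and reports whether the key exists and whether its ACL carries a Deny entry for Everyone (well-known SID S-1-1-0).

```powershell
# Added example: verify a pre-created "Locky" registry key and its Deny-for-Everyone ACE.
# The exact hive/path is an assumption based on the thread ("under Software").
# Run from an elevated prompt; a restrictive Deny may hide the key from non-admin readers.
$LockyKeyPaths = @('HKLM:\SOFTWARE\Locky', 'HKCU:\Software\Locky')

function Test-LockyVaccineKey {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; DenyEveryone = $false; Aces = @(); Error = $null }
    }

    try {
        $acl = Get-Acl -Path $Path
        # Resolve identities to SIDs so the check does not depend on the display language.
        $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $deny = $aces | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'S-1-1-0'
        }
        [pscustomobject]@{
            Path         = $Path
            Exists       = $true
            DenyEveryone = [bool]$deny
            Aces         = $aces | Select-Object IdentityReference, AccessControlType, RegistryRights
            Error        = $null
        }
    } catch {
        # Being unable to read the ACL at all is itself worth reporting.
        [pscustomobject]@{ Path = $Path; Exists = $true; DenyEveryone = $false; Aces = @(); Error = $_.Exception.Message }
    }
}

foreach ($p in $LockyKeyPaths) {
    $r = Test-LockyVaccineKey -Path $p
    if (-not $r.Exists) { "$($r.Path): not present"; continue }
    if ($r.Error)       { "$($r.Path): present, but ACL could not be read ($($r.Error))"; continue }
    "$($r.Path): present, Deny-for-Everyone = $($r.DenyEveryone)"
    $r.Aces | Format-Table -AutoSize
}
```

A key that exists with DenyEveryone = $true matches the vaccine pattern described in the post; a key with no Deny entry, or values and subkeys underneath it, warrants a closer look.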
 
> I believe that's what creates it. I seem to remember reading something a while ago about it.
>
> I use BD GravityZone too and the systems that it's installed on also have the same registry key. If you examine the key's properties you should see that it has a special Deny permission set for 'everyone'. I think the idea is that by creating the key in advance of any infection and locking down the permissions, it prevents the malware from creating it.

Ah, thank you! None of my clients have ever been infected so it seemed odd to me to see it, and then be unable to find anything about it. Your suggestion makes sense to me. Thanks!
 