Unwanted Registry Entries

[JohninNH]

Hi All,
I had reason to go into my registry today and noticed some odd entries; see attached file. I suspected malware/virus activity so I ran all my protective software; Windows Defender, Malwarebytes, JRT, adwcleaner, SuperAntispyware and they found nothing but tracking cookies. I can't see anything that I don't recognize running in Task Manager or Services.
I deleted the entries and they came right back. It doesn't matter if I'm connected to the Internet or not. I did google for suggestions and didn't come up with much other than run your protective software.

Any suggestions or guidance would be most appreciated!

Thanks!
John

 

[Trouble]

I can't see anything that I don't recognize running in Task Manager or Services.

You might have a peek at Task Scheduler to see if it has any entries that might explain it.
By way of a comparison, this it what I have at the same registry location.

 

[davehc]

Do you mean you attempted to delete that folder?. Or some of the contents in the expanded tree?
Removing items from the "software" folder, has always been a weak point with MS OSs. Not a process I recommend, but, I am for ever, experimenting with software, through an organisation I work with. Whenever I "uninstall" this software, I go into the software folders and manually eras the entry, which is inevitably still there.
Fwiw. There is another such folder under the HKLM header, with similar entries.

 

[Trouble]

I think the OP is talking about the top two entries (keys) in the tree on the left.
One with a character that looks like an O but may be a square box or some special character and the other with no text associated with it

 

[davehc]

Oh. Yes. Tks Trouble. Didn't look up there.

 

[JohninNH]

You might have a peek at Task Scheduler to see if it has any entries that might explain it.
By way of a comparison, this it what I have at the same registry location.

View attachment 7181

Thanks for that suggestion. I forgot how much stuff Windows places in the Task Scheduler! I couldn't find anything that didn't originate from Windows, Intel or software I installed.

 

[JohninNH]

It is possible to apply mechanical troubleshooting principles to computer issues in that, after checking the obvious, you ask what was the last thing you did before the problem showed itself.
About two weeks ago I updated my video card drivers so I uninstalled the drivers and software. Sure enough two of those mystery entries stopped appearing! A month or so before that I installed updated software for my game controller. I uninstalled that as well and sure enough the other two mystery entries stopped appearing.
I've restarted the computer several times and the entries have not reappeared. I also ran the DISM Restore Health to make sure my basic Windows files were good. Now back to installing the old drivers and software for my video card and controller.
I won't mark this problem as solved until I'm finished re-installing the software and I don't see any mystery entries in my registry.

 

[Regedit32]

The HKEY_CURRENT_USER profile stores pointers to the environment variables, personal program groups, desktop settings, network connections, printers, and application preference of the current logged on User.

This section does not store Data per se, but rather points to the SID key for the logged on user, whose Data is stored at HKEY_USERS\[logged on users SID].

In the event something goes awry during shutdown or startup, Windows will create a HKEY_CURRENT_USER tree from the NTUSER.DAT file, which is a protected system operating file stored inside each User's directory, e.g. C:\Users\Regedit32\NTUSER.DAT). Note: To view this file you need to go to folder options and remove the check next to Hide protected operating system files (recommended).

In this instance you appear to have two rogue entries, although there may be nothing malicious going on, as it could easily be a corrupted data point.

What I'd be doing first would be to open Task Manager, and end task applications one by one, then monitor the Registry by tapping F5 to refresh it, as each task ends, to see whether the rogue keys disappear.

When they do disappear, I'd then sign-out as the logged in User, then shut down the computer and restart it to allow the information stored in RAM to be reloaded, given then entire registry loads into RAM each time to start up.

 

[JohninNH]

The HKEY_CURRENT_USER profile stores pointers to the environment variables, personal program groups, desktop settings, network connections, printers, and application preference of the current logged on User.

Thanks for this tip! Before I could try it out the mystery entries stopped appearing. It turned out game controller and video card software was not the culprit. Trouble is I'm not sure what the issue was caused by. I had downloaded some malware/anti-virus scanners/cleaners from a reputable site but had not used all of them. After deleting the software the mystery entries stopped appearing and it's been four days without their appearance.

John