Windows – Can’t display/remove registry entry set by malware

Tags: malware, unicode, windows, windows 8, windows-registry

I have a registry entry with strange characters:

"C:\Program Files (x86)\Google\Desktop\Install\{a33ad396-dacb-512c-46ab-10675be7c6b5}\   \...\‮ﯹ๛\{a33ad396-dacb-512c-46ab-10675be7c6b5}\GoogleUpdate.exe" <

"C:\Users\Bart\AppData\Local\Google\Desktop\Install\{a33ad396-dacb-512c-46ab-10675be7c6b5}\dxÙ\" h\.ù[\{a33ad396-dacb-512c-46ab-10675be7c6b5}\GoogleUpdate.exe" >

C:\Users\Bart\AppData\Local\Google\Desktop\Install\{a33ad396-dacb-512c-46ab-10675be7c6b5}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{a33ad396-dacb-512c-46ab-10675be7c6b5}\L

It's all about these two characters: ‮ﯹ๛

(Try to copy this to Notepad and see what happens)

Everything that you type behind that character is going from right to left.

Regedit can't read this value and gives this error when you open the Run subkey: "Error reading the value's contents". That's why I can't delete this entry at all.

I'm almost sure it's the ZeroAccess malware.

What's going on here?
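The character in question is U+202E RIGHT-TO-LEFT OVERRIDE, a Unicode bidirectional control that tells any renderer to display the rest of the string backwards, which is why Notepad and regedit show the tail of the path reversed. The script below is an added example (not code from the question or answer) that scans Run-key values for bidi control characters and prints them with the controls escaped, so the output itself cannot be spoofed. It assumes the HKCU Run key path shown in the code and, when not running on Windows, uses a constructed sample modelled on the values in the question.

```python
import unicodedata

# Unicode bidirectional control characters. A legitimate registry path never
# contains these; U+202E (RIGHT-TO-LEFT OVERRIDE) is the one that makes the
# rest of the string render right to left.
BIDI_CONTROLS = {
    "\u200e", "\u200f",                                 # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
}

# Constructed sample, modelled on the values in the question (not read from a host).
INSTALL_DIR = r"C:\Users\Bart\AppData\Local\Google\Desktop\Install"
GUID = "{a33ad396-dacb-512c-46ab-10675be7c6b5}"
SAMPLE_RUN_VALUES = {
    "GoogleUpdate": INSTALL_DIR + "\\" + GUID + "\\\u202e\ufbf9\u0e5b\\" + GUID + "\\GoogleUpdate.exe",
    "OneDrive": r"C:\Users\Bart\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
}


def find_bidi_controls(value):
    """Return (offset, 'U+XXXX', unicode name) for every bidi control in value."""
    hits = []
    for i, ch in enumerate(value):
        if ch in BIDI_CONTROLS:
            hits.append((i, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN")))
    return hits


def escape_controls(value):
    """Replace control/format characters with \\uXXXX escapes so printed output
    keeps its left-to-right reading order."""
    return "".join(
        "\\u%04x" % ord(c) if c in BIDI_CONTROLS or unicodedata.category(c).startswith("C") else c
        for c in value
    )


def scan_run_values(values):
    """values: dict name -> data. Returns {name: hits} for values with bidi controls."""
    findings = {}
    for name, data in values.items():
        hits = find_bidi_controls(data)
        if hits:
            findings[name] = hits
    return findings


def read_run_key_values():
    """On Windows, enumerate HKCU\\...\\Run (assumed key path); elsewhere return the sample.
    REG_NONE data comes back as bytes and is decoded as UTF-16LE on a best-effort basis."""
    try:
        import winreg
    except ImportError:
        return SAMPLE_RUN_VALUES
    values = {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:            # raised when there are no more values
                break
            if isinstance(data, bytes):
                data = data.decode("utf-16-le", errors="replace")
            if isinstance(data, str):
                values[name] = data
            index += 1
    return values


if __name__ == "__main__":
    for name, hits in scan_run_values(read_run_key_values()).items():
        print("%s: %s" % (name, ", ".join("%s %s at offset %d" % (cp, nm, off) for off, cp, nm in hits)))
        print("  value: " + escape_controls(read_run_key_values()[name]))
```

Printing the value through escape_controls matters: a log line that contains the raw U+202E would be reversed on screen just like the registry entry, and a reviewer would read the wrong file name. Values flagged by the scan are the ones to remove, whether by deleting the individual value or, as the answer suggests, the whole Run key.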

Best Answer

You cannot modify it because it has a REG_NONE value, and you will need a native registry editor to load the hives and then remove it from there. However, you can delete the whole Run key and you will be fine. You can find more info regarding this rootkit here: http://www.virusresearch.org/zeroaccess-botnet-crippled-but-not-dead/
