Delete these registry keys?

Question

Found some XPpro (SP2) registry keys on Dimension 8400 that may be left after spyware was removed. Need to know if/how to remove them safely. Two of them are related to something called "Deal Info". Up-to-date Ad-aware, Spy-bot, CWshredder, McAfee don't detect it, and I can't find any related files by searches that include hidden and system files.

HKEY_USERS\S-1-5-21-4186795036-2291062689-4051603708-1007\Software\Microsoft\Installer\Products\843B25AA38603B94EB42D840C2A75C44

and:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-4186795036-2291062689-4051603708-1007\Products\843B25AA38603B94EB42D840C2A75C44\InstallProperties

msconfig also lists active startup item named (blank), command line (blank) at:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (Default) REG_SZ (value not set)
SpySweeper REG_SZ

Never downloaded/installed Spy Sweeper which seems to be legitimate(?) software so I don't know where it came from, or if it's responsible for "Deal Info".

Any recomendations/suggestions?

Thanks!

Ron

Message Edited by RoHe on 12-26-2004 09:52 PM

RoHe · Answer

Denny,
I figured you'd what to do! Many thanks. I'll export the .reg and then delete those keys. It seems that no matter how vigilant we are, somebody still finds a way to sneak things onto our PCs...

Have a happy new year!

Ron

Denny Denham · Answer

RoHe,

The safest thing to do is export those two keys and save the *.reg files in a safe place, then delete the keys. If nothing unexpected happens for a couple of weeks or so, you can delete the *.reg files (or leave them, since they will take up almost no hard drive space). If somthing unexpected does happen (unlikely, given their association) you can just double-click them or right-click and select Merge and restore them.

RoHe · Answer

Denny,
Deleted those keys and wiped out my Earthlink dialup connection! Modem would open a pre-dial terminal screen (never did that before!), dial out but get refused by ELN. Re-imported the .reg but no go, so had to recreate the whole network connection from scratch... Am back online (obviously) and will have to poke around some more to see what those keys are really doing. Am open to further suggestions!

Thanks for your help.
Ron

Denny Denham · Answer

Ron, My last suggestion was so remarkably ineffective I'm out of ideas.

JRosenfeld · Answer

In regedit, right pane for the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-4186795036-2291062689-4051603708-1007\Products\843B25AA38603B94EB42D840C2A75C44\InstallProperties

there should be several values, one of which is DisplayName, which would tell you what software installer installed under that key. Also a value LocalPackage that tells you which .exe or .msi file was used to install it. Also InstalDate (reads year month day) which might give you a clue when it was installed. Several other values might be there, such as Publisher (would tell you whose software it is), etc.

As for the value Spysweeper in the key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run(Default) REG_SZ (value not set)
SpySweeper REG_SZ

since it has no command in the data column it does not do anything and you can delete that value in the right pane ( do not delete the whole run key, nor the default value) right click on Spysweeper, click delete..

RoHe · Answer

JR,
Thanks! Followed your tip and looks like "Deal Info" is related to Earthlink, possibly part of that 6-months free offer Dell installed.
So guess it isn't spyware, and I can probably just leave it there.

Deleted the spysweeper key as you suggested so lets hope that's the end of that problem.

Thanks again,
Ron

Windows General

Delete these registry keys?

Was this post helpful?