Author Topic: Strange encrypted key in my registry  (Read 3016 times)
alxwz
Charter Member
***
Posts: 115


« on: May 22, 2009, 05:29:47 PM »

When roaming my registry today, I found a suspicious key under HKLM\Software that was obviously encrypted, and the values inside were likewise:

[HKEY_LOCAL_MACHINE\SOFTWARE\T96Pk0Px4ALJoXfi0l_v7CWW]
"vFFOg4JQG0r7wfUevNmW"="liC!t06Jas-jsKtpyH_zu!He2BWW"
"QoOAmAsdC!nFJ4o_pHP_oIyDenSBX4Yg-HfvaLwveEk0X49_xrNW"="QM-A3fRGekiQJfTPo_M_34cGCgSQh4kR-H1d34KdekiQI4U1TkNW"
"CJsPtCWW"="RkYa"
"lY3dqQGEpCWW"=""
"YQtOwAGbOFZW"=""
"YQtOwAGbOFXW"=""
"zjumvCWW"=""
"0jivbQZW"=""
"lY3FyXJjpCWW"=""
"5kz0"=""
"0UolLhZW"=""
"JklO"=""
"1PrvjaOW"="iZrIB_ZvTcH-dhBW"
"26_mic_K"="0BWW"
"rVfpxKGFeQGfh3j_f_XW"="0-WW"
"IrzxTG8uju_V-AnSRwzD"="0BWW"
"w0SPY6jKTM-W"="0BWW"

Well, I think I remember having read something about encrypting registry keys (e.g. to protect shareware), but I've never seen any legitimate shareware (or other software) really do that. I have no idea where this key comes from (and I like to know such stuff).
I decided to just delete this key (after backing it up), and afterwards tested all (!) my programs for error messages on startup (found none), but I'm still wondering:
What might have produced this key?
Is it really safe to delete it?
Is this a sign of malware? (Never had any, and just recently scanned the machine thoroughly.)
Is there an OS-supplied encryption system for registry entries? (that next to nobody seems to use?)

Since I know there are some pretty bright people in this forum, and especially some shareware authors, maybe someone could give me some pointers.
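One way to triage a find like this offline, added here as an example that is not from the thread: parse the .reg backup and score key and value names by Shannon entropy and character mix, so random-looking names stand out from ordinary vendor keys. The Contoso key in the sample is constructed; the other key and value names are the ones quoted in the post, and the thresholds are assumptions to tune.

```python
import math
import re
from collections import Counter

# Constructed .reg export in the layout of the post's dump (Contoso key is made up).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\Widget]
"InstallDir"="C:\\Program Files\\Widget"
"Version"="2.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\T96Pk0Px4ALJoXfi0l_v7CWW]
"vFFOg4JQG0r7wfUevNmW"="liC!t06Jas-jsKtpyH_zu!He2BWW"
"CJsPtCWW"="RkYa"
"26_mic_K"="0BWW"
'''

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')
GUID_RE = re.compile(r'^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$')

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def looks_random(name, min_len=8, min_entropy=3.5):
    """Long, high-entropy names mixing upper, lower and digits; GUIDs excluded."""
    if len(name) < min_len or GUID_RE.match(name):
        return False
    mixed = all(any(f(c) for c in name) for f in (str.isupper, str.islower, str.isdigit))
    return mixed and shannon_entropy(name) >= min_entropy

def parse_reg(text):
    """Yield (key_path, [value names]) pairs from a .reg export."""
    key, names = None, []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:                       # new [HKEY_...] section
            if key is not None:
                yield key, names
            key, names = m.group(1), []
        elif key is not None and (m := VALUE_RE.match(line)):
            names.append(m.group(1))
    if key is not None:
        yield key, names

def suspicious_keys(text):
    """Key paths whose leaf name or any value name looks random."""
    return [key for key, names in parse_reg(text)
            if looks_random(key.rsplit('\\', 1)[-1]) or any(map(looks_random, names))]
```

Entropy alone flags short or all-hex names badly, which is why the GUID exclusion and the three-character-class test are there; expect to add exclusions for any vendor that legitimately uses opaque names.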
MilesAhead
Member
**
Posts: 4,844



« Reply #1 on: May 22, 2009, 05:35:47 PM »

Did you try googling the keys?  If it's an encrypted name of a popular copy protected software it may come up.

It's probably left over from some trial ware.  Many authors use software that does the copy protecting instead of trying to think it up themselves.  So they don't even know how it works themselves sometimes.

If you are scanning clean with a few packages like Malware bytes then I wouldn't worry about it.

If you keep deleting it and something keeps putting it back, then I'd try harder to find out what's up with it.

edit: btw, before you post anything encrypted like that I would at least put it through ROT13 to make sure you're not posting your name, address, SS # and credit card info on the internet!!

« Last Edit: May 22, 2009, 05:39:46 PM by MilesAhead » Logged

"Genius is not knowing you can't do it that way."
- MilesAhead
alxwz
Charter Member
***
Posts: 115


« Reply #2 on: May 22, 2009, 05:42:49 PM »

I tried to google some of the values, but came up empty-handed.
I also cross-searched the registry itself for some of them, without success.

OTOH, I always wondered how some shareware authors keep me from uninstalling and reinstalling their demos...

But it's not like I'm usually into this kind of stuff (warez, cracking demos etc.). So I'm probably a bit uneducated in this field.

My main worry was that it could be some sign of malware (and yes, MalwareBytes was one of the packages I used).
Ehtyar
Supporting Member
**
Posts: 1,236



That News Guy

« Reply #3 on: May 22, 2009, 05:51:25 PM »

Chances are the key for the crypto is extrapolated from a value unique to your system, thus you won't find the same values on another machine. If you suspect a particular app is the culprit, try running Process Monitor when you start it up and see which registry keys it queries.

Ehtyar.
mwb1100
Supporting Member
**
Posts: 1,310


« Reply #4 on: May 22, 2009, 05:52:33 PM »

You can use something like SysInternals' ProcMon to monitor what process tries to access that key (set a filter so only something messing with that key will show up).  ProcMon supports boot time logging, so if something is accessing it, you should be able to catch it even if it starts early.

http://technet.microsoft....ysinternals/bb896645.aspx
alxwz
Charter Member
***
Posts: 115


« Reply #5 on: May 22, 2009, 06:26:09 PM »

Yikes! I didn't even know Process Monitor existed. I still use the same old copies of Process Explorer and Filemon I've had for years.
Thanks for the hint!
DonationCoder.com | About Us
DonationCoder.com Forum | Powered by SMF