Author Topic: Strange encrypted key in my registry  (Read 3418 times)

alxwz

  • Charter Member
  • Joined in 2006
  • Posts: 117
Strange encrypted key in my registry
« on: May 22, 2009, 05:29:47 PM »
When roaming my registry today, I found a suspicious key under HKLM\Software that was obviously encrypted, and the values inside were likewise:

[HKEY_LOCAL_MACHINE\SOFTWARE\T96Pk0Px4ALJoXfi0l_v7CWW]
"vFFOg4JQG0r7wfUevNmW"="liC!t06Jas-jsKtpyH_zu!He2BWW"
"QoOAmAsdC!nFJ4o_pHP_oIyDenSBX4Yg-HfvaLwveEk0X49_xrNW"="QM-A3fRGekiQJfTPo_M_34cGCgSQh4kR-H1d34KdekiQI4U1TkNW"
"CJsPtCWW"="RkYa"
"lY3dqQGEpCWW"=""
"YQtOwAGbOFZW"=""
"YQtOwAGbOFXW"=""
"zjumvCWW"=""
"0jivbQZW"=""
"lY3FyXJjpCWW"=""
"5kz0"=""
"0UolLhZW"=""
"JklO"=""
"1PrvjaOW"="iZrIB_ZvTcH-dhBW"
"26_mic_K"="0BWW"
"rVfpxKGFeQGfh3j_f_XW"="0-WW"
"IrzxTG8uju_V-AnSRwzD"="0BWW"
"w0SPY6jKTM-W"="0BWW"

Well, I think I remember having read something about encrypting registry keys (e.g. to protect shareware), but I've never seen any legitimate shareware (or other software) really do that. I have no idea where this key comes from (and I like to know such stuff).
I decided to just delete this key (after backing it up), and afterwards tested all (!) my programs for error messages on startup (found none), but I'm still wondering:
What might have produced this key?
Is it really safe to delete it?
Is this a sign of malware? (Never had any, and just recently scanned the machine thoroughly.)
Is there an OS-supplied encryption system for registry entries? (that next to nobody seems to use?)

Since I know there are some pretty bright people in this forum, and especially some shareware authors, maybe someone could give me some pointers.

MilesAhead

  • Supporting Member
  • Joined in 2009
  • Posts: 6,202
Re: Strange encrypted key in my registry
« Reply #1 on: May 22, 2009, 05:35:47 PM »
Did you try googling the keys?  If it's an encrypted name of a popular copy protected software it may come up.

It's probably left over from some trial ware.  Many authors use software that does the copy protecting instead of trying to think it up themselves.  So they don't even know how it works themselves sometimes.

If you are scanning clean with a few packages like Malwarebytes then I wouldn't worry about it.

If you keep deleting it and something keeps putting it back, then I'd try harder to find out what's up with it.

edit: btw, before you post anything encrypted like that, I would at least put it through ROT13 to make sure you're not posting your name, address, SS # and credit card info on the internet!! :)

« Last Edit: May 22, 2009, 05:39:46 PM by MilesAhead »

alxwz

  • Charter Member
  • Joined in 2006
  • Posts: 117
Re: Strange encrypted key in my registry
« Reply #2 on: May 22, 2009, 05:42:49 PM »
I tried to google some of the values, but came up empty-handed.
I also cross-searched the registry itself for some of them, without success.

OTOH, I always wondered how some shareware authors keep me from uninstalling and reinstalling their demos... 8)

But it's not like I'm usually into this kind of stuff (warez, cracking demos etc.). So I'm probably a bit uneducated in this field.

My main worry was that it could be some sign of malware (and yes, MalwareBytes was one of the packages I used).

Ehtyar

  • Supporting Member
  • Joined in 2007
  • Posts: 1,237
Re: Strange encrypted key in my registry
« Reply #3 on: May 22, 2009, 05:51:25 PM »
Chances are the key for the crypto is extrapolated from a value unique to your system, thus you won't find the same values on another machine. If you suspect a particular app is the culprit, try running Process Monitor when you start it up and see which registry keys it queries.

Ehtyar.

mwb1100

  • Supporting Member
  • Joined in 2006
  • Posts: 1,430
Re: Strange encrypted key in my registry
« Reply #4 on: May 22, 2009, 05:52:33 PM »
You can use something like SysInternals' ProcMon to monitor what process tries to access that key (set a filter so only something messing with that key will show up).  ProcMon supports boot time logging, so if something is accessing it, you should be able to catch it even if it starts early.

http://technet.micro...ernals/bb896645.aspx
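
The Process Monitor approach suggested in the two replies above, as an added example that is not part of any poster's message: a triage script that reads a ProcMon CSV export and reports which processes read, wrote, or probed for the key from the first post after it was deleted. It assumes ProcMon's default CSV columns; the sample rows, process names and PIDs are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Key name taken from the first post in this thread.
SUSPECT_KEY = r"HKLM\SOFTWARE\T96Pk0Px4ALJoXfi0l_v7CWW"
WRITE_OPS = {"RegCreateKey", "RegSetValue", "RegDeleteKey", "RegDeleteValue"}

# Constructed sample in Process Monitor's default CSV column layout.
# Process names, PIDs and timestamps are invented for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"5:40:01.1 PM","explorer.exe","1512","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows","SUCCESS",""
"5:40:02.2 PM","trialapp.exe","3044","RegOpenKey","HKLM\SOFTWARE\T96Pk0Px4ALJoXfi0l_v7CWW","NAME NOT FOUND",""
"5:40:02.3 PM","trialapp.exe","3044","RegCreateKey","HKLM\Software\T96Pk0Px4ALJoXfi0l_v7CWW","SUCCESS",""
"5:40:02.4 PM","trialapp.exe","3044","RegSetValue","HKLM\SOFTWARE\T96Pk0Px4ALJoXfi0l_v7CWW\CJsPtCWW","SUCCESS",""
"5:40:02.5 PM","trialapp.exe","3044","RegQueryValue","HKLM\SOFTWARE\T96Pk0Px4ALJoXfi0l_v7CWW\1PrvjaOW","SUCCESS",""
"5:40:03.6 PM","other.exe","2200","RegOpenKey","HKLM\SOFTWARE\T96Pk0Px4ALJoXfi0l_v7CWWextra","SUCCESS",""
'''

def under_key(path, key):
    """True if path is the key itself or lies beneath it (registry paths are case-insensitive)."""
    p, k = path.lower().rstrip("\\"), key.lower().rstrip("\\")
    return p == k or p.startswith(k + "\\")

def summarize(csv_text, key=SUSPECT_KEY):
    """Map (process name, PID) -> counts of reads, writes and failed lookups on the key."""
    hits = defaultdict(lambda: {"reads": 0, "writes": 0, "missing": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["Operation"].startswith("Reg") or not under_key(row["Path"], key):
            continue
        entry = hits[(row["Process Name"], int(row["PID"]))]
        if row["Result"] == "NAME NOT FOUND":
            entry["missing"] += 1   # process still looks for the key after deletion
        elif row["Operation"] in WRITE_OPS:
            entry["writes"] += 1    # process creates or modifies the key
        else:
            entry["reads"] += 1
    return dict(hits)

if __name__ == "__main__":
    # For a real export, read the file with encoding="utf-8-sig" to tolerate a BOM.
    for (name, pid), counts in summarize(SAMPLE_CSV).items():
        print(f"{name} (PID {pid}): {counts}")
```

A process that shows up with "missing" lookups or writes after the key has been deleted is the one that owns it.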

alxwz

  • Charter Member
  • Joined in 2006
  • Posts: 117
Re: Strange encrypted key in my registry
« Reply #5 on: May 22, 2009, 06:26:09 PM »
Yikes! I didn't even know Process Monitor existed. I still use the same old copies of Process Explorer and Filemon I've had for years.
Thanks for the hint!