

Strange encrypted key in my registry


alxwz:
When roaming my registry today, I found a suspicious key under HKLM\Software that was obviously encrypted, and the values inside were likewise:

[HKEY_LOCAL_MACHINE\SOFTWARE\T96Pk0Px4ALJoXfi0l_v7CWW]
"vFFOg4JQG0r7wfUevNmW"="liC!t06Jas-jsKtpyH_zu!He2BWW"
"QoOAmAsdC!nFJ4o_pHP_oIyDenSBX4Yg-HfvaLwveEk0X49_xrNW"="QM-A3fRGekiQJfTPo_M_34cGCgSQh4kR-H1d34KdekiQI4U1TkNW"
"CJsPtCWW"="RkYa"
"lY3dqQGEpCWW"=""
"YQtOwAGbOFZW"=""
"YQtOwAGbOFXW"=""
"zjumvCWW"=""
"0jivbQZW"=""
"lY3FyXJjpCWW"=""
"5kz0"=""
"0UolLhZW"=""
"JklO"=""
"1PrvjaOW"="iZrIB_ZvTcH-dhBW"
"26_mic_K"="0BWW"
"rVfpxKGFeQGfh3j_f_XW"="0-WW"
"IrzxTG8uju_V-AnSRwzD"="0BWW"
"w0SPY6jKTM-W"="0BWW"

Well, I think I remember having read something about encrypting registry keys (e.g. to protect shareware), but I've never seen any legitimate shareware (or other software) really do that. I have no idea where this key comes from (and I like to know such stuff).
I decided to just delete this key (after backing it up), and afterwards tested all (!) my programs for error messages on startup (found none), but I'm still wondering:
What might have produced this key?
Is it really safe to delete it?
Is this a sign of malware? (Never had any, and just recently scanned the machine thoroughly.)
Is there an OS-supplied encryption system for registry entries? (that next to nobody seems to use?)

Since I know there are some pretty bright people in this forum, and especially some shareware authors, maybe someone could give me some pointers.

MilesAhead:
Did you try googling the keys? If it's an encrypted name of a popular copy-protected software it may come up.

It's probably left over from some trialware. Many authors use software that does the copy protecting instead of trying to think it up themselves. So they don't even know how it works themselves sometimes.

If you are scanning clean with a few packages like Malwarebytes then I wouldn't worry about it.

If you keep deleting it and something keeps putting it back, then I'd try harder to find out what's up with it.

edit: btw, before you post anything encrypted like that I would at least put it through ROT13 to make sure you're not posting your name, address, SS # and credit card info on the internet!! :)

alxwz:
I tried to google some of the values, but came up empty-handed.
I also cross-searched the registry itself for some of them, without success.

OTOH, I always wondered how some shareware authors keep me from uninstalling and reinstalling their demos... 8)

But it's not like I'm usually into this kind of stuff (warez, cracking demos etc.). So I'm probably a bit uneducated in this field.

My main worry was that it could be some sign of malware (and yes, MalwareBytes was one of the packages I used).

Ehtyar:
Chances are the key for the crypto is extrapolated from a value unique to your system, thus you won't find the same values on another machine. If you suspect a particular app is the culprit, try running Process Monitor when you start it up and see which registry keys it queries.

Ehtyar.

mwb1100:
You can use something like SysInternals' ProcMon to monitor what process tries to access that key (set a filter so only something messing with that key will show up). ProcMon supports boot-time logging, so if something is accessing it, you should be able to catch it even if it starts early.

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
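As an added example (not code from any poster in this thread) of a first triage step before reaching for ProcMon: a small Python script that parses a .reg-style export and flags key and value names that look like randomly generated tokens, using Shannon entropy and a character-class mix. The sample export is constructed, modelled on the key pasted above, and the thresholds (minimum length 8, entropy 3.0 bits/char) are assumptions, not published values.

```python
import math
import re
from collections import Counter

# Constructed sample modelled on the export pasted in the thread, plus one
# ordinary key so the heuristic has a benign name to leave alone.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\T96Pk0Px4ALJoXfi0l_v7CWW]
"vFFOg4JQG0r7wfUevNmW"="liC!t06Jas-jsKtpyH_zu!He2BWW"
"CJsPtCWW"="RkYa"
"5kz0"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"=')

def parse_reg(text):
    """Return {key_path: [value_name, ...]} from a .reg-style export."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = []
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current].append(m.group(1))
    return keys

def shannon_entropy(s):
    """Bits per character; random-looking tokens score high, real words score low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def looks_random(name, min_len=8, min_entropy=3.0):
    """Heuristic (assumed thresholds): long, high-entropy, mixes digits with both letter cases."""
    classes = sum(any(f(c) for c in name) for f in (str.islower, str.isupper, str.isdigit))
    return len(name) >= min_len and shannon_entropy(name) >= min_entropy and classes == 3

def suspicious_keys(text):
    """Map each key whose leaf name or any value name looks obfuscated to those names."""
    flagged = {}
    for path, names in parse_reg(text).items():
        leaf = path.rsplit('\\', 1)[-1]
        hits = [n for n in [leaf] + names if looks_random(n)]
        if hits:
            flagged[path] = hits
    return flagged
```

Run it against a full `reg export HKLM\Software` dump to get a short list of keys worth a ProcMon filter; a benign vendor key with a human-readable name will not be flagged.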
