
Strange HKLM/Software Keys ???

Anonymous
July 15, 2005 8:52:27 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

Can anyone explain what the following refers to, or how these keys with Chinese(?) characters got into my registry? (Oops - I hope these characters come thru ok - I see that only those recipients whose email client supports Unicode will be able to see the characters).

Thanks.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\摁牤獥䉳潯k]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\摁牤獥䉳潯k\Certificates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\摁牤獥䉳潯k\CRLs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\摁牤獥䉳潯k\CTLs]
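
A key name like the one in the export above can be triaged mechanically. The Python sketch below is an added example, not part of the original post: it re-encodes each key-name component as UTF-16LE and reports it when the bytes turn out to be plain printable ASCII, which is what 8-bit text looks like when it is stored where 16-bit text is expected. The function names, the `Example` key and the NUL sample are assumptions made for illustration.

```python
import re

# Key header line in a .reg export: [HIVE\sub\key]
REG_KEY_LINE = re.compile(r"^\[(.+)\]$")

# The first five lines are key paths quoted in this thread. The last line is
# constructed for contrast: a key with a genuinely Chinese name.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\摁牤獥䉳潯k]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\摁牤獥䉳潯k\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\摁牤獥䉳潯k\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\摁牤獥䉳潯k\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust]
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\证书]
"""

# Constructed: the same name followed by an embedded NUL and leftover text.
NUL_SAMPLE = "摁牤獥䉳潯k\x00Publisher"


def is_cjk(ch):
    """True for CJK Unified Ideographs and Extension A (BMP only)."""
    cp = ord(ch)
    return 0x3400 <= cp <= 0x4DBF or 0x4E00 <= cp <= 0x9FFF


def split_at_nul(name):
    """Split a key name at its first embedded NUL.

    Native-API key names are counted strings and may contain NULs; code that
    treats names as NUL-terminated only sees the part before the first one.
    """
    visible, _, hidden = name.partition("\x00")
    return visible, hidden


def recover_narrow_string(name):
    """Return the ASCII text packed into `name`, or None.

    When 8-bit text is read as UTF-16LE, every two bytes become one 16-bit
    code unit, so two ASCII letters display as a single ideograph.
    Encoding the name back to UTF-16LE exposes the original bytes.
    """
    visible, _ = split_at_nul(name)
    if not any(is_cjk(c) for c in visible):
        return None
    raw = visible.encode("utf-16-le", errors="surrogatepass")
    # Odd-length text ends with <last byte> 00, which displays as an ordinary
    # Latin character (the trailing "k" in the key name from the thread).
    if raw.endswith(b"\x00"):
        raw = raw[:-1]
    if raw and all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None


def triage_reg_export(text):
    """Return (key_path, component, recovered_text) for each suspect component."""
    findings = []
    for line in text.splitlines():
        match = REG_KEY_LINE.match(line.strip())
        if not match:
            continue
        key_path = match.group(1)
        for component in key_path.split("\\"):
            recovered = recover_narrow_string(component)
            if recovered is not None:
                findings.append((key_path, component, recovered))
    return findings


if __name__ == "__main__":
    for key_path, component, recovered in triage_reg_export(SAMPLE_EXPORT):
        print(f"{key_path}\n    {component!r} decodes to {recovered!r}")
    print(split_at_nul(NUL_SAMPLE), recover_narrow_string(NUL_SAMPLE))
```

Run against the key name posted above, the check reports `AddressBook`; the ordinary `Trust` key and the genuinely Chinese name are left alone.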

Anonymous
July 15, 2005 10:10:37 PM

They are created when you open Certificates (certmgr.msc). If you delete
them and open certmgr.msc again, they'll be created again. I have no idea
why. And I can't find the notes that I made on this. ;-(

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news:uZa2AhZiFHA.3544@TK2MSFTNGP15.phx.gbl,
BobLeavitt <robertl101@hotmail.com> hunted and pecked:
> Can anyone explain what the following refers to, or how these keys with
> Chinese(?) characters got into my registry? (Oops - I hope these
> characters come thru ok - I see that only those recipients whose email
> client supports Unicode will be able to see the characters ).
>
> Thanks.
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\æ
‘?牤ç?¥ä‰³æ½¯k]
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\æ
‘?牤ç?¥ä‰³æ½¯k\Certificates]
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\æ
‘?牤ç?¥ä‰³æ½¯k\CRLs]
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\æ
‘?牤ç?¥ä‰³æ½¯k\CTLs]
Anonymous
July 15, 2005 10:10:38 PM

Thanks Wes. You did not get what appear to be the Chinese characters, but rather, I guess, the Windows default characters. But anyway, my question is why the strange characters? Why not some plain ol' understandable English? Like, I already have:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs]

Could I have picked these up in the course of a file download from Canon's Japanese website? Also, these values show up when I do a search for rootkits, which bothers me a bit. Think I will delete them (after backing up, of course).

Anonymous
July 16, 2005 12:16:38 AM

Bob,

Found my notes. I had posted this @ a private group for input. For what
it's worth here are those notes...

Theory: Opening certmgr.msc adds those entries to the registry.

Anyone want to open certmgr.msc and see if they have these as empty folders
in the left hand pane.

? <--should show a square
? <--should show a square
?????k <--should show 5 squares, then the letter k

And if they do have those folders, do they then see the ? square entries in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates
-----
****
Some folks had the same entries, some didn't. One person confirmed my
theory.
****
-----

Long story, short.

I exported these keys...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates

Then I deleted these keys...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\? <--should show a square

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?????k <--should show 5 squares, then the letter k

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\? <--should show a square

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\? <--should show a square

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?????k <--should show 5 squares, then the letter k

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\? <--should show a square

Opened certmgr.msc and checked the registry again.

Those entries are back.

Deleted the entries again they stay gone as long as certmgr.msc is not
opened.

Opening certmgr.msc adds those entries to the registry.
-----

I can go off on a tangent with the best of them.

To the best of my knowledge I do not have any viruses, spyware or trojans on
my machine. I ran RootkitRevealer because I was curious.

Saving the RootkitRevealer Scan to a text file resulted in this...

HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\SystemCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\SystemCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\SystemCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)

What the RootkitRevealer Scan actually showed, more or less was this...

HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\|*ustedPublisher <-- one pipe, then the asterisk
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\|*ustedPublisher <-- one pipe, then the asterisk
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\|||||k*Publisher <-- five pipes, the letter k, then the asterisk
HKLM\SOFTWARE\Microsoft\SystemCertificates\|*ustedPublisher <-- one pipe, then the asterisk
HKLM\SOFTWARE\Microsoft\SystemCertificates\|*ustedPublisher <-- one pipe, then the asterisk
HKLM\SOFTWARE\Microsoft\SystemCertificates\|||||k*Publisher <-- five pipes, the letter k, then the asterisk
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\|||||k*Publisher <-- five pipes, the letter k, then the asterisk
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\|*ustedPublisher <-- one pipe, then the asterisk
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\|*ustedPublisher <-- one pipe, then the asterisk

I exported these keys...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates

Then I deleted these keys...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?????k]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?????k\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?????k\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?????k\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?????k]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?????k\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?????k\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?????k\CTLs]

Then I opened certmgr.msc.
I still have...
? <--should show a square
? <--should show a square
?????k <--should show 5 squares, then the letter k

That blew my theory.

Killed explorer.exe, they are still there.

So I rebooted, they are still there.

Then I ran RootkitRevealer again.

All the reg entries that I deleted are back.

Changed Permissions and deleted them again.

Opened the Registry again and SOB, they're back.

Deleted them again and ran RootkitRevealer again.

Opening certmgr.msc adds those entries back to the registry.

Why? Beats the *expletive deleted* out of me.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Anonymous
July 16, 2005 12:51:17 AM

Wes -

Interesting. When I open certmgr.msc, I have:
- one empty folder with a square as a name
- one empty folder with an "oriental" character as a name, and
- one empty folder with a name consisting of 5 "oriental" characters followed by the letter k.

Anyway, we are far beyond the limits of my knowledge. Thanks for the info. Probably time to move on.

What do you think about:

[HKEY_LOCAL_MACHINE\SOFTWARE\K22Pgc9TnAyyFw34OtlvCCWW]
"V0oR0dY0GUOHg7_0"="3Noe-2IGw4Th2LZM0CpcMHF5CCWW"
"Oj3TBCWW"="DeYYfHTcXdrncBeGvOfW"
"3VLFlSZiNBWW"=""
"8D6XjM5HvA0W"="9At!qileF7xhcBInD7fW"
"8D6XjM5HvAfW"=""
"4Jbk2CWW"="0j3o1CWW"
"2iK!zDfW"="lKdW"
"3VLdmY76NBWW"="BDUq"
"TeRf"="vrJVn37W"
"2p4s!7fW"="VCRSaZir6A_sa77P"
"OepB"=""
"rQu!FOdW"="pRmsntpiBGB0MkpN-iIFwusJ-43uS-WW"
"iD-8BbM4"="zNWW"
"lPYi3RzDRDxNbB8jqvfW"="zNWW"
"x8RSGODEfqMM!ayBQvR-"="zNWW"
"Ivihcz8Nt87W"="zNWW"

Bob
***********************************************
Anonymous
July 16, 2005 1:41:13 PM

Hi Bob,

I don't think that any of this is anything to worry about. But it is
curious.

HKEY_LOCAL_MACHINE\SOFTWARE\K22Pgc9TnAyyFw34OtlvCCWW

In a word, funky.

Looks like a virus or scumware with all the random letters/numbers.

[[file download from Canon's Japanese website]] <shrug> beats me.

Have you updated your antivirus software and run a complete scan?

This may be of interest. You have to scroll back up to the top.
http://groups-beta.google.com/group/alt.windows98/brows...\SOFTWARE\K22Pgc9TnAyyFw34OtlvCCWW&rnum=2&hl=en#33e1687086e8d162

Here's another, if you read Swedish.
http://groups-beta.google.com/group/se.dator.sys.window...\SOFTWARE\K22Pgc9TnAyyFw34OtlvCCWW&rnum=3&hl=en#b2ea24e6229064a3

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Anonymous
July 17, 2005 2:21:14 AM

So, obviously I am not the only one with the funky key. It does not bother Norton AV, Ad-Aware, nor Spybot S&D, so I won't lose any sleep over it. Thanks for your interest.

Bob

Anonymous
July 17, 2005 1:15:29 PM

Keep having fun. :-)

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
