Archived from groups: microsoft.public.windowsxp.general
Wes -
Interesting. When I open certmgr.msc, I have:
- one empty folder with a square as a name
- one empty folder with an "oriental" character as a name, and
- one empty folder with a name consisting of 5 "oriental" characters followed by the letter k.
Anyway, we are far beyond the limits of my knowledge. Thanks for the info. Probably time to move on.
What do you think about:
[HKEY_LOCAL_MACHINE\SOFTWARE\K22Pgc9TnAyyFw34OtlvCCWW]
Bob
***********************************************
"Wesley Vogel" <123WVogel955@comcast.net> wrote in message news:OMtmnxaiFHA.1372@TK2MSFTNGP10.phx.gbl...
> Bob,
>
> Found my notes. I had posted this @ a private group for input. For what
> it's worth here are those notes...
>
> Theory: Opening certmgr.msc adds those entries to the registry.
>
> Anyone want to open certmgr.msc and see if they have these as empty folders
> in the left hand pane.
>
> <--should show a square
> <--should show a square
> k <--should show 5 squares, then the letter k
>
> And if they do have those folders, do they then see the square entries in
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
> and
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates
> -----
> ****
> Some folks had the same entries, some didn't. One person confirmed my
> theory.
> ****
> -----
>
> Long story, short.
>
> I exported these keys...
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
> and
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates
>
> Then I deleted these keys...
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\ <--should show a square
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\k <--should show 5 squares, then the letter k
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\ <--should show a square
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ <--should show a square
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\k <--should show 5 squares, then the letter k
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ <--should show a square
>
> Opened certmgr.msc and checked the registry again.
>
> Those entries are back.
>
> Deleted the entries again they stay gone as long as certmgr.msc is not
> opened.
>
> Opening certmgr.msc adds those entries to the registry.
> -----
>
> I can go off on a tangent with the best of them.
>
> To the best of my knowledge I do not have any viruses, spyware or trojans on
> my machine. I ran RootkitRevealer because I was curious.
>
> Saving the RootkitRevealer Scan to a text file resulted in this...
>
> HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
> HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
> HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
> HKLM\SOFTWARE\Microsoft\SystemCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
> HKLM\SOFTWARE\Microsoft\SystemCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
> HKLM\SOFTWARE\Microsoft\SystemCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
> HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
> HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
> HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
>
> What the RootkitRevealer Scan actually showed, more or less was this...
>
> HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\|*ustedPublisher <-- one pipe, then the asterisk
> HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\|*ustedPublisher <-- one pipe, then the asterisk
> HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\|||||k*Publisher <-- five pipes, the letter k, then the asterisk
> HKLM\SOFTWARE\Microsoft\SystemCertificates\|*ustedPublisher <-- one pipe, then the asterisk
> HKLM\SOFTWARE\Microsoft\SystemCertificates\|*ustedPublisher <-- one pipe, then the asterisk
> HKLM\SOFTWARE\Microsoft\SystemCertificates\|||||k*Publisher <-- five pipes, the letter k, then the asterisk
> HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\|||||k*Publisher <-- five pipes, the letter k, then the asterisk
> HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\|*ustedPublisher <-- one pipe, then the asterisk
> HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\|*ustedPublisher <-- one pipe, then the asterisk
>
> I exported these keys...
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
> and
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates
>
> Then I deleted these keys...
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?\Certificates]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?\CRLs]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?\CTLs]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?\Certificates]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?\CRLs]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?\CTLs]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?????k]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?????k\Certificates]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?????k\CRLs]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?????k\CTLs]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?\Certificates]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?\CRLs]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?\CTLs]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?\Certificates]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?\CRLs]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?\CTLs]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?????k]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?????k\Certificates]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?????k\CRLs]
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?????k\CTLs]
>
> Then I opened certmgr.msc.
> I still have...
> <--should show a square
> <--should show a square
> k <--should show 5 squares, then the letter k
>
> That blew my theory.
>
> Killed explorer.exe, they are still there.
>
> So I rebooted, they are still there.
>
> Then I ran RootkitRevealer again.
>
> All the reg entries that I deleted are back.
>
> Changed Permissions and deleted them again.
>
> Opened the Registry again and SOB, they're back.
>
> Deleted them again and ran RootkitRevealer again.
>
> Opening certmgr.msc adds those entries back to the registry.
>
> Why? Beats the *expletive deleted* out of me.
>
> --
> Hope this helps. Let us know.
>
> Wes
> MS-MVP Windows Shell/User
>
> In news:eZ9NC3ZiFHA.3936@TK2MSFTNGP10.phx.gbl,
> BobLeavitt <robertl101@hotmail.com> hunted and pecked:
>> Thanks Wes. You did not get what appear to be the Chinese characters,
>> but rather, I guess the windows default characters. But anyway, my
>> question is why the strange characters? Why not some plain ol'
>> understandable english? Like, I already have:
>>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust]
>>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates]
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs]
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs]
>>
>> Could I have picked these up in the course of a file download from
>> Canon's Japanese website? Also, these values show up when I do a search
>> for rootkits, which bothers me a bit. Think I will delete them (after
>> backing up, of course).
>>
>>
>> "Wesley Vogel" <123WVogel955@comcast.net> wrote in message
>> news:uyppMrZiFHA.2644@TK2MSFTNGP09.phx.gbl...
>>> They are created when you open Certificates (certmgr.msc). If you delete
>>> them and open certmgr.msc again, they'll be created again. I have no
>>> idea why. And I can't find the notes that I made on this. ;-(
>>>
>>> --
>>> Hope this helps. Let us know.
>>>
>>> Wes
>>> MS-MVP Windows Shell/User
>>>
>>> In news:uZa2AhZiFHA.3544@TK2MSFTNGP15.phx.gbl,
>>> BobLeavitt <robertl101@hotmail.com> hunted and pecked:
>>>> Can anyone explain what the following refers to, or how these keys with
>>>> Chinese(?) characters got into my registry? (Oops - I hope these
>>>> characters come thru ok - I see that only those recipients whose email
>>>> client supports Unicode will be able to see the characters ).
>>>>
>>>> Thanks.
>>>>
>>>> Windows Registry Editor Version 5.00
>>>>
>>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\æ‘牤ç¥ä‰³æ½¯k]
>>>>
>>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\æ‘牤ç¥ä‰³æ½¯k\Certificates]
>>>>
>>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\æ‘牤ç¥ä‰³æ½¯k\CRLs]
>>>>
>>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\æ‘牤ç¥ä‰³æ½¯k\CTLs]
>