Garbage Entry

[drunkardswalk]

Some time back I ran across a registry entry on one machine under
HKLM\Software in which the key and all its subkeys were apparently garbage.
Now, two things immediately occurred to me. One, this might be a Trojan or
virus hiding itself; and two, it might not be garbage, but encrypted material,
possibly legitimate. I run with FIPS 140 enabled, and certificates set up
correctly, but don't have anything (so far as I know) encrypted under EFS.
Besides, EFS doesn't stash anything like this in the Local Machine hive, so
far as I'm aware, anyway.

Anyone able to give me a tell on this one? I know of no valid registry key
that looks like this. All of the subkeys are apparently garbage in both the
name and value sections. I exported the key and deleted it from the registry
with no apparent ill effects. I'd post the exported key for examination, but
not without knowing what its contents actually are, as you can all well
understand.

Thanks in advance for any help anyone can offer.

Reid Sweatman
Elder Orangutan what's in Charge of da Code Monkeys

 

[Marco]

I would run a virus scan and run regmon (www.sysinternals.com) to see if any
app tries to read/write to these keys.

 

[Kent W. England [MVP]]

Some time back I ran across a registry entry on one machine under
HKLM\Software in which the key and all its subkeys were apparently
garbage. Now, two things immediately occurred to me. One, this might
be a Trojan or virus hiding itself; and two, it might not be garbage,
but encrypted material, possibly legitimate. I run with FIPS 140
enabled, and certificates set up correctly, but don't have anything
(so far as I know) encrypted under EFS. Besides, EFS doesn't stash
anything like this in the Local Machine hive, so far as I'm aware,
anyway.

Some spyware obfuscates registry keys so they are not humanly readable,
but they are not encrypted. These are typically things like the browser
home page and search page.