chromatic47 Posted January 6, 2009 (edited)

So I was doing some registry pruning and once again stumbled upon this oddly titled key and value. Every time I see it it makes me go hmm. The full key is this:

[HKEY_LOCAL_MACHINE\Software\Microsoft\J9<000000]
"é "=hex:05,40,45,45

...and it has been there since a clean install of Win98se. Google turns up nothing, so does anybody know, what gives with J9, and why would it ever be less than 000000? And further, what is up with that funky binary value? Somehow it seems a shame to delete this bit of cryptic until I understand its inscrutable purpose.

Edited January 6, 2009 by chromatic47

whatever420 Posted January 6, 2009

I don't have that key... sorry. But... I do have this one:

[HKEY_LOCAL_MACHINE\Software\Microsoft\D=5000000]
"} "=hex:04,80,84,84

... which is also a bit strange...

Mijzelf Posted January 6, 2009

I've got this one:

[HKEY_LOCAL_MACHINE\Software\Microsoft\J46000000]
"d "=hex:05,05,00,05

Molecule Posted January 6, 2009

I have

[HKEY_LOCAL_MACHINE\Software\Microsoft\G52373<:=]
name = %sãú
value = cd cd f0 cd

might it be put there by the wga validation program, which generates the little cut and paste to download wga stuff?

(reactOS is lurking large in the future ...)

Lecco Posted January 6, 2009

Mine:

HKEY_LOCAL_MACHINE\Software\Microsoft\G13?:8<021Żč, CC 0C F2 CC

> might it be put there by the wga validation program, which generates the little cut and paste to download wga stuff?

WGA in Win98 ? NO WAY !!!

Multibooter Posted January 7, 2009

> might it be put there by the wga validation program

Definitely not. Perhaps it is the encrypted Windows serial number? Does Win98 still work after deleting this key? What registration info does Control Panel -> System show after deleting this key?

chromatic47 Posted January 7, 2009 (Author)

> Perhaps it is the encrypted Windows serial number? Does Win98 still work after deleting this key? What registration info does Control Panel -> System show after deleting this key?

Well I deleted that key and Windows boots/runs with no complaints. The registration info is unchanged in CP. I'm going to merge it back in there though, as who knows if it will apply later on for some process.

Dave-H Posted January 7, 2009

Nothing like this on my machine, for what it's worth!

Multibooter Posted January 8, 2009 (edited)

> Nothing like this on my machine, for what it's worth!

Maybe it's a fingerprint or identifying code, so that they know who is doing what, for Big Brother's monitoring/tapping/recording of the whole internet? Or maybe a key for decrypting encrypted stuff?

Maybe it's just used to mark users of a US opsys version, since you are from the UK and you don't have it? All postings reporting markers, except for Lecco's, are from the US. Maybe they watch only those people who don't have a marker? In any case it looks like something intentionally hidden, and is therefore worthwhile investigating. What is listed on your Internet Explorer -> About under Cipher Strength? Is it 128-bit (=strong encryption)?

Edited January 8, 2009 by Multibooter

iamtheky Posted January 8, 2009 (edited)

congrats whatever420 you have a virus

http://www.symantec.com/security_response/...-99&tabid=2

I'd be willing to bet most garbage keys you find in that path are malware, have you tried hijackthis to see what it thinks?

do a google for

HKEY_LOCAL_MACHINE\Software\Microsoft\G
HKEY_LOCAL_MACHINE\Software\Microsoft\J
HKEY_LOCAL_MACHINE\Software\Microsoft\K

you will see many eerily similar entries that other people cannot identify. Everything in this section should be M$ and clearly identified from what I gather. The most nondescript entry I have is the WZCSVC (wireless zero config service).

Edited January 8, 2009 by iamtheky

Multibooter Posted January 8, 2009

> I'm going to merge it back in there though, as who knows if it will apply later on for some process.

What happens if you replace your marker with that of somebody else? If it's an encryption key, something might stop working.

Also: maybe it's an identifier for strong encryption of the installed IE, which about 10 years ago was still under US export controls?

Joseph_sw Posted January 8, 2009

I'm also curious, and made a quick check, found one too:

[HKEY_LOCAL_MACHINE\Software\Microsoft\J90000000]
") "=hex:02,40,42,42

Multibooter Posted January 8, 2009

> i also curious, and made a quick check, found one too

Do you use the US version of Win98? Does your IE have 128-bit encryption?

chromatic47 Posted January 8, 2009 (Author) (edited)

> Also: maybe it's an identifyer for strong encryption of the installed IE, which about 10 years ago was still under US export controls?

In case this relates to that possibility -- the key names posted here are all 9 characters long, with 4 data values each. It would be rather a highly visible way to hide an encrypted string within the registry. I mean, there's less obvious ways to do it. Especially having only 4 characters, it seems possible that this data was meant to be written to, not just read.

I just tried substituting a different key, rebooted etc, but nothing happened.

(well..... so far .......

Edited January 8, 2009 by chromatic47

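An added example, not written by any poster in this thread: a small Python check that scans a regedit export for direct subkeys of HKEY_LOCAL_MACHINE\Software\Microsoft shaped like the ones reported above (nine-character name, one 4-byte binary value). The name pattern is an assumption inferred from the posted names, and the sample export is constructed around the two entries quoted in full.

```python
import re

# Constructed sample in REGEDIT4 export format. The two odd key/value pairs
# are the ones quoted in full in this thread; the other keys are filler.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"ProgramFilesDir"="C:\\Program Files"

[HKEY_LOCAL_MACHINE\Software\Microsoft\J46000000]
"d "=hex:05,05,00,05

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography]

[HKEY_LOCAL_MACHINE\Software\Microsoft\J90000000]
") "=hex:02,40,42,42

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components]
'''

PARENT = r"hkey_local_machine\software\microsoft"
# Assumption drawn from the posted names: one capital letter, then eight
# characters in the ASCII range 0x30-0x3F (digits and : ; < = > ?).
ODD_NAME = re.compile(r"[A-Z][0-?]{8}")
HEX_VALUE = re.compile(r'"(.*)"=hex:([0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*)\s*$')

def find_odd_keys(reg_text):
    """Return [(key_name, value_name, data_bytes)] for direct subkeys of
    HKLM\\Software\\Microsoft that match the shape described in the thread."""
    hits, current = [], None
    for line in reg_text.splitlines():
        if line.startswith("[") and line.rstrip().endswith("]"):
            path = line.strip()[1:-1]
            parent, _, name = path.rpartition("\\")
            # Only direct children of the parent key, compared case-insensitively.
            is_odd = parent.lower() == PARENT and ODD_NAME.fullmatch(name)
            current = name if is_odd else None
            continue
        m = HEX_VALUE.match(line)
        if current and m:
            data = bytes(int(b, 16) for b in m.group(2).split(","))
            if len(data) == 4:  # every value posted in full is 4 bytes long
                hits.append((current, m.group(1), data))
    return hits

if __name__ == "__main__":
    for key, value_name, data in find_odd_keys(SAMPLE_REG):
        print(f"{key!r} value {value_name!r} = " + ",".join(f"{b:02x}" for b in data))
```

Exporting the Software\Microsoft branch from regedit and passing the file's text to `find_odd_keys` lists candidates without changing the registry.
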
Multibooter Posted January 8, 2009

I just made a search with Win98 Find -> Containing text in \Windows\ with the 9 digit registry key name. This 9-digit string occurs only in the registry file System.dat and its backups, but a couple of bytes after its occurrence the hexeditor displays the following:

CryptographyQ.......Q...........Machine Settings............CatRootE:\USWIN98\SYSTEM\CatRoot\....................Providers....................Trust"......."...........Initialization{.......{...&.......{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}............$DLLSOFTPUB.DLL

The registry has 2 entries under the key HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}: SOFTPUB.DLL and SoftpubCheckCert

So it's possibly an encryption key, but what might Microsoft want to encrypt differently for each installed instance of Windows? Or is it just the encrypted Product Key (cd key) used to install Windows, saved in the registry?