Mystery key


chromatic47


Do you use the US version of Win98? Does your IE have 128-bit encryption?
Yes, to both questions. (IE about box says, Cipher Strength: 128-bit)

And speaking about softpub.dll, I found two versions on my computer:

  1. newer, version 5.131.1880.14 - size: 6,928 bytes - Description: Softpub Forwarder DLL (this file is currently in the %windir%\SYSTEM directory)
  2. older, version 5.131.1877.9 - size: 62,736 bytes - Description: Microsoft Trust Policy Providers (this file existed in the %windir%\OPTIONS\CABS directory)

Yup, the file size was THAT different. (6k vs 62k)

Edited by Joseph_sw


I can hardly imagine that it's a cryptographic key, because the registry key name itself is part of the data. The only way to find the regkey if you don't know its name is enumerating all keys in HKLM\Software\Microsoft, and deciding for each key whether it could be the searched data. This is hard, especially if the name could be anything.

I used Regmon to find out if something is reading that key. Started it from RunServicesOnce (the earliest moment to start anything). Tried to start everything in the Start menu, but it didn't find anything. (Except regedit, duh!)


Interesting subject... I also have a similar mystery key, which I won't paste here in case it could reveal something which ought to stay secret (haha! I'm the most paranoid in this thread!)

Had worried about it some time ago, but could not find anything related. I think it appeared after doing some Windows Update, so it has to be an MS thing. Oh, and it's Windows 98 SE, 128-bit crypto, French.


Mine :

HKEY_LOCAL_MACHINE\Software\Microsoft\G13?:8<02

1Żč, CC 0C F2 CC

Might it be put there by the WGA validation program, which generates the little cut-and-paste to download WGA stuff?

WGA in Win98 ? NO WAY !!! :realmad:

[HKEY_LOCAL_MACHINE\Software\Microsoft\G173377?8]

"q3wŻ"=hex:cc,cc,dd,cc :unsure:


Your symptom looks an awful lot like #13 on that Symantec bulletin.

Attempts to download a configuration file using one of the following domains:

[http://]www.certdreams.com/cm[REMOVED]

[http://]www.certdreams.com/pm[REMOVED]

[http://]www.certdreams.com/down[REMOVED]

Alternatively, the Trojan may use a domain configured under the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\"d" = "[DOMAIN NAME]"

Keys under this path do not have cryptic names with special characters and no further identifying information. You don't suppose an older version of an antivirus did not contain the logic to clean every entry the trojan made, and now that the primary marker is gone newer versions do not recognize an issue?

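As an added example (not code from this thread or from any of its posters), the script below does offline the enumeration described two posts up: it parses a REGEDIT4 export of HKLM\Software\Microsoft, as Win9x regedit writes it, and flags direct subkeys whose names contain characters a vendor would not choose, values that are short opaque binary blobs, or a string value named "d" directly under the Microsoft key, the marker quoted above from the Symantec bulletin. The embedded .reg text is constructed to mirror the entries posted in this thread and is not an export from any real machine.

```python
"""Triage a REGEDIT4 (.reg) export for cryptic keys directly under HKLM\\Software\\Microsoft."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

KEY_LINE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
HEX_DATA = re.compile(r"^hex(?:\([0-9a-fA-F]+\))?:(?P<bytes>.*)$")
# Characters one expects in a vendor-chosen key or value name.
PLAIN_NAME = re.compile(r"^[A-Za-z0-9 ._\-()+]+$")
ROOT = "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT"

Data = Union[str, int, bytes]

# Constructed sample export (illustrative only; mirrors the entries quoted in the thread).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft]
"d"="download.example.invalid"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"ProgramFilesDir"="C:\\Program Files"
"Blob"=hex:00,01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10,11,12,13,14,15,16,\
  17,18,19

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer]
"Version"="6.0.2800.1106"

[HKEY_LOCAL_MACHINE\Software\Microsoft\G173377?8]
"q3wŻ"=hex:cc,cc,dd,cc

[HKEY_LOCAL_MACHINE\Software\Microsoft\D=9000000]
"1/2"=hex:05,80,85,85
"""


@dataclass
class RegKey:
    path: str
    values: Dict[str, Data] = field(default_factory=dict)


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_data(raw: str) -> Data:
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = HEX_DATA.match(raw)
    if m:
        return bytes(int(b, 16) for b in m.group("bytes").split(",") if b.strip())
    return raw  # unknown form: keep verbatim rather than guess


def parse_reg(text: str) -> List[RegKey]:
    """Parse a REGEDIT4 export into keys with their decoded values."""
    logical: List[str] = []
    buf = ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):  # regedit wraps long hex data with a trailing backslash
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    keys: List[RegKey] = []
    current = None
    for line in logical:
        if not line or line.startswith(";") or line.upper() == "REGEDIT4":
            continue
        km = KEY_LINE.match(line)
        if km:
            current = RegKey(km.group("path"))
            keys.append(current)
            continue
        vm = VALUE_LINE.match(line)
        if vm and current is not None:
            name = "@" if vm.group("default") else _unescape(vm.group("name"))
            current.values[name] = _decode_data(vm.group("data"))
    return keys


def _depth_below_root(path: str) -> int:
    """0 for the Microsoft key itself, 1 for a direct child, -1 if outside it."""
    up = path.upper().rstrip("\\")
    if up == ROOT:
        return 0
    if up.startswith(ROOT + "\\"):
        return up[len(ROOT) + 1:].count("\\") + 1
    return -1


def find_cryptic_keys(keys: List[RegKey]) -> List[Tuple[str, List[str]]]:
    """Apply the thread's heuristics to the Microsoft key and its direct children."""
    findings: List[Tuple[str, List[str]]] = []
    for key in keys:
        depth = _depth_below_root(key.path)
        if depth not in (0, 1):
            continue
        reasons: List[str] = []
        leaf = key.path.split("\\")[-1]
        if depth == 1 and not PLAIN_NAME.match(leaf):
            reasons.append("key name contains characters no vendor would choose")
        for name, data in key.values.items():
            if name != "@" and not PLAIN_NAME.match(name):
                reasons.append(f"value name {name!r} is not plain text")
            if isinstance(data, bytes) and 1 <= len(data) <= 8:
                reasons.append(f"value {name!r} is a short opaque blob ({data.hex()})")
            if name.lower() == "d" and isinstance(data, str):
                reasons.append("string value 'd' matches the marker quoted from the Symantec bulletin")
        if reasons:
            findings.append((key.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in find_cryptic_keys(parse_reg(SAMPLE_REG)):
        print(path)
        for r in reasons:
            print("   -", r)
```

To use it on a real system, export the branch with regedit (File, Export, with HKEY_LOCAL_MACHINE\Software\Microsoft selected) and pass the file's contents to parse_reg instead of SAMPLE_REG. Hits are candidates for a closer look, not verdicts: a match only says the name or data is unlike what installed software normally writes, which is exactly the argument made in the thread.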

'We all' - being the 5-6 people that responded minus Dave-H and myself? Would not exactly call that a large enough cross section to be concerned, especially when there have been no reported ill effects from removing the cryptic keys. I'd really like to see a hijackthis log from one of the target systems if someone could oblige, maybe it will find some other keys that could narrow the hunt.


'We all' - being the 5-6 people that responded minus Dave-H and myself? Would not exactly call that a large enough cross section to be concerned, especially when there have been no reported ill effects from removing the cryptic keys. I'd really like to see a hijackthis log from one of the target systems if someone could oblige, maybe it will find some other keys that could narrow the hunt.

I have the same entry and have used HijackThis for a long time. Never found this entry as a problem in the log file.


I've checked my 98FE and SE systems and ran a search through all the InCtrl5 install records I have, about 300 of them. I don't have any of the keys mentioned in this thread or any that are remotely similar. Nothing I've installed on 9x (software, updates, patches, etc.) has made any similar keys.


I have three different computers all running Win 98SE and each one has a different "mystery key":

D=9000000

Value name 1/2

Value Data 0000 05 80 85 85

J29000000

Value Name 2 (in superscript!)

Value Data 0000 61 01 60 61

I:9000000

Value name (some weird ASCII character which I won't try to show here)

Value Data 0000 02 60 62 62

All three of these computers have in common: 98SE2ME, 98 Lite, Unofficial 98SE service pack 3, IE6 removed (along with removing other M$ software: WMP, Outlook "Distress", Chat, NetMeeting, Windows Update, msjava, etc.) I have also never connected any of them to Windows Update even once, using the resources on mdgx's page to update everything.

I've been using Firefox with noscript added (and most websites 'untrusted' with all the options blocked) so java, frames, Iframes, adobe flash, microsoft satanlight...oops I mean silverlight, etc. etc. etc. are all blocked from running.

All of these are relatively new, clean installations (the oldest being about 3 months, the other two less than one month). None of them have ever reported any kind of virus, spyware, malware, etc., nor have they done the slightest suspicious behaviour that would make me think something had infected them. They have all been connected to the Internet through a cable modem with a separate hardware firewall.

So I don't believe it is any kind of an infection or spyware.

Edited by the xt guy

All three of these computers have in common: 98SE2ME, 98 Lite, Unofficial 98SE service pack 3, IE6 removed (along with removing other M$ software: WMP, Outlook "Distress", Chat, NetMeeting, Windows Update, msjava, etc.) I have also never connected any of them to Windows Update even once, using the resources on mdgx's page to update everything.

I've been using Firefox with noscript added (and most websites 'untrusted' with all the options blocked) so java, frames, Iframes, adobe flash, microsoft satanlight...oops I mean silverlight, etc. etc. etc. are all blocked from running.

For what it's worth, my system has in common with the above:

- 98lite

- IE and other M$ software removed

- no usey Windows Update

- Firefox (through v.2) with noscript

- internet secure

Edited by chromatic47

I can hardly imagine that it's a cryptographic key, because the registry key name itself is part of the data. The only way to find the regkey if you don't know its name is enumerating all keys in HKLM\Software\Microsoft, and deciding for each key whether it could be the searched data. This is hard, especially if the name could be anything.

This logic sounds right. Such a key, and/or its values could only function as input data if the seeking application already knew what to look for. Which points to the key being tied to either a specific installation or a specific license.
