Joseph_sw Posted January 8, 2009 (edited)

Do you use the US version of Win98? Does your IE have 128-bit encryption?

yes, to both questions. (IE about box says, Cipher Strength: 128-bit)

and speaking about softpub.dll, I found two versions on my computer:

newer, version 5.131.1880.14 - size: 6,928 bytes - Description: Softpub Forwarder DLL (this file is currently in the %windir%\SYSTEM directory)
older, version 5.131.1877.9 - size: 62,736 bytes - Description: Microsoft Trust Policy Providers (this file existed in the %windir%\OPTIONS\CABS directory)

yup, the file size was THAT different. (6k vs 62k)

Edited January 8, 2009 by Joseph_sw

Mijzelf Posted January 8, 2009

I can hardly imagine that it's a cryptographic key, because the registry keyname itself is part of the data. The only way to find the regkey if you don't know its name is enumerating all keys in HKLM/Sw/Ms, and deciding for each key if it could be the searched data. This is hard, especially if the name could be anything.

I used regmon to find if something is reading that key. Started it from RunServicesOnce (the earliest moment to start anything). Tried to start everything in the startmenu, but it didn't find anything. (Except regedit, duh!)

Ninho Posted January 8, 2009

Interesting subject... I also have a similar mystery key, which I won't paste here in case it could be revealing something which ought to stay secret (haha! I'm the most paranoid in this thread!)

Had worried about it some time ago, but could not find anything related. I think it appeared after doing some windozupdate, it has to be a MS thing. Oh, and it's Windows 98 SE, 128 bit crypto, French.

Dude111 Posted January 8, 2009 (edited)

I have A9=000000
As the first entry in my MICROSOFT section, what is it?? (Have always wondered)

Edited January 9, 2009 by Dude111

Philco Posted January 8, 2009

Mine :
HKEY_LOCAL_MACHINE\Software\Microsoft\G13?:8<021Żč, CC 0C F2 CC
might it be put there by the wga validation program, which generates the little cut and paste to download wga stuff?

WGA in Win98 ? NO WAY !!!

[HKEY_LOCAL_MACHINE\Software\Microsoft\G173377?8]
"q3wŻ"=hex:cc,cc,dd,cc

whatever420 Posted January 9, 2009

congrats whatever420 you have a virus...
http://www.symantec.com/security_response/...-99&tabid=2

Nope...
I've had that key for years... and never tested positive for any virus or Trojan...
I checked out the page you linked to and my 'puter has none of the "symptoms" or files indicated...
Thanks for looking though...

iamtheky Posted January 9, 2009

your symptom looks an awful lot like #13 on that symantec bulletin.

Attempts to download a configuration file using one of the following domains:
[http://]www.certdreams.com/cm[REMOVED]
[http://]www.certdreams.com/pm[REMOVED]
[http://]www.certdreams.com/down[REMOVED]
Alternatively, the Trojan may use a domain configured under the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\"d" = "[DOMAIN NAME]"

Keys under this path do not have cryptic names, with special characters, with no further identifying information. You don't suppose an older version of an antivirus did not contain the logic to clean every entry the trojan made and now that the primary marker is gone newer versions do not recognize an issue?

Dude111 Posted January 10, 2009

What's weird is: WE ALL HAVE SOME WEIRD ENTRY IN THAT SECTION!!

iamtheky Posted January 10, 2009

'We all' - being the 5-6 people that responded minus Dave-H and myself? Would not exactly call that a large enough cross section to be concerned, especially when there have been no reported ill effects from removing the cryptic keys. I'd really like to see a hijackthis log from one of the target systems if someone could oblige, maybe it will find some other keys that could narrow the hunt.

Dude111 Posted January 10, 2009 (edited)

It must not be needed (Maybe it's created when first installing the OS)

Right now I'm on an XP and there isn't anything like that in this reg........

Edited January 10, 2009 by Dude111

charly Posted January 10, 2009

'We all' - being the 5-6 people that responded minus Dave-H and myself? Would not exactly call that a large enough cross section to be concerned, especially when there have been no reported ill effects from removing the cryptic keys. I'd really like to see a hijackthis log from one of the target systems if someone could oblige, maybe it will find some other keys that could narrow the hunt.

I have the same entry and have used hijackthis for a long time. Never found this entry as a problem in the log file.

herbalist Posted January 10, 2009

I've checked my 98FE and SE systems and ran a search through all the Inctrl5 install records I have, about 300 of them. I don't have any of the keys mentioned in this thread or any that are remotely similar. Nothing I've installed on 9X (software, updates, patches, etc) has made any similar keys.

the xt guy Posted January 11, 2009 (edited)

I have three different computers all running Win 98SE and each one has a different "mystery key":

D=9000000
Value name 1/2
Value Data 0000 05 80 85 85

J29000000
Value Name 2 (in superscript!)
Value Data 0000 61 01 60 61

I:9000000
Value name (some weird ASCII character which I won't try to show here)
Value Data 0000 02 60 62 62

All three of these computers have in common: 98SE2ME, 98 Lite, Unofficial 98SE service pack 3, IE6 removed (along with removing other M$ software: WMP, Outlook "Distress", Chat, NetMeeting, Windows Update, msjava, etc.) I have also never connected any of them to Windows Update even once, using the resources on mdgx's page to update everything.

I've been using Firefox with noscript added (and most websites 'untrusted' with all the options blocked) so java, frames, Iframes, adobe flash, microsoft satanlight...oops I mean silverlight, etc. etc. etc. are all blocked from running.

All of these are relatively new, clean installations (the oldest being about 3 months, the other two less than one month). None of them have ever reported any kind of virus, spyware, malware, etc. nor have they done the slightest suspicious behaviour that would make me think something had infected them. They have all been connected to the Internet through a cable modem with a separate hardware firewall.

So I don't believe it is any kind of an infection or spyware.

Edited January 11, 2009 by the xt guy

chromatic47 Posted January 11, 2009 (Author, edited)

All three of these computers have in common: 98SE2ME, 98 Lite, Unofficial 98SE service pack 3, IE6 removed (along with removing other M$ software: WMP, Outlook "Distress", Chat, NetMeeting, Windows Update, msjava, etc.) I have also never connected any of them to Windows Update even once, using the resources on mdgx's page to update everything.

I've been using Firefox with noscript added (and most websites 'untrusted' with all the options blocked) so java, frames, Iframes, adobe flash, microsoft satanlight...oops I mean silverlight, etc. etc. etc. are all blocked from running.

For what it's worth, my system has in common with the above:
- 98lite
- IE and other M$ software removed
- no usey Windows Update
- Firefox (through v.2) with noscript
- internet secure

Edited January 11, 2009 by chromatic47

chromatic47 Posted January 11, 2009 (Author)

I can hardly imagine that it's a cryptographic key, because the registry keyname itself is part of the data. The only way to find the regkey if you don't know its name is enumerating all keys in HKLM/Sw/Ms, and deciding for each key if it could be the searched data. This is hard, especially if the name could be anything.

This logic sounds right. Such a key, and/or its values could only function as input data if the seeking application already knew what to look for. Which points to the key being tied to either a specific installation or a specific license.

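Added example, not part of any post in this thread: the enumeration idea discussed above (walk every subkey of HKLM\Software\Microsoft and decide per key whether it could be the one sought), applied to the text of a REGEDIT4 export. The matching rule, a direct subkey holding exactly one 4-byte binary value, is an assumption drawn from the samples posted here; the export text is constructed, and only the G173377?8 key in it comes from the thread.

```python
import re

PARENT = r"hkey_local_machine\software\microsoft"
# Constructed REGEDIT4 export; only the G173377?8 key comes from the thread.
SAMPLE = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"ProgramFilesDir"="C:\\Program Files"
[HKEY_LOCAL_MACHINE\Software\Microsoft\G173377?8]
"q3wŻ"=hex:cc,cc,dd,cc
[HKEY_LOCAL_MACHINE\Software\Microsoft\ExampleApp]
"InstallDir"="C:\\Example"
[HKEY_LOCAL_MACHINE\Software\Microsoft\ExampleFlag]
"Flag"=hex:01
"""
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from REGEDIT4 export text."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = m.group(1)
            current["" if name == "@" else name[1:-1]] = m.group(2)
    return keys

def hex_bytes(raw):
    """Bytes of a single-line 'hex:aa,bb' value; None for anything else."""
    if not raw.lower().startswith("hex:") or raw.endswith("\\"):
        return None  # strings, dwords, and multi-line (longer) binary values
    try:
        return bytes(int(b, 16) for b in raw[4:].split(",") if b)
    except ValueError:
        return None

def find_mystery_keys(text, size=4):
    """Direct subkeys of PARENT holding exactly one binary value of `size` bytes."""
    hits = []
    for path, values in parse_reg_export(text).items():
        head, _, leaf = path.rpartition("\\")
        if head.lower() != PARENT or len(values) != 1:
            continue
        (name, raw), = values.items()
        data = hex_bytes(raw)
        if data is not None and len(data) == size:
            hits.append((leaf, name, data.hex()))
    return hits

print(find_mystery_keys(SAMPLE))
```

Running the same function over exports from several machines gives a list of candidate keys to compare, which is the cross-section the thread was collecting by hand.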