
HELP : Strange registry entry :-(


Phaeton
Feb 5, 2008, 10:34:30 PM

I have run RootkitRevealer from www.sysinternals.com. It has
turned up a strange registry entry.

The entry is in HKLM\SOFTWARE\Microsoft.
It seems to be a folder. Its "name" comes after "W", and it
looks like two squares ( I guess they are some kind of
non-printable characters ? )

I tried different software to remove it, no luck. I right-clicked
on it and tried every option; all I get is error messages. It
doesn't even show any security info about it.

I don't have any problem with my PC, I *think*, but I don't
like this... Is there a solution for this ? Rebuilding the
Registry ? Thanks for any help & suggestion.

Cheers, Csaba

----------------------------------------------------------------------------------
|d|i|g|i|t|a|l| http://csabaharangozo.blogspot.com
----------------------------------------------------------------------------------
EARTH::AUSTRALIA:[SYDNEY]HARANGOZO.CSABA;1, delete? [N]:

Caterpallor (n.): The color you turn after finding half a grub in the
fruit you're eating.

PeterD
Feb 7, 2008, 9:01:22 AM

On Wed, 06 Feb 2008 14:34:30 +1100, Phaeton
<pha...@nsw.chariot.net.au> wrote:

>
> I have run RootkitRevealer from www.sysinternals.com. It has
> turned up a strange registry entry.
>
> The entry is in HKLM\SOFTWARE\Microsoft.
> It seems to be a folder. Its "name" comes after "W", and it
> looks like two squares ( I guess they are some kind of
> non-printable characters ? )
>
> I tried different softwares to remove it, no luck. I right-clicked
> on it and tried every option, all I get is error messages. It
> doesn't even show any security info about it.
>
> I don't have any problem with my PC, I *think*, but I don't
> like this... Is there a solution for this ? Rebuilding the
> Registry ? Thanks for any help & suggestion.
>
> Cheers, Csaba

Can you see it in RegEdit? Will RegEdit allow it to be deleted?

Also, where are you located (language, specifically)? That may give a
clue as to what's up.

Mad_Maxine
Feb 9, 2008, 1:17:09 PM

Take the usual precautions and back up the registry first.

Export the suspect folder as a .REG file.
Right-click it and select Edit.
Place a minus (-) after the first bracket and delete any data values that
follow it.

Your REG should look something like this:


Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\Software\Microsoft\[][]]


Save the REG file, then right-click it and select Merge.

If all goes well, the key will be deleted.


"Phaeton" <pha...@nsw.chariot.net.au> wrote in message
news:47a92ac6$1...@news.chariot.net.au...

Phaeton
Feb 9, 2008, 8:41:02 PM

> Mad_Maxine wrote:
>> Take the usual precautions and back up the registry first.
>>
>> Export the suspect folder as a .REG file.
>> Right-click it and select Edit.
>> Place a minus (-) after the first bracket and delete any data values that follow it.
>>
>> Your REG should look something like this:
>>
>>
>> Windows Registry Editor Version 5.00
>>
>> [-HKEY_LOCAL_MACHINE\Software\Microsoft\[][]]
>>
>>
>> Save the REG file, then right-click it and select Merge.
>>
>> If all goes well, the key will be deleted.
>
> Thanks, I will try it. If I don't respond here, everything is OK :-)

Sorry, no go. I exported the HKLM\SOFTWARE\Microsoft folder and
opened it with Notepad, but there was nothing at the end, only
the last "valid" reg key called WZCSVC and its content. ( I tried
to open it with Wordpad; it choked on it and never opens the 17 MB file. )

I also opened it with WinHex ( a hex editor ) and it also didn't
indicate anything unusual, maybe 3 characters with the hex codes
0D, 0A, 0A. I'll try to find out what these are; maybe they are
causing all this... It seems Regedit senses that there are some
funny characters there, but it cannot do anything with them, as
they are not part of the normal character set. I think they are
some junk ASCII codes left there somehow...

Thanks again.

Cheers, Csaba

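The two posts above describe one procedure: export the suspect key to a .REG file, inspect the export (Notepad, WinHex) for the non-printable characters Regedit shows as squares, then merge a file whose key header carries a leading minus so Regedit deletes the key. The script below is an added example, not code from the thread or from Sysinternals: it decodes a Regedit export (UTF-16LE with BOM for version 5.00 files, ANSI for REGEDIT4), reports every key header whose name contains a control or other non-printable code point together with the exact offsets, and writes the "[-KEY]" deletion file. SAMPLE_EXPORT is constructed for the example; the key named with U+0001 U+0002 stands in for the "two squares" and is not the actual name from Csaba's machine.

```python
"""Scan a Regedit .REG export for key names that contain non-printable
characters, report exactly which code points are in the name, and build
the "[-KEY]" deletion file described in the thread.

Added example, not code from the thread. SAMPLE_EXPORT is a constructed
export: the first key is an ordinary one, the second has a name made of
two control characters standing in for the "two squares" Regedit showed."""
import re

# C0 controls, DEL and the C1 range: anything Regedit would draw as a box.
NONPRINT = re.compile(r"[\x00-\x1f\x7f-\x9f]")
# A key header line: "[HKEY_...]" or the deletion form "[-HKEY_...]".
KEY_LINE = re.compile(r"^\[(-?)(.+)\]$")
HEADER = "Windows Registry Editor Version 5.00"


def decode_reg(data: bytes) -> str:
    """Regedit 5.00 writes UTF-16LE with a BOM; REGEDIT4 files are ANSI."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")  # the utf-16 codec consumes the BOM
    return data.decode("cp1252")


def encode_reg(text: str) -> bytes:
    """Write a 5.00-style file with an explicit little-endian BOM."""
    return b"\xff\xfe" + text.encode("utf-16-le")


def find_odd_keys(text: str):
    """Return [(key_path, [(offset, code_point), ...]), ...] for every key
    header whose path contains a non-printable character.

    Lines are split on CR/LF only: str.splitlines() would also split on
    \\x1c-\\x1e, \\x85 and similar, which are exactly the characters we
    are hunting for inside a name. A stray extra LF (the 0D 0A 0A seen in
    the hex editor) just yields an empty line, which is ignored."""
    hits = []
    for line in re.split(r"\r?\n", text):
        m = KEY_LINE.match(line)
        if not m:
            continue
        path = m.group(2)
        bad = [(i, ord(ch)) for i, ch in enumerate(path) if NONPRINT.match(ch)]
        if bad:
            hits.append((path, bad))
    return hits


def describe(path: str, bad) -> str:
    """Readable report: the path with controls escaped, then the offsets."""
    shown = "".join("<U+%04X>" % ord(c) if NONPRINT.match(c) else c for c in path)
    where = ", ".join("U+%04X at %d" % (cp, i) for i, cp in bad)
    return "%s  (%s)" % (shown, where)


def deletion_reg(key_path: str) -> str:
    """The thread's recipe: header, blank line, the key in brackets with a
    leading minus and no values underneath."""
    return "%s\r\n\r\n[-%s]\r\n" % (HEADER, key_path)


# Constructed sample export (not a real registry dump).
SAMPLE_EXPORT = (
    HEADER + "\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WZCSVC]\r\n"
    "\"Start\"=dword:00000002\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\\x01\x02]\r\n"
    "\r\n"
)


def scan_export_bytes(data: bytes):
    """Entry point for a real export read with open(path, 'rb').read()."""
    return find_odd_keys(decode_reg(data))


if __name__ == "__main__":
    for path, bad in scan_export_bytes(encode_reg(SAMPLE_EXPORT)):
        print(describe(path, bad))
        print(deletion_reg(path))
```

Against a real export, read the file in binary mode, pass it to scan_export_bytes, and only then write encode_reg(deletion_reg(path)) to a new .REG file and merge it, keeping the backup Mad_Maxine asked for. The scan result is the check to make before merging: if, as in Csaba's case, the exported file contains no header for the odd key at all, Regedit never serialized the name, a .REG merge has nothing to address, and the key has to be removed with a tool that talks to the registry API directly rather than through Regedit's import path.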

Phaeton
Feb 7, 2008, 2:24:33 PM

PeterD wrote:
> On Wed, 06 Feb 2008 14:34:30 +1100, Phaeton
> <pha...@nsw.chariot.net.au> wrote:
>
>> I have run RootkitRevealer from www.sysinternals.com. It has
>> turned up a strange registry entry.
>>
>> The entry is in HKLM\SOFTWARE\Microsoft.
>> It seems to be a folder. Its "name" comes after "W", and it
>> looks like two squares ( I guess they are some kind of
>> non-printable characters ? )
>>
>> I tried different softwares to remove it, no luck. I right-clicked
>> on it and tried every option, all I get is error messages. It
>> doesn't even show any security info about it.
>>
>> I don't have any problem with my PC, I *think*, but I don't
>> like this... Is there a solution for this ? Rebuilding the
>> Registry ? Thanks for any help & suggestion.
>>
>> Cheers, Csaba
>
> Can you see it in RegEdit?

Yes. As two "squares"... By the way, it is 0 bytes, so it might be
completely empty...

> Will RegEdit allow it to be deleted.

No. I tried every option by right-clicking it. All I got is error
messages, and not even security info...

> Also where are you located (language specifically...) That may give a
> clue as to what's up.

I am in Australia. I don't think it is a language problem. By the way,
the entry is dated from 2005, so it is not new...

Cheers, Csaba


Phaeton
Feb 9, 2008, 4:09:30 PM

Mad_Maxine wrote:
> Take the usual precautions and back up the registry first.
>
> Export the suspect folder as a .REG file.
> Right-click it and select Edit.
> Place a minus (-) after the first bracket and delete any data values that
> follow it.
>
> Your REG should look something like this:
>
>
> Windows Registry Editor Version 5.00
>
> [-HKEY_LOCAL_MACHINE\Software\Microsoft\[][]]
>
>
> Save the REG file, then right-click it and select Merge.
>
> If all goes well, the key will be deleted.

Thanks, I will try it. If I don't respond here, everything is OK :-)

Cheers, Csaba
