Bob,
Found my notes. I had posted this @ a private group for input. For what
it's worth here are those notes...
Theory: Opening certmgr.msc adds those entries to the registry.
Anyone want to open certmgr.msc and see if they have these as empty folders
in the left hand pane.
<--should show a square
<--should show a square
k <--should show 5 squares, then the letter k
And if they do have those folders, do they then see the square entries in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates
-----
****
Some folks had the same entries, some didn't. One person confirmed my
theory.
****
-----
Long story, short.
I exported these keys...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates
Then I deleted these keys...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\ <--should show a square
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\k <--should show 5 squares, then the letter k
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\ <--should show a square
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ <--should show a square
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\k <--should show 5 squares, then the letter k
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ <--should show a square
Opened certmgr.msc and checked the registry again.
Those entries are back.
Deleted the entries again; they stay gone as long as certmgr.msc is not
opened.
Opening certmgr.msc adds those entries to the registry.
-----
I can go off on a tangent with the best of them.
To the best of my knowledge I do not have any viruses, spyware or trojans on
my machine. I ran RootkitRevealer because I was curious.
Saving the RootkitRevealer Scan to a text file resulted in this...
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\SystemCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\SystemCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\SystemCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\ 3/28/2004 12:56 PM 0 bytes Key name contains embedded nulls (*)
What the RootkitRevealer Scan actually showed, more or less was this...
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\|*ustedPublisher <-- one pipe, then the asterisk
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\|*ustedPublisher <-- one pipe, then the asterisk
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\|||||k*Publisher <-- five pipes, the letter k, then the asterisk
HKLM\SOFTWARE\Microsoft\SystemCertificates\|*ustedPublisher <-- one pipe, then the asterisk
HKLM\SOFTWARE\Microsoft\SystemCertificates\|*ustedPublisher <-- one pipe, then the asterisk
HKLM\SOFTWARE\Microsoft\SystemCertificates\|||||k*Publisher <-- five pipes, the letter k, then the asterisk
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\|||||k*Publisher <-- five pipes, the letter k, then the asterisk
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\|*ustedPublisher <-- one pipe, then the asterisk
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\|*ustedPublisher <-- one pipe, then the asterisk
I exported these keys...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates
Then I deleted these keys...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?????k]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?????k\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?????k\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\?????k\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?\CTLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?????k]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?????k\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?????k\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\?????k\CTLs]
Then I opened certmgr.msc.
I still have...
<--should show a square
<--should show a square
k <--should show 5 squares, then the letter k
That blew my theory.
Killed explorer.exe, they are still there.
So I rebooted, they are still there.
Then I ran RootkitRevealer again.
All the reg entries that I deleted are back.
Changed Permissions and deleted them again.
Opened the Registry again and SOB, they're back.
Deleted them again and ran RootkitRevealer again.
Opening certmgr.msc adds those entries back to the registry.
Why? Beats the *expletive deleted* out of me.
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
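As an added illustration (not part of Wes's or Bob's posts) of what RootkitRevealer's "Key name contains embedded nulls" message means: the kernel stores registry key names as counted UTF-16 strings, while Win32 callers such as regedit treat them as NUL-terminated, so a name containing U+0000 looks different through the two APIs, which is the discrepancy the scanner reports. The sample names below are constructed for the demonstration, not the actual bytes from the thread.

```python
"""Model of the two views of a registry key name that contains U+0000.

Native view (NtEnumerateKey): a counted UTF-16 string, NUL allowed.
Win32 view (RegEnumKeyExW callers, regedit): read as NUL-terminated,
so everything from the first NUL onward is lost.
"""
from dataclasses import dataclass


@dataclass
class KeyView:
    native_name: str        # full counted name, as the kernel sees it
    win32_name: str         # what a NUL-terminated reader sees
    has_embedded_null: bool


def view_key_name(native_utf16le: bytes) -> KeyView:
    """Decode a raw UTF-16LE key name returned with an explicit byte length."""
    if len(native_utf16le) % 2:
        raise ValueError("UTF-16LE key names must have an even byte length")
    name = native_utf16le.decode("utf-16-le")
    cut = name.find("\x00")
    win32 = name if cut < 0 else name[:cut]
    return KeyView(name, win32, cut >= 0)


def render_counted(name: str, box: str = "\u25a1") -> str:
    """Show the full counted name, replacing non-printable code units with a
    box, the 'square' the thread describes seeing in the registry tree."""
    return "".join(box if not ch.isprintable() else ch for ch in name)


def flag_embedded_nulls(native_names: list[bytes]) -> list[str]:
    """RootkitRevealer-style check: report every name whose Win32 view
    differs from its native view because of an embedded NUL."""
    findings = []
    for raw in native_names:
        v = view_key_name(raw)
        if v.has_embedded_null:
            findings.append(f"{render_counted(v.native_name)}: "
                            "Key name contains embedded nulls (*)")
    return findings


# Constructed sample names (assumption: not the bytes from the thread).
SAMPLE_NAMES = [
    "\x00".encode("utf-16-le"),               # one NUL: one square
    ("\x00" * 5 + "k").encode("utf-16-le"),   # five NULs then 'k'
    "Trust".encode("utf-16-le"),              # ordinary store name, no finding
]

if __name__ == "__main__":
    for line in flag_embedded_nulls(SAMPLE_NAMES):
        print(line)
```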
BobLeavitt said:
Thanks Wes. You did not get what appear to be the Chinese characters,
but rather, I guess the windows default characters. But anyway, my
question is why the strange characters? Why not some plain ol'
understandable English? Like, I already have:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs]
Could I have picked these up in the course of a file download from
Canon's Japanese website? Also, these values show up when I do a search
for rootkits, which bothers me a bit. Think I will delete them (after
backing up, of course).
Wesley Vogel said:
They are created when you open Certificates (certmgr.msc). If you delete
them and open certmgr.msc again, they'll be created again. I have no
idea why. And I can't find the notes that I made on this. ;-(
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In BobLeavitt <[email protected]> hunted and pecked:
Can anyone explain what the following refers to, or how these keys with
Chinese(?) characters got into my registry? (Oops - I hope these
characters come thru ok - I see that only those recipients whose email
client supports Unicode will be able to see the characters ).
Thanks.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\æ‘牤ç¥ä‰³æ½¯k]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\æ‘牤ç¥ä‰³æ½¯k\Certificates]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\æ‘牤ç¥ä‰³æ½¯k\CRLs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\æ‘牤ç¥ä‰³æ½¯k\CTLs]