Mysterious Registry Keys

Discussion in 'SpywareBlaster & Other Forum' started by itman, Apr 17, 2013.

Thread Status:
Not open for further replies.
  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Win 7 x64 SP1.

    I have seen these keys appear in multiple registry hives for some time. It was driving me nuts trying to figure out what was creating them. Finally determined SpywareBlaster update was creating them. They certainly don't look legit to me. Also I was under the assumption that all SpywareBlaster did was populate your browser restricted web site listing.

    Mod edit: For your convenience, you can jump to the reply here: https://www.wilderssecurity.com/showpost.php?p=2220637&postcount=16 -jc
     

    Attached Files:

    Last edited by a moderator: Apr 22, 2013
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Re: Mysterious Spyware Blaster Registry Keys

    No responses?

    Additional comments. I have seen those gibberish registry key names also appear at times as hidden disabled non-plug and play drivers when I used set devmgr_show_nonpresent_devices=1 and devmgmt.msc from an admin command prompt.

    Suffice it to say that SpywareBlaster is uninstalled from my PC.
     
  3. cyberlost24

    cyberlost24 Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    73
    Re: Mysterious Spyware Blaster Registry Keys

    Q...How exactly did you determine that those entries came from Spyware Blaster?
    So after un-installing the program what happened to the registry items you are pointing out?
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Re: Mysterious Spyware Blaster Registry Keys

    I have been monitoring those registry entries multiple times a day to determine what was installing them.

    Prior to the last update of SpywareBlaster the keys had been manually removed by me. When manually removed, the keys do not reappear on subsequent reboots or normal PC usage.

    I had just checked about an hour or less prior to the SpywareBlaster update if the keys were present in the registry. They were not. I then subsequently ran a SpywareBlaster update. I then checked my registry and the keys were present.

    And yes, the registry keys persisted after SpywareBlaster was uninstalled using Revo Uninstaller.

    I will continue monitoring and if the keys do reappear, I will most certainly repost that fact and apologize. I am 99% certain that the keys were created from SpywareBlaster updater.

    Additionally, the version of SpywareBlaster I was running was 5.0 downloaded via a new version update prompt when I ran a normal manual SpywareBlaster update.
     
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Re: Mysterious Spyware Blaster Registry Keys

    For future reference, and forgive me if you already know this, SysInternals Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) can be useful for zeroing in on what is doing the manipulation. For example:

    - Launch Registry Editor
    - Launch Process Monitor
    - Create a new, non-conflicting, key under HKCU\Software, such as DeleteMeJustTesting.
    - Stop Process Monitor capture
    - In Process Monitor do a find for the string: DeleteMeJustTesting
    - You'll see the RegCreateKey operation, and the associated Process Name. You can also right click on that line and select Properties. Check out the Process and Stack tabs.
    - Delete that new registry key you created when you are done
     
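Process Monitor answers "which process touched the key"; the manual checking described a few posts up answers "when did it appear". As an added example (not from this thread, not part of SpywareBlaster or Process Monitor), the PowerShell script below automates the second question: it snapshots the immediate subkeys and values under a few watched registry paths, saves a baseline, and then polls, printing a timestamped Added/Modified/Removed line for every difference. The watched paths, the baseline file name and the polling interval are assumptions chosen for illustration; adjust them to the locations you are actually watching. Run it from an elevated prompt if HKLM paths are included, and leave it running across the event you suspect (such as a product update) so the timestamp can be matched against a Process Monitor capture of the same window.

```powershell
# Added example: snapshot-and-diff monitor for registry keys.
# Assumptions (not from the thread): the watched paths, baseline file and
# interval below are placeholders; only immediate subkeys are compared.

param(
    [string[]]$WatchPaths = @(
        'HKCU:\Software',
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'   # exists only on 64-bit Windows
    ),
    [string]$BaselineFile = "$env:LOCALAPPDATA\reg-baseline.json",
    [int]$IntervalSeconds = 60
)

function Get-RegistrySnapshot {
    param([string[]]$Paths)
    $snapshot = @{}
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # Immediate subkeys only: recursing all of HKLM\SOFTWARE\Classes is slow.
        Get-ChildItem -LiteralPath $path -ErrorAction SilentlyContinue | ForEach-Object {
            # Record value names and data too, so a changed value (not just a new key) shows up.
            $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            $snapshot[$_.Name] = ($props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |      # drop provider metadata properties
                ForEach-Object { "$($_.Name)=$($_.Value)" } |
                Sort-Object) -join ';'
        }
    }
    return $snapshot
}

function Compare-RegistrySnapshot {
    param([hashtable]$Old, [hashtable]$New)
    $changes = @()
    foreach ($key in $New.Keys) {
        if (-not $Old.ContainsKey($key)) {
            $changes += [pscustomobject]@{ Change = 'Added'; Key = $key; Values = $New[$key] }
        } elseif ($Old[$key] -ne $New[$key]) {
            $changes += [pscustomobject]@{ Change = 'Modified'; Key = $key; Values = $New[$key] }
        }
    }
    foreach ($key in $Old.Keys) {
        if (-not $New.ContainsKey($key)) {
            $changes += [pscustomobject]@{ Change = 'Removed'; Key = $key; Values = $Old[$key] }
        }
    }
    return $changes
}

# Load the saved baseline if there is one, otherwise take the first snapshot now.
if (Test-Path -LiteralPath $BaselineFile) {
    $baseline = @{}
    (Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
} else {
    $baseline = Get-RegistrySnapshot -Paths $WatchPaths
    $baseline | ConvertTo-Json | Set-Content -LiteralPath $BaselineFile
    Write-Host "Baseline written to $BaselineFile ($($baseline.Count) keys)"
}

# Poll until Ctrl+C; each difference is printed with a timestamp.
while ($true) {
    Start-Sleep -Seconds $IntervalSeconds
    $current = Get-RegistrySnapshot -Paths $WatchPaths
    foreach ($c in (Compare-RegistrySnapshot -Old $baseline -New $current)) {
        Write-Host ("{0:u} {1,-8} {2}" -f (Get-Date), $c.Change, $c.Key)
        if ($c.Values) { Write-Host "           $($c.Values)" }
    }
    $baseline = $current
    $baseline | ConvertTo-Json | Set-Content -LiteralPath $BaselineFile
}
```

The script only tells you that a key appeared between two polls; attribution to a process still needs Process Monitor (or registry auditing) covering that interval, which is why the interval is kept short and the output is timestamped.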
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Re: Mysterious Spyware Blaster Registry Keys

    I assume for this to capture the culprit, Process Monitor would have to be constantly running in monitoring mode? I run Process Monitor sparingly since it conflicts with NIS 2013. A short session using it will totally fill my NIS 2013 activity log.
     
  7. cyberlost24

    cyberlost24 Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    73
    Re: Mysterious Spyware Blaster Registry Keys

    I definitely think this bears watching more carefully for exactly what these entries are...
    Have you contacted Javacool in regards to asking him for an explanation of what they represent or why they are there? o_O
    Or perhaps someone can/will notify him and get a clarification on this!!!
    It indeed is very strange IMHO...
     
  8. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    Re: Mysterious Spyware Blaster Registry Keys

    I too have SpywareBlaster, and those reg keys that you are talking about, I did a search for in my registry and I do not have them?

    Mine also is win 7 ultimate 64bit
     
    Last edited: Apr 20, 2013
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Re: Mysterious Spyware Blaster Registry Keys

    I can't find the entry in the first screenshot. As for the second screenshot, I have that entry, but with different values.

    I'm running Windows 7 32-bit.
     
  10. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Re: Mysterious Spyware Blaster Registry Keys

    One could try enabling capture only during that window when they think the activity happens. Based on your earlier post it would seem worthwhile for someone to try capturing during a Spyware Blaster update.

    I wouldn't know what your options are WRT excluding Process Monitor from NIS 2013 logging. One can create Process Monitor filters and enable Filter->Drop Filtered Events.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Re: Mysterious Spyware Blaster Registry Keys

    I suspect that with x64, keys are copied to both x32 and x64 portions of the registry. Since you're x32, they would only appear in the x32 area.

    BTW - I didn't mention this previously. Although those keys I show in the screen shots occur in multiple registry hives, when they are deleted from the root hive, all other occurrences "magically" disappeared from the other hives. That is why I strongly suspect this is malware.
     
  12. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    Re: Mysterious Spyware Blaster Registry Keys

    Well mine is exactly like m00nbl00d but my system is win 7 ultimate 64bit.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Re: Mysterious Spyware Blaster Registry Keys

    Another detail I forgot to post.

    When the HKCR\Wow6432Node\ key is created, the InProcServer32 value changes. When I first found it, it was plasrv.exe. When the key was reinstalled after a SB update, the InProcServer32 changed to shell32.dll.
     
  14. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,166
    Re: Mysterious Spyware Blaster Registry Keys

    I think you may have a deep or hidden/stealth infection, maybe a rootkit. All the symptoms you are suggesting and describing do not exist for me. Anyway, try a new image, or try and test these symptoms you are attributing to SpywareBlaster on a new clean PC or test PC and see if it does happen.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Re: Mysterious Spyware Blaster Registry Keys

    I went that route initially. Did multiple online and offline scans using multiple antimalware software - zip. Scanned with GMER, Kaspersky's TDSS and MBAM's new rootkit scanner - zip. I have set NIS 2013 boot scanner to Aggressive - zip. Did a few Win 7 startup repairs. Log said MBR was fine.

    I became suspicious of SpywareBlaster some time ago when I caught it doing stealth dial-outs using TCP port 80 via Win Explorer. That one is well documented.

    Since SpywareBlaster has been uninstalled, I have yet to see one suspicious connection while browsing using IE9.

    Finally, I had Kaspersky IS 2012 installed on my PC for a while. When I tried to install it, it wanted me to remove SpywareBlaster. I asked Kaspersky about that and received a few choice comments along the lines that SpywareBlaster was not something I wanted installed on my PC, although the comments were general and not specific.

    -Edit-

    I just downloaded Avast's aswMBR. Also downloaded Avast definitions and did a scan. Zip - boot drive shows Win 7 default MBR code. Avast definitions found nothing.
     
    Last edited: Apr 21, 2013
  16. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Hi,

    Please see the answers below.

    1.) Registry keys with encrypted data.

    SpywareBlaster utilizes a number of methods to try to protect itself against malware and other unwanted software (for example, to try to protect against or detect being maliciously modified). A few bits are stored outside of the program as part of this self-protection process, and the location may differ. As always, modifying the registry is recommended only for advanced users, and there's no advantage to removing registry entries like these. They are there to help. (Also, keep in mind that several other security products do similar things to store self-protection or other important bits of data. Before making any manual changes to your registry, it is important to make a backup.)

    2.) Windows explorer tries to connect to the Internet?

    This really has nothing to do with SpywareBlaster. There are several common reasons that Windows Explorer may try to connect to the Internet. What you are likely seeing is Windows Explorer is trying to verify the digital signature on one or more executable files (perhaps SpywareBlaster's executables, although most other legit programs are digitally signed and the same process occurs). As part of this process, Windows Explorer may connect to the Internet to try to request a CRL, or Certificate Revocation List. If you are interested in more details about how this works, please see: http://en.wikipedia.org/wiki/Revocation_list

    3.) I delete a registry key in one hive, and it seems to disappear from other registry hives?

    This also has nothing to do with SpywareBlaster. You may be interested in looking more into the structure of the Windows Registry to see why this can happen with all kinds of registry keys. Some of the "hives" that you see do, in fact, contain links to data in other parts of the registry. In some ways, it may be easier to think of them as "views", where some of the data can be seen in different "branches" of the registry, but is actually stored in one place.

    For example, on HKEY_CLASSES_ROOT:

    See: http://en.wikipedia.org/wiki/Windows_Registry

    4.) Kaspersky installer asks you to uninstall SpywareBlaster

    This is unfortunately an all-too-common technique that other security software companies use. They rightfully like to notify you that it's not a good idea to run multiple "active"/"resident" security products at the same time. However, they tend to lump all other security products in the same category.

    SpywareBlaster is built to work alongside other security software, and be part of a solid multi-layered security setup. Kaspersky's installer is wrong to lump it with other "resident" security suites (which it is not), and we have in fact tested the two products together and they work fine. (Even though it's built to work alongside, we still do the testing to be sure.)

    5.) "I was under the assumption that all SpywareBlaster did was populate your browser restricted web site listing."

    SpywareBlaster does quite a bit more. For example, on Google Chrome, SpywareBlaster can block malicious/potentially unwanted/annoying Javascripts, and potentially unwanted / ad / tracking cookies. All of this is, of course, entirely configurable and customizable.

    I hope this helps.

    Best regards,

    -Javacool
     
    Last edited: Apr 22, 2013
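Point 3 above (HKCR being a view onto data stored elsewhere) and the earlier observation that the key shows up under HKCR\Wow6432Node too can be checked directly. The PowerShell script below is an added example, not from this thread or from SpywareBlaster: for one CLSID it tests each "view" (HKCR\CLSID and HKCR\Wow6432Node\CLSID) alongside the per-user and per-machine locations that the view is merged from, and prints the InProcServer32 default value found at each, so the reader can see that the same key is visible in several places while stored in one or two. The default CLSID is the one quoted later in the thread; any other can be passed with -Clsid. The script is read-only.

```powershell
# Added example: show where an HKCR\CLSID key is actually stored.
# HKCR is a merged view of HKCU\Software\Classes and HKLM\Software\Classes;
# HKCR\Wow6432Node is the 32-bit view of the same data on 64-bit Windows.
# Assumption: the default CLSID is the one quoted in the thread, used only as
# a sample to look up; nothing is modified.

param(
    [string]$Clsid = '{5c321e34-4206-13d1-b2e4-0060975b8649}'
)

function Get-ClsidLocations {
    param([string]$Clsid)

    # HKCR: is not a default PowerShell drive, so map it for this session.
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }

    # Each view, followed by the backing locations it is merged from.
    $candidates = [ordered]@{
        'HKCR\CLSID (merged view)'         = "HKCR:\CLSID\$Clsid"
        'HKCU\Software\Classes (per-user)' = "HKCU:\Software\Classes\CLSID\$Clsid"
        'HKLM\SOFTWARE\Classes (machine)'  = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"
        'HKCR\Wow6432Node (32-bit view)'   = "HKCR:\Wow6432Node\CLSID\$Clsid"
        'HKCU\...\Classes\Wow6432Node'     = "HKCU:\Software\Classes\Wow6432Node\CLSID\$Clsid"
        'HKLM\...\Classes\Wow6432Node'     = "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid"
    }

    foreach ($label in $candidates.Keys) {
        $path    = $candidates[$label]
        $present = Test-Path -LiteralPath $path
        $server  = $null
        if ($present -and (Test-Path -LiteralPath "$path\InProcServer32")) {
            # The (default) value of InProcServer32 is the module COM loads for this class.
            $server = (Get-ItemProperty -LiteralPath "$path\InProcServer32").'(default)'
        }
        [pscustomobject]@{
            View           = $label
            Path           = $path
            Present        = $present
            InProcServer32 = $server
        }
    }
}

Get-ClsidLocations -Clsid $Clsid | Format-Table -AutoSize
```

Run it from 64-bit PowerShell on a 64-bit system: a 32-bit process is silently redirected by the WOW64 registry redirector and would report the Wow6432Node data under the non-Wow6432Node paths. A key that is Present under HKCR but under only one of HKCU or HKLM is stored in that one place, which is why deleting it there makes it vanish from the HKCR view as well.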
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Thanks Javacool for verifying the registry keys are part of SpywareBlaster.
     
  18. hayc59

    hayc59 Updates Team

    Joined:
    Oct 29, 2008
    Posts:
    2,132
    Location:
    R.I.P. Roger(roddy32)
    thank you JCool!!
     
  19. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    I don't see where javacool said that the regkeys in question did or didn't belong to SpywareBlaster, just some vague reference to SpywareBlaster's protecting itself.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I believe this can be inferred from prior postings that indicate that the keys exist, but with different data values, on many individuals' PCs that have SpywareBlaster installed.

    What was not addressed is why do the "encrypted" keys persist after SpywareBlaster is uninstalled?
     
  21. Wallaby

    Wallaby Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    156
    Thanks for the clarification javacool :thumb:
     
  22. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    I noticed that the newest version of SpywareBlaster adds a new regkey, "HKCU\Software\The Silicon Realms Toolworks\Armadillo", and a new "licenses" folder, at "C:\Documents and Settings\All Users\Application Data\Licenses", with a "LIC" file within it. The regkeys might be related to that.

    I have one of the regkeys that you mentioned, on my computer, the "HKCR\{5c321e34-4206-13d1-b2e4-0060975b8649}" regkey, but I don't have the "HKCR\wow6432node\" regkey. I suppose that's because I am running Win XP, which isn't a 64-bit version of Windows.

    itman, how did you notice the regkeys? Did a security program that you use alert you to them?
     
  23. cyberlost24

    cyberlost24 Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    73
    Yes, good question... Why do they??
     
  24. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    We could clean up those few small registry values on uninstall, although obviously if a user has entered a license we don't want to just automatically remove that (in case they simply want to uninstall/reinstall the product). So at the moment we don't, for the convenience of users who have entered a license. That's it.

    As I said above, there's really no reason to manually remove them, but if you are an advanced user you are certainly welcome to.

    Additionally, if you have a license, that information will be stored in a few places - because we've unfortunately seen far too often that certain "cleanup" tools remove way too much. (We had a bunch of users complaining about having to enter their license repeatedly, and we discovered that it was the fault of some overzealous and not-very-accurate cleanup software that was deleting tons of data that the users wanted to keep.)

    Finally, this is really not the forum to discuss other software, and there seem to be some misconceptions about how licensing code and software works. I have removed some unnecessary and inaccurate assumptions and speculation. Thank you.
     