Strange entries in the registry.
I'm fairly comfortable with understanding what I see in the registry. However, I see something that has appeared recently and I'm hoping someone can explain it. Spybot Search & Destroy, my AV program, and Windows Defender do not react to it.

Here's an export of the key. It's located right under HKCU:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\1T2G8nRaQwTxZ0JATGxkTNuLSVE=]
"S+3mJJ+/rgnur89c4dAZphKIAEg="="cDjU7w=="
"WipXDJTKFccNtjR1SxdtbczrVpE="="cDjU7w=="
"S8/Uf3QfMu1vaY5oZVIDjE4nN9g="="djg="
"rGrpoHYhSsSpQuAVzTPRPPKdt6o="="sO40jB1NygE="
"O7U2osiUuHko0i9E5CW7QasGlvw="="A9tQCIq44sf4TxTcbwl1qXguW0w="

I have four other keys under HKCU as well that are of the same form.

Brian Tillman [MVP-Outlook]
June 5th, 2010 8:29pm

Malware?

You could create a new user account and see if the spurious keys are created.

Does the equivalent HKEY_USERS\S-1-5-21 contain the same ‘garbage’?

I’d be inclined to export them, delete them and keep an eye on HKCU for a few days.
June 5th, 2010 9:08pm

Are we sure this is BT? Not what I'd expect from BT; fundamental description errors in the general description body.
June 5th, 2010 9:47pm

"Brian Tillman [MVP-Outlook]" wrote in message news:c8e4dbbe-86d8-48ff-a903-32129a4e4daa...

> [quotes the original post in full]

I'm wondering if they're actually encoded keys in Unicode - but I have no idea about decoding them. You'd probably have to take the pairs, and use the ASCII codes to generate the Unicode - but what you'd end up with is anyone's guess. You may even end up with a Big/Little endian variance, and have to do both to get something that meant anything.

OTOH it could just be dross left behind from a forced shutdown or a crash.

-- Noel Paton | Nil Carborundum Illegitemi | CrashFixPC
June 6th, 2010 2:30am

Pardon? To what fundamental errors do you refer?

Brian Tillman [MVP-Outlook]
------------------------------
If a reply helps, please vote it as helpful. If a reply solves the issue, please mark it as an answer.
June 6th, 2010 4:24am

They are under HKEY_USERS as well. I may try to see if they translate, but I think I'll take the advice of exporting them, deleting them, and seeing if there are side-effects.

Thanks for the suggestions.

Brian Tillman [MVP-Outlook]
------------------------------
If a reply helps, please vote it as helpful. If a reply solves the issue, please mark it as an answer.
June 6th, 2010 4:30am

Brian

I suppose it’s obvious the entries would be present in HKEY_USERS for the current user.

Although it’s worrying to have spurious keys in the HKCU hive, it would be more of a concern if the entries appeared in HKLM. I suggest you look there.
June 6th, 2010 10:39am

Hi Brian,

Besides this, try to scan from another vendor for malware/viruses by using SuperAntiSpyware/Malwarebytes.

SuperAntiSpyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html

Malwarebytes© Corporation - Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

Complete scan, not an express scan:
http://www.freedrweb.com/download+cureit/gr/?lng=en

Please download, install, get the latest definitions and run a COMPLETE scan!

SuperAntiSpyware is a good scanner that will pick up the infected keys (even if they are orphan keys!).

nass -- http://www.nasstec.co.uk
June 6th, 2010 1:09pm

None of these tools noticed the entries. I'm more convinced than ever to simply export the keys just in case and delete them. Thanks for the suggestions.

Brian Tillman [MVP-Outlook]
------------------------------
If a reply helps, please vote it as helpful. If a reply solves the issue, please mark it as an answer.
June 7th, 2010 5:14pm

Brian

No anti program would identify your spurious keys as malware. The first and most obvious reason is that the key is not a significant Windows key, e.g. \UserInit or a \Run key, where malware hides. Being at the top of the HKCU tree, it can cause no damage other than giving some fool a bit of fun by causing ‘panic‘.

If you don’t believe me, open regedit > click on HKCU > Edit > New > Key and name it "A False Key". Right-click in the right pane and choose New > String value and name it "Not Wanted". Double-click it and type "I can be deleted". Next time you open regedit, because of the alphabetic sequence, it will appear as the first key in HKCU and also in the equivalent HKU for the current user. Run any anti program and the key will be ignored; however, you do need to go back to regedit, navigate to HKCU, right-click "A False Key" and Delete it.
June 7th, 2010 6:00pm

> None of these tools noticed the entries. I'm more convinced than ever to simply export the keys just in case and delete them. Thanks for the suggestions.

That's good, at least now you know you are free from nasties!

Try to back it up and then delete it, and see by trial and error which app will complain about it being absent.

nass -- http://www.nasstec.co.uk
June 7th, 2010 8:38pm

> No anti program would identify your spurious keys as malware. The first and most obvious reason is that the key is not a significant Windows key, e.g. \UserInit or a \Run key, where malware hides. Being at the top of the HKCU tree, it can cause no damage other than giving some fool a bit of fun by causing ‘panic‘.
>
> If you don’t believe me, open regedit > click on HKCU > Edit > New > Key and name it "A False Key". Right-click in the right pane and choose New > String value and name it "Not Wanted". Double-click it and type "I can be deleted". Next time you open regedit, because of the alphabetic sequence, it will appear as the first key in HKCU and also in the equivalent HKU for the current user. Run any anti program and the key will be ignored; however, you do need to go back to regedit, navigate to HKCU, right-click "A False Key" and Delete it.

That's rubbish! If the encrypted value in that key is malicious, for sure the AV engine will identify it as bad and try to cure it or delete it. Creating an empty key with an empty value/string of course will not be identified as bad, even by a kid who can't speak yet!

If you understand how AV engines perform their scans, you will know they can decrypt the values against the definitions database built into the engine and analyse them to check for malicious code in the value of that key. I have never seen a virus created with an empty value before; does anyone know of such a thing?

nass -- http://www.nasstec.co.uk
June 7th, 2010 8:46pm

> That's rubbish! If the encrypted value in that key is malicious, for sure the AV engine will identify it as bad and try to cure it or delete it. Creating an empty key with an empty value/string of course will not be identified as bad, even by a kid who can't speak yet!
>
> If you understand how AV engines perform their scans, you will know they can decrypt the values against the definitions database built into the engine and analyse them to check for malicious code in the value of that key. I have never seen a virus created with an empty value before; does anyone know of such a thing?

I don’t quite follow some of your strange English, but the point I’m trying to put across is that any key can be added anywhere. It’s the triggering of that key that matters. For instance, create a key as per Brian’s HKCU rogue key and make its value avserve.exe (the old favourite, Sasser). An AV program will remove it because it’s in the database, but if left alone it will not cause any problems because A) there is no program present and B) there is no key to trigger it.
June 7th, 2010 9:07pm

> Spybot Search & Destroy, my AV program

It's not an AV program.
June 7th, 2010 9:42pm

This isn't news, but I still appreciate the guidance.

Brian Tillman [MVP-Outlook]
------------------------------
If a reply helps, please vote it as helpful. If a reply solves the issue, please mark it as an answer.
June 7th, 2010 9:44pm

Once again you prove that you know nothing about how viruses and malicious code are written and encrypted in a key to point to a file/path/root on the system. Read Brian's post again and you will see the value for the key is NOT EMPTY. Here it is again for you in big font:

[HKEY_CURRENT_USER\1T2G8nRaQwTxZ0JATGxkTNuLSVE=]

The above is the key.

"S+3mJJ+/rgnur89c4dAZphKIAEg="="cDjU7w=="
"WipXDJTKFccNtjR1SxdtbczrVpE="="cDjU7w=="
"S8/Uf3QfMu1vaY5oZVIDjE4nN9g="="djg="
"rGrpoHYhSsSpQuAVzTPRPPKdt6o="="sO40jB1NygE="
"O7U2osiUuHko0i9E5CW7QasGlvw="="A9tQCIq44sf4TxTcbwl1qXguW0w="

This is the encrypted value/string, which, if you have Borland or another programming suite, you can decompile/decrypt by recreating the scenario.

I rest my case.

Welcome Mr NUT to the forums.

nass -- http://www.nasstec.co.uk
June 8th, 2010 12:33am

Unlike you to be imprecise.
June 8th, 2010 1:56am

Use Sysinternals Process Monitor to see what may be accessing that registry key. At first glance, the strings appear to be base64 encoded binary data.
June 8th, 2010 5:02am
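The last reply's observation that the strings look like base64 can be checked offline before deleting anything. The following Python is an added example, not code from the thread: it parses Brian's posted .reg export (re-split one entry per line, content unchanged), strictly base64-decodes each key name, value name and value, and reports decoded length, printability and, for 8-byte values, whether the bytes read as a plausible Windows FILETIME. The FILETIME reading is a triage heuristic I am assuming, not a confirmed interpretation of this data.

```python
import base64, binascii, re
from datetime import datetime, timedelta, timezone

# The export posted in the thread, re-split one entry per line (content unchanged).
REG_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\1T2G8nRaQwTxZ0JATGxkTNuLSVE=]
"S+3mJJ+/rgnur89c4dAZphKIAEg="="cDjU7w=="
"WipXDJTKFccNtjR1SxdtbczrVpE="="cDjU7w=="
"S8/Uf3QfMu1vaY5oZVIDjE4nN9g="="djg="
"rGrpoHYhSsSpQuAVzTPRPPKdt6o="="sO40jB1NygE="
"O7U2osiUuHko0i9E5CW7QasGlvw="="A9tQCIq44sf4TxTcbwl1qXguW0w="
'''
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"="([^"]*)"$')  # REG_SZ lines only; this export has no escapes

def parse_reg(text):
    """Map each [key] in a .reg export to its list of (value name, string data) pairs."""
    keys, current = {}, None
    for line in text.splitlines():
        if (m := KEY_RE.match(line)):
            current = m.group(1)
            keys[current] = []
        elif (m := VALUE_RE.match(line)) and current is not None:
            keys[current].append((m.group(1), m.group(2)))
    return keys

def as_filetime(raw):
    """Heuristic: read 8 bytes as a little-endian FILETIME; keep it only if the date is plausible."""
    if len(raw) != 8:
        return None
    ticks = int.from_bytes(raw, 'little')  # 100 ns intervals since 1601-01-01 UTC
    dt = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)
    return dt.isoformat() if 1990 <= dt.year <= 2030 else None

def describe(s):
    """Strict base64 decode of s, summarised; {'b64': False} if s is not valid base64."""
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return {'b64': False}
    return {'b64': True, 'len': len(raw), 'hex': raw.hex(),
            'printable': all(32 <= b < 127 for b in raw), 'filetime': as_filetime(raw)}

def triage(text):
    """Describe the leaf key name and every value name/data pair of each key in the export."""
    report = {}
    for key, values in parse_reg(text).items():
        leaf = key.rsplit('\\', 1)[-1]
        report[leaf] = {'key': describe(leaf), 'values': [(describe(n), describe(d)) for n, d in values]}
    return report
```

On the posted data the key name and all five value names decode to exactly 20 bytes each, and the 8-byte value decodes as a FILETIME in October 2009, a few months before the thread. Uniform opaque names of one fixed length are what an application storing hashed settings of its own would look like, but that is an inference to confirm with Process Monitor as the last reply suggests, not a verdict.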
