Author Topic: 澐 澓 -- Two Chinese characters show up as root entries in HKEY_CURRENT_USER


Offline James Newbie

  • Jr. Member
  • **
  • Posts: 30
Is this a malware indication? What do these two Chinese characters mean?

@澐  @澓 

Each of these has just one value stored:
"cl"=dword:00000003

There's also another entry right above them: "&", with the same value.
"cache2" and "ext" have no assigned values.

Here's the structure and values:  (also see JPG file attached for graphical version)

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\&]
"cl"=dword:00000003
[HKEY_CURRENT_USER\&\cache2]
[HKEY_CURRENT_USER\&\ext]

[HKEY_CURRENT_USER\@澐]
"cl"=dword:00000003
[HKEY_CURRENT_USER\@澐\cache2]
[HKEY_CURRENT_USER\@澐\ext]

[HKEY_CURRENT_USER\@澓]
"cl"=dword:00000003
[HKEY_CURRENT_USER\@澓\cache2]
[HKEY_CURRENT_USER\@澓\ext]

REDACTED

  • Guest
I have the same problem!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
If you want a check, attach requested diagnostic logs >>  https://forum.avast.com/index.php?topic=194892.0

The two FRST logs are the important ones


Offline James Newbie

  • Jr. Member
  • **
  • Posts: 30
The following "Chinese" key was created in the root of my Windows 7 registry, HKCU hive, the other day:

潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲䤮䍳湯敮瑣摥潔慍慮敧䍤湯潳敬

Interpreting this as 8-bit ASCII characters rather than 32-bit UNICODE characters yields this:

com.avast.ipm.ClientParameters.IsConnectedToManagedConsole

Rather than being caused by possible malware, is it possible that Avast is mistakenly storing malformed ASCII strings as UNICODE in the registry?

I've run Avast's "full virus scan", both in Windows as well as during boot time.  Nothing found.

What do you think?


Here's the key, exported:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲䤮䍳湯敮瑣摥潔慍慮敧䍤湯潳敬]
"cl"=dword:00000003

[HKEY_CURRENT_USER\潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲䤮䍳湯敮瑣摥潔慍慮敧䍤湯潳敬\cache2]

[HKEY_CURRENT_USER\潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲䤮䍳湯敮瑣摥潔慍慮敧䍤湯潳敬\ext]


Offline James Newbie

  • Jr. Member
  • **
  • Posts: 30
Another "Chinese" key was created yesterday. Again, with a reference to Avast (different):

潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲䌮湯楦畧慲楴湯敖獲潩ne

Interpreting this as 8-bit ASCII characters rather than 32-bit UNICODE characters yields this (refers to Avast's ".ConfigurationVersion" rather than ".IsConnectedToManagedConsole"):

ÿþcom.avast.ipm.ClientParameters.ConfigurationVersion e

I noticed this new "Chinese" key shortly after I ran Avast's "Smart Scan" -- but I don't know if it was in the registry before that.

Additional information, if it would help:

When these "Chinese" keys first started appearing back in November, there were a couple of plain English keys that also appeared in the root of HKCU (i.e., out of place):

"MThree Development" (see JPG attached)
and
"system52216"

Here are the abovementioned keys, exported:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲䌮湯楦畧慲楴湯敖獲潩ne]
"cl"=dword:00000003

[HKEY_CURRENT_USER\潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲䌮湯楦畧慲楴湯敖獲潩ne\cache2]

[HKEY_CURRENT_USER\潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲䌮湯楦畧慲楴湯敖獲潩ne\

[HKEY_CURRENT_USER\MThree Development]

[HKEY_CURRENT_USER\System52216]

REDACTED

  • Guest
Yes, I have another 'Chinese' key as well that wasn't there before:

HKEY_CURRENT_USER\潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲伮湭瑩牵卥瑩䍥瑡污獹噴牡㔵

which looks very similar to yours

How did you convert to 8 bit ascii?

Offline James Newbie

  • Jr. Member
  • **
  • Posts: 30
Your UNICODE character string evaluates to the following ASCII string:

ÿþcom.avast.ipm.ClientParameters.OmnitureSiteCatalystVar55

I use a text editor that supports UNICODE and has a Hex Viewer.

Actually, I pay no attention to the hexadecimal numbers. But this Hex Viewer also shows the values in ordinary ASCII characters on the right, even if the string was stored as UNICODE.

See the sample screenshot attached.
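
The conversion described in the two posts above (reading each 16-bit code unit of the key name as two 8-bit bytes, low byte first, which is what the hex viewer's ASCII column shows) can be scripted. The following Python is an added example, not code from the thread or from Avast: the three key names are copied from the exported .reg text in this thread, while the triage labels, the `render_ascii` escaping and the `misencode` helper (which pads an odd-length ASCII string with one NUL byte) are this example's own assumptions. A name whose UTF-16LE bytes are all printable ASCII is the signature of an 8-bit string written two characters per 16-bit slot; anything else is reported as not a clean misencoding rather than explained away.

```python
# Added example (not from the thread): reinterpret a registry key name that
# renders as CJK text as the 8-bit ASCII bytes it was built from.
# The sample key names are copied from the exported .reg text in the posts;
# the triage labels and misencode() are this example's own assumptions.

# Key names exactly as they appear in the exported .reg files above.
KEY_CONNECTED = "潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲䤮䍳湯敮瑣摥潔慍慮敧䍤湯潳敬"
KEY_CONFIG_VERSION = "潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲䌮湯楦畧慲楴湯敖獲潩ne"
KEY_OMNITURE = "潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲伮湭瑩牵卥瑩䍥瑡污獹噴牡㔵"


def code_units_as_bytes(name: str) -> bytes:
    """Serialise the name as UTF-16LE, the byte layout Windows uses for
    registry key names: every code unit becomes two bytes, low byte first."""
    return name.encode("utf-16-le")


def render_ascii(raw: bytes) -> str:
    """Show printable ASCII as-is and escape everything else, so NUL padding
    and high bytes stay visible instead of turning into blanks."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in raw)


def triage(name: str) -> dict:
    """Classify a suspicious key name.

    clean_ascii is True when every byte of the UTF-16LE form is printable
    ASCII, i.e. an 8-bit string was stored two characters per 16-bit slot.
    Anything else (NUL padding, bytes above 0x7F) is not a simple
    misencoding and deserves a closer look.
    """
    raw = code_units_as_bytes(name)
    return {
        "name": name,
        "bytes_as_ascii": render_ascii(raw),
        "clean_ascii": all(0x20 <= b < 0x7F for b in raw),
    }


def misencode(text: str) -> str:
    """Reverse direction, to confirm the explanation: take the ASCII bytes of
    text and read them as UTF-16LE code units. Odd-length input is padded
    with one NUL byte; that padding is an assumption of this example, not
    observed behaviour of any product."""
    data = text.encode("ascii")
    if len(data) % 2:
        data += b"\x00"
    return data.decode("utf-16-le")


if __name__ == "__main__":
    for key in (KEY_CONNECTED, KEY_CONFIG_VERSION, KEY_OMNITURE, "@澐", "&"):
        result = triage(key)
        label = "ASCII read as UTF-16" if result["clean_ascii"] else "not clean ASCII"
        print(f"{label:22} {result['bytes_as_ascii']}")
    # Round trip: the decoded string re-encodes to the original key name.
    assert misencode(triage(KEY_CONNECTED)["bytes_as_ascii"]) == KEY_CONNECTED
```

Run as-is, the script prints one line per key; the two single-character keys from the first post ("&" and "@澐") come out as "not clean ASCII" because the "@" and "&" occupy a whole 16-bit slot with a NUL high byte, so they are not the same two-characters-per-slot pattern as the long names.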


REDACTED

  • Guest
thanks for the 'translation'. Interesting - it does seem as if Avast is doing something dodgy.

Omniture is a web analytics company and SiteCatalyst is one of their products. Could be that Avast is using Omniture for some sort of analytics or web tracking.

I checked in Avast and I did have 'participate in data sharing' and 'participate in avast community' enabled, which I have now disabled (it didn't remove the key from the registry though).


Offline James Newbie

  • Jr. Member
  • **
  • Posts: 30
Do Avast programmers or staff members browse this forum?

It would be helpful to know if these malformed strings being placed in the root of HKCU are the result of a bug in an Avast system component.

Thanks.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48551
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Avast is aware of this. It's apparently caused by the Browser Cleanup.
They are working on a fix


Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline James Newbie

  • Jr. Member
  • **
  • Posts: 30
Thank you, Bob, for your prompt response.
Much appreciated.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48551
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
You're welcome. Now all we need is the fix. :)

REDACTED

  • Guest
> Avast is aware of this. It's apparently caused by the Browser Cleanup.
> They are working on a fix
The strange thing is that I don't have Avast Browser Cleanup installed.
Could it be that Avast creates the registry entries regardless whether Browser Cleanup is installed or not?

Offline James Newbie

  • Jr. Member
  • **
  • Posts: 30
> Avast is aware of this. It's apparently caused by the Browser Cleanup.
> They are working on a fix
> The strange thing is that I don't have Avast Browser Cleanup installed.
> Could it be that Avast creates the registry entries regardless whether Browser Cleanup is installed or not?

Same here, actually.

REDACTED

  • Guest
I don't have Browser Cleanup installed either.

Could Avast let us know whether it is safe to delete the keys?