澐 澓 -- Two Chinese characters show up as root entries in HKEY_CURRENT_USER

Is this a malware indication? What do these two Chinese characters mean?

@澐 @澓

Each of these has just one value stored:
"cl"=dword:00000003

There’s also another entry right above them: “&”, with the same value.
“cache2” and “ext” have no assigned values.

Here’s the structure and values: (also see JPG file attached for graphical version)

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\&]
"cl"=dword:00000003
[HKEY_CURRENT_USER\&\cache2]
[HKEY_CURRENT_USER\&\ext]

[HKEY_CURRENT_USER\@澐]
"cl"=dword:00000003
[HKEY_CURRENT_USER\@澐\cache2]
[HKEY_CURRENT_USER\@澐\ext]

[HKEY_CURRENT_USER\@澓]
"cl"=dword:00000003
[HKEY_CURRENT_USER\@澓\cache2]
[HKEY_CURRENT_USER\@澓\ext]

I have the same problem!

If you want a check, attach requested diagnostic logs >> https://forum.avast.com/index.php?topic=194892.0

The two FRST logs are the important ones

The following “Chinese” key was created in the root of my Windows 7 registry, HKCU hive, the other day:

潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲䤮䍳湯敮瑣摥潔慍慮敧䍤湯潳敬

Interpreting this as 8-bit ASCII characters rather than 32-bit UNICODE characters yields this:

com.avast.ipm.ClientParameters.IsConnectedToManagedConsole

Rather than being caused by possible malware, is it possible that Avast is mistakenly storing malformed ASCII strings as UNICODE in the registry?

I’ve run Avast’s “full virus scan”, both in Windows as well as during boot time. Nothing found.

What do you think?

Here’s the key, exported:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲䤮䍳湯敮瑣摥潔慍慮敧䍤湯潳敬]
"cl"=dword:00000003

[HKEY_CURRENT_USER\潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲䤮䍳湯敮瑣摥潔慍慮敧䍤湯潳敬\cache2]

[HKEY_CURRENT_USER\潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲䤮䍳湯敮瑣摥潔慍慮敧䍤湯潳敬\ext]

Another “Chinese” key was created yesterday. Again, with a reference to Avast (different):

潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲䌮湯楦畧慲楴湯敖獲潩ne

Interpreting this as 8-bit ASCII characters rather than 32-bit UNICODE characters yields this (refers to Avast’s “.ConfigurationVersion” rather than “.IsConnectedToManagedConsole”):

ÿþcom.avast.ipm.ClientParameters.ConfigurationVersion e

I noticed this new “Chinese” key shortly after I ran Avast’s “Smart Scan” – but I don’t know if it was in the registry before that.

Additional information, if it would help:

When these “Chinese” keys first started appearing back in November, there were a couple plain English keys that also appeared in the root of HKCU (i.e., out of place):

“MThree Development” (see JPG attached)
and
“system52216”

Here are the abovementioned keys, exported:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲䌮湯楦畧慲楴湯敖獲潩ne]
"cl"=dword:00000003

[HKEY_CURRENT_USER\潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲䌮湯楦畧慲楴湯敖獲潩ne\cache2]

[HKEY_CURRENT_USER\潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲䌮湯楦畧慲楴湯敖獲潩ne\

[HKEY_CURRENT_USER\MThree Development]

[HKEY_CURRENT_USER\System52216]

Yes, I have another ‘Chinese’ key as well that wasn’t there before:

HKEY_CURRENT_USER\潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲伮湭瑩牵卥瑩䍥瑡污獹噴牡㔵

which looks very similar to yours

How did you convert to 8 bit ascii?

Your UNICODE character string evaluates to the following ASCII string:

ÿþcom.avast.ipm.ClientParameters.OmnitureSiteCatalystVar55

I use a text editor that supports UNICODE and has a Hex Viewer.

Actually, I pay no attention to the hexadecimal numbers. But this Hex Viewer also shows the values in ordinary ASCII characters on the right, even if the string was stored as UNICODE.

See the sample screenshot attached.
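The hex-viewer trick described above can be done in a few lines of code. This is an added example, not something from the thread or from Avast: it re-encodes a "Chinese" key name as UTF-16LE, reads the bytes back as 8-bit text, and flags whether the result is plain ASCII (the "com.avast..." keys) or just binary junk that happens to land on CJK code points.

```python
"""Decode registry key names that are ASCII bytes misread as UTF-16LE.

Added example (not from the thread or from Avast). Re-encoding the key
name as UTF-16LE recovers the original byte stream; reading those bytes
as 8-bit text is what the hex viewer's right-hand column shows.
"""
import string

# Printable ASCII, minus whitespace control characters.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def decode_mojibake(name: str) -> str:
    """Return the 8-bit text hidden in a UTF-16-mangled key name."""
    raw = name.encode("utf-16-le")
    # A leading BOM (U+FEFF) becomes the 'ÿþ' seen in the hex dumps.
    if raw.startswith(b"\xff\xfe"):
        raw = raw[2:]
    return raw.decode("latin-1")


def readable_fraction(text: str) -> float:
    """Share of characters that are printable ASCII, ignoring NUL padding."""
    body = text.replace("\x00", "")
    if not body:
        return 0.0
    return sum(c in PRINTABLE for c in body) / len(body)


def classify(name: str, threshold: float = 0.95) -> tuple[str, bool]:
    """Decode a key name and report whether it reads as plain ASCII."""
    text = decode_mojibake(name)
    return text.rstrip("\x00"), readable_fraction(text) >= threshold


# Constructed sample list: key names quoted in the thread above.
SAMPLES = [
    "潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲䤮䍳湯敮瑣摥潔慍慮敧䍤湯潳敬",
    "潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲伮湭瑩牵卥瑩䍥瑡污獹噴牡㔵",
    "澐",
]

if __name__ == "__main__":
    for key in SAMPLES:
        text, ascii_like = classify(key)
        print(f"{'ASCII ' if ascii_like else 'binary'} {key!r} -> {text!r}")
```

Key names whose decoded bytes are mostly non-printable (like the two single characters in the thread title) are not ASCII mojibake and this method cannot recover anything from them.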

Thanks for the ‘translation’. Interesting - it does seem as if Avast is doing something dodgy.

Omniture is a web analytics company and SiteCatalyst is one of their products. Could be that Avast is using Omniture for some sort of analytics or web tracking.

I checked in Avast and I did have ‘participate in data sharing’ and ‘participate in avast community’ enabled which I have now disabled (it didn’t remove the key from the registry though)

Do Avast programmers or staff members browse this forum?

It would be helpful to know if these malformed strings being placed in the root of HKCU are the result of a bug in an Avast system component.

Thanks.

Avast is aware of this. It’s apparently caused by the Browser Cleanup.
They are working on a fix

Thank you, Bob, for your prompt response.
Much appreciated.

You’re welcome. Now all we need is the fix. :slight_smile:

The strange thing is that I don’t have Avast Browser Cleanup installed.
Could it be that Avast creates the registry entries regardless whether Browser Cleanup is installed or not?

Same here, actually.

I don’t have Browser Cleanup installed either.

Could Avast let us know whether it is safe to delete the keys?

I’m bumping this, because I’d also like an answer to the last question: Is it safe to delete the mojibake keys? Or should we convert them to their ASCII equivalents? Mine are:

  • 뻸㽷넰㽷뻸㽷d슐Ꭲ470568A
  • ⮨學Ĕ伀텐貤,
  • 銸ᔈ毰▃킘⩙_
  • 㒐泛
  • 㔲〳㐸㘴ㅟ㈱ㄵ㌷㘱㈴㔸㈳弴㐵㈰㐴㌶㈶㠹㤷㘸㐹弴⹮灭4づ慦

As far as I can tell, I don’t have Browser Cleaner, but I don’t know how to be sure.

Also, a curiosity question for the others having this problem (which might also help Avast troubleshoot): Is your copy of Windows perchance a foreign language version (even if you are currently using English for the UI)? Or at a minimum, do you have a multi-byte language pack installed? In my case, this is a Japanese computer, originally with Japanese Windows, whose settings I changed to show English. Another thread I found by Google was a computer with Hebrew and English.

Some questions. Are you guys still on Windows 7? (It is now dead in the water and has become a liability.)
Do you use a VPN service?
See the related malware analysis:
https://www.hybrid-analysis.com/sample/8f19851ff097674bf4d11a3231f15a017fe5ff1c273dec67fe5b13665a6de2e4?environmentId=100
and could this be reversed code? ("-http://so.much.anime.so.little.time.left.strike.that.reverse.it etc.)

But we should wait for an avast fix, really.

polonus

I’m seeing a few entries with these odd characters (can only assume this a bug).

I’m convinced this is Avast doing this but why? Can I delete these keys?

  • �›⟀ו�›_
  • ㄲ㔵㔷㤵ㅟ㔶㈸㐹㈳㈴㔱㈰弶㔳㠸㘷㘵㤶㔱㐲㔳㘴強⹮灪gt
  • 傠⟲㊘✨傠⟲
  • 潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲䈮汣桗瑩汥扡汥湩偧牡湴牥摉
  • 灸Ồ灸Ồ灸Ồ灸Ồ灸Ồ灸Ồ灸Ồ灸Ồ灸Ồ灸Ồ灸Ồ灸Ồ灸Ồ灸Ồ灸Ồ灸Ồ謝ଽ蠀㒐涠
  • 筀ሜ⚳筀ሜE
  • 肨♲肨♲肨♲肨♲肨♲肨♲菘♲菘♲蟸♲蟸♲肨♲肨♲螘♲脸♲肨♲肨♲䟡駐幬蠀C:
  • 鈀➤ә鈀➤E
  • 㒐滣

Why do you think this is coming from Avast?
I’m also using the free version and don’t see anything like that.

https://screencast-o-matic.com/screenshots/u/Lh/1580926910201-89839.png

Hi bob3160,

I also guess this has nothing to do with avast,
as these characters aren’t very friendly in Chinese,
they read like “stubborn & idiot”.

Folks at avast’s and we here on the forums
are not calling anybody a “stubborn idiot”.
At least it is not my formal way of addressing people. :-[

Did it come from an attack of sorts, a webshell-attack?
These are rather common nowadays, and coming from China among other places.

polonus