3

I suspect that my system has been hacked into. I see huge drops in free hard disk space for a while and then the space returns to near old values. A few days ago, when I clicked "my computer", I saw the properties of the computer instead of "my computer". Start menu showed me the same thing. I rebooted my system and things became normal. All my browsers hang for a while. Additionally, sometimes my FB login page looks weird and unlike the regular page (browser injection?). Then, there are these Chinese alphabets in the attached image:

HKEY_CLASSES_ROOT\楖敤䱯乁嘮䍌汐杵湩.1

Is it possible that my system is infected with some stealthy malware? If yes, how do I check if it is really malware?

I am worried to death now. All the paid av, sandboxing, no-scripting finally might have amounted to nothing. :(

Screenshot of regedit with some keys containing chinese characters.

Anders
FirstName LastName
    I assume/hope you've run multiple anti-virus scans? Malwarebytes, etc.? – Anorov Mar 01 '13 at 09:38
  • @Anorov - Ok, I admit that I am a little lazy to take the trouble of installing multiple AV's. But, I doubt if MBAM or any other software would help at this stage. – FirstName LastName Mar 02 '13 at 17:56

3 Answers

11

Source appears to be the VLC browser plugin. The weird name is a text encoding bug (ASCII as UTF-16).

Not anything to worry about in itself.

bobince
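You can check bobince's diagnosis yourself without touching the registry. The following is an added example (it is not code from the answer or from the VLC project): each CJK character in the key name is one UTF-16LE code unit, i.e. two ASCII bytes read little-endian, so reversing the bug is a pure encoding round-trip. The only input is the key as it appears in the question.

```python
# Added example (not part of bobince's answer or of the VLC project):
# recover the readable name behind a registry key whose ASCII bytes were
# shown as UTF-16. Every visible CJK character is one UTF-16LE code unit,
# i.e. two ASCII bytes read in little-endian order, so the repair is a
# pure encoding round-trip and needs no registry access.

# The key exactly as it appears in the question.
GARBLED_KEY = r"HKEY_CLASSES_ROOT\楖敤䱯乁嘮䍌汐杵湩.1"


def garble_ascii_as_utf16(ascii_text: str) -> str:
    """Reproduce the bug: hand an ASCII byte string to a UTF-16LE decoder.

    Two ASCII bytes are consumed per output character, which is why the
    result looks like CJK ideographs. Odd-length input cannot form whole
    code units, so it is rejected rather than silently truncated.
    """
    raw = ascii_text.encode("ascii")
    if len(raw) % 2:
        raise ValueError("UTF-16 needs an even number of bytes")
    return raw.decode("utf-16-le")


def decode_utf16_mojibake(text: str) -> str:
    """Undo garble_ascii_as_utf16() on the non-ASCII characters of text.

    ASCII characters (the hive name, backslashes, the trailing ".1") are
    kept as-is. If any non-ASCII character does not split into two
    printable ASCII bytes, the input is returned unchanged, so a name that
    really is Chinese is not mangled.
    """
    out = []
    for ch in text:
        if ord(ch) < 0x80:
            out.append(ch)
            continue
        try:
            pair = ch.encode("utf-16-le")  # 2 bytes for a BMP code point, 4 beyond it
        except UnicodeEncodeError:  # lone surrogate: cannot be an artefact of this bug
            return text
        if len(pair) != 2 or not all(0x20 <= b < 0x7F for b in pair):
            return text  # not an ASCII-as-UTF-16 artefact
        out.append(pair.decode("ascii"))
    return "".join(out)


if __name__ == "__main__":
    print(GARBLED_KEY, "->", decode_utf16_mojibake(GARBLED_KEY))
```

Run as-is it prints the key followed by `HKEY_CLASSES_ROOT\VideoLAN.VLCPlugin.1`, the ProgID of VLC's browser plugin, which is exactly what the answer says. The useful part of the check is the negative case: if a key decodes to something that is not a recognisable product name, or does not decode at all, the "encoding bug" explanation no longer applies and the key deserves a closer look.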
5

If you in any way suspect that your system has been hacked, first and foremost you should focus on backing up your data. Chances are you are going to have to wipe your entire system and start over, and you don't know how long you will be able to use your system.

Once you have safeguarded your data there are some avenues for investigation I would pursue:

  1. Look at what is taking up space on your disk. Try and save some of it externally. There are few good reasons that your free space usage would see-saw like that.
  2. Do a packet capture on your network interface and see what your system is contacting. Filter out what is genuine, and look up some of the rest to see if any are known C&C hosts for botnets.

Of course, if your system has been taken over there's nothing you can do to gain 100% assurance that you've fixed it, as these days malware tends to be extremely persistent. Investigating these things tends to be more of an academic exercise, to find out what has taken over and understand it. You can sink a lot of time on investigation with no result; if it were me I'd back up my critical data and rebuild.

GdD
  • GdD - I suspected that it would be an academic exercise. Damn. But, I am skeptical that a back up could help. If this is really a malware attack, then the back up could be infected too, making the whole exercise futile and fatal. What do you think? – FirstName LastName Mar 02 '13 at 17:51
    It is a legitimate concern, however the risk is actually pretty minimal. Most malware does not act as a virus, infecting other files, so in all likelihood your files are safe. The exceptions to this are the files that infected you, if you opened a fake attachment for example. Besides, if you don't back up your data what will you have to work off of? – GdD Mar 02 '13 at 20:02
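For step 1 of GdD's list, the see-sawing free space is easiest to pin down by scanning the disk twice and diffing the two snapshots, rather than by eyeballing one listing. The script below is an added example, not code from the answer; it uses only the Python standard library, reports directory totals the way `du` does, and ships with a small constructed directory tree so it runs offline. On the real machine you would point it at the drive root and take the two snapshots a few minutes apart, while the space is disappearing.

```python
# Added example (not code from GdD's answer): a dependency-free way to do
# step 1, "look at what is taking up space", and to catch the see-sawing
# free space the question describes by diffing two snapshots taken at
# different times. Works on any OS; paths are reported relative to the
# scanned root, in forward-slash form.
import os
import posixpath
import tempfile


def dir_sizes(root: str) -> dict:
    """Map each directory under root (relative, '.' for root) to the total
    bytes of all files beneath it, like `du`. Symlinks are not followed and
    unreadable files are skipped so one locked file does not abort the scan."""
    root = os.path.abspath(root)
    sizes = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        total = 0
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if not os.path.islink(path):
                    total += os.path.getsize(path)
            except OSError:
                continue  # locked or vanished file: skip it
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        sizes[rel] = total
    # os.walk is top-down; roll child totals into their parents, deepest first
    # (a child's relative path is always longer than its parent's).
    for rel in sorted(sizes, key=len, reverse=True):
        if rel != ".":
            sizes[posixpath.dirname(rel) or "."] += sizes[rel]
    return sizes


def largest_dirs(sizes: dict, n: int) -> list:
    """Top-n (path, bytes) pairs, biggest first."""
    return sorted(sizes.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def biggest_changes(before: dict, after: dict, n: int) -> list:
    """Directories whose size moved most between two snapshots, as
    (path, delta_bytes); a negative delta means space was freed again."""
    paths = set(before) | set(after)
    deltas = {p: after.get(p, 0) - before.get(p, 0) for p in paths}
    changed = [(p, d) for p, d in deltas.items() if d]
    return sorted(changed, key=lambda kv: (-abs(kv[1]), kv[0]))[:n]


def add_sample_file(root: str, rel: str, nbytes: int) -> None:
    """Create a file of nbytes under root (constructed test data only)."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(b"\0" * nbytes)


def build_sample_tree() -> str:
    """Constructed directory tree standing in for a real disk."""
    root = tempfile.mkdtemp(prefix="duscan_")
    add_sample_file(root, "a/big.bin", 3 * 1024)
    add_sample_file(root, "a/b/bigger.bin", 10 * 1024)
    add_sample_file(root, "c/small.bin", 1 * 1024)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, size in largest_dirs(dir_sizes(target), 10):
        print(f"{size / 1024:10.1f} KiB  {path}")
```

`biggest_changes()` is the part that answers the question's symptom: a directory that grows by gigabytes in one snapshot and shrinks back in the next stands out even when its absolute size is unremarkable, and that is the directory to save a copy of and identify before rebuilding. Remember that this only sees files the scanning user can read; run it elevated to cover system directories.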
-2

I know this is old, but since there is no definitive answer and it's probably still happening to others I might as well give my opinion that I think it's from an incompatible installer. I tried installing a couple of programs that work on Windows 7 64-bit, but the installers don't work, and after a few attempts I had a few of these items in my Registry under HKCU. One had a long set of Chinese-like characters and three had just one letter/word, which is how many times I tried installing it. I deleted them and they did not come back. I think I was trying to install an old program called FileSync and another one called UltraEdit that I paid for a long time ago but don't want to pay $95.00 for the upgrade now. They both work with limited features without the installation program, but I had to edit the registry to get UltraEdit's right click to work, which I think is how I found them by chance.