Possible malware modification of Windows registry entry

2

I found a strange entry in Windows registry on two of my PCs, and posted it as a question on Stack Overflow, here: https://stackoverflow.com/questions/27716746/hklm-system-currentcontrolset-control-timezoneinformation-timezonekeyname-corrup

One of the top gurus there, a guy I highly respect, says it's probably the result of malware.

I know very, very little about malware, and would appreciate it if someone takes a look at my question at Stack Overflow and tells me what I should do.

So far I've run a full scan with Microsoft Security Essentials. On one PC it says "no threats were detected", on the other PC it's still running - 8 hours so far and only about 50% done. :-(

EDIT - beginning to think that this is "normal"

After running several of the suggested malware detection programs (one of which was so cryptic and ruthless that it scared me), and doing a lot more Googling, I'm beginning to suspect that my "corrupt" registry entry is actually normal. I've found two indications that the TimeZoneKeyName entry in the registry is supposed to be 256 bytes, or 128 WCHAR REG_SZ, as it's called here: https://support.microsoft.com/kb/KbView/2001086

See also figure 7.13 in this book extract: https://books.google.dk/books?id=V9tgQI1QQyQC&pg=PA340&lpg=PA340&dq=regedit+timezonekeyname&source=bl&ots=jisKBTTO_s&sig=1uzMOn1RSpvkaNoun_-Q85h4zBE&hl=en&sa=X&ei=ghGlVKCsEuLNygOv1YKICw&redir_esc=y#v=onepage&q=regedit%20timezonekeyname&f=false

Just to confirm, I'd appreciate it if one or two people here would do me the favor of firing up regedit.exe, and navigating to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation, and right-clicking on TimeZoneKeyName, and selecting "Modify Binary Data...", and tell me how many bytes you see. I'm seeing hex 100, i.e., 256, on the three Windows 7 computers I have, and I'm beginning to think this is the way it's supposed to be.

Thanks in advance.

RenniePet

Posted 2014-12-31T19:42:22.447

Reputation: 163

The value is also 256 bytes long on my machine (Vista SP2 x86) so you may be right that this is normal. Carelessness on Microsoft's part, I'd guess. – Harry Johnston – 2015-01-02T00:45:20.673

@HarryJohnston: Thank you. Please post something as an answer and I'll accept it. – RenniePet – 2015-01-02T08:02:13.953

Answers

1

As you suggested, it seems that this value is always malformed. If you remove the extra data, and then change the timezone, the extra data reappears. So it appears to be Windows itself that is doing this, not third-party software (malicious or otherwise).

I don't think it is likely to have been intentional; it is more likely to have been due to carelessness on Microsoft's part. (However, it might be being intentionally left as-is due to compatibility constraints.)

Harry Johnston

Posted 2014-12-31T19:42:22.447

Reputation: 5 054
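As an added example, not code from the original question or from either answer: a PowerShell snippet that reads the value's raw bytes through RegQueryValueExW and splits them at the first NUL terminator, so the total length (256 bytes on the machines discussed above), the string Windows actually uses and whatever follows the terminator can be compared without regedit's binary editor. It assumes Windows PowerShell on a system with the key at the path given in the question.

```powershell
# Added example (not from the original post). Get-ItemProperty and regedit's
# string view stop at the first NUL, so the raw bytes are read via advapi32.
$sig = @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegOpenKeyExW(IntPtr hKey, string subKey, int options,
                                       int samDesired, out IntPtr phkResult);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryValueExW(IntPtr hKey, string valueName, IntPtr reserved,
                                          out int type, byte[] data, ref int cbData);
[DllImport("advapi32.dll")]
public static extern int RegCloseKey(IntPtr hKey);
'@
$reg = Add-Type -MemberDefinition $sig -Name Advapi32 -Namespace Native -PassThru

$HKLM     = [IntPtr](-2147483646)   # HKEY_LOCAL_MACHINE (0x80000002, sign-extended)
$KEY_READ = 0x20019
$subKey   = 'SYSTEM\CurrentControlSet\Control\TimeZoneInformation'
$name     = 'TimeZoneKeyName'

$hKey = [IntPtr]::Zero
if ($reg::RegOpenKeyExW($HKLM, $subKey, 0, $KEY_READ, [ref]$hKey) -ne 0) { throw "cannot open $subKey" }
try {
    $type = 0; $cb = 0
    # First call with no buffer only reports the byte count in $cb.
    [void]$reg::RegQueryValueExW($hKey, $name, [IntPtr]::Zero, [ref]$type, $null, [ref]$cb)
    $buf = New-Object byte[] $cb
    if ($reg::RegQueryValueExW($hKey, $name, [IntPtr]::Zero, [ref]$type, $buf, [ref]$cb) -ne 0) { throw "cannot read $name" }
} finally { [void]$reg::RegCloseKey($hKey) }

# Split the UTF-16 data at the first NUL: what precedes it is the time zone
# name Windows uses; what follows is the "extra data" the answer describes.
$text   = [Text.Encoding]::Unicode.GetString($buf, 0, $cb)
$nul    = $text.IndexOf([char]0)
$string = if ($nul -ge 0) { $text.Substring(0, $nul) } else { $text }
$start  = if ($nul -ge 0) { ($nul + 1) * 2 } else { $cb }
$tail   = if ($start -lt $cb) { $buf[$start..($cb - 1)] } else { @() }

"Type        : $type  (1 = REG_SZ)"
"Total bytes : $cb  (0x{0:X})" -f $cb
"String      : '$string'  ($($string.Length) WCHAR)"
"After NUL   : $($tail.Count) bytes, $(@($tail | Where-Object { $_ -ne 0 }).Count) non-zero"
if ($tail.Count -gt 0) { "Tail (hex)  : " + (($tail | ForEach-Object { $_.ToString('X2') }) -join ' ') }
```

Run it in a fresh session, since Add-Type cannot redefine Native.Advapi32 once it has been loaded; a non-zero tail that is simply the remains of a previously selected, longer time zone name matches the behaviour the accepted answer describes.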

1

You should try running a scan with Malwarebytes Antimalware. (Here - https://www.malwarebytes.org/mwb-download/) It's much better than Microsoft Security Essentials.

TheKB

Posted 2014-12-31T19:42:22.447

Reputation: 813

Thanks for the recommendation. It's certainly much, much faster than Microsoft Security Essentials! I've run it on one of the two PCs, and it did not find any malware. Other recommendations, and especially any opinions about my specific registry problem, are still very welcome. – RenniePet – 2014-12-31T20:23:05.937

Try using AdwCleaner as well: http://www.bleepingcomputer.com/download/adwcleaner/ It finds other ones. – Jeff Clayton – 2014-12-31T20:31:50.013

@JeffClayton: Thanks for the recommendation. AdwCleaner found two things it didn't like, Microsoft Bing Browser Helper Object and Microsoft Bing Bar. Still hoping for an opinion as to whether my modified registry entry is a sign of malware or not. – RenniePet – 2014-12-31T21:03:20.733

The Microsoft Bing stuff is probably not malware. I would assume it's for the Bing bar (in IE). You could get rid of it anyway. – TheKB – 2014-12-31T21:05:47.087

Very likely. The slash-zero is another way of saying 'end of string' -- in SQL Injection attacks on web database servers for example, they will issue a slash-zero and then a damaging command after it. The machine will think it is a real command after the other one has finished. If it is a real line of code in the Bing bar, as @TheKB mentioned, Microsoft should be ashamed... – Jeff Clayton – 2014-12-31T21:06:20.637

Try the advice found in this Super User Answer. It addresses a case where a trojan hides itself in malformed registry data. – I say Reinstate Monica – 2014-12-31T22:26:25.420

@Twisty: Man, that ComboFix program is really something! Scared the pants off of me. It was only after I'd run it and was trying to figure out what it had done that I became aware that ordinary people are not supposed to use it, only trained experts. But thanks anyway. I seem to have survived it. – RenniePet – 2015-01-01T09:54:20.987