Registry MRU list "encrypted" with ROT13

Discussion in 'MRU Blaster Forum' started by ebg13, Jul 6, 2003.

Thread Status:
Not open for further replies.
  ebg13, Registered Member (Joined: Jul 6, 2003; Posts: 1)

    I have MRU Blaster 1.5 from 6/1/03, and Windows ME.

    While examining my registry, I found some items that weren't deleted by MRU Blaster. Some of the items were "encrypted" with ROT13.

    First the plain ones: (in the registry, boldfaced items would be changed to real values of usernames, titles, URLs, etc.)
    • [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips1]
      @="TITLE|http://..."
      ...
      [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips2]
      ...
      etc. (mine went up to MostRecentClips8)

      ("TITLE" is replaced by the item's title,
      "http://..." is replaced by its URL; some of the items in the list are quite ancient)
    • [HKEY_USERS\.USERNAME\Software\Macromedia\Shockwave 8\movies\1]
      [HKEY_USERS\.USERNAME\Software\Macromedia\Shockwave 8\movies\1\url]
      @="http://www.somedomain.com/..."
    • [HKEY_USERS\.USERNAME\Software\Microsoft\Office\9.0\Common\Internet\FTP Sites\site_0]
      "Site Name"="ftp://ftp.somedomain.com/..."
    There were also two huge MRU lists "encrypted" with ROT13. They contained previously run programs, URLs of websites I accessed, etc.
    • [HKEY_USERS\.USERNAME\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
      ...
      "HRZR_EHACNGU:p:\\JVAQBJF\\fpnaertj.rkr"=hex:...
      ...

      There is a HUGE list of items like this in that key, this one is just a sample; note that if you put the quoted string through ROT13, it becomes

      "UEME_RUNPATH:C:\\WINDOWS\\scanregw.exe"
    • [HKEY_USERS\.USERNAME\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count]
      ...
      "HRZR_EHACVQY:%pfvqy6%\\Lnubb! Znvy.hey"=hex:...
      ...

      Again, there's a huge list, this one item is just a sample. Putting the item in quotes through ROT13 gives
      "UEME_RUNPIDL:%csidl6%\\Yahoo! Mail.url"

      Google searches for HRZR, UEME, ROT13, etc., came up with some sites with information about this:

      site 1 (German): http://www.supernature-forum.de/vbb/showthread.php?s=&threadid=5763

      site 2: http://www.utdallas.edu/~jeremy.bryan.smith/articles/explorer_spy.html
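
Added example (not part of ebg13's post and not MRU Blaster code): a small Python script that walks a `.reg` export, picks out values under `UserAssist\{GUID}\Count` keys and ROT13-decodes their names, for reviewing what such a key records. The export fragment is constructed from the two samples in the post, with the key paths written in plain GUID form and placeholder bytes where the post elides the hex data; the function names are this example's own.

```python
import codecs
import re

# Constructed .reg fragment: value names are the two samples quoted in the post;
# the hex data is placeholder bytes (the post elides the real data).
SAMPLE_REG = r'''
[HKEY_USERS\.USERNAME\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_EHACNGU:p:\\JVAQBJF\\fpnaertj.rkr"=hex:00,00,00,00
[HKEY_USERS\.USERNAME\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count]
"HRZR_EHACVQY:%pfvqy6%\\Lnubb! Znvy.hey"=hex:00,00,00,00
[HKEY_USERS\.USERNAME\Software\Example\NotUserAssist]
"HRZR_vtaberq"=hex:00
'''

# Only values under ...\UserAssist\{GUID}\Count are treated as ROT13-encoded.
KEY_RE = re.compile(r'^\[(.*\\UserAssist\\\{[0-9A-Fa-f-]+\}\\Count)\]$')
# A quoted value name, allowing backslash-escaped characters inside it.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')


def unescape_reg(name):
    """Undo .reg escaping (\\\\ -> \\ and \\" -> ") inside a quoted value name."""
    return re.sub(r'\\(.)', r'\1', name)


def decode_userassist(reg_text):
    """Return (key, kind, target) for every value under a UserAssist Count key."""
    results = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            m = KEY_RE.match(line)
            current_key = m.group(1) if m else None
            continue
        m = VALUE_RE.match(line)
        if current_key is None or m is None:
            continue
        # ROT13 rotates A-Z/a-z only and preserves case; digits, '%', ':' and
        # '\' pass through, which is why the paths stay recognisable.
        clear = codecs.decode(unescape_reg(m.group(1)), 'rot_13')
        kind, _, target = clear.partition(':')
        results.append((current_key, kind, target))
    return results


if __name__ == '__main__':
    for key, kind, target in decode_userassist(SAMPLE_REG):
        print(f'{kind:14} {target}')
```
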
     