Registry MRU list "encrypted" with ROT13

Discussion in 'MRU Blaster Forum' started by ebg13, Jul 6, 2003.

Thread Status:
Not open for further replies.
  1. ebg13, Registered Member (Joined: Jul 6, 2003; Posts: 1)

    I have MRU Blaster 1.5 from 6/1/03, and Windows ME.

    While examining my registry, I found some items that weren't deleted by MRU Blaster. Some of the items were "encrypted" with ROT13.

    First the plain ones: (in the registry, boldfaced items would be changed to real values of usernames, titles, URLs, etc.)
    • [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips1]
      @="TITLE|http://..."
      ...
      [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\Software\RealNetworks\RealPlayer\6.0\Preferences\MostRecentClips2]
      ...
      etc. (mine went up to MostRecentClips8)

      ("TITLE" is replaced by the item's title,
      "http://..." is replaced by its URL; some of the items in the list are quite ancient)
    • [HKEY_USERS\.USERNAME\Software\Macromedia\Shockwave 8\movies\1]
      [HKEY_USERS\.USERNAME\Software\Macromedia\Shockwave 8\movies\1\url]
      @="http://www.somedomain.com/..."
    • [HKEY_USERS\.USERNAME\Software\Microsoft\Office\9.0\Common\Internet\FTP Sites\site_0]
      "Site Name"="ftp://ftp.somedomain.com/..."
    There were also two huge MRU lists "encrypted" with ROT13. They contained previously run programs, URLs of websites I accessed, etc.
    • [HKEY_USERS\.USERNAME\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
      ...
      "HRZR_EHACNGU:p:\\JVAQBJF\\fpnaertj.rkr"=hex:...
      ...

      There is a HUGE list of items like this in that key, this one is just a sample; note that if you put the quoted string through ROT13, it becomes

      "UEME_RUNPATH:C:\\WINDOWS\\scanregw.exe"
    • [HKEY_USERS\.USERNAME\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count]
      ...
      "HRZR_EHACVQY:%pfvqy6%\\Lnubb! Znvy.hey"=hex:...
      ...

      Again, there's a huge list, this one item is just a sample. Putting the item in quotes through ROT13 gives
      "UEME_RUNPIDL:%csidl6%\\Yahoo! Mail.url"

      Google searches for HRZR, UEME, ROT13, etc., came up with some sites with information about this:

      site 1 (German): http://www.supernature-forum.de/vbb/showthread.php?s=&threadid=5763

      site 2: http://www.utdallas.edu/~jeremy.bryan.smith/articles/explorer_spy.html
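
Added example, not part of the original post: a Python sketch that reads .reg-style export text, picks out values under `UserAssist\...\Count` keys, and ROT13-decodes their names the way the post does by hand. The sample text is constructed from the value names quoted above; the `{GUID}` key component and the `hex:00` data are placeholders, and the function names are illustrative.

```python
import codecs
import re

# Constructed sample built from the value names quoted in the post.
# {GUID} and hex:00 are placeholders, not real registry data.
SAMPLE_REG = r'''
[HKEY_USERS\.USERNAME\Software\Microsoft\Office\9.0\Common\Internet\FTP Sites\site_0]
"Site Name"="ftp://ftp.somedomain.com/..."

[HKEY_USERS\.USERNAME\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count]
"HRZR_EHACNGU:p:\\JVAQBJF\\fpnaertj.rkr"=hex:00
"HRZR_EHACVQY:%pfvqy6%\\Lnubb! Znvy.hey"=hex:00
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')   # quoted value name, escapes allowed


def decode_name(name):
    """ROT13 a UserAssist value name and split it into (tag, target)."""
    # ROT13 only rotates A-Z/a-z; digits, '%', '\\', ':' and '_' pass through.
    plain = codecs.decode(name, "rot_13")
    tag, sep, target = plain.partition(":")
    return (tag, target) if sep else (None, plain)


def userassist_entries(reg_text):
    """Yield (key, tag, target) for each value under a UserAssist Count key."""
    key, in_count = None, False
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            low = key.lower()
            in_count = "\\userassist\\" in low and low.endswith("\\count")
            continue
        m = VALUE_RE.match(line)
        if in_count and m:
            # .reg exports escape '\' and '"' with a backslash; undo that first.
            raw = re.sub(r'\\(.)', r'\1', m.group(1))
            yield (key,) + decode_name(raw)


if __name__ == "__main__":
    for key, tag, target in userassist_entries(SAMPLE_REG):
        print(f"{tag:14} {target}")
```

Values outside a `UserAssist\...\Count` key, such as the FTP `Site Name` entry in the sample, are skipped rather than decoded.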
     