Robbie Hatley
Some years ago, I found the following weird key in my registry.
It looked suspicious, so I snipped it out:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[HKEY_LOCAL_MACHINE\SOFTWARE\_IWLX^HVMIK2]
[HKEY_LOCAL_MACHINE\SOFTWARE\_IWLX^HVMIK2\{cwqbilq*c}f]
"Xiws"=">?=2"
"Kiu~"="{cwqbilq*c}f"
"Zcb"="q"
"ZcbLns"="Eu%T{efn74"
"Xgvt"=""
"XNU"="q"
"XNURYF"="`rqw1%&oatflq68&b|i~$jmi'iba){by"
"XNUNelf"="lcab"
"[ckcBix"="f"
"AetRBD"=""
"AETAYED"=""
"AetT~hcggr"=""
"AETJnyzccc"=""
"Nowb\\ken"=""
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Now, that looked to me like something that had been scrambled
with ROT13, so I ran it through a ROT13 utility, but I got:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ROT13 version:
[UXRL_YBPNY_ZNPUVAR\FBSGJNER\_VJYK^UIZVX2]
[UXRL_YBPNY_ZNPUVAR\FBSGJNER\_VJYK^UIZVX2\{pjdovyd*p}s]
"Kvjf"=">?=2"
"Xvh~"="{pjdovyd*p}s"
"Mpo"="d"
"MpoYaf"="Rh%G{rsa74"
"Ktig"=""
"KAH"="d"
"KAHELS"="`edj1%&bngsyd68&o|v~$wzv'von){ol"
"KAHArys"="ypno"
"[pxpOvk"="s"
"NrgEOQ"=""
"NRGNLRQ"=""
"NrgG~uptte"=""
"NRGWalmppp"=""
"Abjo\\xra"=""
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Still scrambled.
Anyone ever run into something like that? Some program that
is attempting to hide its settings from its own users?
I don't like that. Whenever I discover software doing
stuff like that, I uninstall it, delete it, and send a
nasty letter to its author. Except in this case, I was
never able to determine what software it was, or who wrote
it, or how it got on my computer. I'd like to know, though.
Anyone have a clue as to how to unscramble this registry
entry so it's human-readable? Not ROT-13, but perhaps
some other cipher. What other schemes are commonly used
to encode registry entries?
--
Curious,
Robbie Hatley
lonewolf at well dot com
www dot well dot com slant tilde lonewolf slant
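
An added example, not part of the original post: it tests the hypothesis that every string in the export was XORed with one keystream that restarts at offset 0 for each string, recovers that keystream from a single guessed plaintext, and checks the guess by decoding the other value names. The crib `services.exe` for the subkey name and all function names are assumptions of this example.

```python
# Added example. Hypothesis (an assumption): each string is XORed byte-by-byte
# with the same keystream, restarted at offset 0 for every name and data string.
import re

# Lines copied from the registry export quoted in the post.
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\_IWLX^HVMIK2\{cwqbilq*c}f]
"Xiws"=">?=2"
"Kiu~"="{cwqbilq*c}f"
"Zcb"="q"
"ZcbLns"="Eu%T{efn74"
"Xgvt"=""
"XNU"="q"
"XNURYF"="`rqw1%&oatflq68&b|i~$jmi'iba){by"
"XNUNelf"="lcab"
"[ckcBix"="f"
"AetRBD"=""
"AETAYED"=""
"AetT~hcggr"=""
"AETJnyzccc"=""
"Nowb\\ken"=""
'''

CRIB_CIPHER = "{cwqbilq*c}f"   # subkey name, also the data of value "Kiu~"
CRIB_PLAIN = "services.exe"    # guessed plaintext (assumption, checked below)
PAIR = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', re.M)

def derive_keystream(cipher: str, plain: str) -> bytes:
    """Known-plaintext recovery: key[i] = cipher[i] XOR plain[i]."""
    if len(cipher) != len(plain):
        raise ValueError("crib must be as long as the ciphertext")
    return bytes(ord(c) ^ ord(p) for c, p in zip(cipher, plain))

def decode(text: str, key: bytes) -> str:
    """XOR each char with the key byte at its offset; '?' past the known key."""
    return "".join(chr(ord(ch) ^ key[i]) if i < len(key) else "?"
                   for i, ch in enumerate(text))

def decode_export(export: str, key: bytes) -> dict:
    """Decode every "name"="data" line of a .reg export."""
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # .reg writes \ as \\
    return {decode(unescape(n), key): decode(unescape(d), key)
            for n, d in PAIR.findall(export)}

KEY = derive_keystream(CRIB_CIPHER, CRIB_PLAIN)
DECODED = decode_export(REG_EXPORT, KEY)

if __name__ == "__main__":
    print("keystream:", KEY.hex(" "))
    for name, data in DECODED.items():
        print(f"{name!r:14} = {data!r}")
```

With this crib the value names decode to readable words such as `Port`, `RegKey` and `FireWall`, which is what supports the guess. Data longer than the 12-byte crib decodes only for its first 12 characters.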