Computer snooping using InstallRite

By Floydman, Bachelor in Computer Sciences
Floydian_99@yahoo.com
Floydman@hacker.am
September 19th, 2000

You can distribute this document freely, as long as no changes are made to the file and as long as nobody else claims credit for it. All comments and suggestions about the material presented here should be directed to floydian_99@yahoo.com. If future versions of this document include add-ons coming from people other than me, the various authors will be clearly credited. All version updates of this document are to be released by me. You can find this paper and more online at http://www.geocities.com/floydian_99/

Abstract

The goal of this paper is to present a way for someone interested in computer usage tracking to do so using InstallWatch. The reasons or the ethics behind computer usage tracking are beyond the scope of this document. Other ways to achieve the same (or probably better) results already exist, so this is just one more way to do it.

Preface

While doing my research this summer, I found a nice program that I immediately fell in love with. Better yet, it had a twin sister even more attractive. These programs are InstallWatch and InstallRite, available at www.epsilonsquared.com. In my paper "A poor man Tripwire-like system on Windows 9x/NT", I described how to use InstallWatch/InstallRite (referred to as InstallRite from here on) to build a setup similar to a basic Tripwire system (www.tripwire.com). This paper presents another way to use this software.

Targeted audience

This document is presented to anyone interested in computer security, privacy issues, computer monitoring, snooping techniques and computing in general.

Table of contents

1. A little bit about InstallRite
2. A different goal in mind
3. The experiment
4. Conclusion
Appendix A. The BOFH Way

1. A little bit about InstallRite

InstallRite can be found free of charge at the Epsilon Squared web site (www.epsilonsquared.com). This is one utility that every network administrator or desktop-support person should have. Here's how it works. First, it creates a database of your current system: directory structure, complete file list, file properties and CRC checksums, with special attention to modifications of INI files, plus a complete registry scan. This is the base system database. Then let's say you install some piece of software. After the installation is done, you do the second step, "Analyze", which scans your whole system once again, checking for every single change (addition, modification or deletion of files or registry entries) against the database previously created. The result is the "installation trace" of the software you just installed. An interesting feature is that InstallRite lets you create an installation package, extracting all the files and registry entries involved in the software installation and creating a self-extracting install file.

2. A different goal in mind

When I had my idea about the poor man's Tripwire, I was pretty sure it would work right the first time, since the concept is fairly simple after all. But I knew that I couldn't write about such a setup without building one first, or else the project wouldn't have been serious. And as with many experiments, I encountered some unexpected results. It worked all right, maybe a little too well. It did the job, but the sole fact of Windows running showed that it can leave quite a trace when submitted to this kind of observation. In fact, I was quite surprised, because it revealed information that could be used to identify me. So I thought: what if someone had something else in mind instead of software installs?

3. The experiment

So I decided to make the experiment.
I recommend that you do so too; it proves to be quite a learning tool on the inner workings of the Windows system. InstallRite lets you sort the data by "Time after changes" where applicable (files). So the experiment is quite simple: it consists of installing InstallRite on someone's computer in a location where the victim is not likely to find it, configuring it so that it stays quiet (no launch at startup, no auto-detection of setup processes), and then doing a system scan. Then wait. Let's say we want to track for a period of 24 hours (well, it turned out to be 48 in this case, because I spent a whole day away from my computer). Then, the day after, you activate InstallRite and run the Analyze step. Where applicable, the data can be sorted by the "after" time, and you get a pretty good idea of what the user (victim) has been doing on his machine: documents he worked on, programs he used, shortcuts he double-clicked, web sites he visited, all sorted by the time it happened, and much, much more.

Not having a real job right now means I don't have a network to try these things on. It also means that I have a shortage of victims (users :-). So I assumed both roles, the snooper and the victim, pretending that I was not aware that InstallRite was watching me. Here are the results, using ## characters as a field delimiter, just in case this looks all weird in your text viewer. If you don't feel like going through all these log entries, go to the end of the file for a deeper analysis. This data has been sanitized.
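Before the raw results, here is an added example (not code from the paper, nor from Epsilon Squared's InstallRite) of the baseline/analyze mechanism that section 1 describes: scan a tree into a database of size, modification time and CRC-32 per file, scan again later, and report added, modified and deleted files sorted by the time of the change, in the same ##-delimited layout as the output below. The function names (`snapshot`, `analyze`, `report`), the temporary directory and the sample file contents are assumptions of this example; InstallRite's attribute, INI and registry tracking are not reproduced.

```python
"""Baseline/analyze file-change tracker in the spirit of InstallRite (added example).

Builds a baseline database of a directory tree (size, mtime, CRC-32 per file),
re-scans later, and reports Added / Modified / Deleted files sorted by the time
of the change, in the paper's '##'-delimited layout. File attributes, INI
sections and the registry, which InstallRite also covers, are out of scope.
"""
import json
import os
import tempfile
import time
import zlib


def crc32_of(path):
    """CRC-32 of a file's contents, read in chunks so large files are fine."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def snapshot(root):
    """Baseline database: {relative posix path: (size, mtime, crc)} for every file under root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = (st.st_size, st.st_mtime, crc32_of(full))
    return db


def save_snapshot(db, path):
    """Persist the baseline so the analyze step can run much later (a day, in the paper)."""
    with open(path, "w") as fh:
        json.dump(db, fh)


def load_snapshot(path):
    with open(path) as fh:
        return {k: tuple(v) for k, v in json.load(fh).items()}


def analyze(before, after):
    """Diff two snapshots; each list is sorted by the timestamp of the change."""
    added = sorted(((p, after[p]) for p in after if p not in before), key=lambda r: r[1][1])
    deleted = sorted(((p, before[p]) for p in before if p not in after), key=lambda r: r[1][1])
    modified = sorted(((p, before[p], after[p]) for p in after
                       if p in before and before[p] != after[p]), key=lambda r: r[2][1])
    return added, modified, deleted


def fmt_time(ts):
    """Same date style as the InstallRite export, e.g. 09/16/00 02:29:51 PM."""
    return time.strftime("%m/%d/%y %I:%M:%S %p", time.localtime(ts))


def report(added, modified, deleted):
    """Render the diff in the paper's '##'-delimited layout."""
    lines = ["Added files", "File name##Size After##Date after##CRC after"]
    lines += [f"{p}##{s}##{fmt_time(t)}##{c:08x}" for p, (s, t, c) in added]
    lines += ["Modified files",
              "File name##Size Before##Size After##Date before##Date after##CRC before##CRC after"]
    lines += [f"{p}##{s0}##{s1}##{fmt_time(t0)}##{fmt_time(t1)}##{c0:08x}##{c1:08x}"
              for p, (s0, t0, c0), (s1, t1, c1) in modified]
    lines += ["Deleted files", "File name##Size Before##Date before##CRC before"]
    lines += [f"{p}##{s}##{fmt_time(t)}##{c:08x}" for p, (s, t, c) in deleted]
    return "\n".join(lines)


def demo():
    """Constructed scenario in a temp dir: baseline, then add / edit / delete one file each."""
    work = tempfile.mkdtemp()
    tree = os.path.join(work, "tree")          # the "system" being scanned
    db_file = os.path.join(work, "baseline.json")  # kept outside the scanned tree

    def put(rel, data):
        full = os.path.join(tree, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    # Scan time: constructed sample files standing in for profile artifacts.
    put("Profiles/Administrator/Recent/report.doc.lnk", b"lnk-v1")
    put("Profiles/Administrator/Cookies/index.dat", b"cookies-v1")
    put("Temporary Internet Files/old_page.html", b"<html>old</html>")
    save_snapshot(snapshot(tree), db_file)

    # Then wait: the user works for a while.
    put("Profiles/Administrator/Cookies/index.dat", b"cookies-v2-longer")    # modified
    put("Temporary Internet Files/new_page.html", b"<html>new</html>")       # added
    os.remove(os.path.join(tree, "Temporary Internet Files/old_page.html"))  # deleted

    # Analyze: compare a fresh scan against the stored baseline.
    return analyze(load_snapshot(db_file), snapshot(tree))


if __name__ == "__main__":
    print(report(*demo()))
```

A file is flagged as modified when any of size, mtime or CRC differs, so a rewrite with identical content but a fresh timestamp still shows up, which is the same behaviour visible in the "Modified files" list below, where several entries carry the same CRC before and after.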
Added files
File name##Size Before##Size After##Attrib before##Attrib after##Date before##Date after##Version before##Version after##CRC before##CRC after
D:\WINNT\Profiles\Administrator\Recent\boot.ini.lnk##1KB##A##9/15/00 11:10:10 PM####f66c2a9f
D:\WINNT\Profiles\Administrator\Recent\AdvNotify documentation.htm.lnk##1KB##A##9/16/00 1:07:42 AM####5cdd862e
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\f_Accueil[1].html##1KB##A##9/16/00 1:21:41 AM####d33af3fa
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\f_Accueil_texte[1].html##1KB##A##9/16/00 1:21:42 AM####12bee831
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5CPKAH6O\M_6_BA_Olympics_468G_Fr[1].gif##16KB##A##9/16/00 1:21:46 AM####9050eb10
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\other;cat=enterprise;ord=736792297648347100[1].html##2KB##A##9/16/00 1:22:02 AM####6861bfd0
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\;sz=1x1;abr=!webtv;site=informit;ord=5851462586903687[1]##1KB##A##9/16/00 1:22:06 AM####b8c0242e
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\informit[1].html##72KB##A##9/16/00 1:22:10 AM####99fb1e
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\Accounts[1].html##23KB##A##9/16/00 1:22:19 AM####65cf282b
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\other;cat=enterprise;ord=427330269033187100[1].html##2KB##A##9/16/00 1:22:20 AM####64d2c58f
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5CPKAH6O\07987068884[1].html##28KB##A##9/16/00 1:22:28 AM####fe2d1b0e
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\;cat=developer;cat=web_developer;ord=966674423919037700[1].html##2KB##A##9/16/00 1:22:29 AM####cb9db556
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\;sz=1x1;abr=!webtv;site=informit;ord=07753204673714888[1]##1KB##A##9/16/00 1:22:31 AM####f4332d1b
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\;cat=developer;cat=web_developer;ord=572203314287611260[1].html##2KB##A##9/16/00 1:22:39 AM####bc6c359b
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\;sz=1x1;abr=!webtv;site=informit;ord=6648850554683242[1]##1KB##A##9/16/00 1:22:42 AM####9921ba9f
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\element_004[1].html##278KB##A##9/16/00 1:23:30 AM####f5cd0a20
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5CPKAH6O\element_004_code_19[1].html##1KB##A##9/16/00 1:36:56 AM####39b28baf
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\bofh8[1].html##5KB##A##9/16/00 1:52:44 AM####f098b7ae
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\bofh9[1].html##5KB##A##9/16/00 1:53:14 AM####e3a0c2ba
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5CPKAH6O\bofh10[1].html##6KB##A##9/16/00 1:53:53 AM####b3a3f7b9
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\bofh11[1].html##5KB##A##9/16/00 2:00:14 AM####fe220b1c
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\bofh12[1].html##6KB##A##9/16/00 2:04:56 AM####949751a1
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\bofh13[1].html##6KB##A##9/16/00 2:10:17 AM####bca88d69
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5CPKAH6O\bsmh1[1].html##5KB##A##9/16/00 2:15:37 AM####608f406a
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\bsmh2[1].html##4KB##A##9/16/00 2:19:06 AM####559f60a4
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\bofh14[1].html##7KB##A##9/16/00 2:21:26 AM####85fbe4c2
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\bofh15[1].html##10KB##A##9/16/00 2:27:54 AM####911866f5
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5CPKAH6O\index[1].html##16KB##A##9/16/00 2:38:36 AM####6c8522e
D:\WINNT\Profiles\Administrator\Desktop\perl digest.txt##67KB##A##9/16/00 12:33:08 PM####3be44fcf
D:\Program Files\Qualcomm\Eudora\EudPriv\Ads\AdCache\65f52850.png##1KB##A##9/16/00 1:42:27 PM####52daa48c
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\510[1].png##1KB##A##9/16/00 1:42:27 PM####52daa48c
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\grandstitres[1].html##23KB##A##9/16/00 2:26:51 PM####b7227efa
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\000916gagliano-reunion-lib[1].jpeg##3KB##A##9/16/00 2:26:53 PM####b48bcbe7
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\000916dufresne-j-v-2[1].jpeg##6KB##A##9/16/00 2:26:54 PM####f02ff597
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\000914urgence-reunion-pres[1].jpeg##6KB##A##9/16/00 2:26:57 PM####6cddd42c
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\samaranch2[1].jpeg##14KB##A##9/16/00 2:26:59 PM####2628f982
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5CPKAH6O\mail.yahoo[1].html##6KB##A##9/16/00 2:27:30 PM####56adba5b
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\login[7]##1KB##A##9/16/00 2:27:57 PM####c36de0d9
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\Navbar[6]##9KB##A##9/16/00 2:27:58 PM####bdeba558
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\login[8]##6KB##A##9/16/00 2:28:00 PM####b4baad39
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\login[1].html##22KB##A##9/16/00 2:28:00 PM####d1c78c83
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\travel[1].gif##2KB##A##9/16/00 2:28:02 PM####e27a502d
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5CPKAH6O\exit[1].html##4KB##A##9/16/00 2:28:37 PM####e3babc87
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\login[2].html##7KB##A##9/16/00 2:28:42 PM####ad882e8
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\mail[1].html##9KB##A##9/16/00 2:29:20 PM####26a719bf
D:\WINNT\Profiles\Administrator\Cookies\floydman@yahoo[1].txt##1KB##A##9/16/00 2:29:51 PM####9a65ac81
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\login[8]##1KB##A##9/16/00 2:29:55 PM####2acac756
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\Navbar[7]##9KB##A##9/16/00 2:29:58 PM####8db45e6d
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\login[9]##22KB##A##9/16/00 2:30:01 PM####b1fc7b95
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\alloy[1].gif##1KB##A##9/16/00 2:30:02 PM####b1c40de3
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\ShowFolder[6]##24KB##A##9/16/00 2:30:53 PM####db0ba58a
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5CPKAH6O\HF468x60[1].gif##4KB##A##9/16/00 2:31:22 PM####b7b7b5b7
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5CPKAH6O\ShowFolder[9]##24KB##A##9/16/00 2:31:22 PM####83ab212d
D:\WINNT\Profiles\Administrator\History\History.IE5\MSHist012000091620000917\index.dat##33KB##A##9/16/00 2:52:02 PM####fbe56152
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\www2.sympatico[1].html##29KB##A##9/16/00 2:52:10 PM####620e0fda
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\query[1].html##22KB##A##9/16/00 2:52:47 PM####b1b79f3f
D:\Dev\Perl\Work\Log Agent\newlog.pl##2KB##A##9/16/00 3:44:12 PM####9fe7f1c3
D:\WINNT\Profiles\Administrator\Recent\perl digest.txt.lnk##1KB##A##9/16/00 3:45:21 PM####a369a80e
D:\Program Files\Qualcomm\Eudora\EudPriv\Ads\38625991.mfs##6KB##A##9/16/00 3:50:24 PM####986faeff
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\484[1].png##6KB##A##9/16/00 3:50:24 PM####d887d3fa
D:\Program Files\Qualcomm\Eudora\EudPriv\Ads\AdCache\65d032e8.png##6KB##A##9/16/00 3:50:24 PM####d887d3fa
D:\WINNT\Profiles\Administrator\Recent\Microsoft Office 97, Professional Edition - Deleted Registry.txt.lnk##1KB##A##9/16/00 4:09:45 PM####d8c9b310
D:\WINNT\Profiles\Administrator\Recent\Microsoft Office 97, Professional Edition - Modified Registry.txt.lnk##1KB##A##9/16/00 4:10:50 PM####e71b5111
D:\WINNT\Profiles\Administrator\History\History.IE5\MSHist012000091620000917##1KB##D######
-------------------------------------------------------------------------------------------
Modified files
File name##Size Before##Size After##Attrib before##Attrib after##Date before##Date after##Version before##Version after##CRC before##CRC after
D:\WINNT\Profiles\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT##17KB##17KB##A##A##9/5/00 11:07:32 PM##9/5/00 11:07:32 PM######7c6e0##a378abad
D:\Program Files\XNews\Floydman.newsrc.bak##741KB##740KB##A##A##9/12/00 9:06:09 PM##9/13/00 6:34:59 PM######c79fca95##954b2ed
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\453876-br-logo100x60[1].gif##5KB##5KB##A##A##9/15/00 3:50:01 PM##9/16/00 1:22:32 AM######54192513##54192513
D:\Dev\Test\test1.log##1KB##1KB##A##A##9/12/00 9:43:04 PM##9/16/00 1:50:37 AM######49a8b4e5##a6163ce6
D:\Program Files\Qualcomm\Eudora\EudPriv\Ads\37724605.mfs##9KB##9KB##A##A##9/15/00 2:38:49 PM##9/16/00 2:39:19 AM######f4bd8d7f##e14cdde9
D:\Program Files\Qualcomm\Eudora\EudPriv\Ads\36753968.mfs##4KB##4KB##A##A##9/15/00 2:18:55 PM##9/16/00 2:39:19 AM######2f560aeb##f2e997fa
D:\Program Files\Qualcomm\Eudora\Out.toc##2KB##2KB##A##A##9/15/00 2:39:16 PM##9/16/00 2:39:21 AM######3c5e4a3c##81a1bfcd
D:\WINNT\Internet Logs\ZALog.txt##6KB##6KB##A##A##9/15/00 9:14:19 PM##9/16/00 1:42:19 PM######cdd1ab4d##c7c59359
D:\Program Files\XNews\folders\Sent.hdr##1KB##1KB##A##A##9/13/00 5:38:32 PM##9/16/00 1:59:13 PM######308df113##7c41e8af
D:\Program Files\XNews\folders\Sent.mbx##2KB##4KB##A##A##9/13/00 5:38:32 PM##9/16/00 1:59:13 PM######4984fb8d##565906db
D:\Program Files\XNews\Floydman.newsrc##740KB##743KB##A##A##9/13/00 6:34:59 PM##9/16/00 2:25:41 PM######954b2ed##b1eb77ad
D:\Program Files\XNews\Xnews.ini##2KB##2KB##A##A##9/13/00 6:34:59 PM##9/16/00 2:25:41 PM######eaffaa3##50533291
D:\Program Files\Security\Genius3\to do list.dat##2KB##3KB##A##A##9/15/00 7:34:10 PM##9/16/00 2:44:22 PM######6f1c2a56##f3b50627
D:\Program Files\Security\Genius3\genius3.ini##5KB##5KB##A##A##9/15/00 10:41:12 PM##9/16/00 2:44:22 PM######44b8ab9a##44b8ab9a
D:\Program Files\Security\Cookie Crusher\Start.dat##1KB##1KB##A##A##9/15/00 8:44:12 PM##9/16/00 2:52:07 PM######4f4bbee5##4f4bbee5
D:\WINNT\Profiles\Administrator\Desktop\Command Prompt.lnk##2KB##2KB##A##A##9/5/00 10:50:05 AM##9/16/00 3:00:12 PM######d8671bcc##4f579b24
D:\WINNT\Profiles\Administrator\Recent\index.html.lnk##1KB##1KB##A##A##9/15/00 2:54:07 PM##9/16/00 3:08:07 PM######26fc5d5##d0edf178
D:\WINNT\Profiles\Administrator\Recent\test1.log.lnk##1KB##1KB##A##A##9/15/00 3:07:05 PM##9/16/00 3:32:51 PM######dbe50bf5##474425a8
D:\WINNT\Profiles\Administrator\Recent\test2.log.lnk##1KB##1KB##A##A##9/15/00 3:33:16 PM##9/16/00 3:38:03 PM######4a4325b2##a3785a1d
D:\Test\test2.log##1KB##1KB##A##A##9/12/00 9:41:49 PM##9/16/00 3:43:19 PM######ea289125##dddf9936
D:\WINNT\amcdl\cache\index.chc##1KB##1KB##A##A##9/15/00 10:31:29 PM##9/16/00 3:44:47 PM######82f5b60a##82f5b60a
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\index.dat##885KB##902KB##A##A##9/15/00 9:13:57 PM##9/16/00 3:49:10 PM######4a230618##77a5d6b
D:\WINNT\Profiles\Administrator\Cookies\index.dat##33KB##33KB##A##A##9/15/00 9:13:57 PM##9/16/00 3:49:10 PM######196969ff##43a1670
D:\WINNT\Profiles\Administrator\History\History.IE5\index.dat##246KB##246KB##A##A##9/15/00 9:14:32 PM##9/16/00 3:49:10 PM######10b54720##6ff32eb
D:\Program Files\Qualcomm\Eudora\LinkHistory.dat##3KB##3KB##A##A##9/15/00 3:56:57 PM##9/16/00 3:49:31 PM######376ea315##7b5470ce
D:\Program Files\Qualcomm\Eudora\Old.toc##12KB##16KB##A##A##9/15/00 3:56:49 PM##9/16/00 3:50:02 PM######88b00ca4##2fe3c61c
D:\Program Files\Qualcomm\Eudora\Old.mbx##244KB##300KB##A##A##9/15/00 3:56:49 PM##9/16/00 3:50:02 PM######a87fcd3b##3a95c7e9
D:\WINNT\system32\ras\rasphone.pbk##1KB##1KB##A##A##9/15/00 7:49:49 PM##9/16/00 3:50:16 PM######2535be1d##2535be1d
D:\Program Files\Qualcomm\Eudora\updateurl.htm##2KB##2KB##A##A##9/15/00 3:56:45 PM##9/16/00 3:50:20 PM######aa190db6##aa190db6
D:\Program Files\Qualcomm\Eudora\EudPriv\Ads\35994433.mfs##23KB##23KB##A##A##9/15/00 3:56:44 PM##9/16/00 3:50:24 PM######d2c5f012##e0f01994
D:\Program Files\Qualcomm\Eudora\spool\lmos.dat##6KB##3KB##A##A##9/15/00 3:57:00 PM##9/16/00 3:50:53 PM######83d34c70##7b43a806
D:\Program Files\Qualcomm\Eudora\descmap.pce##1KB##1KB##A##A##9/15/00 3:57:01 PM##9/16/00 3:50:54 PM######d99ea161##d99ea161
D:\Program Files\Qualcomm\Eudora\In.mbx##27KB##117KB##A##A##9/15/00 3:57:24 PM##9/16/00 3:50:54 PM######e2f0b8bb##42041d7b
D:\Program Files\Qualcomm\Eudora\In.toc##2KB##2KB##A##A##9/15/00 3:57:24 PM##9/16/00 3:50:55 PM######4c0f5326##8ed1e1c3
D:\Program Files\Qualcomm\Eudora\History.lst##1KB##1KB##A##A##9/15/00 3:57:25 PM##9/16/00 3:51:17 PM######e3eb0d68##e3eb0d68
D:\Program Files\Qualcomm\Eudora\EudPriv\Ads\Eudora.idx##2KB##2KB##A##A##9/15/00 3:57:25 PM##9/16/00 3:51:17 PM######21e276b7##13d75bad
D:\Program Files\Qualcomm\Eudora\EudPriv\Ads\CInfo.dat##2KB##2KB##A##A##9/15/00 3:57:25 PM##9/16/00 3:51:17 PM######5b3fb6ff##894a4c55
D:\Program Files\Qualcomm\Eudora\DsQuery.lst##1KB##1KB##A##A##9/15/00 3:57:25 PM##9/16/00 3:51:17 PM########
D:\Program Files\Qualcomm\Eudora\Audit.log##5KB##5KB##A##A##9/15/00 3:57:25 PM##9/16/00 3:51:17 PM######d183fd5f##bd87731a
D:\Program Files\Qualcomm\Eudora\eudora.ini##13KB##13KB##A##A##9/15/00 3:57:26 PM##9/16/00 3:51:18 PM######b856dbc2##9fcad4c4
D:\Program Files\Multi Medias\Winamp\winamp.m3u##1KB##1KB##A##A##9/14/00 6:58:53 AM##9/16/00 4:16:24 PM######6ff5c11d##279ec30
D:\WINNT\winamp.ini##1KB##1KB##A##A##9/14/00 6:58:53 AM##9/16/00 4:16:25 PM######6fd1e793##7404df6a
D:\RECYCLER\S-1-5-21-1114705054-1084767886-68360779-500\desktop.ini##1KB##1KB##H##H##9/15/00 1:11:00 PM##9/16/00 4:36:58 PM######74221298##74221298
D:\WINNT\system32\config\SysEvent.Evt##66KB##66KB##A##A##9/15/00 10:41:31 PM##9/16/00 5:14:51 PM######5165112f##936fe9d5
D:\WINNT\system32\config\SecEvent.Evt##66KB##66KB##A##A##9/15/00 10:41:31 PM##9/16/00 5:14:51 PM######82cc72b8##f41e7688
D:\WINNT\SchedLog.Txt##4KB##5KB##A##A##9/15/00 10:41:31 PM##9/16/00 5:14:51 PM######9540585b##60ea0f93
D:\WINNT\Tasks\SA.DAT##1KB##1KB##HA##HA##9/15/00 10:42:51 PM##9/17/00 10:26:17 PM######22aa10aa##22aa10aa
D:\WINNT\system32\config\SYSTEM.ALT##1,496KB##1,496KB##A##A##9/15/00 10:43:36 PM##9/17/00 10:26:42 PM########
D:\Program Files\Utils\GetRight\GetRight.ini##1KB##1KB##A##A##9/15/00 10:43:48 PM##9/17/00 10:26:43 PM########
D:\Program Files\Security\Genius3\port guardian log.txt##16KB##19KB##A##A##9/15/00 10:46:24 PM##9/17/00 10:27:03 PM######b48d6fd5##9775971e
D:\Program Files\Multi Medias\Winamp\Winamp.ini##2KB##2KB##A##A##9/15/00 7:20:09 PM##9/17/00 10:27:10 PM######ed4a49fa##4f5fd6ca
-------------------------------------------------------------------------------------------
Deleted files
File name##Size Before##Size After##Attrib before##Attrib after##Date before##Date after##Version before##Version after##CRC before##CRC after
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\mail[1].htm##9KB##A##9/12/00 12:36:53 PM####7b253cec
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\query[1].htm##22KB##A##9/12/00 9:52:04 PM####b1b79f3f
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\element_004[1].htm##278KB##A##9/13/00 12:51:53 AM####f5cd0a20
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\grandstitres[1].htm##23KB##A##9/14/00 12:44:45 AM####1e9bdd9a
D:\WINNT\Profiles\Administrator\Recent\moon08.bmp.lnk##1KB##A##9/14/00 5:36:02 AM####7a88c13e
D:\WINNT\Profiles\Administrator\Recent\moon08.jpg.lnk##1KB##A##9/14/00 5:37:48 AM####580f5c45
D:\WINNT\Profiles\Administrator\Recent\027.wav.lnk##1KB##A##9/14/00 6:11:38 AM####2d896d27
D:\WINNT\Profiles\Administrator\Recent\CD Prog.m3u.lnk##1KB##A##9/14/00 6:13:25 AM####19151a5c
D:\WINNT\Profiles\Administrator\Recent\my_page.html.lnk##1KB##A##9/14/00 6:22:30 AM####ba0989f4
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\mail.yahoo[1].htm##6KB##A##9/15/00 2:27:09 PM####2d3503dd
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\exit[2].htm##5KB##A##9/15/00 2:31:01 PM####35feed4a
D:\WINNT\Profiles\Administrator\Cookies\floydman@yahoo[2].txt##1KB##A##9/15/00 2:31:04 PM####a4368dc1
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\login[1].htm##7KB##A##9/15/00 2:31:05 PM####ad882e8
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\informit[2].htm##74KB##A##9/15/00 3:49:57 PM####99fb1e
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\Accounts[1].htm##28KB##A##9/15/00 3:50:15 PM####65cf282b
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\0789708884[1].htm##28KB##A##9/15/00 3:50:22 PM####fe2d1b0e
D:\WINNT\Profiles\All Users\Desktop\Setup for Microsoft Internet Explorer 3.01.lnk##1KB##A##9/15/00 7:46:43 PM####a0f65c17
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\www2.sympatico[1].html##29KB##A##9/15/00 7:50:14 PM####774bdc6e
-------------------------------------------------------------------------------------------
INI files
INI filename##Section##Item##Data before##Data after
D:\Program Files\Multi Medias\Winamp\Winamp.ini##Winamp##wx##749##716
D:\Program Files\Multi Medias\Winamp\Winamp.ini##Winamp##eq_wx##749##716
D:\Program Files\Multi Medias\Winamp\Winamp.ini##Winamp##pe_wx##749##716
D:\Program Files\Multi Medias\Winamp\Winamp.ini##Winamp##mb_wx##1014##981
D:\Program Files\Multi Medias\Winamp\Winamp.ini##Winamp##pilp##0##13
D:\Program Files\Multi Medias\Winamp\Winamp.ini##WinampAgent##lastchk##01C01F6B7D5D92A0##01C02117F2BB75F0
D:\Program Files\Qualcomm\Eudora\eudora.ini##Settings##NGBase1##969047799##969133767
D:\Program Files\Qualcomm\Eudora\eudora.ini##Settings##NGLast1##969047799##969133767
D:\Program Files\Qualcomm\Eudora\eudora.ini##Settings##AdToolbarDock##0##2
D:\Program Files\Qualcomm\Eudora\eudora.ini##ToolBar-Bar3##MRUDockRightPos##1025##992
D:\Program Files\Qualcomm\Eudora\eudora.ini##ToolBar-Bar3##MRUHorzDockCX##1024##991
D:\Program Files\Qualcomm\Eudora\eudora.ini##ToolBar-Bar5##Bars##3##4
D:\Program Files\Qualcomm\Eudora\eudora.ini##ToolBar-Bar5##Bar#2##0##59424
D:\Program Files\Qualcomm\Eudora\eudora.ini##ToolBar-Bar5##Bar#3####0
D:\Program Files\Qualcomm\Eudora\eudora.ini##ToolBar-Bar9##MRUWidth##33651##33885
D:\Program Files\Qualcomm\Eudora\eudora.ini##ToolBar-Bar9##PctWidth##1000000##500000
D:\Program Files\Qualcomm\Eudora\eudora.ini##Window Position##AdToolbarWindowPosition##0,0,0,0##933,39,991,82
D:\Program Files\XNews\Xnews.ini##Metrics##S:Floydman##0,3,-1,-1,-1,-1,0,0,890,272##2,3,-1,-1,-1,-1,0,0,890,272
D:\WINNT\winamp.ini##WinampReg##Stats##0000000A,0000C935,00001322,0000B0D0,00000007,00000FB5,00000000,##0000000C,0000F886,00003818,0000DFF1,00000007,0000347B,00000000,
-------------------------------------------------------------------------------------------
Added Registry entries
Key##Value##Data
HKEY_CURRENT_USER\Printers####
HKEY_CURRENT_USER\Printers\Connections####
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Track_Writer####
HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Shortcut Bar\Toolbars\Desktop##BitmapIds##hex:0a,00,0b,00,0c,00,0d,00,00,00,01,00,02,00,03,00,04,00,05,00,06,00,07,00,08,00,09,00,0e,00,
HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Shortcut Bar\Toolbars\Programs##BitmapIds##hex:00,00,01,00,02,00,03,00,04,00,05,00,06,00,07,00,08,00,09,00,0a,00,0b,00,0c,00,0d,00,0e,00,0f,00,10,00,11,00,12,00,13,00,
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\205.43.75.146####
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\205.47.73.146##Tag##dword:00000002
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\205.47.73.146##LastModified##dword:39c30365
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\205.47.73.146##Network##"NETWORK0"
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\203.164.29.74####
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\203.164.29.74##Tag##dword:00000003
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\203.164.29.74##LastModified##dword:39c3037d
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\203.164.29.74##Network##"NETWORK0"
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\226.145.106.112####
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\226.145.106.112##Tag##dword:00000003
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\226.145.106.112##LastModified##dword:39c3bb95
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\226.145.106.112##Network##"NETWORK0"
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\206.97.184.140####
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\206.97.184.140##Tag##dword:00000002
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\206.97.184.140##LastModified##dword:39c3bb70
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\206.97.184.140##Network##"NETWORK0"
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\f43.mail.yahoo.com####
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\f43.mail.yahoo.com##Tag##dword:00000004
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\f43.mail.yahoo.com##LastModified##dword:39c3bbaf
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\f43.mail.yahoo.com##Network##"NETWORK0"
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\members.iinet.net.au####
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\members.iinet.net.au##Tag##dword:00000004
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\members.iinet.net.au##LastModified##dword:39c30aa7
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\members.iinet.net.au##Network##"NETWORK0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917####
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917##CachePath##hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,48,69,73,74,6f,72,79,5c,48,69,73,74,6f,72,79,2e,49,45,35,5c,4d,53,48,69,73,74,30,31,32,30,30,30,30,39,31,36,32,30,30,30,30,39,31,37,5c,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917##CachePrefix##":2000091620000917: "
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917##CacheLimit##dword:00002000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917##CacheOptions##dword:0000000b
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917##CacheRepair##dword:00000000
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Printers####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Printers\Connections####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Adaptec\Easy CD Creator\Track_Writer####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Office\8.0\Shortcut Bar\Toolbars\Desktop##BitmapIds##hex:0a,00,0b,00,0c,00,0d,00,00,00,01,00,02,00,03,00,04,00,05,00,06,00,07,00,08,00,09,00,0e,00,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Office\8.0\Shortcut Bar\Toolbars\Programs##BitmapIds##hex:00,00,01,00,02,00,03,00,04,00,05,00,06,00,07,00,08,00,09,00,0a,00,0b,00,0c,00,0d,00,0e,00,0f,00,10,00,11,00,12,00,13,00,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\205.43.75.146####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\205.43.75.146##Tag##dword:00000002
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\205.43.75.146##LastModified##dword:39c30365
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\205.43.75.146##Network##"NETWORK0"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\203.164.29.74####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\203.164.29.74##Tag##dword:00000003
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\203.164.29.74##LastModified##dword:39c3037d
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\203.164.29.74##Network##"NETWORK0"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\226.145.106.112####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\226.145.106.112##Tag##dword:00000003
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\226.145.106.112##LastModified##dword:39c3bb95
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\226.145.106.112##Network##"NETWORK0"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\206.97.184.140####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\206.97.184.140##Tag##dword:00000002
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\206.97.184.140##LastModified##dword:39c3bb70
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\206.97.184.140##Network##"NETWORK0"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\f43.mail.yahoo.com####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\f43.mail.yahoo.com##Tag##dword:00000004
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\f43.mail.yahoo.com##LastModified##dword:39c3bbaf
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\f43.mail.yahoo.com##Network##"NETWORK0"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\members.iinet.net.au####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\members.iinet.net.au##Tag##dword:00000004
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\members.iinet.net.au##LastModified##dword:39c30aa7
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\members.iinet.net.au##Network##"NETWORK0"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\10##CabView##hex:40,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,9a,00,00,00,9a,00,00,00,6c,01,00,00,63,01,00,00,01,00,00,00,00,00,00,00,c0,00,00,00,00,00,00,00,4c,6b,58,01, HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917#### HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917##CachePath##hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,48,69,73,74,6f,72,79,5c,48,69,73,74,6f,72,79,2e,49,45,35,5c,4d,53,48,69,73,74,30,31,32,30,30,30,30,39,31,36,32,30,30,30,30,39,31,37,5c,00, HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917##CachePrefix##":2000091620000917: " HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917##CacheLimit##dword:00002000 HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917##CacheOptions##dword:0000000b HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917##CacheRepair##dword:00000000 ------------------------------------------------------------------------------------------- Deleted Registry entries Key##Value##Data Autodial\Addresses\207.253.106.137##LastModified##dword:39bfe3eb HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\207.253.106.137##Network##"NETWORK0" 
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\a372.g.a.yimg.com#### HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\a372.g.a.yimg.com##Tag##dword:00000005 HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\a372.g.a.yimg.com##LastModified##dword:39bfe594 HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\a372.g.a.yimg.com##Network##"NETWORK0" HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\ads.msn.com#### HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\ads.msn.com##Tag##dword:00000005 HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\ads.msn.com##LastModified##dword:39c2b5f7 HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\ads.msn.com##Network##"NETWORK0" HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\www.dilbert.com#### HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\www.dilbert.com##Tag##dword:00000005 HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\www.dilbert.com##LastModified##dword:39c269c1 HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\www.dilbert.com##Network##"NETWORK0" HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\www.msn.com#### HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\www.msn.com##Tag##dword:00000004 HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\www.msn.com##LastModified##dword:39b56b09 
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\www.msn.com##Network##"NETWORK0" HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\27##CabView##hex:40,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,6e,00,00,00,6e,00,00,00,40,01,00,00,37,01,00,00,04,00,00,00,00,00,00,00,c0,00,00,00,00,00,00,00,4c,6b,58,01, HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\28##CabView##hex:40,00,00,00,00,00,00,00,01,00,00,00,00,83,ff,ff,00,83,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,9a,00,00,00,9a,00,00,00,6c,01,00,00,63,01,00,00,01,00,00,00,00,00,00,00,c0,00,00,00,88,3a,13,00,4c,6b,58,01, ------------------------------------------------------------------------------------------- Deleted Registry entries Key##Value##Data before##Data after HKEY_CLASSES_ROOT\AutoRun\5\DefaultIcon##@##"F:\i386\autorun.exe,0"##"F:\ecdc.ICO" HKEY_CLASSES_ROOT\AutoRun\5\Shell\AutoRun\command##@##"F:\i386\autorun.exe"##"F:\AUTORUN.EXE" HKEY_CURRENT_USER\Software\JG\EditPad##State##hex:1a,00,00,00,fc,ff,ff,ff,fc,ff,ff,ff,08,04,00,00,ec,02,00,00,04,00,00,00,01,01,##hex:1a,00,00,00,fc,ff,ff,ff,fc,ff,ff,ff,e7,03,00,00,ec,02,00,00,04,00,00,00,01,01, HKEY_CURRENT_USER\Software\JG\EditPad##LastDir##"D:\Dev\Perl\site\lib\Win32\"##"D:\WINNT\Profiles\Administrator\Desktop\" HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item0##hex:2a,26,30,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,73,69,74,65,5c,6c,69,62,5c,57,69,6e,33,32,5c,41,64,76,4e,6f,74,69,66,79,2e,70,6d,##hex:3a,26,30,20,44,3a,5c,57,49,4e,4e,54,5c,50,72,6f,66,69,6c,65,73,5c,41,64,6d,69,6e,69,73,74,72,61,74,6f,72,5c,44,65,73,6b,74,6f,70,5c,70,65,72,6c,20,64,69,67,65,73,74,2e,74,78,74, 
HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item3##hex:18,26,33,20,44,3a,5c,44,65,76,5c,54,65,73,74,5c,74,65,73,74,31,2e,6c,6f,67,##hex:14,26,33,20,44,3a,5c,54,65,73,74,5c,74,65,73,74,31,2e,6c,6f,67, HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item4##hex:29,26,34,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,66,69,6c,65,74,65,73,74,2e,70,6c,##hex:27,26,34,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,6e,65,77,6c,6f,67,2e,70,6c, HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item5##hex:1d,26,35,20,44,3a,5c,44,65,76,5c,65,2d,43,6f,6d,6d,65,72,63,65,5c,63,61,74,2e,68,74,6d,6c,##hex:18,26,35,20,44,3a,5c,44,65,76,5c,54,65,73,74,5c,74,65,73,74,31,2e,6c,6f,67, HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item6##hex:1f,26,36,20,44,3a,5c,44,65,76,5c,65,2d,43,6f,6d,6d,65,72,63,65,5c,69,6e,64,65,78,2e,68,74,6d,6c,##hex:2a,26,36,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,73,69,74,65,5c,6c,69,62,5c,57,69,6e,33,32,5c,41,64,76,4e,6f,74,69,66,79,2e,70,6d, HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item7##hex:2d,26,37,20,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,41,67,69,6c,65,5c,46,6c,6f,79,64,6d,61,6e,5c,69,6e,64,65,78,2e,68,74,6d,6c,##hex:29,26,37,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,66,69,6c,65,74,65,73,74,2e,70,6c, HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item8##hex:21,26,38,20,44,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,58,4e,65,77,73,5c,73,69,67,2e,74,78,74,##hex:1d,26,38,20,44,3a,5c,44,65,76,5c,65,2d,43,6f,6d,6d,65,72,63,65,5c,63,61,74,2e,68,74,6d,6c, HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item9##hex:3d,26,39,20,44,3a,5c,64,6f,77,6e,6c,6f,61,64,73,5c,48,61,63,6b,5c,64,6f,63,73,5c,43,6f,6d,6d,6f,6e,20,53,79,73,74,65,6d,20,49,6e,74,72,75,73,69,6f,6e,20,4d,65,74,68,6f,64,73,2e,74,78,74,##hex:1f,26,39,20,44,3a,5c,44,65,76,5c,65,2d,43,6f,6d,6d,65,72,63,65,5c,69,6e,64,65,78,2e,68,74,6d,6c, 
HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item10##hex:27,26,41,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,65,72,72,6f,72,2e,6c,6f,67,##hex:2d,26,41,20,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,41,67,69,6c,65,5c,46,6c,6f,79,64,6d,61,6e,5c,69,6e,64,65,78,2e,68,74,6d,6c, HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item11##hex:2a,26,42,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,4c,6f,67,20,41,67,65,6e,74,2e,70,6c,##hex:21,26,42,20,44,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,58,4e,65,77,73,5c,73,69,67,2e,74,78,74, HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item12##hex:20,26,43,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,41,64,76,4e,6f,74,69,66,79,5c,74,65,73,74,2e,70,6c,##hex:3d,26,43,20,44,3a,5c,64,6f,77,6e,6c,6f,61,64,73,5c,48,61,63,6b,5c,64,6f,63,73,5c,43,6f,6d,6d,6f,6e,20,53,79,73,74,65,6d,20,49,6e,74,72,75,73,69,6f,6e,20,4d,65,74,68,6f,64,73,2e,74,78,74, HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item13##hex:26,26,44,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,77,61,74,63,68,2e,70,6c,##hex:27,26,44,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,65,72,72,6f,72,2e,6c,6f,67, HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item14##hex:1c,26,45,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,61,6c,70,68,61,2e,70,6c,##hex:2a,26,45,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,4c,6f,67,20,41,67,65,6e,74,2e,70,6c, HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item15##hex:1c,26,46,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,62,6c,61,6e,6b,2e,70,6c,##hex:20,26,46,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,41,64,76,4e,6f,74,69,66,79,5c,74,65,73,74,2e,70,6c, HKEY_CURRENT_USER\Software\Microsoft\Internet 
Explorer\International\CpMRU##Cache##hex:af,6f,00,00,d0,00,00,00,b0,04,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,##hex:af,6f,00,00,d7,00,00,00,b0,04,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00, HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main##Window_Placement##hex:2c,00,00,00,02,00,00,00,03,00,00,00,00,83,ff,ff,00,83,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,2c,00,00,00,2c,00,00,00,2c,03,00,00,45,02,00,00,##hex:2c,00,00,00,02,00,00,00,03,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,42,00,00,00,42,00,00,00,42,03,00,00,5b,02,00,00, HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs##url1##"http://www.microsoft.com"##"http://mail.yahoo.com/" HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs##url2##"http://officeupdate.microsoft.com/downloadDetails/sr1off97detail.htm"##"http://www.informit.com/" HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs##url3##"http://www.microsoft.com/"##"http://www.microsoft.com" HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs##url4##"http://www.informit.com/"##"http://officeupdate.microsoft.com/downloadDetails/sr1off97detail.htm" HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs##url5##"http://mail22.bigmailbox.com/users/hackeram"##"http://www.microsoft.com/" HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs##url6##"http://mail.yahoo.com/"##"http://mail22.bigmailbox.com/users/hackeram" HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Shortcut Bar##LastToolbar##dword:00000000##dword:00000001 HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Shortcut 
Bar\Toolbars\Desktop##Buttons##hex:00,80,80,20,4d,79,20,43,6f,6d,70,75,74,65,72,00,20,4e,65,74,77,6f,72,6b,20,4e,65,69,67,68,62,6f,72,68,6f,6f,64,00,20,52,65,63,79,63,6c,65,20,42,69,6e,00,20,49,6e,74,65,72,6e,65,74,20,45,78,70,6c,6f,72,65,72,00,20,41,56,47,20,36,2e,30,2e,6c,6e,6b,00,20,43,6f,6d,6d,61,6e,64,20,50,72,6f,6d,70,74,2e,6c,6e,6b,00,20,45,64,69,74,50,61,64,20,43,6c,61,73,73,69,63,2e,6c,6e,6b,00,20,45,75,64,6f,72,61,2e,6c,6e,6b,00,20,53,6f,75,6e,64,20,46,6f,72,67,65,20,34,2e,35,2e,6c,6e,6b,00,20,53,79,6d,70,61,74,69,63,6f,2e,6c,6e,6b,00,20,57,49,4e,41,4d,50,2e,4c,4e,4b,00,20,57,69,6e,64,6f,77,73,20,4e,54,20,45,78,70,6c,6f,72,65,72,2e,6c,6e,6b,00,20,57,69,6e,5a,69,70,2e,6c,6e,6b,00,20,58,6e,65,77,73,2e,6c,6e,6b,00,00,05,00,02,00,00,00,##hex:00,80,80,20,4d,79,20,43,6f,6d,70,75,74,65,72,00,20,4e,65,74,77,6f,72,6b,20,4e,65,69,67,68,62,6f,72,68,6f,6f,64,00,20,52,65,63,79,63,6c,65,20,42,69,6e,00,20,49,6e,74,65,72,6e,65,74,20,45,78,70,6c,6f,72,65,72,00,20,41,56,47,20,36,2e,30,2e,6c,6e,6b,00,20,43,6f,6d,6d,61,6e,64,20,50,72,6f,6d,70,74,2e,6c,6e,6b,00,20,45,64,69,74,50,61,64,20,43,6c,61,73,73,69,63,2e,6c,6e,6b,00,20,45,75,64,6f,72,61,2e,6c,6e,6b,00,20,53,6f,75,6e,64,20,46,6f,72,67,65,20,34,2e,35,2e,6c,6e,6b,00,20,53,79,6d,70,61,74,69,63,6f,2e,6c,6e,6b,00,20,57,49,4e,41,4d,50,2e,4c,4e,4b,00,20,57,69,6e,64,6f,77,73,20,4e,54,20,45,78,70,6c,6f,72,65,72,2e,6c,6e,6b,00,20,57,69,6e,5a,69,70,2e,6c,6e,6b,00,20,58,6e,65,77,73,2e,6c,6e,6b,00,20,70,65,72,6c,20,64,69,67,65,73,74,2e,74,78,74,00,00,05,00,01,00,00,00, HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Shortcut Bar\Toolbars\Programs##BtnFaces##"Pro5"##"Pro1" HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\128.11.60.80##Tag##dword:00000004##dword:00000003 HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\128.11.60.80##LastModified##dword:39c02c37##dword:39c30387 HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\209.226.175.83##Tag##dword:00000003##dword:00000002 
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\209.226.175.83##LastModified##dword:39be5507##dword:39c3b104 HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\216.94.184.160##Tag##dword:00000004##dword:00000003 HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\216.94.184.160##LastModified##dword:39bc6476##dword:39c3bb6a HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\216.95.147.195##Tag##dword:00000003##dword:00000002 HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\216.95.147.195##LastModified##dword:39bc646d##dword:39c3036a HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer##DirectoryCols##hex:22,01,3c,00,78,00,78,00,3c,00,##hex:e4,00,68,00,78,00,78,00,3c,00, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer##Shutdown Setting##dword:00000002##dword:00000001 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs##a##hex:68,00,65,00,72,00,6f,00,73,00,2e,00,68,00,74,00,6d,00,6c,00,00,00,1e,00,30,00,00,00,00,00,00,00,00,00,00,00,68,65,72,6f,73,2e,68,74,6d,6c,2e,6c,6e,6b,00,00,00,00,##hex:4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,4f,00,66,00,66,00,69,00,63,00,65,00,20,00,39,00,37,00,2c,00,20,00,50,00,72,00,6f,00,66,00,65,00,73,00,73,00,69,00,6f,00,6e,00,61,00,6c,00,20,00,45,00,64,00,69,00,74,00,69,00,6f,00,6e,00,20,00,2d,00,20,00,4d,00,6f,00,64,00,69,00,66,00,69,00,65,00,64,00,20,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,00,2e,00,74,00,78,00,74,00,00,00,55,00,30,00,00,00,00,00,00,00,00,00,00,00,4d,69,63,72,6f,73,6f,66,74,20,4f,66,66,69,63,65,20,39,37,2c,20,50,72,6f,66,65,73,73,69,6f,6e,61,6c,20,45,64,69,74,69,6f,6e,20,2d,20,4d,6f,64,69,66,69,65,64,20,52,65,67,69,73,74,72,79,2e,74,78,74,2e,6c,6e,6b,00,00,00,00, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs##MRUList##"dkohbnefmlaijcg"##"aijdkhcgobnefml" 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs##c##hex:72,00,69,00,63,00,68,00,61,00,72,00,64,00,30,00,38,00,2e,00,6a,00,70,00,67,00,00,00,21,00,30,00,00,00,00,00,00,00,00,00,00,00,72,69,63,68,61,72,64,30,38,2e,6a,70,67,2e,6c,6e,6b,00,00,00,00,##hex:41,00,64,00,76,00,4e,00,6f,00,74,00,69,00,66,00,79,00,20,00,64,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,61,00,74,00,69,00,6f,00,6e,00,2e,00,68,00,74,00,6d,00,00,00,2f,00,30,00,00,00,00,00,00,00,00,00,00,00,41,64,76,4e,6f,74,69,66,79,20,64,6f,63,75,6d,65,6e,74,61,74,69,6f,6e,2e,68,74,6d,2e,6c,6e,6b,00,00,00,00, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs##g##hex:72,00,69,00,63,00,68,00,61,00,72,00,64,00,30,00,38,00,2e,00,62,00,6d,00,70,00,00,00,21,00,30,00,00,00,00,00,00,00,00,00,00,00,72,69,63,68,61,72,64,30,38,2e,62,6d,70,2e,6c,6e,6b,00,00,00,00,##hex:62,00,6f,00,6f,00,74,00,2e,00,69,00,6e,00,69,00,00,00,1c,00,30,00,00,00,00,00,00,00,00,00,00,00,62,6f,6f,74,2e,69,6e,69,2e,6c,6e,6b,00,00,00,00, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs##i##hex:43,00,44,00,20,00,50,00,72,00,6f,00,67,00,2e,00,6d,00,33,00,75,00,00,00,1f,00,30,00,00,00,00,00,00,00,00,00,00,00,43,44,20,50,72,6f,67,2e,6d,33,75,2e,6c,6e,6b,00,00,00,00,##hex:4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,4f,00,66,00,66,00,69,00,63,00,65,00,20,00,39,00,37,00,2c,00,20,00,50,00,72,00,6f,00,66,00,65,00,73,00,73,00,69,00,6f,00,6e,00,61,00,6c,00,20,00,45,00,64,00,69,00,74,00,69,00,6f,00,6e,00,20,00,2d,00,20,00,44,00,65,00,6c,00,65,00,74,00,65,00,64,00,20,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,00,2e,00,74,00,78,00,74,00,00,00,54,00,30,00,00,00,00,00,00,00,00,00,00,00,4d,69,63,72,6f,73,6f,66,74,20,4f,66,66,69,63,65,20,39,37,2c,20,50,72,6f,66,65,73,73,69,6f,6e,61,6c,20,45,64,69,74,69,6f,6e,20,2d,20,44,65,6c,65,74,65,64,20,52,65,67,69,73,74,72,79,2e,74,78,74,2e,6c,6e,6b,00,00,00,00, 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs##j##hex:30,00,32,00,37,00,2e,00,77,00,61,00,76,00,00,00,1b,00,30,00,00,00,00,00,00,00,00,00,00,00,30,32,37,2e,77,61,76,2e,6c,6e,6b,00,00,00,00,##hex:70,00,65,00,72,00,6c,00,20,00,64,00,69,00,67,00,65,00,73,00,74,00,2e,00,74,00,78,00,74,00,00,00,23,00,30,00,00,00,00,00,00,00,00,00,00,00,70,65,72,6c,20,64,69,67,65,73,74,2e,74,78,74,2e,6c,6e,6b,00,00,00,00, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count##HRZR_PGYFRFFVBA##hex:19,fa,00,0e,09,00,00,00,##hex:6d,00,01,0e,0b,00,00,00, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count##HRZR_HVGBBYONE##hex:09,00,00,00,e1,00,00,00,20,03,92,6b,80,1f,c0,01,##hex:0a,00,00,00,e5,00,00,00,b0,0e,58,b5,0b,20,c0,01, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count##HRZR_HVGBBYONE:0k1,120##hex:09,00,00,00,b1,00,00,00,20,03,92,6b,80,1f,c0,01,##hex:0a,00,00,00,b5,00,00,00,b0,0e,58,b5,0b,20,c0,01, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count##HRZR_PGYFRFFVBA##hex:19,fa,00,0e,09,00,00,00,##hex:6d,00,01,0e,0b,00,00,00, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections##SavedLegacySettings##hex:3c,00,00,00,4d,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,##hex:3c,00,00,00,54,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00, HKEY_LOCAL_MACHINE\SOFTWARE\Aureate\V3\Servers##@##"http://ans3.adsoftware.com/"##"http://ans2.adsoftware.com/" HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoRun\5\DefaultIcon##@##"F:\i386\autorun.exe,0"##"F:\ecdc.ICO" 
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoRun\5\Shell\AutoRun\command##@##"F:\i386\autorun.exe"##"F:\AUTORUN.EXE" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc##UuidSequenceNumber##dword:f9a9302b##dword:f9a9302f HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability##LastAliveStamp##hex:d0,07,09,00,06,00,10,00,03,00,07,00,24,00,1c,03,##hex:d0,07,09,00,01,00,12,00,02,00,24,00,00,00,f7,01, HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm\Registration\2.1.25##LastCheckDate##dword:39c254a0##dword:39c3b0f9 HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData##NetworkAddress##hex:b1,1b,2e,8d,80,02,##hex:ca,4d,5e,cb,91,02, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows##ShutdownTime##hex:49,8d,40,9f,87,1f,c0,01,##hex:49,25,04,27,23,20,c0,01, HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad##State##hex:1a,00,00,00,fc,ff,ff,ff,fc,ff,ff,ff,08,04,00,00,ec,02,00,00,04,00,00,00,01,01,##hex:1a,00,00,00,fc,ff,ff,ff,fc,ff,ff,ff,e7,03,00,00,ec,02,00,00,04,00,00,00,01,01, HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad##LastDir##"D:\Dev\Perl\site\lib\Win32\"##"D:\WINNT\Profiles\Administrator\Desktop\" HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item0##hex:2a,26,30,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,73,69,74,65,5c,6c,69,62,5c,57,69,6e,33,32,5c,41,64,76,4e,6f,74,69,66,79,2e,70,6d,##hex:3a,26,30,20,44,3a,5c,57,49,4e,4e,54,5c,50,72,6f,66,69,6c,65,73,5c,41,64,6d,69,6e,69,73,74,72,61,74,6f,72,5c,44,65,73,6b,74,6f,70,5c,70,65,72,6c,20,64,69,67,65,73,74,2e,74,78,74, HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item3##hex:18,26,33,20,44,3a,5c,44,65,76,5c,54,65,73,74,5c,74,65,73,74,31,2e,6c,6f,67,##hex:14,26,33,20,44,3a,5c,54,65,73,74,5c,74,65,73,74,31,2e,6c,6f,67, 
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item4##hex:29,26,34,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,66,69,6c,65,74,65,73,74,2e,70,6c,##hex:27,26,34,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,6e,65,77,6c,6f,67,2e,70,6c, HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item5##hex:1d,26,35,20,44,3a,5c,44,65,76,5c,65,2d,43,6f,6d,6d,65,72,63,65,5c,63,61,74,2e,68,74,6d,6c,##hex:18,26,35,20,44,3a,5c,44,65,76,5c,54,65,73,74,5c,74,65,73,74,31,2e,6c,6f,67, HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item6##hex:1f,26,36,20,44,3a,5c,44,65,76,5c,65,2d,43,6f,6d,6d,65,72,63,65,5c,69,6e,64,65,78,2e,68,74,6d,6c,##hex:2a,26,36,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,73,69,74,65,5c,6c,69,62,5c,57,69,6e,33,32,5c,41,64,76,4e,6f,74,69,66,79,2e,70,6d, HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item7##hex:2d,26,37,20,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,41,67,69,6c,65,5c,46,6c,6f,79,64,6d,61,6e,5c,69,6e,64,65,78,2e,68,74,6d,6c,##hex:29,26,37,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,66,69,6c,65,74,65,73,74,2e,70,6c, HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item8##hex:21,26,38,20,44,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,58,4e,65,77,73,5c,73,69,67,2e,74,78,74,##hex:1d,26,38,20,44,3a,5c,44,65,76,5c,65,2d,43,6f,6d,6d,65,72,63,65,5c,63,61,74,2e,68,74,6d,6c, HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item9##hex:3d,26,39,20,44,3a,5c,64,6f,77,6e,6c,6f,61,64,73,5c,48,61,63,6b,5c,64,6f,63,73,5c,43,6f,6d,6d,6f,6e,20,53,79,73,74,65,6d,20,49,6e,74,72,75,73,69,6f,6e,20,4d,65,74,68,6f,64,73,2e,74,78,74,##hex:1f,26,39,20,44,3a,5c,44,65,76,5c,65,2d,43,6f,6d,6d,65,72,63,65,5c,69,6e,64,65,78,2e,68,74,6d,6c, 
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item10##hex:27,26,41,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,65,72,72,6f,72,2e,6c,6f,67,##hex:2d,26,41,20,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,41,67,69,6c,65,5c,46,6c,6f,79,64,6d,61,6e,5c,69,6e,64,65,78,2e,68,74,6d,6c, HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item11##hex:2a,26,42,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,4c,6f,67,20,41,67,65,6e,74,2e,70,6c,##hex:21,26,42,20,44,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,58,4e,65,77,73,5c,73,69,67,2e,74,78,74, HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item12##hex:20,26,43,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,41,64,76,4e,6f,74,69,66,79,5c,74,65,73,74,2e,70,6c,##hex:3d,26,43,20,44,3a,5c,64,6f,77,6e,6c,6f,61,64,73,5c,48,61,63,6b,5c,64,6f,63,73,5c,43,6f,6d,6d,6f,6e,20,53,79,73,74,65,6d,20,49,6e,74,72,75,73,69,6f,6e,20,4d,65,74,68,6f,64,73,2e,74,78,74, HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item13##hex:26,26,44,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,77,61,74,63,68,2e,70,6c,##hex:27,26,44,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,65,72,72,6f,72,2e,6c,6f,67, HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item14##hex:1c,26,45,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,61,6c,70,68,61,2e,70,6c,##hex:2a,26,45,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,4c,6f,67,20,41,67,65,6e,74,2e,70,6c, 
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item15##hex:1c,26,46,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,62,6c,61,6e,6b,2e,70,6c,##hex:20,26,46,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,41,64,76,4e,6f,74,69,66,79,5c,74,65,73,74,2e,70,6c, HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Internet Explorer\International\CpMRU##Cache##hex:af,6f,00,00,d0,00,00,00,b0,04,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,##hex:af,6f,00,00,d7,00,00,00,b0,04,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00, HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Internet Explorer\Main##Window_Placement##hex:2c,00,00,00,02,00,00,00,03,00,00,00,00,83,ff,ff,00,83,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,2c,00,00,00,2c,00,00,00,2c,03,00,00,45,02,00,00,##hex:2c,00,00,00,02,00,00,00,03,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,42,00,00,00,42,00,00,00,42,03,00,00,5b,02,00,00, HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Internet Explorer\TypedURLs##url1##"http://www.microsoft.com"##"http://mail.yahoo.com/" HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Internet Explorer\TypedURLs##url2##"http://officeupdate.microsoft.com/downloadDetails/sr1off97detail.htm"##"http://www.informit.com/" HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Internet Explorer\TypedURLs##url3##"http://www.microsoft.com/"##"http://www.microsoft.com" HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Internet 
Explorer\TypedURLs##url4##"http://www.informit.com/"##"http://officeupdate.microsoft.com/downloadDetails/sr1off97detail.htm" HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Internet Explorer\TypedURLs##url5##"http://mail22.bigmailbox.com/users/hackeram"##"http://www.microsoft.com/" HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Internet Explorer\TypedURLs##url6##"http://mail.yahoo.com/"##"http://mail22.bigmailbox.com/users/hackeram" HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Office\8.0\Shortcut Bar##LastToolbar##dword:00000000##dword:00000001 HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Office\8.0\Shortcut Bar\Toolbars\Desktop##Buttons##hex:00,80,80,20,4d,79,20,43,6f,6d,70,75,74,65,72,00,20,4e,65,74,77,6f,72,6b,20,4e,65,69,67,68,62,6f,72,68,6f,6f,64,00,20,52,65,63,79,63,6c,65,20,42,69,6e,00,20,49,6e,74,65,72,6e,65,74,20,45,78,70,6c,6f,72,65,72,00,20,41,56,47,20,36,2e,30,2e,6c,6e,6b,00,20,43,6f,6d,6d,61,6e,64,20,50,72,6f,6d,70,74,2e,6c,6e,6b,00,20,45,64,69,74,50,61,64,20,43,6c,61,73,73,69,63,2e,6c,6e,6b,00,20,45,75,64,6f,72,61,2e,6c,6e,6b,00,20,53,6f,75,6e,64,20,46,6f,72,67,65,20,34,2e,35,2e,6c,6e,6b,00,20,53,79,6d,70,61,74,69,63,6f,2e,6c,6e,6b,00,20,57,49,4e,41,4d,50,2e,4c,4e,4b,00,20,57,69,6e,64,6f,77,73,20,4e,54,20,45,78,70,6c,6f,72,65,72,2e,6c,6e,6b,00,20,57,69,6e,5a,69,70,2e,6c,6e,6b,00,20,58,6e,65,77,73,2e,6c,6e,6b,00,00,05,00,02,00,00,00,##hex:00,80,80,20,4d,79,20,43,6f,6d,70,75,74,65,72,00,20,4e,65,74,77,6f,72,6b,20,4e,65,69,67,68,62,6f,72,68,6f,6f,64,00,20,52,65,63,79,63,6c,65,20,42,69,6e,00,20,49,6e,74,65,72,6e,65,74,20,45,78,70,6c,6f,72,65,72,00,20,41,56,47,20,36,2e,30,2e,6c,6e,6b,00,20,43,6f,6d,6d,61,6e,64,20,50,72,6f,6d,70,74,2e,6c,6e,6b,00,20,45,64,69,74,50,61,64,20,43,6c,61,73,73,69,63,2e,6c,6e,6b,00,20,45,75,64,6f,72,61,2e,6c,6e,6b,00,20,53,6f,75,6e,64,20,46,6f,72,67,65,20,34,2e,35,2e,6c,6e,6b,00,20,53,79,6d,70,61,74,69,63,6f,2e,6c,6e,6b,00
,20,57,49,4e,41,4d,50,2e,4c,4e,4b,00,20,57,69,6e,64,6f,77,73,20,4e,54,20,45,78,70,6c,6f,72,65,72,2e,6c,6e,6b,00,20,57,69,6e,5a,69,70,2e,6c,6e,6b,00,20,58,6e,65,77,73,2e,6c,6e,6b,00,20,70,65,72,6c,20,64,69,67,65,73,74,2e,74,78,74,00,00,05,00,01,00,00,00, HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Office\8.0\Shortcut Bar\Toolbars\Programs##BtnFaces##"Pro5"##"Pro1" HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\128.11.60.80##Tag##dword:00000004##dword:00000003 HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\128.11.60.80##LastModified##dword:39c02c37##dword:39c30387 HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\209.226.175.83##Tag##dword:00000003##dword:00000002 HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\209.226.175.83##LastModified##dword:39be5507##dword:39c3b104 HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\216.94.184.160##Tag##dword:00000004##dword:00000003 HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\216.94.184.160##LastModified##dword:39bc6476##dword:39c3bb6a HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\216.95.147.195##Tag##dword:00000003##dword:00000002 HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\216.95.147.195##LastModified##dword:39bc646d##dword:39c3036a HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Explorer##DirectoryCols##hex:22,01,3c,00,78,00,78,00,3c,00,##hex:e4,00,68,00,78,00,78,00,3c,00, HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Explorer##Shutdown Setting##dword:00000002##dword:00000001 
End of log files

OK, here's all of it, skimmed version. First of all, I make this analysis by looking at each of these export files, but for a more precise result for time tracking, you should combine the Added files and Modified files together in an Excel file and then sort them by Time. This will give you a better chronological picture of what follows here. Also note that when I ran my test, skipit.dll was present in my InstallRite program folder. This .dll file lets the program skip certain specific items, like pagefile.sys, win386.swp, Temporary Internet Files, and the InstallRite program folder itself (I may have forgotten one or two here). Removing skipit.dll from this folder will make the program consider 100% of the machine. This means that if I had erased skipit.dll (I actually forgot to when I did my test), there would be even more data collected.

So, as you noticed, there's a lot of data, and I didn't use my computer all that much in that time frame. Much less than, say, a guy working in an office on all sorts of documents and contracts for his company. I will treat this data sequentially, as if this was all in the "same day", because as you can tell, I did this after regular work hours. Interpreting it all as one "work day" will keep things simple here.

In Added files, we can see that I worked on my boot.ini file, which is in my Windows 95 partition (C:/ on a dual-boot machine). I mention this because it was out of the scan scope, but it still found a way into the Recent files, thus leaving a trace.
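The merge-and-sort step described above (Added and Modified exports combined, then ordered by time), as an added Python example; this is not the paper's own tooling and not part of InstallRite. It assumes the export line layout visible in the three Temporary Internet Files lines quoted in this paper, and the Modified-file sample lines are constructed.

```python
"""Merge InstallRite "Added" and "Modified" file exports into one timeline.

Added example for this paper; not the author's tooling and not part of
InstallRite. Assumed line layout, taken from the three Temporary Internet
Files lines quoted in the paper:

    <path>##<size>##<flag>##<M/D/YY h:MM:SS AM|PM>##<empty>##<crc>

What the "A" flag and the empty fifth field mean is not known from the
paper; both are carried along but not interpreted.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable

FIELD_SEP = "##"
TIME_FORMAT = "%m/%d/%y %I:%M:%S %p"          # e.g. "9/16/00 1:22:39 AM"
# IE5 cache layout: ...\Content.IE5\<8-char subfolder>\<cached object name>
IE_CACHE_RE = re.compile(r"\\Content\.IE5\\[A-Z0-9]{8}\\(.+)$", re.IGNORECASE)


@dataclass(frozen=True)
class FileEvent:
    when: datetime
    source: str      # which export the line came from: "Added" or "Modified"
    path: str
    size: str
    crc: str

    @property
    def ie_cache_name(self) -> str | None:
        """Cached object name for IE cache entries, else None."""
        m = IE_CACHE_RE.search(self.path)
        return m.group(1) if m else None


def parse_line(line: str, source: str) -> FileEvent | None:
    """Parse one export line; returns None for blank or malformed lines."""
    parts = line.strip().split(FIELD_SEP)
    if len(parts) < 6:
        return None
    path, size, _flag, stamp, _unused, crc = parts[:6]
    try:
        when = datetime.strptime(stamp.strip(), TIME_FORMAT)
    except ValueError:
        return None
    return FileEvent(when, source, path, size, crc)


def build_timeline(added: Iterable[str], modified: Iterable[str]) -> list[FileEvent]:
    """The Excel step from the paper: merge both exports and sort by time."""
    events = [e for e in (parse_line(ln, "Added") for ln in added) if e]
    events += [e for e in (parse_line(ln, "Modified") for ln in modified) if e]
    return sorted(events, key=lambda e: e.when)


def ie_cache_names(events: Iterable[FileEvent]) -> list[str]:
    """Cached-object names in chronological order: the browsing sub-timeline."""
    return [e.ie_cache_name for e in events if e.ie_cache_name]


def render(events: Iterable[FileEvent]) -> str:
    """One line per event: time, export it came from, path."""
    return "\n".join(f"{e.when:%H:%M:%S} {e.source:<8} {e.path}" for e in events)


# The three Added lines quoted in the paper (paths as printed there).
ADDED_SAMPLE = [
    r"D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\;cat=developer;cat=web_developer;ord=572203314287611260[1].html##2KB##A##9/16/00 1:22:39 AM####bc6c359b",
    r"D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\;sz=1x1;abr=!webtv;site=informit;ord=6648850554683242[1]##1KB##A##9/16/00 1:22:42 AM####9921ba9f",
    r"D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\element_004[1].html##278KB##A##9/16/00 1:23:30 AM####f5cd0a20",
]
# Constructed Modified lines: paths, times and CRCs are invented for the example.
MODIFIED_SAMPLE = [
    r"D:\Dev\Perl\test1.log##3KB##A##9/16/00 1:10:05 AM####11111111",
    r"D:\Mail\Eudora\out.toc##12KB##A##9/16/00 1:40:12 AM####22222222",
    "",  # blank line, as a trailing newline in an export would produce
]

if __name__ == "__main__":
    print(render(build_timeline(ADDED_SAMPLE, MODIFIED_SAMPLE)))
```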
Then I proceeded to read the AdvNotify documentation (a Perl module I use for my tool Log Agent). Then, I needed some help with my Perl, so I launched Internet Explorer, which loaded my default page. I then proceeded to InformIT, and we even can tell that I was checking for a book in the web_developer category. We can't tell the title of the book I viewed, but you can tell that I checked chapter 4. D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\;cat=developer;cat=web_developer;ord=572203314287611260[1].html##2KB##A##9/16/00 1:22:39 AM####bc6c359b D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\;sz=1x1;abr=!webtv;site=informit;ord=6648850554683242[1]##1KB##A##9/16/00 1:22:42 AM####9921ba9f D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\element_004[1].html##278KB##A##9/16/00 1:23:30 AM####f5cd0a20 You could probably use the information found there (the original data, not the sanitized) to recreate the original URL and get the exact book title and chapter content. Then I was tired and needed some relaxing, so I went on and read a couple of BOFH (Bastard Operator From Hell). Then I made a file called Perl digest, containing effectively the digest of the day of a Perl mailing list. I was working hard on learning and debugging Perl at the time... Then I checked my mail with Eudora, did the same thing with mail.yahoo.com (notice that I had closed and re-launched IE, since the default homepage is showing again). My Yahoo cookie has been used by the site, so it shows here also. Then I worked with Log Agent (newlog.pl) before checking my mail one last time. In Recent files, you see some Export file from InstallRite (as I was working on another project, I previously hid the snapshot file so InstallRite would behave as if nothing happened). In modified files, we can see here again that I effectively launched IE and Eudora, but also XNews. 
You know that I sent some mail (entry with out.toc). Some event got logged in ZoneAlarm log file. Then I updated my various projects status in the To Do utility in Genius3 (which I'm currently trying). There's some data from Cookie Crusher. Then I launched the Command prompt (I actually launched it twice, but since it was the same icon, only the last instance is spotted). For some reason I don't remember, I checked something on one of my homepages, probably adding a link or something (I'm just too multitasking sometimes...). test1.log and test2.log are test files I used with Log Agent. Then there's some data about WinAmp, the Event Viewer logs, GetRight and Port Guardian log (a Genius3 utility). These last items are modified at each boot, so what is showing is the last boot. One wouldn't expect to find much in the deleted files, and one would be mistaken to think this. This is a little gravy, thanks to the way Windows works. You actually have some data relating to uses PRIOR to the snooping window. Mostly old "Recent" files being deleted to make place for new ones, and some Internet temporary files, always useful to get some info about internet usage. Namely, you can see that I recently worked with a JPG/BMP file, a WAV file and a MP3 playlist (M3U). You can also see that I deleted that stupid icon to install IE3.0 that goes automatically on your desktop when you install MS-Office. The INI files, on the other hand, prove to be rather thin. It just gives us some info about window positioning for some software packages, nothing really relevant. Now, the icing on the cake: the traces left in the Registry. Unfortunately, registry entries don't carry a date to track their last modification, which makes it impossible to determine the chronological order of the events. But it still provides a wealth of information, and matched with what we already gathered from the file trace, we should be able to define pretty accurately how our victim spent his time at the computer. 
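As an added example (not code from the original paper), here is a Python script that does the merge-and-sort the author recommends above for the Added and Modified file exports, assuming the "##"-separated layout of the lines quoted in section 3 (path##size##flag##timestamp####crc) also holds for the Modified export, and using constructed sample lines rather than the author's data. It goes a step beyond the text by labelling each entry with the kind of activity it betrays (the CLASSES keyword mapping is an assumption) and by flagging long gaps in file activity, which is the basis for the "went to bed" / "went to lunch" inference in the conclusion.

```python
from datetime import datetime, timedelta

# Constructed sample lines (not data from the paper) in the layout of the
# paper's Added-files entries, path##size##flag##timestamp####crc; the
# Modified-files export is assumed to use the same layout.
ADDED_FILES = """\
D:\\TEMP\\Temporary Internet Files\\Content.IE5\\IU46YERF\\element_004[1].html##278KB##A##9/16/00 1:23:30 AM####f5cd0a20
D:\\Docs\\Perl digest.txt##6KB##A##9/16/00 1:30:45 AM####33cc44dd
C:\\WINNT\\Profiles\\user\\Cookies\\user@yahoo[1].txt##1KB##A##9/16/00 1:52:03 AM####11aa22bb"""
MODIFIED_FILES = """\
C:\\Eudora\\out.toc##12KB##A##9/16/00 1:58:10 AM####55ee66ff
C:\\WINNT\\Profiles\\user\\Recent\\boot.ini.lnk##1KB##A##9/16/00 9:02:00 AM####7788aabb"""

# Artefact classes the paper reads activity from; the path keywords are
# assumptions about where those artefacts live on a Windows 9x/NT box.
CLASSES = (("Temporary Internet Files", "web cache"), ("Cookies", "cookie"),
           ("Recent", "recent document"), (".toc", "mail"))

def classify(path):
    for needle, label in CLASSES:
        if needle.lower() in path.lower():
            return label
    return "other"

def parse_export(text, source):
    """Parse one export into dicts; 'source' names the export a line came from."""
    entries = []
    for line in text.strip().splitlines():
        fields = line.split("##")
        if len(fields) < 6:          # not in the expected layout: skip it
            continue
        path, size, _flag, stamp, _, crc = fields[:6]
        entries.append({
            "when": datetime.strptime(stamp, "%m/%d/%y %I:%M:%S %p"),
            "source": source, "path": path, "size": size, "crc": crc,
            "kind": classify(path),
        })
    return entries

def build_timeline(added, modified):
    """Merge both exports and sort by time, as the paper does by hand in Excel."""
    entries = parse_export(added, "added") + parse_export(modified, "modified")
    return sorted(entries, key=lambda e: e["when"])

def idle_gaps(timeline, min_gap=timedelta(hours=4)):
    """(last, next) timestamp pairs with no file activity between them for min_gap."""
    return [(a["when"], b["when"]) for a, b in zip(timeline, timeline[1:])
            if b["when"] - a["when"] >= min_gap]
```

With the sample data, build_timeline() puts the web cache, the Perl digest, the Yahoo cookie and the Eudora out.toc in order within one late-night session, and idle_gaps() reports the seven-hour silence before the 9:02 AM Recent entry.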
Added Registry shows that I tried to install a printer, but it didn't work because I turned the RPC services off on my machine (why would I remotely call procedures on my local machine?). There's an entry about Adaptec CD-Creator that I have no idea what it's doing there. Then some modification to the MS Office shortcut bar. What comes next aroused my curiosity. There is a series of RAS AutoDial entries which contain IP addresses and some domain names. I checked the IP addresses, and they came from several locations: my ISP's news server, one of the servers at Yahoo, some routers, a web-based ad distributor server (ugh!), a time-out...

Deleted registry entries look pretty much the same in structure, but with different data. We can assume that this works in a similar way to the "Recent" folder. So we see more IP addresses relating this time to Topica, InfiniT, MSN.com and Dilbert, all sites I visited recently.

Modified registry entries reveal a little more. We can see information related to the files I opened with EditPad (a Notepad replacement). It is hexadecimal data, but it would probably be easy to find out the file names and paths by using EditPad ourselves and importing this data into our registry. We could probably use the re-open menu in EditPad and it would show us the file list. Then we get to see clearly some of my recently visited web sites, as they get bumped by one position in the list. Note that I didn't have to visit these sites for them to appear here. Then there are some AutoDial entries, and some configuration entries for running software. What comes next, I don't know. If someone knows what these entries relating to "Streams" and "StreamsMRU" are about, please let me know. I first spotted these entries when I made my first experiment for the Tripwire system. I don't know exactly what they are, but they get generated a lot, sometimes even if you're not doing anything with your machine between the scan and the analyze.

4. The conclusion

Although this wasn't the purpose it was intended for, InstallRite could be used in such a way as to gather info about the computer usage of an individual. As we saw, we could rather easily find out about my web activity during the examination period, and we even got a good glimpse at web sites I visited *earlier*; we saw what documents I worked on, all with full pathname and filename. You can also figure out the full pathname of various applications used by the individual, even if he had tried to conceal their presence (by putting them in an odd-looking folder, for example). You could tell the time I went to bed (look at the time!) or the time the victim would go to lunch (for a normal person :-). Login cookies are marked when you visit the sites (could this be used to crack mail accounts on systems like Hotmail and Yahoo?). Now, imagine that you made a web transaction with your credit card, and the sloppy web site puts your credit card number in a cookie without you knowing. It is served on a silver platter for the snooper, as all he has to do is make an install kit to retrieve all this information. What else could be found? You tell me. (NOTE: It is considered bad practice for a web site to leave your credit card number in a cookie, so if you're aware of web sites doing this, don't deal with them. Better yet, blow the whistle on them.)

Who is vulnerable? Well, of course machines that the snooper can have physical access to. But also machines that can be exploited via networking techniques and backdoors through which the snooper can get at least a command prompt on the victim's computer. He could then upload InstallRite and use it via the command line interface to achieve the same result. The snooper could use software other than InstallRite, of course. I think there are a couple of freeware programs that do similar things to InstallRite. The point is, it can be done.

Appendice A. The BOFH Way

Maybe reading the BOFH inspires me, but I just thought of a new way to use what's discussed in this document: it could be used to frame somebody. Let's take a purely fictional example: an employee doesn't like his boss and would like to get him fired. He knows what type of OS his boss is running (useful for having similar pathnames), and he can even manage to get physical access to it. But if he tries to surf porn sites on his boss's machine, he might get caught before he can make enough "evidence" to make it worth firing a person. So what he could do is set up a machine at home, with the same Windows version as the boss's machine and the same software (web browser, newsgroup reader), and then generate evidence by surfing sites with explicit content and downloading from the newsgroups, logging everything using the technique described above. He makes sure that the package is not contaminated with any of his personally identifiable data, and proceeds to make an install kit. Now, all he has to do is execute this package on the boss's machine when he has a chance. This is much quicker than generating "evidence" on the spot. Hey, if the guy's clever, maybe he won't even have to go to the machine at all, finding a way to do it remotely. After that is done, it is only a matter of calling Human Resources with a complaint of sexual harassment due to pornographic material in the workplace. There'll be so much evidence in the temp folders and all over the disk drive that they probably won't bother to check the firewall logs to see if there's a match.