So I decided to run the experiment. I recommend that you do so too; it proves to be quite a learning tool on the inner workings of the Windows system. InstallRite lets you sort the data by "Time after changes" where applicable (files). So the experiment is quite simple: it consists of installing InstallRite on someone's computer in a location where the victim is not likely to find it, configuring it so that it stays quiet (no launch at startup, no auto-detect of setup processes), and then doing a system scan. Then wait. Let's say we want to track for a period of 24 hours (well, it turns out to be 48 in this case, because I spent a whole day away from my computer). Then, the day after, you activate InstallRite and run the analyze process. Where applicable, data can be sorted by the time after, and you will get a pretty good idea of what the user (victim) has been doing on his machine: documents he worked on, programs he used, shortcuts he double-clicked, web sites he visited, all sorted by the time it happened, and much, much more.
Not having a real job right now means I don't have a network to try these things on. It also means that I have a shortage of victims (users :-). So I assumed both roles, the snooper and the victim, pretending that I was not aware that InstallRite was watching me. Here are the results, using ## characters as a field delimiter, just in case this looks all weird in your text viewer. If you don't feel like going through all of these log entries, go to the end of the file for a deeper analysis. This data has been sanitized.
Added files
File name##Size Before##Size After##Attrib before##Attrib after##Date before##Date after##Version before##Version after##CRC before##CRC after
D:\WINNT\Profiles\Administrator\Recent\boot.ini.lnk##1KB##A##9/15/00 11:10:10 PM####f66c2a9f
D:\WINNT\Profiles\Administrator\Recent\AdvNotify documentation.htm.lnk##1KB##A##9/16/00 1:07:42 AM####5cdd862e
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\f_Accueil[1].html##1KB##A##9/16/00 1:21:41 AM####d33af3fa
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\f_Accueil_texte[1].html##1KB##A##9/16/00 1:21:42 AM####12bee831
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5CPKAH6O\M_6_BA_Olympics_468G_Fr[1].gif##16KB##A##9/16/00 1:21:46 AM####9050eb10
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\other;cat=enterprise;ord=736792297648347100[1].html##2KB##A##9/16/00 1:22:02 AM####6861bfd0
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\;sz=1x1;abr=!webtv;site=informit;ord=5851462586903687[1]##1KB##A##9/16/00 1:22:06 AM####b8c0242e
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\informit[1].html##72KB##A##9/16/00 1:22:10 AM####99fb1e
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\Accounts[1].html##23KB##A##9/16/00 1:22:19 AM####65cf282b
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\other;cat=enterprise;ord=427330269033187100[1].html##2KB##A##9/16/00 1:22:20 AM####64d2c58f
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5CPKAH6O\07987068884[1].html##28KB##A##9/16/00 1:22:28 AM####fe2d1b0e
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\;cat=developer;cat=web_developer;ord=966674423919037700[1].html##2KB##A##9/16/00 1:22:29 AM####cb9db556
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\;sz=1x1;abr=!webtv;site=informit;ord=07753204673714888[1]##1KB##A##9/16/00 1:22:31 AM####f4332d1b
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\;cat=developer;cat=web_developer;ord=572203314287611260[1].html##2KB##A##9/16/00 1:22:39 AM####bc6c359b
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\;sz=1x1;abr=!webtv;site=informit;ord=6648850554683242[1]##1KB##A##9/16/00 1:22:42 AM####9921ba9f
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\element_004[1].html##278KB##A##9/16/00 1:23:30 AM####f5cd0a20
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5CPKAH6O\element_004_code_19[1].html##1KB##A##9/16/00 1:36:56 AM####39b28baf
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\bofh8[1].html##5KB##A##9/16/00 1:52:44 AM####f098b7ae
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\bofh9[1].html##5KB##A##9/16/00 1:53:14 AM####e3a0c2ba
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5CPKAH6O\bofh10[1].html##6KB##A##9/16/00 1:53:53 AM####b3a3f7b9
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\bofh11[1].html##5KB##A##9/16/00 2:00:14 AM####fe220b1c
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\bofh12[1].html##6KB##A##9/16/00 2:04:56 AM####949751a1
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\bofh13[1].html##6KB##A##9/16/00 2:10:17 AM####bca88d69
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5CPKAH6O\bsmh1[1].html##5KB##A##9/16/00 2:15:37 AM####608f406a
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\bsmh2[1].html##4KB##A##9/16/00 2:19:06 AM####559f60a4
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\bofh14[1].html##7KB##A##9/16/00 2:21:26 AM####85fbe4c2
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\bofh15[1].html##10KB##A##9/16/00 2:27:54 AM####911866f5
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5CPKAH6O\index[1].html##16KB##A##9/16/00 2:38:36 AM####6c8522e
D:\WINNT\Profiles\Administrator\Desktop\perl digest.txt##67KB##A##9/16/00 12:33:08 PM####3be44fcf
D:\Program Files\Qualcomm\Eudora\EudPriv\Ads\AdCache\65f52850.png##1KB##A##9/16/00 1:42:27 PM####52daa48c
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\510[1].png##1KB##A##9/16/00 1:42:27 PM####52daa48c
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\grandstitres[1].html##23KB##A##9/16/00 2:26:51 PM####b7227efa
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\000916gagliano-reunion-lib[1].jpeg##3KB##A##9/16/00 2:26:53 PM####b48bcbe7
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\000916dufresne-j-v-2[1].jpeg##6KB##A##9/16/00 2:26:54 PM####f02ff597
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\000914urgence-reunion-pres[1].jpeg##6KB##A##9/16/00 2:26:57 PM####6cddd42c
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\samaranch2[1].jpeg##14KB##A##9/16/00 2:26:59 PM####2628f982
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5CPKAH6O\mail.yahoo[1].html##6KB##A##9/16/00 2:27:30 PM####56adba5b
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\login[7]##1KB##A##9/16/00 2:27:57 PM####c36de0d9
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\Navbar[6]##9KB##A##9/16/00 2:27:58 PM####bdeba558
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\login[8]##6KB##A##9/16/00 2:28:00 PM####b4baad39
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\login[1].html##22KB##A##9/16/00 2:28:00 PM####d1c78c83
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\travel[1].gif##2KB##A##9/16/00 2:28:02 PM####e27a502d
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5CPKAH6O\exit[1].html##4KB##A##9/16/00 2:28:37 PM####e3babc87
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\login[2].html##7KB##A##9/16/00 2:28:42 PM####ad882e8
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\mail[1].html##9KB##A##9/16/00 2:29:20 PM####26a719bf
D:\WINNT\Profiles\Administrator\Cookies\floydman@yahoo[1].txt##1KB##A##9/16/00 2:29:51 PM####9a65ac81
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\login[8]##1KB##A##9/16/00 2:29:55 PM####2acac756
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\Navbar[7]##9KB##A##9/16/00 2:29:58 PM####8db45e6d
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\login[9]##22KB##A##9/16/00 2:30:01 PM####b1fc7b95
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\alloy[1].gif##1KB##A##9/16/00 2:30:02 PM####b1c40de3
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\ShowFolder[6]##24KB##A##9/16/00 2:30:53 PM####db0ba58a
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5CPKAH6O\HF468x60[1].gif##4KB##A##9/16/00 2:31:22 PM####b7b7b5b7
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5CPKAH6O\ShowFolder[9]##24KB##A##9/16/00 2:31:22 PM####83ab212d
D:\WINNT\Profiles\Administrator\History\History.IE5\MSHist012000091620000917\index.dat##33KB##A##9/16/00 2:52:02 PM####fbe56152
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\www2.sympatico[1].html##29KB##A##9/16/00 2:52:10 PM####620e0fda
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\query[1].html##22KB##A##9/16/00 2:52:47 PM####b1b79f3f
D:\Dev\Perl\Work\Log Agent\newlog.pl##2KB##A##9/16/00 3:44:12 PM####9fe7f1c3
D:\WINNT\Profiles\Administrator\Recent\perl digest.txt.lnk##1KB##A##9/16/00 3:45:21 PM####a369a80e
D:\Program Files\Qualcomm\Eudora\EudPriv\Ads\38625991.mfs##6KB##A##9/16/00 3:50:24 PM####986faeff
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\484[1].png##6KB##A##9/16/00 3:50:24 PM####d887d3fa
D:\Program Files\Qualcomm\Eudora\EudPriv\Ads\AdCache\65d032e8.png##6KB##A##9/16/00 3:50:24 PM####d887d3fa
D:\WINNT\Profiles\Administrator\Recent\Microsoft Office 97, Professional Edition - Deleted Registry.txt.lnk##1KB##A##9/16/00 4:09:45 PM####d8c9b310
D:\WINNT\Profiles\Administrator\Recent\Microsoft Office 97, Professional Edition - Modified Registry.txt.lnk##1KB##A##9/16/00 4:10:50 PM####e71b5111
D:\WINNT\Profiles\Administrator\History\History.IE5\MSHist012000091620000917##1KB##D######
-------------------------------------------------------------------------------------------
Modified files
File name##Size Before##Size After##Attrib before##Attrib after##Date before##Date after##Version before##Version after##CRC before##CRC after
D:\WINNT\Profiles\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT##17KB##17KB##A##A##9/5/00 11:07:32 PM##9/5/00 11:07:32 PM######7c6e0##a378abad
D:\Program Files\XNews\Floydman.newsrc.bak##741KB##740KB##A##A##9/12/00 9:06:09 PM##9/13/00 6:34:59 PM######c79fca95##954b2ed
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\453876-br-logo100x60[1].gif##5KB##5KB##A##A##9/15/00 3:50:01 PM##9/16/00 1:22:32 AM######54192513##54192513
D:\Dev\Test\test1.log##1KB##1KB##A##A##9/12/00 9:43:04 PM##9/16/00 1:50:37 AM######49a8b4e5##a6163ce6
D:\Program Files\Qualcomm\Eudora\EudPriv\Ads\37724605.mfs##9KB##9KB##A##A##9/15/00 2:38:49 PM##9/16/00 2:39:19 AM######f4bd8d7f##e14cdde9
D:\Program Files\Qualcomm\Eudora\EudPriv\Ads\36753968.mfs##4KB##4KB##A##A##9/15/00 2:18:55 PM##9/16/00 2:39:19 AM######2f560aeb##f2e997fa
D:\Program Files\Qualcomm\Eudora\Out.toc##2KB##2KB##A##A##9/15/00 2:39:16 PM##9/16/00 2:39:21 AM######3c5e4a3c##81a1bfcd
D:\WINNT\Internet Logs\ZALog.txt##6KB##6KB##A##A##9/15/00 9:14:19 PM##9/16/00 1:42:19 PM######cdd1ab4d##c7c59359
D:\Program Files\XNews\folders\Sent.hdr##1KB##1KB##A##A##9/13/00 5:38:32 PM##9/16/00 1:59:13 PM######308df113##7c41e8af
D:\Program Files\XNews\folders\Sent.mbx##2KB##4KB##A##A##9/13/00 5:38:32 PM##9/16/00 1:59:13 PM######4984fb8d##565906db
D:\Program Files\XNews\Floydman.newsrc##740KB##743KB##A##A##9/13/00 6:34:59 PM##9/16/00 2:25:41 PM######954b2ed##b1eb77ad
D:\Program Files\XNews\Xnews.ini##2KB##2KB##A##A##9/13/00 6:34:59 PM##9/16/00 2:25:41 PM######eaffaa3##50533291
D:\Program Files\Security\Genius3\to do list.dat##2KB##3KB##A##A##9/15/00 7:34:10 PM##9/16/00 2:44:22 PM######6f1c2a56##f3b50627
D:\Program Files\Security\Genius3\genius3.ini##5KB##5KB##A##A##9/15/00 10:41:12 PM##9/16/00 2:44:22 PM######44b8ab9a##44b8ab9a
D:\Program Files\Security\Cookie Crusher\Start.dat##1KB##1KB##A##A##9/15/00 8:44:12 PM##9/16/00 2:52:07 PM######4f4bbee5##4f4bbee5
D:\WINNT\Profiles\Administrator\Desktop\Command Prompt.lnk##2KB##2KB##A##A##9/5/00 10:50:05 AM##9/16/00 3:00:12 PM######d8671bcc##4f579b24
D:\WINNT\Profiles\Administrator\Recent\index.html.lnk##1KB##1KB##A##A##9/15/00 2:54:07 PM##9/16/00 3:08:07 PM######26fc5d5##d0edf178
D:\WINNT\Profiles\Administrator\Recent\test1.log.lnk##1KB##1KB##A##A##9/15/00 3:07:05 PM##9/16/00 3:32:51 PM######dbe50bf5##474425a8
D:\WINNT\Profiles\Administrator\Recent\test2.log.lnk##1KB##1KB##A##A##9/15/00 3:33:16 PM##9/16/00 3:38:03 PM######4a4325b2##a3785a1d
D:\Test\test2.log##1KB##1KB##A##A##9/12/00 9:41:49 PM##9/16/00 3:43:19 PM######ea289125##dddf9936
D:\WINNT\amcdl\cache\index.chc##1KB##1KB##A##A##9/15/00 10:31:29 PM##9/16/00 3:44:47 PM######82f5b60a##82f5b60a
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\index.dat##885KB##902KB##A##A##9/15/00 9:13:57 PM##9/16/00 3:49:10 PM######4a230618##77a5d6b
D:\WINNT\Profiles\Administrator\Cookies\index.dat##33KB##33KB##A##A##9/15/00 9:13:57 PM##9/16/00 3:49:10 PM######196969ff##43a1670
D:\WINNT\Profiles\Administrator\History\History.IE5\index.dat##246KB##246KB##A##A##9/15/00 9:14:32 PM##9/16/00 3:49:10 PM######10b54720##6ff32eb
D:\Program Files\Qualcomm\Eudora\LinkHistory.dat##3KB##3KB##A##A##9/15/00 3:56:57 PM##9/16/00 3:49:31 PM######376ea315##7b5470ce
D:\Program Files\Qualcomm\Eudora\Old.toc##12KB##16KB##A##A##9/15/00 3:56:49 PM##9/16/00 3:50:02 PM######88b00ca4##2fe3c61c
D:\Program Files\Qualcomm\Eudora\Old.mbx##244KB##300KB##A##A##9/15/00 3:56:49 PM##9/16/00 3:50:02 PM######a87fcd3b##3a95c7e9
D:\WINNT\system32\ras\rasphone.pbk##1KB##1KB##A##A##9/15/00 7:49:49 PM##9/16/00 3:50:16 PM######2535be1d##2535be1d
D:\Program Files\Qualcomm\Eudora\updateurl.htm##2KB##2KB##A##A##9/15/00 3:56:45 PM##9/16/00 3:50:20 PM######aa190db6##aa190db6
D:\Program Files\Qualcomm\Eudora\EudPriv\Ads\35994433.mfs##23KB##23KB##A##A##9/15/00 3:56:44 PM##9/16/00 3:50:24 PM######d2c5f012##e0f01994
D:\Program Files\Qualcomm\Eudora\spool\lmos.dat##6KB##3KB##A##A##9/15/00 3:57:00 PM##9/16/00 3:50:53 PM######83d34c70##7b43a806
D:\Program Files\Qualcomm\Eudora\descmap.pce##1KB##1KB##A##A##9/15/00 3:57:01 PM##9/16/00 3:50:54 PM######d99ea161##d99ea161
D:\Program Files\Qualcomm\Eudora\In.mbx##27KB##117KB##A##A##9/15/00 3:57:24 PM##9/16/00 3:50:54 PM######e2f0b8bb##42041d7b
D:\Program Files\Qualcomm\Eudora\In.toc##2KB##2KB##A##A##9/15/00 3:57:24 PM##9/16/00 3:50:55 PM######4c0f5326##8ed1e1c3
D:\Program Files\Qualcomm\Eudora\History.lst##1KB##1KB##A##A##9/15/00 3:57:25 PM##9/16/00 3:51:17 PM######e3eb0d68##e3eb0d68
D:\Program Files\Qualcomm\Eudora\EudPriv\Ads\Eudora.idx##2KB##2KB##A##A##9/15/00 3:57:25 PM##9/16/00 3:51:17 PM######21e276b7##13d75bad
D:\Program Files\Qualcomm\Eudora\EudPriv\Ads\CInfo.dat##2KB##2KB##A##A##9/15/00 3:57:25 PM##9/16/00 3:51:17 PM######5b3fb6ff##894a4c55
D:\Program Files\Qualcomm\Eudora\DsQuery.lst##1KB##1KB##A##A##9/15/00 3:57:25 PM##9/16/00 3:51:17 PM########
D:\Program Files\Qualcomm\Eudora\Audit.log##5KB##5KB##A##A##9/15/00 3:57:25 PM##9/16/00 3:51:17 PM######d183fd5f##bd87731a
D:\Program Files\Qualcomm\Eudora\eudora.ini##13KB##13KB##A##A##9/15/00 3:57:26 PM##9/16/00 3:51:18 PM######b856dbc2##9fcad4c4
D:\Program Files\Multi Medias\Winamp\winamp.m3u##1KB##1KB##A##A##9/14/00 6:58:53 AM##9/16/00 4:16:24 PM######6ff5c11d##279ec30
D:\WINNT\winamp.ini##1KB##1KB##A##A##9/14/00 6:58:53 AM##9/16/00 4:16:25 PM######6fd1e793##7404df6a
D:\RECYCLER\S-1-5-21-1114705054-1084767886-68360779-500\desktop.ini##1KB##1KB##H##H##9/15/00 1:11:00 PM##9/16/00 4:36:58 PM######74221298##74221298
D:\WINNT\system32\config\SysEvent.Evt##66KB##66KB##A##A##9/15/00 10:41:31 PM##9/16/00 5:14:51 PM######5165112f##936fe9d5
D:\WINNT\system32\config\SecEvent.Evt##66KB##66KB##A##A##9/15/00 10:41:31 PM##9/16/00 5:14:51 PM######82cc72b8##f41e7688
D:\WINNT\SchedLog.Txt##4KB##5KB##A##A##9/15/00 10:41:31 PM##9/16/00 5:14:51 PM######9540585b##60ea0f93
D:\WINNT\Tasks\SA.DAT##1KB##1KB##HA##HA##9/15/00 10:42:51 PM##9/17/00 10:26:17 PM######22aa10aa##22aa10aa
D:\WINNT\system32\config\SYSTEM.ALT##1,496KB##1,496KB##A##A##9/15/00 10:43:36 PM##9/17/00 10:26:42 PM########
D:\Program Files\Utils\GetRight\GetRight.ini##1KB##1KB##A##A##9/15/00 10:43:48 PM##9/17/00 10:26:43 PM########
D:\Program Files\Security\Genius3\port guardian log.txt##16KB##19KB##A##A##9/15/00 10:46:24 PM##9/17/00 10:27:03 PM######b48d6fd5##9775971e
D:\Program Files\Multi Medias\Winamp\Winamp.ini##2KB##2KB##A##A##9/15/00 7:20:09 PM##9/17/00 10:27:10 PM######ed4a49fa##4f5fd6ca
-------------------------------------------------------------------------------------------
Deleted files
File name##Size Before##Size After##Attrib before##Attrib after##Date before##Date after##Version before##Version after##CRC before##CRC after
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\4794H0M5\mail[1].htm##9KB##A##9/12/00 12:36:53 PM####7b253cec
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\query[1].htm##22KB##A##9/12/00 9:52:04 PM####b1b79f3f
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\element_004[1].htm##278KB##A##9/13/00 12:51:53 AM####f5cd0a20
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\grandstitres[1].htm##23KB##A##9/14/00 12:44:45 AM####1e9bdd9a
D:\WINNT\Profiles\Administrator\Recent\moon08.bmp.lnk##1KB##A##9/14/00 5:36:02 AM####7a88c13e
D:\WINNT\Profiles\Administrator\Recent\moon08.jpg.lnk##1KB##A##9/14/00 5:37:48 AM####580f5c45
D:\WINNT\Profiles\Administrator\Recent\027.wav.lnk##1KB##A##9/14/00 6:11:38 AM####2d896d27
D:\WINNT\Profiles\Administrator\Recent\CD Prog.m3u.lnk##1KB##A##9/14/00 6:13:25 AM####19151a5c
D:\WINNT\Profiles\Administrator\Recent\my_page.html.lnk##1KB##A##9/14/00 6:22:30 AM####ba0989f4
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\mail.yahoo[1].htm##6KB##A##9/15/00 2:27:09 PM####2d3503dd
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\exit[2].htm##5KB##A##9/15/00 2:31:01 PM####35feed4a
D:\WINNT\Profiles\Administrator\Cookies\floydman@yahoo[2].txt##1KB##A##9/15/00 2:31:04 PM####a4368dc1
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\login[1].htm##7KB##A##9/15/00 2:31:05 PM####ad882e8
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\informit[2].htm##74KB##A##9/15/00 3:49:57 PM####99fb1e
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\Accounts[1].htm##28KB##A##9/15/00 3:50:15 PM####65cf282b
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\0789708884[1].htm##28KB##A##9/15/00 3:50:22 PM####fe2d1b0e
D:\WINNT\Profiles\All Users\Desktop\Setup for Microsoft Internet Explorer 3.01.lnk##1KB##A##9/15/00 7:46:43 PM####a0f65c17
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\www2.sympatico[1].html##29KB##A##9/15/00 7:50:14 PM####774bdc6e
-------------------------------------------------------------------------------------------
INI files
INI filename##Section##Item##Data before##Data after
D:\Program Files\Multi Medias\Winamp\Winamp.ini##Winamp##wx##749##716
D:\Program Files\Multi Medias\Winamp\Winamp.ini##Winamp##eq_wx##749##716
D:\Program Files\Multi Medias\Winamp\Winamp.ini##Winamp##pe_wx##749##716
D:\Program Files\Multi Medias\Winamp\Winamp.ini##Winamp##mb_wx##1014##981
D:\Program Files\Multi Medias\Winamp\Winamp.ini##Winamp##pilp##0##13
D:\Program Files\Multi Medias\Winamp\Winamp.ini##WinampAgent##lastchk##01C01F6B7D5D92A0##01C02117F2BB75F0
D:\Program Files\Qualcomm\Eudora\eudora.ini##Settings##NGBase1##969047799##969133767
D:\Program Files\Qualcomm\Eudora\eudora.ini##Settings##NGLast1##969047799##969133767
D:\Program Files\Qualcomm\Eudora\eudora.ini##Settings##AdToolbarDock##0##2
D:\Program Files\Qualcomm\Eudora\eudora.ini##ToolBar-Bar3##MRUDockRightPos##1025##992
D:\Program Files\Qualcomm\Eudora\eudora.ini##ToolBar-Bar3##MRUHorzDockCX##1024##991
D:\Program Files\Qualcomm\Eudora\eudora.ini##ToolBar-Bar5##Bars##3##4
D:\Program Files\Qualcomm\Eudora\eudora.ini##ToolBar-Bar5##Bar#2##0##59424
D:\Program Files\Qualcomm\Eudora\eudora.ini##ToolBar-Bar5##Bar#3####0
D:\Program Files\Qualcomm\Eudora\eudora.ini##ToolBar-Bar9##MRUWidth##33651##33885
D:\Program Files\Qualcomm\Eudora\eudora.ini##ToolBar-Bar9##PctWidth##1000000##500000
D:\Program Files\Qualcomm\Eudora\eudora.ini##Window Position##AdToolbarWindowPosition##0,0,0,0##933,39,991,82
D:\Program Files\XNews\Xnews.ini##Metrics##S:Floydman##0,3,-1,-1,-1,-1,0,0,890,272##2,3,-1,-1,-1,-1,0,0,890,272
D:\WINNT\winamp.ini##WinampReg##Stats##0000000A,0000C935,00001322,0000B0D0,00000007,00000FB5,00000000,##0000000C,0000F886,00003818,0000DFF1,00000007,0000347B,00000000,
-------------------------------------------------------------------------------------------
Added Registry entries
Key##Value##Data
HKEY_CURRENT_USER\Printers####
HKEY_CURRENT_USER\Printers\Connections####
HKEY_CURRENT_USER\Software\Adaptec\Easy CD Creator\Track_Writer####
HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Shortcut Bar\Toolbars\Desktop##BitmapIds##hex:0a,00,0b,00,0c,00,0d,00,00,00,01,00,02,00,03,00,04,00,05,00,06,00,07,00,08,00,09,00,0e,00,
HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Shortcut Bar\Toolbars\Programs##BitmapIds##hex:00,00,01,00,02,00,03,00,04,00,05,00,06,00,07,00,08,00,09,00,0a,00,0b,00,0c,00,0d,00,0e,00,0f,00,10,00,11,00,12,00,13,00,
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\205.43.75.146####
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\205.47.73.146##Tag##dword:00000002
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\205.47.73.146##LastModified##dword:39c30365
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\205.47.73.146##Network##"NETWORK0"
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\203.164.29.74####
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\203.164.29.74##Tag##dword:00000003
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\203.164.29.74##LastModified##dword:39c3037d
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\203.164.29.74##Network##"NETWORK0"
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\226.145.106.112####
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\226.145.106.112##Tag##dword:00000003
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\226.145.106.112##LastModified##dword:39c3bb95
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\226.145.106.112##Network##"NETWORK0"
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\206.97.184.140####
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\206.97.184.140##Tag##dword:00000002
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\206.97.184.140##LastModified##dword:39c3bb70
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\206.97.184.140##Network##"NETWORK0"
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\f43.mail.yahoo.com####
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\f43.mail.yahoo.com##Tag##dword:00000004
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\f43.mail.yahoo.com##LastModified##dword:39c3bbaf
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\f43.mail.yahoo.com##Network##"NETWORK0"
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\members.iinet.net.au####
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\members.iinet.net.au##Tag##dword:00000004
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\members.iinet.net.au##LastModified##dword:39c30aa7
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\members.iinet.net.au##Network##"NETWORK0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917####
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917##CachePath##hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,48,69,73,74,6f,72,79,5c,48,69,73,74,6f,72,79,2e,49,45,35,5c,4d,53,48,69,73,74,30,31,32,30,30,30,30,39,31,36,32,30,30,30,30,39,31,37,5c,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917##CachePrefix##":2000091620000917: "
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917##CacheLimit##dword:00002000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917##CacheOptions##dword:0000000b
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917##CacheRepair##dword:00000000
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Printers####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Printers\Connections####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Adaptec\Easy CD Creator\Track_Writer####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Office\8.0\Shortcut Bar\Toolbars\Desktop##BitmapIds##hex:0a,00,0b,00,0c,00,0d,00,00,00,01,00,02,00,03,00,04,00,05,00,06,00,07,00,08,00,09,00,0e,00,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Office\8.0\Shortcut Bar\Toolbars\Programs##BitmapIds##hex:00,00,01,00,02,00,03,00,04,00,05,00,06,00,07,00,08,00,09,00,0a,00,0b,00,0c,00,0d,00,0e,00,0f,00,10,00,11,00,12,00,13,00,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\205.43.75.146####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\205.43.75.146##Tag##dword:00000002
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\205.43.75.146##LastModified##dword:39c30365
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\205.43.75.146##Network##"NETWORK0"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\203.164.29.74####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\203.164.29.74##Tag##dword:00000003
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\203.164.29.74##LastModified##dword:39c3037d
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\203.164.29.74##Network##"NETWORK0"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\226.145.106.112####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\226.145.106.112##Tag##dword:00000003
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\226.145.106.112##LastModified##dword:39c3bb95
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\226.145.106.112##Network##"NETWORK0"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\206.97.184.140####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\206.97.184.140##Tag##dword:00000002
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\206.97.184.140##LastModified##dword:39c3bb70
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\206.97.184.140##Network##"NETWORK0"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\f43.mail.yahoo.com####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\f43.mail.yahoo.com##Tag##dword:00000004
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\f43.mail.yahoo.com##LastModified##dword:39c3bbaf
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\f43.mail.yahoo.com##Network##"NETWORK0"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\members.iinet.net.au####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\members.iinet.net.au##Tag##dword:00000004
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\members.iinet.net.au##LastModified##dword:39c30aa7
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\members.iinet.net.au##Network##"NETWORK0"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\10##CabView##hex:40,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,9a,00,00,00,9a,00,00,00,6c,01,00,00,63,01,00,00,01,00,00,00,00,00,00,00,c0,00,00,00,00,00,00,00,4c,6b,58,01,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917##CachePath##hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,48,69,73,74,6f,72,79,5c,48,69,73,74,6f,72,79,2e,49,45,35,5c,4d,53,48,69,73,74,30,31,32,30,30,30,30,39,31,36,32,30,30,30,30,39,31,37,5c,00,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917##CachePrefix##":2000091620000917: "
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917##CacheLimit##dword:00002000
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917##CacheOptions##dword:0000000b
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012000091620000917##CacheRepair##dword:00000000
-------------------------------------------------------------------------------------------
Deleted Registry entries
Key##Value##Data
Autodial\Addresses\207.253.106.137##LastModified##dword:39bfe3eb
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\207.253.106.137##Network##"NETWORK0"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\a372.g.a.yimg.com####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\a372.g.a.yimg.com##Tag##dword:00000005
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\a372.g.a.yimg.com##LastModified##dword:39bfe594
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\a372.g.a.yimg.com##Network##"NETWORK0"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\ads.msn.com####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\ads.msn.com##Tag##dword:00000005
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\ads.msn.com##LastModified##dword:39c2b5f7
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\ads.msn.com##Network##"NETWORK0"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\www.dilbert.com####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\www.dilbert.com##Tag##dword:00000005
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\www.dilbert.com##LastModified##dword:39c269c1
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\www.dilbert.com##Network##"NETWORK0"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\www.msn.com####
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\www.msn.com##Tag##dword:00000004
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\www.msn.com##LastModified##dword:39b56b09
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\www.msn.com##Network##"NETWORK0"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\27##CabView##hex:40,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,6e,00,00,00,6e,00,00,00,40,01,00,00,37,01,00,00,04,00,00,00,00,00,00,00,c0,00,00,00,00,00,00,00,4c,6b,58,01,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\28##CabView##hex:40,00,00,00,00,00,00,00,01,00,00,00,00,83,ff,ff,00,83,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,9a,00,00,00,9a,00,00,00,6c,01,00,00,63,01,00,00,01,00,00,00,00,00,00,00,c0,00,00,00,88,3a,13,00,4c,6b,58,01,
-------------------------------------------------------------------------------------------
Modified Registry entries
Key##Value##Data before##Data after
HKEY_CLASSES_ROOT\AutoRun\5\DefaultIcon##@##"F:\i386\autorun.exe,0"##"F:\ecdc.ICO"
HKEY_CLASSES_ROOT\AutoRun\5\Shell\AutoRun\command##@##"F:\i386\autorun.exe"##"F:\AUTORUN.EXE"
HKEY_CURRENT_USER\Software\JG\EditPad##State##hex:1a,00,00,00,fc,ff,ff,ff,fc,ff,ff,ff,08,04,00,00,ec,02,00,00,04,00,00,00,01,01,##hex:1a,00,00,00,fc,ff,ff,ff,fc,ff,ff,ff,e7,03,00,00,ec,02,00,00,04,00,00,00,01,01,
HKEY_CURRENT_USER\Software\JG\EditPad##LastDir##"D:\Dev\Perl\site\lib\Win32\"##"D:\WINNT\Profiles\Administrator\Desktop\"
HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item0##hex:2a,26,30,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,73,69,74,65,5c,6c,69,62,5c,57,69,6e,33,32,5c,41,64,76,4e,6f,74,69,66,79,2e,70,6d,##hex:3a,26,30,20,44,3a,5c,57,49,4e,4e,54,5c,50,72,6f,66,69,6c,65,73,5c,41,64,6d,69,6e,69,73,74,72,61,74,6f,72,5c,44,65,73,6b,74,6f,70,5c,70,65,72,6c,20,64,69,67,65,73,74,2e,74,78,74,
HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item3##hex:18,26,33,20,44,3a,5c,44,65,76,5c,54,65,73,74,5c,74,65,73,74,31,2e,6c,6f,67,##hex:14,26,33,20,44,3a,5c,54,65,73,74,5c,74,65,73,74,31,2e,6c,6f,67,
HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item4##hex:29,26,34,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,66,69,6c,65,74,65,73,74,2e,70,6c,##hex:27,26,34,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,6e,65,77,6c,6f,67,2e,70,6c,
HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item5##hex:1d,26,35,20,44,3a,5c,44,65,76,5c,65,2d,43,6f,6d,6d,65,72,63,65,5c,63,61,74,2e,68,74,6d,6c,##hex:18,26,35,20,44,3a,5c,44,65,76,5c,54,65,73,74,5c,74,65,73,74,31,2e,6c,6f,67,
HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item6##hex:1f,26,36,20,44,3a,5c,44,65,76,5c,65,2d,43,6f,6d,6d,65,72,63,65,5c,69,6e,64,65,78,2e,68,74,6d,6c,##hex:2a,26,36,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,73,69,74,65,5c,6c,69,62,5c,57,69,6e,33,32,5c,41,64,76,4e,6f,74,69,66,79,2e,70,6d,
HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item7##hex:2d,26,37,20,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,41,67,69,6c,65,5c,46,6c,6f,79,64,6d,61,6e,5c,69,6e,64,65,78,2e,68,74,6d,6c,##hex:29,26,37,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,66,69,6c,65,74,65,73,74,2e,70,6c,
HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item8##hex:21,26,38,20,44,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,58,4e,65,77,73,5c,73,69,67,2e,74,78,74,##hex:1d,26,38,20,44,3a,5c,44,65,76,5c,65,2d,43,6f,6d,6d,65,72,63,65,5c,63,61,74,2e,68,74,6d,6c,
HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item9##hex:3d,26,39,20,44,3a,5c,64,6f,77,6e,6c,6f,61,64,73,5c,48,61,63,6b,5c,64,6f,63,73,5c,43,6f,6d,6d,6f,6e,20,53,79,73,74,65,6d,20,49,6e,74,72,75,73,69,6f,6e,20,4d,65,74,68,6f,64,73,2e,74,78,74,##hex:1f,26,39,20,44,3a,5c,44,65,76,5c,65,2d,43,6f,6d,6d,65,72,63,65,5c,69,6e,64,65,78,2e,68,74,6d,6c,
HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item10##hex:27,26,41,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,65,72,72,6f,72,2e,6c,6f,67,##hex:2d,26,41,20,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,41,67,69,6c,65,5c,46,6c,6f,79,64,6d,61,6e,5c,69,6e,64,65,78,2e,68,74,6d,6c,
HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item11##hex:2a,26,42,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,4c,6f,67,20,41,67,65,6e,74,2e,70,6c,##hex:21,26,42,20,44,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,58,4e,65,77,73,5c,73,69,67,2e,74,78,74,
HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item12##hex:20,26,43,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,41,64,76,4e,6f,74,69,66,79,5c,74,65,73,74,2e,70,6c,##hex:3d,26,43,20,44,3a,5c,64,6f,77,6e,6c,6f,61,64,73,5c,48,61,63,6b,5c,64,6f,63,73,5c,43,6f,6d,6d,6f,6e,20,53,79,73,74,65,6d,20,49,6e,74,72,75,73,69,6f,6e,20,4d,65,74,68,6f,64,73,2e,74,78,74,
HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item13##hex:26,26,44,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,77,61,74,63,68,2e,70,6c,##hex:27,26,44,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,65,72,72,6f,72,2e,6c,6f,67,
HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item14##hex:1c,26,45,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,61,6c,70,68,61,2e,70,6c,##hex:2a,26,45,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,4c,6f,67,20,41,67,65,6e,74,2e,70,6c,
HKEY_CURRENT_USER\Software\JG\EditPad\Reopen##Item15##hex:1c,26,46,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,62,6c,61,6e,6b,2e,70,6c,##hex:20,26,46,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,41,64,76,4e,6f,74,69,66,79,5c,74,65,73,74,2e,70,6c,
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU##Cache##hex:af,6f,00,00,d0,00,00,00,b0,04,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,##hex:af,6f,00,00,d7,00,00,00,b0,04,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main##Window_Placement##hex:2c,00,00,00,02,00,00,00,03,00,00,00,00,83,ff,ff,00,83,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,2c,00,00,00,2c,00,00,00,2c,03,00,00,45,02,00,00,##hex:2c,00,00,00,02,00,00,00,03,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,42,00,00,00,42,00,00,00,42,03,00,00,5b,02,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs##url1##"http://www.microsoft.com"##"http://mail.yahoo.com/"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs##url2##"http://officeupdate.microsoft.com/downloadDetails/sr1off97detail.htm"##"http://www.informit.com/"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs##url3##"http://www.microsoft.com/"##"http://www.microsoft.com"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs##url4##"http://www.informit.com/"##"http://officeupdate.microsoft.com/downloadDetails/sr1off97detail.htm"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs##url5##"http://mail22.bigmailbox.com/users/hackeram"##"http://www.microsoft.com/"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs##url6##"http://mail.yahoo.com/"##"http://mail22.bigmailbox.com/users/hackeram"
HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Shortcut Bar##LastToolbar##dword:00000000##dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Shortcut Bar\Toolbars\Desktop##Buttons##hex:00,80,80,20,4d,79,20,43,6f,6d,70,75,74,65,72,00,20,4e,65,74,77,6f,72,6b,20,4e,65,69,67,68,62,6f,72,68,6f,6f,64,00,20,52,65,63,79,63,6c,65,20,42,69,6e,00,20,49,6e,74,65,72,6e,65,74,20,45,78,70,6c,6f,72,65,72,00,20,41,56,47,20,36,2e,30,2e,6c,6e,6b,00,20,43,6f,6d,6d,61,6e,64,20,50,72,6f,6d,70,74,2e,6c,6e,6b,00,20,45,64,69,74,50,61,64,20,43,6c,61,73,73,69,63,2e,6c,6e,6b,00,20,45,75,64,6f,72,61,2e,6c,6e,6b,00,20,53,6f,75,6e,64,20,46,6f,72,67,65,20,34,2e,35,2e,6c,6e,6b,00,20,53,79,6d,70,61,74,69,63,6f,2e,6c,6e,6b,00,20,57,49,4e,41,4d,50,2e,4c,4e,4b,00,20,57,69,6e,64,6f,77,73,20,4e,54,20,45,78,70,6c,6f,72,65,72,2e,6c,6e,6b,00,20,57,69,6e,5a,69,70,2e,6c,6e,6b,00,20,58,6e,65,77,73,2e,6c,6e,6b,00,00,05,00,02,00,00,00,##hex:00,80,80,20,4d,79,20,43,6f,6d,70,75,74,65,72,00,20,4e,65,74,77,6f,72,6b,20,4e,65,69,67,68,62,6f,72,68,6f,6f,64,00,20,52,65,63,79,63,6c,65,20,42,69,6e,00,20,49,6e,74,65,72,6e,65,74,20,45,78,70,6c,6f,72,65,72,00,20,41,56,47,20,36,2e,30,2e,6c,6e,6b,00,20,43,6f,6d,6d,61,6e,64,20,50,72,6f,6d,70,74,2e,6c,6e,6b,00,20,45,64,69,74,50,61,64,20,43,6c,61,73,73,69,63,2e,6c,6e,6b,00,20,45,75,64,6f,72,61,2e,6c,6e,6b,00,20,53,6f,75,6e,64,20,46,6f,72,67,65,20,34,2e,35,2e,6c,6e,6b,00,20,53,79,6d,70,61,74,69,63,6f,2e,6c,6e,6b,00,20,57,49,4e,41,4d,50,2e,4c,4e,4b,00,20,57,69,6e,64,6f,77,73,20,4e,54,20,45,78,70,6c,6f,72,65,72,2e,6c,6e,6b,00,20,57,69,6e,5a,69,70,2e,6c,6e,6b,00,20,58,6e,65,77,73,2e,6c,6e,6b,00,20,70,65,72,6c,20,64,69,67,65,73,74,2e,74,78,74,00,00,05,00,01,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Shortcut Bar\Toolbars\Programs##BtnFaces##"Pro5"##"Pro1"
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\128.11.60.80##Tag##dword:00000004##dword:00000003
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\128.11.60.80##LastModified##dword:39c02c37##dword:39c30387
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\209.226.175.83##Tag##dword:00000003##dword:00000002
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\209.226.175.83##LastModified##dword:39be5507##dword:39c3b104
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\216.94.184.160##Tag##dword:00000004##dword:00000003
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\216.94.184.160##LastModified##dword:39bc6476##dword:39c3bb6a
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\216.95.147.195##Tag##dword:00000003##dword:00000002
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses\216.95.147.195##LastModified##dword:39bc646d##dword:39c3036a
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer##DirectoryCols##hex:22,01,3c,00,78,00,78,00,3c,00,##hex:e4,00,68,00,78,00,78,00,3c,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer##Shutdown Setting##dword:00000002##dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs##a##hex:68,00,65,00,72,00,6f,00,73,00,2e,00,68,00,74,00,6d,00,6c,00,00,00,1e,00,30,00,00,00,00,00,00,00,00,00,00,00,68,65,72,6f,73,2e,68,74,6d,6c,2e,6c,6e,6b,00,00,00,00,##hex:4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,4f,00,66,00,66,00,69,00,63,00,65,00,20,00,39,00,37,00,2c,00,20,00,50,00,72,00,6f,00,66,00,65,00,73,00,73,00,69,00,6f,00,6e,00,61,00,6c,00,20,00,45,00,64,00,69,00,74,00,69,00,6f,00,6e,00,20,00,2d,00,20,00,4d,00,6f,00,64,00,69,00,66,00,69,00,65,00,64,00,20,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,00,2e,00,74,00,78,00,74,00,00,00,55,00,30,00,00,00,00,00,00,00,00,00,00,00,4d,69,63,72,6f,73,6f,66,74,20,4f,66,66,69,63,65,20,39,37,2c,20,50,72,6f,66,65,73,73,69,6f,6e,61,6c,20,45,64,69,74,69,6f,6e,20,2d,20,4d,6f,64,69,66,69,65,64,20,52,65,67,69,73,74,72,79,2e,74,78,74,2e,6c,6e,6b,00,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs##MRUList##"dkohbnefmlaijcg"##"aijdkhcgobnefml"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs##c##hex:72,00,69,00,63,00,68,00,61,00,72,00,64,00,30,00,38,00,2e,00,6a,00,70,00,67,00,00,00,21,00,30,00,00,00,00,00,00,00,00,00,00,00,72,69,63,68,61,72,64,30,38,2e,6a,70,67,2e,6c,6e,6b,00,00,00,00,##hex:41,00,64,00,76,00,4e,00,6f,00,74,00,69,00,66,00,79,00,20,00,64,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,61,00,74,00,69,00,6f,00,6e,00,2e,00,68,00,74,00,6d,00,00,00,2f,00,30,00,00,00,00,00,00,00,00,00,00,00,41,64,76,4e,6f,74,69,66,79,20,64,6f,63,75,6d,65,6e,74,61,74,69,6f,6e,2e,68,74,6d,2e,6c,6e,6b,00,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs##g##hex:72,00,69,00,63,00,68,00,61,00,72,00,64,00,30,00,38,00,2e,00,62,00,6d,00,70,00,00,00,21,00,30,00,00,00,00,00,00,00,00,00,00,00,72,69,63,68,61,72,64,30,38,2e,62,6d,70,2e,6c,6e,6b,00,00,00,00,##hex:62,00,6f,00,6f,00,74,00,2e,00,69,00,6e,00,69,00,00,00,1c,00,30,00,00,00,00,00,00,00,00,00,00,00,62,6f,6f,74,2e,69,6e,69,2e,6c,6e,6b,00,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs##i##hex:43,00,44,00,20,00,50,00,72,00,6f,00,67,00,2e,00,6d,00,33,00,75,00,00,00,1f,00,30,00,00,00,00,00,00,00,00,00,00,00,43,44,20,50,72,6f,67,2e,6d,33,75,2e,6c,6e,6b,00,00,00,00,##hex:4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,4f,00,66,00,66,00,69,00,63,00,65,00,20,00,39,00,37,00,2c,00,20,00,50,00,72,00,6f,00,66,00,65,00,73,00,73,00,69,00,6f,00,6e,00,61,00,6c,00,20,00,45,00,64,00,69,00,74,00,69,00,6f,00,6e,00,20,00,2d,00,20,00,44,00,65,00,6c,00,65,00,74,00,65,00,64,00,20,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,00,2e,00,74,00,78,00,74,00,00,00,54,00,30,00,00,00,00,00,00,00,00,00,00,00,4d,69,63,72,6f,73,6f,66,74,20,4f,66,66,69,63,65,20,39,37,2c,20,50,72,6f,66,65,73,73,69,6f,6e,61,6c,20,45,64,69,74,69,6f,6e,20,2d,20,44,65,6c,65,74,65,64,20,52,65,67,69,73,74,72,79,2e,74,78,74,2e,6c,6e,6b,00,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs##j##hex:30,00,32,00,37,00,2e,00,77,00,61,00,76,00,00,00,1b,00,30,00,00,00,00,00,00,00,00,00,00,00,30,32,37,2e,77,61,76,2e,6c,6e,6b,00,00,00,00,##hex:70,00,65,00,72,00,6c,00,20,00,64,00,69,00,67,00,65,00,73,00,74,00,2e,00,74,00,78,00,74,00,00,00,23,00,30,00,00,00,00,00,00,00,00,00,00,00,70,65,72,6c,20,64,69,67,65,73,74,2e,74,78,74,2e,6c,6e,6b,00,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count##HRZR_PGYFRFFVBA##hex:19,fa,00,0e,09,00,00,00,##hex:6d,00,01,0e,0b,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count##HRZR_HVGBBYONE##hex:09,00,00,00,e1,00,00,00,20,03,92,6b,80,1f,c0,01,##hex:0a,00,00,00,e5,00,00,00,b0,0e,58,b5,0b,20,c0,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count##HRZR_HVGBBYONE:0k1,120##hex:09,00,00,00,b1,00,00,00,20,03,92,6b,80,1f,c0,01,##hex:0a,00,00,00,b5,00,00,00,b0,0e,58,b5,0b,20,c0,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count##HRZR_PGYFRFFVBA##hex:19,fa,00,0e,09,00,00,00,##hex:6d,00,01,0e,0b,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections##SavedLegacySettings##hex:3c,00,00,00,4d,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,##hex:3c,00,00,00,54,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
HKEY_LOCAL_MACHINE\SOFTWARE\Aureate\V3\Servers##@##"http://ans3.adsoftware.com/"##"http://ans2.adsoftware.com/"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoRun\5\DefaultIcon##@##"F:\i386\autorun.exe,0"##"F:\ecdc.ICO"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AutoRun\5\Shell\AutoRun\command##@##"F:\i386\autorun.exe"##"F:\AUTORUN.EXE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc##UuidSequenceNumber##dword:f9a9302b##dword:f9a9302f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability##LastAliveStamp##hex:d0,07,09,00,06,00,10,00,03,00,07,00,24,00,1c,03,##hex:d0,07,09,00,01,00,12,00,02,00,24,00,00,00,f7,01,
HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm\Registration\2.1.25##LastCheckDate##dword:39c254a0##dword:39c3b0f9
HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData##NetworkAddress##hex:b1,1b,2e,8d,80,02,##hex:ca,4d,5e,cb,91,02,
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows##ShutdownTime##hex:49,8d,40,9f,87,1f,c0,01,##hex:49,25,04,27,23,20,c0,01,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad##State##hex:1a,00,00,00,fc,ff,ff,ff,fc,ff,ff,ff,08,04,00,00,ec,02,00,00,04,00,00,00,01,01,##hex:1a,00,00,00,fc,ff,ff,ff,fc,ff,ff,ff,e7,03,00,00,ec,02,00,00,04,00,00,00,01,01,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad##LastDir##"D:\Dev\Perl\site\lib\Win32\"##"D:\WINNT\Profiles\Administrator\Desktop\"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item0##hex:2a,26,30,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,73,69,74,65,5c,6c,69,62,5c,57,69,6e,33,32,5c,41,64,76,4e,6f,74,69,66,79,2e,70,6d,##hex:3a,26,30,20,44,3a,5c,57,49,4e,4e,54,5c,50,72,6f,66,69,6c,65,73,5c,41,64,6d,69,6e,69,73,74,72,61,74,6f,72,5c,44,65,73,6b,74,6f,70,5c,70,65,72,6c,20,64,69,67,65,73,74,2e,74,78,74,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item3##hex:18,26,33,20,44,3a,5c,44,65,76,5c,54,65,73,74,5c,74,65,73,74,31,2e,6c,6f,67,##hex:14,26,33,20,44,3a,5c,54,65,73,74,5c,74,65,73,74,31,2e,6c,6f,67,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item4##hex:29,26,34,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,66,69,6c,65,74,65,73,74,2e,70,6c,##hex:27,26,34,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,6e,65,77,6c,6f,67,2e,70,6c,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item5##hex:1d,26,35,20,44,3a,5c,44,65,76,5c,65,2d,43,6f,6d,6d,65,72,63,65,5c,63,61,74,2e,68,74,6d,6c,##hex:18,26,35,20,44,3a,5c,44,65,76,5c,54,65,73,74,5c,74,65,73,74,31,2e,6c,6f,67,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item6##hex:1f,26,36,20,44,3a,5c,44,65,76,5c,65,2d,43,6f,6d,6d,65,72,63,65,5c,69,6e,64,65,78,2e,68,74,6d,6c,##hex:2a,26,36,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,73,69,74,65,5c,6c,69,62,5c,57,69,6e,33,32,5c,41,64,76,4e,6f,74,69,66,79,2e,70,6d,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item7##hex:2d,26,37,20,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,41,67,69,6c,65,5c,46,6c,6f,79,64,6d,61,6e,5c,69,6e,64,65,78,2e,68,74,6d,6c,##hex:29,26,37,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,66,69,6c,65,74,65,73,74,2e,70,6c,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item8##hex:21,26,38,20,44,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,58,4e,65,77,73,5c,73,69,67,2e,74,78,74,##hex:1d,26,38,20,44,3a,5c,44,65,76,5c,65,2d,43,6f,6d,6d,65,72,63,65,5c,63,61,74,2e,68,74,6d,6c,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item9##hex:3d,26,39,20,44,3a,5c,64,6f,77,6e,6c,6f,61,64,73,5c,48,61,63,6b,5c,64,6f,63,73,5c,43,6f,6d,6d,6f,6e,20,53,79,73,74,65,6d,20,49,6e,74,72,75,73,69,6f,6e,20,4d,65,74,68,6f,64,73,2e,74,78,74,##hex:1f,26,39,20,44,3a,5c,44,65,76,5c,65,2d,43,6f,6d,6d,65,72,63,65,5c,69,6e,64,65,78,2e,68,74,6d,6c,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item10##hex:27,26,41,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,65,72,72,6f,72,2e,6c,6f,67,##hex:2d,26,41,20,43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,41,67,69,6c,65,5c,46,6c,6f,79,64,6d,61,6e,5c,69,6e,64,65,78,2e,68,74,6d,6c,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item11##hex:2a,26,42,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,4c,6f,67,20,41,67,65,6e,74,2e,70,6c,##hex:21,26,42,20,44,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,58,4e,65,77,73,5c,73,69,67,2e,74,78,74,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item12##hex:20,26,43,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,41,64,76,4e,6f,74,69,66,79,5c,74,65,73,74,2e,70,6c,##hex:3d,26,43,20,44,3a,5c,64,6f,77,6e,6c,6f,61,64,73,5c,48,61,63,6b,5c,64,6f,63,73,5c,43,6f,6d,6d,6f,6e,20,53,79,73,74,65,6d,20,49,6e,74,72,75,73,69,6f,6e,20,4d,65,74,68,6f,64,73,2e,74,78,74,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item13##hex:26,26,44,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,77,61,74,63,68,2e,70,6c,##hex:27,26,44,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,65,72,72,6f,72,2e,6c,6f,67,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item14##hex:1c,26,45,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,61,6c,70,68,61,2e,70,6c,##hex:2a,26,45,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,4c,6f,67,20,41,67,65,6e,74,5c,4c,6f,67,20,41,67,65,6e,74,2e,70,6c,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\JG\EditPad\Reopen##Item15##hex:1c,26,46,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,57,6f,72,6b,5c,62,6c,61,6e,6b,2e,70,6c,##hex:20,26,46,20,44,3a,5c,44,65,76,5c,50,65,72,6c,5c,41,64,76,4e,6f,74,69,66,79,5c,74,65,73,74,2e,70,6c,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Internet Explorer\International\CpMRU##Cache##hex:af,6f,00,00,d0,00,00,00,b0,04,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,##hex:af,6f,00,00,d7,00,00,00,b0,04,00,00,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Internet Explorer\Main##Window_Placement##hex:2c,00,00,00,02,00,00,00,03,00,00,00,00,83,ff,ff,00,83,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,2c,00,00,00,2c,00,00,00,2c,03,00,00,45,02,00,00,##hex:2c,00,00,00,02,00,00,00,03,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,42,00,00,00,42,00,00,00,42,03,00,00,5b,02,00,00,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Internet Explorer\TypedURLs##url1##"http://www.microsoft.com"##"http://mail.yahoo.com/"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Internet Explorer\TypedURLs##url2##"http://officeupdate.microsoft.com/downloadDetails/sr1off97detail.htm"##"http://www.informit.com/"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Internet Explorer\TypedURLs##url3##"http://www.microsoft.com/"##"http://www.microsoft.com"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Internet Explorer\TypedURLs##url4##"http://www.informit.com/"##"http://officeupdate.microsoft.com/downloadDetails/sr1off97detail.htm"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Internet Explorer\TypedURLs##url5##"http://mail22.bigmailbox.com/users/hackeram"##"http://www.microsoft.com/"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Internet Explorer\TypedURLs##url6##"http://mail.yahoo.com/"##"http://mail22.bigmailbox.com/users/hackeram"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Office\8.0\Shortcut Bar##LastToolbar##dword:00000000##dword:00000001
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Office\8.0\Shortcut Bar\Toolbars\Desktop##Buttons##hex:00,80,80,20,4d,79,20,43,6f,6d,70,75,74,65,72,00,20,4e,65,74,77,6f,72,6b,20,4e,65,69,67,68,62,6f,72,68,6f,6f,64,00,20,52,65,63,79,63,6c,65,20,42,69,6e,00,20,49,6e,74,65,72,6e,65,74,20,45,78,70,6c,6f,72,65,72,00,20,41,56,47,20,36,2e,30,2e,6c,6e,6b,00,20,43,6f,6d,6d,61,6e,64,20,50,72,6f,6d,70,74,2e,6c,6e,6b,00,20,45,64,69,74,50,61,64,20,43,6c,61,73,73,69,63,2e,6c,6e,6b,00,20,45,75,64,6f,72,61,2e,6c,6e,6b,00,20,53,6f,75,6e,64,20,46,6f,72,67,65,20,34,2e,35,2e,6c,6e,6b,00,20,53,79,6d,70,61,74,69,63,6f,2e,6c,6e,6b,00,20,57,49,4e,41,4d,50,2e,4c,4e,4b,00,20,57,69,6e,64,6f,77,73,20,4e,54,20,45,78,70,6c,6f,72,65,72,2e,6c,6e,6b,00,20,57,69,6e,5a,69,70,2e,6c,6e,6b,00,20,58,6e,65,77,73,2e,6c,6e,6b,00,00,05,00,02,00,00,00,##hex:00,80,80,20,4d,79,20,43,6f,6d,70,75,74,65,72,00,20,4e,65,74,77,6f,72,6b,20,4e,65,69,67,68,62,6f,72,68,6f,6f,64,00,20,52,65,63,79,63,6c,65,20,42,69,6e,00,20,49,6e,74,65,72,6e,65,74,20,45,78,70,6c,6f,72,65,72,00,20,41,56,47,20,36,2e,30,2e,6c,6e,6b,00,20,43,6f,6d,6d,61,6e,64,20,50,72,6f,6d,70,74,2e,6c,6e,6b,00,20,45,64,69,74,50,61,64,20,43,6c,61,73,73,69,63,2e,6c,6e,6b,00,20,45,75,64,6f,72,61,2e,6c,6e,6b,00,20,53,6f,75,6e,64,20,46,6f,72,67,65,20,34,2e,35,2e,6c,6e,6b,00,20,53,79,6d,70,61,74,69,63,6f,2e,6c,6e,6b,00,20,57,49,4e,41,4d,50,2e,4c,4e,4b,00,20,57,69,6e,64,6f,77,73,20,4e,54,20,45,78,70,6c,6f,72,65,72,2e,6c,6e,6b,00,20,57,69,6e,5a,69,70,2e,6c,6e,6b,00,20,58,6e,65,77,73,2e,6c,6e,6b,00,20,70,65,72,6c,20,64,69,67,65,73,74,2e,74,78,74,00,00,05,00,01,00,00,00,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Office\8.0\Shortcut Bar\Toolbars\Programs##BtnFaces##"Pro5"##"Pro1"
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\128.11.60.80##Tag##dword:00000004##dword:00000003
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\128.11.60.80##LastModified##dword:39c02c37##dword:39c30387
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\209.226.175.83##Tag##dword:00000003##dword:00000002
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\209.226.175.83##LastModified##dword:39be5507##dword:39c3b104
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\216.94.184.160##Tag##dword:00000004##dword:00000003
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\216.94.184.160##LastModified##dword:39bc6476##dword:39c3bb6a
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\216.95.147.195##Tag##dword:00000003##dword:00000002
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\RAS Autodial\Addresses\216.95.147.195##LastModified##dword:39bc646d##dword:39c3036a
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Explorer##DirectoryCols##hex:22,01,3c,00,78,00,78,00,3c,00,##hex:e4,00,68,00,78,00,78,00,3c,00,
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Explorer##Shutdown Setting##dword:00000002##dword:00000001
HKEY_USERS\S-1-5-21-1114705054-1084767886-68360779-500\Software\Microsoft\Windows\CurrentVersion\Explorer\DesktopStreams\1##CabView##hex:40,00,00,00,00,00,00,00,01,00,00,00,10,00,00,00,00,00,00,00,30,1b,5a,01,00,00,00,00,fe,ff,ff,ff,e4,02,00,00,02,04,00,00,02,03,00,00,d4,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,##hex:40,00,00,00,00,00,00,00,01,00,00,00,10,00,00,00,00,00,00,00,30,1b,5a,01,00,00,00,00,fe,ff,ff,ff,e4,02,00,00,02,04,00,00,02,03,00,00,bc,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
End of log files
OK, here's all of it, skimmed version. First of all, I made this analysis by looking at each of these export files, but for a more precise result for time tracking, you should combine Added files and Modified files together in an Excel file, and sort it by Time after. This will give you a better chronological picture of what follows here. Also note that when I ran my test, skipit.dll was present in my InstallRite program folder. This .dll file lets the program skip certain specific items, like pagefile.sys, win386.swp, Temporary Internet files, and the InstallRite program folder itself (I may have forgotten one or two here). Removing skipit.dll from this folder will let you consider 100% of the machine. This means that if I had erased skipit.dll (I actually forgot when I did my test), there would be even more data being collected.
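The merge-and-sort step described above can also be scripted for forensic review of a snapshot diff. This is an added example, not part of the original text or of InstallRite: the three "Added files" rows are copied from this page, while the "Modified files" heading text, its two rows and the 30-minute session gap are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Timestamp shape used in the export, e.g. "9/16/00 1:21:41 AM".
TS_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M$")
TS_FMT = "%m/%d/%y %I:%M:%S %p"

# "Added files" rows come from this page. The "Modified files" section is
# constructed sample data, assuming such rows carry all eleven header columns.
SAMPLE_EXPORT = r"""Added files
File name##Size Before##Size After##Attrib before##Attrib after##Date before##Date after##Version before##Version after##CRC before##CRC after
D:\WINNT\Profiles\Administrator\Recent\boot.ini.lnk##1KB##A##9/15/00 11:10:10 PM####f66c2a9f
D:\WINNT\Profiles\Administrator\Recent\AdvNotify documentation.htm.lnk##1KB##A##9/16/00 1:07:42 AM####5cdd862e
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\element_004[1].html##278KB##A##9/16/00 1:23:30 AM####f5cd0a20
Modified files
File name##Size Before##Size After##Attrib before##Attrib after##Date before##Date after##Version before##Version after##CRC before##CRC after
D:\Example\Mail\out.toc##2KB##3KB##A##A##9/14/00 8:15:00 PM##9/16/00 1:40:05 AM######1111aaaa##2222bbbb
D:\Example\Logs\test1.log##1KB##1KB##A##A##9/15/00 11:05:00 PM##9/15/00 11:12:30 PM######3333cccc##4444dddd
"""


def parse_row(line, category):
    """Return (timestamp, category, path), or None for header/undated rows.

    The header lists "Date before" ahead of "Date after", so the last
    timestamp-shaped field is taken as the "after" time. This works both for
    added rows (one date) and for rows that carry both dates.
    """
    fields = line.rstrip("\r\n").split("##")
    stamps = [f.strip() for f in fields[1:] if TS_RE.match(f.strip())]
    if not stamps:
        return None
    return (datetime.strptime(stamps[-1], TS_FMT), category, fields[0])


def build_timeline(export_text):
    """Merge every section of the export into one list sorted by time after."""
    events, section = [], "unknown"
    for line in export_text.splitlines():
        if not line.strip():
            continue
        if "##" not in line:          # a section title such as "Added files"
            section = line.strip()
            continue
        row = parse_row(line, section)
        if row is not None:
            events.append(row)
    return sorted(events, key=lambda event: event[0])


def sessions(timeline, max_gap=timedelta(minutes=30)):
    """Split the timeline into bursts of activity separated by idle gaps."""
    groups = []
    for event in timeline:
        if groups and event[0] - groups[-1][-1][0] <= max_gap:
            groups[-1].append(event)
        else:
            groups.append([event])
    return groups


if __name__ == "__main__":
    for number, group in enumerate(sessions(build_timeline(SAMPLE_EXPORT)), 1):
        print(f"--- session {number} ---")
        for when, category, path in group:
            print(f"{when:%Y-%m-%d %H:%M:%S}  {category:<14}  {path}")
```
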
So, as you noticed, there's a lot of data, and I didn't use my computer all that much in that time frame. Much less than say, a guy working in an office working on all sorts of documents and contracts for his company on his computer. I will treat this data sequentially, as if this was all in the "same day", because as you can tell, I did this after regular work hours. Interpreting it all as 1 "work day" will keep things simplified here.
In Added files, we can see that I worked in my boot.ini file that is in my Windows 95 partition (C:/ on a dual-boot machine). I mention this because it was out of the scan scope, but it still found a way into the Recent files, thus leaving a trace. Then I proceeded to read the AdvNotify documentation (a Perl module I use for my tool Log Agent). Then, I needed some help with my Perl, so I launched Internet Explorer, which loaded my default page. I then proceeded to InformIT, and we can even tell that I was checking for a book in the web_developer category. We can't tell the title of the book I viewed, but you can tell that I checked chapter 4.
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\;cat=developer;cat=web_developer;ord=572203314287611260[1].html##2KB##A##9/16/00 1:22:39 AM####bc6c359b
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\;sz=1x1;abr=!webtv;site=informit;ord=6648850554683242[1]##1KB##A##9/16/00 1:22:42 AM####9921ba9f
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\element_004[1].html##278KB##A##9/16/00 1:23:30 AM####f5cd0a20
You could probably use the information found there (the original data, not the sanitized) to recreate the original URL and get the exact book title and chapter content. Then I was tired and needed some relaxing, so I went on and read a couple of BOFH (Bastard Operator From Hell). Then I made a file called Perl digest, containing effectively the digest of the day of a Perl mailing list. I was working hard on learning and debugging Perl at the time...
Then I checked my mail with Eudora, did the same thing with mail.yahoo.com (notice that I had closed and re-launched IE, since the default homepage is showing again). My Yahoo cookie has been used by the site, so it shows here also. Then I worked with Log Agent (newlog.pl) before checking my mail one last time. In Recent files, you see some Export file from InstallRite (as I was working on another project, I previously hid the snapshot file so InstallRite would behave as if nothing happened).
In modified files, we can see here again that I effectively launched IE and Eudora, but also XNews. You know that I sent some mail (entry with out.toc). Some event got logged in ZoneAlarm log file. Then I updated my various projects status in the To Do utility in Genius3 (which I'm currently trying). There's some data from Cookie Crusher. Then I launched the Command prompt (I actually launched it twice, but since it was the same icon, only the last instance is spotted). For some reason I don't remember, I checked something on one of my homepages, probably adding a link or something (I'm just too multitasking sometimes...). test1.log and test2.log are test files I used with Log Agent. Then there's some data about WinAmp, the Event Viewer logs, GetRight and Port Guardian log (a Genius3 utility). These last items are modified at each boot, so what is showing is the last boot.
One wouldn't expect to find much in the deleted files, and one would be mistaken to think this. This is a little gravy, thanks to the way Windows works. You actually have some data relating to uses PRIOR to the snooping window. Mostly old "Recent" files being deleted to make room for new ones, and some Internet temporary files, always useful to get some info about internet usage. Namely, you can see that I recently worked with a JPG/BMP file, a WAV file and an MP3 playlist (M3U). You can also see that I deleted that stupid icon to install IE3.0 that goes automatically on your desktop when you install MS-Office.
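The file rows in the export are regular enough to be ordered into a timeline mechanically, which is how an examiner reviewing such a snapshot diff would read them. The following Python is an added example, not part of the original article or of InstallRite; the six-column layout for added rows and the labels returned by `classify` are assumptions inferred from the rows shown on this page.

```python
from datetime import datetime

# Header and rows copied from the "Added files" export on this page. Added rows
# carry only the "after" columns: name, size, attributes, date, version, CRC.
SAMPLE_ROWS = r"""
File name##Size Before##Size After##Attrib before##Attrib after##Date before##Date after##Version before##Version after##CRC before##CRC after
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\IU46YERF\element_004[1].html##278KB##A##9/16/00 1:23:30 AM####f5cd0a20
D:\WINNT\Profiles\Administrator\Recent\boot.ini.lnk##1KB##A##9/15/00 11:10:10 PM####f66c2a9f
D:\TEMP\Temporary Internet Files\Temporary Internet Files\Content.IE5\5U7WUVTX\;sz=1x1;abr=!webtv;site=informit;ord=6648850554683242[1]##1KB##A##9/16/00 1:22:42 AM####9921ba9f
D:\WINNT\Profiles\Administrator\Recent\AdvNotify documentation.htm.lnk##1KB##A##9/16/00 1:07:42 AM####5cdd862e
""".strip().splitlines()

ADDED_COLUMNS = ("path", "size", "attrib", "date", "version", "crc")  # assumed layout

def classify(path):
    """Label what kind of user activity a path is evidence of (assumed labels)."""
    p = path.lower()
    if "\\recent\\" in p and p.endswith(".lnk"):
        return "document opened"
    if "\\temporary internet files\\" in p:
        return "web cache"
    return "other"

def parse_added_row(line):
    """Return a dict for one added-file row, or None for headers and bad rows."""
    fields = line.split("##")
    if len(fields) != len(ADDED_COLUMNS):
        return None
    row = dict(zip(ADDED_COLUMNS, fields))
    try:
        row["when"] = datetime.strptime(row["date"], "%m/%d/%y %I:%M:%S %p")
    except ValueError:
        return None
    row["activity"] = classify(row["path"])
    return row

def timeline(lines):
    """Parse rows, drop unparseable ones, and order by the 'date after' field."""
    rows = [r for r in map(parse_added_row, lines) if r is not None]
    return sorted(rows, key=lambda r: r["when"])

if __name__ == "__main__":
    for r in timeline(SAMPLE_ROWS):
        name = r["path"].rsplit("\\", 1)[-1]
        print(r["when"].isoformat(sep=" "), r["activity"].ljust(15), name)
```

The header line is skipped because it has eleven fields rather than six, so the same function can be fed the whole "Added files" section unchanged.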
The INI files, on the other hand, prove to be rather thin. They just give us some info about window positioning for some software packages, nothing really relevant.
Now, the icing on the cake: the traces left in the Registry. Unfortunately, registry entries don't carry a date to track their last modification, which makes it impossible to determine the chronological order of the events. But it still provides a wealth of information, and matched with what we already gathered from the file trace, we should be able to define pretty accurately how our victim spent his time at the computer.
Added Registry shows that I tried to install a printer, but it didn't work because I turned the RPC services off on my machine (why would I remotely call procedures on my local machine?). There's an entry about Adaptec CD-Creator, and I have no idea what it is doing there. Then some modification to the MS Office shortcut bar. What comes next aroused my curiosity.
There is a series of RAS Autodial entries which contains IP addresses and some domain names. I checked the IP addresses, and they came from several locations: my ISP news server, one of the servers at Yahoo, some routers, a web-based ad distributor server (ugh!), a time-out...
Deleted registry entries look pretty much the same in structure, but with different data. We can assume that this works in a similar way to the "Recent" folder. So we see more IP addresses relating this time to Topica, InfiniT, MSN.com and Dilbert, all sites I visited recently.
Modified registry entries reveal a little more. We can see information related to the files I opened with EditPad (a Notepad replacement). It is hexadecimal data, but it would probably be easy to find out the file names and paths by using EditPad ourselves and importing this data into our registry. We would probably be able to use the re-open menu in EditPad, and it would show us the file list. Then we get to see clearly some of my recently visited web sites, as they get bumped by one position in the list. Note that I didn't have to visit these sites for them to appear here. Then there are some Autodial entries, and some configuration entries for running software.
What comes next, I don't know. If someone knows what these entries relating to "Streams" and "StreamsMRU" are about, please let me know. I first spotted these entries when I made my first experiment for the Tripwire system. I don't know exactly what they are, but they get generated a lot, sometimes even if you're not doing anything with your machine between the scan and the analyze.