Logon User Name Software\Microsoft\Windows\CurrentVersion\Explorer LastWrite Time [Fri Oct 1 14:34:54 2010 (UTC)] ---------------------------------------- Control Panel\Desktop AutoEndTasks value not found. ---------------------------------------- Software\Microsoft\Windows\CurrentVersion\Policies\Explorer not found. ---------------------------------------- Software\Microsoft\Search Assistant\ACMru not found. ---------------------------------------- Adoberdr v.20100218 Adobe Acrobat Reader version 9.0 located. Software\Adobe\Acrobat Reader\9.0\AVGeneral\cRecentFiles Most recent PDF opened: Thu Sep 30 17:31:59 2010 (UTC) c1 /C/Users/Wolfe/Downloads/forensics (1).pdf ---------------------------------------- Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users not found. ---------------------------------------- Applets Software\Microsoft\Windows\CurrentVersion\Applets LastWrite Time Thu Sep 30 16:31:01 2010 (UTC) Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List not found. ---------------------------------------- comdlg32 v.20100402 Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU not found. Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU not found. ---------------------------------------- Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions not found. ---------------------------------------- Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel not found. ---------------------------------------- listsoft v.20080324 List the contents of the Software key in the NTUSER.DAT hive file, in order by LastWrite time. Fri Oct 1 14:17:01 2010Z Microsoft Thu Sep 30 17:31:02 2010Z Adobe Thu Sep 30 17:11:22 2010Z Macromedia Fri Sep 17 17:53:34 2010Z JavaSoft Fri Sep 17 16:45:11 2010Z OpenOffice.org Fri Sep 17 16:44:32 2010Z Netscape Fri Sep 17 16:41:34 2010Z VB and VBA Program Settings Fri Sep 17 16:38:34 2010Z HardDriveEraser Fri Sep 17 15:54:05 2010Z WinRAR SFX Fri Sep 17 15:40:39 2010Z Google Fri Sep 17 15:39:09 2010Z ALWIL Software Fri Sep 17 15:39:09 2010Z MozillaPlugins Thu Sep 16 15:47:44 2010Z AppDataLow Thu Sep 16 15:38:24 2010Z Policies ---------------------------------------- SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run not found. ---------------------------------------- load Software\Microsoft\Windows NT\CurrentVersion\Windows LastWrite Time Thu Sep 16 15:38:26 2010 (UTC) load value not found. run value not found. ---------------------------------------- MMC - Recent File List Software\Microsoft\Microsoft Management Console\Recent File List LastWrite Time Fri Oct 1 14:30:29 2010 (UTC) File1 -> C:\Windows\system32\compmgmt.msc ---------------------------------------- Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU not found. ---------------------------------------- MountPoints2 Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 LastWrite Time Fri Oct 1 13:59:32 2010 (UTC) Remote Drives: Volumes: Fri Oct 1 14:07:43 2010 (UTC) {e8fee801-cd63-11df-b483-001d6005034b} Fri Oct 1 11:49:56 2010 (UTC) {c8274d68-ccac-11df-9d0d-001d6005034b} Thu Sep 30 17:04:48 2010 (UTC) {c8274d6f-ccac-11df-9d0d-001d6005034b} Mon Sep 20 18:48:20 2010 (UTC) {c21c3b82-c1b4-11df-8520-806e6f6e6963} {c21c3b83-c1b4-11df-8520-806e6f6e6963} {c21c3b84-c1b4-11df-8520-806e6f6e6963} {c21c3b85-c1b4-11df-8520-806e6f6e6963} Mon Sep 20 18:27:50 2010 (UTC) {aaa8f891-c4e4-11df-ba4f-806e6f6e6963} {aaa8f892-c4e4-11df-ba4f-806e6f6e6963} Fri Sep 17 17:00:36 2010 (UTC) {c21c3b74-c1b4-11df-8520-806e6f6e6963} Thu Sep 16 15:46:44 2010 (UTC) {c21c3b70-c1b4-11df-8520-806e6f6e6963} {c21c3b71-c1b4-11df-8520-806e6f6e6963} Drives: Thu Sep 30 16:26:03 2010 (UTC) - Z Thu Sep 16 15:38:27 2010 (UTC) - CPC Analysis Tip: Correlate the Volume entries to those found in the MountedDevices entries that begin with "\??\Volume". ---------------------------------------- Software\Microsoft\MediaPlayer\Player\RecentFileList not found. ---------------------------------------- SOFTWARE\Microsoft\MSPaper* not found. ---------------------------------------- officedocs v.20080324 MSOffice version not found. ---------------------------------------- MSOffice version not found. ---------------------------------------- RecentDocs **All values printed in MRUList\MRUListEx order. Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs LastWrite Time Fri Oct 1 14:34:10 2010 (UTC) 6 = Answers 41 = filelist.txt 37 = 301 File Data Examination Challenge 35 = 301 – Encrypted Device Image.doc 40 = TrueCrypt Keypassword.txt 43 = AllfilesDIRfilelist.txt 42 = afnetfilesDIR.txt 18 = Keypass.txt 5 = System and Security 38 = Passwords.txt 39 = Documents 32 = 301 – File Data Examination.doc 36 = Keypass.rtf 34 = files 33 = forensics (1).pdf 28 = 201 File Data Examination Challenge - Copy 31 = 201 File Data Examination Challenge 27 = 201 – File Data Examination.doc 30 = 401 Shadow Volume Challenge 29 = 401 - Shadow Volume Challenge.doc 26 = *.txt 25 = letter.doc Metadata Information.txt 19 = 2011 DF Challenge Data (D:) 24 = eula.1028.txt 21 = IMAGES 23 = self made.jpg 22 = Images with NO Metadata.rtf 20 = Data Exam Images with Metadata.txt 17 = New Text Document.txt 0 = Appearance and Personalization 16 = SppGroupCache 15 = RP13 14 = change.log 4 = Docs 13 = Prgs 12 = dcfldd-1.3.4.x86win32.zip 8 = Obfuscating the path to forensic examination.odt 9 = Hard Drive Eraser.odt 11 = Artifacts Direct, indirect Computer Forensics- Antiforensics_net.htm 10 = BH2005-Catch_Me_If_You_Can.ppt 1 = Network and Internet 7 = All Control Panel Items 3 = Homegroup PW.xps 2 = HomeGroup Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.doc LastWrite Time Fri Oct 1 11:53:56 2010 (UTC) MRUListEx = 3,2,0,1 3 = 301 – Encrypted Device Image.doc 2 = 301 – File Data Examination.doc 0 = 201 – File Data Examination.doc 1 = 401 - Shadow Volume Challenge.doc Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.htm LastWrite Time Fri Sep 17 16:52:16 2010 (UTC) MRUListEx = 0 0 = Artifacts Direct, indirect Computer Forensics- Antiforensics_net.htm Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg LastWrite Time Thu Sep 30 16:31:50 2010 (UTC) MRUListEx = 0 0 = self made.jpg Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.log LastWrite Time Tue Sep 21 13:41:25 2010 (UTC) MRUListEx = 0 0 = change.log Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.odt LastWrite Time Fri Sep 17 17:44:04 2010 (UTC) MRUListEx = 0,1 0 = Obfuscating the path to forensic examination.odt 1 = Hard Drive Eraser.odt Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pdf LastWrite Time Thu Sep 30 17:31:32 2010 (UTC) MRUListEx = 0 0 = forensics (1).pdf Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.ppt LastWrite Time Fri Sep 17 16:52:06 2010 (UTC) MRUListEx = 0 0 = BH2005-Catch_Me_If_You_Can.ppt Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.rtf LastWrite Time Thu Sep 30 17:44:12 2010 (UTC) MRUListEx = 1,0 1 = Keypass.rtf 0 = Images with NO Metadata.rtf Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt LastWrite Time Fri Oct 1 14:34:10 2010 (UTC) MRUListEx = 8,7,0,9,2,6,5,4,3,1 8 = filelist.txt 7 = TrueCrypt Keypassword.txt 0 = AllfilesDIRfilelist.txt 9 = afnetfilesDIR.txt 2 = Keypass.txt 6 = Passwords.txt 5 = letter.doc Metadata Information.txt 4 = eula.1028.txt 3 = Data Exam Images with Metadata.txt 1 = New Text Document.txt Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.xps LastWrite Time Thu Sep 16 15:47:14 2010 (UTC) MRUListEx = 0 0 = Homegroup PW.xps Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip LastWrite Time Fri Sep 17 17:53:40 2010 (UTC) MRUListEx = 0 0 = dcfldd-1.3.4.x86win32.zip Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder LastWrite Time Fri Oct 1 14:34:10 2010 (UTC) MRUListEx = 16,17,4,18,15,12,14,13,11,9,10,0,8,7,3,6,1,5,2 16 = Answers 17 = 301 File Data Examination Challenge 4 = System and Security 18 = Documents 15 = files 12 = 201 File Data Examination Challenge - Copy 14 = 201 File Data Examination Challenge 13 = 401 Shadow Volume Challenge 11 = *.txt 9 = 2011 DF Challenge Data (D:) 10 = IMAGES 0 = Appearance and Personalization 8 = SppGroupCache 7 = RP13 3 = Docs 6 = Prgs 1 = Network and Internet 5 = All Control Panel Items 2 = HomeGroup ---------------------------------------- Realplayer6 v.20080324 Software\RealNetworks\RealPlayer\6.0\Preferences not found. ---------------------------------------- RunMru Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU LastWrite Time Thu Sep 16 15:47:14 2010 (UTC) Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU has no values. ---------------------------------------- Software\Microsoft\Terminal Server Client\Default not found. ---------------------------------------- Software\Microsoft\Internet Explorer\Main LastWrite Time Fri Sep 17 18:30:26 2010 (UTC) IE8TourShownTime Thu Sep 16 15:47:59 2010 UTC IE8RunOnceLastShown_TIMESTAMP Fri Sep 17 16:52:17 2010 UTC Enable Browser Extensions yes Start Page Redirect Cache AcceptLangs en-us Play_Animations yes XMLHTTP 1 Start Page Redirect Cache http://www.msn.com/ Search Page http://go.microsoft.com/fwlink/?LinkId=54896 IE8TourShown 1 Display Inline Images yes FullScreen no Show_StatusBar yes CompatibilityFlags 0 Disable Script Debugger yes NoUpdateCheck 1 UseClearType no Local Page C:\Windows\system32\blank.htm IE8RunOncePerInstallCompleted 1 NotifyDownloadComplete no Do404Search 1 Show_ToolBar yes Start Page Redirect Cache_TIMESTAMP ®°CºÒUË Save_Session_History_On_Exit no Show_FullURL no Cache_Update_Frequency Once_Per_Session Show_URLinStatusBar yes IE8RunOnceLastShown 1 Show_URLToolBar yes IE8RunOnceCompletionTime ¹Áº·ˆVË Anchor Underline yes Use_DlgBox_Colors yes Start Page http://go.microsoft.com/fwlink/?LinkId=69157 Play_Background_Sounds yes ---------------------------------------- Software\Microsoft\Windows\CurrentVersion\Internet Settings User Agent = Mozilla/4.0 (compatible; MSIE 8.0; Win32) ZonesSecurityUpgrade = Thu Sep 16 15:38:28 2010 (UTC) ---------------------------------------- TypedURLs Software\Microsoft\Internet Explorer\TypedURLs LastWrite Time Fri Sep 17 18:32:04 2010 (UTC) url1 -> http://www.cyber-cloud.com/ url2 -> http://go.microsoft.com/fwlink/?LinkId=69157 ---------------------------------------- Software\Microsoft\Windows\ShellNoRoam\MUICache not found. ---------------------------------------- UserAssist Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist LastWrite Time Thu Sep 16 15:39:37 2010 (UTC) {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} Fri Oct 1 14:34:10 2010 Z {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\NOTEPAD.EXE (19) Fri Oct 1 14:31:16 2010 Z {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\cmd.exe (13) Fri Oct 1 13:59:53 2010 Z Microsoft.AutoGenerated.{935761F8-94E4-FFA7-A8C0-F1AB2CDEC750} (2) Fri Oct 1 11:51:59 2010 Z {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\OpenOffice.org 3\program\\swriter.exe (6) Fri Oct 1 11:12:10 2010 Z TrueCryptFoundation.TrueCrypt (5) Thu Sep 30 17:40:15 2010 Z {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\OpenOffice.org 3\program\swriter.exe (5) Thu Sep 30 17:06:28 2010 Z {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Windows NT\Accessories\WORDPAD.EXE (2) Thu Sep 30 16:55:50 2010 Z {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\rundll32.exe (2) Thu Sep 30 16:52:13 2010 Z Microsoft.Windows.MediaCenter (15) Thu Sep 30 16:52:03 2010 Z Microsoft.Windows.MediaPlayer32 (1) Thu Sep 30 16:18:36 2010 Z Chrome (2) Thu Sep 30 16:11:44 2010 Z C:\Users\Wolfe\Downloads\TrueCrypt Setup 7.0a.exe (1) Fri Sep 17 18:30:25 2010 Z Microsoft.InternetExplorer.Default (12) Fri Sep 17 17:11:01 2010 Z {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Evidence Eliminator\Ee.exe (2) Fri Sep 17 17:05:24 2010 Z {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\SystemPropertiesProtection.exe (2) Fri Sep 17 16:58:27 2010 Z {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\recdisc.exe (1) Fri Sep 17 16:54:43 2010 Z C:\Users\Wolfe\Documents\timestomp.exe (1) Fri Sep 17 16:54:34 2010 Z C:\Users\Wolfe\Documents\slacker.exe (1) Fri Sep 17 16:52:15 2010 Z {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Internet Explorer\iexplore.exe (1) Fri Sep 17 16:49:18 2010 Z {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\OpenOffice.org 3\program\\simpress.exe (1) Fri Sep 17 16:43:25 2010 Z D:\OOo_3.2.1_Win_x86_install-wJRE_en-US.exe (1) Fri Sep 17 16:39:38 2010 Z D:\Prgs\EvidenceEliminator-6.01.exe (1) Fri Sep 17 16:38:42 2010 Z D:\Prgs\ew_demo.exe (1) Fri Sep 17 16:38:25 2010 Z D:\Prgs\HardDriveEraser.exe (1) Fri Sep 17 15:55:53 2010 Z {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Porn Terminator\Proof_concept.exe (3) Fri Sep 17 15:54:01 2010 Z D:\Prgs\PornTerminator(Demo).exe (2) Fri Sep 17 15:31:29 2010 Z D:\Prgs\setup_av_free.exe (1) Thu Sep 16 19:12:13 2010 Z {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\control.exe (1) Thu Sep 16 15:37:50 2010 Z Microsoft.Windows.GettingStarted (14) {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\calc.exe (12) Microsoft.Windows.StickyNotes (11) {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\SnippingTool.exe (10) {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\mspaint.exe (9) Microsoft.Windows.RemoteDesktop (8) {D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\magnify.exe (7) {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Games\Solitaire\solitaire.exe (6) {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} Fri Oct 1 14:31:16 2010 Z {9E3995AB-1F9C-4F13-B827-48B24B6C7174}\TaskBar\Command Prompt.lnk (5) Fri Oct 1 13:59:53 2010 Z C:\Users\Wolfe\Desktop\Computer Management.lnk (1) Fri Oct 1 11:12:10 2010 Z C:\Users\Public\Desktop\TrueCrypt.lnk (5) Fri Oct 1 11:06:28 2010 Z {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Administrative Tools\Computer Management.lnk (1) Thu Sep 30 17:06:28 2010 Z {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Wordpad.lnk (1) Thu Sep 30 16:52:13 2010 Z {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Media Center.lnk (15) Thu Sep 30 16:52:03 2010 Z {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Windows Media Player.lnk (1) Thu Sep 30 16:18:36 2010 Z C:\Users\Public\Desktop\Google Chrome.lnk (2) Tue Sep 21 13:40:14 2010 Z C:\Users\Wolfe\Desktop\cmd - Shortcut.lnk (8) Mon Sep 20 10:22:17 2010 Z C:\Users\Wolfe\Desktop\Processes - Shortcut.lnk (4) Fri Sep 17 18:30:25 2010 Z {9E3995AB-1F9C-4F13-B827-48B24B6C7174}\TaskBar\Internet Explorer.lnk (12) Fri Sep 17 17:11:01 2010 Z {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Evidence Eliminator\Evidence Eliminator.lnk (2) Fri Sep 17 16:58:27 2010 Z {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Maintenance\Create Recovery Disc.lnk (1) Fri Sep 17 15:55:53 2010 Z C:\Users\Public\Desktop\Porn Terminator Demo.lnk (3) Thu Sep 16 19:12:13 2010 Z {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Maintenance\Backup and Restore Center.lnk (1) Thu Sep 16 15:37:50 2010 Z {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Welcome Center.lnk (14) {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Calculator.lnk (12) {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Sticky Notes.lnk (11) {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Snipping Tool.lnk (10) {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Paint.lnk (9) {0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}\Accessories\Remote Desktop Connection.lnk (8) {A77F5D77-2E2B-44C3-A6A2-ABA601054A51}\Accessories\Accessibility\Magnify.lnk (7) ::{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\{00D8862B-6453-4957-A821-3D98D74C76BE} (6) ---------------------------------------- Software\Microsoft\Windows\CurrentVersion\Run LastWrite Time Fri Sep 17 16:41:38 2010 (UTC) Evidence Eliminator -> C:\Program Files\Evidence Eliminator\EEStartupLauncher.exe Software\Microsoft\Windows\CurrentVersion\Run has no subkeys. ---------------------------------------- Software\Microsoft\User Location Service\Client not found. ---------------------------------------- Software\ORL\VNCviewer\MRU not found. ---------------------------------------- Software\Nico Mak Computing\WinZip not found. ---------------------------------------- Software\Microsoft\Windows NT\CurrentVersion\Windows LastWrite Time Thu Sep 16 15:38:26 2010 (UTC) load value = *Should be blank; anything listed gets run when the user logs in. ---------------------------------------- Software\WinRAR\ArcHistory not found. ---------------------------------------- Software\Microsoft\Windows NT\CurrentVersion\Winlogon LastWrite Time Fri Sep 17 16:41:11 2010 (UTC) FirstLogon = 0 ParseAutoexec = 1 BuildNumber = 7600 ExcludeProfileDirs = AppData\Local;AppData\LocalLow;$Recycle.Bin Analysis Tip: Existence of RunGrpConv = 1 value may indicate that the system had been infected with Bredolab (Symantec). ---------------------------------------- System\EnableProfileQuota value not found. ---------------------------------------- Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU not found. ---------------------------------------- Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket LastWrite Time Fri Oct 1 11:02:31 2010 (UTC) LastEnum : 0,{c21c3b70-c1b4-11df-8520-806e6f6e6963} {aaa8f891-c4e4-11df-ba4f-806e6f6e6963} [Mon Sep 20 18:29:41 2010] (UTC) NukeOnDelete 0 {aaa8f892-c4e4-11df-ba4f-806e6f6e6963} [Mon Sep 20 18:29:41 2010] (UTC) NukeOnDelete 0 {c21c3b70-c1b4-11df-8520-806e6f6e6963} [Thu Sep 30 16:09:22 2010] (UTC) NukeOnDelete 0 {c21c3b71-c1b4-11df-8520-806e6f6e6963} [Fri Oct 1 14:33:57 2010] (UTC) NukeOnDelete 0 {c21c3b81-c1b4-11df-8520-806e6f6e6963} [Tue Sep 21 13:39:47 2010] (UTC) NukeOnDelete 0 {c8274d6f-ccac-11df-9d0d-001d6005034b} [Thu Sep 30 16:31:20 2010] (UTC) NukeOnDelete 0 ---------------------------------------- Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders LastWrite Time Thu Sep 16 15:38:38 2010 (UTC) !Do not use this registry key Use the SHGetFolderPath or SHGetKnownFolderPath function instead AppData C:\Users\Wolfe\AppData\Roaming Local AppData C:\Users\Wolfe\AppData\Local My Video C:\Users\Wolfe\Videos {1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE} C:\Users\Wolfe\AppData\Roaming\Microsoft\Windows\Libraries My Pictures C:\Users\Wolfe\Pictures Desktop C:\Users\Wolfe\Desktop History C:\Users\Wolfe\AppData\Local\Microsoft\Windows\History NetHood C:\Users\Wolfe\AppData\Roaming\Microsoft\Windows\Network Shortcuts {56784854-C6CB-462B-8169-88E350ACB882} C:\Users\Wolfe\Contacts Cookies C:\Users\Wolfe\AppData\Roaming\Microsoft\Windows\Cookies Favorites C:\Users\Wolfe\Favorites SendTo C:\Users\Wolfe\AppData\Roaming\Microsoft\Windows\SendTo Start Menu C:\Users\Wolfe\AppData\Roaming\Microsoft\Windows\Start Menu My Music C:\Users\Wolfe\Music Programs C:\Users\Wolfe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs Recent C:\Users\Wolfe\AppData\Roaming\Microsoft\Windows\Recent CD Burning C:\Users\Wolfe\AppData\Local\Microsoft\Windows\Burn\Burn PrintHood C:\Users\Wolfe\AppData\Roaming\Microsoft\Windows\Printer Shortcuts {7D1D3A04-DEBB-4115-95CF-2F29DA2920DA} C:\Users\Wolfe\Searches {374DE290-123F-4565-9164-39C4925E467B} C:\Users\Wolfe\Downloads {A520A1A4-1780-4FF6-BD18-167343C5AF16} C:\Users\Wolfe\AppData\LocalLow Startup C:\Users\Wolfe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup Administrative Tools C:\Users\Wolfe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools Personal C:\Users\Wolfe\Documents {BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968} C:\Users\Wolfe\Links Cache C:\Users\Wolfe\AppData\Local\Microsoft\Windows\Temporary Internet Files Templates C:\Users\Wolfe\AppData\Roaming\Microsoft\Windows\Templates {4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4} C:\Users\Wolfe\Saved Games Fonts C:\Windows\Fonts ---------------------------------------- Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache not found. ---------------------------------------- ClampiTM plugin Software\Microsoft\Internet Explorer\Settings LastWrite Time Thu Sep 16 15:38:28 2010 (UTC) No Clampi values found. ---------------------------------------- Software\Microsoft\Windows\CurrentVersion\UnreadMail not found. ----------------------------------------