Hi,
I wonder if anyone can help with the following, please. Apologies for cross-posting this, but there may be more registry experts hanging out here.
Within a user's NTUser.dat I have a series of interesting registry keys and sub keys at Software\Google\Google Toolbar\4.0\Quick Search\.
The sub keys are similar to:
Software\Google\Google Toolbar\4.0\Quick Search\http://xxxxxxx.com
where xxxxxxx.com is a web site of interest. Each key has two values; the first has a name that appears to be a search term, and the data is in the form:
{"debug":null,"ei":"QOCUGrerS4XPuDsHfr3zNj","hasEbmTidbits":true,"href":"http://xxxxxxx.com", …(rest of value removed).
The second value is named QOCUGrerS4XPuDsHfr3zNj and the value appears to be identical to the first.
There are further sub keys in the form Software\Google\Google Toolbar\4.0\Quick Search\Times\1302222222, which has a series of values, the name of each being a URL and the data being what appears to be a search term together with a string of characters, in the form ["search term","QOCUGrerS4XPuDsHfr3zNj"].
The 1302222222 subkey name is a Unix timestamp, and the search term and the string of characters marry up to the subkeys discussed first in this post.
I surmise that these keys are related to a quick search facility. Version 7 of Internet Explorer together with version 7 of the Google toolbar running on XP are being used on the examined machine.
My question is: has anyone else seen these keys and confirmed what created them?
I am not able to create a VM of the examined PC, and on a test VM running XP, IE7 and Google Toolbar v7 I was not able to replicate these keys.
Regards,
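
The correlation described in the post (Times\<Unix timestamp> values pointing back at the per-site subkeys), as an added example that is not part of the original post. It assumes both key trees have already been exported from NTUSER.DAT into Python dicts of strings; all sample data and the names `correlate` and `ei_of` are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample data (not from a real hive), shaped as
# {subkey name: {value name: value data}} after export from NTUSER.DAT.
BLOB = ('{"debug":null,"ei":"EXAMPLEID01","hasEbmTidbits":true,'
        '"href":"http://example.test"}')
QUICK_SEARCH = {"http://example.test": {"search term": BLOB, "EXAMPLEID01": BLOB}}
TIMES = {
    "1302222222": {"http://example.test": '["search term","EXAMPLEID01"]'},
    "1302222999": {"http://other.test": '["orphan term","EXAMPLEID02"]'},
    "not-a-time": {"http://example.test": "garbage"},
}

def ei_of(blob):
    """Return the "ei" field of a per-site value, or None if it will not parse."""
    try:
        return json.loads(blob).get("ei")
    except (ValueError, TypeError, AttributeError):
        return None

def correlate(quick_search, times):
    """One record per Times value, checked against its per-site subkey."""
    records = []
    for stamp, values in times.items():
        for url, data in values.items():
            rec = {"url": url, "utc": None, "term": None, "id": None, "status": "ok"}
            records.append(rec)
            try:
                # Subkey name is a Unix timestamp; data is ["term","id"].
                rec["utc"] = datetime.fromtimestamp(int(stamp), tz=timezone.utc).isoformat()
                term, ident = json.loads(data)
                if not (isinstance(term, str) and isinstance(ident, str)):
                    raise ValueError("expected two strings")
            except (ValueError, TypeError, OverflowError, OSError):
                rec["status"] = "unparsed"
                continue
            rec["term"], rec["id"] = term, ident
            site = quick_search.get(url, {})
            by_term, by_id = site.get(term), site.get(ident)
            if by_term is None or by_id is None:
                rec["status"] = "no matching Quick Search value"
            elif by_term != by_id:
                rec["status"] = "term and id values differ"
            elif ei_of(by_id) != ident:
                rec["status"] = "ei field does not match value name"
    return records

if __name__ == "__main__":
    for rec in correlate(QUICK_SEARCH, TIMES):
        print(rec)
```

Records whose status is not "ok" are the ones to examine by hand: a Times entry with no per-site counterpart, or a pair of values that are not identical, departs from the pattern described in the post.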