Trojan.Encoder.26682

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Encrypter_074' = '%APPDATA%\info.exe'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'userinfo' = '%APPDATA%\recovery.txt'

Creates or modifies the following files:

%WINDIR%\win.ini
%WINDIR%\Tasks\How Recovery Files.txt
%WINDIR%\Tasks\SA.DAT
%WINDIR%\system.ini

Changes the following executable system files:

%WINDIR%\XXInstall\vminstall.exe
<SYSTEM32>\xenroll.dll
<SYSTEM32>\xcopy.exe
<SYSTEM32>\xactsrv.dll
<SYSTEM32>\wzcdlg.dll
<SYSTEM32>\wuweb.dll
<SYSTEM32>\wups.dll
<SYSTEM32>\wucltui.dll
<SYSTEM32>\XPSViewer\en-US\XPSViewer.exe.mui
%WINDIR%\srchasst\msgr3en.dll
<SYSTEM32>\wuauserv.dll
<SYSTEM32>\wuaueng1.dll
<SYSTEM32>\wuaueng.dll
<SYSTEM32>\wuaucpl.cpl
<SYSTEM32>\wuauclt1.exe
<SYSTEM32>\xm.dll
<SYSTEM32>\xmlprov.dll
<SYSTEM32>\xmlprovi.dll
<SYSTEM32>\xmlrtl60.bpl
<SYSTEM32>\xolehlp.dll
<SYSTEM32>\xpob2res.dll
<SYSTEM32>\xpsp1res.dll
<SYSTEM32>\xpsshhdr.dll
<SYSTEM32>\xpssvcs.dll
<SYSTEM32>\wupdmgr.exe
<SYSTEM32>\XPSViewer\XPSViewer.exe
<SYSTEM32>\zipfldr.dll
%WINDIR%\srchasst\srchctls.dll
%WINDIR%\srchasst\srchui.dll
%WINDIR%\system\WINSPOOL.DRV
%WINDIR%\TASKMAN.EXE
%WINDIR%\twain_32\wiatwain.ds
<SYSTEM32>\wuauclt.exe
<SYSTEM32>\wship6.dll
<SYSTEM32>\wmstream.dll
<SYSTEM32>\wstpager.ax
<SYSTEM32>\wpnpinst.exe
<SYSTEM32>\wpabaln.exe
%WINDIR%\Resources\Themes\Luna\Shell\NormalColor\shellstyle.dll
<SYSTEM32>\wowfaxui.dll
%WINDIR%\Resources\Themes\Luna\Shell\Metallic\shellstyle.dll
<SYSTEM32>\wowfax.dll
%WINDIR%\Resources\Themes\Luna\luna.msstyles
<SYSTEM32>\wuapi.dll
<SYSTEM32>\wmvds32.ax
<SYSTEM32>\wmvdmoe2.dll
<SYSTEM32>\wmvdmod.dll
<SYSTEM32>\wmvcore.dll
<SYSTEM32>\wmv8ds32.ax
%WINDIR%\regedit.exe
<SYSTEM32>\write.exe
<SYSTEM32>\wscntfy.exe
<SYSTEM32>\wscript.exe
<SYSTEM32>\wscui.cpl
<SYSTEM32>\wsecedit.dll
<SYSTEM32>\wshatm.dll
<SYSTEM32>\wshbth.dll
<SYSTEM32>\wshcon.dll
<SYSTEM32>\wshext.dll
%WINDIR%\twain_32.dll
<SYSTEM32>\wshisn.dll
<SYSTEM32>\wshnetbs.dll
%WINDIR%\sfk.exe
<SYSTEM32>\WshRm.dll
%WINDIR%\sleep.exe
<SYSTEM32>\wsnmp32.dll
<SYSTEM32>\wstdecod.dll
<SYSTEM32>\wstrenderer.ax
%WINDIR%\Resources\Themes\Luna\Shell\Homestead\shellstyle.dll
%WINDIR%\twunk_32.exe
%WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
%WINDIR%\XXInstall\ps.exe
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
%WINDIR%\XXInstall\hashdeep.exe
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
%WINDIR%\XXInstall\exdir.exe
%WINDIR%\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
%WINDIR%\XXInstall\events.exe
%WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
%WINDIR%\XXInstall\Scripts\antivm.exe
%WINDIR%\XXInstall\screen.exe
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
%WINDIR%\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcirt.dll
%WINDIR%\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
%WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\dxmrtp.dll
%WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.dll
%WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.Wrapper.dll
%WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll
%WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
%WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\rtcres.dll
%WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
%WINDIR%\XXInstall\devcon.exe
%WINDIR%\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
%WINDIR%\winhlp32.exe
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
%WINDIR%\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5\Microsoft.Workflow.Compiler.exe
%WINDIR%\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcm80.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
%WINDIR%\vmmreg32.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
%WINDIR%\XXInstall\cmdow.exe
<SYSTEM32>\wmspdmoe.dll

Infects the following executable files:

%ProgramFiles%\Windows Media Player\wmpns.dll
%ProgramFiles%\FireFox\updater.exe
%CommonProgramFiles%\Microsoft Shared\Speech\1033\spcplui.dll
%CommonProgramFiles%\Microsoft Shared\MSInfo\msinfo32.exe
<SYSTEM32>\xactsrv.dll
<SYSTEM32>\xcopy.exe
%CommonProgramFiles%\Microsoft Shared\Speech\sapi.cpl
%ProgramFiles%\FireFox\xpcom.dll
<SYSTEM32>\xenroll.dll
%ProgramFiles%\FireFox\xpcshell.exe
<ANALYSETOOLS_DIR>\XueTr_Cmd\PCHunter32.exe
%CommonProgramFiles%\Microsoft Shared\Speech\sapi.dll
<SYSTEM32>\xm.dll
%ProgramFiles%\FireFox\xpidl.exe
%CommonProgramFiles%\Microsoft Shared\Speech\sapisvr.exe
<SYSTEM32>\xmlprov.dll
%ProgramFiles%\FireFox\xpt_dump.exe
<SYSTEM32>\xmlprovi.dll
%CommonProgramFiles%\Microsoft Shared\TextConv\html32.cnv
<SYSTEM32>\xmlrtl60.bpl
%ProgramFiles%\FireFox\xpt_link.exe
%CommonProgramFiles%\Microsoft Shared\TextConv\msconv97.dll
<SYSTEM32>\xolehlp.dll
%CommonProgramFiles%\Microsoft Shared\TextConv\mswrd632.wpc
<SYSTEM32>\xpob2res.dll
<SYSTEM32>\xpsp1res.dll
%CommonProgramFiles%\Microsoft Shared\TextConv\mswrd832.cnv
%CommonProgramFiles%\Microsoft Shared\Triedit\DHTMLED.OCX
<SYSTEM32>\wzcdlg.dll
%CommonProgramFiles%\Microsoft Shared\MSInfo\IEINFO5.OCX
%CommonProgramFiles%\Microsoft Shared\DW\1033\DWINTL20.DLL
%CommonProgramFiles%\Microsoft Shared\DW\1031\DWINTL20.DLL
%CommonProgramFiles%\Microsoft Shared\DW\1036\DWINTL20.DLL
<SYSTEM32>\wuaueng.dll
<ANALYSETOOLS_DIR>\STracer\SimplyTracer.exe
%CommonProgramFiles%\Microsoft Shared\DW\1040\DWINTL20.DLL
%CommonProgramFiles%\Microsoft Shared\DW\2052\DWINTL20.DLL
%CommonProgramFiles%\Microsoft Shared\DW\1042\DWINTL20.DLL
%CommonProgramFiles%\Microsoft Shared\DW\1041\DWINTL20.DLL
%CommonProgramFiles%\Microsoft Shared\DW\3082\DWINTL20.DLL
%ProgramFiles%\FireFox\shlibsign.exe
<SYSTEM32>\wuaueng1.dll
%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE
<ANALYSETOOLS_DIR>\XueTr_Cmd\XueTrCmd.exe
<SYSTEM32>\wuauserv.dll
%WINDIR%\srchasst\msgr3en.dll
%CommonProgramFiles%\Microsoft Shared\DW\DWDCW20.DLL
<SYSTEM32>\wucltui.dll
%CommonProgramFiles%\Microsoft Shared\DW\DWTRIG20.EXE
%CommonProgramFiles%\Microsoft Shared\DAO\dao360.dll
<SYSTEM32>\wupdmgr.exe
%ProgramFiles%\FireFox\softokn3.dll
%ProgramFiles%\FireFox\uninstall\helper.exe
<SYSTEM32>\wups.dll
%ProgramFiles%\FireFox\ssl3.dll
<SYSTEM32>\wuweb.dll
%CommonProgramFiles%\Microsoft Shared\Triedit\TRIEDIT.DLL
%CommonProgramFiles%\Microsoft Shared\TextConv\write32.wpc
<SYSTEM32>\xpsshhdr.dll
%CommonProgramFiles%\System\ado\msader15.dll
%CommonProgramFiles%\System\Ole DB\msdasql.dll
%CommonProgramFiles%\System\msadc\msadce.dll
%CommonProgramFiles%\System\Ole DB\msdasqlr.dll
%CommonProgramFiles%\System\msadc\msadcer.dll
%CommonProgramFiles%\System\Ole DB\msdatl3.dll
%CommonProgramFiles%\System\msadc\msadcf.dll
%WINDIR%\twain_32\wiatwain.ds
%CommonProgramFiles%\System\ado\msado15.dll
%ProgramFiles%\Internet Explorer\Connection Wizard\icwconn.dll
%CommonProgramFiles%\System\Ole DB\msdatt.dll
%CommonProgramFiles%\System\ado\msado20.tlb
%CommonProgramFiles%\Microsoft Shared\web server extensions\40\bin\FP4AWEC.DLL
%WINDIR%\twain_32.dll
%CommonProgramFiles%\System\msadc\msadcfr.dll
%ProgramFiles%\Internet Explorer\Connection Wizard\icwconn1.exe
%CommonProgramFiles%\System\Ole DB\msdaurl.dll
%CommonProgramFiles%\System\ado\msado21.tlb
%CommonProgramFiles%\System\msadc\msadco.dll
%ProgramFiles%\Internet Explorer\Connection Wizard\icwconn2.exe
%CommonProgramFiles%\System\Ole DB\msxactps.dll
%CommonProgramFiles%\System\ado\msado25.tlb
%ProgramFiles%\Internet Explorer\Connection Wizard\icwdl.dll
%CommonProgramFiles%\System\msadc\msadcor.dll
%CommonProgramFiles%\System\Ole DB\msdasc.dll
%CommonProgramFiles%\System\Ole DB\msdaps.dll
%CommonProgramFiles%\Microsoft Shared\web server extensions\40\bin\fp4autl.dll
%WINDIR%\TASKMAN.EXE
%CommonProgramFiles%\Microsoft Shared\VC\msdia100.dll
%CommonProgramFiles%\System\Ole DB\MSDAPML.DLL
%CommonProgramFiles%\Microsoft Shared\VC\msdia80.dll
%CommonProgramFiles%\Microsoft Shared\VC\msdia90.dll
<SYSTEM32>\xpssvcs.dll
<SYSTEM32>\XPSViewer\en-US\XPSViewer.exe.mui
<ANALYSETOOLS_DIR>\XueTr_Cmd\PCHunter64.exe
<SYSTEM32>\XPSViewer\XPSViewer.exe
%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll
<ANALYSETOOLS_DIR>\XueTr_Cmd\XueTr.dll
%CommonProgramFiles%\System\Ole DB\msdadc.dll
%CommonProgramFiles%\System\Ole DB\msdaenum.dll
%CommonProgramFiles%\System\Ole DB\msdaer.dll
%ProgramFiles%\FireFox\smime3.dll
<ANALYSETOOLS_DIR>\STracer\ollyext.dll
%WINDIR%\srchasst\srchctls.dll
<ANALYSETOOLS_DIR>\XueTr_Cmd\XueTrCmdOrig.exe
%CommonProgramFiles%\Microsoft Shared\Web Folders\MSONSEXT.DLL
%CommonProgramFiles%\System\Ole DB\MSDAIPP.DLL
%CommonProgramFiles%\System\Ole DB\msdaora.dll
%WINDIR%\srchasst\srchui.dll
<ANALYSETOOLS_DIR>\XueTr_Cmd\XueTrSDK.sys
%CommonProgramFiles%\Microsoft Shared\Web Folders\MSOWS409.DLL
%WINDIR%\system\WINSPOOL.DRV
<ANALYSE_DIR>\_kdump.sys_
%CommonProgramFiles%\System\Ole DB\msdaorar.dll
%CommonProgramFiles%\System\Ole DB\msdaosp.dll
<SYSTEM32>\zipfldr.dll
%CommonProgramFiles%\Microsoft Shared\DW\1028\DWINTL20.DLL
%CommonProgramFiles%\Microsoft Shared\DW\1025\DWINTL20.DLL
<SYSTEM32>\wuaucpl.cpl
%ProgramFiles%\FireFox\nsinstall.exe
%ProgramFiles%\FireFox\nspr4.dll
C:\Far2\Plugins\Network\Network.dll
%WINDIR%\Resources\Themes\Luna\Shell\Homestead\shellstyle.dll
%ProgramFiles%\FireFox\nss3.dll
%ProgramFiles%\FireFox\nssckbi.dll
<SYSTEM32>\wowfax.dll
%ProgramFiles%\FireFox\nssdbm3.dll
<ANALYSER.EXE>.1
<ANALYSETOOLS_DIR>\Angar2\custom_send.exe
%WINDIR%\Resources\Themes\Luna\Shell\Metallic\shellstyle.dll
%ProgramFiles%\FireFox\nssutil3.dll
C:\Far2\Plugins\TmpPanel\TmpPanel.dll
<ANALYSER.EXE>.2
<ANALYSETOOLS_DIR>\Angar2\tools\dumpe_\procdump32.exe
<SYSTEM32>\wowfaxui.dll
%ProgramFiles%\FireFox\plc4.dll
%ProgramFiles%\FireFox\plds4.dll
<ANALYSER.EXE>.3
%WINDIR%\Resources\Themes\Luna\Shell\NormalColor\shellstyle.dll
%ProgramFiles%\FireFox\plugin-container.exe
<ANALYSETOOLS_DIR>\Angar2\tools\dumpe_\procdump64.exe
<SYSTEM32>\wpabaln.exe
<SYSTEM32>\wpnpinst.exe
<ANALYSETOOLS_DIR>\Angar2\tools\th_\dns_serv.dll
%ProgramFiles%\FireFox\mozsqlite3.dll
%WINDIR%\Resources\Themes\Luna\luna.msstyles
%ProgramFiles%\FireFox\mozjs.dll
C:\Far2\Plugins\FileCase\FileCase.dll
C:\Far2\Plugins\Compare\Compare.dll
%WINDIR%\regedit.exe
<SYSTEM32>\wmv8ds32.ax
C:\Far2\Plugins\ExtSearch\esearch.dll
C:\Far2\Plugins\EditCase\EditCase.dll
C:\Far2\Plugins\DrawLine\DrawLine.dll
%ProgramFiles%\FireFox\AccessibleMarshal.dll
%ProgramFiles%\FireFox\crashreporter.exe
C:\Far2\Plugins\EMenu\EMenu.dll
<SYSTEM32>\wmvcore.dll
C:\Far2\Plugins\FTP\FarFtp.dll
<SYSTEM32>\wmvdmod.dll
C:\Far2\Plugins\FTP\lib\ftpProgress.fll
C:\Far2\Plugins\FTP\lib\ftpDirList.fll
<SYSTEM32>\wmvdmoe2.dll
%ProgramFiles%\FireFox\firefox.exe
C:\Far2\Plugins\FarCmds\FARCmds.dll
%ProgramFiles%\FireFox\freebl3.dll
%ProgramFiles%\FireFox\IA2Marshal.dll
<SYSTEM32>\wmvds32.ax
%ProgramFiles%\FireFox\js.exe
C:\Far2\Plugins\HlfViewer\HlfViewer.dll
%ProgramFiles%\FireFox\mangle.exe
%ProgramFiles%\FireFox\mozalloc.dll
C:\Far2\Plugins\ProcList\Proclist.dll
C:\Far2\Plugins\MacroView\MacroView.dll
%ProgramFiles%\Internet Explorer\Connection Wizard\icwhelp.dll
<ANALYSETOOLS_DIR>\DbgPrint\EchoDbg.exe
<SYSTEM32>\wscntfy.exe
<ANALYSE_DIR>\dwshield.sys
<ANALYSETOOLS_DIR>\File\regex2.dll
<SYSTEM32>\wstdecod.dll
<ANALYSETOOLS_DIR>\MyNCAP_\npptools.dll
<ANALYSETOOLS_DIR>\FileDisk\loaddrv.exe
<ANALYSETOOLS_DIR>\File\zlib1.dll
<SYSTEM32>\wstpager.ax
<SYSTEM32>\wstrenderer.ax
<ANALYSETOOLS_DIR>\MyNCAP_\Packet.dll
<ANALYSETOOLS_DIR>\KDump\kdump.sys
<APATH_PROCDUMP.EXE>
<ANALYSETOOLS_DIR>\MinArk\minark.exe
<APATH_LOADLIB.EXE>
<APATH_PROCDUMP.EXE>.1
<ANALYSETOOLS_DIR>\KDump\load.exe
<APATH_PROCDUMP.EXE>.2
<SYSTEM32>\wuapi.dll
<APATH_LOADLIB.EXE>_
<ANALYSETOOLS_DIR>\MinArk\phunter.sys
<APATH_PROCDUMP.EXE>.3
<SYSTEM32>\wuauclt.exe
<ANALYSETOOLS_DIR>\MyNCAP_\wpcap.dll
<ANALYSETOOLS_DIR>\MemDump\memdump2.exe
<ANALYSETOOLS_DIR>\NoExit\noexit.exe
<ANALYSETOOLS_DIR>\ProcDump\procdump64.exe
<SYSTEM32>\wuauclt1.exe
<SYSTEM32>\wsnmp32.dll
<ANALYSETOOLS_DIR>\MyNCAP_\myncap.exe
%WINDIR%\sleep.exe
<ANALYSETOOLS_DIR>\FileDisk\filedisk.sys
<ANALYSETOOLS_DIR>\BCode\bcode.exe
<ANALYSE_DIR>\muldrop.sys
<SYSTEM32>\wscript.exe
<ANALYSE_DIR>\muldrop_dbg.sys
<SYSTEM32>\wscui.cpl
C:\Far2\Plugins\WinSCP\WinSCP.dll
<ANALYSETOOLS_DIR>\DbgPrint\dbgprn.dll
<ANALYSETOOLS_DIR>\Angar2\tools\th_\thp.exe
<SYSTEM32>\wsecedit.dll
<SYSTEM32>\wshatm.dll
<ANALYSETOOLS_DIR>\DbgPrint\DbgPrnHk.sys
<SYSTEM32>\wshbth.dll
<SYSTEM32>\wmstream.dll
<APATH_DUMPER_NET.EXE>.1
<SYSTEM32>\wshcon.dll
<ANALYSETOOLS_DIR>\File\file.exe
<SYSTEM32>\wshext.dll
<ANALYSETOOLS_DIR>\MyNCAP_\kdump.exe
<SYSTEM32>\wship6.dll
<SYSTEM32>\wshisn.dll
<ANALYSETOOLS_DIR>\MyNCAP_\mpf.sys
<ANALYSETOOLS_DIR>\FileDisk\filedisk.exe
<SYSTEM32>\wshnetbs.dll
%WINDIR%\sfk.exe
<ANALYSETOOLS_DIR>\File\magic1.dll
<SYSTEM32>\WshRm.dll
<ANALYSETOOLS_DIR>\Angar2\tools\th_\http_serv.dll
<SYSTEM32>\write.exe
%CommonProgramFiles%\System\ado\msado26.tlb
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll
%ProgramFiles%\MSN\MSNCoreFiles\OOBE\obelog.dll
%ProgramFiles%\NetMeeting\nmcom.dll
%WINDIR%\XXInstall\ps.exe
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll
%WINDIR%\XXInstall\Scripts\antivm.exe
%ProgramFiles%\NetMeeting\nmft.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll
%WINDIR%\XXInstall\screen.exe
%ProgramFiles%\Movie Maker\WMM2RES.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
%ProgramFiles%\MSN\MSNCoreFiles\OOBE\obemetal.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.DataSetExtensions.dll
%ProgramFiles%\NetMeeting\nmoldwb.dll
%ProgramFiles%\MSN\MSNCoreFiles\OOBE\obemtllc.dll
%ProgramFiles%\NetMeeting\nmwb.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.Design.dll
%ProgramFiles%\Movie Maker\WMM2RES2.dll
%ProgramFiles%\MSN\MSNCoreFiles\OOBE\obepopc.dll
%ProgramFiles%\NetMeeting\rrcm.dll
%ProgramFiles%\NetMeeting\wb32.exe
%ProgramFiles%\Outlook Express\msimn.exe
%ProgramFiles%\Windows NT\Pinball\PINBALL.EXE
<STUBS_DIR>\test.exe
%ProgramFiles%\Windows Media Player\custsat.dll
%ProgramFiles%\Outlook Express\msoe.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll
%ProgramFiles%\Windows Media Player\migrate.exe
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.dll
%ProgramFiles%\NetMeeting\nmchat.dll
%WINDIR%\XXInstall\events.exe
%ProgramFiles%\NetMeeting\h323cc.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationProvider.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll
%ProgramFiles%\NetMeeting\MST120.DLL
%WINDIR%\XXInstall\exdir.exe
%WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll
%ProgramFiles%\NetMeeting\MST123.DLL
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
%WINDIR%\XXInstall\hashdeep.exe
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Net.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
%ProgramFiles%\NetMeeting\nac.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll
%ProgramFiles%\MSN\MSNCoreFiles\Install\msnsusii.exe
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll
%ProgramFiles%\NetMeeting\nmas.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Utilities.v3.5.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll
%ProgramFiles%\NetMeeting\nmasnt.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll
%ProgramFiles%\Windows Media Player\mplayer2.exe
%ProgramFiles%\Windows Media Player\mpvis.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll
%ProgramFiles%\Outlook Express\oemiglib.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll
%WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll
%ProgramFiles%\Windows NT\Accessories\write.wpc
%WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll
%ProgramFiles%\Outlook Express\setup50.exe
%ProgramFiles%\Outlook Express\wab.exe
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll
%WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\rtcres.dll
%WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
%ProgramFiles%\Windows NT\dialer.exe
%ProgramFiles%\Outlook Express\wabfind.dll
%ProgramFiles%\Windows Media Player\wmpband.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll
%ProgramFiles%\Windows NT\htrn_jis.dll
%ProgramFiles%\Outlook Express\wabimp.dll
%WINDIR%\XXInstall\vminstall.exe
%ProgramFiles%\Windows Media Player\wmplayer.exe
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll
%ProgramFiles%\Outlook Express\wabmig.exe
%ProgramFiles%\Windows NT\hypertrm.exe
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll
%WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.Wrapper.dll
%ProgramFiles%\Windows NT\Accessories\wordpad.exe
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.Design.dll
%ProgramFiles%\Outlook Express\oemig50.exe
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll
%ProgramFiles%\Windows Media Player\npdrmv2.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Client.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Design.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Management.Instrumentation.dll
%WINDIR%\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcirt.dll
%ProgramFiles%\Windows Media Player\npdsplay.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
%WINDIR%\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll
%ProgramFiles%\Outlook Express\msoeres.dll
%ProgramFiles%\Windows NT\Accessories\mswrd6.wpc
%ProgramFiles%\Windows Media Player\npwmsdrm.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll
%WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\dxmrtp.dll
%ProgramFiles%\Windows NT\Accessories\mswrd8.wpc
%WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.dll
%ProgramFiles%\Outlook Express\oeimport.dll
%ProgramFiles%\Windows Media Player\setup_wm.exe
%WINDIR%\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClientsideProviders.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
%ProgramFiles%\Movie Maker\WMM2FXB.dll
%CommonProgramFiles%\System\directdb.dll
%ProgramFiles%\FireFox\xul.dll
%ProgramFiles%\Internet Explorer\Connection Wizard\trialoc.dll
%CommonProgramFiles%\System\wab32.dll
%ProgramFiles%\Internet Explorer\HMMAPI.DLL
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll
%CommonProgramFiles%\SpeechEngines\Microsoft\TTS\1033\spttseng.dll
%CommonProgramFiles%\SpeechEngines\Microsoft\spcommon.dll
%CommonProgramFiles%\System\wab32res.dll
%ProgramFiles%\Internet Explorer\iedw.exe
%ProgramFiles%\Internet Explorer\MUI\0409\mscorier.dll
%ProgramFiles%\Internet Explorer\IEXPLORE.EXE
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll
%WINDIR%\winhlp32.exe
%ProgramFiles%\Messenger\custsat.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Classic.dll
%WINDIR%\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
%ProgramFiles%\Messenger\msgsc.dll
%WINDIR%\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5\Microsoft.Workflow.Compiler.exe
%ProgramFiles%\Messenger\msgslang.dll
%ProgramFiles%\Messenger\msmsgs.exe
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
%ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
%CommonProgramFiles%\System\Ole DB\sqlxmlx.rll
%CommonProgramFiles%\System\msadc\msdfmap.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll
%CommonProgramFiles%\System\Ole DB\sqlxmlx.dll
%CommonProgramFiles%\System\ado\msado27.tlb
%WINDIR%\twunk_32.exe
%CommonProgramFiles%\System\msadc\msadds.dll
%ProgramFiles%\Internet Explorer\Connection Wizard\icwres.dll
%CommonProgramFiles%\System\Ole DB\oledb32r.dll
%CommonProgramFiles%\System\ado\msadomd.dll
%ProgramFiles%\Internet Explorer\Connection Wizard\icwrmind.exe
%CommonProgramFiles%\System\msadc\msaddsr.dll
%CommonProgramFiles%\MSSoap\Binaries\mssoap1.dll
%ProgramFiles%\Internet Explorer\Connection Wizard\icwtutor.exe
%CommonProgramFiles%\System\ado\msador15.dll
%CommonProgramFiles%\System\msadc\msdaprsr.dll
%CommonProgramFiles%\System\ado\msadox.dll
%ProgramFiles%\Internet Explorer\Connection Wizard\icwutil.dll
%CommonProgramFiles%\MSSoap\Binaries\Resources\1033\mssoapr.dll
%CommonProgramFiles%\System\msadc\msdaprst.dll
%CommonProgramFiles%\System\Ole DB\sqloledb.dll
%CommonProgramFiles%\System\ado\msadrh15.dll
%CommonProgramFiles%\System\Ole DB\sqloledb.rll
%CommonProgramFiles%\System\msadc\msdarem.dll
%WINDIR%\vmmreg32.dll
%CommonProgramFiles%\System\ado\msjro.dll
%ProgramFiles%\Internet Explorer\Connection Wizard\inetwiz.exe
%CommonProgramFiles%\MSSoap\Binaries\wisc10.dll
%CommonProgramFiles%\System\msadc\msdaremr.dll
%ProgramFiles%\Internet Explorer\Connection Wizard\isignup.exe
%CommonProgramFiles%\System\msadc\msadcs.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcm80.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
%ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
%WINDIR%\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
%ProgramFiles%\NetMeeting\cb32.exe
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
%ProgramFiles%\Movie Maker\WMM2FILT.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
%ProgramFiles%\NetMeeting\conf.exe
%WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
%WINDIR%\XXInstall\cmdow.exe
%ProgramFiles%\Movie Maker\WMM2FXA.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll
%WINDIR%\XXInstall\devcon.exe
%ProgramFiles%\NetMeeting\confmrsl.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClient.dll
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
%ProgramFiles%\NetMeeting\dcap32.dll
%ProgramFiles%\Movie Maker\WMM2EXT.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll
%ProgramFiles%\NetMeeting\callcont.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Printing.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
%CommonProgramFiles%\System\Ole DB\oledb32.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
%ProgramFiles%\Movie Maker\moviemk.exe
%WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
%ProgramFiles%\Movie Maker\WMM2AE.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
%ProgramFiles%\Movie Maker\WMM2ERES.dll
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll
<SYSTEM32>\wmspdmoe.dll

Malicious functions:

To complicate detection of its presence in the operating system,

deletes volume shadow copies.

Modifies file system:

Creates the following files:

%TEMP%\tmp1.tmp
<SYSTEM32>\dllcache\wmm2ae.dll.new
<ANALYSETOOLS_DIR>\KDump\How Recovery Files.txt
<ANALYSETOOLS_DIR>\MinArk\miniark.log
C:\Muldrop\dmp_0x1a4_0x20000
C:\Muldrop\dmp_0x1a4_0x10000
<SYSTEM32>\dllcache\moviemk.exe.new
C:\Muldrop\dmp_0x1a0_0x30000
C:\Muldrop\dmp_0x1a0_0x20000
C:\Muldrop\dmp_0x1a0_0x10000
%CommonProgramFiles%\System\Ole DB\msdaurl.dll.new
%CommonProgramFiles%\System\msadc\msadcfr.dll.new
C:\Muldrop\dmp_0x194_0x30000
%ProgramFiles%\Internet Explorer\Connection Wizard\icwconn1.exe.new
%CommonProgramFiles%\System\ado\msado20.tlb.new
<ANALYSETOOLS_DIR>\FileDisk\How Recovery Files.txt
<ANALYSETOOLS_DIR>\File\How Recovery Files.txt
C:\Muldrop\dmp_0x194_0x20000
<ANALYSETOOLS_DIR>\LoadLib\How Recovery Files.txt
%WINDIR%\twain_32.dll.new
C:\Muldrop\dmp_0x1a4_0x30000
C:\Muldrop\dmp_0x1b4_0x10000
%ProgramFiles%\Internet Explorer\Connection Wizard\icwdl.dll.new
C:\Muldrop\dmp_0x1b8_0x30000
%CommonProgramFiles%\System\ado\msado25.tlb.new
C:\Muldrop\dmp_0x1b8_0x20000
<ANALYSETOOLS_DIR>\ProcDump\How Recovery Files.txt
%CommonProgramFiles%\System\Ole DB\msxactps.dll.new
<ANALYSETOOLS_DIR>\NoExit\How Recovery Files.txt
C:\Muldrop\dmp_0x1b8_0x10000
<ANALYSETOOLS_DIR>\MemDump\How Recovery Files.txt
<ANALYSETOOLS_DIR>\MyNCAP_\How Recovery Files.txt
<ANALYSETOOLS_DIR>\MinArk\How Recovery Files.txt
<ANALYSETOOLS_DIR>\MinArk\validdrv.dat
%ProgramFiles%\Internet Explorer\Connection Wizard\icwconn2.exe.new
C:\Muldrop\dmp_0x1b4_0x30000
%CommonProgramFiles%\System\msadc\msadco.dll.new
C:\Muldrop\dmp_0x1b4_0x20000
%CommonProgramFiles%\System\ado\msado21.tlb.new
<SYSTEM32>\dllcache\wmm2eres.dll.new
%CommonProgramFiles%\System\Ole DB\msdatt.dll.new
C:\Muldrop\dmp_0x194_0x10000
%CommonProgramFiles%\System\Ole DB\msdatl3.dll.new
%WINDIR%\system\winspool.drv.new
%CommonProgramFiles%\System\Ole DB\msdaora.dll.new
%WINDIR%\srchasst\srchui.dll.new
%WINDIR%\system\wfwnet.drv.new
%WINDIR%\srchasst\srchctls.dll.new
C:\Muldrop\88744D2A29102FC88ECF505DD2E984FC.npg_1
%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll.new
%CommonProgramFiles%\System\Ole DB\msdaer.dll.new
<SYSTEM32>\zipfldr.dll.new
C:\Muldrop\88744D2A29102FC88ECF505DD2E984FC.npg_0
%WINDIR%\system\vga.drv.new
%CommonProgramFiles%\System\Ole DB\msdadc.dll.new
%WINDIR%\system\ver.dll.new
%WINDIR%\system\timer.drv.new
%WINDIR%\system\tapi.dll.new
%WINDIR%\SoftwareDistribution\DataStore\Logs\How Recovery Files.txt
%CommonProgramFiles%\System\Ole DB\msdaenum.dll.new
%CommonProgramFiles%\System\Ole DB\msdaorar.dll.new
%CommonProgramFiles%\System\Ole DB\msdaosp.dll.new
%CommonProgramFiles%\Microsoft Shared\web server extensions\40\bin\fp4autl.dll.new
%ProgramFiles%\FireFox\res\fonts\How Recovery Files.txt
%CommonProgramFiles%\System\msadc\msadcf.dll.new
C:\Muldrop\dmp_0x148_0x30000
%CommonProgramFiles%\System\msadc\msadcer.dll.new
%CommonProgramFiles%\System\ado\msado15.dll.new
%CommonProgramFiles%\System\Ole DB\msdasqlr.dll.new
C:\Muldrop\dmp_0x148_0x20000
%CommonProgramFiles%\System\msadc\msadcor.dll.new
%CommonProgramFiles%\System\Ole DB\msdasql.dll.new
C:\Muldrop\dmp_0x1bc_0x10000
%CommonProgramFiles%\System\ado\msader15.dll.new
%WINDIR%\twain.dll.new
%WINDIR%\SoftwareDistribution\How Recovery Files.txt
%CommonProgramFiles%\System\Ole DB\msdasc.dll.new
%ProgramFiles%\FireFox\res\html\How Recovery Files.txt
%CommonProgramFiles%\System\Ole DB\msdaps.dll.new
%WINDIR%\taskman.exe.new
%ProgramFiles%\Internet Explorer\Connection Wizard\icwconn.dll.new
%WINDIR%\SoftwareDistribution\DataStore\How Recovery Files.txt
C:\Muldrop\dmp_0x148_0x10000
C:\Muldrop\npgdpnq.mph_5
%CommonProgramFiles%\System\msadc\msadce.dll.new
%CommonProgramFiles%\System\msadc\msadds.dll.new
%CommonProgramFiles%\System\msadc\msdarem.dll.new
%CommonProgramFiles%\System\ado\msadrh15.dll.new
<SYSTEM32>\dllcache\mst120.dll.new
<SYSTEM32>\dllcache\wmm2res.dll.new
%CommonProgramFiles%\Microsoft Shared\MSInfo\How Recovery Files.txt
%CommonProgramFiles%\Microsoft Shared\Speech\1033\How Recovery Files.txt
%CommonProgramFiles%\System\msadc\msdaprst.dll.new
%CommonProgramFiles%\System\ado\msadox.dll.new
%CommonProgramFiles%\MSSoap\Binaries\Resources\1033\mssoapr.dll.new
%ProgramFiles%\Internet Explorer\Connection Wizard\icwutil.dll.new
%CommonProgramFiles%\System\msadc\msdaprsr.dll.new
%CommonProgramFiles%\System\ado\msador15.dll.new
<SYSTEM32>\dllcache\h323cc.dll.new
%ProgramFiles%\Internet Explorer\Connection Wizard\icwtutor.exe.new
%CommonProgramFiles%\System\msadc\msaddsr.dll.new
%ProgramFiles%\FireFox\uninstall\How Recovery Files.txt
<SYSTEM32>\dllcache\dcap32.dll.new
%WINDIR%\vmmreg32.dll.new
%ProgramFiles%\Internet Explorer\Connection Wizard\icwrmind.exe.new
%CommonProgramFiles%\System\ado\msjro.dll.new
%CommonProgramFiles%\MSSoap\Binaries\wisc10.dll.new
<SYSTEM32>\dllcache\nmasnt.dll.new
C:\Muldrop\npgdpnq.mph_4
%CommonProgramFiles%\System\msadc\msdfmap.dll.new
%WINDIR%\Web\printers\images\How Recovery Files.txt
C:\Muldrop\npgdpnq.mph_3
%CommonProgramFiles%\System\Ole DB\sqlxmlx.dll.new
%CommonProgramFiles%\System\directdb.dll.new
C:\Muldrop\npgdpnq.mph_2
%ProgramFiles%\Internet Explorer\Connection Wizard\isignup.exe.new
%CommonProgramFiles%\Microsoft Shared\Stationery\How Recovery Files.txt
<SYSTEM32>\dllcache\nmas.dll.new
C:\Muldrop\npgdpnq.mph_1
%CommonProgramFiles%\Microsoft Shared\Speech\How Recovery Files.txt
%CommonProgramFiles%\System\msadc\msdaremr.dll.new
%ProgramFiles%\Internet Explorer\Connection Wizard\inetwiz.exe.new
C:\Muldrop\npgdpnq.mph_0
<SYSTEM32>\dllcache\nac.dll.new
<SYSTEM32>\dllcache\mst123.dll.new
%CommonProgramFiles%\MSSoap\Binaries\mssoap1.dll.new
<SYSTEM32>\dllcache\wmm2fxb.dll.new
%CommonProgramFiles%\System\ado\msadomd.dll.new
%CommonProgramFiles%\Microsoft Shared\DW\1033\How Recovery Files.txt
<SYSTEM32>\dllcache\cb32.exe.new
C:\Muldrop\dmp_0x88_0x30000
<SYSTEM32>\dllcache\wmm2ext.dll.new
%CommonProgramFiles%\System\msadc\msadcs.dll.new
%CommonProgramFiles%\System\ado\msado26.tlb.new
<SYSTEM32>\dllcache\callcont.dll.new
%WINDIR%\srchasst\chars\How Recovery Files.txt
%CommonProgramFiles%\Microsoft Shared\DW\1028\How Recovery Files.txt
%ProgramFiles%\FireFox\res\How Recovery Files.txt
C:\Muldrop\dmp_0x88_0x20000
%WINDIR%\twunk_16.exe.new
%CommonProgramFiles%\Microsoft Shared\DW\1025\How Recovery Files.txt
C:\Muldrop\dmp_0x88_0x10000
%ProgramFiles%\Internet Explorer\Connection Wizard\icwhelp.dll.new
<ANALYSETOOLS_DIR>\THP\www\How Recovery Files.txt
%CommonProgramFiles%\System\Ole DB\oledb32.dll.new
%CommonProgramFiles%\Microsoft Shared\DW\1031\How Recovery Files.txt
%CommonProgramFiles%\Microsoft Shared\DW\1036\How Recovery Files.txt
<SYSTEM32>\dllcache\wmm2filt.dll.new
<ANALYSETOOLS_DIR>\STracer\How Recovery Files.txt
%CommonProgramFiles%\Microsoft Shared\DAO\How Recovery Files.txt
%CommonProgramFiles%\Microsoft Shared\DW\How Recovery Files.txt
%CommonProgramFiles%\System\Ole DB\oledb32r.dll.new
<SYSTEM32>\dllcache\confmrsl.dll.new
%ProgramFiles%\Internet Explorer\Connection Wizard\icwres.dll.new
%WINDIR%\twunk_32.exe.new
C:\Muldrop\dmp_0x1bc_0x30000
<SYSTEM32>\dllcache\wmm2fxa.dll.new
C:\Muldrop\dmp_0x1bc_0x20000
%CommonProgramFiles%\Microsoft Shared\DW\3082\How Recovery Files.txt
%CommonProgramFiles%\Microsoft Shared\DW\1042\How Recovery Files.txt
%CommonProgramFiles%\Microsoft Shared\DW\2052\How Recovery Files.txt
<SYSTEM32>\dllcache\conf.exe.new
%CommonProgramFiles%\Microsoft Shared\DW\1040\How Recovery Files.txt
%ProgramFiles%\FireFox\searchplugins\How Recovery Files.txt
%CommonProgramFiles%\System\ado\msado27.tlb.new
C:\Muldrop\jogp.fyf_0
<ANALYSETOOLS_DIR>\THP\How Recovery Files.txt
%CommonProgramFiles%\Microsoft Shared\DW\1041\How Recovery Files.txt
<SYSTEM32>\dllcache\nmchat.dll.new
<SYSTEM32>\dllcache\winhlp32.exe.new
<ANALYSE_DIR>\PET-DUMP\How Recovery Files.txt
C:\Far2\Plugins\ExtSearch\sources\RegExp\How Recovery Files.txt
%ProgramFiles%\FireFox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\How Recovery Files.txt
<SYSTEM32>\dllcache\msdaprsr.dll.new
%CommonProgramFiles%\Microsoft Shared\MSInfo\msinfo32.exe.new
%CommonProgramFiles%\Microsoft Shared\Speech\1033\spcplui.dll.new
%ProgramFiles%\FireFox\defaults\profile\How Recovery Files.txt
%WINDIR%\system\avifile.dll.new
<SYSTEM32>\wuweb.dll.new
%ProgramFiles%\FireFox\modules\services-sync\How Recovery Files.txt
<SYSTEM32>\dllcache\msador15.dll.new
<SYSTEM32>\wzcdlg.dll.new
C:\Far2\Plugins\ExtSearch\sources\How Recovery Files.txt
%ProgramFiles%\FireFox\defaults\profile\chrome\How Recovery Files.txt
<SYSTEM32>\dllcache\icwtutor.exe.new
%ProgramFiles%\FireFox\defaults\pref\How Recovery Files.txt
<SYSTEM32>\dllcache\msaddsr.dll.new
%ProgramFiles%\FireFox\dictionaries\How Recovery Files.txt
C:\Far2\Plugins\EMenu\How Recovery Files.txt
%ProgramFiles%\FireFox\modules\services-crypto\How Recovery Files.txt
%CommonProgramFiles%\Microsoft Shared\MSInfo\ieinfo5.ocx.new
<SYSTEM32>\dllcache\mssoapr.dll.new
%WINDIR%\system\lzexpand.dll.new
<SYSTEM32>\xenroll.dll.new
%CommonProgramFiles%\Microsoft Shared\Speech\sapi.dll.new
<SYSTEM32>\dllcache\msadrh15.dll.new
%ProgramFiles%\FireFox\modules\How Recovery Files.txt
%WINDIR%\system\keyboard.drv.new
C:\Far2\Plugins\FTP\lib\How Recovery Files.txt
C:\Far2\Plugins\FarCmds\How Recovery Files.txt
<SYSTEM32>\xcopy.exe.new
%CommonProgramFiles%\Microsoft Shared\Speech\sapi.cpl.new
%WINDIR%\system\commdlg.dll.new
<ANALYSETOOLS_DIR>\Angar2\scripts\main.bin
<SYSTEM32>\xactsrv.dll.new
<SYSTEM32>\dllcache\msdaprst.dll.new
<SYSTEM32>\dllcache\msadox.dll.new
<SYSTEM32>\dllcache\icwutil.dll.new
<SYSTEM32>\dllcache\vmmreg32.dll.new
%ProgramFiles%\FireFox\modules\tabview\How Recovery Files.txt
%ProgramFiles%\Windows Media Player\mplayer2.exe.new
%ProgramFiles%\FireFox\defaults\autoconfig\How Recovery Files.txt
%ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\update\How Recovery Files.txt
C:\Far2\Plugins\Compare\How Recovery Files.txt
<SYSTEM32>\dllcache\msado27.tlb.new
%ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\profile\How Recovery Files.txt
C:\Far2\Plugins\ExtSearch\doc\How Recovery Files.txt
%WINDIR%\srchasst\msgr3en.dll.new
%ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\plugins\How Recovery Files.txt
%ProgramFiles%\FireFox\modules\services-sync\engines\How Recovery Files.txt
%WINDIR%\system\avicap.dll.new
<SYSTEM32>\dllcache\msadcs.dll.new
<SYSTEM32>\dllcache\msado26.tlb.new
<SYSTEM32>\dllcache\oledb32.dll.new
C:\Far2\Plugins\Colorer\How Recovery Files.txt
C:\Far2\Plugins\Brackets\How Recovery Files.txt
C:\Far2\Plugins\AutoWrap\How Recovery Files.txt
<SYSTEM32>\dllcache\twunk_16.exe.new
%ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\viewsource\How Recovery Files.txt
<SYSTEM32>\dllcache\msadds.dll.new
<SYSTEM32>\wuaueng1.dll.new
<SYSTEM32>\wuauserv.dll.new
C:\Far2\Plugins\ExtSearch\How Recovery Files.txt
<SYSTEM32>\dllcache\icwrmind.exe.new
<SYSTEM32>\wups.dll.new
C:\Far2\Plugins\DrawLine\How Recovery Files.txt
<SYSTEM32>\dllcache\msadomd.dll.new
C:\Far2\Plugins\EditCase\How Recovery Files.txt
%ProgramFiles%\FireFox\components\How Recovery Files.txt
<SYSTEM32>\wupdmgr.exe.new
C:\Far2\Plugins\MacroView\How Recovery Files.txt
%ProgramFiles%\FireFox\chrome\How Recovery Files.txt
<SYSTEM32>\dllcache\msdarem.dll.new
<SYSTEM32>\dllcache\oledb32r.dll.new
<SYSTEM32>\wucltui.dll.new
%CommonProgramFiles%\Microsoft Shared\DAO\dao360.dll.new
%ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\xpinstall\How Recovery Files.txt
%ProgramFiles%\FireFox\modules\services-sync\ext\How Recovery Files.txt
<SYSTEM32>\dllcache\icwres.dll.new
<SYSTEM32>\dllcache\twunk_32.exe.new
%WINDIR%\Registration\How Recovery Files.txt
<SYSTEM32>\dllcache\mssoap1.dll.new
C:\Far2\Plugins\ExtSearch\keys\How Recovery Files.txt
<ANALYSETOOLS_DIR>\DbgPrint\How Recovery Files.txt
%WINDIR%\system\system.drv.new
C:\Far2\Plugins\HlfViewer\How Recovery Files.txt
%ProgramFiles%\FireFox\res\entityTables\How Recovery Files.txt
<SYSTEM32>\dllcache\spcommon.dll.new
%CommonProgramFiles%\Microsoft Shared\Triedit\triedit.dll.new
%WINDIR%\system\olesvr.dll.new
<ANALYSE_DIR>\PET-DUMP\0B3C_pet_cmd.exe
<SYSTEM32>\dllcache\spttseng.dll.new
C:\Far2\PluginSDK\Headers.c\How Recovery Files.txt
<SYSTEM32>\dllcache\trialoc.dll.new
<APATH_DUMPS_DIR>\How Recovery Files.txt
%WINDIR%\system\olecli.dll.new
%CommonProgramFiles%\Microsoft Shared\Triedit\dhtmled.ocx.new
<SYSTEM32>\xpsp1res.dll.new
<SYSTEM32>\dllcache\r1033tts.lxa.new
<SYSTEM32>\dllcache\sam.spd.new
%WINDIR%\system\msvideo.dll.new
C:\Far2\Plugins\WinSCP\How Recovery Files.txt
C:\Far2\PluginSDK\Headers.pas\How Recovery Files.txt
<ANALYSE_DIR>\PET-DUMP\0B44_pet_vssadmin.exe
%WINDIR%\system\mouse.drv.new
<SYSTEM32>\dllcache\wab32.dll.new
<SYSTEM32>\dllcache\ltts1033.lxa.new
<SYSTEM32>\dllcache\iexplore.exe.new
<ANALYSE_DIR>\PET-DUMP\0B84_pet_SCHTASKS.exe
<ANALYSETOOLS_DIR>\BCode\script\How Recovery Files.txt
%WINDIR%\system\stdole.tlb.new
%WINDIR%\security\templates\How Recovery Files.txt
%WINDIR%\system\sound.drv.new
<SYSTEM32>\dllcache\iedw.exe.new
C:\Far2\How Recovery Files.txt
<ANALYSE_DIR>\PET-DUMP\0B64_pet_cmd.exe
<ANALYSETOOLS_DIR>\Angar2\tools\th_\How Recovery Files.txt
%WINDIR%\system\shell.dll.new
<ANALYSETOOLS_DIR>\Angar2\tools\th_\www\How Recovery Files.txt
<ANALYSETOOLS_DIR>\BCode\How Recovery Files.txt
<SYSTEM32>\dllcache\wab32res.dll.new
%WINDIR%\srchasst\nls302en.lex.new
<SYSTEM32>\dllcache\winhelp.exe.new
<ANALYSETOOLS_DIR>\DumpNet\How Recovery Files.txt
<ANALYSE_DIR>\PET-DUMP\0B50_pet_cmd.exe
<SYSTEM32>\xpob2res.dll.new
%WINDIR%\system\mciwave.drv.new
<ANALYSE_DIR>\DWS-DUMP\0B84_dws_SCHTASKS.exe
<ANALYSE_DIR>\DWS-DUMP\0B3C_dws_cmd.exe
<ANALYSETOOLS_DIR>\Angar2\How Recovery Files.txt
<ANALYSETOOLS_DIR>\Angar2\scripts\How Recovery Files.txt
<SYSTEM32>\dllcache\inetwiz.exe.new
<SYSTEM32>\xmlprov.dll.new
%WINDIR%\Resources\Themes\Luna\Shell\Homestead\How Recovery Files.txt
<SYSTEM32>\dllcache\hmmapi.dll.new
C:\Far2\Plugins\Network\How Recovery Files.txt
C:\Far2\Plugins\ProcList\How Recovery Files.txt
%CommonProgramFiles%\Microsoft Shared\Speech\sapisvr.exe.new
%WINDIR%\system\mciseq.drv.new
<SYSTEM32>\dllcache\wisc10.dll.new
%WINDIR%\system\mciavi.drv.new
C:\Far2\Plugins\FTP\How Recovery Files.txt
C:\Far2\Plugins\TmpPanel\How Recovery Files.txt
<SYSTEM32>\dllcache\isignup.exe.new
%WINDIR%\Resources\Themes\Luna\How Recovery Files.txt
<SYSTEM32>\dllcache\msdaremr.dll.new
%WINDIR%\Resources\Themes\Luna\Shell\Metallic\How Recovery Files.txt
<ANALYSE_DIR>\DWS-DUMP\0B44_dws_vssadmin.exe
%WINDIR%\system\mmsystem.dll.new
%ProgramFiles%\FireFox\res\dtd\How Recovery Files.txt
%WINDIR%\security\logs\How Recovery Files.txt
<SYSTEM32>\xolehlp.dll.new
%WINDIR%\security\Database\How Recovery Files.txt
%WINDIR%\system\mmtask.tsk.new
<SYSTEM32>\dllcache\msjro.dll.new
<SYSTEM32>\dllcache\msdfmap.dll.new
%WINDIR%\Resources\Themes\How Recovery Files.txt
C:\Far2\Plugins\FileCase\How Recovery Files.txt
<SYSTEM32>\dllcache\sqlxmlx.dll.new
<ANALYSETOOLS_DIR>\Angar2\tools\dumpe_\How Recovery Files.txt
<ANALYSE_DIR>\DWS-DUMP\0B50_dws_cmd.exe
%WINDIR%\repair\How Recovery Files.txt
%WINDIR%\Resources\Themes\Luna\Shell\NormalColor\How Recovery Files.txt
<SYSTEM32>\xmlprovi.dll.new
<ANALYSE_DIR>\DWS-DUMP\0B64_dws_cmd.exe
<SYSTEM32>\dllcache\sam.sdf.new
<ANALYSE_DIR>\DWS-DUMP\How Recovery Files.txt
<SYSTEM32>\dllcache\directdb.dll.new
<SYSTEM32>\dllcache\nmcom.dll.new
%CommonProgramFiles%\SpeechEngines\Microsoft\TTS\1033\sam.sdf.new
%CommonProgramFiles%\SpeechEngines\Microsoft\Lexicon\1033\ltts1033.lxa.new
<STUBS_DIR>\GUARD\How Recovery Files.txt
<STUBS_DIR>\GVOnline\How Recovery Files.txt
<STUBS_DIR>\googletalk\How Recovery Files.txt
<STUBS_DIR>\ge\How Recovery Files.txt
<STUBS_DIR>\gc\How Recovery Files.txt
<STUBS_DIR>\fsavgui\How Recovery Files.txt
<STUBS_DIR>\fsavaui\How Recovery Files.txt
<STUBS_DIR>\fsav32\How Recovery Files.txt
%ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\How Recovery Files.txt
<STUBS_DIR>\firefox\How Recovery Files.txt
<STUBS_DIR>\fsav\How Recovery Files.txt
<STUBS_DIR>\el_cli\How Recovery Files.txt
<STUBS_DIR>\elementclient\How Recovery Files.txt
<STUBS_DIR>\elbank\How Recovery Files.txt
<STUBS_DIR>\ekrn\How Recovery Files.txt
<STUBS_DIR>\egni\How Recovery Files.txt
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\How Recovery Files.txt
<STUBS_DIR>\ecmd\How Recovery Files.txt
<STUBS_DIR>\inbank-start-ff\How Recovery Files.txt
<STUBS_DIR>\ICQ\How Recovery Files.txt
<STUBS_DIR>\maplestory\How Recovery Files.txt
<STUBS_DIR>\magent\How Recovery Files.txt
<STUBS_DIR>\lotroclient\How Recovery Files.txt
<STUBS_DIR>\loadmain\How Recovery Files.txt
<STUBS_DIR>\lin\How Recovery Files.txt
%ProgramFiles%\MSN\MSNCoreFiles\Install\How Recovery Files.txt
<STUBS_DIR>\java\How Recovery Files.txt
<STUBS_DIR>\l2\How Recovery Files.txt
<STUBS_DIR>\javaw\How Recovery Files.txt
<STUBS_DIR>\kb_cli\How Recovery Files.txt
<STUBS_DIR>\iscc\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\How Recovery Files.txt
<STUBS_DIR>\intpro\How Recovery Files.txt
<STUBS_DIR>\ISClient\How Recovery Files.txt
<STUBS_DIR>\InphaseNXD\How Recovery Files.txt
<STUBS_DIR>\iexplore\How Recovery Files.txt
<STUBS_DIR>\httplook\How Recovery Files.txt
<STUBS_DIR>\Drwebupw\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\How Recovery Files.txt
<STUBS_DIR>\Drwebwcl\How Recovery Files.txt
<STUBS_DIR>\bclient\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\How Recovery Files.txt
<STUBS_DIR>\BBClient\How Recovery Files.txt
<STUBS_DIR>\bankcl\How Recovery Files.txt
<STUBS_DIR>\AVSYNMGR\How Recovery Files.txt
<STUBS_DIR>\AVPCC\How Recovery Files.txt
<STUBS_DIR>\AVPM\How Recovery Files.txt
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\How Recovery Files.txt
<STUBS_DIR>\AVP32\How Recovery Files.txt
<STUBS_DIR>\AVGCTRL\How Recovery Files.txt
<STUBS_DIR>\AVGCC32\How Recovery Files.txt
<STUBS_DIR>\avgcc\How Recovery Files.txt
<STUBS_DIR>\ashAvSrv\How Recovery Files.txt
<STUBS_DIR>\ageofconan\How Recovery Files.txt
<STUBS_DIR>\aion\How Recovery Files.txt
<STUBS_DIR>\bc_loader\How Recovery Files.txt
<STUBS_DIR>\bdagent\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\How Recovery Files.txt
<STUBS_DIR>\cabalmain\How Recovery Files.txt
<STUBS_DIR>\bdsubmit\How Recovery Files.txt
<STUBS_DIR>\Drweb32w\How Recovery Files.txt
<STUBS_DIR>\drweb\How Recovery Files.txt
<STUBS_DIR>\dekaron\How Recovery Files.txt
<STUBS_DIR>\contactNG\How Recovery Files.txt
<STUBS_DIR>\dnf\How Recovery Files.txt
<STUBS_DIR>\clntw32\How Recovery Files.txt
<STUBS_DIR>\client7\How Recovery Files.txt
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\How Recovery Files.txt
<STUBS_DIR>\clbank\How Recovery Files.txt
<STUBS_DIR>\ash\How Recovery Files.txt
<STUBS_DIR>\ClamWin\How Recovery Files.txt
<STUBS_DIR>\ccapp\How Recovery Files.txt
<STUBS_DIR>\cbsmain\How Recovery Files.txt
<STUBS_DIR>\cbmain\How Recovery Files.txt
<STUBS_DIR>\cbank\How Recovery Files.txt
<STUBS_DIR>\bk\How Recovery Files.txt
<STUBS_DIR>\bdss\How Recovery Files.txt
<STUBS_DIR>\clmain\How Recovery Files.txt
<STUBS_DIR>\drweb386\How Recovery Files.txt
<STUBS_DIR>\chrome\How Recovery Files.txt
<STUBS_DIR>\AVP\How Recovery Files.txt
<STUBS_DIR>\Mir3Game\How Recovery Files.txt
<STUBS_DIR>\nod\How Recovery Files.txt
<STUBS_DIR>\wow\How Recovery Files.txt
<STUBS_DIR>\woool\How Recovery Files.txt
<STUBS_DIR>\winbaram\How Recovery Files.txt
<STUBS_DIR>\webmoney\How Recovery Files.txt
<STUBS_DIR>\wclnt\How Recovery Files.txt
<STUBS_DIR>\UniStream\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\How Recovery Files.txt
%WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\How Recovery Files.txt
%WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\How Recovery Files.txt
<STUBS_DIR>\TwelveSky2\How Recovery Files.txt
<STUBS_DIR>\trillian\How Recovery Files.txt
<STUBS_DIR>\translink\How Recovery Files.txt
<STUBS_DIR>\tiny\How Recovery Files.txt
%ProgramFiles%\Windows Media Player\Skins\How Recovery Files.txt
<STUBS_DIR>\How Recovery Files.txt
%ProgramFiles%\Windows NT\Accessories\How Recovery Files.txt
<STUBS_DIR>\wsm\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\How Recovery Files.txt
%ProgramFiles%\Outlook Express\How Recovery Files.txt
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\How Recovery Files.txt
%APPDATA%\info.exe
%TEMP%\tmp2.tmp
%TEMP%\tmp3.tmp
%TEMP%\tmp4.tmp
%APPDATA%\recovery.txt
C:\How Recovery Files.txt
%WINDIR%\How Recovery Files.txt
<STUBS_DIR>\ZONEALARM\How Recovery Files.txt
<STUBS_DIR>\__cd75efb816b2cc__\How Recovery Files.txt
<STUBS_DIR>\zlclient\How Recovery Files.txt
<STUBS_DIR>\ZZ__cd75efb816b2cc__\How Recovery Files.txt
<STUBS_DIR>\zapro\How Recovery Files.txt
<STUBS_DIR>\YahooMessenger\How Recovery Files.txt
%ProgramFiles%\Windows Media Player\How Recovery Files.txt
C:\RECYCLER\S-1-5-21-2052111302-484763869-725345543-1003\How Recovery Files.txt
%ProgramFiles%\Windows NT\How Recovery Files.txt
<STUBS_DIR>\ybclient\How Recovery Files.txt
%ProgramFiles%\Windows NT\Pinball\How Recovery Files.txt
%WINDIR%\XXInstall\Scripts\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\How Recovery Files.txt
%ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\How Recovery Files.txt
<STUBS_DIR>\qip\How Recovery Files.txt
<STUBS_DIR>\putty\How Recovery Files.txt
<STUBS_DIR>\pidgin\How Recovery Files.txt
<STUBS_DIR>\outpost\How Recovery Files.txt
<STUBS_DIR>\opera\How Recovery Files.txt
<STUBS_DIR>\oncbcli\How Recovery Files.txt
<STUBS_DIR>\ntvdm\How Recovery Files.txt
%WINDIR%\XXInstall\How Recovery Files.txt
<STUBS_DIR>\nod32\How Recovery Files.txt
<STUBS_DIR>\netxray\How Recovery Files.txt
<STUBS_DIR>\NAVAPW32\How Recovery Files.txt
<STUBS_DIR>\miranda32\How Recovery Files.txt
<STUBS_DIR>\msn6\How Recovery Files.txt
<STUBS_DIR>\msnmsgr\How Recovery Files.txt
<STUBS_DIR>\mpftray\How Recovery Files.txt
%ProgramFiles%\Movie Maker\How Recovery Files.txt
<STUBS_DIR>\Ragexe\How Recovery Files.txt
<STUBS_DIR>\RagFree\How Recovery Files.txt
<STUBS_DIR>\rclient\How Recovery Files.txt
%ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\How Recovery Files.txt
<STUBS_DIR>\sro_client\How Recovery Files.txt
<STUBS_DIR>\MCAGENT\How Recovery Files.txt
<STUBS_DIR>\startclient7\How Recovery Files.txt
<STUBS_DIR>\ashAvast\How Recovery Files.txt
<STUBS_DIR>\spidernt\How Recovery Files.txt
<STUBS_DIR>\skype\How Recovery Files.txt
<STUBS_DIR>\sgbclient\How Recovery Files.txt
<STUBS_DIR>\safari\How Recovery Files.txt
%ProgramFiles%\NetMeeting\How Recovery Files.txt
%ProgramFiles%\Online Services\How Recovery Files.txt
%ProgramFiles%\MSN\MSNCoreFiles\OOBE\How Recovery Files.txt
<STUBS_DIR>\smc\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\How Recovery Files.txt
<STUBS_DIR>\so3d\How Recovery Files.txt
<STUBS_DIR>\gw\How Recovery Files.txt
<STUBS_DIR>\360tray\How Recovery Files.txt
<SYSTEM32>\dllcache\wabmig.exe.new
<SYSTEM32>\dllcache\htrn_jis.dll.new
<SYSTEM32>\dllcache\wabimp.dll.new
<SYSTEM32>\dllcache\wabfind.dll.new
<SYSTEM32>\dllcache\wmpband.dll.new
<SYSTEM32>\dllcache\dialer.exe.new
<SYSTEM32>\dllcache\wab.exe.new
%WINDIR%\Temp\How Recovery Files.txt
<SYSTEM32>\dllcache\setup50.exe.new
<SYSTEM32>\dllcache\oemiglib.dll.new
%CommonProgramFiles%\Microsoft Shared\web server extensions\40\bin\1033\How Recovery Files.txt
<SYSTEM32>\dllcache\wordpad.exe.new
%CommonProgramFiles%\Microsoft Shared\Web Folders\How Recovery Files.txt
<ANALYSE_DIR>\How Recovery Files.txt
<SYSTEM32>\dllcache\oemig50.exe.new
%WINDIR%\system\How Recovery Files.txt
%WINDIR%\twain_32\How Recovery Files.txt
<SYSTEM32>\dllcache\wmpns.dll.new
<SYSTEM32>\dllcache\wmplayer.exe.new
<SYSTEM32>\dllcache\oeimport.dll.new
<ANALYSETOOLS_DIR>\XueTr_Cmd\How Recovery Files.txt
%WINDIR%\srchasst\How Recovery Files.txt
%ProgramFiles%\NetMeeting\h323cc.dll.new
%ProgramFiles%\NetMeeting\dcap32.dll.new
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\fifo.log
%ProgramFiles%\Movie Maker\wmm2fxb.dll.new
C:\Muldrop\unq2.unq_0
%ProgramFiles%\NetMeeting\confmrsl.dll.new
%ProgramFiles%\Movie Maker\wmm2fxa.dll.new
%ProgramFiles%\NetMeeting\conf.exe.new
C:\Muldrop\unq1.unq_0
%ProgramFiles%\Movie Maker\wmm2filt.dll.new
%ProgramFiles%\NetMeeting\cb32.exe.new
%ProgramFiles%\Movie Maker\wmm2ext.dll.new
%ProgramFiles%\NetMeeting\callcont.dll.new
%CommonProgramFiles%\Microsoft Shared\web server extensions\40\bin\How Recovery Files.txt
%ProgramFiles%\Movie Maker\wmm2eres.dll.new
%ProgramFiles%\Movie Maker\moviemk.exe.new
%CommonProgramFiles%\MSSoap\Binaries\Resources\1033\How Recovery Files.txt
%ProgramFiles%\Movie Maker\wmm2ae.dll.new
<SYSTEM32>\dllcache\setup_wm.exe.new
%CommonProgramFiles%\Microsoft Shared\TextConv\How Recovery Files.txt
<SYSTEM32>\dllcache\npdsplay.dll.new
%CommonProgramFiles%\System\wab32res.dll.new
%WINDIR%\winhelp.exe.new
%ProgramFiles%\Internet Explorer\hmmapi.dll.new
%CommonProgramFiles%\SpeechEngines\Microsoft\spcommon.dll.new
<SYSTEM32>\dllcache\wmm2res2.dll.new
%WINDIR%\srchasst\mui\0409\How Recovery Files.txt
%ProgramFiles%\NetMeeting\mst123.dll.new
%CommonProgramFiles%\SpeechEngines\Microsoft\TTS\1033\spttseng.dll.new
<SYSTEM32>\dllcache\nmwb.dll.new
<SYSTEM32>\dllcache\nmoldwb.dll.new
%CommonProgramFiles%\SpeechEngines\Microsoft\Lexicon\1033\r1033tts.lxa.new
<SYSTEM32>\dllcache\nmft.dll.new
%CommonProgramFiles%\SpeechEngines\Microsoft\TTS\1033\sam.spd.new
%CommonProgramFiles%\System\wab32.dll.new
<SYSTEM32>\dllcache\wb32.exe.new
%ProgramFiles%\Internet Explorer\iedw.exe.new
%ProgramFiles%\Internet Explorer\Connection Wizard\trialoc.dll.new
<SYSTEM32>\dllcache\rrcm.dll.new
%CommonProgramFiles%\Microsoft Shared\Triedit\How Recovery Files.txt
<SYSTEM32>\dllcache\msimn.exe.new
<SYSTEM32>\dllcache\pinball.exe.new
<SYSTEM32>\dllcache\npdrmv2.dll.new
<SYSTEM32>\XPSViewer\How Recovery Files.txt
<SYSTEM32>\dllcache\mpvis.dll.new
%CommonProgramFiles%\Microsoft Shared\VGX\How Recovery Files.txt
<SYSTEM32>\dllcache\msoeres.dll.new
%WINDIR%\Web\Wallpaper\How Recovery Files.txt
<SYSTEM32>\dllcache\mplayer2.exe.new
%WINDIR%\winhlp32.exe.new
%ProgramFiles%\Movie Maker\wmm2res.dll.new
%CommonProgramFiles%\Microsoft Shared\VC\How Recovery Files.txt
<SYSTEM32>\dllcache\migrate.exe.new
<SYSTEM32>\dllcache\custsat.dll.new
%ProgramFiles%\Internet Explorer\iexplore.exe.new
%WINDIR%\Web\printers\How Recovery Files.txt
<SYSTEM32>\dllcache\msoe.dll.new
<SYSTEM32>\XPSViewer\en-US\How Recovery Files.txt
<SYSTEM32>\How Recovery Files.txt
<SYSTEM32>\dllcache\npwmsdrm.dll.new
%WINDIR%\Web\How Recovery Files.txt
%ProgramFiles%\NetMeeting\mst120.dll.new
%ProgramFiles%\NetMeeting\nac.dll.new
%ProgramFiles%\Movie Maker\Shared\How Recovery Files.txt
%ProgramFiles%\Windows Media Player\wmpns.dll.new
%WINDIR%\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_6595b64144ccf1df_x-ww_c7b7206f\How Recovery Files.txt
%ProgramFiles%\Outlook Express\wabmig.exe.new
%ProgramFiles%\Windows Media Player\wmplayer.exe.new
%ProgramFiles%\Windows NT\htrn_jis.dll.new
%ProgramFiles%\Outlook Express\wabimp.dll.new
%ProgramFiles%\Outlook Express\wabfind.dll.new
%ProgramFiles%\Windows Media Player\wmpband.dll.new
%ProgramFiles%\Windows NT\dialer.exe.new
%ProgramFiles%\Outlook Express\wab.exe.new
%ProgramFiles%\Outlook Express\setup50.exe.new
%ProgramFiles%\Outlook Express\oemiglib.dll.new
%ProgramFiles%\Windows NT\Accessories\wordpad.exe.new
%WINDIR%\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510\How Recovery Files.txt
%WINDIR%\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_x-ww_362e60dd\How Recovery Files.txt
%ProgramFiles%\Microsoft.NET\RedistList\How Recovery Files.txt
%WINDIR%\WinSxS\Policies\x86_policy.7.0.Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_x-ww_a317e4b3\How Recovery Files.txt
%WINDIR%\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\How Recovery Files.txt
%WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_x-ww_5f0bbcff\How Recovery Files.txt
%WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\How Recovery Files.txt
%WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_x-ww_4ee8bb30\How Recovery Files.txt
%ProgramFiles%\Movie Maker\Shared\Profiles\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\How Recovery Files.txt
%WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\How Recovery Files.txt
%WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_x-ww_6ad67377\How Recovery Files.txt
%ProgramFiles%\Outlook Express\oemig50.exe.new
<SYSTEM32>\wuaueng.dll.new
%WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\How Recovery Files.txt
%WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_x-ww_b8438ace\How Recovery Files.txt
%WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_x-ww_9e7eb501\How Recovery Files.txt
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\How Recovery Files.txt
%ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\How Recovery Files.txt
%WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_x-ww_7d81c9f9\How Recovery Files.txt
%WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_x-ww_0f75c32e\How Recovery Files.txt
%WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_x-ww_caeee150\How Recovery Files.txt
%ProgramFiles%\Movie Maker\MUI\0409\How Recovery Files.txt
%WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\How Recovery Files.txt
%WINDIR%\pss\How Recovery Files.txt
%WINDIR%\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\How Recovery Files.txt
%WINDIR%\WinSxS\Manifests\How Recovery Files.txt
%ProgramFiles%\Movie Maker\wmm2res2.dll.new
%ProgramFiles%\Internet Explorer\Connection Wizard\How Recovery Files.txt
%CommonProgramFiles%\SpeechEngines\Microsoft\Lexicon\1033\How Recovery Files.txt
%CommonProgramFiles%\Services\How Recovery Files.txt
%ProgramFiles%\NetMeeting\nmwb.dll.new
%ProgramFiles%\NetMeeting\nmoldwb.dll.new
%ProgramFiles%\Messenger\How Recovery Files.txt
%ProgramFiles%\NetMeeting\nmft.dll.new
%CommonProgramFiles%\System\Ole DB\How Recovery Files.txt
%ProgramFiles%\NetMeeting\nmchat.dll.new
%CommonProgramFiles%\System\msadc\How Recovery Files.txt
%ProgramFiles%\NetMeeting\nmasnt.dll.new
%CommonProgramFiles%\MSSoap\Binaries\How Recovery Files.txt
%ProgramFiles%\NetMeeting\nmas.dll.new
%CommonProgramFiles%\System\ado\How Recovery Files.txt
C:\Muldrop\How Recovery Files.txt
%ProgramFiles%\NetMeeting\nmcom.dll.new
%ProgramFiles%\NetMeeting\rrcm.dll.new
%ProgramFiles%\NetMeeting\wb32.exe.new
%ProgramFiles%\Outlook Express\msimn.exe.new
%CommonProgramFiles%\SpeechEngines\Microsoft\TTS\1033\How Recovery Files.txt
%ProgramFiles%\Windows Media Player\setup_wm.exe.new
%ProgramFiles%\Windows Media Player\npwmsdrm.dll.new
%ProgramFiles%\Windows Media Player\npdsplay.dll.new
%ProgramFiles%\Windows Media Player\npdrmv2.dll.new
%ProgramFiles%\Windows Media Player\mpvis.dll.new
%ProgramFiles%\Outlook Express\msoeres.dll.new
%WINDIR%\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac\How Recovery Files.txt
%ProgramFiles%\Internet Explorer\SIGNUP\How Recovery Files.txt
%WINDIR%\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5\How Recovery Files.txt
%ProgramFiles%\Internet Explorer\How Recovery Files.txt
%ProgramFiles%\Internet Explorer\MUI\0409\How Recovery Files.txt
%ProgramFiles%\Windows Media Player\custsat.dll.new
%CommonProgramFiles%\System\How Recovery Files.txt
%ProgramFiles%\FireFox\How Recovery Files.txt
%ProgramFiles%\Outlook Express\msoe.dll.new
%CommonProgramFiles%\SpeechEngines\Microsoft\How Recovery Files.txt
%ProgramFiles%\Outlook Express\oeimport.dll.new
%ProgramFiles%\Windows NT\Pinball\pinball.exe.new
%ProgramFiles%\Windows Media Player\migrate.exe.new
C:\Far2\Plugins\Colorer\hrc\How Recovery Files.txt

Deletes the following files:

%TEMP%\tmp1.tmp
%TEMP%\tmp2.tmp

Moves the following system files:

from %WINDIR%\_default.pif to %WINDIR%\_default.pif.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2.cat.no_more_ransom
from %WINDIR%\system\COMMDLG.DLL to %WINDIR%\system\COMMDLG.DLL.no_more_ransom
from %WINDIR%\srchasst\mui\0409\lcladv.xml to %WINDIR%\srchasst\mui\0409\lcladv.xml.no_more_ransom
from %WINDIR%\srchasst\mui\0409\lcladvd.xml to %WINDIR%\srchasst\mui\0409\lcladvd.xml.no_more_ransom
from <SYSTEM32>\xcopy.exe to <SYSTEM32>\xcopy.exe.no_more_ransom
from %WINDIR%\system\KEYBOARD.DRV to %WINDIR%\system\KEYBOARD.DRV.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2.manifest.no_more_ransom
from %WINDIR%\srchasst\mui\0409\lcladvdf.xml to %WINDIR%\srchasst\mui\0409\lcladvdf.xml.no_more_ransom
from %WINDIR%\Web\printers\images\ipp_0002.gif to %WINDIR%\Web\printers\images\ipp_0002.gif.no_more_ransom
from %WINDIR%\system\LZEXPAND.DLL to %WINDIR%\system\LZEXPAND.DLL.no_more_ransom
from <SYSTEM32>\xenroll.dll to <SYSTEM32>\xenroll.dll.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.cat.no_more_ransom
from %WINDIR%\srchasst\mui\0409\lcladvmm.xml to %WINDIR%\srchasst\mui\0409\lcladvmm.xml.no_more_ransom
from %WINDIR%\Web\printers\images\ipp_0003.gif to %WINDIR%\Web\printers\images\ipp_0003.gif.no_more_ransom
from %WINDIR%\system\MCIAVI.DRV to %WINDIR%\system\MCIAVI.DRV.no_more_ransom
from %WINDIR%\srchasst\mui\0409\lclcomp.xml to %WINDIR%\srchasst\mui\0409\lclcomp.xml.no_more_ransom
from %WINDIR%\Web\printers\images\ipp_0004.gif to %WINDIR%\Web\printers\images\ipp_0004.gif.no_more_ransom
from %WINDIR%\srchasst\mui\0409\lcldate.xml to %WINDIR%\srchasst\mui\0409\lcldate.xml.no_more_ransom
from <SYSTEM32>\xm.dll to <SYSTEM32>\xm.dll.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.manifest.no_more_ransom
from %WINDIR%\system\MCISEQ.DRV to %WINDIR%\system\MCISEQ.DRV.no_more_ransom
from <SYSTEM32>\xactsrv.dll to <SYSTEM32>\xactsrv.dll.no_more_ransom
from %WINDIR%\srchasst\mui\0409\intro.xml to %WINDIR%\srchasst\mui\0409\intro.xml.no_more_ransom
from %WINDIR%\srchasst\mui\0409\intents.xml to %WINDIR%\srchasst\mui\0409\intents.xml.no_more_ransom
from %WINDIR%\srchasst\mui\0409\inetsrch.xml to %WINDIR%\srchasst\mui\0409\inetsrch.xml.no_more_ransom
from <SYSTEM32>\wuauserv.dll to <SYSTEM32>\wuauserv.dll.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05.cat.no_more_ransom
from <SYSTEM32>\wucltui.dll to <SYSTEM32>\wucltui.dll.no_more_ransom
from %WINDIR%\srchasst\mui\0409\balloon.xsl to %WINDIR%\srchasst\mui\0409\balloon.xsl.no_more_ransom
from <SYSTEM32>\wupdmgr.exe to <SYSTEM32>\wupdmgr.exe.no_more_ransom
from %WINDIR%\srchasst\mui\0409\bar.xsl to %WINDIR%\srchasst\mui\0409\bar.xsl.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05.manifest.no_more_ransom
from %WINDIR%\srchasst\mui\0409\charchsr.xml to %WINDIR%\srchasst\mui\0409\charchsr.xml.no_more_ransom
from %WINDIR%\srchasst\mui\0409\charctxt.xml to %WINDIR%\srchasst\mui\0409\charctxt.xml.no_more_ransom
from <SYSTEM32>\wups.dll to <SYSTEM32>\wups.dll.no_more_ransom
from %WINDIR%\srchasst\mui\0409\error.xml to %WINDIR%\srchasst\mui\0409\error.xml.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a.cat.no_more_ransom
from %WINDIR%\srchasst\mui\0409\finish.xml to %WINDIR%\srchasst\mui\0409\finish.xml.no_more_ransom
from %WINDIR%\srchasst\mui\0409\indxsvc.xml to %WINDIR%\srchasst\mui\0409\indxsvc.xml.no_more_ransom
from %WINDIR%\system\AVICAP.DLL to %WINDIR%\system\AVICAP.DLL.no_more_ransom
from <SYSTEM32>\wuweb.dll to <SYSTEM32>\wuweb.dll.no_more_ransom
from %WINDIR%\srchasst\mui\0409\inetfind.xml to %WINDIR%\srchasst\mui\0409\inetfind.xml.no_more_ransom
from %WINDIR%\srchasst\mui\0409\inetopts.xml to %WINDIR%\srchasst\mui\0409\inetopts.xml.no_more_ransom
from <SYSTEM32>\wzcdlg.dll to <SYSTEM32>\wzcdlg.dll.no_more_ransom
from %WINDIR%\system\AVIFILE.DLL to %WINDIR%\system\AVIFILE.DLL.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a.manifest.no_more_ransom
from %WINDIR%\srchasst\mui\0409\inetpref.xml to %WINDIR%\srchasst\mui\0409\inetpref.xml.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303.manifest.no_more_ransom
from %WINDIR%\srchasst\mui\0409\lcldocs.xml to %WINDIR%\srchasst\mui\0409\lcldocs.xml.no_more_ransom
from %WINDIR%\Web\printers\images\ipp_0005.gif to %WINDIR%\Web\printers\images\ipp_0005.gif.no_more_ransom
from <SYSTEM32>\xmlprov.dll to <SYSTEM32>\xmlprov.dll.no_more_ransom
from %WINDIR%\srchasst\mui\0409\lclsize.xml to %WINDIR%\srchasst\mui\0409\lclsize.xml.no_more_ransom
from %WINDIR%\system\OLECLI.DLL to %WINDIR%\system\OLECLI.DLL.no_more_ransom
from %WINDIR%\Web\printers\ipp_0005.asp to %WINDIR%\Web\printers\ipp_0005.asp.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313.manifest.no_more_ransom
from %WINDIR%\srchasst\mui\0409\lclsrch.xml to %WINDIR%\srchasst\mui\0409\lclsrch.xml.no_more_ransom
from %WINDIR%\Web\printers\ipp_0006.asp to %WINDIR%\Web\printers\ipp_0006.asp.no_more_ransom
from %WINDIR%\srchasst\mui\0409\lcltechy.xml to %WINDIR%\srchasst\mui\0409\lcltechy.xml.no_more_ransom
from %WINDIR%\Web\printers\ipp_0007.asp to %WINDIR%\Web\printers\ipp_0007.asp.no_more_ransom
from %WINDIR%\system\OLESVR.DLL to %WINDIR%\system\OLESVR.DLL.no_more_ransom
from <SYSTEM32>\xpsshhdr.dll to <SYSTEM32>\xpsshhdr.dll.no_more_ransom
from %WINDIR%\Web\printers\ipp_0010.asp to %WINDIR%\Web\printers\ipp_0010.asp.no_more_ransom
from %WINDIR%\srchasst\nls302en.lex to %WINDIR%\srchasst\nls302en.lex.no_more_ransom
from %WINDIR%\system\setup.inf to %WINDIR%\system\setup.inf.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53.cat.no_more_ransom
from %WINDIR%\Web\printers\ipp_0013.asp to %WINDIR%\Web\printers\ipp_0013.asp.no_more_ransom
from %WINDIR%\Web\printers\ipp_0014.asp to %WINDIR%\Web\printers\ipp_0014.asp.no_more_ransom
from %WINDIR%\Web\printers\ipp_0015.asp to %WINDIR%\Web\printers\ipp_0015.asp.no_more_ransom
from %WINDIR%\Web\printers\ipp_adsi.inc to %WINDIR%\Web\printers\ipp_adsi.inc.no_more_ransom
from %WINDIR%\system\SHELL.DLL to %WINDIR%\system\SHELL.DLL.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53.manifest.no_more_ransom
from %WINDIR%\Web\printers\ipp_res.inc to %WINDIR%\Web\printers\ipp_res.inc.no_more_ransom
from <SYSTEM32>\xpsp1res.dll to <SYSTEM32>\xpsp1res.dll.no_more_ransom
from %WINDIR%\Web\printers\ipp_0004.asp to %WINDIR%\Web\printers\ipp_0004.asp.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313.cat.no_more_ransom
from %WINDIR%\system\MSVIDEO.DLL to %WINDIR%\system\MSVIDEO.DLL.no_more_ransom
from %WINDIR%\srchasst\mui\0409\lclkwrds.xml to %WINDIR%\srchasst\mui\0409\lclkwrds.xml.no_more_ransom
from %WINDIR%\Web\printers\images\ipp_0012.gif to %WINDIR%\Web\printers\images\ipp_0012.gif.no_more_ransom
from %WINDIR%\srchasst\mui\0409\lcllook.xml to %WINDIR%\srchasst\mui\0409\lcllook.xml.no_more_ransom
from %WINDIR%\system\MMSYSTEM.DLL to %WINDIR%\system\MMSYSTEM.DLL.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e.cat.no_more_ransom
from <SYSTEM32>\xmlprovi.dll to <SYSTEM32>\xmlprovi.dll.no_more_ransom
from %WINDIR%\Web\printers\images\ipp_0015.gif to %WINDIR%\Web\printers\images\ipp_0015.gif.no_more_ransom
from %WINDIR%\srchasst\mui\0409\lclmm.xml to %WINDIR%\srchasst\mui\0409\lclmm.xml.no_more_ransom
from <SYSTEM32>\xmlrtl60.bpl to <SYSTEM32>\xmlrtl60.bpl.no_more_ransom
from %WINDIR%\srchasst\mui\0409\lclmode.xml to %WINDIR%\srchasst\mui\0409\lclmode.xml.no_more_ransom
from %WINDIR%\Web\printers\ipp_0000.inc to %WINDIR%\Web\printers\ipp_0000.inc.no_more_ransom
from %WINDIR%\system\MMTASK.TSK to %WINDIR%\system\MMTASK.TSK.no_more_ransom
from %WINDIR%\srchasst\mui\0409\lclother.xml to %WINDIR%\srchasst\mui\0409\lclother.xml.no_more_ransom
from <SYSTEM32>\xolehlp.dll to <SYSTEM32>\xolehlp.dll.no_more_ransom
from %WINDIR%\Web\printers\ipp_0001.asp to %WINDIR%\Web\printers\ipp_0001.asp.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e.manifest.no_more_ransom
from %WINDIR%\srchasst\mui\0409\lclprog.xml to %WINDIR%\srchasst\mui\0409\lclprog.xml.no_more_ransom
from %WINDIR%\Web\printers\ipp_0002.asp to %WINDIR%\Web\printers\ipp_0002.asp.no_more_ransom
from <SYSTEM32>\xpob2res.dll to <SYSTEM32>\xpob2res.dll.no_more_ransom
from %WINDIR%\system\MOUSE.DRV to %WINDIR%\system\MOUSE.DRV.no_more_ransom
from %WINDIR%\srchasst\mui\0409\lclrfine.xml to %WINDIR%\srchasst\mui\0409\lclrfine.xml.no_more_ransom
from %WINDIR%\Web\printers\ipp_0003.asp to %WINDIR%\Web\printers\ipp_0003.asp.no_more_ransom
from %WINDIR%\system\MCIWAVE.DRV to %WINDIR%\system\MCIWAVE.DRV.no_more_ransom
from <SYSTEM32>\wship6.dll to <SYSTEM32>\wship6.dll.no_more_ransom
from %WINDIR%\pss\system.ini.backup to %WINDIR%\pss\system.ini.backup.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.manifest.no_more_ransom
from <SYSTEM32>\wowfax.dll to <SYSTEM32>\wowfax.dll.no_more_ransom
from %WINDIR%\Resources\Themes\Luna\Shell\Homestead\shellstyle.dll to %WINDIR%\Resources\Themes\Luna\Shell\Homestead\shellstyle.dll.no_more_ransom
from %WINDIR%\Resources\Themes\Luna\Shell\Metallic\shellstyle.dll to %WINDIR%\Resources\Themes\Luna\Shell\Metallic\shellstyle.dll.no_more_ransom
from <SYSTEM32>\wowfaxui.dll to <SYSTEM32>\wowfaxui.dll.no_more_ransom
from %WINDIR%\repair\system to %WINDIR%\repair\system.no_more_ransom
from %WINDIR%\Resources\Themes\Luna\Shell\NormalColor\shellstyle.dll to %WINDIR%\Resources\Themes\Luna\Shell\NormalColor\shellstyle.dll.no_more_ransom
from <SYSTEM32>\wpa.dbl to <SYSTEM32>\wpa.dbl.no_more_ransom
from %WINDIR%\security\Database\secedit.sdb to %WINDIR%\security\Database\secedit.sdb.no_more_ransom
from %WINDIR%\security\logs\backup.log to %WINDIR%\security\logs\backup.log.no_more_ransom
from <SYSTEM32>\wpabaln.exe to <SYSTEM32>\wpabaln.exe.no_more_ransom
from %WINDIR%\Resources\Themes\Luna.theme to %WINDIR%\Resources\Themes\Luna.theme.no_more_ransom
from %WINDIR%\security\logs\SceRoot.log to %WINDIR%\security\logs\SceRoot.log.no_more_ransom
from %WINDIR%\Resources\Themes\Windows Classic.theme to %WINDIR%\Resources\Themes\Windows Classic.theme.no_more_ransom
from <SYSTEM32>\wpnpinst.exe to <SYSTEM32>\wpnpinst.exe.no_more_ransom
from %WINDIR%\security\logs\scesetup.log to %WINDIR%\security\logs\scesetup.log.no_more_ransom
from <SYSTEM32>\write.exe to <SYSTEM32>\write.exe.no_more_ransom
from %WINDIR%\security\templates\compatws.inf to %WINDIR%\security\templates\compatws.inf.no_more_ransom
from %WINDIR%\security\templates\hisecdc.inf to %WINDIR%\security\templates\hisecdc.inf.no_more_ransom
from <SYSTEM32>\wscntfy.exe to <SYSTEM32>\wscntfy.exe.no_more_ransom
from <SYSTEM32>\wscript.exe to <SYSTEM32>\wscript.exe.no_more_ransom
from %WINDIR%\security\templates\hisecws.inf to %WINDIR%\security\templates\hisecws.inf.no_more_ransom
from <SYSTEM32>\wowexec.exe to <SYSTEM32>\wowexec.exe.no_more_ransom
from %WINDIR%\Resources\Themes\Luna\luna.msstyles to %WINDIR%\Resources\Themes\Luna\luna.msstyles.no_more_ransom
from %WINDIR%\repair\software to %WINDIR%\repair\software.no_more_ransom
from <SYSTEM32>\wowdeb.exe to <SYSTEM32>\wowdeb.exe.no_more_ransom
from <SYSTEM32>\wmstream.dll to <SYSTEM32>\wmstream.dll.no_more_ransom
from %WINDIR%\pss\win.ini.backup to %WINDIR%\pss\win.ini.backup.no_more_ransom
from %WINDIR%\regedit.exe to %WINDIR%\regedit.exe.no_more_ransom
from <SYSTEM32>\wmv8ds32.ax to <SYSTEM32>\wmv8ds32.ax.no_more_ransom
from %WINDIR%\Registration\R000000000007.clb to %WINDIR%\Registration\R000000000007.clb.no_more_ransom
from %WINDIR%\Registration\R00000000000a.clb to %WINDIR%\Registration\R00000000000a.clb.no_more_ransom
from <SYSTEM32>\wmvcore.dll to <SYSTEM32>\wmvcore.dll.no_more_ransom
from %WINDIR%\Registration\R00000000000b.clb to %WINDIR%\Registration\R00000000000b.clb.no_more_ransom
from %WINDIR%\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{BF4C4D5C-6924-41E8-9BF1-DCC37DF6F31D}.crmlog to %WINDIR%\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{BF4C4D5C-6924-41E8-9BF1-DCC37DF6F31D}.crmlog.no_more_ransom
from %WINDIR%\REGLOCS.OLD to %WINDIR%\REGLOCS.OLD.no_more_ransom
from %WINDIR%\repair\autoexec.nt to %WINDIR%\repair\autoexec.nt.no_more_ransom
from %WINDIR%\regopt.log to %WINDIR%\regopt.log.no_more_ransom
from %WINDIR%\repair\config.nt to %WINDIR%\repair\config.nt.no_more_ransom
from <SYSTEM32>\wmvdmod.dll to <SYSTEM32>\wmvdmod.dll.no_more_ransom
from %WINDIR%\repair\default to %WINDIR%\repair\default.no_more_ransom
from %WINDIR%\repair\ntuser.dat to %WINDIR%\repair\ntuser.dat.no_more_ransom
from <SYSTEM32>\wmvdmoe2.dll to <SYSTEM32>\wmvdmoe2.dll.no_more_ransom
from %WINDIR%\repair\sam to %WINDIR%\repair\sam.no_more_ransom
from %WINDIR%\repair\secsetup.inf to %WINDIR%\repair\secsetup.inf.no_more_ransom
from <SYSTEM32>\wmvds32.ax to <SYSTEM32>\wmvds32.ax.no_more_ransom
from %WINDIR%\repair\security to %WINDIR%\repair\security.no_more_ransom
from %WINDIR%\repair\setup.log to %WINDIR%\repair\setup.log.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303.cat.no_more_ransom
from <SYSTEM32>\xpssvcs.dll to <SYSTEM32>\xpssvcs.dll.no_more_ransom
from %WINDIR%\security\templates\rootsec.inf to %WINDIR%\security\templates\rootsec.inf.no_more_ransom
from %WINDIR%\security\templates\securedc.inf to %WINDIR%\security\templates\securedc.inf.no_more_ransom
from %WINDIR%\spupdsvc.log to %WINDIR%\spupdsvc.log.no_more_ransom
from %WINDIR%\srchasst\chars\courtney.acs to %WINDIR%\srchasst\chars\courtney.acs.no_more_ransom
from <SYSTEM32>\wstdecod.dll to <SYSTEM32>\wstdecod.dll.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7.Manifest.no_more_ransom
from <SYSTEM32>\wstpager.ax to <SYSTEM32>\wstpager.ax.no_more_ransom
from <SYSTEM32>\wstrenderer.ax to <SYSTEM32>\wstrenderer.ax.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474.cat.no_more_ransom
from %WINDIR%\srchasst\chars\earl.acs to %WINDIR%\srchasst\chars\earl.acs.no_more_ransom
from <SYSTEM32>\wuapi.dll to <SYSTEM32>\wuapi.dll.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474.manifest.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca.cat.no_more_ransom
from <SYSTEM32>\wuauclt.exe to <SYSTEM32>\wuauclt.exe.no_more_ransom
from %WINDIR%\srchasst\chars\rover.acs to %WINDIR%\srchasst\chars\rover.acs.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca.manifest.no_more_ransom
from <SYSTEM32>\wuauclt1.exe to <SYSTEM32>\wuauclt1.exe.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat.no_more_ransom
from <SYSTEM32>\wuaucpl.cpl to <SYSTEM32>\wuaucpl.cpl.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest.no_more_ransom
from <SYSTEM32>\wuaueng.dll to <SYSTEM32>\wuaueng.dll.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.cat.no_more_ransom
from %WINDIR%\srchasst\msgr3en.dll to %WINDIR%\srchasst\msgr3en.dll.no_more_ransom
from <SYSTEM32>\wsnmp32.dll to <SYSTEM32>\wsnmp32.dll.no_more_ransom
from %WINDIR%\WinSxS\Manifests\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5.manifest to %WINDIR%\WinSxS\Manifests\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5.manifest.no_more_ransom
from %WINDIR%\SoftwareDistribution\ReportingEvents.log to %WINDIR%\SoftwareDistribution\ReportingEvents.log.no_more_ransom
from %WINDIR%\sleep.exe to %WINDIR%\sleep.exe.no_more_ransom
from %WINDIR%\security\templates\securews.inf to %WINDIR%\security\templates\securews.inf.no_more_ransom
from <SYSTEM32>\wshatm.dll to <SYSTEM32>\wshatm.dll.no_more_ransom
from %WINDIR%\security\templates\setup security.inf to %WINDIR%\security\templates\setup security.inf.no_more_ransom
from <SYSTEM32>\wshbth.dll to <SYSTEM32>\wshbth.dll.no_more_ransom
from <SYSTEM32>\wshcon.dll to <SYSTEM32>\wshcon.dll.no_more_ransom
from %WINDIR%\sessmgr.setup.log to %WINDIR%\sessmgr.setup.log.no_more_ransom
from %WINDIR%\setupact.log to %WINDIR%\setupact.log.no_more_ransom
from %WINDIR%\setupapi.log to %WINDIR%\setupapi.log.no_more_ransom
from <SYSTEM32>\wshext.dll to <SYSTEM32>\wshext.dll.no_more_ransom
from %WINDIR%\setuperr.log to %WINDIR%\setuperr.log.no_more_ransom
from <SYSTEM32>\wuaueng1.dll to <SYSTEM32>\wuaueng1.dll.no_more_ransom
from %WINDIR%\setuplog.txt to %WINDIR%\setuplog.txt.no_more_ransom
from %WINDIR%\sfk.exe to %WINDIR%\sfk.exe.no_more_ransom
from <SYSTEM32>\wshisn.dll to <SYSTEM32>\wshisn.dll.no_more_ransom
from %WINDIR%\SoftwareDistribution\DataStore\Logs\edb.chk to %WINDIR%\SoftwareDistribution\DataStore\Logs\edb.chk.no_more_ransom
from %WINDIR%\SoftwareDistribution\DataStore\Logs\edb.log to %WINDIR%\SoftwareDistribution\DataStore\Logs\edb.log.no_more_ransom
from %WINDIR%\SoftwareDistribution\DataStore\Logs\res1.log to %WINDIR%\SoftwareDistribution\DataStore\Logs\res1.log.no_more_ransom
from %WINDIR%\SoftwareDistribution\DataStore\DataStore.edb to %WINDIR%\SoftwareDistribution\DataStore\DataStore.edb.no_more_ransom
from <SYSTEM32>\wshnetbs.dll to <SYSTEM32>\wshnetbs.dll.no_more_ransom
from %WINDIR%\WinSxS\Manifests\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e.manifest to %WINDIR%\WinSxS\Manifests\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e.manifest.no_more_ransom
from %WINDIR%\SoftwareDistribution\DataStore\Logs\res2.log to %WINDIR%\SoftwareDistribution\DataStore\Logs\res2.log.no_more_ransom
from <SYSTEM32>\WshRm.dll to <SYSTEM32>\WshRm.dll.no_more_ransom
from <SYSTEM32>\wsecedit.dll to <SYSTEM32>\wsecedit.dll.no_more_ransom
from <SYSTEM32>\wscui.cpl to <SYSTEM32>\wscui.cpl.no_more_ransom
from %WINDIR%\system\SOUND.DRV to %WINDIR%\system\SOUND.DRV.no_more_ransom
from %WINDIR%\vb.ini to %WINDIR%\vb.ini.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll.no_more_ransom
from %WINDIR%\XXInstall\cmdow.exe to %WINDIR%\XXInstall\cmdow.exe.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll.no_more_ransom
from %WINDIR%\XXInstall\devcon.exe to %WINDIR%\XXInstall\devcon.exe.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll.no_more_ransom
from %WINDIR%\XXInstall\events.exe to %WINDIR%\XXInstall\events.exe.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll.no_more_ransom
from %WINDIR%\XXInstall\exdir.exe to %WINDIR%\XXInstall\exdir.exe.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll.no_more_ransom
from %WINDIR%\XXInstall\hashdeep.exe to %WINDIR%\XXInstall\hashdeep.exe.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_x-ww_4ee8bb30\9.0.30729.4148.policy to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_x-ww_4ee8bb30\9.0.30729.4148.policy.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_x-ww_b8438ace\9.0.30729.4148.policy to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_x-ww_b8438ace\9.0.30729.4148.policy.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_x-ww_9e7eb501\9.0.30729.4148.cat to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_x-ww_9e7eb501\9.0.30729.4148.cat.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\9.0.21022.8.policy to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\9.0.21022.8.policy.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_x-ww_9e7eb501\9.0.30729.4148.policy to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_x-ww_9e7eb501\9.0.30729.4148.policy.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\9.0.30729.4148.cat to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\9.0.30729.4148.cat.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\9.0.30729.4148.policy to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\9.0.30729.4148.policy.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcm80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcm80.dll.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_x-ww_6ad67377\9.0.30729.4148.cat to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_x-ww_6ad67377\9.0.30729.4148.cat.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_x-ww_6ad67377\9.0.30729.4148.policy to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_x-ww_6ad67377\9.0.30729.4148.policy.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\9.0.21022.8.cat to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\9.0.21022.8.cat.no_more_ransom
from %WINDIR%\XXInstall\install.bat to %WINDIR%\XXInstall\install.bat.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll.no_more_ransom
from %WINDIR%\XXInstall\install_ar.bat to %WINDIR%\XXInstall\install_ar.bat.no_more_ransom
from %WINDIR%\XXInstall\Scripts\prefs.js to %WINDIR%\XXInstall\Scripts\prefs.js.no_more_ransom
from %WINDIR%\XXInstall\Scripts\reboot_on_bsod.reg to %WINDIR%\XXInstall\Scripts\reboot_on_bsod.reg.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcirt.dll to %WINDIR%\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcirt.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll to %WINDIR%\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll.no_more_ransom
from %WINDIR%\XXInstall\Scripts\safely.reg to %WINDIR%\XXInstall\Scripts\safely.reg.no_more_ransom
from %WINDIR%\XXInstall\Scripts\smart_assembly_fix.reg to %WINDIR%\XXInstall\Scripts\smart_assembly_fix.reg.no_more_ransom
from %WINDIR%\XXInstall\Scripts\startup_ar.bat to %WINDIR%\XXInstall\Scripts\startup_ar.bat.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\dxmrtp.dll to %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\dxmrtp.dll.no_more_ransom
from %WINDIR%\XXInstall\Scripts\startup_bsod.bat to %WINDIR%\XXInstall\Scripts\startup_bsod.bat.no_more_ransom
from %WINDIR%\XXInstall\Scripts\taskmgr.reg to %WINDIR%\XXInstall\Scripts\taskmgr.reg.no_more_ransom
from %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.dll to %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.dll.no_more_ransom
from %WINDIR%\XXInstall\Scripts\WindowsKiller.ini to %WINDIR%\XXInstall\Scripts\WindowsKiller.ini.no_more_ransom
from %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.Wrapper.dll to %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.Wrapper.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll to %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll.no_more_ransom
from %WINDIR%\XXInstall\vminstall.exe to %WINDIR%\XXInstall\vminstall.exe.no_more_ransom
from %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll to %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll to %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\rtcres.dll to %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\rtcres.dll.no_more_ransom
from %WINDIR%\wmsetup.log to %WINDIR%\wmsetup.log.no_more_ransom
from %WINDIR%\WMSysPr9.prx to %WINDIR%\WMSysPr9.prx.no_more_ransom
from %WINDIR%\Zapotec.bmp to %WINDIR%\Zapotec.bmp.no_more_ransom
from %WINDIR%\XXInstall\Scripts\perf.reg to %WINDIR%\XXInstall\Scripts\perf.reg.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll.no_more_ransom
from %WINDIR%\XXInstall\Scripts\not_collect_offline.reg to %WINDIR%\XXInstall\Scripts\not_collect_offline.reg.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll to %WINDIR%\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll.no_more_ransom
from %WINDIR%\XXInstall\ps.exe to %WINDIR%\XXInstall\ps.exe.no_more_ransom
from %WINDIR%\XXInstall\Scripts\antivm.bat to %WINDIR%\XXInstall\Scripts\antivm.bat.no_more_ransom
from %WINDIR%\XXInstall\screen.exe to %WINDIR%\XXInstall\screen.exe.no_more_ransom
from %WINDIR%\XXInstall\Scripts\antivm.exe to %WINDIR%\XXInstall\Scripts\antivm.exe.no_more_ransom
from %WINDIR%\XXInstall\Scripts\apply_theme.vbs to %WINDIR%\XXInstall\Scripts\apply_theme.vbs.no_more_ransom
from %WINDIR%\XXInstall\Scripts\bcode-start-stop.vbs to %WINDIR%\XXInstall\Scripts\bcode-start-stop.vbs.no_more_ransom
from %WINDIR%\XXInstall\Scripts\bcode-start.vbs to %WINDIR%\XXInstall\Scripts\bcode-start.vbs.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll.no_more_ransom
from %WINDIR%\XXInstall\Scripts\bcode-stop.vbs to %WINDIR%\XXInstall\Scripts\bcode-stop.vbs.no_more_ransom
from %WINDIR%\XXInstall\Scripts\CompleteDump.reg to %WINDIR%\XXInstall\Scripts\CompleteDump.reg.no_more_ransom
from %WINDIR%\XXInstall\Scripts\eventmon-startlog.vbs to %WINDIR%\XXInstall\Scripts\eventmon-startlog.vbs.no_more_ransom
from %WINDIR%\XXInstall\Scripts\eventmon-setup.vbs to %WINDIR%\XXInstall\Scripts\eventmon-setup.vbs.no_more_ransom
from %WINDIR%\XXInstall\Scripts\ipv6_disable.reg to %WINDIR%\XXInstall\Scripts\ipv6_disable.reg.no_more_ransom
from %WINDIR%\XXInstall\Scripts\KernelDump.reg to %WINDIR%\XXInstall\Scripts\KernelDump.reg.no_more_ransom
from %WINDIR%\XXInstall\Scripts\kill_saves.vbs to %WINDIR%\XXInstall\Scripts\kill_saves.vbs.no_more_ransom
from %WINDIR%\XXInstall\Scripts\kill_windows.vbs to %WINDIR%\XXInstall\Scripts\kill_windows.vbs.no_more_ransom
from %WINDIR%\XXInstall\Scripts\LanDisabler.vbs to %WINDIR%\XXInstall\Scripts\LanDisabler.vbs.no_more_ransom
from %WINDIR%\XXInstall\Scripts\ncsi_disable.reg to %WINDIR%\XXInstall\Scripts\ncsi_disable.reg.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll.no_more_ransom
from %WINDIR%\XXInstall\Scripts\noballon.reg to %WINDIR%\XXInstall\Scripts\noballon.reg.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll.no_more_ransom
from %WINDIR%\XXInstall\Scripts\norun.reg to %WINDIR%\XXInstall\Scripts\norun.reg.no_more_ransom
from %WINDIR%\XXInstall\install_small.bat to %WINDIR%\XXInstall\install_small.bat.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac\1.0.2600.2180.cat to %WINDIR%\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac\1.0.2600.2180.cat.no_more_ransom
from %WINDIR%\Web\printers\ipp_util.inc to %WINDIR%\Web\printers\ipp_util.inc.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll.no_more_ransom
from %WINDIR%\srchasst\srchui.dll to %WINDIR%\srchasst\srchui.dll.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13.Manifest.no_more_ransom
from %WINDIR%\system\WINSPOOL.DRV to %WINDIR%\system\WINSPOOL.DRV.no_more_ransom
from %WINDIR%\Sti_Trace.log to %WINDIR%\Sti_Trace.log.no_more_ransom
from %WINDIR%\system.ini to %WINDIR%\system.ini.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82.cat.no_more_ransom
from %WINDIR%\tabletoc.log to %WINDIR%\tabletoc.log.no_more_ransom
from %WINDIR%\Temp\Perflib_Perfdata_7e8.dat to %WINDIR%\Temp\Perflib_Perfdata_7e8.dat.no_more_ransom
from %WINDIR%\TASKMAN.EXE to %WINDIR%\TASKMAN.EXE.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82.Manifest.no_more_ransom
from %WINDIR%\tsoc.log to %WINDIR%\tsoc.log.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7.cat.no_more_ransom
from %WINDIR%\twain.dll to %WINDIR%\twain.dll.no_more_ransom
from %WINDIR%\twain_32\wiatwain.ds to %WINDIR%\twain_32\wiatwain.ds.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7.Manifest.no_more_ransom
from %WINDIR%\twain_32.dll to %WINDIR%\twain_32.dll.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95.cat.no_more_ransom
from %WINDIR%\twunk_16.exe to %WINDIR%\twunk_16.exe.no_more_ransom
from %WINDIR%\twunk_32.exe to %WINDIR%\twunk_32.exe.no_more_ransom
from %WINDIR%\updspapi.log to %WINDIR%\updspapi.log.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95.Manifest.no_more_ransom
from %WINDIR%\system\WFWNET.DRV to %WINDIR%\system\WFWNET.DRV.no_more_ransom
from %WINDIR%\srchasst\srchctls.dll to %WINDIR%\srchasst\srchctls.dll.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9.Manifest.no_more_ransom
from <SYSTEM32>\zipfldr.dll to <SYSTEM32>\zipfldr.dll.no_more_ransom
from %WINDIR%\Web\printers\page1.asp to %WINDIR%\Web\printers\page1.asp.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa.manifest.no_more_ransom
from %WINDIR%\Web\bullet.gif to %WINDIR%\Web\bullet.gif.no_more_ransom
from %WINDIR%\system\stdole.tlb to %WINDIR%\system\stdole.tlb.no_more_ransom
from %WINDIR%\Web\printers\prtwebvw.css to %WINDIR%\Web\printers\prtwebvw.css.no_more_ransom
from %WINDIR%\Web\deskmovr.htt to %WINDIR%\Web\deskmovr.htt.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a.Manifest.no_more_ransom
from %WINDIR%\Web\exclam.gif to %WINDIR%\Web\exclam.gif.no_more_ransom
from %WINDIR%\system\SYSTEM.DRV to %WINDIR%\system\SYSTEM.DRV.no_more_ransom
from %WINDIR%\Web\safemode.htt to %WINDIR%\Web\safemode.htt.no_more_ransom
from %WINDIR%\Web\tips.gif to %WINDIR%\Web\tips.gif.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.cat.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest.no_more_ransom
from <SYSTEM32>\XPSViewer\en-US\XPSViewer.exe.mui to <SYSTEM32>\XPSViewer\en-US\XPSViewer.exe.mui.no_more_ransom
from %WINDIR%\system\TAPI.DLL to %WINDIR%\system\TAPI.DLL.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a.Manifest.no_more_ransom
from <SYSTEM32>\XPSViewer\XPSViewer.exe to <SYSTEM32>\XPSViewer\XPSViewer.exe.no_more_ransom
from %WINDIR%\system\TIMER.DRV to %WINDIR%\system\TIMER.DRV.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9.cat.no_more_ransom
from %WINDIR%\system\VER.DLL to %WINDIR%\system\VER.DLL.no_more_ransom
from <SYSTEM32>\XPSViewer\XPSViewerManifest.xml to <SYSTEM32>\XPSViewer\XPSViewerManifest.xml.no_more_ransom
from %WINDIR%\system\VGA.DRV to %WINDIR%\system\VGA.DRV.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_x-ww_7d81c9f9\8.0.50727.762.policy to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_x-ww_7d81c9f9\8.0.50727.762.policy.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa.cat.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0.cat.no_more_ransom
from %WINDIR%\vbaddin.ini to %WINDIR%\vbaddin.ini.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.Policy to %WINDIR%\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.Policy.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.42.policy to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.42.policy.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_x-ww_caeee150\8.0.50727.762.cat to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_x-ww_caeee150\8.0.50727.762.cat.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_x-ww_5f0bbcff\8.0.50727.762.cat to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_x-ww_5f0bbcff\8.0.50727.762.cat.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_x-ww_0f75c32e\8.0.50727.762.cat to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_x-ww_0f75c32e\8.0.50727.762.cat.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.762.cat to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.762.cat.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.7.0.Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_x-ww_a317e4b3\7.0.2600.2180.cat to %WINDIR%\WinSxS\Policies\x86_policy.7.0.Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_x-ww_a317e4b3\7.0.2600.2180.cat.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_x-ww_5f0bbcff\8.0.50727.762.policy to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_x-ww_5f0bbcff\8.0.50727.762.policy.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.762.policy to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.762.policy.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_x-ww_caeee150\8.0.50727.762.policy to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_x-ww_caeee150\8.0.50727.762.policy.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_x-ww_0f75c32e\8.0.50727.762.policy to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_x-ww_0f75c32e\8.0.50727.762.policy.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.7.0.Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_x-ww_a317e4b3\7.0.2600.2180.Policy to %WINDIR%\WinSxS\Policies\x86_policy.7.0.Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_x-ww_a317e4b3\7.0.2600.2180.Policy.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_x-ww_7d81c9f9\8.0.50727.762.cat to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_x-ww_7d81c9f9\8.0.50727.762.cat.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_x-ww_4ee8bb30\9.0.30729.4148.cat to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_x-ww_4ee8bb30\9.0.30729.4148.cat.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_x-ww_b8438ace\9.0.30729.4148.cat to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_x-ww_b8438ace\9.0.30729.4148.cat.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_6595b64144ccf1df_x-ww_c7b7206f\5.2.2.3.Policy to %WINDIR%\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_6595b64144ccf1df_x-ww_c7b7206f\5.2.2.3.Policy.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.42.cat to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.42.cat.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.cat to %WINDIR%\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.cat.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.3053.policy to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.3053.policy.no_more_ransom
from %WINDIR%\vmmreg32.dll to %WINDIR%\vmmreg32.dll.no_more_ransom
from %WINDIR%\wiadebug.log to %WINDIR%\wiadebug.log.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.0.0_x-ww_fc342b0b.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.0.0_x-ww_fc342b0b.Manifest.no_more_ransom
from %WINDIR%\wiaservc.log to %WINDIR%\wiaservc.log.no_more_ransom
from %WINDIR%\win.ini to %WINDIR%\win.ini.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.2600.2000_x-ww_bcc9a281.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.2600.2000_x-ww_bcc9a281.cat.no_more_ransom
from %WINDIR%\WindowsUpdate.log to %WINDIR%\WindowsUpdate.log.no_more_ransom
from %WINDIR%\winhelp.exe to %WINDIR%\winhelp.exe.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.2600.2000_x-ww_bcc9a281.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.2600.2000_x-ww_bcc9a281.Manifest.no_more_ransom
from %WINDIR%\winhlp32.exe to %WINDIR%\winhlp32.exe.no_more_ransom
from %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790.manifest to %WINDIR%\WinSxS\Manifests\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790.manifest.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_x-ww_362e60dd\5.2.2.3.cat to %WINDIR%\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_x-ww_362e60dd\5.2.2.3.cat.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510\5.1.2600.2000.cat to %WINDIR%\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510\5.1.2600.2000.cat.no_more_ransom
from %WINDIR%\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll to %WINDIR%\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492.manifest to %WINDIR%\WinSxS\Manifests\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492.manifest.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac\1.0.2600.2180.Policy to %WINDIR%\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac\1.0.2600.2180.Policy.no_more_ransom
from %WINDIR%\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5\Microsoft.Workflow.Compiler.exe to %WINDIR%\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5\Microsoft.Workflow.Compiler.exe.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_x-ww_362e60dd\5.2.2.3.Policy to %WINDIR%\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_x-ww_362e60dd\5.2.2.3.Policy.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510\5.1.2600.2000.Policy to %WINDIR%\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510\5.1.2600.2000.Policy.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.3053.cat to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.3053.cat.no_more_ransom
from %WINDIR%\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_6595b64144ccf1df_x-ww_c7b7206f\5.2.2.3.cat to %WINDIR%\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_6595b64144ccf1df_x-ww_c7b7206f\5.2.2.3.cat.no_more_ransom
from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0.Manifest.no_more_ransom
from %WINDIR%\pss\boot.ini.backup to %WINDIR%\pss\boot.ini.backup.no_more_ransom

Moves the following files:

from %ProgramFiles%\Windows NT\Pinball\table.bmp to %ProgramFiles%\Windows NT\Pinball\table.bmp.no_more_ransom
from <ANALYSE_DIR>\PET-DUMP\0B50_pet_cmd.exe to <ANALYSE_DIR>\PET-DUMP\0B50_pet_cmd.exe.no_more_ransom
from %ProgramFiles%\FireFox\res\fonts\mathfont.properties to %ProgramFiles%\FireFox\res\fonts\mathfont.properties.no_more_ransom
from %ProgramFiles%\FireFox\res\fonts\mathfontStandardSymbolsL.properties to %ProgramFiles%\FireFox\res\fonts\mathfontStandardSymbolsL.properties.no_more_ransom
from <ANALYSE_DIR>\PET-DUMP\0B64_pet_cmd.exe to <ANALYSE_DIR>\PET-DUMP\0B64_pet_cmd.exe.no_more_ransom
from %ProgramFiles%\FireFox\res\fonts\mathfontSTIXNonUnicode.properties to %ProgramFiles%\FireFox\res\fonts\mathfontSTIXNonUnicode.properties.no_more_ransom
from <ANALYSE_DIR>\PET-DUMP\0B84_pet_SCHTASKS.exe to <ANALYSE_DIR>\PET-DUMP\0B84_pet_SCHTASKS.exe.no_more_ransom
from %ProgramFiles%\FireFox\res\fonts\mathfontSTIXSize1.properties to %ProgramFiles%\FireFox\res\fonts\mathfontSTIXSize1.properties.no_more_ransom
from %ProgramFiles%\FireFox\res\fonts\mathfontSTIXSizeOneSym.properties to %ProgramFiles%\FireFox\res\fonts\mathfontSTIXSizeOneSym.properties.no_more_ransom
from C:\Muldrop\88744D2A29102FC88ECF505DD2E984FC.npg_0 to C:\Muldrop\88744D2A29102FC88ECF505DD2E984FC.npg_0.no_more_ransom
from C:\Muldrop\88744D2A29102FC88ECF505DD2E984FC.npg_1 to C:\Muldrop\88744D2A29102FC88ECF505DD2E984FC.npg_1.no_more_ransom
from %ProgramFiles%\FireFox\res\fonts\mathfontSymbol.properties to %ProgramFiles%\FireFox\res\fonts\mathfontSymbol.properties.no_more_ransom
from %ProgramFiles%\FireFox\res\fonts\mathfontUnicode.properties to %ProgramFiles%\FireFox\res\fonts\mathfontUnicode.properties.no_more_ransom
from %ProgramFiles%\FireFox\res\grabber.gif to %ProgramFiles%\FireFox\res\grabber.gif.no_more_ransom
from C:\Muldrop\dmp_0x148_0x20000 to C:\Muldrop\dmp_0x148_0x20000.no_more_ransom
from %ProgramFiles%\FireFox\res\entityTables\transliterate.properties to %ProgramFiles%\FireFox\res\entityTables\transliterate.properties.no_more_ransom
from %ProgramFiles%\FireFox\res\langGroups.properties to %ProgramFiles%\FireFox\res\langGroups.properties.no_more_ransom
from C:\Muldrop\dmp_0x148_0x30000 to C:\Muldrop\dmp_0x148_0x30000.no_more_ransom
from C:\Muldrop\dmp_0x194_0x10000 to C:\Muldrop\dmp_0x194_0x10000.no_more_ransom
from %ProgramFiles%\FireFox\res\language.properties to %ProgramFiles%\FireFox\res\language.properties.no_more_ransom
from C:\Muldrop\dmp_0x194_0x20000 to C:\Muldrop\dmp_0x194_0x20000.no_more_ransom
from %ProgramFiles%\FireFox\res\svg.css to %ProgramFiles%\FireFox\res\svg.css.no_more_ransom
from C:\Muldrop\dmp_0x194_0x30000 to C:\Muldrop\dmp_0x194_0x30000.no_more_ransom
from C:\Muldrop\dmp_0x1a0_0x10000 to C:\Muldrop\dmp_0x1a0_0x10000.no_more_ransom
from %ProgramFiles%\FireFox\res\table-add-column-after-active.gif to %ProgramFiles%\FireFox\res\table-add-column-after-active.gif.no_more_ransom
from C:\Muldrop\dmp_0x1a0_0x20000 to C:\Muldrop\dmp_0x1a0_0x20000.no_more_ransom
from %ProgramFiles%\FireFox\res\table-add-column-after-hover.gif to %ProgramFiles%\FireFox\res\table-add-column-after-hover.gif.no_more_ransom
from %ProgramFiles%\FireFox\res\table-add-column-after.gif to %ProgramFiles%\FireFox\res\table-add-column-after.gif.no_more_ransom
from C:\Muldrop\dmp_0x148_0x10000 to C:\Muldrop\dmp_0x148_0x10000.no_more_ransom
from %ProgramFiles%\FireFox\res\table-add-row-before.gif to %ProgramFiles%\FireFox\res\table-add-row-before.gif.no_more_ransom
from <ANALYSE_DIR>\PET-DUMP\0B3C_pet_cmd.exe to <ANALYSE_DIR>\PET-DUMP\0B3C_pet_cmd.exe.no_more_ransom
from %ProgramFiles%\FireFox\nssckbi.dll to %ProgramFiles%\FireFox\nssckbi.dll.no_more_ransom
from %ProgramFiles%\FireFox\nssdbm3.chk to %ProgramFiles%\FireFox\nssdbm3.chk.no_more_ransom
from %ProgramFiles%\FireFox\nssdbm3.dll to %ProgramFiles%\FireFox\nssdbm3.dll.no_more_ransom
from <ANALYSE_DIR>\DWS-DUMP\0B3C_dws_cmd.exe to <ANALYSE_DIR>\DWS-DUMP\0B3C_dws_cmd.exe.no_more_ransom
from %ProgramFiles%\FireFox\nssutil3.dll to %ProgramFiles%\FireFox\nssutil3.dll.no_more_ransom
from %ProgramFiles%\FireFox\platform.ini to %ProgramFiles%\FireFox\platform.ini.no_more_ransom
from %ProgramFiles%\FireFox\plc4.dll to %ProgramFiles%\FireFox\plc4.dll.no_more_ransom
from <ANALYSE_DIR>\DWS-DUMP\0B44_dws_vssadmin.exe to <ANALYSE_DIR>\DWS-DUMP\0B44_dws_vssadmin.exe.no_more_ransom
from %ProgramFiles%\FireFox\plds4.dll to %ProgramFiles%\FireFox\plds4.dll.no_more_ransom
from %ProgramFiles%\FireFox\plugin-container.exe to %ProgramFiles%\FireFox\plugin-container.exe.no_more_ransom
from <ANALYSE_DIR>\DWS-DUMP\0B50_dws_cmd.exe to <ANALYSE_DIR>\DWS-DUMP\0B50_dws_cmd.exe.no_more_ransom
from %ProgramFiles%\FireFox\README.txt to %ProgramFiles%\FireFox\README.txt.no_more_ransom
from %ProgramFiles%\FireFox\res\contenteditable.css to %ProgramFiles%\FireFox\res\contenteditable.css.no_more_ransom
from C:\Muldrop\dmp_0x1a0_0x30000 to C:\Muldrop\dmp_0x1a0_0x30000.no_more_ransom
from <ANALYSE_DIR>\PET-DUMP\0B44_pet_vssadmin.exe to <ANALYSE_DIR>\PET-DUMP\0B44_pet_vssadmin.exe.no_more_ransom
from %ProgramFiles%\FireFox\res\dtd\mathml.dtd to %ProgramFiles%\FireFox\res\dtd\mathml.dtd.no_more_ransom
from <ANALYSE_DIR>\DWS-DUMP\0B84_dws_SCHTASKS.exe to <ANALYSE_DIR>\DWS-DUMP\0B84_dws_SCHTASKS.exe.no_more_ransom
from <APATH_DUMPS_DIR>\0B3C_cmd.exe_0.ndmp to <APATH_DUMPS_DIR>\0B3C_cmd.exe_0.ndmp.no_more_ransom
from %ProgramFiles%\FireFox\res\dtd\xhtml11.dtd to %ProgramFiles%\FireFox\res\dtd\xhtml11.dtd.no_more_ransom
from %ProgramFiles%\FireFox\res\EditorOverride.css to %ProgramFiles%\FireFox\res\EditorOverride.css.no_more_ransom
from %ProgramFiles%\FireFox\res\entityTables\html40Latin1.properties to %ProgramFiles%\FireFox\res\entityTables\html40Latin1.properties.no_more_ransom
from <APATH_DUMPS_DIR>\0B44_vssadmin.exe_0.ndmp to <APATH_DUMPS_DIR>\0B44_vssadmin.exe_0.ndmp.no_more_ransom
from %ProgramFiles%\FireFox\res\entityTables\html40Special.properties to %ProgramFiles%\FireFox\res\entityTables\html40Special.properties.no_more_ransom
from <APATH_DUMPS_DIR>\0B50_cmd.exe_0.ndmp to <APATH_DUMPS_DIR>\0B50_cmd.exe_0.ndmp.no_more_ransom
from <APATH_DUMPS_DIR>\0B64_cmd.exe_0.ndmp to <APATH_DUMPS_DIR>\0B64_cmd.exe_0.ndmp.no_more_ransom
from %ProgramFiles%\FireFox\res\entityTables\html40Symbols.properties to %ProgramFiles%\FireFox\res\entityTables\html40Symbols.properties.no_more_ransom
from <APATH_DUMPS_DIR>\0B84_schtasks.exe_0.ndmp to <APATH_DUMPS_DIR>\0B84_schtasks.exe_0.ndmp.no_more_ransom
from %ProgramFiles%\FireFox\res\entityTables\htmlEntityVersions.properties to %ProgramFiles%\FireFox\res\entityTables\htmlEntityVersions.properties.no_more_ransom
from %ProgramFiles%\FireFox\res\designmode.css to %ProgramFiles%\FireFox\res\designmode.css.no_more_ransom
from %ProgramFiles%\FireFox\res\entityTables\mathml20.properties to %ProgramFiles%\FireFox\res\entityTables\mathml20.properties.no_more_ransom
from C:\Muldrop\dmp_0x1a4_0x10000 to C:\Muldrop\dmp_0x1a4_0x10000.no_more_ransom
from %ProgramFiles%\FireFox\res\table-add-column-before-active.gif to %ProgramFiles%\FireFox\res\table-add-column-before-active.gif.no_more_ransom
from C:\Muldrop\dmp_0x1a4_0x20000 to C:\Muldrop\dmp_0x1a4_0x20000.no_more_ransom
from %ProgramFiles%\FireFox\xpcshell.exe to %ProgramFiles%\FireFox\xpcshell.exe.no_more_ransom
from %ProgramFiles%\FireFox\searchplugins\wikipedia.xml to %ProgramFiles%\FireFox\searchplugins\wikipedia.xml.no_more_ransom
from %ProgramFiles%\FireFox\searchplugins\yahoo.xml to %ProgramFiles%\FireFox\searchplugins\yahoo.xml.no_more_ransom
from %ProgramFiles%\FireFox\shlibsign.exe to %ProgramFiles%\FireFox\shlibsign.exe.no_more_ransom
from %ProgramFiles%\FireFox\smime3.dll to %ProgramFiles%\FireFox\smime3.dll.no_more_ransom
from %ProgramFiles%\FireFox\softokn3.chk to %ProgramFiles%\FireFox\softokn3.chk.no_more_ransom
from %ProgramFiles%\FireFox\uninstall\helper.exe to %ProgramFiles%\FireFox\uninstall\helper.exe.no_more_ransom
from %ProgramFiles%\FireFox\softokn3.dll to %ProgramFiles%\FireFox\softokn3.dll.no_more_ransom
from C:\Muldrop\jogp.fyf_0 to C:\Muldrop\jogp.fyf_0.no_more_ransom
from %ProgramFiles%\FireFox\ssl3.dll to %ProgramFiles%\FireFox\ssl3.dll.no_more_ransom
from %ProgramFiles%\FireFox\update.locale to %ProgramFiles%\FireFox\update.locale.no_more_ransom
from %ProgramFiles%\FireFox\updater.exe to %ProgramFiles%\FireFox\updater.exe.no_more_ransom
from %ProgramFiles%\FireFox\updater.ini to %ProgramFiles%\FireFox\updater.ini.no_more_ransom
from %ProgramFiles%\FireFox\nss3.dll to %ProgramFiles%\FireFox\nss3.dll.no_more_ransom
from %ProgramFiles%\FireFox\searchplugins\eBay.xml to %ProgramFiles%\FireFox\searchplugins\eBay.xml.no_more_ransom
from %ProgramFiles%\FireFox\xpidl.exe to %ProgramFiles%\FireFox\xpidl.exe.no_more_ransom
from C:\Muldrop\npgdpnq.mph_0 to C:\Muldrop\npgdpnq.mph_0.no_more_ransom
from %ProgramFiles%\FireFox\xpt_dump.exe to %ProgramFiles%\FireFox\xpt_dump.exe.no_more_ransom
from C:\Muldrop\npgdpnq.mph_1 to C:\Muldrop\npgdpnq.mph_1.no_more_ransom
from C:\Muldrop\npgdpnq.mph_2 to C:\Muldrop\npgdpnq.mph_2.no_more_ransom
from %ProgramFiles%\FireFox\xpt_link.exe to %ProgramFiles%\FireFox\xpt_link.exe.no_more_ransom
from C:\Muldrop\npgdpnq.mph_3 to C:\Muldrop\npgdpnq.mph_3.no_more_ransom
from C:\Muldrop\npgdpnq.mph_4 to C:\Muldrop\npgdpnq.mph_4.no_more_ransom
from %ProgramFiles%\FireFox\xul.dll to %ProgramFiles%\FireFox\xul.dll.no_more_ransom
from C:\Muldrop\npgdpnq.mph_5 to C:\Muldrop\npgdpnq.mph_5.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn.dll to %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn.dll.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn1.exe to %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn1.exe.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn2.exe to %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn2.exe.no_more_ransom
from %ProgramFiles%\FireFox\xpcom.dll to %ProgramFiles%\FireFox\xpcom.dll.no_more_ransom
from <ANALYSE_DIR>\DWS-DUMP\0B64_dws_cmd.exe to <ANALYSE_DIR>\DWS-DUMP\0B64_dws_cmd.exe.no_more_ransom
from %ProgramFiles%\FireFox\searchplugins\bing.xml to %ProgramFiles%\FireFox\searchplugins\bing.xml.no_more_ransom
from C:\Muldrop\dmp_0x88_0x20000 to C:\Muldrop\dmp_0x88_0x20000.no_more_ransom
from %ProgramFiles%\FireFox\searchplugins\amazondotcom.xml to %ProgramFiles%\FireFox\searchplugins\amazondotcom.xml.no_more_ransom
from <ANALYSETOOLS_DIR>\MinArk\miniark.log to <ANALYSETOOLS_DIR>\MinArk\miniark.log.no_more_ransom
from %ProgramFiles%\FireFox\res\table-add-column-before-hover.gif to %ProgramFiles%\FireFox\res\table-add-column-before-hover.gif.no_more_ransom
from %ProgramFiles%\FireFox\res\table-add-column-before.gif to %ProgramFiles%\FireFox\res\table-add-column-before.gif.no_more_ransom
from C:\Muldrop\dmp_0x1a4_0x30000 to C:\Muldrop\dmp_0x1a4_0x30000.no_more_ransom
from %ProgramFiles%\FireFox\res\table-add-row-after-active.gif to %ProgramFiles%\FireFox\res\table-add-row-after-active.gif.no_more_ransom
from C:\Muldrop\dmp_0x1b4_0x10000 to C:\Muldrop\dmp_0x1b4_0x10000.no_more_ransom
from %ProgramFiles%\FireFox\res\table-add-row-after-hover.gif to %ProgramFiles%\FireFox\res\table-add-row-after-hover.gif.no_more_ransom
from C:\Muldrop\dmp_0x1b4_0x20000 to C:\Muldrop\dmp_0x1b4_0x20000.no_more_ransom
from %ProgramFiles%\FireFox\res\table-add-row-after.gif to %ProgramFiles%\FireFox\res\table-add-row-after.gif.no_more_ransom
from C:\Muldrop\dmp_0x1b4_0x30000 to C:\Muldrop\dmp_0x1b4_0x30000.no_more_ransom
from %ProgramFiles%\FireFox\res\table-add-row-before-active.gif to %ProgramFiles%\FireFox\res\table-add-row-before-active.gif.no_more_ransom
from <ANALYSETOOLS_DIR>\MinArk\validdrv.dat to <ANALYSETOOLS_DIR>\MinArk\validdrv.dat.no_more_ransom
from C:\Muldrop\dmp_0x88_0x30000 to C:\Muldrop\dmp_0x88_0x30000.no_more_ransom
from %ProgramFiles%\FireFox\res\table-add-row-before-hover.gif to %ProgramFiles%\FireFox\res\table-add-row-before-hover.gif.no_more_ransom
from %ProgramFiles%\FireFox\searchplugins\google.xml to %ProgramFiles%\FireFox\searchplugins\google.xml.no_more_ransom
from C:\Muldrop\dmp_0x1b8_0x20000 to C:\Muldrop\dmp_0x1b8_0x20000.no_more_ransom
from %ProgramFiles%\FireFox\res\table-remove-column-active.gif to %ProgramFiles%\FireFox\res\table-remove-column-active.gif.no_more_ransom
from C:\Muldrop\dmp_0x1b8_0x30000 to C:\Muldrop\dmp_0x1b8_0x30000.no_more_ransom
from %ProgramFiles%\FireFox\res\table-remove-column-hover.gif to %ProgramFiles%\FireFox\res\table-remove-column-hover.gif.no_more_ransom
from C:\Muldrop\dmp_0x1bc_0x10000 to C:\Muldrop\dmp_0x1bc_0x10000.no_more_ransom
from %ProgramFiles%\FireFox\res\table-remove-column.gif to %ProgramFiles%\FireFox\res\table-remove-column.gif.no_more_ransom
from C:\Muldrop\dmp_0x1bc_0x20000 to C:\Muldrop\dmp_0x1bc_0x20000.no_more_ransom
from %ProgramFiles%\FireFox\res\table-remove-row-active.gif to %ProgramFiles%\FireFox\res\table-remove-row-active.gif.no_more_ransom
from C:\Muldrop\dmp_0x1bc_0x30000 to C:\Muldrop\dmp_0x1bc_0x30000.no_more_ransom
from %ProgramFiles%\FireFox\res\table-remove-row-hover.gif to %ProgramFiles%\FireFox\res\table-remove-row-hover.gif.no_more_ransom
from C:\Muldrop\dmp_0x88_0x10000 to C:\Muldrop\dmp_0x88_0x10000.no_more_ransom
from %ProgramFiles%\FireFox\res\table-remove-row.gif to %ProgramFiles%\FireFox\res\table-remove-row.gif.no_more_ransom
from C:\Muldrop\dmp_0x1b8_0x10000 to C:\Muldrop\dmp_0x1b8_0x10000.no_more_ransom
from %ProgramFiles%\FireFox\nspr4.dll to %ProgramFiles%\FireFox\nspr4.dll.no_more_ransom
from %ProgramFiles%\FireFox\nsinstall.exe to %ProgramFiles%\FireFox\nsinstall.exe.no_more_ransom
from %ProgramFiles%\FireFox\mozsqlite3.dll to %ProgramFiles%\FireFox\mozsqlite3.dll.no_more_ransom
from %ProgramFiles%\FireFox\modules\services-sync\engines.js to %ProgramFiles%\FireFox\modules\services-sync\engines.js.no_more_ransom
from %ProgramFiles%\FireFox\components\widget.xpt to %ProgramFiles%\FireFox\components\widget.xpt.no_more_ransom
from %ProgramFiles%\FireFox\components\windowds.xpt to %ProgramFiles%\FireFox\components\windowds.xpt.no_more_ransom
from %ProgramFiles%\FireFox\modules\LightweightThemeConsumer.jsm to %ProgramFiles%\FireFox\modules\LightweightThemeConsumer.jsm.no_more_ransom
from %ProgramFiles%\FireFox\components\windowwatcher.xpt to %ProgramFiles%\FireFox\components\windowwatcher.xpt.no_more_ransom
from %ProgramFiles%\FireFox\modules\services-sync\ext\Observers.js to %ProgramFiles%\FireFox\modules\services-sync\ext\Observers.js.no_more_ransom
from %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\update\updates.css to %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\update\updates.css.no_more_ransom
from %ProgramFiles%\FireFox\components\xpcom_base.xpt to %ProgramFiles%\FireFox\components\xpcom_base.xpt.no_more_ransom
from %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\viewsource\viewsource.css to %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\viewsource\viewsource.css.no_more_ransom
from %ProgramFiles%\FireFox\modules\LightweightThemeManager.jsm to %ProgramFiles%\FireFox\modules\LightweightThemeManager.jsm.no_more_ransom
from %ProgramFiles%\FireFox\components\xpcom_components.xpt to %ProgramFiles%\FireFox\components\xpcom_components.xpt.no_more_ransom
from %ProgramFiles%\FireFox\components\xpcom_ds.xpt to %ProgramFiles%\FireFox\components\xpcom_ds.xpt.no_more_ransom
from %ProgramFiles%\FireFox\modules\services-sync\ext\Preferences.js to %ProgramFiles%\FireFox\modules\services-sync\ext\Preferences.js.no_more_ransom
from %ProgramFiles%\FireFox\components\webshell_idls.xpt to %ProgramFiles%\FireFox\components\webshell_idls.xpt.no_more_ransom
from %ProgramFiles%\FireFox\modules\Microformats.js to %ProgramFiles%\FireFox\modules\Microformats.js.no_more_ransom
from %ProgramFiles%\FireFox\components\xpcom_system.xpt to %ProgramFiles%\FireFox\components\xpcom_system.xpt.no_more_ransom
from %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\xpinstall\xpinstallConfirm.css to %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\xpinstall\xpinstallConfirm.css.no_more_ransom
from %ProgramFiles%\FireFox\modules\NetUtil.jsm to %ProgramFiles%\FireFox\modules\NetUtil.jsm.no_more_ransom
from %ProgramFiles%\FireFox\components\xpcom_threads.xpt to %ProgramFiles%\FireFox\components\xpcom_threads.xpt.no_more_ransom
from %ProgramFiles%\FireFox\modules\services-sync\ext\StringBundle.js to %ProgramFiles%\FireFox\modules\services-sync\ext\StringBundle.js.no_more_ransom
from %ProgramFiles%\FireFox\components\xpcom_xpti.xpt to %ProgramFiles%\FireFox\components\xpcom_xpti.xpt.no_more_ransom
from %ProgramFiles%\FireFox\components\xpconnect.xpt to %ProgramFiles%\FireFox\components\xpconnect.xpt.no_more_ransom
from %ProgramFiles%\FireFox\components\xulapp.xpt to %ProgramFiles%\FireFox\components\xulapp.xpt.no_more_ransom
from %ProgramFiles%\FireFox\modules\NetworkHelper.jsm to %ProgramFiles%\FireFox\modules\NetworkHelper.jsm.no_more_ransom
from %ProgramFiles%\FireFox\modules\services-sync\identity.js to %ProgramFiles%\FireFox\modules\services-sync\identity.js.no_more_ransom
from %ProgramFiles%\FireFox\AccessibleMarshal.dll to %ProgramFiles%\FireFox\AccessibleMarshal.dll.no_more_ransom
from %ProgramFiles%\FireFox\components\xuldoc.xpt to %ProgramFiles%\FireFox\components\xuldoc.xpt.no_more_ransom
from %ProgramFiles%\FireFox\chrome\toolkit.manifest to %ProgramFiles%\FireFox\chrome\toolkit.manifest.no_more_ransom
from %ProgramFiles%\FireFox\components\xpcom_io.xpt to %ProgramFiles%\FireFox\components\xpcom_io.xpt.no_more_ransom
from %ProgramFiles%\FireFox\components\update.xpt to %ProgramFiles%\FireFox\components\update.xpt.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\icwdl.dll to %ProgramFiles%\Internet Explorer\Connection Wizard\icwdl.dll.no_more_ransom
from %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\profile\profileSelection.css to %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\profile\profileSelection.css.no_more_ransom
from %ProgramFiles%\FireFox\modules\DownloadPaths.jsm to %ProgramFiles%\FireFox\modules\DownloadPaths.jsm.no_more_ransom
from %ProgramFiles%\FireFox\components\toolkitsearch.manifest to %ProgramFiles%\FireFox\components\toolkitsearch.manifest.no_more_ransom
from %ProgramFiles%\FireFox\components\txEXSLTRegExFunctions.js to %ProgramFiles%\FireFox\components\txEXSLTRegExFunctions.js.no_more_ransom
from %ProgramFiles%\FireFox\modules\services-sync\engines\history.js to %ProgramFiles%\FireFox\modules\services-sync\engines\history.js.no_more_ransom
from %ProgramFiles%\FireFox\modules\DownloadTaskbarProgress.jsm to %ProgramFiles%\FireFox\modules\DownloadTaskbarProgress.jsm.no_more_ransom
from %ProgramFiles%\FireFox\components\txEXSLTRegExFunctions.manifest to %ProgramFiles%\FireFox\components\txEXSLTRegExFunctions.manifest.no_more_ransom
from %ProgramFiles%\FireFox\components\txmgr.xpt to %ProgramFiles%\FireFox\components\txmgr.xpt.no_more_ransom
from %ProgramFiles%\FireFox\modules\DownloadUtils.jsm to %ProgramFiles%\FireFox\modules\DownloadUtils.jsm.no_more_ransom
from %ProgramFiles%\FireFox\components\txtsvc.xpt to %ProgramFiles%\FireFox\components\txtsvc.xpt.no_more_ransom
from %ProgramFiles%\FireFox\modules\services-sync\engines\passwords.js to %ProgramFiles%\FireFox\modules\services-sync\engines\passwords.js.no_more_ransom
from %ProgramFiles%\FireFox\components\uconv.xpt to %ProgramFiles%\FireFox\components\uconv.xpt.no_more_ransom
from %ProgramFiles%\FireFox\components\unicharutil.xpt to %ProgramFiles%\FireFox\components\unicharutil.xpt.no_more_ransom
from %ProgramFiles%\FireFox\modules\FileUtils.jsm to %ProgramFiles%\FireFox\modules\FileUtils.jsm.no_more_ransom
from %ProgramFiles%\FireFox\components\xultmpl.xpt to %ProgramFiles%\FireFox\components\xultmpl.xpt.no_more_ransom
from %ProgramFiles%\FireFox\modules\services-sync\engines\prefs.js to %ProgramFiles%\FireFox\modules\services-sync\engines\prefs.js.no_more_ransom
from %ProgramFiles%\FireFox\components\uriloader.xpt to %ProgramFiles%\FireFox\components\uriloader.xpt.no_more_ransom
from %ProgramFiles%\FireFox\modules\Geometry.jsm to %ProgramFiles%\FireFox\modules\Geometry.jsm.no_more_ransom
from %ProgramFiles%\FireFox\components\url-classifier.xpt to %ProgramFiles%\FireFox\components\url-classifier.xpt.no_more_ransom
from %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\plugins\pluginInstallerWizard.css to %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\plugins\pluginInstallerWizard.css.no_more_ransom
from %ProgramFiles%\FireFox\components\urlformatter.xpt to %ProgramFiles%\FireFox\components\urlformatter.xpt.no_more_ransom
from %ProgramFiles%\FireFox\components\Weave.js to %ProgramFiles%\FireFox\components\Weave.js.no_more_ransom
from %ProgramFiles%\FireFox\modules\HUDService.jsm to %ProgramFiles%\FireFox\modules\HUDService.jsm.no_more_ransom
from %ProgramFiles%\FireFox\modules\services-sync\engines\tabs.js to %ProgramFiles%\FireFox\modules\services-sync\engines\tabs.js.no_more_ransom
from %ProgramFiles%\FireFox\components\webapps.xpt to %ProgramFiles%\FireFox\components\webapps.xpt.no_more_ransom
from %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\plugins\pluginProblem.css to %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\plugins\pluginProblem.css.no_more_ransom
from %ProgramFiles%\FireFox\components\webbrowserpersist.xpt to %ProgramFiles%\FireFox\components\webbrowserpersist.xpt.no_more_ransom
from %ProgramFiles%\FireFox\modules\InlineSpellChecker.jsm to %ProgramFiles%\FireFox\modules\InlineSpellChecker.jsm.no_more_ransom
from %ProgramFiles%\FireFox\components\webBrowser_core.xpt to %ProgramFiles%\FireFox\components\webBrowser_core.xpt.no_more_ransom
from %ProgramFiles%\FireFox\modules\ISO8601DateUtils.jsm to %ProgramFiles%\FireFox\modules\ISO8601DateUtils.jsm.no_more_ransom
from %ProgramFiles%\FireFox\defaults\pref\channel-prefs.js to %ProgramFiles%\FireFox\defaults\pref\channel-prefs.js.no_more_ransom
from %ProgramFiles%\FireFox\application.ini to %ProgramFiles%\FireFox\application.ini.no_more_ransom
from %ProgramFiles%\FireFox\modules\services-sync\status.js to %ProgramFiles%\FireFox\modules\services-sync\status.js.no_more_ransom
from %ProgramFiles%\FireFox\modules\services-crypto\WeaveCrypto.js to %ProgramFiles%\FireFox\modules\services-crypto\WeaveCrypto.js.no_more_ransom
from %ProgramFiles%\FireFox\modules\PropertyPanel.jsm to %ProgramFiles%\FireFox\modules\PropertyPanel.jsm.no_more_ransom
from %ProgramFiles%\FireFox\defaults\profile\prefs.js to %ProgramFiles%\FireFox\defaults\profile\prefs.js.no_more_ransom
from %ProgramFiles%\FireFox\modules\Services.jsm to %ProgramFiles%\FireFox\modules\Services.jsm.no_more_ransom
from %ProgramFiles%\FireFox\modules\tabview\AllTabs.jsm to %ProgramFiles%\FireFox\modules\tabview\AllTabs.jsm.no_more_ransom
from %ProgramFiles%\FireFox\dependentlibs.list to %ProgramFiles%\FireFox\dependentlibs.list.no_more_ransom
from %ProgramFiles%\FireFox\dictionaries\en-US.aff to %ProgramFiles%\FireFox\dictionaries\en-US.aff.no_more_ransom
from %ProgramFiles%\FireFox\modules\SpatialNavigation.js to %ProgramFiles%\FireFox\modules\SpatialNavigation.js.no_more_ransom
from %ProgramFiles%\FireFox\modules\tabview\utils.jsm to %ProgramFiles%\FireFox\modules\tabview\utils.jsm.no_more_ransom
from %ProgramFiles%\FireFox\dictionaries\en-US.dic to %ProgramFiles%\FireFox\dictionaries\en-US.dic.no_more_ransom
from %ProgramFiles%\FireFox\modules\stylePanel.jsm to %ProgramFiles%\FireFox\modules\stylePanel.jsm.no_more_ransom
from %ProgramFiles%\FireFox\firefox.exe to %ProgramFiles%\FireFox\firefox.exe.no_more_ransom
from %ProgramFiles%\FireFox\modules\utils.js to %ProgramFiles%\FireFox\modules\utils.js.no_more_ransom
from %ProgramFiles%\FireFox\modules\services-sync\util.js to %ProgramFiles%\FireFox\modules\services-sync\util.js.no_more_ransom
from %ProgramFiles%\FireFox\freebl3.chk to %ProgramFiles%\FireFox\freebl3.chk.no_more_ransom
from %ProgramFiles%\FireFox\modules\WindowDraggingUtils.jsm to %ProgramFiles%\FireFox\modules\WindowDraggingUtils.jsm.no_more_ransom
from %ProgramFiles%\FireFox\greprefs.js to %ProgramFiles%\FireFox\greprefs.js.no_more_ransom
from %ProgramFiles%\FireFox\modules\WindowsJumpLists.jsm to %ProgramFiles%\FireFox\modules\WindowsJumpLists.jsm.no_more_ransom
from %ProgramFiles%\FireFox\IA2Marshal.dll to %ProgramFiles%\FireFox\IA2Marshal.dll.no_more_ransom
from <ANALYSETOOLS_DIR>\Angar2\scripts\main.bin to <ANALYSETOOLS_DIR>\Angar2\scripts\main.bin.no_more_ransom
from %ProgramFiles%\FireFox\modules\WindowsPreviewPerTab.jsm to %ProgramFiles%\FireFox\modules\WindowsPreviewPerTab.jsm.no_more_ransom
from %ProgramFiles%\FireFox\js.exe to %ProgramFiles%\FireFox\js.exe.no_more_ransom
from %ProgramFiles%\FireFox\modules\XPCOMUtils.jsm to %ProgramFiles%\FireFox\modules\XPCOMUtils.jsm.no_more_ransom
from %ProgramFiles%\FireFox\modules\XPIProvider.jsm to %ProgramFiles%\FireFox\modules\XPIProvider.jsm.no_more_ransom
from %ProgramFiles%\FireFox\js.log to %ProgramFiles%\FireFox\js.log.no_more_ransom
from %ProgramFiles%\FireFox\mangle.exe to %ProgramFiles%\FireFox\mangle.exe.no_more_ransom
from %ProgramFiles%\FireFox\mozalloc.dll to %ProgramFiles%\FireFox\mozalloc.dll.no_more_ransom
from %ProgramFiles%\FireFox\mozjs.dll to %ProgramFiles%\FireFox\mozjs.dll.no_more_ransom
from %ProgramFiles%\FireFox\freebl3.dll to %ProgramFiles%\FireFox\freebl3.dll.no_more_ransom
from %ProgramFiles%\FireFox\components\toolkitprofile.xpt to %ProgramFiles%\FireFox\components\toolkitprofile.xpt.no_more_ransom
from %ProgramFiles%\FireFox\modules\NetworkPrioritizer.jsm to %ProgramFiles%\FireFox\modules\NetworkPrioritizer.jsm.no_more_ransom
from %ProgramFiles%\FireFox\modules\PluralForm.jsm to %ProgramFiles%\FireFox\modules\PluralForm.jsm.no_more_ransom
from %ProgramFiles%\FireFox\modules\services-sync\jpakeclient.js to %ProgramFiles%\FireFox\modules\services-sync\jpakeclient.js.no_more_ransom
from %ProgramFiles%\FireFox\blocklist.xml to %ProgramFiles%\FireFox\blocklist.xml.no_more_ransom
from %ProgramFiles%\FireFox\chrome.manifest to %ProgramFiles%\FireFox\chrome.manifest.no_more_ransom
from %ProgramFiles%\FireFox\modules\services-sync\log4moz.js to %ProgramFiles%\FireFox\modules\services-sync\log4moz.js.no_more_ransom
from %ProgramFiles%\FireFox\defaults\autoconfig\platform.js to %ProgramFiles%\FireFox\defaults\autoconfig\platform.js.no_more_ransom
from %ProgramFiles%\FireFox\modules\nsFormAutoCompleteResult.jsm to %ProgramFiles%\FireFox\modules\nsFormAutoCompleteResult.jsm.no_more_ransom
from %ProgramFiles%\FireFox\crashreporter-override.ini to %ProgramFiles%\FireFox\crashreporter-override.ini.no_more_ransom
from %ProgramFiles%\FireFox\crashreporter.exe to %ProgramFiles%\FireFox\crashreporter.exe.no_more_ransom
from %ProgramFiles%\FireFox\defaults\autoconfig\prefcalls.js to %ProgramFiles%\FireFox\defaults\autoconfig\prefcalls.js.no_more_ransom
from %ProgramFiles%\FireFox\modules\openLocationLastURL.jsm to %ProgramFiles%\FireFox\modules\openLocationLastURL.jsm.no_more_ransom
from %ProgramFiles%\FireFox\modules\services-sync\main.js to %ProgramFiles%\FireFox\modules\services-sync\main.js.no_more_ransom
from %ProgramFiles%\FireFox\crashreporter.ini to %ProgramFiles%\FireFox\crashreporter.ini.no_more_ransom
from %ProgramFiles%\FireFox\modules\PerfMeasurement.jsm to %ProgramFiles%\FireFox\modules\PerfMeasurement.jsm.no_more_ransom
from %ProgramFiles%\FireFox\components\zipwriter.xpt to %ProgramFiles%\FireFox\components\zipwriter.xpt.no_more_ransom
from %ProgramFiles%\FireFox\modules\services-sync\notifications.js to %ProgramFiles%\FireFox\modules\services-sync\notifications.js.no_more_ransom
from %ProgramFiles%\FireFox\modules\PlacesDBUtils.jsm to %ProgramFiles%\FireFox\modules\PlacesDBUtils.jsm.no_more_ransom
from %ProgramFiles%\FireFox\modules\services-sync\record.js to %ProgramFiles%\FireFox\modules\services-sync\record.js.no_more_ransom
from %ProgramFiles%\FireFox\defaults\pref\firefox-branding.js to %ProgramFiles%\FireFox\defaults\pref\firefox-branding.js.no_more_ransom
from %ProgramFiles%\FireFox\modules\PlacesUIUtils.jsm to %ProgramFiles%\FireFox\modules\PlacesUIUtils.jsm.no_more_ransom
from %ProgramFiles%\FireFox\defaults\pref\firefox-l10n.js to %ProgramFiles%\FireFox\defaults\pref\firefox-l10n.js.no_more_ransom
from %ProgramFiles%\FireFox\modules\services-sync\resource.js to %ProgramFiles%\FireFox\modules\services-sync\resource.js.no_more_ransom
from %ProgramFiles%\FireFox\defaults\profile\chrome\userChrome-example.css to %ProgramFiles%\FireFox\defaults\profile\chrome\userChrome-example.css.no_more_ransom
from %ProgramFiles%\FireFox\defaults\pref\firefox.js to %ProgramFiles%\FireFox\defaults\pref\firefox.js.no_more_ransom
from %ProgramFiles%\FireFox\modules\PlacesUtils.jsm to %ProgramFiles%\FireFox\modules\PlacesUtils.jsm.no_more_ransom
from %ProgramFiles%\FireFox\modules\services-sync\service.js to %ProgramFiles%\FireFox\modules\services-sync\service.js.no_more_ransom
from %ProgramFiles%\FireFox\defaults\pref\services-sync.js to %ProgramFiles%\FireFox\defaults\pref\services-sync.js.no_more_ransom
from %ProgramFiles%\FireFox\defaults\profile\chrome\userContent-example.css to %ProgramFiles%\FireFox\defaults\profile\chrome\userContent-example.css.no_more_ransom
from %ProgramFiles%\FireFox\modules\PluginProvider.jsm to %ProgramFiles%\FireFox\modules\PluginProvider.jsm.no_more_ransom
from %ProgramFiles%\FireFox\modules\PopupNotifications.jsm to %ProgramFiles%\FireFox\modules\PopupNotifications.jsm.no_more_ransom
from %ProgramFiles%\FireFox\components\WebContentConverter.js to %ProgramFiles%\FireFox\components\WebContentConverter.js.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\icwhelp.dll to %ProgramFiles%\Internet Explorer\Connection Wizard\icwhelp.dll.no_more_ransom
from %ProgramFiles%\Messenger\lvback.gif to %ProgramFiles%\Messenger\lvback.gif.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Client.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Client.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND17.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND17.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND18.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND18.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND181.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND181.WAV.no_more_ransom
from %ProgramFiles%\Windows Media Player\npdrmv2.zip to %ProgramFiles%\Windows Media Player\npdrmv2.zip.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Design.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Design.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND19.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND19.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND20.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND20.WAV.no_more_ransom
from %ProgramFiles%\Windows Media Player\npds.zip to %ProgramFiles%\Windows Media Player\npds.zip.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND21.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND21.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND22.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND22.WAV.no_more_ransom
from %ProgramFiles%\Windows Media Player\npdsplay.dll to %ProgramFiles%\Windows Media Player\npdsplay.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND14.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND14.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND240.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND240.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND243.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND243.WAV.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Management.Instrumentation.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Management.Instrumentation.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND25.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND25.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND26.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND26.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND27.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND27.WAV.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Net.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Net.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND28.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND28.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Accessories\mswrd6.wpc to %ProgramFiles%\Windows NT\Accessories\mswrd6.wpc.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND29.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND29.WAV.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll.no_more_ransom
from %ProgramFiles%\Windows Media Player\npwmsdrm.dll to %ProgramFiles%\Windows Media Player\npwmsdrm.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND24.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND24.WAV.no_more_ransom
from %ProgramFiles%\Outlook Express\oemig50.exe to %ProgramFiles%\Outlook Express\oemig50.exe.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND136.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND136.WAV.no_more_ransom
from %ProgramFiles%\MSN\MSNCoreFiles\OOBE\signup.mar to %ProgramFiles%\MSN\MSNCoreFiles\OOBE\signup.mar.no_more_ransom
from %ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets to %ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets.no_more_ransom
from %ProgramFiles%\Online Services\Refer me to more Internet Service Providers.lnk to %ProgramFiles%\Online Services\Refer me to more Internet Service Providers.lnk.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\PINBALL.DAT to %ProgramFiles%\Windows NT\Pinball\PINBALL.DAT.no_more_ransom
from %ProgramFiles%\NetMeeting\TestSnd.wav to %ProgramFiles%\NetMeeting\TestSnd.wav.no_more_ransom
from %ProgramFiles%\NetMeeting\wb32.exe to %ProgramFiles%\NetMeeting\wb32.exe.no_more_ransom
from %ProgramFiles%\Online Services\Use MSN Explorer to sign up for Internet Access (US only).lnk to %ProgramFiles%\Online Services\Use MSN Explorer to sign up for Internet Access (US only).lnk.no_more_ransom
from %ProgramFiles%\Outlook Express\msimn.exe to %ProgramFiles%\Outlook Express\msimn.exe.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\PINBALL.EXE to %ProgramFiles%\Windows NT\Pinball\PINBALL.EXE.no_more_ransom
from %ProgramFiles%\Outlook Express\msoe.dll to %ProgramFiles%\Outlook Express\msoe.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\PINBALL.MID to %ProgramFiles%\Windows NT\Pinball\PINBALL.MID.no_more_ransom
from %ProgramFiles%\Windows Media Player\custsat.dll to %ProgramFiles%\Windows Media Player\custsat.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\PINBALL2.MID to %ProgramFiles%\Windows NT\Pinball\PINBALL2.MID.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND3.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND3.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND16.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND16.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND104.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND104.WAV.no_more_ransom
from %ProgramFiles%\Outlook Express\msoe.txt to %ProgramFiles%\Outlook Express\msoe.txt.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND105.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND105.WAV.no_more_ransom
from %ProgramFiles%\Windows Media Player\mplayer2.exe to %ProgramFiles%\Windows Media Player\mplayer2.exe.no_more_ransom
from %ProgramFiles%\Outlook Express\msoeres.dll to %ProgramFiles%\Outlook Express\msoeres.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND108.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND108.WAV.no_more_ransom
from %ProgramFiles%\Windows Media Player\mpvis.dll to %ProgramFiles%\Windows Media Player\mpvis.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND111.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND111.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND112.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND112.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND12.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND12.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND13.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND13.WAV.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND131.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND131.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND1.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND1.WAV.no_more_ransom
from %ProgramFiles%\Windows Media Player\npdrmv2.dll to %ProgramFiles%\Windows Media Player\npdrmv2.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND30.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND30.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND34.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND34.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND35.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND35.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\htrn_jis.dll to %ProgramFiles%\Windows NT\htrn_jis.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND57.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND57.WAV.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND58.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND58.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\dialer.exe to %ProgramFiles%\Windows NT\dialer.exe.no_more_ransom
from %ProgramFiles%\Outlook Express\wab.exe to %ProgramFiles%\Outlook Express\wab.exe.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND6.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND6.WAV.no_more_ransom
from %ProgramFiles%\Windows Media Player\wmpband.dll to %ProgramFiles%\Windows Media Player\wmpband.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND65.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND65.WAV.no_more_ransom
from %ProgramFiles%\Outlook Express\wabfind.dll to %ProgramFiles%\Outlook Express\wabfind.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND68.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND68.WAV.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND7.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND7.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\FONT.DAT to %ProgramFiles%\Windows NT\Pinball\FONT.DAT.no_more_ransom
from %ProgramFiles%\Windows Media Player\Skins\Revert.wmz to %ProgramFiles%\Windows Media Player\Skins\Revert.wmz.no_more_ransom
from %ProgramFiles%\Outlook Express\wabimp.dll to %ProgramFiles%\Outlook Express\wabimp.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll.no_more_ransom
from %ProgramFiles%\Windows Media Player\wmplayer.exe to %ProgramFiles%\Windows Media Player\wmplayer.exe.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND735.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND735.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND8.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND8.WAV.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND827.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND827.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\hypertrm.exe to %ProgramFiles%\Windows NT\hypertrm.exe.no_more_ransom
from %ProgramFiles%\Outlook Express\wabmig.exe to %ProgramFiles%\Outlook Express\wabmig.exe.no_more_ransom
from %ProgramFiles%\Windows Media Player\wmpns.dll to %ProgramFiles%\Windows Media Player\wmpns.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND9.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND9.WAV.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND999.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND999.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND713.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND713.WAV.no_more_ransom
from %ProgramFiles%\Windows Media Player\migrate.exe to %ProgramFiles%\Windows Media Player\migrate.exe.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND560.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND560.WAV.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND55.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND55.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Accessories\mswrd8.wpc to %ProgramFiles%\Windows NT\Accessories\mswrd8.wpc.no_more_ransom
from %ProgramFiles%\Windows Media Player\setup_wm.exe to %ProgramFiles%\Windows Media Player\setup_wm.exe.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND36.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND36.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND38.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND38.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND39.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND39.WAV.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND4.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND4.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND42.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND42.WAV.no_more_ransom
from %ProgramFiles%\Outlook Express\oeimport.dll to %ProgramFiles%\Outlook Express\oeimport.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND43.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND43.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND45.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND45.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND54.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND54.WAV.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND563.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND563.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND49D.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND49D.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Accessories\wordpad.exe to %ProgramFiles%\Windows NT\Accessories\wordpad.exe.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.Design.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.Design.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND5.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND5.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND50.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND50.WAV.no_more_ransom
from %ProgramFiles%\Outlook Express\oemiglib.dll to %ProgramFiles%\Outlook Express\oemiglib.dll.no_more_ransom
from %ProgramFiles%\Windows Media Player\Skins\compact.wmz to %ProgramFiles%\Windows Media Player\Skins\compact.wmz.no_more_ransom
from %ProgramFiles%\Windows NT\Accessories\write.wpc to %ProgramFiles%\Windows NT\Accessories\write.wpc.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND528.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND528.WAV.no_more_ransom
from %ProgramFiles%\Outlook Express\setup50.exe to %ProgramFiles%\Outlook Express\setup50.exe.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND53.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND53.WAV.no_more_ransom
from %ProgramFiles%\Windows NT\Pinball\SOUND49.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND49.WAV.no_more_ransom
from %ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets to %ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll.no_more_ransom
from %ProgramFiles%\NetMeeting\rrcm.dll to %ProgramFiles%\NetMeeting\rrcm.dll.no_more_ransom
from %ProgramFiles%\Messenger\msmsgs.exe to %ProgramFiles%\Messenger\msmsgs.exe.no_more_ransom
from %ProgramFiles%\MSN\MSNCoreFiles\Install\cinfo.xml to %ProgramFiles%\MSN\MSNCoreFiles\Install\cinfo.xml.no_more_ransom
from %ProgramFiles%\Messenger\newalert.wav to %ProgramFiles%\Messenger\newalert.wav.no_more_ransom
from %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe to %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe.no_more_ransom
from %ProgramFiles%\Messenger\newemail.wav to %ProgramFiles%\Messenger\newemail.wav.no_more_ransom
from %ProgramFiles%\Messenger\online.wav to %ProgramFiles%\Messenger\online.wav.no_more_ransom
from %ProgramFiles%\Messenger\type.wav to %ProgramFiles%\Messenger\type.wav.no_more_ransom
from %ProgramFiles%\Messenger\xpmsgr.chm to %ProgramFiles%\Messenger\xpmsgr.chm.no_more_ransom
from %ProgramFiles%\Microsoft.NET\RedistList\AssemblyList_4_client.xml to %ProgramFiles%\Microsoft.NET\RedistList\AssemblyList_4_client.xml.no_more_ransom
from %ProgramFiles%\Microsoft.NET\RedistList\AssemblyList_4_extended.xml to %ProgramFiles%\Microsoft.NET\RedistList\AssemblyList_4_extended.xml.no_more_ransom
from %ProgramFiles%\Movie Maker\moviemk.exe to %ProgramFiles%\Movie Maker\moviemk.exe.no_more_ransom
from %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\digopt.msi to %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\digopt.msi.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll.no_more_ransom
from %ProgramFiles%\Messenger\msgslang.dll to %ProgramFiles%\Messenger\msgslang.dll.no_more_ransom
from %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\digreqEx.msi to %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\digreqEx.msi.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\Client.xml to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\Client.xml.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Printing.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Printing.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll.no_more_ransom
from %ProgramFiles%\Movie Maker\MUI\0409\moviemk.chm to %ProgramFiles%\Movie Maker\MUI\0409\moviemk.chm.no_more_ransom
from %ProgramFiles%\Movie Maker\Shared\Empty.txt to %ProgramFiles%\Movie Maker\Shared\Empty.txt.no_more_ransom
from %ProgramFiles%\Movie Maker\Shared\Filters.xml to %ProgramFiles%\Movie Maker\Shared\Filters.xml.no_more_ransom
from %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe to %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\icwip.dun to %ProgramFiles%\Internet Explorer\Connection Wizard\icwip.dun.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll.no_more_ransom
from C:\Muldrop\unq2.unq_0 to C:\Muldrop\unq2.unq_0.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\icwres.dll to %ProgramFiles%\Internet Explorer\Connection Wizard\icwres.dll.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\icwrmind.exe to %ProgramFiles%\Internet Explorer\Connection Wizard\icwrmind.exe.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\icwtutor.exe to %ProgramFiles%\Internet Explorer\Connection Wizard\icwtutor.exe.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\icwutil.dll to %ProgramFiles%\Internet Explorer\Connection Wizard\icwutil.dll.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\icwx25a.dun to %ProgramFiles%\Internet Explorer\Connection Wizard\icwx25a.dun.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\icwx25b.dun to %ProgramFiles%\Internet Explorer\Connection Wizard\icwx25b.dun.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\icwx25c.dun to %ProgramFiles%\Internet Explorer\Connection Wizard\icwx25c.dun.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\inetwiz.exe to %ProgramFiles%\Internet Explorer\Connection Wizard\inetwiz.exe.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\isignup.exe to %ProgramFiles%\Internet Explorer\Connection Wizard\isignup.exe.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\msicw.isp to %ProgramFiles%\Internet Explorer\Connection Wizard\msicw.isp.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\msn.isp to %ProgramFiles%\Internet Explorer\Connection Wizard\msn.isp.no_more_ransom
from %ProgramFiles%\Movie Maker\Shared\Profiles\Blank.txt to %ProgramFiles%\Movie Maker\Shared\Profiles\Blank.txt.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\phone.icw to %ProgramFiles%\Internet Explorer\Connection Wizard\phone.icw.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\phone.ver to %ProgramFiles%\Internet Explorer\Connection Wizard\phone.ver.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\state.icw to %ProgramFiles%\Internet Explorer\Connection Wizard\state.icw.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\support.icw to %ProgramFiles%\Internet Explorer\Connection Wizard\support.icw.no_more_ransom
from %ProgramFiles%\Internet Explorer\Connection Wizard\trialoc.dll to %ProgramFiles%\Internet Explorer\Connection Wizard\trialoc.dll.no_more_ransom
from %ProgramFiles%\Internet Explorer\HMMAPI.DLL to %ProgramFiles%\Internet Explorer\HMMAPI.DLL.no_more_ransom
from %ProgramFiles%\Internet Explorer\iedw.exe to %ProgramFiles%\Internet Explorer\iedw.exe.no_more_ransom
from %ProgramFiles%\Internet Explorer\MUI\0409\mscorier.dll to %ProgramFiles%\Internet Explorer\MUI\0409\mscorier.dll.no_more_ransom
from %ProgramFiles%\Internet Explorer\IEXPLORE.EXE to %ProgramFiles%\Internet Explorer\IEXPLORE.EXE.no_more_ransom
from %ProgramFiles%\Internet Explorer\SIGNUP\INSTALL.INS to %ProgramFiles%\Internet Explorer\SIGNUP\INSTALL.INS.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll.no_more_ransom
from %ProgramFiles%\Messenger\custsat.dll to %ProgramFiles%\Messenger\custsat.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Classic.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Classic.dll.no_more_ransom
from %ProgramFiles%\Messenger\logowin.gif to %ProgramFiles%\Messenger\logowin.gif.no_more_ransom
from %ProgramFiles%\Messenger\msgsc.dll to %ProgramFiles%\Messenger\msgsc.dll.no_more_ransom
from %ProgramFiles%\Movie Maker\WMM2FXB.dll to %ProgramFiles%\Movie Maker\WMM2FXB.dll.no_more_ransom
from %ProgramFiles%\Movie Maker\Shared\Sample1.jpg to %ProgramFiles%\Movie Maker\Shared\Sample1.jpg.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll.no_more_ransom
from %ProgramFiles%\NetMeeting\nmas.dll to %ProgramFiles%\NetMeeting\nmas.dll.no_more_ransom
from %ProgramFiles%\MSN\MSNCoreFiles\Install\xfp.xml to %ProgramFiles%\MSN\MSNCoreFiles\Install\xfp.xml.no_more_ransom
from %ProgramFiles%\MSN\MSNCoreFiles\OOBE\market.mar to %ProgramFiles%\MSN\MSNCoreFiles\OOBE\market.mar.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll.no_more_ransom
from %ProgramFiles%\NetMeeting\nmasnt.dll to %ProgramFiles%\NetMeeting\nmasnt.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Utilities.v3.5.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Utilities.v3.5.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Client.xml to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Client.xml.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll.no_more_ransom
from %ProgramFiles%\MSN\MSNCoreFiles\OOBE\obelog.dll to %ProgramFiles%\MSN\MSNCoreFiles\OOBE\obelog.dll.no_more_ransom
from %ProgramFiles%\NetMeeting\nmchat.dll to %ProgramFiles%\NetMeeting\nmchat.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll.no_more_ransom
from %ProgramFiles%\NetMeeting\netmeet.htm to %ProgramFiles%\NetMeeting\netmeet.htm.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll.no_more_ransom
from %ProgramFiles%\MSN\MSNCoreFiles\OOBE\obemetal.dll to %ProgramFiles%\MSN\MSNCoreFiles\OOBE\obemetal.dll.no_more_ransom
from %ProgramFiles%\NetMeeting\nmft.dll to %ProgramFiles%\NetMeeting\nmft.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll.no_more_ransom
from %ProgramFiles%\NetMeeting\nmoldwb.dll to %ProgramFiles%\NetMeeting\nmoldwb.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.DataSetExtensions.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.DataSetExtensions.dll.no_more_ransom
from %ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets to %ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.no_more_ransom
from %ProgramFiles%\MSN\MSNCoreFiles\OOBE\obemtllc.dll to %ProgramFiles%\MSN\MSNCoreFiles\OOBE\obemtllc.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.Design.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.Design.dll.no_more_ransom
from %ProgramFiles%\NetMeeting\nmwb.dll to %ProgramFiles%\NetMeeting\nmwb.dll.no_more_ransom
from %ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets to %ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.no_more_ransom
from %ProgramFiles%\Movie Maker\WMM2RES2.dll to %ProgramFiles%\Movie Maker\WMM2RES2.dll.no_more_ransom
from %ProgramFiles%\MSN\MSNCoreFiles\OOBE\obepopc.dll to %ProgramFiles%\MSN\MSNCoreFiles\OOBE\obepopc.dll.no_more_ransom
from %ProgramFiles%\NetMeeting\nmcom.dll to %ProgramFiles%\NetMeeting\nmcom.dll.no_more_ransom
from C:\Muldrop\unq1.unq_0 to C:\Muldrop\unq1.unq_0.no_more_ransom
from %ProgramFiles%\Movie Maker\WMM2AE.dll to %ProgramFiles%\Movie Maker\WMM2AE.dll.no_more_ransom
from %ProgramFiles%\NetMeeting\nac.dll to %ProgramFiles%\NetMeeting\nac.dll.no_more_ransom
from %ProgramFiles%\NetMeeting\Blip.wav to %ProgramFiles%\NetMeeting\Blip.wav.no_more_ransom
from %ProgramFiles%\NetMeeting\callcont.dll to %ProgramFiles%\NetMeeting\callcont.dll.no_more_ransom
from %ProgramFiles%\Movie Maker\WMM2ERES.dll to %ProgramFiles%\Movie Maker\WMM2ERES.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll.no_more_ransom
from %ProgramFiles%\Movie Maker\WMM2EXT.dll to %ProgramFiles%\Movie Maker\WMM2EXT.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll.no_more_ransom
from %ProgramFiles%\NetMeeting\cb32.exe to %ProgramFiles%\NetMeeting\cb32.exe.no_more_ransom
from %ProgramFiles%\Movie Maker\WMM2FILT.dll to %ProgramFiles%\Movie Maker\WMM2FILT.dll.no_more_ransom
from %ProgramFiles%\NetMeeting\conf.exe to %ProgramFiles%\NetMeeting\conf.exe.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll.no_more_ransom
from %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\msnmsgs.msi to %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\msnmsgs.msi.no_more_ransom
from %ProgramFiles%\Movie Maker\WMM2FXA.dll to %ProgramFiles%\Movie Maker\WMM2FXA.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll.no_more_ransom
from %ProgramFiles%\Movie Maker\Shared\Sample2.jpg to %ProgramFiles%\Movie Maker\Shared\Sample2.jpg.no_more_ransom
from %ProgramFiles%\NetMeeting\confmrsl.dll to %ProgramFiles%\NetMeeting\confmrsl.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClient.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClient.dll.no_more_ransom
from %ProgramFiles%\NetMeeting\dcap32.dll to %ProgramFiles%\NetMeeting\dcap32.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClientsideProviders.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClientsideProviders.dll.no_more_ransom
from %ProgramFiles%\NetMeeting\h323cc.dll to %ProgramFiles%\NetMeeting\h323cc.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationProvider.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationProvider.dll.no_more_ransom
from %ProgramFiles%\Movie Maker\WMM2RES.dll to %ProgramFiles%\Movie Maker\WMM2RES.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll.no_more_ransom
from %ProgramFiles%\NetMeeting\MST120.DLL to %ProgramFiles%\NetMeeting\MST120.DLL.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll.no_more_ransom
from %ProgramFiles%\NetMeeting\MST123.DLL to %ProgramFiles%\NetMeeting\MST123.DLL.no_more_ransom
from %ProgramFiles%\MSN\MSNCoreFiles\Install\msnms.ico to %ProgramFiles%\MSN\MSNCoreFiles\Install\msnms.ico.no_more_ransom
from %ProgramFiles%\MSN\MSNCoreFiles\Install\msnsusii.exe to %ProgramFiles%\MSN\MSNCoreFiles\Install\msnsusii.exe.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll.no_more_ransom
from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll.no_more_ransom
from %ProgramFiles%\FireFox\modules\services-sync\engines\forms.js to %ProgramFiles%\FireFox\modules\services-sync\engines\forms.js.no_more_ransom

Modifies user data files (Trojan.Encoder).

Changes user data files extensions (Trojan.Encoder).

Miscellaneous:

Executes the following:

'<SYSTEM32>\cmd.exe' /c vssadmin.exe Delete Shadows /All /Quiet
'<SYSTEM32>\cmd.exe' /c bcdedit.exe /set {default} recoveryenabled No
'<SYSTEM32>\cmd.exe' /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
'<SYSTEM32>\cmd.exe' /c wbadmin DELETE SYSTEMSTATEBACKUP
'<SYSTEM32>\cmd.exe' /c wmic SHADOWCOPY DELETE
'<SYSTEM32>\schtasks.exe' /Create /SC MINUTE /TN Encrypter /TR %APPDATA%\info.exe
'<SYSTEM32>\schtasks.exe' /Create /SC ONLOGON /TN EncrypterSt /TR %APPDATA%\info.exe

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial