Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Trojan.Encoder.26682

Added to the Dr.Web virus database: 2018-11-13

Virus description added:

Technical Information

To ensure autorun and distribution:
Modifies the following registry keys:
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Encrypter_074' = '%APPDATA%\info.exe'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'userinfo' = '%APPDATA%\recovery.txt'
Creates or modifies the following files:
  • %WINDIR%\win.ini
  • %WINDIR%\Tasks\How Recovery Files.txt
  • %WINDIR%\Tasks\SA.DAT
  • %WINDIR%\system.ini
Changes the following executable system files:
  • %WINDIR%\XXInstall\vminstall.exe
  • <SYSTEM32>\xenroll.dll
  • <SYSTEM32>\xcopy.exe
  • <SYSTEM32>\xactsrv.dll
  • <SYSTEM32>\wzcdlg.dll
  • <SYSTEM32>\wuweb.dll
  • <SYSTEM32>\wups.dll
  • <SYSTEM32>\wucltui.dll
  • <SYSTEM32>\XPSViewer\en-US\XPSViewer.exe.mui
  • %WINDIR%\srchasst\msgr3en.dll
  • <SYSTEM32>\wuauserv.dll
  • <SYSTEM32>\wuaueng1.dll
  • <SYSTEM32>\wuaueng.dll
  • <SYSTEM32>\wuaucpl.cpl
  • <SYSTEM32>\wuauclt1.exe
  • <SYSTEM32>\xm.dll
  • <SYSTEM32>\xmlprov.dll
  • <SYSTEM32>\xmlprovi.dll
  • <SYSTEM32>\xmlrtl60.bpl
  • <SYSTEM32>\xolehlp.dll
  • <SYSTEM32>\xpob2res.dll
  • <SYSTEM32>\xpsp1res.dll
  • <SYSTEM32>\xpsshhdr.dll
  • <SYSTEM32>\xpssvcs.dll
  • <SYSTEM32>\wupdmgr.exe
  • <SYSTEM32>\XPSViewer\XPSViewer.exe
  • <SYSTEM32>\zipfldr.dll
  • %WINDIR%\srchasst\srchctls.dll
  • %WINDIR%\srchasst\srchui.dll
  • %WINDIR%\system\WINSPOOL.DRV
  • %WINDIR%\TASKMAN.EXE
  • %WINDIR%\twain_32\wiatwain.ds
  • <SYSTEM32>\wuauclt.exe
  • <SYSTEM32>\wship6.dll
  • <SYSTEM32>\wmstream.dll
  • <SYSTEM32>\wstpager.ax
  • <SYSTEM32>\wpnpinst.exe
  • <SYSTEM32>\wpabaln.exe
  • %WINDIR%\Resources\Themes\Luna\Shell\NormalColor\shellstyle.dll
  • <SYSTEM32>\wowfaxui.dll
  • %WINDIR%\Resources\Themes\Luna\Shell\Metallic\shellstyle.dll
  • <SYSTEM32>\wowfax.dll
  • %WINDIR%\Resources\Themes\Luna\luna.msstyles
  • <SYSTEM32>\wuapi.dll
  • <SYSTEM32>\wmvds32.ax
  • <SYSTEM32>\wmvdmoe2.dll
  • <SYSTEM32>\wmvdmod.dll
  • <SYSTEM32>\wmvcore.dll
  • <SYSTEM32>\wmv8ds32.ax
  • %WINDIR%\regedit.exe
  • <SYSTEM32>\write.exe
  • <SYSTEM32>\wscntfy.exe
  • <SYSTEM32>\wscript.exe
  • <SYSTEM32>\wscui.cpl
  • <SYSTEM32>\wsecedit.dll
  • <SYSTEM32>\wshatm.dll
  • <SYSTEM32>\wshbth.dll
  • <SYSTEM32>\wshcon.dll
  • <SYSTEM32>\wshext.dll
  • %WINDIR%\twain_32.dll
  • <SYSTEM32>\wshisn.dll
  • <SYSTEM32>\wshnetbs.dll
  • %WINDIR%\sfk.exe
  • <SYSTEM32>\WshRm.dll
  • %WINDIR%\sleep.exe
  • <SYSTEM32>\wsnmp32.dll
  • <SYSTEM32>\wstdecod.dll
  • <SYSTEM32>\wstrenderer.ax
  • %WINDIR%\Resources\Themes\Luna\Shell\Homestead\shellstyle.dll
  • %WINDIR%\twunk_32.exe
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
  • %WINDIR%\XXInstall\ps.exe
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
  • %WINDIR%\XXInstall\hashdeep.exe
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
  • %WINDIR%\XXInstall\exdir.exe
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
  • %WINDIR%\XXInstall\events.exe
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
  • %WINDIR%\XXInstall\Scripts\antivm.exe
  • %WINDIR%\XXInstall\screen.exe
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcirt.dll
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\dxmrtp.dll
  • %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.dll
  • %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.Wrapper.dll
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll
  • %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\rtcres.dll
  • %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
  • %WINDIR%\XXInstall\devcon.exe
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
  • %WINDIR%\winhlp32.exe
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
  • %WINDIR%\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5\Microsoft.Workflow.Compiler.exe
  • %WINDIR%\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcm80.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
  • %WINDIR%\vmmreg32.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
  • %WINDIR%\XXInstall\cmdow.exe
  • <SYSTEM32>\wmspdmoe.dll
Infects the following executable files:
  • %ProgramFiles%\Windows Media Player\wmpns.dll
  • %ProgramFiles%\FireFox\updater.exe
  • %CommonProgramFiles%\Microsoft Shared\Speech\1033\spcplui.dll
  • %CommonProgramFiles%\Microsoft Shared\MSInfo\msinfo32.exe
  • <SYSTEM32>\xactsrv.dll
  • <SYSTEM32>\xcopy.exe
  • %CommonProgramFiles%\Microsoft Shared\Speech\sapi.cpl
  • %ProgramFiles%\FireFox\xpcom.dll
  • <SYSTEM32>\xenroll.dll
  • %ProgramFiles%\FireFox\xpcshell.exe
  • <ANALYSETOOLS_DIR>\XueTr_Cmd\PCHunter32.exe
  • %CommonProgramFiles%\Microsoft Shared\Speech\sapi.dll
  • <SYSTEM32>\xm.dll
  • %ProgramFiles%\FireFox\xpidl.exe
  • %CommonProgramFiles%\Microsoft Shared\Speech\sapisvr.exe
  • <SYSTEM32>\xmlprov.dll
  • %ProgramFiles%\FireFox\xpt_dump.exe
  • <SYSTEM32>\xmlprovi.dll
  • %CommonProgramFiles%\Microsoft Shared\TextConv\html32.cnv
  • <SYSTEM32>\xmlrtl60.bpl
  • %ProgramFiles%\FireFox\xpt_link.exe
  • %CommonProgramFiles%\Microsoft Shared\TextConv\msconv97.dll
  • <SYSTEM32>\xolehlp.dll
  • %CommonProgramFiles%\Microsoft Shared\TextConv\mswrd632.wpc
  • <SYSTEM32>\xpob2res.dll
  • <SYSTEM32>\xpsp1res.dll
  • %CommonProgramFiles%\Microsoft Shared\TextConv\mswrd832.cnv
  • %CommonProgramFiles%\Microsoft Shared\Triedit\DHTMLED.OCX
  • <SYSTEM32>\wzcdlg.dll
  • %CommonProgramFiles%\Microsoft Shared\MSInfo\IEINFO5.OCX
  • %CommonProgramFiles%\Microsoft Shared\DW\1033\DWINTL20.DLL
  • %CommonProgramFiles%\Microsoft Shared\DW\1031\DWINTL20.DLL
  • %CommonProgramFiles%\Microsoft Shared\DW\1036\DWINTL20.DLL
  • <SYSTEM32>\wuaueng.dll
  • <ANALYSETOOLS_DIR>\STracer\SimplyTracer.exe
  • %CommonProgramFiles%\Microsoft Shared\DW\1040\DWINTL20.DLL
  • %CommonProgramFiles%\Microsoft Shared\DW\2052\DWINTL20.DLL
  • %CommonProgramFiles%\Microsoft Shared\DW\1042\DWINTL20.DLL
  • %CommonProgramFiles%\Microsoft Shared\DW\1041\DWINTL20.DLL
  • %CommonProgramFiles%\Microsoft Shared\DW\3082\DWINTL20.DLL
  • %ProgramFiles%\FireFox\shlibsign.exe
  • <SYSTEM32>\wuaueng1.dll
  • %CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE
  • <ANALYSETOOLS_DIR>\XueTr_Cmd\XueTrCmd.exe
  • <SYSTEM32>\wuauserv.dll
  • %WINDIR%\srchasst\msgr3en.dll
  • %CommonProgramFiles%\Microsoft Shared\DW\DWDCW20.DLL
  • <SYSTEM32>\wucltui.dll
  • %CommonProgramFiles%\Microsoft Shared\DW\DWTRIG20.EXE
  • %CommonProgramFiles%\Microsoft Shared\DAO\dao360.dll
  • <SYSTEM32>\wupdmgr.exe
  • %ProgramFiles%\FireFox\softokn3.dll
  • %ProgramFiles%\FireFox\uninstall\helper.exe
  • <SYSTEM32>\wups.dll
  • %ProgramFiles%\FireFox\ssl3.dll
  • <SYSTEM32>\wuweb.dll
  • %CommonProgramFiles%\Microsoft Shared\Triedit\TRIEDIT.DLL
  • %CommonProgramFiles%\Microsoft Shared\TextConv\write32.wpc
  • <SYSTEM32>\xpsshhdr.dll
  • %CommonProgramFiles%\System\ado\msader15.dll
  • %CommonProgramFiles%\System\Ole DB\msdasql.dll
  • %CommonProgramFiles%\System\msadc\msadce.dll
  • %CommonProgramFiles%\System\Ole DB\msdasqlr.dll
  • %CommonProgramFiles%\System\msadc\msadcer.dll
  • %CommonProgramFiles%\System\Ole DB\msdatl3.dll
  • %CommonProgramFiles%\System\msadc\msadcf.dll
  • %WINDIR%\twain_32\wiatwain.ds
  • %CommonProgramFiles%\System\ado\msado15.dll
  • %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn.dll
  • %CommonProgramFiles%\System\Ole DB\msdatt.dll
  • %CommonProgramFiles%\System\ado\msado20.tlb
  • %CommonProgramFiles%\Microsoft Shared\web server extensions\40\bin\FP4AWEC.DLL
  • %WINDIR%\twain_32.dll
  • %CommonProgramFiles%\System\msadc\msadcfr.dll
  • %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn1.exe
  • %CommonProgramFiles%\System\Ole DB\msdaurl.dll
  • %CommonProgramFiles%\System\ado\msado21.tlb
  • %CommonProgramFiles%\System\msadc\msadco.dll
  • %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn2.exe
  • %CommonProgramFiles%\System\Ole DB\msxactps.dll
  • %CommonProgramFiles%\System\ado\msado25.tlb
  • %ProgramFiles%\Internet Explorer\Connection Wizard\icwdl.dll
  • %CommonProgramFiles%\System\msadc\msadcor.dll
  • %CommonProgramFiles%\System\Ole DB\msdasc.dll
  • %CommonProgramFiles%\System\Ole DB\msdaps.dll
  • %CommonProgramFiles%\Microsoft Shared\web server extensions\40\bin\fp4autl.dll
  • %WINDIR%\TASKMAN.EXE
  • %CommonProgramFiles%\Microsoft Shared\VC\msdia100.dll
  • %CommonProgramFiles%\System\Ole DB\MSDAPML.DLL
  • %CommonProgramFiles%\Microsoft Shared\VC\msdia80.dll
  • %CommonProgramFiles%\Microsoft Shared\VC\msdia90.dll
  • <SYSTEM32>\xpssvcs.dll
  • <SYSTEM32>\XPSViewer\en-US\XPSViewer.exe.mui
  • <ANALYSETOOLS_DIR>\XueTr_Cmd\PCHunter64.exe
  • <SYSTEM32>\XPSViewer\XPSViewer.exe
  • %CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll
  • <ANALYSETOOLS_DIR>\XueTr_Cmd\XueTr.dll
  • %CommonProgramFiles%\System\Ole DB\msdadc.dll
  • %CommonProgramFiles%\System\Ole DB\msdaenum.dll
  • %CommonProgramFiles%\System\Ole DB\msdaer.dll
  • %ProgramFiles%\FireFox\smime3.dll
  • <ANALYSETOOLS_DIR>\STracer\ollyext.dll
  • %WINDIR%\srchasst\srchctls.dll
  • <ANALYSETOOLS_DIR>\XueTr_Cmd\XueTrCmdOrig.exe
  • %CommonProgramFiles%\Microsoft Shared\Web Folders\MSONSEXT.DLL
  • %CommonProgramFiles%\System\Ole DB\MSDAIPP.DLL
  • %CommonProgramFiles%\System\Ole DB\msdaora.dll
  • %WINDIR%\srchasst\srchui.dll
  • <ANALYSETOOLS_DIR>\XueTr_Cmd\XueTrSDK.sys
  • %CommonProgramFiles%\Microsoft Shared\Web Folders\MSOWS409.DLL
  • %WINDIR%\system\WINSPOOL.DRV
  • <ANALYSE_DIR>\_kdump.sys_
  • %CommonProgramFiles%\System\Ole DB\msdaorar.dll
  • %CommonProgramFiles%\System\Ole DB\msdaosp.dll
  • <SYSTEM32>\zipfldr.dll
  • %CommonProgramFiles%\Microsoft Shared\DW\1028\DWINTL20.DLL
  • %CommonProgramFiles%\Microsoft Shared\DW\1025\DWINTL20.DLL
  • <SYSTEM32>\wuaucpl.cpl
  • %ProgramFiles%\FireFox\nsinstall.exe
  • %ProgramFiles%\FireFox\nspr4.dll
  • C:\Far2\Plugins\Network\Network.dll
  • %WINDIR%\Resources\Themes\Luna\Shell\Homestead\shellstyle.dll
  • %ProgramFiles%\FireFox\nss3.dll
  • %ProgramFiles%\FireFox\nssckbi.dll
  • <SYSTEM32>\wowfax.dll
  • %ProgramFiles%\FireFox\nssdbm3.dll
  • <ANALYSER.EXE>.1
  • <ANALYSETOOLS_DIR>\Angar2\custom_send.exe
  • %WINDIR%\Resources\Themes\Luna\Shell\Metallic\shellstyle.dll
  • %ProgramFiles%\FireFox\nssutil3.dll
  • C:\Far2\Plugins\TmpPanel\TmpPanel.dll
  • <ANALYSER.EXE>.2
  • <ANALYSETOOLS_DIR>\Angar2\tools\dumpe_\procdump32.exe
  • <SYSTEM32>\wowfaxui.dll
  • %ProgramFiles%\FireFox\plc4.dll
  • %ProgramFiles%\FireFox\plds4.dll
  • <ANALYSER.EXE>.3
  • %WINDIR%\Resources\Themes\Luna\Shell\NormalColor\shellstyle.dll
  • %ProgramFiles%\FireFox\plugin-container.exe
  • <ANALYSETOOLS_DIR>\Angar2\tools\dumpe_\procdump64.exe
  • <SYSTEM32>\wpabaln.exe
  • <SYSTEM32>\wpnpinst.exe
  • <ANALYSETOOLS_DIR>\Angar2\tools\th_\dns_serv.dll
  • %ProgramFiles%\FireFox\mozsqlite3.dll
  • %WINDIR%\Resources\Themes\Luna\luna.msstyles
  • %ProgramFiles%\FireFox\mozjs.dll
  • C:\Far2\Plugins\FileCase\FileCase.dll
  • C:\Far2\Plugins\Compare\Compare.dll
  • %WINDIR%\regedit.exe
  • <SYSTEM32>\wmv8ds32.ax
  • C:\Far2\Plugins\ExtSearch\esearch.dll
  • C:\Far2\Plugins\EditCase\EditCase.dll
  • C:\Far2\Plugins\DrawLine\DrawLine.dll
  • %ProgramFiles%\FireFox\AccessibleMarshal.dll
  • %ProgramFiles%\FireFox\crashreporter.exe
  • C:\Far2\Plugins\EMenu\EMenu.dll
  • <SYSTEM32>\wmvcore.dll
  • C:\Far2\Plugins\FTP\FarFtp.dll
  • <SYSTEM32>\wmvdmod.dll
  • C:\Far2\Plugins\FTP\lib\ftpProgress.fll
  • C:\Far2\Plugins\FTP\lib\ftpDirList.fll
  • <SYSTEM32>\wmvdmoe2.dll
  • %ProgramFiles%\FireFox\firefox.exe
  • C:\Far2\Plugins\FarCmds\FARCmds.dll
  • %ProgramFiles%\FireFox\freebl3.dll
  • %ProgramFiles%\FireFox\IA2Marshal.dll
  • <SYSTEM32>\wmvds32.ax
  • %ProgramFiles%\FireFox\js.exe
  • C:\Far2\Plugins\HlfViewer\HlfViewer.dll
  • %ProgramFiles%\FireFox\mangle.exe
  • %ProgramFiles%\FireFox\mozalloc.dll
  • C:\Far2\Plugins\ProcList\Proclist.dll
  • C:\Far2\Plugins\MacroView\MacroView.dll
  • %ProgramFiles%\Internet Explorer\Connection Wizard\icwhelp.dll
  • <ANALYSETOOLS_DIR>\DbgPrint\EchoDbg.exe
  • <SYSTEM32>\wscntfy.exe
  • <ANALYSE_DIR>\dwshield.sys
  • <ANALYSETOOLS_DIR>\File\regex2.dll
  • <SYSTEM32>\wstdecod.dll
  • <ANALYSETOOLS_DIR>\MyNCAP_\npptools.dll
  • <ANALYSETOOLS_DIR>\FileDisk\loaddrv.exe
  • <ANALYSETOOLS_DIR>\File\zlib1.dll
  • <SYSTEM32>\wstpager.ax
  • <SYSTEM32>\wstrenderer.ax
  • <ANALYSETOOLS_DIR>\MyNCAP_\Packet.dll
  • <ANALYSETOOLS_DIR>\KDump\kdump.sys
  • <APATH_PROCDUMP.EXE>
  • <ANALYSETOOLS_DIR>\MinArk\minark.exe
  • <APATH_LOADLIB.EXE>
  • <APATH_PROCDUMP.EXE>.1
  • <ANALYSETOOLS_DIR>\KDump\load.exe
  • <APATH_PROCDUMP.EXE>.2
  • <SYSTEM32>\wuapi.dll
  • <APATH_LOADLIB.EXE>_
  • <ANALYSETOOLS_DIR>\MinArk\phunter.sys
  • <APATH_PROCDUMP.EXE>.3
  • <SYSTEM32>\wuauclt.exe
  • <ANALYSETOOLS_DIR>\MyNCAP_\wpcap.dll
  • <ANALYSETOOLS_DIR>\MemDump\memdump2.exe
  • <ANALYSETOOLS_DIR>\NoExit\noexit.exe
  • <ANALYSETOOLS_DIR>\ProcDump\procdump64.exe
  • <SYSTEM32>\wuauclt1.exe
  • <SYSTEM32>\wsnmp32.dll
  • <ANALYSETOOLS_DIR>\MyNCAP_\myncap.exe
  • %WINDIR%\sleep.exe
  • <ANALYSETOOLS_DIR>\FileDisk\filedisk.sys
  • <ANALYSETOOLS_DIR>\BCode\bcode.exe
  • <ANALYSE_DIR>\muldrop.sys
  • <SYSTEM32>\wscript.exe
  • <ANALYSE_DIR>\muldrop_dbg.sys
  • <SYSTEM32>\wscui.cpl
  • C:\Far2\Plugins\WinSCP\WinSCP.dll
  • <ANALYSETOOLS_DIR>\DbgPrint\dbgprn.dll
  • <ANALYSETOOLS_DIR>\Angar2\tools\th_\thp.exe
  • <SYSTEM32>\wsecedit.dll
  • <SYSTEM32>\wshatm.dll
  • <ANALYSETOOLS_DIR>\DbgPrint\DbgPrnHk.sys
  • <SYSTEM32>\wshbth.dll
  • <SYSTEM32>\wmstream.dll
  • <APATH_DUMPER_NET.EXE>.1
  • <SYSTEM32>\wshcon.dll
  • <ANALYSETOOLS_DIR>\File\file.exe
  • <SYSTEM32>\wshext.dll
  • <ANALYSETOOLS_DIR>\MyNCAP_\kdump.exe
  • <SYSTEM32>\wship6.dll
  • <SYSTEM32>\wshisn.dll
  • <ANALYSETOOLS_DIR>\MyNCAP_\mpf.sys
  • <ANALYSETOOLS_DIR>\FileDisk\filedisk.exe
  • <SYSTEM32>\wshnetbs.dll
  • %WINDIR%\sfk.exe
  • <ANALYSETOOLS_DIR>\File\magic1.dll
  • <SYSTEM32>\WshRm.dll
  • <ANALYSETOOLS_DIR>\Angar2\tools\th_\http_serv.dll
  • <SYSTEM32>\write.exe
  • %CommonProgramFiles%\System\ado\msado26.tlb
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll
  • %ProgramFiles%\MSN\MSNCoreFiles\OOBE\obelog.dll
  • %ProgramFiles%\NetMeeting\nmcom.dll
  • %WINDIR%\XXInstall\ps.exe
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll
  • %WINDIR%\XXInstall\Scripts\antivm.exe
  • %ProgramFiles%\NetMeeting\nmft.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll
  • %WINDIR%\XXInstall\screen.exe
  • %ProgramFiles%\Movie Maker\WMM2RES.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
  • %ProgramFiles%\MSN\MSNCoreFiles\OOBE\obemetal.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.DataSetExtensions.dll
  • %ProgramFiles%\NetMeeting\nmoldwb.dll
  • %ProgramFiles%\MSN\MSNCoreFiles\OOBE\obemtllc.dll
  • %ProgramFiles%\NetMeeting\nmwb.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.Design.dll
  • %ProgramFiles%\Movie Maker\WMM2RES2.dll
  • %ProgramFiles%\MSN\MSNCoreFiles\OOBE\obepopc.dll
  • %ProgramFiles%\NetMeeting\rrcm.dll
  • %ProgramFiles%\NetMeeting\wb32.exe
  • %ProgramFiles%\Outlook Express\msimn.exe
  • %ProgramFiles%\Windows NT\Pinball\PINBALL.EXE
  • <STUBS_DIR>\test.exe
  • %ProgramFiles%\Windows Media Player\custsat.dll
  • %ProgramFiles%\Outlook Express\msoe.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll
  • %ProgramFiles%\Windows Media Player\migrate.exe
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.dll
  • %ProgramFiles%\NetMeeting\nmchat.dll
  • %WINDIR%\XXInstall\events.exe
  • %ProgramFiles%\NetMeeting\h323cc.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationProvider.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll
  • %ProgramFiles%\NetMeeting\MST120.DLL
  • %WINDIR%\XXInstall\exdir.exe
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll
  • %ProgramFiles%\NetMeeting\MST123.DLL
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
  • %WINDIR%\XXInstall\hashdeep.exe
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Net.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
  • %ProgramFiles%\NetMeeting\nac.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll
  • %ProgramFiles%\MSN\MSNCoreFiles\Install\msnsusii.exe
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll
  • %ProgramFiles%\NetMeeting\nmas.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Utilities.v3.5.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll
  • %ProgramFiles%\NetMeeting\nmasnt.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll
  • %ProgramFiles%\Windows Media Player\mplayer2.exe
  • %ProgramFiles%\Windows Media Player\mpvis.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll
  • %ProgramFiles%\Outlook Express\oemiglib.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll
  • %ProgramFiles%\Windows NT\Accessories\write.wpc
  • %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll
  • %ProgramFiles%\Outlook Express\setup50.exe
  • %ProgramFiles%\Outlook Express\wab.exe
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\rtcres.dll
  • %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
  • %ProgramFiles%\Windows NT\dialer.exe
  • %ProgramFiles%\Outlook Express\wabfind.dll
  • %ProgramFiles%\Windows Media Player\wmpband.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll
  • %ProgramFiles%\Windows NT\htrn_jis.dll
  • %ProgramFiles%\Outlook Express\wabimp.dll
  • %WINDIR%\XXInstall\vminstall.exe
  • %ProgramFiles%\Windows Media Player\wmplayer.exe
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll
  • %ProgramFiles%\Outlook Express\wabmig.exe
  • %ProgramFiles%\Windows NT\hypertrm.exe
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll
  • %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.Wrapper.dll
  • %ProgramFiles%\Windows NT\Accessories\wordpad.exe
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.Design.dll
  • %ProgramFiles%\Outlook Express\oemig50.exe
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll
  • %ProgramFiles%\Windows Media Player\npdrmv2.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Client.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Design.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Management.Instrumentation.dll
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcirt.dll
  • %ProgramFiles%\Windows Media Player\npdsplay.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll
  • %ProgramFiles%\Outlook Express\msoeres.dll
  • %ProgramFiles%\Windows NT\Accessories\mswrd6.wpc
  • %ProgramFiles%\Windows Media Player\npwmsdrm.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\dxmrtp.dll
  • %ProgramFiles%\Windows NT\Accessories\mswrd8.wpc
  • %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.dll
  • %ProgramFiles%\Outlook Express\oeimport.dll
  • %ProgramFiles%\Windows Media Player\setup_wm.exe
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClientsideProviders.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
  • %ProgramFiles%\Movie Maker\WMM2FXB.dll
  • %CommonProgramFiles%\System\directdb.dll
  • %ProgramFiles%\FireFox\xul.dll
  • %ProgramFiles%\Internet Explorer\Connection Wizard\trialoc.dll
  • %CommonProgramFiles%\System\wab32.dll
  • %ProgramFiles%\Internet Explorer\HMMAPI.DLL
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll
  • %CommonProgramFiles%\SpeechEngines\Microsoft\TTS\1033\spttseng.dll
  • %CommonProgramFiles%\SpeechEngines\Microsoft\spcommon.dll
  • %CommonProgramFiles%\System\wab32res.dll
  • %ProgramFiles%\Internet Explorer\iedw.exe
  • %ProgramFiles%\Internet Explorer\MUI\0409\mscorier.dll
  • %ProgramFiles%\Internet Explorer\IEXPLORE.EXE
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll
  • %WINDIR%\winhlp32.exe
  • %ProgramFiles%\Messenger\custsat.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Classic.dll
  • %WINDIR%\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
  • %ProgramFiles%\Messenger\msgsc.dll
  • %WINDIR%\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5\Microsoft.Workflow.Compiler.exe
  • %ProgramFiles%\Messenger\msgslang.dll
  • %ProgramFiles%\Messenger\msmsgs.exe
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
  • %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
  • %CommonProgramFiles%\System\Ole DB\sqlxmlx.rll
  • %CommonProgramFiles%\System\msadc\msdfmap.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll
  • %CommonProgramFiles%\System\Ole DB\sqlxmlx.dll
  • %CommonProgramFiles%\System\ado\msado27.tlb
  • %WINDIR%\twunk_32.exe
  • %CommonProgramFiles%\System\msadc\msadds.dll
  • %ProgramFiles%\Internet Explorer\Connection Wizard\icwres.dll
  • %CommonProgramFiles%\System\Ole DB\oledb32r.dll
  • %CommonProgramFiles%\System\ado\msadomd.dll
  • %ProgramFiles%\Internet Explorer\Connection Wizard\icwrmind.exe
  • %CommonProgramFiles%\System\msadc\msaddsr.dll
  • %CommonProgramFiles%\MSSoap\Binaries\mssoap1.dll
  • %ProgramFiles%\Internet Explorer\Connection Wizard\icwtutor.exe
  • %CommonProgramFiles%\System\ado\msador15.dll
  • %CommonProgramFiles%\System\msadc\msdaprsr.dll
  • %CommonProgramFiles%\System\ado\msadox.dll
  • %ProgramFiles%\Internet Explorer\Connection Wizard\icwutil.dll
  • %CommonProgramFiles%\MSSoap\Binaries\Resources\1033\mssoapr.dll
  • %CommonProgramFiles%\System\msadc\msdaprst.dll
  • %CommonProgramFiles%\System\Ole DB\sqloledb.dll
  • %CommonProgramFiles%\System\ado\msadrh15.dll
  • %CommonProgramFiles%\System\Ole DB\sqloledb.rll
  • %CommonProgramFiles%\System\msadc\msdarem.dll
  • %WINDIR%\vmmreg32.dll
  • %CommonProgramFiles%\System\ado\msjro.dll
  • %ProgramFiles%\Internet Explorer\Connection Wizard\inetwiz.exe
  • %CommonProgramFiles%\MSSoap\Binaries\wisc10.dll
  • %CommonProgramFiles%\System\msadc\msdaremr.dll
  • %ProgramFiles%\Internet Explorer\Connection Wizard\isignup.exe
  • %CommonProgramFiles%\System\msadc\msadcs.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcm80.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
  • %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
  • %ProgramFiles%\NetMeeting\cb32.exe
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
  • %ProgramFiles%\Movie Maker\WMM2FILT.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
  • %ProgramFiles%\NetMeeting\conf.exe
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
  • %WINDIR%\XXInstall\cmdow.exe
  • %ProgramFiles%\Movie Maker\WMM2FXA.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll
  • %WINDIR%\XXInstall\devcon.exe
  • %ProgramFiles%\NetMeeting\confmrsl.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClient.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
  • %ProgramFiles%\NetMeeting\dcap32.dll
  • %ProgramFiles%\Movie Maker\WMM2EXT.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll
  • %ProgramFiles%\NetMeeting\callcont.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Printing.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
  • %CommonProgramFiles%\System\Ole DB\oledb32.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
  • %ProgramFiles%\Movie Maker\moviemk.exe
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
  • %ProgramFiles%\Movie Maker\WMM2AE.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
  • %ProgramFiles%\Movie Maker\WMM2ERES.dll
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll
  • <SYSTEM32>\wmspdmoe.dll
Malicious functions:
To complicate detection of its presence in the operating system,
deletes volume shadow copies.
Modifies file system:
Creates the following files:
  • %TEMP%\tmp1.tmp
  • <SYSTEM32>\dllcache\wmm2ae.dll.new
  • <ANALYSETOOLS_DIR>\KDump\How Recovery Files.txt
  • <ANALYSETOOLS_DIR>\MinArk\miniark.log
  • C:\Muldrop\dmp_0x1a4_0x20000
  • C:\Muldrop\dmp_0x1a4_0x10000
  • <SYSTEM32>\dllcache\moviemk.exe.new
  • C:\Muldrop\dmp_0x1a0_0x30000
  • C:\Muldrop\dmp_0x1a0_0x20000
  • C:\Muldrop\dmp_0x1a0_0x10000
  • %CommonProgramFiles%\System\Ole DB\msdaurl.dll.new
  • %CommonProgramFiles%\System\msadc\msadcfr.dll.new
  • C:\Muldrop\dmp_0x194_0x30000
  • %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn1.exe.new
  • %CommonProgramFiles%\System\ado\msado20.tlb.new
  • <ANALYSETOOLS_DIR>\FileDisk\How Recovery Files.txt
  • <ANALYSETOOLS_DIR>\File\How Recovery Files.txt
  • C:\Muldrop\dmp_0x194_0x20000
  • <ANALYSETOOLS_DIR>\LoadLib\How Recovery Files.txt
  • %WINDIR%\twain_32.dll.new
  • C:\Muldrop\dmp_0x1a4_0x30000
  • C:\Muldrop\dmp_0x1b4_0x10000
  • %ProgramFiles%\Internet Explorer\Connection Wizard\icwdl.dll.new
  • C:\Muldrop\dmp_0x1b8_0x30000
  • %CommonProgramFiles%\System\ado\msado25.tlb.new
  • C:\Muldrop\dmp_0x1b8_0x20000
  • <ANALYSETOOLS_DIR>\ProcDump\How Recovery Files.txt
  • %CommonProgramFiles%\System\Ole DB\msxactps.dll.new
  • <ANALYSETOOLS_DIR>\NoExit\How Recovery Files.txt
  • C:\Muldrop\dmp_0x1b8_0x10000
  • <ANALYSETOOLS_DIR>\MemDump\How Recovery Files.txt
  • <ANALYSETOOLS_DIR>\MyNCAP_\How Recovery Files.txt
  • <ANALYSETOOLS_DIR>\MinArk\How Recovery Files.txt
  • <ANALYSETOOLS_DIR>\MinArk\validdrv.dat
  • %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn2.exe.new
  • C:\Muldrop\dmp_0x1b4_0x30000
  • %CommonProgramFiles%\System\msadc\msadco.dll.new
  • C:\Muldrop\dmp_0x1b4_0x20000
  • %CommonProgramFiles%\System\ado\msado21.tlb.new
  • <SYSTEM32>\dllcache\wmm2eres.dll.new
  • %CommonProgramFiles%\System\Ole DB\msdatt.dll.new
  • C:\Muldrop\dmp_0x194_0x10000
  • %CommonProgramFiles%\System\Ole DB\msdatl3.dll.new
  • %WINDIR%\system\winspool.drv.new
  • %CommonProgramFiles%\System\Ole DB\msdaora.dll.new
  • %WINDIR%\srchasst\srchui.dll.new
  • %WINDIR%\system\wfwnet.drv.new
  • %WINDIR%\srchasst\srchctls.dll.new
  • C:\Muldrop\88744D2A29102FC88ECF505DD2E984FC.npg_1
  • %CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll.new
  • %CommonProgramFiles%\System\Ole DB\msdaer.dll.new
  • <SYSTEM32>\zipfldr.dll.new
  • C:\Muldrop\88744D2A29102FC88ECF505DD2E984FC.npg_0
  • %WINDIR%\system\vga.drv.new
  • %CommonProgramFiles%\System\Ole DB\msdadc.dll.new
  • %WINDIR%\system\ver.dll.new
  • %WINDIR%\system\timer.drv.new
  • %WINDIR%\system\tapi.dll.new
  • %WINDIR%\SoftwareDistribution\DataStore\Logs\How Recovery Files.txt
  • %CommonProgramFiles%\System\Ole DB\msdaenum.dll.new
  • %CommonProgramFiles%\System\Ole DB\msdaorar.dll.new
  • %CommonProgramFiles%\System\Ole DB\msdaosp.dll.new
  • %CommonProgramFiles%\Microsoft Shared\web server extensions\40\bin\fp4autl.dll.new
  • %ProgramFiles%\FireFox\res\fonts\How Recovery Files.txt
  • %CommonProgramFiles%\System\msadc\msadcf.dll.new
  • C:\Muldrop\dmp_0x148_0x30000
  • %CommonProgramFiles%\System\msadc\msadcer.dll.new
  • %CommonProgramFiles%\System\ado\msado15.dll.new
  • %CommonProgramFiles%\System\Ole DB\msdasqlr.dll.new
  • C:\Muldrop\dmp_0x148_0x20000
  • %CommonProgramFiles%\System\msadc\msadcor.dll.new
  • %CommonProgramFiles%\System\Ole DB\msdasql.dll.new
  • C:\Muldrop\dmp_0x1bc_0x10000
  • %CommonProgramFiles%\System\ado\msader15.dll.new
  • %WINDIR%\twain.dll.new
  • %WINDIR%\SoftwareDistribution\How Recovery Files.txt
  • %CommonProgramFiles%\System\Ole DB\msdasc.dll.new
  • %ProgramFiles%\FireFox\res\html\How Recovery Files.txt
  • %CommonProgramFiles%\System\Ole DB\msdaps.dll.new
  • %WINDIR%\taskman.exe.new
  • %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn.dll.new
  • %WINDIR%\SoftwareDistribution\DataStore\How Recovery Files.txt
  • C:\Muldrop\dmp_0x148_0x10000
  • C:\Muldrop\npgdpnq.mph_5
  • %CommonProgramFiles%\System\msadc\msadce.dll.new
  • %CommonProgramFiles%\System\msadc\msadds.dll.new
  • %CommonProgramFiles%\System\msadc\msdarem.dll.new
  • %CommonProgramFiles%\System\ado\msadrh15.dll.new
  • <SYSTEM32>\dllcache\mst120.dll.new
  • <SYSTEM32>\dllcache\wmm2res.dll.new
  • %CommonProgramFiles%\Microsoft Shared\MSInfo\How Recovery Files.txt
  • %CommonProgramFiles%\Microsoft Shared\Speech\1033\How Recovery Files.txt
  • %CommonProgramFiles%\System\msadc\msdaprst.dll.new
  • %CommonProgramFiles%\System\ado\msadox.dll.new
  • %CommonProgramFiles%\MSSoap\Binaries\Resources\1033\mssoapr.dll.new
  • %ProgramFiles%\Internet Explorer\Connection Wizard\icwutil.dll.new
  • %CommonProgramFiles%\System\msadc\msdaprsr.dll.new
  • %CommonProgramFiles%\System\ado\msador15.dll.new
  • <SYSTEM32>\dllcache\h323cc.dll.new
  • %ProgramFiles%\Internet Explorer\Connection Wizard\icwtutor.exe.new
  • %CommonProgramFiles%\System\msadc\msaddsr.dll.new
  • %ProgramFiles%\FireFox\uninstall\How Recovery Files.txt
  • <SYSTEM32>\dllcache\dcap32.dll.new
  • %WINDIR%\vmmreg32.dll.new
  • %ProgramFiles%\Internet Explorer\Connection Wizard\icwrmind.exe.new
  • %CommonProgramFiles%\System\ado\msjro.dll.new
  • %CommonProgramFiles%\MSSoap\Binaries\wisc10.dll.new
  • <SYSTEM32>\dllcache\nmasnt.dll.new
  • C:\Muldrop\npgdpnq.mph_4
  • %CommonProgramFiles%\System\msadc\msdfmap.dll.new
  • %WINDIR%\Web\printers\images\How Recovery Files.txt
  • C:\Muldrop\npgdpnq.mph_3
  • %CommonProgramFiles%\System\Ole DB\sqlxmlx.dll.new
  • %CommonProgramFiles%\System\directdb.dll.new
  • C:\Muldrop\npgdpnq.mph_2
  • %ProgramFiles%\Internet Explorer\Connection Wizard\isignup.exe.new
  • %CommonProgramFiles%\Microsoft Shared\Stationery\How Recovery Files.txt
  • <SYSTEM32>\dllcache\nmas.dll.new
  • C:\Muldrop\npgdpnq.mph_1
  • %CommonProgramFiles%\Microsoft Shared\Speech\How Recovery Files.txt
  • %CommonProgramFiles%\System\msadc\msdaremr.dll.new
  • %ProgramFiles%\Internet Explorer\Connection Wizard\inetwiz.exe.new
  • C:\Muldrop\npgdpnq.mph_0
  • <SYSTEM32>\dllcache\nac.dll.new
  • <SYSTEM32>\dllcache\mst123.dll.new
  • %CommonProgramFiles%\MSSoap\Binaries\mssoap1.dll.new
  • <SYSTEM32>\dllcache\wmm2fxb.dll.new
  • %CommonProgramFiles%\System\ado\msadomd.dll.new
  • %CommonProgramFiles%\Microsoft Shared\DW\1033\How Recovery Files.txt
  • <SYSTEM32>\dllcache\cb32.exe.new
  • C:\Muldrop\dmp_0x88_0x30000
  • <SYSTEM32>\dllcache\wmm2ext.dll.new
  • %CommonProgramFiles%\System\msadc\msadcs.dll.new
  • %CommonProgramFiles%\System\ado\msado26.tlb.new
  • <SYSTEM32>\dllcache\callcont.dll.new
  • %WINDIR%\srchasst\chars\How Recovery Files.txt
  • %CommonProgramFiles%\Microsoft Shared\DW\1028\How Recovery Files.txt
  • %ProgramFiles%\FireFox\res\How Recovery Files.txt
  • C:\Muldrop\dmp_0x88_0x20000
  • %WINDIR%\twunk_16.exe.new
  • %CommonProgramFiles%\Microsoft Shared\DW\1025\How Recovery Files.txt
  • C:\Muldrop\dmp_0x88_0x10000
  • %ProgramFiles%\Internet Explorer\Connection Wizard\icwhelp.dll.new
  • <ANALYSETOOLS_DIR>\THP\www\How Recovery Files.txt
  • %CommonProgramFiles%\System\Ole DB\oledb32.dll.new
  • %CommonProgramFiles%\Microsoft Shared\DW\1031\How Recovery Files.txt
  • %CommonProgramFiles%\Microsoft Shared\DW\1036\How Recovery Files.txt
  • <SYSTEM32>\dllcache\wmm2filt.dll.new
  • <ANALYSETOOLS_DIR>\STracer\How Recovery Files.txt
  • %CommonProgramFiles%\Microsoft Shared\DAO\How Recovery Files.txt
  • %CommonProgramFiles%\Microsoft Shared\DW\How Recovery Files.txt
  • %CommonProgramFiles%\System\Ole DB\oledb32r.dll.new
  • <SYSTEM32>\dllcache\confmrsl.dll.new
  • %ProgramFiles%\Internet Explorer\Connection Wizard\icwres.dll.new
  • %WINDIR%\twunk_32.exe.new
  • C:\Muldrop\dmp_0x1bc_0x30000
  • <SYSTEM32>\dllcache\wmm2fxa.dll.new
  • C:\Muldrop\dmp_0x1bc_0x20000
  • %CommonProgramFiles%\Microsoft Shared\DW\3082\How Recovery Files.txt
  • %CommonProgramFiles%\Microsoft Shared\DW\1042\How Recovery Files.txt
  • %CommonProgramFiles%\Microsoft Shared\DW\2052\How Recovery Files.txt
  • <SYSTEM32>\dllcache\conf.exe.new
  • %CommonProgramFiles%\Microsoft Shared\DW\1040\How Recovery Files.txt
  • %ProgramFiles%\FireFox\searchplugins\How Recovery Files.txt
  • %CommonProgramFiles%\System\ado\msado27.tlb.new
  • C:\Muldrop\jogp.fyf_0
  • <ANALYSETOOLS_DIR>\THP\How Recovery Files.txt
  • %CommonProgramFiles%\Microsoft Shared\DW\1041\How Recovery Files.txt
  • <SYSTEM32>\dllcache\nmchat.dll.new
  • <SYSTEM32>\dllcache\winhlp32.exe.new
  • <ANALYSE_DIR>\PET-DUMP\How Recovery Files.txt
  • C:\Far2\Plugins\ExtSearch\sources\RegExp\How Recovery Files.txt
  • %ProgramFiles%\FireFox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\How Recovery Files.txt
  • <SYSTEM32>\dllcache\msdaprsr.dll.new
  • %CommonProgramFiles%\Microsoft Shared\MSInfo\msinfo32.exe.new
  • %CommonProgramFiles%\Microsoft Shared\Speech\1033\spcplui.dll.new
  • %ProgramFiles%\FireFox\defaults\profile\How Recovery Files.txt
  • %WINDIR%\system\avifile.dll.new
  • <SYSTEM32>\wuweb.dll.new
  • %ProgramFiles%\FireFox\modules\services-sync\How Recovery Files.txt
  • <SYSTEM32>\dllcache\msador15.dll.new
  • <SYSTEM32>\wzcdlg.dll.new
  • C:\Far2\Plugins\ExtSearch\sources\How Recovery Files.txt
  • %ProgramFiles%\FireFox\defaults\profile\chrome\How Recovery Files.txt
  • <SYSTEM32>\dllcache\icwtutor.exe.new
  • %ProgramFiles%\FireFox\defaults\pref\How Recovery Files.txt
  • <SYSTEM32>\dllcache\msaddsr.dll.new
  • %ProgramFiles%\FireFox\dictionaries\How Recovery Files.txt
  • C:\Far2\Plugins\EMenu\How Recovery Files.txt
  • %ProgramFiles%\FireFox\modules\services-crypto\How Recovery Files.txt
  • %CommonProgramFiles%\Microsoft Shared\MSInfo\ieinfo5.ocx.new
  • <SYSTEM32>\dllcache\mssoapr.dll.new
  • %WINDIR%\system\lzexpand.dll.new
  • <SYSTEM32>\xenroll.dll.new
  • %CommonProgramFiles%\Microsoft Shared\Speech\sapi.dll.new
  • <SYSTEM32>\dllcache\msadrh15.dll.new
  • %ProgramFiles%\FireFox\modules\How Recovery Files.txt
  • %WINDIR%\system\keyboard.drv.new
  • C:\Far2\Plugins\FTP\lib\How Recovery Files.txt
  • C:\Far2\Plugins\FarCmds\How Recovery Files.txt
  • <SYSTEM32>\xcopy.exe.new
  • %CommonProgramFiles%\Microsoft Shared\Speech\sapi.cpl.new
  • %WINDIR%\system\commdlg.dll.new
  • <ANALYSETOOLS_DIR>\Angar2\scripts\main.bin
  • <SYSTEM32>\xactsrv.dll.new
  • <SYSTEM32>\dllcache\msdaprst.dll.new
  • <SYSTEM32>\dllcache\msadox.dll.new
  • <SYSTEM32>\dllcache\icwutil.dll.new
  • <SYSTEM32>\dllcache\vmmreg32.dll.new
  • %ProgramFiles%\FireFox\modules\tabview\How Recovery Files.txt
  • %ProgramFiles%\Windows Media Player\mplayer2.exe.new
  • %ProgramFiles%\FireFox\defaults\autoconfig\How Recovery Files.txt
  • %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\update\How Recovery Files.txt
  • C:\Far2\Plugins\Compare\How Recovery Files.txt
  • <SYSTEM32>\dllcache\msado27.tlb.new
  • %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\profile\How Recovery Files.txt
  • C:\Far2\Plugins\ExtSearch\doc\How Recovery Files.txt
  • %WINDIR%\srchasst\msgr3en.dll.new
  • %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\plugins\How Recovery Files.txt
  • %ProgramFiles%\FireFox\modules\services-sync\engines\How Recovery Files.txt
  • %WINDIR%\system\avicap.dll.new
  • <SYSTEM32>\dllcache\msadcs.dll.new
  • <SYSTEM32>\dllcache\msado26.tlb.new
  • <SYSTEM32>\dllcache\oledb32.dll.new
  • C:\Far2\Plugins\Colorer\How Recovery Files.txt
  • C:\Far2\Plugins\Brackets\How Recovery Files.txt
  • C:\Far2\Plugins\AutoWrap\How Recovery Files.txt
  • <SYSTEM32>\dllcache\twunk_16.exe.new
  • %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\viewsource\How Recovery Files.txt
  • <SYSTEM32>\dllcache\msadds.dll.new
  • <SYSTEM32>\wuaueng1.dll.new
  • <SYSTEM32>\wuauserv.dll.new
  • C:\Far2\Plugins\ExtSearch\How Recovery Files.txt
  • <SYSTEM32>\dllcache\icwrmind.exe.new
  • <SYSTEM32>\wups.dll.new
  • C:\Far2\Plugins\DrawLine\How Recovery Files.txt
  • <SYSTEM32>\dllcache\msadomd.dll.new
  • C:\Far2\Plugins\EditCase\How Recovery Files.txt
  • %ProgramFiles%\FireFox\components\How Recovery Files.txt
  • <SYSTEM32>\wupdmgr.exe.new
  • C:\Far2\Plugins\MacroView\How Recovery Files.txt
  • %ProgramFiles%\FireFox\chrome\How Recovery Files.txt
  • <SYSTEM32>\dllcache\msdarem.dll.new
  • <SYSTEM32>\dllcache\oledb32r.dll.new
  • <SYSTEM32>\wucltui.dll.new
  • %CommonProgramFiles%\Microsoft Shared\DAO\dao360.dll.new
  • %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\xpinstall\How Recovery Files.txt
  • %ProgramFiles%\FireFox\modules\services-sync\ext\How Recovery Files.txt
  • <SYSTEM32>\dllcache\icwres.dll.new
  • <SYSTEM32>\dllcache\twunk_32.exe.new
  • %WINDIR%\Registration\How Recovery Files.txt
  • <SYSTEM32>\dllcache\mssoap1.dll.new
  • C:\Far2\Plugins\ExtSearch\keys\How Recovery Files.txt
  • <ANALYSETOOLS_DIR>\DbgPrint\How Recovery Files.txt
  • %WINDIR%\system\system.drv.new
  • C:\Far2\Plugins\HlfViewer\How Recovery Files.txt
  • %ProgramFiles%\FireFox\res\entityTables\How Recovery Files.txt
  • <SYSTEM32>\dllcache\spcommon.dll.new
  • %CommonProgramFiles%\Microsoft Shared\Triedit\triedit.dll.new
  • %WINDIR%\system\olesvr.dll.new
  • <ANALYSE_DIR>\PET-DUMP\0B3C_pet_cmd.exe
  • <SYSTEM32>\dllcache\spttseng.dll.new
  • C:\Far2\PluginSDK\Headers.c\How Recovery Files.txt
  • <SYSTEM32>\dllcache\trialoc.dll.new
  • <APATH_DUMPS_DIR>\How Recovery Files.txt
  • %WINDIR%\system\olecli.dll.new
  • %CommonProgramFiles%\Microsoft Shared\Triedit\dhtmled.ocx.new
  • <SYSTEM32>\xpsp1res.dll.new
  • <SYSTEM32>\dllcache\r1033tts.lxa.new
  • <SYSTEM32>\dllcache\sam.spd.new
  • %WINDIR%\system\msvideo.dll.new
  • C:\Far2\Plugins\WinSCP\How Recovery Files.txt
  • C:\Far2\PluginSDK\Headers.pas\How Recovery Files.txt
  • <ANALYSE_DIR>\PET-DUMP\0B44_pet_vssadmin.exe
  • %WINDIR%\system\mouse.drv.new
  • <SYSTEM32>\dllcache\wab32.dll.new
  • <SYSTEM32>\dllcache\ltts1033.lxa.new
  • <SYSTEM32>\dllcache\iexplore.exe.new
  • <ANALYSE_DIR>\PET-DUMP\0B84_pet_SCHTASKS.exe
  • <ANALYSETOOLS_DIR>\BCode\script\How Recovery Files.txt
  • %WINDIR%\system\stdole.tlb.new
  • %WINDIR%\security\templates\How Recovery Files.txt
  • %WINDIR%\system\sound.drv.new
  • <SYSTEM32>\dllcache\iedw.exe.new
  • C:\Far2\How Recovery Files.txt
  • <ANALYSE_DIR>\PET-DUMP\0B64_pet_cmd.exe
  • <ANALYSETOOLS_DIR>\Angar2\tools\th_\How Recovery Files.txt
  • %WINDIR%\system\shell.dll.new
  • <ANALYSETOOLS_DIR>\Angar2\tools\th_\www\How Recovery Files.txt
  • <ANALYSETOOLS_DIR>\BCode\How Recovery Files.txt
  • <SYSTEM32>\dllcache\wab32res.dll.new
  • %WINDIR%\srchasst\nls302en.lex.new
  • <SYSTEM32>\dllcache\winhelp.exe.new
  • <ANALYSETOOLS_DIR>\DumpNet\How Recovery Files.txt
  • <ANALYSE_DIR>\PET-DUMP\0B50_pet_cmd.exe
  • <SYSTEM32>\xpob2res.dll.new
  • %WINDIR%\system\mciwave.drv.new
  • <ANALYSE_DIR>\DWS-DUMP\0B84_dws_SCHTASKS.exe
  • <ANALYSE_DIR>\DWS-DUMP\0B3C_dws_cmd.exe
  • <ANALYSETOOLS_DIR>\Angar2\How Recovery Files.txt
  • <ANALYSETOOLS_DIR>\Angar2\scripts\How Recovery Files.txt
  • <SYSTEM32>\dllcache\inetwiz.exe.new
  • <SYSTEM32>\xmlprov.dll.new
  • %WINDIR%\Resources\Themes\Luna\Shell\Homestead\How Recovery Files.txt
  • <SYSTEM32>\dllcache\hmmapi.dll.new
  • C:\Far2\Plugins\Network\How Recovery Files.txt
  • C:\Far2\Plugins\ProcList\How Recovery Files.txt
  • %CommonProgramFiles%\Microsoft Shared\Speech\sapisvr.exe.new
  • %WINDIR%\system\mciseq.drv.new
  • <SYSTEM32>\dllcache\wisc10.dll.new
  • %WINDIR%\system\mciavi.drv.new
  • C:\Far2\Plugins\FTP\How Recovery Files.txt
  • C:\Far2\Plugins\TmpPanel\How Recovery Files.txt
  • <SYSTEM32>\dllcache\isignup.exe.new
  • %WINDIR%\Resources\Themes\Luna\How Recovery Files.txt
  • <SYSTEM32>\dllcache\msdaremr.dll.new
  • %WINDIR%\Resources\Themes\Luna\Shell\Metallic\How Recovery Files.txt
  • <ANALYSE_DIR>\DWS-DUMP\0B44_dws_vssadmin.exe
  • %WINDIR%\system\mmsystem.dll.new
  • %ProgramFiles%\FireFox\res\dtd\How Recovery Files.txt
  • %WINDIR%\security\logs\How Recovery Files.txt
  • <SYSTEM32>\xolehlp.dll.new
  • %WINDIR%\security\Database\How Recovery Files.txt
  • %WINDIR%\system\mmtask.tsk.new
  • <SYSTEM32>\dllcache\msjro.dll.new
  • <SYSTEM32>\dllcache\msdfmap.dll.new
  • %WINDIR%\Resources\Themes\How Recovery Files.txt
  • C:\Far2\Plugins\FileCase\How Recovery Files.txt
  • <SYSTEM32>\dllcache\sqlxmlx.dll.new
  • <ANALYSETOOLS_DIR>\Angar2\tools\dumpe_\How Recovery Files.txt
  • <ANALYSE_DIR>\DWS-DUMP\0B50_dws_cmd.exe
  • %WINDIR%\repair\How Recovery Files.txt
  • %WINDIR%\Resources\Themes\Luna\Shell\NormalColor\How Recovery Files.txt
  • <SYSTEM32>\xmlprovi.dll.new
  • <ANALYSE_DIR>\DWS-DUMP\0B64_dws_cmd.exe
  • <SYSTEM32>\dllcache\sam.sdf.new
  • <ANALYSE_DIR>\DWS-DUMP\How Recovery Files.txt
  • <SYSTEM32>\dllcache\directdb.dll.new
  • <SYSTEM32>\dllcache\nmcom.dll.new
  • %CommonProgramFiles%\SpeechEngines\Microsoft\TTS\1033\sam.sdf.new
  • %CommonProgramFiles%\SpeechEngines\Microsoft\Lexicon\1033\ltts1033.lxa.new
  • <STUBS_DIR>\GUARD\How Recovery Files.txt
  • <STUBS_DIR>\GVOnline\How Recovery Files.txt
  • <STUBS_DIR>\googletalk\How Recovery Files.txt
  • <STUBS_DIR>\ge\How Recovery Files.txt
  • <STUBS_DIR>\gc\How Recovery Files.txt
  • <STUBS_DIR>\fsavgui\How Recovery Files.txt
  • <STUBS_DIR>\fsavaui\How Recovery Files.txt
  • <STUBS_DIR>\fsav32\How Recovery Files.txt
  • %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\How Recovery Files.txt
  • <STUBS_DIR>\firefox\How Recovery Files.txt
  • <STUBS_DIR>\fsav\How Recovery Files.txt
  • <STUBS_DIR>\el_cli\How Recovery Files.txt
  • <STUBS_DIR>\elementclient\How Recovery Files.txt
  • <STUBS_DIR>\elbank\How Recovery Files.txt
  • <STUBS_DIR>\ekrn\How Recovery Files.txt
  • <STUBS_DIR>\egni\How Recovery Files.txt
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\How Recovery Files.txt
  • <STUBS_DIR>\ecmd\How Recovery Files.txt
  • <STUBS_DIR>\inbank-start-ff\How Recovery Files.txt
  • <STUBS_DIR>\ICQ\How Recovery Files.txt
  • <STUBS_DIR>\maplestory\How Recovery Files.txt
  • <STUBS_DIR>\magent\How Recovery Files.txt
  • <STUBS_DIR>\lotroclient\How Recovery Files.txt
  • <STUBS_DIR>\loadmain\How Recovery Files.txt
  • <STUBS_DIR>\lin\How Recovery Files.txt
  • %ProgramFiles%\MSN\MSNCoreFiles\Install\How Recovery Files.txt
  • <STUBS_DIR>\java\How Recovery Files.txt
  • <STUBS_DIR>\l2\How Recovery Files.txt
  • <STUBS_DIR>\javaw\How Recovery Files.txt
  • <STUBS_DIR>\kb_cli\How Recovery Files.txt
  • <STUBS_DIR>\iscc\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\How Recovery Files.txt
  • <STUBS_DIR>\intpro\How Recovery Files.txt
  • <STUBS_DIR>\ISClient\How Recovery Files.txt
  • <STUBS_DIR>\InphaseNXD\How Recovery Files.txt
  • <STUBS_DIR>\iexplore\How Recovery Files.txt
  • <STUBS_DIR>\httplook\How Recovery Files.txt
  • <STUBS_DIR>\Drwebupw\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\How Recovery Files.txt
  • <STUBS_DIR>\Drwebwcl\How Recovery Files.txt
  • <STUBS_DIR>\bclient\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\How Recovery Files.txt
  • <STUBS_DIR>\BBClient\How Recovery Files.txt
  • <STUBS_DIR>\bankcl\How Recovery Files.txt
  • <STUBS_DIR>\AVSYNMGR\How Recovery Files.txt
  • <STUBS_DIR>\AVPCC\How Recovery Files.txt
  • <STUBS_DIR>\AVPM\How Recovery Files.txt
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\How Recovery Files.txt
  • <STUBS_DIR>\AVP32\How Recovery Files.txt
  • <STUBS_DIR>\AVGCTRL\How Recovery Files.txt
  • <STUBS_DIR>\AVGCC32\How Recovery Files.txt
  • <STUBS_DIR>\avgcc\How Recovery Files.txt
  • <STUBS_DIR>\ashAvSrv\How Recovery Files.txt
  • <STUBS_DIR>\ageofconan\How Recovery Files.txt
  • <STUBS_DIR>\aion\How Recovery Files.txt
  • <STUBS_DIR>\bc_loader\How Recovery Files.txt
  • <STUBS_DIR>\bdagent\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\How Recovery Files.txt
  • <STUBS_DIR>\cabalmain\How Recovery Files.txt
  • <STUBS_DIR>\bdsubmit\How Recovery Files.txt
  • <STUBS_DIR>\Drweb32w\How Recovery Files.txt
  • <STUBS_DIR>\drweb\How Recovery Files.txt
  • <STUBS_DIR>\dekaron\How Recovery Files.txt
  • <STUBS_DIR>\contactNG\How Recovery Files.txt
  • <STUBS_DIR>\dnf\How Recovery Files.txt
  • <STUBS_DIR>\clntw32\How Recovery Files.txt
  • <STUBS_DIR>\client7\How Recovery Files.txt
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\How Recovery Files.txt
  • <STUBS_DIR>\clbank\How Recovery Files.txt
  • <STUBS_DIR>\ash\How Recovery Files.txt
  • <STUBS_DIR>\ClamWin\How Recovery Files.txt
  • <STUBS_DIR>\ccapp\How Recovery Files.txt
  • <STUBS_DIR>\cbsmain\How Recovery Files.txt
  • <STUBS_DIR>\cbmain\How Recovery Files.txt
  • <STUBS_DIR>\cbank\How Recovery Files.txt
  • <STUBS_DIR>\bk\How Recovery Files.txt
  • <STUBS_DIR>\bdss\How Recovery Files.txt
  • <STUBS_DIR>\clmain\How Recovery Files.txt
  • <STUBS_DIR>\drweb386\How Recovery Files.txt
  • <STUBS_DIR>\chrome\How Recovery Files.txt
  • <STUBS_DIR>\AVP\How Recovery Files.txt
  • <STUBS_DIR>\Mir3Game\How Recovery Files.txt
  • <STUBS_DIR>\nod\How Recovery Files.txt
  • <STUBS_DIR>\wow\How Recovery Files.txt
  • <STUBS_DIR>\woool\How Recovery Files.txt
  • <STUBS_DIR>\winbaram\How Recovery Files.txt
  • <STUBS_DIR>\webmoney\How Recovery Files.txt
  • <STUBS_DIR>\wclnt\How Recovery Files.txt
  • <STUBS_DIR>\UniStream\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\How Recovery Files.txt
  • <STUBS_DIR>\TwelveSky2\How Recovery Files.txt
  • <STUBS_DIR>\trillian\How Recovery Files.txt
  • <STUBS_DIR>\translink\How Recovery Files.txt
  • <STUBS_DIR>\tiny\How Recovery Files.txt
  • %ProgramFiles%\Windows Media Player\Skins\How Recovery Files.txt
  • <STUBS_DIR>\How Recovery Files.txt
  • %ProgramFiles%\Windows NT\Accessories\How Recovery Files.txt
  • <STUBS_DIR>\wsm\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\How Recovery Files.txt
  • %ProgramFiles%\Outlook Express\How Recovery Files.txt
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\How Recovery Files.txt
  • %APPDATA%\info.exe
  • %TEMP%\tmp2.tmp
  • %TEMP%\tmp3.tmp
  • %TEMP%\tmp4.tmp
  • %APPDATA%\recovery.txt
  • C:\How Recovery Files.txt
  • %WINDIR%\How Recovery Files.txt
  • <STUBS_DIR>\ZONEALARM\How Recovery Files.txt
  • <STUBS_DIR>\__cd75efb816b2cc__\How Recovery Files.txt
  • <STUBS_DIR>\zlclient\How Recovery Files.txt
  • <STUBS_DIR>\ZZ__cd75efb816b2cc__\How Recovery Files.txt
  • <STUBS_DIR>\zapro\How Recovery Files.txt
  • <STUBS_DIR>\YahooMessenger\How Recovery Files.txt
  • %ProgramFiles%\Windows Media Player\How Recovery Files.txt
  • C:\RECYCLER\S-1-5-21-2052111302-484763869-725345543-1003\How Recovery Files.txt
  • %ProgramFiles%\Windows NT\How Recovery Files.txt
  • <STUBS_DIR>\ybclient\How Recovery Files.txt
  • %ProgramFiles%\Windows NT\Pinball\How Recovery Files.txt
  • %WINDIR%\XXInstall\Scripts\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\How Recovery Files.txt
  • %ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\How Recovery Files.txt
  • <STUBS_DIR>\qip\How Recovery Files.txt
  • <STUBS_DIR>\putty\How Recovery Files.txt
  • <STUBS_DIR>\pidgin\How Recovery Files.txt
  • <STUBS_DIR>\outpost\How Recovery Files.txt
  • <STUBS_DIR>\opera\How Recovery Files.txt
  • <STUBS_DIR>\oncbcli\How Recovery Files.txt
  • <STUBS_DIR>\ntvdm\How Recovery Files.txt
  • %WINDIR%\XXInstall\How Recovery Files.txt
  • <STUBS_DIR>\nod32\How Recovery Files.txt
  • <STUBS_DIR>\netxray\How Recovery Files.txt
  • <STUBS_DIR>\NAVAPW32\How Recovery Files.txt
  • <STUBS_DIR>\miranda32\How Recovery Files.txt
  • <STUBS_DIR>\msn6\How Recovery Files.txt
  • <STUBS_DIR>\msnmsgr\How Recovery Files.txt
  • <STUBS_DIR>\mpftray\How Recovery Files.txt
  • %ProgramFiles%\Movie Maker\How Recovery Files.txt
  • <STUBS_DIR>\Ragexe\How Recovery Files.txt
  • <STUBS_DIR>\RagFree\How Recovery Files.txt
  • <STUBS_DIR>\rclient\How Recovery Files.txt
  • %ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\How Recovery Files.txt
  • <STUBS_DIR>\sro_client\How Recovery Files.txt
  • <STUBS_DIR>\MCAGENT\How Recovery Files.txt
  • <STUBS_DIR>\startclient7\How Recovery Files.txt
  • <STUBS_DIR>\ashAvast\How Recovery Files.txt
  • <STUBS_DIR>\spidernt\How Recovery Files.txt
  • <STUBS_DIR>\skype\How Recovery Files.txt
  • <STUBS_DIR>\sgbclient\How Recovery Files.txt
  • <STUBS_DIR>\safari\How Recovery Files.txt
  • %ProgramFiles%\NetMeeting\How Recovery Files.txt
  • %ProgramFiles%\Online Services\How Recovery Files.txt
  • %ProgramFiles%\MSN\MSNCoreFiles\OOBE\How Recovery Files.txt
  • <STUBS_DIR>\smc\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\How Recovery Files.txt
  • <STUBS_DIR>\so3d\How Recovery Files.txt
  • <STUBS_DIR>\gw\How Recovery Files.txt
  • <STUBS_DIR>\360tray\How Recovery Files.txt
  • <SYSTEM32>\dllcache\wabmig.exe.new
  • <SYSTEM32>\dllcache\htrn_jis.dll.new
  • <SYSTEM32>\dllcache\wabimp.dll.new
  • <SYSTEM32>\dllcache\wabfind.dll.new
  • <SYSTEM32>\dllcache\wmpband.dll.new
  • <SYSTEM32>\dllcache\dialer.exe.new
  • <SYSTEM32>\dllcache\wab.exe.new
  • %WINDIR%\Temp\How Recovery Files.txt
  • <SYSTEM32>\dllcache\setup50.exe.new
  • <SYSTEM32>\dllcache\oemiglib.dll.new
  • %CommonProgramFiles%\Microsoft Shared\web server extensions\40\bin\1033\How Recovery Files.txt
  • <SYSTEM32>\dllcache\wordpad.exe.new
  • %CommonProgramFiles%\Microsoft Shared\Web Folders\How Recovery Files.txt
  • <ANALYSE_DIR>\How Recovery Files.txt
  • <SYSTEM32>\dllcache\oemig50.exe.new
  • %WINDIR%\system\How Recovery Files.txt
  • %WINDIR%\twain_32\How Recovery Files.txt
  • <SYSTEM32>\dllcache\wmpns.dll.new
  • <SYSTEM32>\dllcache\wmplayer.exe.new
  • <SYSTEM32>\dllcache\oeimport.dll.new
  • <ANALYSETOOLS_DIR>\XueTr_Cmd\How Recovery Files.txt
  • %WINDIR%\srchasst\How Recovery Files.txt
  • %ProgramFiles%\NetMeeting\h323cc.dll.new
  • %ProgramFiles%\NetMeeting\dcap32.dll.new
  • C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\fifo.log
  • %ProgramFiles%\Movie Maker\wmm2fxb.dll.new
  • C:\Muldrop\unq2.unq_0
  • %ProgramFiles%\NetMeeting\confmrsl.dll.new
  • %ProgramFiles%\Movie Maker\wmm2fxa.dll.new
  • %ProgramFiles%\NetMeeting\conf.exe.new
  • C:\Muldrop\unq1.unq_0
  • %ProgramFiles%\Movie Maker\wmm2filt.dll.new
  • %ProgramFiles%\NetMeeting\cb32.exe.new
  • %ProgramFiles%\Movie Maker\wmm2ext.dll.new
  • %ProgramFiles%\NetMeeting\callcont.dll.new
  • %CommonProgramFiles%\Microsoft Shared\web server extensions\40\bin\How Recovery Files.txt
  • %ProgramFiles%\Movie Maker\wmm2eres.dll.new
  • %ProgramFiles%\Movie Maker\moviemk.exe.new
  • %CommonProgramFiles%\MSSoap\Binaries\Resources\1033\How Recovery Files.txt
  • %ProgramFiles%\Movie Maker\wmm2ae.dll.new
  • <SYSTEM32>\dllcache\setup_wm.exe.new
  • %CommonProgramFiles%\Microsoft Shared\TextConv\How Recovery Files.txt
  • <SYSTEM32>\dllcache\npdsplay.dll.new
  • %CommonProgramFiles%\System\wab32res.dll.new
  • %WINDIR%\winhelp.exe.new
  • %ProgramFiles%\Internet Explorer\hmmapi.dll.new
  • %CommonProgramFiles%\SpeechEngines\Microsoft\spcommon.dll.new
  • <SYSTEM32>\dllcache\wmm2res2.dll.new
  • %WINDIR%\srchasst\mui\0409\How Recovery Files.txt
  • %ProgramFiles%\NetMeeting\mst123.dll.new
  • %CommonProgramFiles%\SpeechEngines\Microsoft\TTS\1033\spttseng.dll.new
  • <SYSTEM32>\dllcache\nmwb.dll.new
  • <SYSTEM32>\dllcache\nmoldwb.dll.new
  • %CommonProgramFiles%\SpeechEngines\Microsoft\Lexicon\1033\r1033tts.lxa.new
  • <SYSTEM32>\dllcache\nmft.dll.new
  • %CommonProgramFiles%\SpeechEngines\Microsoft\TTS\1033\sam.spd.new
  • %CommonProgramFiles%\System\wab32.dll.new
  • <SYSTEM32>\dllcache\wb32.exe.new
  • %ProgramFiles%\Internet Explorer\iedw.exe.new
  • %ProgramFiles%\Internet Explorer\Connection Wizard\trialoc.dll.new
  • <SYSTEM32>\dllcache\rrcm.dll.new
  • %CommonProgramFiles%\Microsoft Shared\Triedit\How Recovery Files.txt
  • <SYSTEM32>\dllcache\msimn.exe.new
  • <SYSTEM32>\dllcache\pinball.exe.new
  • <SYSTEM32>\dllcache\npdrmv2.dll.new
  • <SYSTEM32>\XPSViewer\How Recovery Files.txt
  • <SYSTEM32>\dllcache\mpvis.dll.new
  • %CommonProgramFiles%\Microsoft Shared\VGX\How Recovery Files.txt
  • <SYSTEM32>\dllcache\msoeres.dll.new
  • %WINDIR%\Web\Wallpaper\How Recovery Files.txt
  • <SYSTEM32>\dllcache\mplayer2.exe.new
  • %WINDIR%\winhlp32.exe.new
  • %ProgramFiles%\Movie Maker\wmm2res.dll.new
  • %CommonProgramFiles%\Microsoft Shared\VC\How Recovery Files.txt
  • <SYSTEM32>\dllcache\migrate.exe.new
  • <SYSTEM32>\dllcache\custsat.dll.new
  • %ProgramFiles%\Internet Explorer\iexplore.exe.new
  • %WINDIR%\Web\printers\How Recovery Files.txt
  • <SYSTEM32>\dllcache\msoe.dll.new
  • <SYSTEM32>\XPSViewer\en-US\How Recovery Files.txt
  • <SYSTEM32>\How Recovery Files.txt
  • <SYSTEM32>\dllcache\npwmsdrm.dll.new
  • %WINDIR%\Web\How Recovery Files.txt
  • %ProgramFiles%\NetMeeting\mst120.dll.new
  • %ProgramFiles%\NetMeeting\nac.dll.new
  • %ProgramFiles%\Movie Maker\Shared\How Recovery Files.txt
  • %ProgramFiles%\Windows Media Player\wmpns.dll.new
  • %WINDIR%\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_6595b64144ccf1df_x-ww_c7b7206f\How Recovery Files.txt
  • %ProgramFiles%\Outlook Express\wabmig.exe.new
  • %ProgramFiles%\Windows Media Player\wmplayer.exe.new
  • %ProgramFiles%\Windows NT\htrn_jis.dll.new
  • %ProgramFiles%\Outlook Express\wabimp.dll.new
  • %ProgramFiles%\Outlook Express\wabfind.dll.new
  • %ProgramFiles%\Windows Media Player\wmpband.dll.new
  • %ProgramFiles%\Windows NT\dialer.exe.new
  • %ProgramFiles%\Outlook Express\wab.exe.new
  • %ProgramFiles%\Outlook Express\setup50.exe.new
  • %ProgramFiles%\Outlook Express\oemiglib.dll.new
  • %ProgramFiles%\Windows NT\Accessories\wordpad.exe.new
  • %WINDIR%\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510\How Recovery Files.txt
  • %WINDIR%\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_x-ww_362e60dd\How Recovery Files.txt
  • %ProgramFiles%\Microsoft.NET\RedistList\How Recovery Files.txt
  • %WINDIR%\WinSxS\Policies\x86_policy.7.0.Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_x-ww_a317e4b3\How Recovery Files.txt
  • %WINDIR%\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\How Recovery Files.txt
  • %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_x-ww_5f0bbcff\How Recovery Files.txt
  • %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\How Recovery Files.txt
  • %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_x-ww_4ee8bb30\How Recovery Files.txt
  • %ProgramFiles%\Movie Maker\Shared\Profiles\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\How Recovery Files.txt
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\How Recovery Files.txt
  • %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_x-ww_6ad67377\How Recovery Files.txt
  • %ProgramFiles%\Outlook Express\oemig50.exe.new
  • <SYSTEM32>\wuaueng.dll.new
  • %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\How Recovery Files.txt
  • %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_x-ww_b8438ace\How Recovery Files.txt
  • %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_x-ww_9e7eb501\How Recovery Files.txt
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\How Recovery Files.txt
  • %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\How Recovery Files.txt
  • %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_x-ww_7d81c9f9\How Recovery Files.txt
  • %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_x-ww_0f75c32e\How Recovery Files.txt
  • %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_x-ww_caeee150\How Recovery Files.txt
  • %ProgramFiles%\Movie Maker\MUI\0409\How Recovery Files.txt
  • %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\How Recovery Files.txt
  • %WINDIR%\pss\How Recovery Files.txt
  • %WINDIR%\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\How Recovery Files.txt
  • %WINDIR%\WinSxS\Manifests\How Recovery Files.txt
  • %ProgramFiles%\Movie Maker\wmm2res2.dll.new
  • %ProgramFiles%\Internet Explorer\Connection Wizard\How Recovery Files.txt
  • %CommonProgramFiles%\SpeechEngines\Microsoft\Lexicon\1033\How Recovery Files.txt
  • %CommonProgramFiles%\Services\How Recovery Files.txt
  • %ProgramFiles%\NetMeeting\nmwb.dll.new
  • %ProgramFiles%\NetMeeting\nmoldwb.dll.new
  • %ProgramFiles%\Messenger\How Recovery Files.txt
  • %ProgramFiles%\NetMeeting\nmft.dll.new
  • %CommonProgramFiles%\System\Ole DB\How Recovery Files.txt
  • %ProgramFiles%\NetMeeting\nmchat.dll.new
  • %CommonProgramFiles%\System\msadc\How Recovery Files.txt
  • %ProgramFiles%\NetMeeting\nmasnt.dll.new
  • %CommonProgramFiles%\MSSoap\Binaries\How Recovery Files.txt
  • %ProgramFiles%\NetMeeting\nmas.dll.new
  • %CommonProgramFiles%\System\ado\How Recovery Files.txt
  • C:\Muldrop\How Recovery Files.txt
  • %ProgramFiles%\NetMeeting\nmcom.dll.new
  • %ProgramFiles%\NetMeeting\rrcm.dll.new
  • %ProgramFiles%\NetMeeting\wb32.exe.new
  • %ProgramFiles%\Outlook Express\msimn.exe.new
  • %CommonProgramFiles%\SpeechEngines\Microsoft\TTS\1033\How Recovery Files.txt
  • %ProgramFiles%\Windows Media Player\setup_wm.exe.new
  • %ProgramFiles%\Windows Media Player\npwmsdrm.dll.new
  • %ProgramFiles%\Windows Media Player\npdsplay.dll.new
  • %ProgramFiles%\Windows Media Player\npdrmv2.dll.new
  • %ProgramFiles%\Windows Media Player\mpvis.dll.new
  • %ProgramFiles%\Outlook Express\msoeres.dll.new
  • %WINDIR%\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac\How Recovery Files.txt
  • %ProgramFiles%\Internet Explorer\SIGNUP\How Recovery Files.txt
  • %WINDIR%\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5\How Recovery Files.txt
  • %ProgramFiles%\Internet Explorer\How Recovery Files.txt
  • %ProgramFiles%\Internet Explorer\MUI\0409\How Recovery Files.txt
  • %ProgramFiles%\Windows Media Player\custsat.dll.new
  • %CommonProgramFiles%\System\How Recovery Files.txt
  • %ProgramFiles%\FireFox\How Recovery Files.txt
  • %ProgramFiles%\Outlook Express\msoe.dll.new
  • %CommonProgramFiles%\SpeechEngines\Microsoft\How Recovery Files.txt
  • %ProgramFiles%\Outlook Express\oeimport.dll.new
  • %ProgramFiles%\Windows NT\Pinball\pinball.exe.new
  • %ProgramFiles%\Windows Media Player\migrate.exe.new
  • C:\Far2\Plugins\Colorer\hrc\How Recovery Files.txt
Deletes the following files:
  • %TEMP%\tmp1.tmp
  • %TEMP%\tmp2.tmp
Moves the following system files:
  • from %WINDIR%\_default.pif to %WINDIR%\_default.pif.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2.cat.no_more_ransom
  • from %WINDIR%\system\COMMDLG.DLL to %WINDIR%\system\COMMDLG.DLL.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\lcladv.xml to %WINDIR%\srchasst\mui\0409\lcladv.xml.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\lcladvd.xml to %WINDIR%\srchasst\mui\0409\lcladvd.xml.no_more_ransom
  • from <SYSTEM32>\xcopy.exe to <SYSTEM32>\xcopy.exe.no_more_ransom
  • from %WINDIR%\system\KEYBOARD.DRV to %WINDIR%\system\KEYBOARD.DRV.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2.manifest.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\lcladvdf.xml to %WINDIR%\srchasst\mui\0409\lcladvdf.xml.no_more_ransom
  • from %WINDIR%\Web\printers\images\ipp_0002.gif to %WINDIR%\Web\printers\images\ipp_0002.gif.no_more_ransom
  • from %WINDIR%\system\LZEXPAND.DLL to %WINDIR%\system\LZEXPAND.DLL.no_more_ransom
  • from <SYSTEM32>\xenroll.dll to <SYSTEM32>\xenroll.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.cat.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\lcladvmm.xml to %WINDIR%\srchasst\mui\0409\lcladvmm.xml.no_more_ransom
  • from %WINDIR%\Web\printers\images\ipp_0003.gif to %WINDIR%\Web\printers\images\ipp_0003.gif.no_more_ransom
  • from %WINDIR%\system\MCIAVI.DRV to %WINDIR%\system\MCIAVI.DRV.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\lclcomp.xml to %WINDIR%\srchasst\mui\0409\lclcomp.xml.no_more_ransom
  • from %WINDIR%\Web\printers\images\ipp_0004.gif to %WINDIR%\Web\printers\images\ipp_0004.gif.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\lcldate.xml to %WINDIR%\srchasst\mui\0409\lcldate.xml.no_more_ransom
  • from <SYSTEM32>\xm.dll to <SYSTEM32>\xm.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375.manifest.no_more_ransom
  • from %WINDIR%\system\MCISEQ.DRV to %WINDIR%\system\MCISEQ.DRV.no_more_ransom
  • from <SYSTEM32>\xactsrv.dll to <SYSTEM32>\xactsrv.dll.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\intro.xml to %WINDIR%\srchasst\mui\0409\intro.xml.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\intents.xml to %WINDIR%\srchasst\mui\0409\intents.xml.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\inetsrch.xml to %WINDIR%\srchasst\mui\0409\inetsrch.xml.no_more_ransom
  • from <SYSTEM32>\wuauserv.dll to <SYSTEM32>\wuauserv.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05.cat.no_more_ransom
  • from <SYSTEM32>\wucltui.dll to <SYSTEM32>\wucltui.dll.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\balloon.xsl to %WINDIR%\srchasst\mui\0409\balloon.xsl.no_more_ransom
  • from <SYSTEM32>\wupdmgr.exe to <SYSTEM32>\wupdmgr.exe.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\bar.xsl to %WINDIR%\srchasst\mui\0409\bar.xsl.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05.manifest.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\charchsr.xml to %WINDIR%\srchasst\mui\0409\charchsr.xml.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\charctxt.xml to %WINDIR%\srchasst\mui\0409\charctxt.xml.no_more_ransom
  • from <SYSTEM32>\wups.dll to <SYSTEM32>\wups.dll.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\error.xml to %WINDIR%\srchasst\mui\0409\error.xml.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a.cat.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\finish.xml to %WINDIR%\srchasst\mui\0409\finish.xml.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\indxsvc.xml to %WINDIR%\srchasst\mui\0409\indxsvc.xml.no_more_ransom
  • from %WINDIR%\system\AVICAP.DLL to %WINDIR%\system\AVICAP.DLL.no_more_ransom
  • from <SYSTEM32>\wuweb.dll to <SYSTEM32>\wuweb.dll.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\inetfind.xml to %WINDIR%\srchasst\mui\0409\inetfind.xml.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\inetopts.xml to %WINDIR%\srchasst\mui\0409\inetopts.xml.no_more_ransom
  • from <SYSTEM32>\wzcdlg.dll to <SYSTEM32>\wzcdlg.dll.no_more_ransom
  • from %WINDIR%\system\AVIFILE.DLL to %WINDIR%\system\AVIFILE.DLL.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a.manifest.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\inetpref.xml to %WINDIR%\srchasst\mui\0409\inetpref.xml.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303.manifest.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\lcldocs.xml to %WINDIR%\srchasst\mui\0409\lcldocs.xml.no_more_ransom
  • from %WINDIR%\Web\printers\images\ipp_0005.gif to %WINDIR%\Web\printers\images\ipp_0005.gif.no_more_ransom
  • from <SYSTEM32>\xmlprov.dll to <SYSTEM32>\xmlprov.dll.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\lclsize.xml to %WINDIR%\srchasst\mui\0409\lclsize.xml.no_more_ransom
  • from %WINDIR%\system\OLECLI.DLL to %WINDIR%\system\OLECLI.DLL.no_more_ransom
  • from %WINDIR%\Web\printers\ipp_0005.asp to %WINDIR%\Web\printers\ipp_0005.asp.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313.manifest.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\lclsrch.xml to %WINDIR%\srchasst\mui\0409\lclsrch.xml.no_more_ransom
  • from %WINDIR%\Web\printers\ipp_0006.asp to %WINDIR%\Web\printers\ipp_0006.asp.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\lcltechy.xml to %WINDIR%\srchasst\mui\0409\lcltechy.xml.no_more_ransom
  • from %WINDIR%\Web\printers\ipp_0007.asp to %WINDIR%\Web\printers\ipp_0007.asp.no_more_ransom
  • from %WINDIR%\system\OLESVR.DLL to %WINDIR%\system\OLESVR.DLL.no_more_ransom
  • from <SYSTEM32>\xpsshhdr.dll to <SYSTEM32>\xpsshhdr.dll.no_more_ransom
  • from %WINDIR%\Web\printers\ipp_0010.asp to %WINDIR%\Web\printers\ipp_0010.asp.no_more_ransom
  • from %WINDIR%\srchasst\nls302en.lex to %WINDIR%\srchasst\nls302en.lex.no_more_ransom
  • from %WINDIR%\system\setup.inf to %WINDIR%\system\setup.inf.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53.cat.no_more_ransom
  • from %WINDIR%\Web\printers\ipp_0013.asp to %WINDIR%\Web\printers\ipp_0013.asp.no_more_ransom
  • from %WINDIR%\Web\printers\ipp_0014.asp to %WINDIR%\Web\printers\ipp_0014.asp.no_more_ransom
  • from %WINDIR%\Web\printers\ipp_0015.asp to %WINDIR%\Web\printers\ipp_0015.asp.no_more_ransom
  • from %WINDIR%\Web\printers\ipp_adsi.inc to %WINDIR%\Web\printers\ipp_adsi.inc.no_more_ransom
  • from %WINDIR%\system\SHELL.DLL to %WINDIR%\system\SHELL.DLL.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53.manifest.no_more_ransom
  • from %WINDIR%\Web\printers\ipp_res.inc to %WINDIR%\Web\printers\ipp_res.inc.no_more_ransom
  • from <SYSTEM32>\xpsp1res.dll to <SYSTEM32>\xpsp1res.dll.no_more_ransom
  • from %WINDIR%\Web\printers\ipp_0004.asp to %WINDIR%\Web\printers\ipp_0004.asp.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313.cat.no_more_ransom
  • from %WINDIR%\system\MSVIDEO.DLL to %WINDIR%\system\MSVIDEO.DLL.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\lclkwrds.xml to %WINDIR%\srchasst\mui\0409\lclkwrds.xml.no_more_ransom
  • from %WINDIR%\Web\printers\images\ipp_0012.gif to %WINDIR%\Web\printers\images\ipp_0012.gif.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\lcllook.xml to %WINDIR%\srchasst\mui\0409\lcllook.xml.no_more_ransom
  • from %WINDIR%\system\MMSYSTEM.DLL to %WINDIR%\system\MMSYSTEM.DLL.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e.cat.no_more_ransom
  • from <SYSTEM32>\xmlprovi.dll to <SYSTEM32>\xmlprovi.dll.no_more_ransom
  • from %WINDIR%\Web\printers\images\ipp_0015.gif to %WINDIR%\Web\printers\images\ipp_0015.gif.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\lclmm.xml to %WINDIR%\srchasst\mui\0409\lclmm.xml.no_more_ransom
  • from <SYSTEM32>\xmlrtl60.bpl to <SYSTEM32>\xmlrtl60.bpl.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\lclmode.xml to %WINDIR%\srchasst\mui\0409\lclmode.xml.no_more_ransom
  • from %WINDIR%\Web\printers\ipp_0000.inc to %WINDIR%\Web\printers\ipp_0000.inc.no_more_ransom
  • from %WINDIR%\system\MMTASK.TSK to %WINDIR%\system\MMTASK.TSK.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\lclother.xml to %WINDIR%\srchasst\mui\0409\lclother.xml.no_more_ransom
  • from <SYSTEM32>\xolehlp.dll to <SYSTEM32>\xolehlp.dll.no_more_ransom
  • from %WINDIR%\Web\printers\ipp_0001.asp to %WINDIR%\Web\printers\ipp_0001.asp.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e.manifest.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\lclprog.xml to %WINDIR%\srchasst\mui\0409\lclprog.xml.no_more_ransom
  • from %WINDIR%\Web\printers\ipp_0002.asp to %WINDIR%\Web\printers\ipp_0002.asp.no_more_ransom
  • from <SYSTEM32>\xpob2res.dll to <SYSTEM32>\xpob2res.dll.no_more_ransom
  • from %WINDIR%\system\MOUSE.DRV to %WINDIR%\system\MOUSE.DRV.no_more_ransom
  • from %WINDIR%\srchasst\mui\0409\lclrfine.xml to %WINDIR%\srchasst\mui\0409\lclrfine.xml.no_more_ransom
  • from %WINDIR%\Web\printers\ipp_0003.asp to %WINDIR%\Web\printers\ipp_0003.asp.no_more_ransom
  • from %WINDIR%\system\MCIWAVE.DRV to %WINDIR%\system\MCIWAVE.DRV.no_more_ransom
  • from <SYSTEM32>\wship6.dll to <SYSTEM32>\wship6.dll.no_more_ransom
  • from %WINDIR%\pss\system.ini.backup to %WINDIR%\pss\system.ini.backup.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.manifest.no_more_ransom
  • from <SYSTEM32>\wowfax.dll to <SYSTEM32>\wowfax.dll.no_more_ransom
  • from %WINDIR%\Resources\Themes\Luna\Shell\Homestead\shellstyle.dll to %WINDIR%\Resources\Themes\Luna\Shell\Homestead\shellstyle.dll.no_more_ransom
  • from %WINDIR%\Resources\Themes\Luna\Shell\Metallic\shellstyle.dll to %WINDIR%\Resources\Themes\Luna\Shell\Metallic\shellstyle.dll.no_more_ransom
  • from <SYSTEM32>\wowfaxui.dll to <SYSTEM32>\wowfaxui.dll.no_more_ransom
  • from %WINDIR%\repair\system to %WINDIR%\repair\system.no_more_ransom
  • from %WINDIR%\Resources\Themes\Luna\Shell\NormalColor\shellstyle.dll to %WINDIR%\Resources\Themes\Luna\Shell\NormalColor\shellstyle.dll.no_more_ransom
  • from <SYSTEM32>\wpa.dbl to <SYSTEM32>\wpa.dbl.no_more_ransom
  • from %WINDIR%\security\Database\secedit.sdb to %WINDIR%\security\Database\secedit.sdb.no_more_ransom
  • from %WINDIR%\security\logs\backup.log to %WINDIR%\security\logs\backup.log.no_more_ransom
  • from <SYSTEM32>\wpabaln.exe to <SYSTEM32>\wpabaln.exe.no_more_ransom
  • from %WINDIR%\Resources\Themes\Luna.theme to %WINDIR%\Resources\Themes\Luna.theme.no_more_ransom
  • from %WINDIR%\security\logs\SceRoot.log to %WINDIR%\security\logs\SceRoot.log.no_more_ransom
  • from %WINDIR%\Resources\Themes\Windows Classic.theme to %WINDIR%\Resources\Themes\Windows Classic.theme.no_more_ransom
  • from <SYSTEM32>\wpnpinst.exe to <SYSTEM32>\wpnpinst.exe.no_more_ransom
  • from %WINDIR%\security\logs\scesetup.log to %WINDIR%\security\logs\scesetup.log.no_more_ransom
  • from <SYSTEM32>\write.exe to <SYSTEM32>\write.exe.no_more_ransom
  • from %WINDIR%\security\templates\compatws.inf to %WINDIR%\security\templates\compatws.inf.no_more_ransom
  • from %WINDIR%\security\templates\hisecdc.inf to %WINDIR%\security\templates\hisecdc.inf.no_more_ransom
  • from <SYSTEM32>\wscntfy.exe to <SYSTEM32>\wscntfy.exe.no_more_ransom
  • from <SYSTEM32>\wscript.exe to <SYSTEM32>\wscript.exe.no_more_ransom
  • from %WINDIR%\security\templates\hisecws.inf to %WINDIR%\security\templates\hisecws.inf.no_more_ransom
  • from <SYSTEM32>\wowexec.exe to <SYSTEM32>\wowexec.exe.no_more_ransom
  • from %WINDIR%\Resources\Themes\Luna\luna.msstyles to %WINDIR%\Resources\Themes\Luna\luna.msstyles.no_more_ransom
  • from %WINDIR%\repair\software to %WINDIR%\repair\software.no_more_ransom
  • from <SYSTEM32>\wowdeb.exe to <SYSTEM32>\wowdeb.exe.no_more_ransom
  • from <SYSTEM32>\wmstream.dll to <SYSTEM32>\wmstream.dll.no_more_ransom
  • from %WINDIR%\pss\win.ini.backup to %WINDIR%\pss\win.ini.backup.no_more_ransom
  • from %WINDIR%\regedit.exe to %WINDIR%\regedit.exe.no_more_ransom
  • from <SYSTEM32>\wmv8ds32.ax to <SYSTEM32>\wmv8ds32.ax.no_more_ransom
  • from %WINDIR%\Registration\R000000000007.clb to %WINDIR%\Registration\R000000000007.clb.no_more_ransom
  • from %WINDIR%\Registration\R00000000000a.clb to %WINDIR%\Registration\R00000000000a.clb.no_more_ransom
  • from <SYSTEM32>\wmvcore.dll to <SYSTEM32>\wmvcore.dll.no_more_ransom
  • from %WINDIR%\Registration\R00000000000b.clb to %WINDIR%\Registration\R00000000000b.clb.no_more_ransom
  • from %WINDIR%\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{BF4C4D5C-6924-41E8-9BF1-DCC37DF6F31D}.crmlog to %WINDIR%\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{BF4C4D5C-6924-41E8-9BF1-DCC37DF6F31D}.crmlog.no_more_ransom
  • from %WINDIR%\REGLOCS.OLD to %WINDIR%\REGLOCS.OLD.no_more_ransom
  • from %WINDIR%\repair\autoexec.nt to %WINDIR%\repair\autoexec.nt.no_more_ransom
  • from %WINDIR%\regopt.log to %WINDIR%\regopt.log.no_more_ransom
  • from %WINDIR%\repair\config.nt to %WINDIR%\repair\config.nt.no_more_ransom
  • from <SYSTEM32>\wmvdmod.dll to <SYSTEM32>\wmvdmod.dll.no_more_ransom
  • from %WINDIR%\repair\default to %WINDIR%\repair\default.no_more_ransom
  • from %WINDIR%\repair\ntuser.dat to %WINDIR%\repair\ntuser.dat.no_more_ransom
  • from <SYSTEM32>\wmvdmoe2.dll to <SYSTEM32>\wmvdmoe2.dll.no_more_ransom
  • from %WINDIR%\repair\sam to %WINDIR%\repair\sam.no_more_ransom
  • from %WINDIR%\repair\secsetup.inf to %WINDIR%\repair\secsetup.inf.no_more_ransom
  • from <SYSTEM32>\wmvds32.ax to <SYSTEM32>\wmvds32.ax.no_more_ransom
  • from %WINDIR%\repair\security to %WINDIR%\repair\security.no_more_ransom
  • from %WINDIR%\repair\setup.log to %WINDIR%\repair\setup.log.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303.cat.no_more_ransom
  • from <SYSTEM32>\xpssvcs.dll to <SYSTEM32>\xpssvcs.dll.no_more_ransom
  • from %WINDIR%\security\templates\rootsec.inf to %WINDIR%\security\templates\rootsec.inf.no_more_ransom
  • from %WINDIR%\security\templates\securedc.inf to %WINDIR%\security\templates\securedc.inf.no_more_ransom
  • from %WINDIR%\spupdsvc.log to %WINDIR%\spupdsvc.log.no_more_ransom
  • from %WINDIR%\srchasst\chars\courtney.acs to %WINDIR%\srchasst\chars\courtney.acs.no_more_ransom
  • from <SYSTEM32>\wstdecod.dll to <SYSTEM32>\wstdecod.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7.Manifest.no_more_ransom
  • from <SYSTEM32>\wstpager.ax to <SYSTEM32>\wstpager.ax.no_more_ransom
  • from <SYSTEM32>\wstrenderer.ax to <SYSTEM32>\wstrenderer.ax.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474.cat.no_more_ransom
  • from %WINDIR%\srchasst\chars\earl.acs to %WINDIR%\srchasst\chars\earl.acs.no_more_ransom
  • from <SYSTEM32>\wuapi.dll to <SYSTEM32>\wuapi.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474.manifest.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca.cat.no_more_ransom
  • from <SYSTEM32>\wuauclt.exe to <SYSTEM32>\wuauclt.exe.no_more_ransom
  • from %WINDIR%\srchasst\chars\rover.acs to %WINDIR%\srchasst\chars\rover.acs.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca.manifest.no_more_ransom
  • from <SYSTEM32>\wuauclt1.exe to <SYSTEM32>\wuauclt1.exe.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat.no_more_ransom
  • from <SYSTEM32>\wuaucpl.cpl to <SYSTEM32>\wuaucpl.cpl.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest.no_more_ransom
  • from <SYSTEM32>\wuaueng.dll to <SYSTEM32>\wuaueng.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.cat.no_more_ransom
  • from %WINDIR%\srchasst\msgr3en.dll to %WINDIR%\srchasst\msgr3en.dll.no_more_ransom
  • from <SYSTEM32>\wsnmp32.dll to <SYSTEM32>\wsnmp32.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5.manifest to %WINDIR%\WinSxS\Manifests\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5.manifest.no_more_ransom
  • from %WINDIR%\SoftwareDistribution\ReportingEvents.log to %WINDIR%\SoftwareDistribution\ReportingEvents.log.no_more_ransom
  • from %WINDIR%\sleep.exe to %WINDIR%\sleep.exe.no_more_ransom
  • from %WINDIR%\security\templates\securews.inf to %WINDIR%\security\templates\securews.inf.no_more_ransom
  • from <SYSTEM32>\wshatm.dll to <SYSTEM32>\wshatm.dll.no_more_ransom
  • from %WINDIR%\security\templates\setup security.inf to %WINDIR%\security\templates\setup security.inf.no_more_ransom
  • from <SYSTEM32>\wshbth.dll to <SYSTEM32>\wshbth.dll.no_more_ransom
  • from <SYSTEM32>\wshcon.dll to <SYSTEM32>\wshcon.dll.no_more_ransom
  • from %WINDIR%\sessmgr.setup.log to %WINDIR%\sessmgr.setup.log.no_more_ransom
  • from %WINDIR%\setupact.log to %WINDIR%\setupact.log.no_more_ransom
  • from %WINDIR%\setupapi.log to %WINDIR%\setupapi.log.no_more_ransom
  • from <SYSTEM32>\wshext.dll to <SYSTEM32>\wshext.dll.no_more_ransom
  • from %WINDIR%\setuperr.log to %WINDIR%\setuperr.log.no_more_ransom
  • from <SYSTEM32>\wuaueng1.dll to <SYSTEM32>\wuaueng1.dll.no_more_ransom
  • from %WINDIR%\setuplog.txt to %WINDIR%\setuplog.txt.no_more_ransom
  • from %WINDIR%\sfk.exe to %WINDIR%\sfk.exe.no_more_ransom
  • from <SYSTEM32>\wshisn.dll to <SYSTEM32>\wshisn.dll.no_more_ransom
  • from %WINDIR%\SoftwareDistribution\DataStore\Logs\edb.chk to %WINDIR%\SoftwareDistribution\DataStore\Logs\edb.chk.no_more_ransom
  • from %WINDIR%\SoftwareDistribution\DataStore\Logs\edb.log to %WINDIR%\SoftwareDistribution\DataStore\Logs\edb.log.no_more_ransom
  • from %WINDIR%\SoftwareDistribution\DataStore\Logs\res1.log to %WINDIR%\SoftwareDistribution\DataStore\Logs\res1.log.no_more_ransom
  • from %WINDIR%\SoftwareDistribution\DataStore\DataStore.edb to %WINDIR%\SoftwareDistribution\DataStore\DataStore.edb.no_more_ransom
  • from <SYSTEM32>\wshnetbs.dll to <SYSTEM32>\wshnetbs.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e.manifest to %WINDIR%\WinSxS\Manifests\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e.manifest.no_more_ransom
  • from %WINDIR%\SoftwareDistribution\DataStore\Logs\res2.log to %WINDIR%\SoftwareDistribution\DataStore\Logs\res2.log.no_more_ransom
  • from <SYSTEM32>\WshRm.dll to <SYSTEM32>\WshRm.dll.no_more_ransom
  • from <SYSTEM32>\wsecedit.dll to <SYSTEM32>\wsecedit.dll.no_more_ransom
  • from <SYSTEM32>\wscui.cpl to <SYSTEM32>\wscui.cpl.no_more_ransom
  • from %WINDIR%\system\SOUND.DRV to %WINDIR%\system\SOUND.DRV.no_more_ransom
  • from %WINDIR%\vb.ini to %WINDIR%\vb.ini.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll.no_more_ransom
  • from %WINDIR%\XXInstall\cmdow.exe to %WINDIR%\XXInstall\cmdow.exe.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll.no_more_ransom
  • from %WINDIR%\XXInstall\devcon.exe to %WINDIR%\XXInstall\devcon.exe.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll.no_more_ransom
  • from %WINDIR%\XXInstall\events.exe to %WINDIR%\XXInstall\events.exe.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll.no_more_ransom
  • from %WINDIR%\XXInstall\exdir.exe to %WINDIR%\XXInstall\exdir.exe.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll.no_more_ransom
  • from %WINDIR%\XXInstall\hashdeep.exe to %WINDIR%\XXInstall\hashdeep.exe.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_x-ww_4ee8bb30\9.0.30729.4148.policy to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_x-ww_4ee8bb30\9.0.30729.4148.policy.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_x-ww_b8438ace\9.0.30729.4148.policy to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_x-ww_b8438ace\9.0.30729.4148.policy.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_x-ww_9e7eb501\9.0.30729.4148.cat to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_x-ww_9e7eb501\9.0.30729.4148.cat.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\9.0.21022.8.policy to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\9.0.21022.8.policy.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_x-ww_9e7eb501\9.0.30729.4148.policy to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_x-ww_9e7eb501\9.0.30729.4148.policy.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\9.0.30729.4148.cat to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\9.0.30729.4148.cat.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\9.0.30729.4148.policy to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\9.0.30729.4148.policy.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcm80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcm80.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_x-ww_6ad67377\9.0.30729.4148.cat to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_x-ww_6ad67377\9.0.30729.4148.cat.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_x-ww_6ad67377\9.0.30729.4148.policy to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_x-ww_6ad67377\9.0.30729.4148.policy.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\9.0.21022.8.cat to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\9.0.21022.8.cat.no_more_ransom
  • from %WINDIR%\XXInstall\install.bat to %WINDIR%\XXInstall\install.bat.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll.no_more_ransom
  • from %WINDIR%\XXInstall\install_ar.bat to %WINDIR%\XXInstall\install_ar.bat.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\prefs.js to %WINDIR%\XXInstall\Scripts\prefs.js.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\reboot_on_bsod.reg to %WINDIR%\XXInstall\Scripts\reboot_on_bsod.reg.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcirt.dll to %WINDIR%\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcirt.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll to %WINDIR%\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\safely.reg to %WINDIR%\XXInstall\Scripts\safely.reg.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\smart_assembly_fix.reg to %WINDIR%\XXInstall\Scripts\smart_assembly_fix.reg.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\startup_ar.bat to %WINDIR%\XXInstall\Scripts\startup_ar.bat.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\dxmrtp.dll to %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\dxmrtp.dll.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\startup_bsod.bat to %WINDIR%\XXInstall\Scripts\startup_bsod.bat.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\taskmgr.reg to %WINDIR%\XXInstall\Scripts\taskmgr.reg.no_more_ransom
  • from %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.dll to %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.dll.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\WindowsKiller.ini to %WINDIR%\XXInstall\Scripts\WindowsKiller.ini.no_more_ransom
  • from %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.Wrapper.dll to %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492\System.EnterpriseServices.Wrapper.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll to %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll.no_more_ransom
  • from %WINDIR%\XXInstall\vminstall.exe to %WINDIR%\XXInstall\vminstall.exe.no_more_ransom
  • from %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll to %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll to %WINDIR%\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\rtcres.dll to %WINDIR%\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\rtcres.dll.no_more_ransom
  • from %WINDIR%\wmsetup.log to %WINDIR%\wmsetup.log.no_more_ransom
  • from %WINDIR%\WMSysPr9.prx to %WINDIR%\WMSysPr9.prx.no_more_ransom
  • from %WINDIR%\Zapotec.bmp to %WINDIR%\Zapotec.bmp.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\perf.reg to %WINDIR%\XXInstall\Scripts\perf.reg.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\not_collect_offline.reg to %WINDIR%\XXInstall\Scripts\not_collect_offline.reg.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll to %WINDIR%\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll.no_more_ransom
  • from %WINDIR%\XXInstall\ps.exe to %WINDIR%\XXInstall\ps.exe.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\antivm.bat to %WINDIR%\XXInstall\Scripts\antivm.bat.no_more_ransom
  • from %WINDIR%\XXInstall\screen.exe to %WINDIR%\XXInstall\screen.exe.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\antivm.exe to %WINDIR%\XXInstall\Scripts\antivm.exe.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\apply_theme.vbs to %WINDIR%\XXInstall\Scripts\apply_theme.vbs.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\bcode-start-stop.vbs to %WINDIR%\XXInstall\Scripts\bcode-start-stop.vbs.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\bcode-start.vbs to %WINDIR%\XXInstall\Scripts\bcode-start.vbs.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\bcode-stop.vbs to %WINDIR%\XXInstall\Scripts\bcode-stop.vbs.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\CompleteDump.reg to %WINDIR%\XXInstall\Scripts\CompleteDump.reg.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\eventmon-startlog.vbs to %WINDIR%\XXInstall\Scripts\eventmon-startlog.vbs.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\eventmon-setup.vbs to %WINDIR%\XXInstall\Scripts\eventmon-setup.vbs.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\ipv6_disable.reg to %WINDIR%\XXInstall\Scripts\ipv6_disable.reg.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\KernelDump.reg to %WINDIR%\XXInstall\Scripts\KernelDump.reg.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\kill_saves.vbs to %WINDIR%\XXInstall\Scripts\kill_saves.vbs.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\kill_windows.vbs to %WINDIR%\XXInstall\Scripts\kill_windows.vbs.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\LanDisabler.vbs to %WINDIR%\XXInstall\Scripts\LanDisabler.vbs.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\ncsi_disable.reg to %WINDIR%\XXInstall\Scripts\ncsi_disable.reg.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\noballon.reg to %WINDIR%\XXInstall\Scripts\noballon.reg.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll to %WINDIR%\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll.no_more_ransom
  • from %WINDIR%\XXInstall\Scripts\norun.reg to %WINDIR%\XXInstall\Scripts\norun.reg.no_more_ransom
  • from %WINDIR%\XXInstall\install_small.bat to %WINDIR%\XXInstall\install_small.bat.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac\1.0.2600.2180.cat to %WINDIR%\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac\1.0.2600.2180.cat.no_more_ransom
  • from %WINDIR%\Web\printers\ipp_util.inc to %WINDIR%\Web\printers\ipp_util.inc.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll.no_more_ransom
  • from %WINDIR%\srchasst\srchui.dll to %WINDIR%\srchasst\srchui.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13.Manifest.no_more_ransom
  • from %WINDIR%\system\WINSPOOL.DRV to %WINDIR%\system\WINSPOOL.DRV.no_more_ransom
  • from %WINDIR%\Sti_Trace.log to %WINDIR%\Sti_Trace.log.no_more_ransom
  • from %WINDIR%\system.ini to %WINDIR%\system.ini.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82.cat.no_more_ransom
  • from %WINDIR%\tabletoc.log to %WINDIR%\tabletoc.log.no_more_ransom
  • from %WINDIR%\Temp\Perflib_Perfdata_7e8.dat to %WINDIR%\Temp\Perflib_Perfdata_7e8.dat.no_more_ransom
  • from %WINDIR%\TASKMAN.EXE to %WINDIR%\TASKMAN.EXE.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82.Manifest.no_more_ransom
  • from %WINDIR%\tsoc.log to %WINDIR%\tsoc.log.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7.cat.no_more_ransom
  • from %WINDIR%\twain.dll to %WINDIR%\twain.dll.no_more_ransom
  • from %WINDIR%\twain_32\wiatwain.ds to %WINDIR%\twain_32\wiatwain.ds.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7.Manifest.no_more_ransom
  • from %WINDIR%\twain_32.dll to %WINDIR%\twain_32.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95.cat.no_more_ransom
  • from %WINDIR%\twunk_16.exe to %WINDIR%\twunk_16.exe.no_more_ransom
  • from %WINDIR%\twunk_32.exe to %WINDIR%\twunk_32.exe.no_more_ransom
  • from %WINDIR%\updspapi.log to %WINDIR%\updspapi.log.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95.Manifest.no_more_ransom
  • from %WINDIR%\system\WFWNET.DRV to %WINDIR%\system\WFWNET.DRV.no_more_ransom
  • from %WINDIR%\srchasst\srchctls.dll to %WINDIR%\srchasst\srchctls.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9.Manifest.no_more_ransom
  • from <SYSTEM32>\zipfldr.dll to <SYSTEM32>\zipfldr.dll.no_more_ransom
  • from %WINDIR%\Web\printers\page1.asp to %WINDIR%\Web\printers\page1.asp.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa.manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa.manifest.no_more_ransom
  • from %WINDIR%\Web\bullet.gif to %WINDIR%\Web\bullet.gif.no_more_ransom
  • from %WINDIR%\system\stdole.tlb to %WINDIR%\system\stdole.tlb.no_more_ransom
  • from %WINDIR%\Web\printers\prtwebvw.css to %WINDIR%\Web\printers\prtwebvw.css.no_more_ransom
  • from %WINDIR%\Web\deskmovr.htt to %WINDIR%\Web\deskmovr.htt.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a.Manifest.no_more_ransom
  • from %WINDIR%\Web\exclam.gif to %WINDIR%\Web\exclam.gif.no_more_ransom
  • from %WINDIR%\system\SYSTEM.DRV to %WINDIR%\system\SYSTEM.DRV.no_more_ransom
  • from %WINDIR%\Web\safemode.htt to %WINDIR%\Web\safemode.htt.no_more_ransom
  • from %WINDIR%\Web\tips.gif to %WINDIR%\Web\tips.gif.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.cat.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest.no_more_ransom
  • from <SYSTEM32>\XPSViewer\en-US\XPSViewer.exe.mui to <SYSTEM32>\XPSViewer\en-US\XPSViewer.exe.mui.no_more_ransom
  • from %WINDIR%\system\TAPI.DLL to %WINDIR%\system\TAPI.DLL.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a.Manifest.no_more_ransom
  • from <SYSTEM32>\XPSViewer\XPSViewer.exe to <SYSTEM32>\XPSViewer\XPSViewer.exe.no_more_ransom
  • from %WINDIR%\system\TIMER.DRV to %WINDIR%\system\TIMER.DRV.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9.cat.no_more_ransom
  • from %WINDIR%\system\VER.DLL to %WINDIR%\system\VER.DLL.no_more_ransom
  • from <SYSTEM32>\XPSViewer\XPSViewerManifest.xml to <SYSTEM32>\XPSViewer\XPSViewerManifest.xml.no_more_ransom
  • from %WINDIR%\system\VGA.DRV to %WINDIR%\system\VGA.DRV.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_x-ww_7d81c9f9\8.0.50727.762.policy to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_x-ww_7d81c9f9\8.0.50727.762.policy.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa.cat.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0.cat.no_more_ransom
  • from %WINDIR%\vbaddin.ini to %WINDIR%\vbaddin.ini.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.Policy to %WINDIR%\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.Policy.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.42.policy to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.42.policy.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_x-ww_caeee150\8.0.50727.762.cat to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_x-ww_caeee150\8.0.50727.762.cat.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_x-ww_5f0bbcff\8.0.50727.762.cat to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_x-ww_5f0bbcff\8.0.50727.762.cat.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_x-ww_0f75c32e\8.0.50727.762.cat to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_x-ww_0f75c32e\8.0.50727.762.cat.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.762.cat to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.762.cat.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.7.0.Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_x-ww_a317e4b3\7.0.2600.2180.cat to %WINDIR%\WinSxS\Policies\x86_policy.7.0.Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_x-ww_a317e4b3\7.0.2600.2180.cat.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_x-ww_5f0bbcff\8.0.50727.762.policy to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_x-ww_5f0bbcff\8.0.50727.762.policy.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.762.policy to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.762.policy.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_x-ww_caeee150\8.0.50727.762.policy to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_x-ww_caeee150\8.0.50727.762.policy.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_x-ww_0f75c32e\8.0.50727.762.policy to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_x-ww_0f75c32e\8.0.50727.762.policy.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.7.0.Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_x-ww_a317e4b3\7.0.2600.2180.Policy to %WINDIR%\WinSxS\Policies\x86_policy.7.0.Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_x-ww_a317e4b3\7.0.2600.2180.Policy.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_x-ww_7d81c9f9\8.0.50727.762.cat to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_x-ww_7d81c9f9\8.0.50727.762.cat.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_x-ww_4ee8bb30\9.0.30729.4148.cat to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_x-ww_4ee8bb30\9.0.30729.4148.cat.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_x-ww_b8438ace\9.0.30729.4148.cat to %WINDIR%\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_x-ww_b8438ace\9.0.30729.4148.cat.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_6595b64144ccf1df_x-ww_c7b7206f\5.2.2.3.Policy to %WINDIR%\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_6595b64144ccf1df_x-ww_c7b7206f\5.2.2.3.Policy.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.42.cat to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.42.cat.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.cat to %WINDIR%\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.cat.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.3053.policy to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.3053.policy.no_more_ransom
  • from %WINDIR%\vmmreg32.dll to %WINDIR%\vmmreg32.dll.no_more_ransom
  • from %WINDIR%\wiadebug.log to %WINDIR%\wiadebug.log.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.0.0_x-ww_fc342b0b.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.0.0_x-ww_fc342b0b.Manifest.no_more_ransom
  • from %WINDIR%\wiaservc.log to %WINDIR%\wiaservc.log.no_more_ransom
  • from %WINDIR%\win.ini to %WINDIR%\win.ini.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.2600.2000_x-ww_bcc9a281.cat to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.2600.2000_x-ww_bcc9a281.cat.no_more_ransom
  • from %WINDIR%\WindowsUpdate.log to %WINDIR%\WindowsUpdate.log.no_more_ransom
  • from %WINDIR%\winhelp.exe to %WINDIR%\winhelp.exe.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.2600.2000_x-ww_bcc9a281.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.2600.2000_x-ww_bcc9a281.Manifest.no_more_ransom
  • from %WINDIR%\winhlp32.exe to %WINDIR%\winhlp32.exe.no_more_ransom
  • from %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll to %WINDIR%\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790.manifest to %WINDIR%\WinSxS\Manifests\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790.manifest.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_x-ww_362e60dd\5.2.2.3.cat to %WINDIR%\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_x-ww_362e60dd\5.2.2.3.cat.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510\5.1.2600.2000.cat to %WINDIR%\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510\5.1.2600.2000.cat.no_more_ransom
  • from %WINDIR%\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll to %WINDIR%\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492.manifest to %WINDIR%\WinSxS\Manifests\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492.manifest.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac\1.0.2600.2180.Policy to %WINDIR%\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac\1.0.2600.2180.Policy.no_more_ransom
  • from %WINDIR%\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5\Microsoft.Workflow.Compiler.exe to %WINDIR%\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5\Microsoft.Workflow.Compiler.exe.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_x-ww_362e60dd\5.2.2.3.Policy to %WINDIR%\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_x-ww_362e60dd\5.2.2.3.Policy.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510\5.1.2600.2000.Policy to %WINDIR%\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510\5.1.2600.2000.Policy.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.3053.cat to %WINDIR%\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773\8.0.50727.3053.cat.no_more_ransom
  • from %WINDIR%\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_6595b64144ccf1df_x-ww_c7b7206f\5.2.2.3.cat to %WINDIR%\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_6595b64144ccf1df_x-ww_c7b7206f\5.2.2.3.cat.no_more_ransom
  • from %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0.Manifest to %WINDIR%\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0.Manifest.no_more_ransom
  • from %WINDIR%\pss\boot.ini.backup to %WINDIR%\pss\boot.ini.backup.no_more_ransom
Moves the following files:
  • from %ProgramFiles%\Windows NT\Pinball\table.bmp to %ProgramFiles%\Windows NT\Pinball\table.bmp.no_more_ransom
  • from <ANALYSE_DIR>\PET-DUMP\0B50_pet_cmd.exe to <ANALYSE_DIR>\PET-DUMP\0B50_pet_cmd.exe.no_more_ransom
  • from %ProgramFiles%\FireFox\res\fonts\mathfont.properties to %ProgramFiles%\FireFox\res\fonts\mathfont.properties.no_more_ransom
  • from %ProgramFiles%\FireFox\res\fonts\mathfontStandardSymbolsL.properties to %ProgramFiles%\FireFox\res\fonts\mathfontStandardSymbolsL.properties.no_more_ransom
  • from <ANALYSE_DIR>\PET-DUMP\0B64_pet_cmd.exe to <ANALYSE_DIR>\PET-DUMP\0B64_pet_cmd.exe.no_more_ransom
  • from %ProgramFiles%\FireFox\res\fonts\mathfontSTIXNonUnicode.properties to %ProgramFiles%\FireFox\res\fonts\mathfontSTIXNonUnicode.properties.no_more_ransom
  • from <ANALYSE_DIR>\PET-DUMP\0B84_pet_SCHTASKS.exe to <ANALYSE_DIR>\PET-DUMP\0B84_pet_SCHTASKS.exe.no_more_ransom
  • from %ProgramFiles%\FireFox\res\fonts\mathfontSTIXSize1.properties to %ProgramFiles%\FireFox\res\fonts\mathfontSTIXSize1.properties.no_more_ransom
  • from %ProgramFiles%\FireFox\res\fonts\mathfontSTIXSizeOneSym.properties to %ProgramFiles%\FireFox\res\fonts\mathfontSTIXSizeOneSym.properties.no_more_ransom
  • from C:\Muldrop\88744D2A29102FC88ECF505DD2E984FC.npg_0 to C:\Muldrop\88744D2A29102FC88ECF505DD2E984FC.npg_0.no_more_ransom
  • from C:\Muldrop\88744D2A29102FC88ECF505DD2E984FC.npg_1 to C:\Muldrop\88744D2A29102FC88ECF505DD2E984FC.npg_1.no_more_ransom
  • from %ProgramFiles%\FireFox\res\fonts\mathfontSymbol.properties to %ProgramFiles%\FireFox\res\fonts\mathfontSymbol.properties.no_more_ransom
  • from %ProgramFiles%\FireFox\res\fonts\mathfontUnicode.properties to %ProgramFiles%\FireFox\res\fonts\mathfontUnicode.properties.no_more_ransom
  • from %ProgramFiles%\FireFox\res\grabber.gif to %ProgramFiles%\FireFox\res\grabber.gif.no_more_ransom
  • from C:\Muldrop\dmp_0x148_0x20000 to C:\Muldrop\dmp_0x148_0x20000.no_more_ransom
  • from %ProgramFiles%\FireFox\res\entityTables\transliterate.properties to %ProgramFiles%\FireFox\res\entityTables\transliterate.properties.no_more_ransom
  • from %ProgramFiles%\FireFox\res\langGroups.properties to %ProgramFiles%\FireFox\res\langGroups.properties.no_more_ransom
  • from C:\Muldrop\dmp_0x148_0x30000 to C:\Muldrop\dmp_0x148_0x30000.no_more_ransom
  • from C:\Muldrop\dmp_0x194_0x10000 to C:\Muldrop\dmp_0x194_0x10000.no_more_ransom
  • from %ProgramFiles%\FireFox\res\language.properties to %ProgramFiles%\FireFox\res\language.properties.no_more_ransom
  • from C:\Muldrop\dmp_0x194_0x20000 to C:\Muldrop\dmp_0x194_0x20000.no_more_ransom
  • from %ProgramFiles%\FireFox\res\svg.css to %ProgramFiles%\FireFox\res\svg.css.no_more_ransom
  • from C:\Muldrop\dmp_0x194_0x30000 to C:\Muldrop\dmp_0x194_0x30000.no_more_ransom
  • from C:\Muldrop\dmp_0x1a0_0x10000 to C:\Muldrop\dmp_0x1a0_0x10000.no_more_ransom
  • from %ProgramFiles%\FireFox\res\table-add-column-after-active.gif to %ProgramFiles%\FireFox\res\table-add-column-after-active.gif.no_more_ransom
  • from C:\Muldrop\dmp_0x1a0_0x20000 to C:\Muldrop\dmp_0x1a0_0x20000.no_more_ransom
  • from %ProgramFiles%\FireFox\res\table-add-column-after-hover.gif to %ProgramFiles%\FireFox\res\table-add-column-after-hover.gif.no_more_ransom
  • from %ProgramFiles%\FireFox\res\table-add-column-after.gif to %ProgramFiles%\FireFox\res\table-add-column-after.gif.no_more_ransom
  • from C:\Muldrop\dmp_0x148_0x10000 to C:\Muldrop\dmp_0x148_0x10000.no_more_ransom
  • from %ProgramFiles%\FireFox\res\table-add-row-before.gif to %ProgramFiles%\FireFox\res\table-add-row-before.gif.no_more_ransom
  • from <ANALYSE_DIR>\PET-DUMP\0B3C_pet_cmd.exe to <ANALYSE_DIR>\PET-DUMP\0B3C_pet_cmd.exe.no_more_ransom
  • from %ProgramFiles%\FireFox\nssckbi.dll to %ProgramFiles%\FireFox\nssckbi.dll.no_more_ransom
  • from %ProgramFiles%\FireFox\nssdbm3.chk to %ProgramFiles%\FireFox\nssdbm3.chk.no_more_ransom
  • from %ProgramFiles%\FireFox\nssdbm3.dll to %ProgramFiles%\FireFox\nssdbm3.dll.no_more_ransom
  • from <ANALYSE_DIR>\DWS-DUMP\0B3C_dws_cmd.exe to <ANALYSE_DIR>\DWS-DUMP\0B3C_dws_cmd.exe.no_more_ransom
  • from %ProgramFiles%\FireFox\nssutil3.dll to %ProgramFiles%\FireFox\nssutil3.dll.no_more_ransom
  • from %ProgramFiles%\FireFox\platform.ini to %ProgramFiles%\FireFox\platform.ini.no_more_ransom
  • from %ProgramFiles%\FireFox\plc4.dll to %ProgramFiles%\FireFox\plc4.dll.no_more_ransom
  • from <ANALYSE_DIR>\DWS-DUMP\0B44_dws_vssadmin.exe to <ANALYSE_DIR>\DWS-DUMP\0B44_dws_vssadmin.exe.no_more_ransom
  • from %ProgramFiles%\FireFox\plds4.dll to %ProgramFiles%\FireFox\plds4.dll.no_more_ransom
  • from %ProgramFiles%\FireFox\plugin-container.exe to %ProgramFiles%\FireFox\plugin-container.exe.no_more_ransom
  • from <ANALYSE_DIR>\DWS-DUMP\0B50_dws_cmd.exe to <ANALYSE_DIR>\DWS-DUMP\0B50_dws_cmd.exe.no_more_ransom
  • from %ProgramFiles%\FireFox\README.txt to %ProgramFiles%\FireFox\README.txt.no_more_ransom
  • from %ProgramFiles%\FireFox\res\contenteditable.css to %ProgramFiles%\FireFox\res\contenteditable.css.no_more_ransom
  • from C:\Muldrop\dmp_0x1a0_0x30000 to C:\Muldrop\dmp_0x1a0_0x30000.no_more_ransom
  • from <ANALYSE_DIR>\PET-DUMP\0B44_pet_vssadmin.exe to <ANALYSE_DIR>\PET-DUMP\0B44_pet_vssadmin.exe.no_more_ransom
  • from %ProgramFiles%\FireFox\res\dtd\mathml.dtd to %ProgramFiles%\FireFox\res\dtd\mathml.dtd.no_more_ransom
  • from <ANALYSE_DIR>\DWS-DUMP\0B84_dws_SCHTASKS.exe to <ANALYSE_DIR>\DWS-DUMP\0B84_dws_SCHTASKS.exe.no_more_ransom
  • from <APATH_DUMPS_DIR>\0B3C_cmd.exe_0.ndmp to <APATH_DUMPS_DIR>\0B3C_cmd.exe_0.ndmp.no_more_ransom
  • from %ProgramFiles%\FireFox\res\dtd\xhtml11.dtd to %ProgramFiles%\FireFox\res\dtd\xhtml11.dtd.no_more_ransom
  • from %ProgramFiles%\FireFox\res\EditorOverride.css to %ProgramFiles%\FireFox\res\EditorOverride.css.no_more_ransom
  • from %ProgramFiles%\FireFox\res\entityTables\html40Latin1.properties to %ProgramFiles%\FireFox\res\entityTables\html40Latin1.properties.no_more_ransom
  • from <APATH_DUMPS_DIR>\0B44_vssadmin.exe_0.ndmp to <APATH_DUMPS_DIR>\0B44_vssadmin.exe_0.ndmp.no_more_ransom
  • from %ProgramFiles%\FireFox\res\entityTables\html40Special.properties to %ProgramFiles%\FireFox\res\entityTables\html40Special.properties.no_more_ransom
  • from <APATH_DUMPS_DIR>\0B50_cmd.exe_0.ndmp to <APATH_DUMPS_DIR>\0B50_cmd.exe_0.ndmp.no_more_ransom
  • from <APATH_DUMPS_DIR>\0B64_cmd.exe_0.ndmp to <APATH_DUMPS_DIR>\0B64_cmd.exe_0.ndmp.no_more_ransom
  • from %ProgramFiles%\FireFox\res\entityTables\html40Symbols.properties to %ProgramFiles%\FireFox\res\entityTables\html40Symbols.properties.no_more_ransom
  • from <APATH_DUMPS_DIR>\0B84_schtasks.exe_0.ndmp to <APATH_DUMPS_DIR>\0B84_schtasks.exe_0.ndmp.no_more_ransom
  • from %ProgramFiles%\FireFox\res\entityTables\htmlEntityVersions.properties to %ProgramFiles%\FireFox\res\entityTables\htmlEntityVersions.properties.no_more_ransom
  • from %ProgramFiles%\FireFox\res\designmode.css to %ProgramFiles%\FireFox\res\designmode.css.no_more_ransom
  • from %ProgramFiles%\FireFox\res\entityTables\mathml20.properties to %ProgramFiles%\FireFox\res\entityTables\mathml20.properties.no_more_ransom
  • from C:\Muldrop\dmp_0x1a4_0x10000 to C:\Muldrop\dmp_0x1a4_0x10000.no_more_ransom
  • from %ProgramFiles%\FireFox\res\table-add-column-before-active.gif to %ProgramFiles%\FireFox\res\table-add-column-before-active.gif.no_more_ransom
  • from C:\Muldrop\dmp_0x1a4_0x20000 to C:\Muldrop\dmp_0x1a4_0x20000.no_more_ransom
  • from %ProgramFiles%\FireFox\xpcshell.exe to %ProgramFiles%\FireFox\xpcshell.exe.no_more_ransom
  • from %ProgramFiles%\FireFox\searchplugins\wikipedia.xml to %ProgramFiles%\FireFox\searchplugins\wikipedia.xml.no_more_ransom
  • from %ProgramFiles%\FireFox\searchplugins\yahoo.xml to %ProgramFiles%\FireFox\searchplugins\yahoo.xml.no_more_ransom
  • from %ProgramFiles%\FireFox\shlibsign.exe to %ProgramFiles%\FireFox\shlibsign.exe.no_more_ransom
  • from %ProgramFiles%\FireFox\smime3.dll to %ProgramFiles%\FireFox\smime3.dll.no_more_ransom
  • from %ProgramFiles%\FireFox\softokn3.chk to %ProgramFiles%\FireFox\softokn3.chk.no_more_ransom
  • from %ProgramFiles%\FireFox\uninstall\helper.exe to %ProgramFiles%\FireFox\uninstall\helper.exe.no_more_ransom
  • from %ProgramFiles%\FireFox\softokn3.dll to %ProgramFiles%\FireFox\softokn3.dll.no_more_ransom
  • from C:\Muldrop\jogp.fyf_0 to C:\Muldrop\jogp.fyf_0.no_more_ransom
  • from %ProgramFiles%\FireFox\ssl3.dll to %ProgramFiles%\FireFox\ssl3.dll.no_more_ransom
  • from %ProgramFiles%\FireFox\update.locale to %ProgramFiles%\FireFox\update.locale.no_more_ransom
  • from %ProgramFiles%\FireFox\updater.exe to %ProgramFiles%\FireFox\updater.exe.no_more_ransom
  • from %ProgramFiles%\FireFox\updater.ini to %ProgramFiles%\FireFox\updater.ini.no_more_ransom
  • from %ProgramFiles%\FireFox\nss3.dll to %ProgramFiles%\FireFox\nss3.dll.no_more_ransom
  • from %ProgramFiles%\FireFox\searchplugins\eBay.xml to %ProgramFiles%\FireFox\searchplugins\eBay.xml.no_more_ransom
  • from %ProgramFiles%\FireFox\xpidl.exe to %ProgramFiles%\FireFox\xpidl.exe.no_more_ransom
  • from C:\Muldrop\npgdpnq.mph_0 to C:\Muldrop\npgdpnq.mph_0.no_more_ransom
  • from %ProgramFiles%\FireFox\xpt_dump.exe to %ProgramFiles%\FireFox\xpt_dump.exe.no_more_ransom
  • from C:\Muldrop\npgdpnq.mph_1 to C:\Muldrop\npgdpnq.mph_1.no_more_ransom
  • from C:\Muldrop\npgdpnq.mph_2 to C:\Muldrop\npgdpnq.mph_2.no_more_ransom
  • from %ProgramFiles%\FireFox\xpt_link.exe to %ProgramFiles%\FireFox\xpt_link.exe.no_more_ransom
  • from C:\Muldrop\npgdpnq.mph_3 to C:\Muldrop\npgdpnq.mph_3.no_more_ransom
  • from C:\Muldrop\npgdpnq.mph_4 to C:\Muldrop\npgdpnq.mph_4.no_more_ransom
  • from %ProgramFiles%\FireFox\xul.dll to %ProgramFiles%\FireFox\xul.dll.no_more_ransom
  • from C:\Muldrop\npgdpnq.mph_5 to C:\Muldrop\npgdpnq.mph_5.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn.dll to %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn.dll.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn1.exe to %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn1.exe.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn2.exe to %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn2.exe.no_more_ransom
  • from %ProgramFiles%\FireFox\xpcom.dll to %ProgramFiles%\FireFox\xpcom.dll.no_more_ransom
  • from <ANALYSE_DIR>\DWS-DUMP\0B64_dws_cmd.exe to <ANALYSE_DIR>\DWS-DUMP\0B64_dws_cmd.exe.no_more_ransom
  • from %ProgramFiles%\FireFox\searchplugins\bing.xml to %ProgramFiles%\FireFox\searchplugins\bing.xml.no_more_ransom
  • from C:\Muldrop\dmp_0x88_0x20000 to C:\Muldrop\dmp_0x88_0x20000.no_more_ransom
  • from %ProgramFiles%\FireFox\searchplugins\amazondotcom.xml to %ProgramFiles%\FireFox\searchplugins\amazondotcom.xml.no_more_ransom
  • from <ANALYSETOOLS_DIR>\MinArk\miniark.log to <ANALYSETOOLS_DIR>\MinArk\miniark.log.no_more_ransom
  • from %ProgramFiles%\FireFox\res\table-add-column-before-hover.gif to %ProgramFiles%\FireFox\res\table-add-column-before-hover.gif.no_more_ransom
  • from %ProgramFiles%\FireFox\res\table-add-column-before.gif to %ProgramFiles%\FireFox\res\table-add-column-before.gif.no_more_ransom
  • from C:\Muldrop\dmp_0x1a4_0x30000 to C:\Muldrop\dmp_0x1a4_0x30000.no_more_ransom
  • from %ProgramFiles%\FireFox\res\table-add-row-after-active.gif to %ProgramFiles%\FireFox\res\table-add-row-after-active.gif.no_more_ransom
  • from C:\Muldrop\dmp_0x1b4_0x10000 to C:\Muldrop\dmp_0x1b4_0x10000.no_more_ransom
  • from %ProgramFiles%\FireFox\res\table-add-row-after-hover.gif to %ProgramFiles%\FireFox\res\table-add-row-after-hover.gif.no_more_ransom
  • from C:\Muldrop\dmp_0x1b4_0x20000 to C:\Muldrop\dmp_0x1b4_0x20000.no_more_ransom
  • from %ProgramFiles%\FireFox\res\table-add-row-after.gif to %ProgramFiles%\FireFox\res\table-add-row-after.gif.no_more_ransom
  • from C:\Muldrop\dmp_0x1b4_0x30000 to C:\Muldrop\dmp_0x1b4_0x30000.no_more_ransom
  • from %ProgramFiles%\FireFox\res\table-add-row-before-active.gif to %ProgramFiles%\FireFox\res\table-add-row-before-active.gif.no_more_ransom
  • from <ANALYSETOOLS_DIR>\MinArk\validdrv.dat to <ANALYSETOOLS_DIR>\MinArk\validdrv.dat.no_more_ransom
  • from C:\Muldrop\dmp_0x88_0x30000 to C:\Muldrop\dmp_0x88_0x30000.no_more_ransom
  • from %ProgramFiles%\FireFox\res\table-add-row-before-hover.gif to %ProgramFiles%\FireFox\res\table-add-row-before-hover.gif.no_more_ransom
  • from %ProgramFiles%\FireFox\searchplugins\google.xml to %ProgramFiles%\FireFox\searchplugins\google.xml.no_more_ransom
  • from C:\Muldrop\dmp_0x1b8_0x20000 to C:\Muldrop\dmp_0x1b8_0x20000.no_more_ransom
  • from %ProgramFiles%\FireFox\res\table-remove-column-active.gif to %ProgramFiles%\FireFox\res\table-remove-column-active.gif.no_more_ransom
  • from C:\Muldrop\dmp_0x1b8_0x30000 to C:\Muldrop\dmp_0x1b8_0x30000.no_more_ransom
  • from %ProgramFiles%\FireFox\res\table-remove-column-hover.gif to %ProgramFiles%\FireFox\res\table-remove-column-hover.gif.no_more_ransom
  • from C:\Muldrop\dmp_0x1bc_0x10000 to C:\Muldrop\dmp_0x1bc_0x10000.no_more_ransom
  • from %ProgramFiles%\FireFox\res\table-remove-column.gif to %ProgramFiles%\FireFox\res\table-remove-column.gif.no_more_ransom
  • from C:\Muldrop\dmp_0x1bc_0x20000 to C:\Muldrop\dmp_0x1bc_0x20000.no_more_ransom
  • from %ProgramFiles%\FireFox\res\table-remove-row-active.gif to %ProgramFiles%\FireFox\res\table-remove-row-active.gif.no_more_ransom
  • from C:\Muldrop\dmp_0x1bc_0x30000 to C:\Muldrop\dmp_0x1bc_0x30000.no_more_ransom
  • from %ProgramFiles%\FireFox\res\table-remove-row-hover.gif to %ProgramFiles%\FireFox\res\table-remove-row-hover.gif.no_more_ransom
  • from C:\Muldrop\dmp_0x88_0x10000 to C:\Muldrop\dmp_0x88_0x10000.no_more_ransom
  • from %ProgramFiles%\FireFox\res\table-remove-row.gif to %ProgramFiles%\FireFox\res\table-remove-row.gif.no_more_ransom
  • from C:\Muldrop\dmp_0x1b8_0x10000 to C:\Muldrop\dmp_0x1b8_0x10000.no_more_ransom
  • from %ProgramFiles%\FireFox\nspr4.dll to %ProgramFiles%\FireFox\nspr4.dll.no_more_ransom
  • from %ProgramFiles%\FireFox\nsinstall.exe to %ProgramFiles%\FireFox\nsinstall.exe.no_more_ransom
  • from %ProgramFiles%\FireFox\mozsqlite3.dll to %ProgramFiles%\FireFox\mozsqlite3.dll.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\services-sync\engines.js to %ProgramFiles%\FireFox\modules\services-sync\engines.js.no_more_ransom
  • from %ProgramFiles%\FireFox\components\widget.xpt to %ProgramFiles%\FireFox\components\widget.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\components\windowds.xpt to %ProgramFiles%\FireFox\components\windowds.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\LightweightThemeConsumer.jsm to %ProgramFiles%\FireFox\modules\LightweightThemeConsumer.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\components\windowwatcher.xpt to %ProgramFiles%\FireFox\components\windowwatcher.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\services-sync\ext\Observers.js to %ProgramFiles%\FireFox\modules\services-sync\ext\Observers.js.no_more_ransom
  • from %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\update\updates.css to %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\update\updates.css.no_more_ransom
  • from %ProgramFiles%\FireFox\components\xpcom_base.xpt to %ProgramFiles%\FireFox\components\xpcom_base.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\viewsource\viewsource.css to %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\viewsource\viewsource.css.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\LightweightThemeManager.jsm to %ProgramFiles%\FireFox\modules\LightweightThemeManager.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\components\xpcom_components.xpt to %ProgramFiles%\FireFox\components\xpcom_components.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\components\xpcom_ds.xpt to %ProgramFiles%\FireFox\components\xpcom_ds.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\services-sync\ext\Preferences.js to %ProgramFiles%\FireFox\modules\services-sync\ext\Preferences.js.no_more_ransom
  • from %ProgramFiles%\FireFox\components\webshell_idls.xpt to %ProgramFiles%\FireFox\components\webshell_idls.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\Microformats.js to %ProgramFiles%\FireFox\modules\Microformats.js.no_more_ransom
  • from %ProgramFiles%\FireFox\components\xpcom_system.xpt to %ProgramFiles%\FireFox\components\xpcom_system.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\xpinstall\xpinstallConfirm.css to %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\xpinstall\xpinstallConfirm.css.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\NetUtil.jsm to %ProgramFiles%\FireFox\modules\NetUtil.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\components\xpcom_threads.xpt to %ProgramFiles%\FireFox\components\xpcom_threads.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\services-sync\ext\StringBundle.js to %ProgramFiles%\FireFox\modules\services-sync\ext\StringBundle.js.no_more_ransom
  • from %ProgramFiles%\FireFox\components\xpcom_xpti.xpt to %ProgramFiles%\FireFox\components\xpcom_xpti.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\components\xpconnect.xpt to %ProgramFiles%\FireFox\components\xpconnect.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\components\xulapp.xpt to %ProgramFiles%\FireFox\components\xulapp.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\NetworkHelper.jsm to %ProgramFiles%\FireFox\modules\NetworkHelper.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\services-sync\identity.js to %ProgramFiles%\FireFox\modules\services-sync\identity.js.no_more_ransom
  • from %ProgramFiles%\FireFox\AccessibleMarshal.dll to %ProgramFiles%\FireFox\AccessibleMarshal.dll.no_more_ransom
  • from %ProgramFiles%\FireFox\components\xuldoc.xpt to %ProgramFiles%\FireFox\components\xuldoc.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\chrome\toolkit.manifest to %ProgramFiles%\FireFox\chrome\toolkit.manifest.no_more_ransom
  • from %ProgramFiles%\FireFox\components\xpcom_io.xpt to %ProgramFiles%\FireFox\components\xpcom_io.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\components\update.xpt to %ProgramFiles%\FireFox\components\update.xpt.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\icwdl.dll to %ProgramFiles%\Internet Explorer\Connection Wizard\icwdl.dll.no_more_ransom
  • from %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\profile\profileSelection.css to %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\profile\profileSelection.css.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\DownloadPaths.jsm to %ProgramFiles%\FireFox\modules\DownloadPaths.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\components\toolkitsearch.manifest to %ProgramFiles%\FireFox\components\toolkitsearch.manifest.no_more_ransom
  • from %ProgramFiles%\FireFox\components\txEXSLTRegExFunctions.js to %ProgramFiles%\FireFox\components\txEXSLTRegExFunctions.js.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\services-sync\engines\history.js to %ProgramFiles%\FireFox\modules\services-sync\engines\history.js.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\DownloadTaskbarProgress.jsm to %ProgramFiles%\FireFox\modules\DownloadTaskbarProgress.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\components\txEXSLTRegExFunctions.manifest to %ProgramFiles%\FireFox\components\txEXSLTRegExFunctions.manifest.no_more_ransom
  • from %ProgramFiles%\FireFox\components\txmgr.xpt to %ProgramFiles%\FireFox\components\txmgr.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\DownloadUtils.jsm to %ProgramFiles%\FireFox\modules\DownloadUtils.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\components\txtsvc.xpt to %ProgramFiles%\FireFox\components\txtsvc.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\services-sync\engines\passwords.js to %ProgramFiles%\FireFox\modules\services-sync\engines\passwords.js.no_more_ransom
  • from %ProgramFiles%\FireFox\components\uconv.xpt to %ProgramFiles%\FireFox\components\uconv.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\components\unicharutil.xpt to %ProgramFiles%\FireFox\components\unicharutil.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\FileUtils.jsm to %ProgramFiles%\FireFox\modules\FileUtils.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\components\xultmpl.xpt to %ProgramFiles%\FireFox\components\xultmpl.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\services-sync\engines\prefs.js to %ProgramFiles%\FireFox\modules\services-sync\engines\prefs.js.no_more_ransom
  • from %ProgramFiles%\FireFox\components\uriloader.xpt to %ProgramFiles%\FireFox\components\uriloader.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\Geometry.jsm to %ProgramFiles%\FireFox\modules\Geometry.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\components\url-classifier.xpt to %ProgramFiles%\FireFox\components\url-classifier.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\plugins\pluginInstallerWizard.css to %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\plugins\pluginInstallerWizard.css.no_more_ransom
  • from %ProgramFiles%\FireFox\components\urlformatter.xpt to %ProgramFiles%\FireFox\components\urlformatter.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\components\Weave.js to %ProgramFiles%\FireFox\components\Weave.js.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\HUDService.jsm to %ProgramFiles%\FireFox\modules\HUDService.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\services-sync\engines\tabs.js to %ProgramFiles%\FireFox\modules\services-sync\engines\tabs.js.no_more_ransom
  • from %ProgramFiles%\FireFox\components\webapps.xpt to %ProgramFiles%\FireFox\components\webapps.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\plugins\pluginProblem.css to %ProgramFiles%\FireFox\chrome\toolkit\skin\classic\mozapps\plugins\pluginProblem.css.no_more_ransom
  • from %ProgramFiles%\FireFox\components\webbrowserpersist.xpt to %ProgramFiles%\FireFox\components\webbrowserpersist.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\InlineSpellChecker.jsm to %ProgramFiles%\FireFox\modules\InlineSpellChecker.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\components\webBrowser_core.xpt to %ProgramFiles%\FireFox\components\webBrowser_core.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\ISO8601DateUtils.jsm to %ProgramFiles%\FireFox\modules\ISO8601DateUtils.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\defaults\pref\channel-prefs.js to %ProgramFiles%\FireFox\defaults\pref\channel-prefs.js.no_more_ransom
  • from %ProgramFiles%\FireFox\application.ini to %ProgramFiles%\FireFox\application.ini.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\services-sync\status.js to %ProgramFiles%\FireFox\modules\services-sync\status.js.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\services-crypto\WeaveCrypto.js to %ProgramFiles%\FireFox\modules\services-crypto\WeaveCrypto.js.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\PropertyPanel.jsm to %ProgramFiles%\FireFox\modules\PropertyPanel.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\defaults\profile\prefs.js to %ProgramFiles%\FireFox\defaults\profile\prefs.js.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\Services.jsm to %ProgramFiles%\FireFox\modules\Services.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\tabview\AllTabs.jsm to %ProgramFiles%\FireFox\modules\tabview\AllTabs.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\dependentlibs.list to %ProgramFiles%\FireFox\dependentlibs.list.no_more_ransom
  • from %ProgramFiles%\FireFox\dictionaries\en-US.aff to %ProgramFiles%\FireFox\dictionaries\en-US.aff.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\SpatialNavigation.js to %ProgramFiles%\FireFox\modules\SpatialNavigation.js.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\tabview\utils.jsm to %ProgramFiles%\FireFox\modules\tabview\utils.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\dictionaries\en-US.dic to %ProgramFiles%\FireFox\dictionaries\en-US.dic.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\stylePanel.jsm to %ProgramFiles%\FireFox\modules\stylePanel.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\firefox.exe to %ProgramFiles%\FireFox\firefox.exe.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\utils.js to %ProgramFiles%\FireFox\modules\utils.js.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\services-sync\util.js to %ProgramFiles%\FireFox\modules\services-sync\util.js.no_more_ransom
  • from %ProgramFiles%\FireFox\freebl3.chk to %ProgramFiles%\FireFox\freebl3.chk.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\WindowDraggingUtils.jsm to %ProgramFiles%\FireFox\modules\WindowDraggingUtils.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\greprefs.js to %ProgramFiles%\FireFox\greprefs.js.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\WindowsJumpLists.jsm to %ProgramFiles%\FireFox\modules\WindowsJumpLists.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\IA2Marshal.dll to %ProgramFiles%\FireFox\IA2Marshal.dll.no_more_ransom
  • from <ANALYSETOOLS_DIR>\Angar2\scripts\main.bin to <ANALYSETOOLS_DIR>\Angar2\scripts\main.bin.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\WindowsPreviewPerTab.jsm to %ProgramFiles%\FireFox\modules\WindowsPreviewPerTab.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\js.exe to %ProgramFiles%\FireFox\js.exe.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\XPCOMUtils.jsm to %ProgramFiles%\FireFox\modules\XPCOMUtils.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\XPIProvider.jsm to %ProgramFiles%\FireFox\modules\XPIProvider.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\js.log to %ProgramFiles%\FireFox\js.log.no_more_ransom
  • from %ProgramFiles%\FireFox\mangle.exe to %ProgramFiles%\FireFox\mangle.exe.no_more_ransom
  • from %ProgramFiles%\FireFox\mozalloc.dll to %ProgramFiles%\FireFox\mozalloc.dll.no_more_ransom
  • from %ProgramFiles%\FireFox\mozjs.dll to %ProgramFiles%\FireFox\mozjs.dll.no_more_ransom
  • from %ProgramFiles%\FireFox\freebl3.dll to %ProgramFiles%\FireFox\freebl3.dll.no_more_ransom
  • from %ProgramFiles%\FireFox\components\toolkitprofile.xpt to %ProgramFiles%\FireFox\components\toolkitprofile.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\NetworkPrioritizer.jsm to %ProgramFiles%\FireFox\modules\NetworkPrioritizer.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\PluralForm.jsm to %ProgramFiles%\FireFox\modules\PluralForm.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\services-sync\jpakeclient.js to %ProgramFiles%\FireFox\modules\services-sync\jpakeclient.js.no_more_ransom
  • from %ProgramFiles%\FireFox\blocklist.xml to %ProgramFiles%\FireFox\blocklist.xml.no_more_ransom
  • from %ProgramFiles%\FireFox\chrome.manifest to %ProgramFiles%\FireFox\chrome.manifest.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\services-sync\log4moz.js to %ProgramFiles%\FireFox\modules\services-sync\log4moz.js.no_more_ransom
  • from %ProgramFiles%\FireFox\defaults\autoconfig\platform.js to %ProgramFiles%\FireFox\defaults\autoconfig\platform.js.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\nsFormAutoCompleteResult.jsm to %ProgramFiles%\FireFox\modules\nsFormAutoCompleteResult.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\crashreporter-override.ini to %ProgramFiles%\FireFox\crashreporter-override.ini.no_more_ransom
  • from %ProgramFiles%\FireFox\crashreporter.exe to %ProgramFiles%\FireFox\crashreporter.exe.no_more_ransom
  • from %ProgramFiles%\FireFox\defaults\autoconfig\prefcalls.js to %ProgramFiles%\FireFox\defaults\autoconfig\prefcalls.js.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\openLocationLastURL.jsm to %ProgramFiles%\FireFox\modules\openLocationLastURL.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\services-sync\main.js to %ProgramFiles%\FireFox\modules\services-sync\main.js.no_more_ransom
  • from %ProgramFiles%\FireFox\crashreporter.ini to %ProgramFiles%\FireFox\crashreporter.ini.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\PerfMeasurement.jsm to %ProgramFiles%\FireFox\modules\PerfMeasurement.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\components\zipwriter.xpt to %ProgramFiles%\FireFox\components\zipwriter.xpt.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\services-sync\notifications.js to %ProgramFiles%\FireFox\modules\services-sync\notifications.js.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\PlacesDBUtils.jsm to %ProgramFiles%\FireFox\modules\PlacesDBUtils.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\services-sync\record.js to %ProgramFiles%\FireFox\modules\services-sync\record.js.no_more_ransom
  • from %ProgramFiles%\FireFox\defaults\pref\firefox-branding.js to %ProgramFiles%\FireFox\defaults\pref\firefox-branding.js.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\PlacesUIUtils.jsm to %ProgramFiles%\FireFox\modules\PlacesUIUtils.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\defaults\pref\firefox-l10n.js to %ProgramFiles%\FireFox\defaults\pref\firefox-l10n.js.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\services-sync\resource.js to %ProgramFiles%\FireFox\modules\services-sync\resource.js.no_more_ransom
  • from %ProgramFiles%\FireFox\defaults\profile\chrome\userChrome-example.css to %ProgramFiles%\FireFox\defaults\profile\chrome\userChrome-example.css.no_more_ransom
  • from %ProgramFiles%\FireFox\defaults\pref\firefox.js to %ProgramFiles%\FireFox\defaults\pref\firefox.js.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\PlacesUtils.jsm to %ProgramFiles%\FireFox\modules\PlacesUtils.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\services-sync\service.js to %ProgramFiles%\FireFox\modules\services-sync\service.js.no_more_ransom
  • from %ProgramFiles%\FireFox\defaults\pref\services-sync.js to %ProgramFiles%\FireFox\defaults\pref\services-sync.js.no_more_ransom
  • from %ProgramFiles%\FireFox\defaults\profile\chrome\userContent-example.css to %ProgramFiles%\FireFox\defaults\profile\chrome\userContent-example.css.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\PluginProvider.jsm to %ProgramFiles%\FireFox\modules\PluginProvider.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\PopupNotifications.jsm to %ProgramFiles%\FireFox\modules\PopupNotifications.jsm.no_more_ransom
  • from %ProgramFiles%\FireFox\components\WebContentConverter.js to %ProgramFiles%\FireFox\components\WebContentConverter.js.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\icwhelp.dll to %ProgramFiles%\Internet Explorer\Connection Wizard\icwhelp.dll.no_more_ransom
  • from %ProgramFiles%\Messenger\lvback.gif to %ProgramFiles%\Messenger\lvback.gif.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Client.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Client.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND17.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND17.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND18.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND18.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND181.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND181.WAV.no_more_ransom
  • from %ProgramFiles%\Windows Media Player\npdrmv2.zip to %ProgramFiles%\Windows Media Player\npdrmv2.zip.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Design.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Design.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND19.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND19.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND20.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND20.WAV.no_more_ransom
  • from %ProgramFiles%\Windows Media Player\npds.zip to %ProgramFiles%\Windows Media Player\npds.zip.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND21.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND21.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND22.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND22.WAV.no_more_ransom
  • from %ProgramFiles%\Windows Media Player\npdsplay.dll to %ProgramFiles%\Windows Media Player\npdsplay.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND14.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND14.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND240.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND240.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND243.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND243.WAV.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Management.Instrumentation.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Management.Instrumentation.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND25.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND25.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND26.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND26.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND27.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND27.WAV.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Net.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Net.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND28.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND28.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Accessories\mswrd6.wpc to %ProgramFiles%\Windows NT\Accessories\mswrd6.wpc.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND29.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND29.WAV.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll.no_more_ransom
  • from %ProgramFiles%\Windows Media Player\npwmsdrm.dll to %ProgramFiles%\Windows Media Player\npwmsdrm.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND24.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND24.WAV.no_more_ransom
  • from %ProgramFiles%\Outlook Express\oemig50.exe to %ProgramFiles%\Outlook Express\oemig50.exe.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND136.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND136.WAV.no_more_ransom
  • from %ProgramFiles%\MSN\MSNCoreFiles\OOBE\signup.mar to %ProgramFiles%\MSN\MSNCoreFiles\OOBE\signup.mar.no_more_ransom
  • from %ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets to %ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets.no_more_ransom
  • from %ProgramFiles%\Online Services\Refer me to more Internet Service Providers.lnk to %ProgramFiles%\Online Services\Refer me to more Internet Service Providers.lnk.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\PINBALL.DAT to %ProgramFiles%\Windows NT\Pinball\PINBALL.DAT.no_more_ransom
  • from %ProgramFiles%\NetMeeting\TestSnd.wav to %ProgramFiles%\NetMeeting\TestSnd.wav.no_more_ransom
  • from %ProgramFiles%\NetMeeting\wb32.exe to %ProgramFiles%\NetMeeting\wb32.exe.no_more_ransom
  • from %ProgramFiles%\Online Services\Use MSN Explorer to sign up for Internet Access (US only).lnk to %ProgramFiles%\Online Services\Use MSN Explorer to sign up for Internet Access (US only).lnk.no_more_ransom
  • from %ProgramFiles%\Outlook Express\msimn.exe to %ProgramFiles%\Outlook Express\msimn.exe.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\PINBALL.EXE to %ProgramFiles%\Windows NT\Pinball\PINBALL.EXE.no_more_ransom
  • from %ProgramFiles%\Outlook Express\msoe.dll to %ProgramFiles%\Outlook Express\msoe.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\PINBALL.MID to %ProgramFiles%\Windows NT\Pinball\PINBALL.MID.no_more_ransom
  • from %ProgramFiles%\Windows Media Player\custsat.dll to %ProgramFiles%\Windows Media Player\custsat.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\PINBALL2.MID to %ProgramFiles%\Windows NT\Pinball\PINBALL2.MID.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND3.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND3.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND16.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND16.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND104.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND104.WAV.no_more_ransom
  • from %ProgramFiles%\Outlook Express\msoe.txt to %ProgramFiles%\Outlook Express\msoe.txt.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND105.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND105.WAV.no_more_ransom
  • from %ProgramFiles%\Windows Media Player\mplayer2.exe to %ProgramFiles%\Windows Media Player\mplayer2.exe.no_more_ransom
  • from %ProgramFiles%\Outlook Express\msoeres.dll to %ProgramFiles%\Outlook Express\msoeres.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND108.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND108.WAV.no_more_ransom
  • from %ProgramFiles%\Windows Media Player\mpvis.dll to %ProgramFiles%\Windows Media Player\mpvis.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND111.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND111.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND112.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND112.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND12.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND12.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND13.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND13.WAV.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND131.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND131.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND1.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND1.WAV.no_more_ransom
  • from %ProgramFiles%\Windows Media Player\npdrmv2.dll to %ProgramFiles%\Windows Media Player\npdrmv2.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND30.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND30.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND34.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND34.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND35.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND35.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\htrn_jis.dll to %ProgramFiles%\Windows NT\htrn_jis.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND57.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND57.WAV.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND58.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND58.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\dialer.exe to %ProgramFiles%\Windows NT\dialer.exe.no_more_ransom
  • from %ProgramFiles%\Outlook Express\wab.exe to %ProgramFiles%\Outlook Express\wab.exe.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND6.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND6.WAV.no_more_ransom
  • from %ProgramFiles%\Windows Media Player\wmpband.dll to %ProgramFiles%\Windows Media Player\wmpband.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND65.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND65.WAV.no_more_ransom
  • from %ProgramFiles%\Outlook Express\wabfind.dll to %ProgramFiles%\Outlook Express\wabfind.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND68.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND68.WAV.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND7.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND7.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\FONT.DAT to %ProgramFiles%\Windows NT\Pinball\FONT.DAT.no_more_ransom
  • from %ProgramFiles%\Windows Media Player\Skins\Revert.wmz to %ProgramFiles%\Windows Media Player\Skins\Revert.wmz.no_more_ransom
  • from %ProgramFiles%\Outlook Express\wabimp.dll to %ProgramFiles%\Outlook Express\wabimp.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll.no_more_ransom
  • from %ProgramFiles%\Windows Media Player\wmplayer.exe to %ProgramFiles%\Windows Media Player\wmplayer.exe.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND735.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND735.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND8.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND8.WAV.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND827.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND827.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\hypertrm.exe to %ProgramFiles%\Windows NT\hypertrm.exe.no_more_ransom
  • from %ProgramFiles%\Outlook Express\wabmig.exe to %ProgramFiles%\Outlook Express\wabmig.exe.no_more_ransom
  • from %ProgramFiles%\Windows Media Player\wmpns.dll to %ProgramFiles%\Windows Media Player\wmpns.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND9.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND9.WAV.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND999.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND999.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND713.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND713.WAV.no_more_ransom
  • from %ProgramFiles%\Windows Media Player\migrate.exe to %ProgramFiles%\Windows Media Player\migrate.exe.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND560.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND560.WAV.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND55.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND55.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Accessories\mswrd8.wpc to %ProgramFiles%\Windows NT\Accessories\mswrd8.wpc.no_more_ransom
  • from %ProgramFiles%\Windows Media Player\setup_wm.exe to %ProgramFiles%\Windows Media Player\setup_wm.exe.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND36.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND36.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND38.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND38.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND39.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND39.WAV.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND4.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND4.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND42.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND42.WAV.no_more_ransom
  • from %ProgramFiles%\Outlook Express\oeimport.dll to %ProgramFiles%\Outlook Express\oeimport.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND43.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND43.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND45.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND45.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND54.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND54.WAV.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND563.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND563.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND49D.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND49D.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Accessories\wordpad.exe to %ProgramFiles%\Windows NT\Accessories\wordpad.exe.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.Design.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.Design.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND5.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND5.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND50.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND50.WAV.no_more_ransom
  • from %ProgramFiles%\Outlook Express\oemiglib.dll to %ProgramFiles%\Outlook Express\oemiglib.dll.no_more_ransom
  • from %ProgramFiles%\Windows Media Player\Skins\compact.wmz to %ProgramFiles%\Windows Media Player\Skins\compact.wmz.no_more_ransom
  • from %ProgramFiles%\Windows NT\Accessories\write.wpc to %ProgramFiles%\Windows NT\Accessories\write.wpc.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.dll.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND528.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND528.WAV.no_more_ransom
  • from %ProgramFiles%\Outlook Express\setup50.exe to %ProgramFiles%\Outlook Express\setup50.exe.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND53.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND53.WAV.no_more_ransom
  • from %ProgramFiles%\Windows NT\Pinball\SOUND49.WAV to %ProgramFiles%\Windows NT\Pinball\SOUND49.WAV.no_more_ransom
  • from %ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets to %ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll.no_more_ransom
  • from %ProgramFiles%\NetMeeting\rrcm.dll to %ProgramFiles%\NetMeeting\rrcm.dll.no_more_ransom
  • from %ProgramFiles%\Messenger\msmsgs.exe to %ProgramFiles%\Messenger\msmsgs.exe.no_more_ransom
  • from %ProgramFiles%\MSN\MSNCoreFiles\Install\cinfo.xml to %ProgramFiles%\MSN\MSNCoreFiles\Install\cinfo.xml.no_more_ransom
  • from %ProgramFiles%\Messenger\newalert.wav to %ProgramFiles%\Messenger\newalert.wav.no_more_ransom
  • from %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe to %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe.no_more_ransom
  • from %ProgramFiles%\Messenger\newemail.wav to %ProgramFiles%\Messenger\newemail.wav.no_more_ransom
  • from %ProgramFiles%\Messenger\online.wav to %ProgramFiles%\Messenger\online.wav.no_more_ransom
  • from %ProgramFiles%\Messenger\type.wav to %ProgramFiles%\Messenger\type.wav.no_more_ransom
  • from %ProgramFiles%\Messenger\xpmsgr.chm to %ProgramFiles%\Messenger\xpmsgr.chm.no_more_ransom
  • from %ProgramFiles%\Microsoft.NET\RedistList\AssemblyList_4_client.xml to %ProgramFiles%\Microsoft.NET\RedistList\AssemblyList_4_client.xml.no_more_ransom
  • from %ProgramFiles%\Microsoft.NET\RedistList\AssemblyList_4_extended.xml to %ProgramFiles%\Microsoft.NET\RedistList\AssemblyList_4_extended.xml.no_more_ransom
  • from %ProgramFiles%\Movie Maker\moviemk.exe to %ProgramFiles%\Movie Maker\moviemk.exe.no_more_ransom
  • from %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\digopt.msi to %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\digopt.msi.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll.no_more_ransom
  • from %ProgramFiles%\Messenger\msgslang.dll to %ProgramFiles%\Messenger\msgslang.dll.no_more_ransom
  • from %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\digreqEx.msi to %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\digreqEx.msi.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\Client.xml to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\Client.xml.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Printing.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Printing.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll.no_more_ransom
  • from %ProgramFiles%\Movie Maker\MUI\0409\moviemk.chm to %ProgramFiles%\Movie Maker\MUI\0409\moviemk.chm.no_more_ransom
  • from %ProgramFiles%\Movie Maker\Shared\Empty.txt to %ProgramFiles%\Movie Maker\Shared\Empty.txt.no_more_ransom
  • from %ProgramFiles%\Movie Maker\Shared\Filters.xml to %ProgramFiles%\Movie Maker\Shared\Filters.xml.no_more_ransom
  • from %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe to %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\icwip.dun to %ProgramFiles%\Internet Explorer\Connection Wizard\icwip.dun.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll.no_more_ransom
  • from C:\Muldrop\unq2.unq_0 to C:\Muldrop\unq2.unq_0.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\icwres.dll to %ProgramFiles%\Internet Explorer\Connection Wizard\icwres.dll.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\icwrmind.exe to %ProgramFiles%\Internet Explorer\Connection Wizard\icwrmind.exe.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\icwtutor.exe to %ProgramFiles%\Internet Explorer\Connection Wizard\icwtutor.exe.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\icwutil.dll to %ProgramFiles%\Internet Explorer\Connection Wizard\icwutil.dll.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\icwx25a.dun to %ProgramFiles%\Internet Explorer\Connection Wizard\icwx25a.dun.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\icwx25b.dun to %ProgramFiles%\Internet Explorer\Connection Wizard\icwx25b.dun.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\icwx25c.dun to %ProgramFiles%\Internet Explorer\Connection Wizard\icwx25c.dun.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\inetwiz.exe to %ProgramFiles%\Internet Explorer\Connection Wizard\inetwiz.exe.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\isignup.exe to %ProgramFiles%\Internet Explorer\Connection Wizard\isignup.exe.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\msicw.isp to %ProgramFiles%\Internet Explorer\Connection Wizard\msicw.isp.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\msn.isp to %ProgramFiles%\Internet Explorer\Connection Wizard\msn.isp.no_more_ransom
  • from %ProgramFiles%\Movie Maker\Shared\Profiles\Blank.txt to %ProgramFiles%\Movie Maker\Shared\Profiles\Blank.txt.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\phone.icw to %ProgramFiles%\Internet Explorer\Connection Wizard\phone.icw.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\phone.ver to %ProgramFiles%\Internet Explorer\Connection Wizard\phone.ver.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\state.icw to %ProgramFiles%\Internet Explorer\Connection Wizard\state.icw.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\support.icw to %ProgramFiles%\Internet Explorer\Connection Wizard\support.icw.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\Connection Wizard\trialoc.dll to %ProgramFiles%\Internet Explorer\Connection Wizard\trialoc.dll.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\HMMAPI.DLL to %ProgramFiles%\Internet Explorer\HMMAPI.DLL.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\iedw.exe to %ProgramFiles%\Internet Explorer\iedw.exe.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\MUI\0409\mscorier.dll to %ProgramFiles%\Internet Explorer\MUI\0409\mscorier.dll.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\IEXPLORE.EXE to %ProgramFiles%\Internet Explorer\IEXPLORE.EXE.no_more_ransom
  • from %ProgramFiles%\Internet Explorer\SIGNUP\INSTALL.INS to %ProgramFiles%\Internet Explorer\SIGNUP\INSTALL.INS.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll.no_more_ransom
  • from %ProgramFiles%\Messenger\custsat.dll to %ProgramFiles%\Messenger\custsat.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Classic.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Classic.dll.no_more_ransom
  • from %ProgramFiles%\Messenger\logowin.gif to %ProgramFiles%\Messenger\logowin.gif.no_more_ransom
  • from %ProgramFiles%\Messenger\msgsc.dll to %ProgramFiles%\Messenger\msgsc.dll.no_more_ransom
  • from %ProgramFiles%\Movie Maker\WMM2FXB.dll to %ProgramFiles%\Movie Maker\WMM2FXB.dll.no_more_ransom
  • from %ProgramFiles%\Movie Maker\Shared\Sample1.jpg to %ProgramFiles%\Movie Maker\Shared\Sample1.jpg.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll.no_more_ransom
  • from %ProgramFiles%\NetMeeting\nmas.dll to %ProgramFiles%\NetMeeting\nmas.dll.no_more_ransom
  • from %ProgramFiles%\MSN\MSNCoreFiles\Install\xfp.xml to %ProgramFiles%\MSN\MSNCoreFiles\Install\xfp.xml.no_more_ransom
  • from %ProgramFiles%\MSN\MSNCoreFiles\OOBE\market.mar to %ProgramFiles%\MSN\MSNCoreFiles\OOBE\market.mar.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll.no_more_ransom
  • from %ProgramFiles%\NetMeeting\nmasnt.dll to %ProgramFiles%\NetMeeting\nmasnt.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Utilities.v3.5.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Utilities.v3.5.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Client.xml to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Client.xml.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll.no_more_ransom
  • from %ProgramFiles%\MSN\MSNCoreFiles\OOBE\obelog.dll to %ProgramFiles%\MSN\MSNCoreFiles\OOBE\obelog.dll.no_more_ransom
  • from %ProgramFiles%\NetMeeting\nmchat.dll to %ProgramFiles%\NetMeeting\nmchat.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll.no_more_ransom
  • from %ProgramFiles%\NetMeeting\netmeet.htm to %ProgramFiles%\NetMeeting\netmeet.htm.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll.no_more_ransom
  • from %ProgramFiles%\MSN\MSNCoreFiles\OOBE\obemetal.dll to %ProgramFiles%\MSN\MSNCoreFiles\OOBE\obemetal.dll.no_more_ransom
  • from %ProgramFiles%\NetMeeting\nmft.dll to %ProgramFiles%\NetMeeting\nmft.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll.no_more_ransom
  • from %ProgramFiles%\NetMeeting\nmoldwb.dll to %ProgramFiles%\NetMeeting\nmoldwb.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.DataSetExtensions.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.DataSetExtensions.dll.no_more_ransom
  • from %ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets to %ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.no_more_ransom
  • from %ProgramFiles%\MSN\MSNCoreFiles\OOBE\obemtllc.dll to %ProgramFiles%\MSN\MSNCoreFiles\OOBE\obemtllc.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.Design.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.Design.dll.no_more_ransom
  • from %ProgramFiles%\NetMeeting\nmwb.dll to %ProgramFiles%\NetMeeting\nmwb.dll.no_more_ransom
  • from %ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets to %ProgramFiles%\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.no_more_ransom
  • from %ProgramFiles%\Movie Maker\WMM2RES2.dll to %ProgramFiles%\Movie Maker\WMM2RES2.dll.no_more_ransom
  • from %ProgramFiles%\MSN\MSNCoreFiles\OOBE\obepopc.dll to %ProgramFiles%\MSN\MSNCoreFiles\OOBE\obepopc.dll.no_more_ransom
  • from %ProgramFiles%\NetMeeting\nmcom.dll to %ProgramFiles%\NetMeeting\nmcom.dll.no_more_ransom
  • from C:\Muldrop\unq1.unq_0 to C:\Muldrop\unq1.unq_0.no_more_ransom
  • from %ProgramFiles%\Movie Maker\WMM2AE.dll to %ProgramFiles%\Movie Maker\WMM2AE.dll.no_more_ransom
  • from %ProgramFiles%\NetMeeting\nac.dll to %ProgramFiles%\NetMeeting\nac.dll.no_more_ransom
  • from %ProgramFiles%\NetMeeting\Blip.wav to %ProgramFiles%\NetMeeting\Blip.wav.no_more_ransom
  • from %ProgramFiles%\NetMeeting\callcont.dll to %ProgramFiles%\NetMeeting\callcont.dll.no_more_ransom
  • from %ProgramFiles%\Movie Maker\WMM2ERES.dll to %ProgramFiles%\Movie Maker\WMM2ERES.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll.no_more_ransom
  • from %ProgramFiles%\Movie Maker\WMM2EXT.dll to %ProgramFiles%\Movie Maker\WMM2EXT.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll.no_more_ransom
  • from %ProgramFiles%\NetMeeting\cb32.exe to %ProgramFiles%\NetMeeting\cb32.exe.no_more_ransom
  • from %ProgramFiles%\Movie Maker\WMM2FILT.dll to %ProgramFiles%\Movie Maker\WMM2FILT.dll.no_more_ransom
  • from %ProgramFiles%\NetMeeting\conf.exe to %ProgramFiles%\NetMeeting\conf.exe.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll.no_more_ransom
  • from %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\msnmsgs.msi to %ProgramFiles%\MSN\MSNCoreFiles\Install\MSN9Components\msnmsgs.msi.no_more_ransom
  • from %ProgramFiles%\Movie Maker\WMM2FXA.dll to %ProgramFiles%\Movie Maker\WMM2FXA.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll.no_more_ransom
  • from %ProgramFiles%\Movie Maker\Shared\Sample2.jpg to %ProgramFiles%\Movie Maker\Shared\Sample2.jpg.no_more_ransom
  • from %ProgramFiles%\NetMeeting\confmrsl.dll to %ProgramFiles%\NetMeeting\confmrsl.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClient.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClient.dll.no_more_ransom
  • from %ProgramFiles%\NetMeeting\dcap32.dll to %ProgramFiles%\NetMeeting\dcap32.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClientsideProviders.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClientsideProviders.dll.no_more_ransom
  • from %ProgramFiles%\NetMeeting\h323cc.dll to %ProgramFiles%\NetMeeting\h323cc.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationProvider.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationProvider.dll.no_more_ransom
  • from %ProgramFiles%\Movie Maker\WMM2RES.dll to %ProgramFiles%\Movie Maker\WMM2RES.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll.no_more_ransom
  • from %ProgramFiles%\NetMeeting\MST120.DLL to %ProgramFiles%\NetMeeting\MST120.DLL.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll.no_more_ransom
  • from %ProgramFiles%\NetMeeting\MST123.DLL to %ProgramFiles%\NetMeeting\MST123.DLL.no_more_ransom
  • from %ProgramFiles%\MSN\MSNCoreFiles\Install\msnms.ico to %ProgramFiles%\MSN\MSNCoreFiles\Install\msnms.ico.no_more_ransom
  • from %ProgramFiles%\MSN\MSNCoreFiles\Install\msnsusii.exe to %ProgramFiles%\MSN\MSNCoreFiles\Install\msnsusii.exe.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll.no_more_ransom
  • from %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll to %ProgramFiles%\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll.no_more_ransom
  • from %ProgramFiles%\FireFox\modules\services-sync\engines\forms.js to %ProgramFiles%\FireFox\modules\services-sync\engines\forms.js.no_more_ransom
Modifies user data files (Trojan.Encoder).
Changes user data files extensions (Trojan.Encoder).
Miscellaneous:
Executes the following:
  • '<SYSTEM32>\cmd.exe' /c vssadmin.exe Delete Shadows /All /Quiet
  • '<SYSTEM32>\cmd.exe' /c bcdedit.exe /set {default} recoveryenabled No
  • '<SYSTEM32>\cmd.exe' /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  • '<SYSTEM32>\cmd.exe' /c wbadmin DELETE SYSTEMSTATEBACKUP
  • '<SYSTEM32>\cmd.exe' /c wmic SHADOWCOPY DELETE
  • '<SYSTEM32>\schtasks.exe' /Create /SC MINUTE /TN Encrypter /TR %APPDATA%\info.exe
  • '<SYSTEM32>\schtasks.exe' /Create /SC ONLOGON /TN EncrypterSt /TR %APPDATA%\info.exe

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android